06-10-2006, 07:00 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Are Your Employees Unknowingly Aiding Hackers?
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
"We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network."
8O Wow! I must admit, it never occurred to me this is a problem. The article isn't clear, but it seems that the program would automatically run. I don't own a USB drive and the few I have used have been solely for giving large files to someone rather than trying to email a 20MB file across the hallway. If USB drives can run programs automatically when inserted into a PC without the user's knowledge this is indeed a scary scenario. As one who has a dozen or so SD/MiniSD/CF cards, I can say I'd be tempted to insert a found card to examine the contents. Will PCs also run those when the card slot is built into the machine? It will certainly put me on my guard from now on before slipping a card or USB drive in my machine.

06-10-2006, 07:12 PM
Executive Editor, Android Thoughts
Join Date: Aug 2006
Posts: 3,233
I read through this yesterday (and even posted a link on my personal blog), and assumed that the user actually had to click on the trojan. It sounded like they laced the drives with images to make users start looking through the contents, and either had a dummy exe file on there or were really crafty and made an exe look like an image file.
Scary stuff, which is why I don't join credit unions :mrgreen:
__________________
Dr. Jon Westfall, MCSE, MS-MVP
Executive Editor - Android Thoughts
News Editor - Windows Phone Thoughts

06-10-2006, 07:21 PM
Editorial Contributor
Join Date: Jun 2007
Posts: 5,411
If you don't know where it's been, don't stick it in.
I would bet that there wasn't anything exceptionally devious on those drives. Anything like AtomicBanana.exe or DuckHunt.exe would probably have been run. Play a game, load a trojan. They are all over.
What is interesting is that those 15/20 folks apparently didn't share their good fortune. If you found that 19 of your colleagues also found a thumb drive outside that morning, wouldn't you be a bit suspicious? Almost like they knew it was wrong and didn't want to be found out. :roll:
__________________
Sometimes you are the anteater, sometimes you are the ant.

06-10-2006, 11:47 PM
Intellectual
Join Date: Jul 2002
Posts: 193
Heh, it's funny you mention this since the development group at work has started to take threat modeling more seriously lately and we were discussing this particular scenario yesterday.

06-11-2006, 12:59 AM
Pupil
Join Date: Jan 2005
Posts: 33
This reminds me of an article I read a while ago about a London computer security firm doing a publicity stunt. It was around Valentine's Day or something similar and they handed out CDs with a "special offer" from a jewelry store. When people inserted the disk it popped up a message.
Social engineering has always been the easiest way to get into anything. Unfortunately, the only way to prevent it is education of all your employees (or lock down your computer systems to where they're almost unusable).

06-11-2006, 02:33 AM
Executive Editor, Android Thoughts
Join Date: Aug 2006
Posts: 3,233
Quote:
Originally Posted by Sven
What is interesting is that those 15/20 folks apparently didn't share their good fortune. If you found that 19 of your colleagues also found a thumb drive outside that morning, wouldn't you be a bit suspicious? Almost like they knew it was wrong and didn't want to be found out. :roll:

I hadn't thought of it, but these credit union people sure were all about finders-keepers. I found a lost USB memory stick a few months back outside a building on campus, and did pop it in to see the contents (Yes yes, it could have been a virus... although since no auto-run exists for these things and I'm fairly proficient at spotting viruses, I took the risk) to look for a name or address or something. Why did I do this? Well, the next stop was campus police to turn it in - I just had a sinking feeling that they wouldn't do more than just hold it - I wanted to have the party who lost it be notified.
But apparently these people didn't bother turning it in to a receptionist or to their designated lost-and-found, because if they had, they would have noticed a strangely high amount of these things popping up that day!
__________________
Dr. Jon Westfall, MCSE, MS-MVP
Executive Editor - Android Thoughts
News Editor - Windows Phone Thoughts

06-11-2006, 07:40 AM
Ponderer
Join Date: Sep 2003
Posts: 98
Actually, USB flash drives are not supposed to be able to auto-run. Windows XP does not support "AutoPlay" nor "AutoRun" for removable drives.
That being said, it wasn't long before enterprising folks discovered how to make USB drives do just that. There are two ways you can have a USB drive self-start:
- Set it up as a fixed drive by assigning a permanent drive letter to it and designating it as a drive, and...
- Place an .INI file in its root that directs an accompanying application to start immediately.
While this is helpful in many instances, it can also present new problems for IT managers.
E.g., MedicAlert has a division called eHealth Key that markets a USB drive programmed with an application that, upon insertion in a USB port, auto-installs a program that allows a user to access and edit their MedicAlert emergency medical profile data and both save it to the drive as well as update MedicAlert's database. The key is worn around the neck on a lanyard or chain and can be inserted in a PC at any hospital. Emergency care workers at an ER will then be able to access their emergency medical instructions on the key. (But not alter it without an account number, username, and password).
Of course those with less noble intent can inject other programs onto a PC using the same methods.

06-11-2006, 11:05 AM
Ponderer
Join Date: Jan 2005
Posts: 93
Not too long ago I bought a 4 gig Thumb drive. As soon as I plugged it in to my computer a program was launched. It is called a U3 Smart Drive. There are two partitions on it with one containing the U3 software. I was surprised and annoyed as I could not get rid of it!
I finally found a program provided by the Geek Squad at Best Buy that reformats the drive and removes the boot partition.
If you want to read what it is all about go to www.u3.com.

06-11-2006, 06:02 PM
Thinker
Join Date: May 2004
Posts: 481
During network room 'GI party' we would always come up with drives that were taken out of PC's for one reason or another with no note taped to it. And lately we've seen a lot of various flash cards that were found on the floor and turned into us, etc., etc....
We have a couple of PC's set up for things like QA and going through various media. These machines always have network cable unplugged. As a matter of fact we even have a sign taped to the front of these PC's that the network cables are not to be connected under any circumstances to any network or other PC without the approval of the current operations room supervisor. No ifs, ands or buts.
Most of the flash cards (SD/CF/etc.) are usually lost cards from cameras or sometimes personal backups. HDD's are not such a problem but the plug-in USB drives are worrisome since people now have the ability to unknowingly bring in a virus on them or knowingly (or worse, stupidly not knowing that they shouldn't be) taking data off premises.
At least in our organization PC's are starting to show up without USB ports accessible from outside the case and soon none at all on the motherboard. Floppy and silicon cards have not been seen on our PC's for ages. This is for the rule for general office staff (aka users). For technical people such as programmers, researchers and these types backups of their work are made nightly so again nothing has to be offloaded from PC to other media. We do have a number of scenarios where we have to download to QA, laptops and customers to mention a few. Sales personnel are supplied with the latest and greatest on their laptops (USB and cards are disabled). No salesperson has 'their' own laptop setup 'their' own must have way (ah, well almost. Bring in 3meg a year and we can make an adjustment).
So far this system works out OK but there are always tweaks to who, what and where. Bottom line is that if someone wants to be able to get stuff off or on to a machine there has to be a reason and all sorts of approvals. And I'm sure with the latest high profile theft of a government laptop we will be tightening the screws on who, what and where. This tends to keep dishonest people honest and stupid people smart :wink: .
Jeff-

06-11-2006, 11:26 PM
Neophyte
Join Date: Apr 2004
Posts: 6
Easy IT solution
If the computer(s) are members of a domain then a simple "Disable USB" Group Policy Object takes care of it.
For non-domain computer & work group computers in START>RUN>(type)regedit>OK
Navigate to HKEY_LOCAL_MACHINE>CurrentControlSet>Services>USBSTOR
edit the registry value "Start" from "3" to "4"
Exit & restart.
USB storage devices, flash cards etc are locked. Regular USB devices that do not act as storage devices still work. (i.e. a USB multi-function printer with a multi-card reader might be blocked, or might be a loop-hole, not sure) But it is a bit more noticeable to bring in a multi-function printer to work 8O than a USB storage media device :mrgreen:
"Hey uh..Bob,..whatcha got there?" ..... "Oh,..uh..nothin..nothin really." :roll:
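
Added example, not part of any post above: a PowerShell version of the USBSTOR registry change from the last post, combined with a read-only check of whether AutoRun is switched off for removable drives, the behaviour debated earlier in the thread. It assumes the full key path HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR and the NoDriveTypeAutoRun policy value, which the thread does not mention; the function names are hypothetical.

```powershell
# Added example: audit and optionally disable USB mass storage on one machine.
# Assumption: full service key path, including the SYSTEM segment.
$UsbStorKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Assumption: AutoRun policy value (not named in the thread).
$ExplorerPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RemovableMediaPosture {
    # Read-only: reports the driver start type and the AutoRun policy bits.
    $result = [ordered]@{
        UsbStorStart        = $null    # 3 = load on demand, 4 = disabled
        UsbStorageBlocked   = $false
        NoDriveTypeAutoRun  = $null
        AutoRunOffRemovable = $false   # bit 0x04 covers removable drives
    }
    $svc = Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue
    if ($svc) {
        $result.UsbStorStart      = $svc.Start
        $result.UsbStorageBlocked = ($svc.Start -eq 4)
    }
    $pol = Get-ItemProperty -Path $ExplorerPolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($pol) {
        $result.NoDriveTypeAutoRun  = '0x{0:X2}' -f $pol.NoDriveTypeAutoRun
        $result.AutoRunOffRemovable = (($pol.NoDriveTypeAutoRun -band 0x04) -ne 0)
    }
    [pscustomobject]$result
}

function Disable-UsbStorage {
    # Sets Start = 4 so the USB mass-storage driver no longer loads.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $UsbStorKey)) {
        throw "USBSTOR service key not found: $UsbStorKey"
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

# Report current state; preview the change before applying it.
Get-RemovableMediaPosture | Format-List
Disable-UsbStorage -WhatIf
```

Writing the value needs an elevated session; the audit function only reads, so it can be run on a schedule to catch a machine where the value has been set back to 3.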