The Easiest Hack Evar

Started by TehBorken, Jun 08 06 06:46

Previous topic - Next topic

TehBorken

What's the easiest way to hack into the computer systems of a credit union?  It turns out that all you need to do is [a href="vny!://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1"]copy a virus/trojan onto USB drives and scatter them around[/a] the front door of the credit union.

This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them.

Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors....[hr style="width: 100%; height: 2px;"][font style="font-weight: bold;" size="5"]Social Engineering, the USB Way[/font]
JUNE 7, 2006
We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

The real trouble with reality is that there's no background music.

Moolah!

I wonder how the trojan was run... eventually someone or some automatic script, has to execute it.



For me, it all boils down to human stupidity and ignorance: Fine go ahead, plug in the USB drive, view the images... but why the heck are you executing a program or batch file that you have no idea what it does?



That's where I'd have stopped.



Or would like to believe so. [A onclick="addImg('icon/icon_smile_approve.gif')" href="jvascript:void(0)"][/A]
*  Please unban me!! please please please  *

TehBorken

 Raging Poodle! wrote:
I wonder how the trojan was run... eventually someone or some automatic script, has to execute it.
[span style="text-decoration: underline;"]
[/span]It was automatically run via the autorun.inf file. [span style="text-decoration: underline;"]
[/span]
 
The real trouble with reality is that there's no background music.

kingy

that would work on me as well. if i found some flash drives, of course i am going to plug it into my computer. of course, i have anti virus.
...