Friday, June 09, 2006

If you found a USB drive, would you use it?

Dark Reading | Social Engineering the USB Way
We recently got hired by a credit union to assess the security of its network.

We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Drives seeded: 20.
Drives found by employees: 15.
Drives plugged into company computers: 15. Yes, all of them.
Employees who realized anything was going on: 0.

It's unreported whether anyone tried to find the "lost" drives' owners.

