IIn 2005 it was a top 10 business give away. In 2006, it"s on the 'most wanted' list for potential corporate criminals. That's right. the oh so convenient, oh so small, oh so coveted USB Mini Drive could soon be banned in a corporation near you because it has the power to be a weapon of mass destruction.
Steve Stasiukonis ,VP and founder of Secure Network Technologies Inc. wrote a piece in Dark Reading all about the vulnerabilities corporations because of the beloved USB Mini. Here's a clue--buy stock in SuperGlu
As part of his business Stasiukonis is hired by companies to test the security of their networks. The client in this case asked them to really push the social engineering button. Stasiukonis writes,
Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.
So here is what Stasiukonis did: He took about 20 USB and had one of his folks write a trojan that,"
" when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us."
Early one morning he "seeded" a bunch of USB drives in strategic locations:
the parking lot, smoking area and other place employees frequented. Then he got a cup of coffee and watched.
Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
As interesting as this possible threat to corporate systems is the ethical discussion that follows the article. Not all readers are amused at the company's tactics to test the security of their system.
As one writer suggested, the easy fix is to simply Superglue all USB ports on corporate computers.
Net Net-- don't be surprised if someone from tech support stops by your desk later today with a bucket of Superglue--why deal with the real problem, when Superglue will do.
Hat Tip to the Daily Irrelevant.
Image Credit: Flickr member, Kansir