Security Basics mailing list archives

Re: Social Engineering using USB drives


From: "Greg Merideth" <gmerideth () ftnj net>
Date: Thu, 15 Jun 2006 10:43:40 -0400

We had performed a test like this a while ago by sending CDs to our
client's staff that contained "fully functional demo programs" that did
minor things such as inventory office computers or perform SNMP
monitoring of hardware devices.

Of the eight IT staff who received the CDs, four, without even
checking the website shown on the CD, ran the install, installed our
programs and installed our Trojan applications.  The four who checked
the site first were told this was a test from their employer.  The
only drawback was the four that checked the site did so from a link in
the setup program which included in the URL the user's domain/login
name and private IP address.

One of the four who blindly ran the application was using ZoneAlarm
on her laptop and casually accepted ZA's notice that a program called
"tpz8v8v.exe" was trying to access the Internet.

While it was a success on our end, the client was not pleased.  Six
months later, after a series of training sessions, new policy
development and ongoing test attacks, they have reached a much higher
level of security.

My only concern is that now the story is out, we can look forward to a
series of copycat attempts at data theft through the Trojan horse
method.

On 6/14/06, Saqib Ali <docbook.xml () gmail com> wrote:
A "The Enquirer" article and a "University Security Operation Group"
discussion on how a social engineering attack was mounted by merely
leaving USB drives outside the front door of a company.

http://www.digg.com/security/Social_Engineering_using_USB_drives



--
Greg Merideth
Forward Technology, LLC.
CTO & Other Wild Stuff
gmerideth () forwardtechnology net
PGP Fingerprint
D0FCCD39743A6ABF87470A87EDE382594968A60A
"10b|~10b" - Shakespeare

