Security Basics mailing list archives
Re: Social Engineering using USB drives
From: "Greg Merideth" <gmerideth () ftnj net>
Date: Thu, 15 Jun 2006 10:43:40 -0400
We had performed a test like this a while ago by sending CD's to our clients staff that contained "fully functional demo programs" that did minor things such as inventory office computers or perform SNMP monitoring of hardware devices. Of the eight IT staff who received the CD's, four, without even checking the website shown on the CD, ran the install, installed our programs and installed our Trojan applications. The four who checked the site first were told this was a test from their employer. The only drawback was the four that checked the site did so from a link in the setup program which included in the URL the users domain/login name and private IP address. One of the four who blindly ran the application was using zone alarm on her laptop and casually accepted ZA's notice that a program called "tpz8v8v.exe" was trying to access the Internet. While it was a success on our end the client was not pleased. Six months later after a series of training sessions, new policy development and ongoing test attacks they have reached a much higher level of security. My only concern is that now the story is out, we can look forward to a series of copycat attempts at data theft through the Trojan horse method. On 6/14/06, Saqib Ali <docbook.xml () gmail com> wrote:
A "The Enquirer" article and a "University Security Operation Group" discussion on how a social engineering attack was mounted by merely leaving USB drives outside the front door of a company. http://www.digg.com/security/Social_Engineering_using_USB_drives
-- Greg Merideth Forward Technology, LLC. CTO & Other Wild Stuff gmerideth () forwardtechnology net PGP Fingerprint D0FCCD39743A6ABF87470A87EDE382594968A60A "10b|~10b" - Shakespeare
Current thread:
- Social Engineering using USB drives Saqib Ali (Jun 14)
- Re: Social Engineering using USB drives Greg Merideth (Jun 15)