When USB Drives are Lying Around

What do people do when they see a USB drive lying around somewhere? They plug it into their computers, of course!

This interesting study about social engineering and security in the workplace gives some insight into why USB drives can be quite nightmarish for the enterprise.

The consultants were testing how sensitive the employees were to the security of their data, and how easy it was for them to share passwords and other critical information with other people. One way the consultants went about this was by scattering about 20 cheap USB drives in places the employees frequently go, like the parking lot. This was done very early in the morning. 15 USB drives were found, and all of them were plugged into company computers once the employees found them. Unknown to the employees, the USB drives carried a Trojan that would run, collect passwords, and then send them to the consultants.

"Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat."

Maybe we should ask why this happens. I think the primary reason is that, even today, USB drives still have some sort of novelty to them, unlike CD-ROMs and floppy disks, which immediately give you alarm signals about their possible contents. Just read the consultants' observation on the behavior of those who found the drives.

"It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks."

The thing is, the people in this company knew that a security inspection was going on at that moment!

First off, I think that the unique shape of every USB drive out there instills immediate curiosity in those who see it. Another thing is that maybe people are thrilled to find out whether they can make it work on their PC. Are they curious whether they can find some hidden dirty secret there? Maybe, but in my opinion it is just plain curiosity about a funny-looking device at this point.

Source: Social Engineering, the USB Way

