Oh the humanity..
A SECURITY outfit found the easiest way to crack into a company's systems was to leave a few Trojan laced USB drives scattered around the front door.
More at source:
http://www.theinquirer.net/?article=32311
Very funny...
Very sad...
haha indeed brilliant
except, the employees did know there was an attack planned.
So if i was an employee of that company and i would find a usb stick
and so did 14 others, i would get suspicious
But that's me i guess :) ...
... paranoid
Lol back in my electronic prankster days I used to do this with Floppy disks. Not anything new but certainly fun to watch when the employees already knew.
Hmmmm,
The company obviously has an inadequate security policy, or certainly one that is not enforced properly.
I know quite a few places where taking an external device on site and attaching it to the organisation's kit would get you fired.
Let's face it, if you have a lousy policy and lousy enforcement you are vulnerable, period.
Not so much a case of "if" but "when"?
:)
I had a good think about this one.
We've not considered USB drives to be a significant risk over and above anything else. Especially for information theft data can be emailed out, printed out, written to CD etc etc.
For malware we didn't consider USB drives to be a greater risk than staff bringing in CDs or floppies.
As for sticking them into the PC, I've got to admit that until that story I would have stuck the drive in to find out the owner. CD autoboot is blocked by default and I would have assumed that USB autoboot was also blocked. But it isn't.
I've got some of our guys looking into blocking of the autoboot function hopefully something that can be done without purchasing software.
We might need to modify policy to more explicitly oppose plugging in untrusted devices.
Haha, that's great...maybe Kevin Mitnick could learn a bit about this level of social engineering?
Quote:
The specially written trojan that collected passwords, logins and machine-specific information from the user’s computer, and then emailed the company with the findings. Stasiukonis said that the attack was so simple and beat the hell out of hanging out with the smokers, sweet-talking receptionists, or commandeer a meeting room and jack into the network.
On a serious note, something like that isn't surprising at all (how sad is that?). In this day and age of ease-of-use, people sacrifice security for convenience. If people had to pass a computer IQ test before owning a laptop or PC, not only would we have smarter users but we'd also have no job, haha... It's like pro-creating...just because two people can doesn't mean it's the best idea.
At work we've removed the floppy and usb devices by disabling them in the bios which is also password-protected. Prevents a lot of nasties coming into the workplace but also keeps data at the workplace to a better degree. Now if we could only block hotmail, yahoo mail, and any other free webmail service, it'd be a lot more locked down but that's almost prohibitive.
I think that there's a registry tweak to block it.
Quote:
Originally posted here by Aspman
I've got some of our guys looking into blocking of the autoboot function hopefully something that can be done without purchasing software.
I don't know if this is the case, but perhaps when the employees were warned about an attack, they were envisioning some cracker at a keyboard trying to break in. In any event, it seems this company needs to do some serious threat awareness training (besides, of course, disabling access for this kind of device).
Quote:
haha indeed brilliant
except, the employees did know there was an attack planned.
So if i was an employee of that company and i would find a usb stick
and so did 14 others, i would get suspicious
But that's me i guess ...
... paranoid
Quote:
I think that there's a registry tweak to block it.
TheHorse13 posted the registry edit here
http://www.antionline.com/showthread...&highlight=usb
I believe Vista has a way to disable it built in....
MLF
Hmmm. Is there a way to block 'Autorun' only, still allowing drives to work?
And that while I know a company who fired people who let colleagues do a quick thing while they were still logged in under their own name.
This guy on http://www.darkreading.com/boards/me...?msg_id=134597 put it nicely:
Quote:
You two have hit upon the very essence of the portable storage security problem-- the devices are meant to improve employee productivity, allowing employees to take work home with them. The guy who spilled all the data at Veterans Affairs was trying to be a good guy--he took his work home to do some extra, and then got his laptop stolen. The security people say shoot him, he exposed secure data. But if his laptop hadn't been stolen, he probably would have been praised for his extra effort. The technology is there to help the employees, and it seems that firing them, or denying them access to the technology, is contrary to its purpose. Yet, we can't just let these folks walk around with sensitive data, or allow them to introduce malware through curiosity about a found thumb drive. So what's the answer??
ha ha!!! that is brilliant! :)
i would fall for that 1 :), if i found a usb flash drive on the floor you can be sure I would use it :)
Yep.
Quote:
Originally posted here by Aspman
Hmmm. Is there a way to block 'Autorun' only, still allowing drives to work?
There is a reg key change for that too. Throw a lil search in Google. I can't remember off hand what the value is.
--TH13
In the article it stated they even knew an attack was coming but yet when these 'mysterious' USB drives appear in the front of the credit union about 20 of them they just stick them in and run it from there.
Just goes to show you, curiosity killed the cat. ;)
I believe the answer would be a VPN. Why would someone need 26 million records at home? That's just stupid.
http://support.microsoft.com/default...b;en-us;823732 ----> how to disable the usage of USB storage devices ....
What we really miss these days is security awareness ... Not all people appreciate the importance of security .... I worked for an ISP lately .... their customer services and marketing teams were totally clueless when it comes to security .... and to add insult to injury, they all had administrative privileges .... I don't blame them, the IT team holds absolute responsibility .... the IT team did not apply the least of security basics to protect the network that is {nominally} the vein of critical information flowing back and forth... they just let it vulnerable to leakage and violation ..... this is really disgusting ..... I really wish someone to hurt them a little bit ... just to make a wake up call for those whiners
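An added example, not taken from the thread or the posts it links to: a Python audit of a registry export for the two settings discussed above, the Autorun drive-type mask (`NoDriveTypeAutoRun`) and the USB storage driver start value that the linked Microsoft article changes. The sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample: registry export from a hypothetical workstation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Start"=dword:00000003
'''

AUTORUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
USBSTOR_KEY = r"hkey_local_machine\system\currentcontrolset\services\usbstor"

# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES Autorun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int}} (dwords only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def audit(text):
    """Report which drive types still allow Autorun and whether USB storage is off."""
    keys = parse_reg(text)
    mask = keys.get(AUTORUN_KEY, {}).get("nodrivetypeautorun")
    start = keys.get(USBSTOR_KEY, {}).get("start")
    if mask is None:          # value absent from the export: nothing to decode
        allowed = None
    else:
        allowed = sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)
    return {
        "autorun_allowed_on": allowed,
        "removable_autorun_blocked": mask is not None and bool(mask & 0x04),
        "usb_storage_driver_disabled": start == 4,  # 4 = service disabled
    }

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

With the constructed values, Autorun is still allowed on removable and CD-ROM media; a mask of `0xFF` blocks it on every drive type while the drives themselves keep working.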
To quote the darkreading post:
I'd have to disagree with the first bold line. It has nothing to do with him trying to be a "good" guy IMHO simply because usb thumb drives make data transportation so easy (upwards of 8gb drives or probably higher by now). When he signed his employment papers, there's undoubtedly a few lines or more about sensitive data, etc. It all starts with "well, it's only a few" followed by a few more times doing it, he sees everyone else doing it....maybe his boss even did it. Nobody's the wiser until something bad like this happens and he's the scapegoat that'll be crucified, drawn and quartered, tarred and feathered, etc... It doesn't matter if the president was doing the same thing, it'll always be the lowest man on the totem pole who gets axed.
Quote:
You two have hit upon the very essence of the portable storage security problem-- the devices are meant to improve employee productivity, allowing employees to take work home with them. The guy who spilled all the data at Veterans Affairs was trying to be a good guy--he took his work home to do some extra, and then got his laptop stolen. The security people say shoot him, he exposed secure data. But if his laptop hadn't been stolen, he probably would have been praised for his extra effort. The technology is there to help the employees, and it seems that firing them, or denying them access to the technology, is contrary to its purpose. Yet, we can't just let these folks walk around with sensitive data, or allow them to introduce malware through curiosity about a found thumb drive. So what's the answer??
Prime example: everyone here knew about the Marriott incident where millions of customer information records with SSN, addresses, credit card numbers, etc on a tape got stolen, right?
I personally knew the guy whose job it was to manage the backups (I worked at Marriott Vacation Club International for 3 years). His office had tapes everywhere, stacked up, drawers full...simply because tape management is almost impossible to do after a few weeks of inheriting. They have Iron Mountain, just like a lot of major businesses do. His office is locked every day, just like everyone else's. He comes in on a Monday and finds a few tapes missing. What does he do? The honest thing. He reports it immediately and that's when the sh*t hit the fan. He got ostracized from the higher-ups because of his "sloppiness", etc. Got suspended without pay until they were to decide his fate (which took a month before he got fired). How can one really blame him for something he didn't start, that everyone prior to him did, etc. I've got several administrator friends over there and they say "Yeah, before this happened, MI would call us and say 'Hey, did you guys get those tapes we mailed'...'No, haven't gotten them at all'...'Ok, we'll just send another batch'". They issued a mandate to have anyone with tapes in their possession to send them in so they can be identified and put away safely. They're STILL having tapes sent in by people that have ZERO rights to have them. VPs, receptionists, etc...saying things like "YEAH I FOUND THIS IN MY BOTTOM UNLOCKED DRAWER".
I know I went on a diatribe there, but it pisses me the F off to see a case like that where there's so many guilty parties, yet one guy gets the axe because everyone got lax. The second bold part is not true either. I guarantee a lot more people than him were working from home using laptops from work with sensitive data on it and you can bet the bank THAT stopped after he got nailed.
It always starts out small, like petty theft. Nothing bad happens, so it progresses more and more until eventually, something goes haywire and it's all over CNN.
In the end, it's a lose-lose situation, really. The guy was trying to do work from home or wherever. No faulting him for that. What he really did wrong was have sensitive data on his laptop which wasn't in his actual office. Data integrity is immediately compromised the minute you have any alternate transfer/storage method available and trusting anyone to always do the right thing is open to interpretation.
Working in an enterprise environment, it's almost impossible to employ security methods that aren't in some manner invalidated because of the white-list of allowed people. Prime example, we have a lot of people that watch streaming video and listen to streaming audio at work. Nothing's really wrong with the audio, it's the video that trenches the 10mb internet pipe. So, it's in the works to have policy written that's completely banning it and employing Websense policies. But, there's going to be a white-list of senior vps and the president to let them do what they want. Nothing is completely across-the-board and the IT team feel pretty helpless when they know the right thing to do, but since they're on the bottom, it's promptly ignored by people who don't have the awareness of security. Been there, done that, hehe....
Quote:
Originally posted here by Black Cluster
http://support.microsoft.com/default...b;en-us;823732 ----> how to disable the usage of USB storage devices ....
What we really miss these days is security awareness ... Not all people appreciate the importance of security .... I worked for an ISP lately .... their customer services and marketing teams were totally clueless when it comes to security .... and to add insult to injury, they all had administrative privileges .... I don't blame them, the IT team holds absolute responsibility .... the IT team did not apply the least of security basics to protect the network that is {nominally} the vein of critical information flowing back and forth... they just let it vulnerable to leakage and violation ..... this is really disgusting ..... I really wish someone to hurt them a little bit ... just to make a wake up call for those whiners
That was great it sounds like something that would happen to some high security place. Cause hell i know some people in the army if they found a usb drive or other they would plug it in to any puter they found to find out what was on it.
I know there are tools to be able to block/track/monitor USB device usage. IIRC, in the Windows registry, when a USB device is plugged in, it creates a key in the registry. (or elsewhere in the machine, I can't remember, I haven't used a Windows box in about 3 years)