Chilling story about a security firm’s successful infiltration of a credit union’s infrastructure using old USB flash drives. They wrote a Trojan that would collect “. . . passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us,” put it on the thumb drives and scattered them around the employee parking lot.
The bottom line:
Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.
Business Opportunity: Software or Epoxy?”
Do I sense a product opportunity? Software that erases everything on a flash drive that doesn’t have a security certificate? Or how else could one do it?
Or you could sell epoxy glue guns to seal off the USB ports. “Secure Goo” anyone?
Recent Comments