__/ [ dsteel0@xxxxxxxxxxx ] on Tuesday 25 July 2006 17:40 \__
> The Ghost In The Machine wrote:
>> Just in case you thought it couldn't get any weirder:
>>
>> [http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1]
>>
>> Social Engineering, the USB Way
>>
>> JUNE 7, 2006 | We recently got hired by a credit union
>> to assess the security of its network. The client asked
>> that we really push hard on the social engineering
>> button. In the past, they'd had problems with employees
>> sharing passwords and giving up information easily.
>> Leveraging our effort in the report was a way to drive
>> the message home to the employees.
>>
>> The client also indicated that USB drives were a
>> concern, since they were an easy way for employees
>> to steal information, as well as bring in potential
>> vulnerabilities such as viruses and Trojans. Several
>> other clients have raised the same concern, yet few
>> have done much to protect themselves from a rogue USB
>> drive plugging into their network. I wanted to see if
>> we could tempt someone into plugging one into their
>> employer's network.
>>
>> [end excerpt]
>>
>> Now, there are a few issues here.
>>
>> [1] Linux would really help in defending against these sorts of trojans.
>> At least with Linux one can theoretically look in the horse without
>> letting the soldiers out. (However, there's a possibility of Flash
>> making things interesting. I'll have to look.)
>
> It doesn't state which OS is in use on the network in question. Maybe
> it already is. It clearly states that the users activated the trojans
> by flicking through images on the stick - as long as they're
> double-clicking to activate, isn't it still possible on *nix to run a
> trojan? Especially a custom-written piece of software, as per the one
> in the article (or, so it sounds).
>
>>
>> [2] Linux could help in locking down mounting of rogue devices such as
>> USB drives -- if IT wanted to bother; the users might have a fit,
>> though.
>
> As an aside - so can Windows, but I don't want to be labelled an MS
> apologist, so I'll leave it at that.
Our resident trolls will possibly intervene and take the opportunity to
apologise.
>> [3] *This* one was relatively harmless, put up as a more or less
>> security test/prank/experiment. How about the next one?
>
> I heard about one where they had a foxy femme outside a building
> handing out sparkly free CDs, which everyone grabbed, and immediately
> took into the building and ran...
Were they by any chance AOL CDs? They make shiny coasters.
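The thread says Linux could lock down mounting of rogue USB drives "if IT wanted to bother". As an added example (my own code, not anything posted in this thread), here is the usual way to do that on a modern Linux box: a modprobe drop-in that denies the USB mass-storage class drivers, plus a helper that audits a /proc/modules-style listing to see whether one of them is already loaded. The drop-in file name (99-deny-usb-storage.conf), the optional target-directory argument and the sample module listing are my own assumptions, and the listing is constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: generate a
# modprobe drop-in that denies the USB mass-storage class drivers, and
# audit a /proc/modules-style listing for them. The file name and the
# constructed sample listing below are assumptions of this example.

# Modules that turn a USB stick into a block device: the classic
# usb-storage driver and uas (USB Attached SCSI). Denying only one of
# them leaves a gap, so both are covered.
USB_BLOCK_MODULES="usb-storage uas"

# Print the drop-in. "blacklist" only stops alias-based autoloading when
# the device is plugged in; the "install ... /bin/false" line also makes
# an explicit "modprobe usb-storage" fail.
usb_storage_modprobe_conf() {
    printf '# Deny USB mass-storage class drivers (site policy)\n'
    for m in $USB_BLOCK_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the drop-in into a modprobe.d directory (default /etc/modprobe.d)
# and print the path written so a caller can inspect it.
install_usb_storage_policy() {
    dir="${1:-/etc/modprobe.d}"
    out="$dir/99-deny-usb-storage.conf"
    usb_storage_modprobe_conf > "$out" && printf '%s\n' "$out"
}

# Return 0 if the /proc/modules-style listing at $1 shows one of the
# denied modules loaded. /proc/modules spells names with underscores,
# so "usb-storage" is looked up as "usb_storage"; anchoring on the line
# start plus whitespace keeps "usbcore" from matching.
usb_block_driver_loaded() {
    for m in $USB_BLOCK_MODULES; do
        name=$(printf '%s' "$m" | tr '-' '_')
        if grep -q "^${name}[[:space:]]" "$1"; then
            return 0
        fi
    done
    return 1
}

# Demo on a constructed listing, written to a temp dir rather than /etc.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'usb_storage 77824 1 uas, Live 0x0000000000000000' \
        'uas 28672 0 - Live 0x0000000000000000' \
        'ext4 933888 1 - Live 0x0000000000000000' > "$tmp/modules.constructed"
    if usb_block_driver_loaded "$tmp/modules.constructed"; then
        echo "a USB mass-storage driver is loaded; policy is not yet enforced"
    fi
    install_usb_storage_policy "$tmp"
    cat "$tmp/99-deny-usb-storage.conf"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner would want. Denying the driver only stops the stick from appearing as a disk; it does nothing about files that arrive some other way (mail, a CD, a share), so the reply's point that a double-clicked "image" can still run a trojan on *nix stands, and a noexec mount option on removable media is a separate, weaker control (interpreters can still be pointed at a script). And the drop-in is a policy for unprivileged users only: root can still insmod the module or rewrite the file, so it belongs alongside, not instead of, the usual change control on those hosts.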