This is a great story of social engineering, wherein USB drives are “dropped” around a bank and employees pick them up and plug them into bank computers [via Slashdot]. This was done as part of a security audit, and what is particularly interesting is that the employees knew a security audit was being done and knew that social engineering attacks were going to be attempted. The results:
Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
This is reminiscent of a similar social engineering test I read about maybe a year ago, where free CDs were given out on the street. The lure of free stuff is hard to combat. And, thinking about it, if I found a USB drive left in my classroom, I very well might put it in my computer to see if I could identify who it belonged to. It’s the old tension: perfect security would require people to suppress exactly the instincts for trust and helpfulness that make them useful colleagues.
I wonder what would happen if you tried the experiment with something dropped around a place that might be biologically contaminated – pieces of candy, say. How many people would take it and eat it?
And that’s why Windows users should disable autorun on their PCs. Not only does it stop Sony from installing their rootkit, but it also protects you from this sort of social engineering attack.
This is true, and yet it does not entirely solve the problem. It seems as if they know that several of the people not only inserted the drives into their computers, but also browsed around them, opening a number of the files. So, even without autorun, infection, particularly through a well-named file, would still be possible.
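Both of the points in the two comments above (autorun launching something the moment the drive is inserted, and a well-named executable still getting double-clicked afterwards) can be checked mechanically before anyone opens a file. The following is an added example written for this page; it is not code from the post, the commenters, or the credit union audit. It walks a mounted volume, reports any autorun.inf and what its open= or shellexecute= line would launch (those are the real keys Windows autorun honours), and flags executables whose names borrow a document extension, the "Q4 bonus list.xls.exe" style lure. The function names, the extension lists, and the sample "drive" it builds in a temporary directory are all assumptions made up for the example; the files it creates are placeholder bytes, not a payload.

```python
import configparser
import tempfile
from pathlib import Path

# Extensions Windows will execute on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".hta", ".lnk"}
# Extensions a user expects to be harmless; an executable that wears one of
# these as its second-to-last suffix is the classic "well-named file" lure.
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg"}


def parse_autorun(path: Path) -> dict:
    """Return the key/value pairs of the [autorun] section as a dict ({} if unreadable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(encoding="utf-8", errors="ignore"))
    except (OSError, configparser.Error):
        return {}
    # Section names are case-sensitive in configparser; autorun.inf files are not.
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))  # keys are lowercased by configparser
    return {}


def audit_volume(root) -> list:
    """Walk a mounted volume and return (path, reason) findings for anything worth a second look."""
    root = Path(root)
    findings = []

    # 1. Autorun: what would Windows have launched on insertion with autorun enabled?
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        entries = parse_autorun(inf)
        target = entries.get("open") or entries.get("shellexecute") or "<none>"
        findings.append((str(inf), f"autorun.inf present; would launch: {target}"))

    # 2. Files a curious finder might double-click even with autorun disabled.
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
            continue
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append((str(path), "executable disguised with a document extension"))
        else:
            findings.append((str(path), "executable on removable media"))
    return findings


def build_sample_drive() -> Path:
    """Constructed sample data: a throwaway directory laid out like a planted USB stick."""
    d = Path(tempfile.mkdtemp(prefix="usbdrop_"))
    (d / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    (d / "setup.exe").write_bytes(b"MZ")                  # placeholder bytes, not a real PE
    (d / "Q4 bonus list.xls.exe").write_bytes(b"MZ")      # the lure a finder would open
    (d / "readme.txt").write_text("If found, please return to Branch 3.\n")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    for path, reason in audit_volume(drive):
        print(f"{reason}: {path}")
```

Run it against a real mount point (for example `audit_volume("E:\\")`) instead of the constructed sample to see what a dropped drive would actually do. It addresses only the two failure modes the comments name: it says nothing about file contents, so a plain `.doc` carrying a macro would pass it, which is the same gap the second comment is pointing at.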
As always, the human link is the weakest on any given network.