
Social Engineering Using USB Drives

Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."

  • wow (Score:5, Insightful)

    by nb caffeine ( 448698 ) <.moc.liamg. .ta. .enieffacbn.> on Thursday June 08, 2006 @06:41PM (#15498781) Homepage Journal
    That's an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my ubuntu box :)
    • Oh crap!!! (Score:5, Funny)

      by rvw14 ( 733613 ) on Thursday June 08, 2006 @06:44PM (#15498802)
      I better unplug that USB drive I found this morning.
    • Re:wow (Score:4, Funny)

      by HardCase ( 14757 ) on Thursday June 08, 2006 @06:45PM (#15498806)
      Oh crap...I'll be right back!
    • by Anonymous Coward on Thursday June 08, 2006 @07:48PM (#15499153)
      I heard that Microsoft was giving out free USB drives [theinquirer.net] containing press releases on the need to buy legitimate Windows [slashdot.org] licences.

      *wink wink nudge nudge*

    • Re:wow (Score:5, Insightful)

      by Bender0x7D1 ( 536254 ) on Thursday June 08, 2006 @08:25PM (#15499335)
      Unfortunately, even if you run ubuntu, you are still vulnerable - that's the beauty of social engineering.

      Sure, you might not fall for a renamed executable on a USB drive, but what if it's taken a step farther?

      Imagine you are walking into work early, and find an open folder on the floor, with some papers strewn around and a CD or DVD in with it. Imagine the paper is an application to put on a SIGGRAPH demonstration, and on the CD is a WINDOWS directory, a LINUX directory, a BSD directory and a SOLARIS directory and each directory has a file named SIGGRAPH_presentation.exe or there is a SIGGRAPH_presentation.jar, (eliminating the need for multiple OS versions), with a README about how to execute it. You figure, "What the heck - I love cool graphics."

      Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them.

      I don't care what OS you are running, if you can be convinced to execute something, there will be some damage done. If you aren't root the damage is limited, but there is still damage. The attack may have to involve more research on a person's interests, or require more "found" hardware to convince someone, but it can be done. Maybe someone has to buy some hardware from ThinkGeek and make a fake installation disk, then leave the box, (with the modified disk), somewhere you will come across it.

      Being convinced you are immune to the dangers of social engineering is not a good way to avoid being social engineered. A healthy dose of paranoia can go far - and it's only paranoia if there isn't anyone out to get you.
      • Re:wow (Score:5, Funny)

        by DeadChobi ( 740395 ) <DeadChobi@gmail.GINSBERGcom minus poet> on Thursday June 08, 2006 @09:19PM (#15499571)
        Speaking of paranoia, someone left a disc labeled "THE TRUTH" on my car the other day. I wonder what I did with it? Oh yeah. I tossed it. If some wanker wants to tell me "THE TRUTH" then they can do it the old fashioned way, with pamphlets.

        I find it a little odd that mine was the only car in the parking lot with such a CD on it. Maybe I shoul@(*$)*@#%^Y@Ba;skONBIAEOSNA NO CARRIER
      • Re:wow (Score:5, Funny)

        by From A Far Away Land ( 930780 ) on Thursday June 08, 2006 @10:01PM (#15499773) Homepage Journal
        I came home one day and this horse was waiting outside. Naturally I let it in. Damn Greeks!
      • by Moraelin ( 679338 ) on Friday June 09, 2006 @02:28AM (#15500577) Journal
        On the whole, I certainly agree with you, and it's certainly refreshing to see someone who doesn't fall into the "I use Linux so I'm immune to anything" trap. But I think even you underestimate it a little.

        "Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them."

        Doesn't even need root to steal passwords. There are a _ton_ of config files and startup scripts in your home directory, which a trojan can attach itself to. It can load itself in your bash window, as a plugin in your mozilla, launch an extra program in your X, replace icons on your desktop, and god knows what else. One of those will catch on to something.

        E.g., if it's, say, Suse, I know that there'll be some programs -- e.g., Yast, every time you run the auto-updater -- where the system will ask for the root password first. I can just replace the link with one to a program that shows an identical dialogue.

        Or, yeah, transmitting every file in your home directory is indeed another great way to get a ton of info. Source files that contain the URL, account and password to the productive database are the norm, rather than the exception. Or some cutesy script that goes through the firewall to download the latest nasa pic of the day or whatnot with wget, and in the process contains the user's name and password to go through that proxy. (Let's hope he's used that password in more than one place.) Or there'll always be one idiot who exported the productive database onto his local computer, or downloaded the server configs (including all database connections, with name and password) god knows what else he's copied there. There'll often be one idiot who's built some back door because he can't be arsed to go through the IT department to have something reconfigured or to properly log in. I'll love to know about that backdoor. There'll be emails with forgotten passwords. There'll be emails where people tell each other about those backdoors. ("Oh, if you come from the intranet zone, you can bypass the stupid authenticating proxy completely. Just use http//prod.somebank.com/internalurl/some.jsp?secret_user_login=admin.") There'll often be text files or spreadsheets with all the URLs, names and passwords he uses. (The geek equivalent of post-it notes.) Etc.

        Config files outside the home directory? Those can be fun too. E.g., everyone will have access to fstab. Maybe they'll have the name and password for every single file share they use in there, or maybe it'll be offloaded to some .smbpassword file, but there's nothing that some trivial parsing can't extract. Or just send it to me as it is, together with any readable file referenced in it. I'll do the extraction by hand.

        Log files? Now those can be a cornucopia of classified information. I've seen people even log each user's name and password at each login through their clever UserRegistry or Single Sign On module or such. If someone copied a bunch of productive logs to their machine -- or I can get the password to the machine where they are -- I might be able to login and cause mayhem as 1000 of their customers. Or go to those customers' profile pages and find out their personal data.

        Etc.

        "If you aren't root the damage is limited, but there is still damage."

        As I was saying, even if you aren't root, the damage done can be catastrophic. The thinking that all that matters is that the OS survives, can sometimes miss the point. Yeah, some guy's Linux installation survived perfectly. But then I got access to his company's servers. Was it that much better? I'll bet that as far as the company is concerned, they would have cared less if I just wiped out one workstation's hard drive.
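The two comments above make a concrete, checkable claim: a trojan that never gets root can still hook itself into the files a shell or X session runs at login, and the home directory itself is full of proxy, database and file-share credentials that a plain file copy would hand over. The script below is an added example written for this page, not code from either commenter; it audits a set of home-directory files for exactly those two things. The file contents are constructed, and the hostnames, usernames and passwords in them are hypothetical.

```python
"""Audit a user's home directory for the two things the comments above say a
trojan running without root would go after: a foothold in shell startup
files and credentials left in dotfiles, mount options and source trees.

Added example, not code from either commenter.  The file contents below are
constructed; the hostnames, usernames and passwords are hypothetical."""
import re

# Files a shell or X session executes at login: one appended line is enough
# for a non-root trojan to come back every time the user logs in.
# (Assumption: this set; ~/.config/autostart/*.desktop would be next.)
STARTUP_FILES = {".bashrc", ".bash_profile", ".profile", ".zshrc",
                 ".xinitrc", ".xsession", ".xprofile"}
# A program run from a scratch directory or a hidden directory under $HOME
# is how a dropped payload would be launched; legitimate dotfiles rarely do it.
SUSPICIOUS_LAUNCH = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|(~|\$HOME)/\.[^/\s]+/)")
BACKGROUND = re.compile(r"\b(nohup|setsid|disown)\b|&\s*$")

CREDENTIAL_PATTERNS = {
    # db.password=..., PASSWORD: ..., secret = ...
    "password assignment": re.compile(r"\b(passw(or)?d|pwd|secret)\s*[=:]\s*\S", re.I),
    # ~/.wgetrc / ~/.curlrc style proxy settings (the comment's wget example)
    "proxy credential": re.compile(r"proxy[-_]?(user|passw(or)?d)\s*[=:]?\s*\S", re.I),
    # scheme://user:pass@host in notes, scripts or source
    "credentials in URL": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
    # cifs/smbfs mount options in fstab or a credentials file
    "mount credential option": re.compile(r"\b(username|credentials)=\S+", re.I),
}


def audit_home(files):
    """files maps a path relative to $HOME to its text.
    Returns a list of (path, lineno, kind, line) findings."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if name in STARTUP_FILES and (SUSPICIOUS_LAUNCH.search(line)
                                          or BACKGROUND.search(line)):
                findings.append((path, lineno, "startup persistence", stripped))
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, kind, stripped))
    return findings


# Constructed sample home directory (hypothetical hosts, users and passwords).
SAMPLE_HOME = {
    ".bashrc": "# ~/.bashrc\n"
               "export PATH=\"$HOME/bin:$PATH\"\n"
               "alias ll='ls -l'\n"
               "nohup ~/.cache/.sys/update >/dev/null 2>&1 &\n",
    ".wgetrc": "proxy_user = jdoe\n"
               "proxy_password = Winter06\n"
               "http_proxy = http://proxy.corp.example:8080/\n",
    ".smbcredentials": "username=jdoe\npassword=Spring06\ndomain=CORP\n",
    "src/db.properties": "db.url=jdbc:postgresql://prod-db/bank\n"
                         "db.user=app\n"
                         "db.password=Tr0ub4dor\n",
    "notes.txt": "vpn: http://jdoe:Summer06@vpn.corp.example/\n",
    "readme.txt": "Passwords are rotated every 90 days.\n",
}

if __name__ == "__main__":
    for path, lineno, kind, line in audit_home(SAMPLE_HOME):
        print(f"{path}:{lineno}: {kind}: {line}")
```

The startup-file check is deliberately a heuristic (a user who keeps tools under a hidden directory will trip it), and the credential patterns only catch the obvious spellings; the point is that everything it finds is readable by any process running as the user, root or not.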
  • Will have to try it...
  • I thought of that a while back..be easy to infect people. Just hand it to them and ask them what's on it. Windows is happy to run it.
  • by Coopjust ( 872796 ) on Thursday June 08, 2006 @06:44PM (#15498801)
    Given autoplay and the fact that many USB keys do not need drivers, this could turn out to be a serious problem.

    Why not just disable USB keys [petri.co.il]? They don't need to take that data home with them...the ChoicePoint disaster, several laptops stolen out of cars... these companies need to make our personal data more secure.
    • by jafiwam ( 310805 ) on Thursday June 08, 2006 @06:53PM (#15498854) Homepage Journal
      Per the autoplay disabler function in the group policy in windows, all removable drives aside from optical disks (DVD/CDROM) have autoplay disabled by default.

      They didn't use autoplay, they used an enticing file name on an executable. (My wife Pics.exe (with a zip icon) would do it.)

      It's sort of interesting that 15 new devices made it in the building without anyone talking about it. "Hey, look what I found" "Mine is a gig!" "Me too!". They all put it in to see what's on it probably knowing it's against the rules and did it anyway.

      It's not ignorance, it's "i think i can get away with it."

      I wish I could find thumb drives in the parking lot.

      On another note, I sure hope that company didn't send the stuff they collected unencrypted. That's a violation of a bunch of rules. Penetrating a network for a security audit shouldn't lower the overall security of the network, if they sent unencrypted that's exactly what they did though.
      • I'm not sure they needed it to show up as an executable. They probably just laced the image files with spyware, which is apparently possible now.

        This is Cooooollllld. Interesting thing is that five of the twenty were contractors / non-bank employees / someone else who had access to bank PC's... Wonder if they made it through the ensuing furor.
      • Or how about this as a vector - put an executable file on the disk, labeled "Sexy Pics" and with a folder icon. Windows by default does not show extensions... and it is safe to click on folders, right?
        On another note, I sure hope that company didn't send the stuff they collected unencrypted. That's a violation of a bunch of rules. Penetrating a network for a security audit shouldn't lower the overall security of the network, if they sent unencrypted that's exactly what they did though

        They could have caused the data to be sent unencrypted to a test machine inside the corporate network somewhere, or directly connected to the corporate network for the purposes of the test but outside the firewalls. That woul
      • It's sort of interesting that 15 new devices made it in the building without anyone talking about it. "Hey, look what I found" "Mine is a gig!" "Me too!". They all put it in to see what's on it probably knowing it's against the rules and did it anyway.

        Thus the counterintuitively high 'value' to a social engineer (read: con-man) of an administration PROHIBITING something that's human nature.

        Everyone will do it.
        Everyone knows they are not supposed to.
        Because it's 'wrong', nobody will tell anyone else.
        Thu
    • As far as I know it's impossible to autoplay upon USB insertion. If anyone knows how to do this, please speak up.
    • But I use my USB drive to quickly ssh&vnc into my home box.
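The subthread above argues over the mechanics: whether autorun.inf can fire at all on a USB stick, the fact that the real lure is an executable with an enticing name and a borrowed icon, and the default of hiding known extensions so that "Sexy Pics.exe" shows as "Sexy Pics". Those are all things that can be checked from a file listing before anything on a found drive is opened. The script below is an added example written for this page, not the auditors' tool and not code from any commenter; the listing and the autorun.inf body it runs over are constructed, and the extension sets are assumptions rather than what Windows consults.

```python
"""Triage a found removable drive's file listing for the lures discussed above:
an autorun.inf that launches a program, executables named to pass as data,
and double extensions such as .jpg.exe.

Added example, not the auditors' tool and not code from any commenter.
The sample listing and autorun.inf body are constructed."""
import configparser
import posixpath

# Extensions Windows runs on double-click.  Assumption: a conservative fixed
# set; a real tool would consult PATHEXT and the registered file handlers.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".msi", ".jar"}
# Extensions users read as harmless data; a lure pairs one with an EXEC_EXT.
DATA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".xls", ".ppt",
             ".pdf", ".txt", ".zip", ".mp3", ".avi", ".mpg", ".wmv"}
# autorun.inf keys that name something to run.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the launch-relevant keys of an autorun.inf body, or None when
    there is no [autorun] section.  The format is INI-style; Windows treats
    section and key names case-insensitively, so we do too."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    name = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if name is None:
        return None
    section = cp[name]  # configparser already lower-cases the keys
    return {k: section[k] for k in LAUNCH_KEYS + ("icon", "label", "action")
            if k in section}


def classify_name(path):
    """Reasons a filename looks like a lure (empty list if none)."""
    reasons = []
    base = posixpath.basename(path.replace("\\", "/"))
    stem, ext = posixpath.splitext(base.lower())
    if ext in EXEC_EXTS:
        reasons.append(f"executable {ext} on removable media")
        inner_ext = posixpath.splitext(stem)[1]
        if inner_ext in DATA_EXTS:
            reasons.append(f"double extension {inner_ext}{ext}")
        elif inner_ext == "":
            # With "Hide extensions for known file types" on (the default the
            # thread complains about) this displays as just the stem; only the
            # icon hints at the type, and the icon is whatever the PE says.
            reasons.append(f"displays as '{base[:-len(ext)]}' when extensions are hidden")
    return reasons


def triage_listing(files):
    """files maps a path on the drive to its text, or None if not read.
    Returns {path: [reasons]} for flagged entries only."""
    findings = {}
    for path, body in files.items():
        reasons = classify_name(path)
        if posixpath.basename(path.replace("\\", "/")).lower() == "autorun.inf" and body:
            launch = parse_autorun(body) or {}
            for key in LAUNCH_KEYS:
                if key in launch:
                    reasons.append(f"autorun.inf {key}={launch[key]}")
            if launch and not any(k in launch for k in LAUNCH_KEYS):
                reasons.append("autorun.inf present (icon/label only)")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: what a listing of one of the dropped drives might look like.
SAMPLE_AUTORUN = """[autorun]
open=Photos\\viewer.exe
icon=Photos\\viewer.exe,0
label=Family Photos
action=Open folder to view files
"""
SAMPLE_LISTING = {
    "autorun.inf": SAMPLE_AUTORUN,
    "Photos/viewer.exe": None,
    "Photos/beach.jpg": None,
    "Photos/party.jpg.exe": None,
    "My wife Pics.exe": None,
    "budget_2006.xls": None,
    "readme.txt": None,
}

if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

Whether the autorun.inf fires on insertion depends on the media type and policy, as the thread says; what the triage shows is that even with autorun out of the picture the listing alone is enough to see that this drive wants something run.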
  • by PlusFiveTroll ( 754249 ) on Thursday June 08, 2006 @06:48PM (#15498815) Homepage
    This is going to be a hard one to stop. Humans are curious, when you find a cd, hard drive, thumb drive, the first thing you're going to want to do is stick it in your computer and find out what juicy secrets are on it.

    My best advice for corporations is to lock down the computers and only allow approved devices by security profile. Trying to train people not to act like people will fail.

    Any better ideas other than beating the users with a stick or JB Weld in any unused ports on a computer.
      yeah, if you have a tech savvy enough company take a modest machine, stick it near the break room, don't connect it to the network at all and let people use it for curious disks/thumbdrives/applications. Would be nice if you ghosted or vmwared it frequently so users didn't pass the trojans from one USB key to another as well.

      Eh, don't imagine anyone really doing this, but it wouldn't be an awful idea.
      Any better ideas other than beating the users with a stick or JB Weld in any unused ports on a computer.

      I work at a Fortune 500 company, that actually hands out USB keys with laptop provisionings. Not only might we one day find hackers attempting to place USB keys outside, we already occasionally find misplaced usb keys inside the building. Plugging one in to find out whom to return it to is both obvious and a common practice upon finding one misplaced.

      However - we have a 'test lab' box on the floor

    • Why should company computers have floppy disk drives, CD/DVD ROM drives, or USB ports? Additionally, perhaps there should be some way of "locking" keyboards and mice onto computers to prevent hardware loggers.
    • My best advice for corporations is to lock down the computers and only allow approved devices by security profile.

      great idea. Problem is that Corporations refuse to allow IT to limit what the managers, sales and marketing staff can do with their PC.

      Almost all IT managers and staff are frustrated completely with the fact that some upper VP exec is enough of an asshole that he DEMANDED that all the sales PC's came with DVD burners and other giant security holes simply for the sake of convenience.

      Until someon
  • by Ant P. ( 974313 ) on Thursday June 08, 2006 @06:48PM (#15498818) Homepage
    I would've put autoplay Goatse on them, personally.
    • Re:Autoplay trojan? (Score:5, Informative)

      by TubeSteak ( 669689 ) on Thursday June 08, 2006 @07:26PM (#15499026) Journal
      Even though you're joking, what you're proposing has been around for a looooong time.

      http://lastmeasure.com/ [lastmeasure.com]
      Last Measure is a wholly owned subsidiary of the Gay Nigger Association of America

      The bastards at GNAA created LMOS (Last Measure OS)
      http://sam.zoy.org/lmos/ [zoy.org]
      LMOS is a minimalist operating system targeting multimedia presentations, written with simplicity in mind. Due to its tiny x86 assembly core, it easily fits on a standard floppy: just write LMOS and your pictures to a CD or floppy, and it will boot and play on any IBM-PC compatible computer.

      LMOS is a handy tool to carry with you on a business card CD or a USB key. Also, instead of luring people to Last Measure mirrors or similar shock sites, you can simply hand them an LMOS CD with a "Knoppix" sticker on it.
      No matter what depravity you can think of, the Trolls have already been there and raped that idea.
  • Close those ports. (Score:3, Interesting)

    by bubulubugoth ( 896803 ) on Thursday June 08, 2006 @06:49PM (#15498819) Homepage
    I remember when it was a "common practice" to remove or glue floppy disks at schools...

    But USB pose a different trouble. There ARE useful usb devices, like mouses and keyboards...

    And furthermore... there are phones and digital cameras, and even those 5 in 1 memory readers that can be used to extract information or leak viruses...

    or even worse, specific purpose programs, like the ones used at the "audit"...

    And also one thing I wonder, is what Antivir was "protecting" the machine? Isn't antivir doing heuristics to look after strange things at the computer, like "something" trying to get the addressbook?

    • ...like mouses and keyboards... [emphasis mine]

      Sorry to be a spelling/grammar nazi, but just what kind of word is mouses?

      'sides, I always thought the plural of mouse was meese? (Or, is that the plural of moose? No, that's moose.)

        Mouses has somehow, inexplicably, become viewed as an acceptable substitute for mice in computing circles.

        From asking various people who use it their reason for doing so, I get answers ranging from "dunno", though fake origins of the word "mouse" in computing terms as some sort of acronym, around claims that the inventor chose that name (as far as I can tell, he doesn't care), to the suggestion that "mice" could lead to confusion with the furry creature (although why exactly it does so more than "mouse" esca

  • But.. How? (Score:3, Interesting)

    by Anonymous Coward on Thursday June 08, 2006 @06:49PM (#15498820)
    I tried using something like this for my senior prank at school. I wanted to add a startup item that pointed to shutdown.exe on the XP systems. :)

    I simply could NOT get anything to autorun from any type of flash drive. Autorun.inf wouldn't run .vbs, .bat, .exe, or even .txt files. Nothing. How could they get it to autoinstall? I know there's U3 type stuff, but that creates a fake CD Rom drive due to a CDFS partition on the flash drive itself...

    How could they get the trojan to autorun on insert? And if you're picking crap up off the ground, why wouldn't you hold shift while plugging it in if you were running Win?
  • Since the users were required to actually execute something on the usb stick, couldn't this have been done years ago on floppies? Clever, kinda... but not new is my guess.

    http://psychicfreaks.com/ [psychicfreaks.com]
    • Re:Done before? (Score:2, Informative)

      by MustardMan ( 52102 )
      It could have been done on CDs, but not floppies. Autorun.inf doesn't do anything on a floppy.

      The difference here, of course, is that a USB stick is something someone would be likely to keep to use themselves. A burned CD isn't nearly as appealing.
      • I think the burned CD can be made much more appealing via a $0.30 sharpie....

        "Pam Anderson Sex Video"

        "WoW cheats"

        " home videos"

        I'm sure there are many more possibilities...

      • Re:Done before? (Score:3, Informative)

        by ross.w ( 87751 )
        No, but when floppies were more common, it was also common to have PCs set up to boot from the floppy first and only boot from the hard disk if the floppy isn't there.

        There was a whole genre of viruses including the Pakistani Brain virus, that took advantage of this, plus the tendency of people to forget to take their floppy out of the PC when turning it on. They would silently run the code hidden in the boot sector, which would infect the boot sector of the HDD and ensure that every flopp
    • Floppies don't autoplay like USB drives do. So, yes, this could have been done with floppy drives, but it would have taken more user intervention.
        They used to on Macs. That was one reason Macs were so vulnerable to viruses back in the eighties. Every file could have a resources fork and the machine would load and execute the resources on any disk you inserted. As a result mac viruses were a major problem - and this was before machines were networked.
  • by Billosaur ( 927319 ) * <{wgrother} {at} {optonline.net}> on Thursday June 08, 2006 @06:51PM (#15498832) Journal

    You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

    There you have it -- invest in fancy firewalls, make people change their passwords every 90 days, filter email from spam, phish, virii, and trojans, and then sit back and watch as your employees bypass all those lovely defenses and lay your system vulnerable.

    I've said it before: there's no use building a wall, firing up the boiling oil, and digging a moat and filling it with sharks if you're going to build an 8-lane superhighway through it. Companies are trying to crack down, but the myriad ways that information can get stolen or transferred from a system are enormous. USB drives, camera phones, MP3 players -- anything that can store data is a potential point of vulnerability, one which a company will be hard pressed to monitor or control. Couple that with this sudden rash of stolen laptops carrying unencrypted and often sensitive data, and there's no reason for hackers to work too hard any more, when they can just have data handed to them.

  • Smart idea!! (Score:5, Interesting)

    by Cybersonic ( 7113 ) <ralph@ralph.cx> on Thursday June 08, 2006 @06:51PM (#15498834) Homepage
    I have to admit, this had me laughing out loud! :) I do security audits often, and I know this 'attack' would work almost anywhere.

    Add this to your weekly 'security' email/meeting as I have a feeling this may happen a bit more often now...
  • by Boap ( 559344 )
    However it is simply solved by disabling the USB ports either physically or via the registry which they should have been in the first place.
  • Black Hat Hazards! (Score:3, Interesting)

    by redelm ( 54142 ) on Thursday June 08, 2006 @07:01PM (#15498889) Homepage
    Wasn't some dude prosecuted for doing Black Hat ops, even though he was hired specifically to evaluate security?

    Before I'd even think of something like this, I'd want signed original 8.5x11 floppies giving me explicit authorization to attack^Hevaluate systems like this.

    Even then, the DHS might come after the evaluators for possession and willful use of destructive tools.

  • by dduardo ( 592868 ) on Thursday June 08, 2006 @07:06PM (#15498918)
    If they were running Linux the solution would be easy: disable USB Mass Storage in the kernel. USB mice and keyboards will still work, but they won't be able to read their thumb drives.
  • Interesting Idea (Score:2, Interesting)

    by vandalman ( 746235 )
    The first thing I do when I find a USB stick is to plug it in and open up documents to see whose it is. I mostly find them around campus, so a name on a paper lets me do a school directory look up. Shame to think I could get a virus from trying to help someone out, good idea and interesting application of USB sticks.
  • by ChaseTec ( 447725 ) <chase@osdev.org> on Thursday June 08, 2006 @07:23PM (#15499004) Homepage
    They scattered 20 trojan drives around the outside and 15 got picked up by their target. Notice how they don't bother saying what happened to the other 5. Did they not get used, not get found, found by other people? And you know some of those employees took the drives home and their personal information was captured. Yes it's a cool hack but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.
    • This is out of my ass but I would guess since they kept tabs on what happened to each of them and conducted surveillance that they would have been on the lookout for other people snagging them. I would also think that it wouldn't be that hard to, at the end of the day, say "hey guys, those USB drives? we need them back."

      Though the article should probably have said.
    • Yes it's a cool hack but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.

      I believe that's a perverted ethical viewpoint. The thumbdrives were obtained unethically and you cannot hold OTHERS ethically responsible for any potential damage. Is it unethical to leave a pencil out, knowing a child could grab it and stab themselves in the eye? Yes it's probably unethical to knowingly put a candy wrapper around a laxative (ok, that was me) on a playground,
  • Thin Clients (Score:3, Insightful)

    by jabelar ( 913707 ) on Thursday June 08, 2006 @07:44PM (#15499129)
    Banks and other organizations with shared computing requiring high security should consider thin clients rather than PCs. There should be no drives on bank teller computers to transfer data either onto or off of their system.
  • I think this example makes a good case for anti-virus / anti-malware programs.
  • by spentrent ( 714542 ) on Thursday June 08, 2006 @07:56PM (#15499206)

    "Why?"

    "IT says we got dongled, whatevthefuckthatmeans."

  • by spentrent ( 714542 ) on Thursday June 08, 2006 @07:58PM (#15499216)

    ...you don't know where that dongle's been.

  • by VI$7443V3R ( 981078 ) on Thursday June 08, 2006 @08:17PM (#15499293)
    Seriously. It really is.
  • Related work (Score:5, Interesting)

    by Beryllium Sphere(tm) ( 193358 ) on Thursday June 08, 2006 @08:25PM (#15499340) Homepage Journal
    Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street [silicon.com].

    Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.
  • Age old problem... (Score:4, Insightful)

    by elderban99 ( 981085 ) on Thursday June 08, 2006 @08:33PM (#15499372)
    Once again mankind is sticking things where they shouldn't be and getting infected...something that has been going on for centuries.
  • by warlock.da.newbie ( 981084 ) on Thursday June 08, 2006 @08:50PM (#15499452)
    In the Black Hat conference in 2005 a group introduced a few hacks to access system memory via IEEE 1394 (Firewire). In the Toorcon conference September 2005 an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and Firewire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device an attacker can modify system memory outside of the operating system's knowledge. Using a technique like this one could actually write to very low level routines on the computer without the operating system being aware of this.
  • by whitehatlurker ( 867714 ) on Thursday June 08, 2006 @09:00PM (#15499486) Journal
    ... I think I have an idea for a great April Fool's prank. But I need all of you to be really, really quiet about this. 'K?
  • by Mr. Freeman ( 933986 ) on Thursday June 08, 2006 @10:21PM (#15499849)
    Alright, I've read a lot of people saying "just disable USB devices". Someone said that everything should be locked down and that training people is useless.

    Disabling USB devices will not work. Even if you do it perfectly, that is, disable all storage devices but not keyboards, mice, etc. Why? Because CD-ROM drives have the exact same problem. I don't think floppy drives have any type of autorun function, but you can still put deceptive file names on them. Same problem with Email attachments.

    Now, go disable email, CD-ROMs, floppies, USB devices, and memory card readers at your office/school and see how much work actually gets done.

    You must either educate people, or restrict them to the point where they can't do their job in order to prevent your network from being infected. Given that the latter results in a huge loss of profit, I'd try to educate people.
    • by realmolo ( 574068 ) on Thursday June 08, 2006 @10:36PM (#15499914)
      Unless they need to use the CDROM drive, floppy drive, USB devices, or memory cards to DO THEIR JOB, then they SHOULD be disabled.

      The fact is, in a business setting, the machines should be completely locked down so that users can do ONLY what they need to do, and nothing else.

      Of course, politics tend to prevent that from happening. But it is proper "procedure".
  • by InakaBoyJoe ( 687694 ) on Friday June 09, 2006 @03:14AM (#15500681)

    People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.

    Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.

    Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.

    If you want your users to respect your network security concerns, you first have to try to respect your users.

    • Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.

      Keep in mind, we're not talking about mum+dad's small business here. We're talking about a financial institution. Disabling removable media should be fairly high up there on the list

  • by HerebeDragon ( 981165 ) on Friday June 09, 2006 @05:50AM (#15500964)
    They got a hit with 15/20 usb drives, but what happened to the other 5? If they scattered them in a public place, surely other members of the public could have picked them up and could have been compromised. This would put the auditors on the wrong side of the law and they had no prior agreement to pentest the general public.
