Why you should lock off USB

I found this story on the Dark Reading website. It deals with a brilliant social engineering attack by Steve Stasiukonis of Secure Network Technologies Inc. It provides a really good argument for why blocking the use of USB thumb drives.

In the linked story, a credit union hired Secure Networking Technologies (SNT) to assess the security of their network. SNT took a novel approach. They scattered a collection of vendor giveaway USB thumb drives around the credit union’s parking lot several hours before work began. Each USB drive was filled with random image files and a custom trojan. The trojan would collect passwords, logins and other information from a user’s computer and then email it back to SNT.

The experiment ran 3 days. Of 20 scattered USB drives, 15 were found by employees. Each found USB drive was plugged into at least one of the credit union’s computers. In each case where someone plugged the drive into their computer, they executed the Trojan. SNT knew this because they received the password and login information from the computers where USB drives were attached.

This method of gaining access to a network is certainly a lot simpler than sitting out in the parking lot with a wireless card attempting to crack WEP!