Thread-topic: FYI: Penetration Testers Try a New Twist on Social Engineering
;-)
--Penetration Testers Try a New Twist on Social Engineering
(7 June 2006)
A credit union that had been experiencing problems with employees
sharing passwords and divulging other information too easily hired a
company to asses their network security with a focus on social
engineering. Employees were aware that their security was going to be
tested, so instead of taking the usual social engineering routes, the
penetration testing company left 20 USB drives near the credit union in
the parking lot and smoking areas. Employees picked up 15 of the 20
drives and installed them on their computers to see what they held,
which turned out to be a Trojan horse program that gathered passwords,
logins and other data and emailed them back to the company.
[Editor's Note (Northcutt): It may be a new twist to the author of the
article, but this trick as old as the hills. I first saw this done using
a floppy disk survey. You stuck the disk in your laptop, filled out the
survey, put the disk in a pre-packaged mailer and sent it back to
receive a free prize. Another variant is demonstration software. You
leave shrink wrapped CDs that look like they have games or useful
applications around the target site. People will try the game or
application while installing the attacker's software on their systems.
The article does serve as a reminder, and I like the ending. Telling
people is not enough, you need to keep hammering it into their heads.
It would be interesting to try some trojaned thumb drives in a candy jar
that if inserted into a computer posted a big red message saying you
just earned a 100 dollar fine.]
(Schultz): I have mixed feelings about this news item. On one hand, the
penetration testers deserve a great deal of credit for their ingenuity.
At the same time, however, members of the black hat community who learn
of this new social engineering method are now more likely to try it.]
