Knowing that we’re interested in the use and abuse of USB keys, a keen-eyed Naked Security reader alerted us to an interesting-sounding story on a Dutch news site.
Under the headline “Criminals in espionage attempt at DSM” (DSM is a major Dutch materials and life sciences company), Elsevier.NL reports that this case involves crooks who “put USB sticks in the parking lot.”
The risks both of losing and of finding USB keys are clear – clear enough that Naked Security’s 2011 report into lost keys sold at auction by Sydney’s rail operator led to an official change in auction policy.
And, along with “did you hear that X% of people give out their passwords in return for Y” (where Y is something like a ballpoint pen or a chocolate bar), stories about successful USB-keys-in-the-parking-lot attacks have become often-heard anecdotes at seminars and conferences.
But do USB key attacks really work?
Or is this just some sort of current-day internet security meme?
On this account, Elsevier’s story piqued my interest.
Perhaps this would be an unambiguously documented case of a successful, real-world USB-driven intrusion by bona fide cybercriminals? (Please excuse the tautology.)
No such luck, fortunately. (Please excuse the oxymoron.)
There was a smoking gun, but the story:
- points out that the employee who found the first USB key took it straight to IT,
- fails to identify the malware except for dubbing it a keylogger,
- and admits that the plan, for what it was worth, was an abject failure.
In short, this story could equally well have been headlined “Sensible employee leaves Dutch multinational cyberintruders dead in the water.”
So, to those of our readers who have complained that they’d like to read about security successes on Naked Security once in a while, rather than about breaches, disasters, successful exploits and the like: this one’s for you!
(For those cynics who wonder, like me, if putting infected USB keys in the parking lot could ever work – my penetration testing friends assure me that it works just fine. But they consider it infra dig to use the technique, because it implies they have failed to get in by more haxorious means.)
–
Images of chocolate bars and the big green tick courtesy of Shutterstock.
"But they consider it infra dig to use the technique, because it implies they have failed to get in by more haxorious means."
You know, it is exactly that kind of thinking that will always put a true hacker one step ahead of "security professionals". I mean sure, dropping a USB key in a parking lot is not all cool and high tech but why drag out a bazooka to knock down a door when sometimes you can just knock on the door?
Hackers tend to like the path of least resistance. Sure it gives you more "street cred" to exploit all these different flaws and get in through some really technical method. In the end though it does not matter how you got in, just that you got in. So why waste countless hours trying some super hard way?
When you're used to the comfort of the box it's really hard to think outside of it.
Actually, the technique could evaluate how well educated the employees of a company are, so I cannot understand why not to use it in a penetration testing scenario.
Really disappointing that Paul's colleagues don't think like that…
Firstly, since Sophos doesn't have a penetration testing business, they aren't my colleagues. They're my friends. (Not that the two are mutually exclusive, of course!)
Secondly, you're insulting them by assuming that they "don't think like that."
Thirdly, you're neglecting that penetration testers, though authorised by a company to bypass that company's procedures and policies, are _not_ authorised to behave immorally or to break the law.
So reputable pen testers who scattered USB keys in a car park (where they might easily be taken and used outside the company that authorised the pen testing, possibly by complete outsiders to the company) would almost certainly _not_ implant a keylogger for fear of inadvertently and unlawfully collecting PII from an unintended victim.
For the educational purposes you mention, a simple "call home" – merely visiting a URL with no payload and logging the connection – would suffice.
Fourthly, I'm not sure why you're disappointed that an intelligent, well-informed expert might consider it _infra dig_ to proceed with a USB attack. (Perhaps you have confused _infra dignitatem_, which means "beneath dignity", with "beyond ability"?)
Quite a number of my pen testing chums are into lockpicking as a hobby. It's actually quite fun – cerebral and surprisingly relaxing. Sort of like playing Scrabble, but in the dark and with four Qs and one U.
Am I impressed by someone opening a complex padlock with just a strip of springy steel? Yes. Would I be equally impressed by someone opening that padlock using an angle grinder? No. (Thermite, probably. But an _angle grinder_?)
Fifthly (as we say in the security industry), it was an attempt at light humour! An excuse to deploy the neologism "haxorious"! A touch of fun!
Well, once again you prove my point.
"I'm not sure why you're disappointed that an intelligent, well-informed expert might consider it _infra dig_ to proceed with a USB attack. (Perhaps you have confused _infra dignitatem_, which means "beneath dignity", with "beyond ability"?)"
"Beneath dignity"? From what I understand, Kevin Mitnick, who many would consider a very successful hacker, was not above dumpster diving. So you're talking about the dignity level of scattering USB drives? We are talking about a group of people who have no problem digging in the trash.
As for your wonderful bit about picking locks. Well, I pick locks for fun and it is a great hobby. It can be useful for getting into your own things sometimes. At the same time though, if I was trying to break into someone else's house I will not waste the time picking a lock when I can just kick in the door.
Point is that the tools you use are determined by the job you're doing. If your goal is simply to hack into a business then a USB attack such as that may well be an easy way to do so. It is not a method I would toss just because it is not "cool" or that I am "above" such things.
In fact, odds are very high I would just alter it slightly. For example, get a nice custom USB made from one of these cheap advertising companies. Have a fake business printed on the side of the drive and mail it to the business with some other "promotional" junk. What are the odds then that they will toss the drive?
So yes, I will agree, it is not pretty, it is not impressive or anything to brag about but the point is that if your goal is to get into the company then who cares? If you're breaking into a house to steal all their jewelry then it does not matter if you picked the lock or just kicked in the door, so why waste time and energy picking a lock? It is all about what is the easiest way to do the job I have set out to do. Not about "how cool can I look doing this job".
Somebody has been paying attention.
If I find a USB dongle anywhere I will keep it, hug it, and call it George – after I format it.
They don't cost much but it's like finding a $5 or $10 bill on the sidewalk. Paper money has germs but we know how to take care of that.
There have been exploits in the past that worked merely by inserting a USB key, and most people don't have autorun disabled, so inserting foreign media into your computer, even with the intent to format it, is risky business.
If you press the Shift key while inserting the USB stick until it appears on My Computer, the autorun.inf will be neglected so it will be safe. Then right click and format. 🙂
I feel sorry for Windows users who find a USB key and take it home, either to keep it or to see if there is anything personally identifiable on the drive to return it and find out there's a virus on it.
As a Linux user though, there's a very small chance (1%) that it'd affect me… so don't try 😛