Steve Stasiukonis, VP and founder of Secure Network Technologies Inc, tells us how easy it is to use social engineering to collect passwords and data from a large and apparently secure corporation, simply by leaving USB drives around and waiting for people to wonder "I wonder what's on it?", and click.
"We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us...
...The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
...After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management."
Glorious stuff. How should the law begin to help deal with this kind of thing? An obligation to secure systems, just as we currently have to provide a safe system of working under health and safety law, seems the way to go, at least for any industry which handles the personal data of third parties. (Of course, we theoretically have that already under DP law, at least in Europe - but as usual, where's the enforcement mechanism?)