Companies spend vast sums of money year after year erecting firewalls, keeping viruses off the systems and trying to keep the security policies up to date to keep the bad guys out. However, time after time, users show that they are the weakest point in any security breach.
“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC).
Microsoft recently pushed out an update for XP and Vista machines that massively reduced the number of attacks carried out through Autorun. However, that is only one attack vector in a hacker's arsenal, and at the heart of the rest is still the weakest link: the user.
Just because it has a hole, you don’t have to stick something in it.
Deliberately dropped USB sticks inserted into computers
Bloomberg reported recently that the US Government deliberately put this to the test to see how security conscious its own staff were. They dropped USB sticks in the car parks of government offices and those of government contractors and waited to see how many were used. The results showed that 60% of the dropped devices were inserted into computers. If the device had a company logo, then 90% of those found were likely to be plugged in.
Penetration testers access network through a USB mouse
I read a report in The Register this week about a contracted firm of penetration testers who were hired to try and gain access through the company's firewall while being limited in which attack vectors they could use. Instead, they modified a standard USB mouse to contain a flash drive and microcontroller that would compromise a computer if plugged in, without resorting to illegal access methods. The modified mouse was repackaged with marketing materials and shipped to a specific individual in the company, and was of course plugged in. 60 seconds afterwards the malware stored on the flash drive was run, and three days later the information collected was posted to a server under the penetration testers' control.
For the story in full, and to see the insides of the modified mouse, see the article on The Register.
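As an added defender's illustration (not code from the original post or from The Register article): a small Python check that correlates Linux kernel USB messages per port and flags a device that announces itself as a mouse but also registers a mass-storage interface, which is exactly how the modified mouse above carried its payload. The dmesg lines, vendor/product ids and port numbers are constructed for the example.

```python
import re

# Constructed sample of Linux kernel (dmesg) USB lines: a plain mouse on port 1-2
# and, on port 1-1, a "mouse" that also registers a mass-storage interface.
# Vendor/product ids and port numbers are made up for the example.
SAMPLE_DMESG = """\
usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice= 1.00
usb 1-2: Product: USB Optical Mouse
hid-generic 0003:046D:C077.0001: input,hidraw0: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-2/input0
usb 1-1: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Ergo Mouse
hid-generic 0003:ABCD:0001.0002: input,hidraw1: USB HID v1.11 Mouse [Ergo Mouse] on usb-0000:00:14.0-1/input0
usb-storage 1-1:1.1: USB Mass Storage device detected
scsi host4: usb-storage 1-1:1.1
"""

NEW_DEV = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\d+-[\d.]+): Product: (.+)")
HID = re.compile(r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+:")
STORAGE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")

def parse_usb_devices(dmesg_text):
    """Return {port: {vid, pid, product, roles}} built from kernel USB messages.
    HID lines carry no port, so they are tied back to a port via vendor:product id."""
    devices, port_by_id = {}, {}
    for line in dmesg_text.splitlines():
        if m := NEW_DEV.search(line):
            port, vid, pid = m.group(1), m.group(2), m.group(3)
            devices[port] = {"vid": vid, "pid": pid, "product": "?", "roles": set()}
            port_by_id[(vid, pid)] = port
        elif (m := PRODUCT.search(line)) and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
        elif m := HID.search(line):
            port = port_by_id.get((m.group(1).lower(), m.group(2).lower()))
            if port:
                devices[port]["roles"].add("hid")
        elif (m := STORAGE.search(line)) and m.group(1) in devices:
            devices[m.group(1)]["roles"].add("storage")
    return devices

def suspicious_composites(devices):
    """Ports whose device acts as both a HID (mouse/keyboard) and a mass-storage drive."""
    return sorted(p for p, d in devices.items() if {"hid", "storage"} <= d["roles"])

if __name__ == "__main__":
    devs = parse_usb_devices(SAMPLE_DMESG)
    print("HID + mass-storage devices:", suspicious_composites(devs))
```

On a real host the same functions can be fed the output of `dmesg` or the kernel log file; a legitimate mouse never needs a storage interface, so any hit deserves a look.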
Repeat after me, I will not click suspicious links
RSA spear-phishing attack
I have made reference to the RSA security attack previously in this blog. This is a brief description of how it happened.
Spear-phishing means sending a limited number of rigged e-mails to a select group of recipients, relying on human weaknesses like trust, laziness or even hubris.
In March, RSA was in the midst of a hiring campaign, so when some employees received emails with attached Excel spreadsheets titled “2011 Recruitment Plan”, the attachments looked plausible. Despite the emails being deposited in the junk-mail folder, one employee retrieved the email and opened it. The Excel sheet was booby-trapped with an Adobe Flash file that exploited a bug in the software and allowed remote access to the user's PC. As a result, RSA lost information relating to one half of the two-factor authentication process the company distributes.
The basic rule in defence against this sort of attack is not to open suspicious links or files (repeat that now 100 times). To be fair, the group that attacked RSA was well organised and the attack cleverly distributed.
A new variation of spear-phishing, called whaling, is now appearing; it bypasses the average worker and targets management staff in an attempt to gain access to higher levels of information.