Manufacturing Computer Solutions, one of the lesser known sources of cutting-edge information security news (I love you Google!), is reporting a security study by the NCC Group. Seems the NCCG delivered a "party invitation of a lifetime" gift box (a Trojan-horse-shaped box would have put the icing on the cake!) with a USB drive to finance directors at 500 UK companies and, surprise surprise, the clueless ones simply plugged the USB drives into their machines. Compounding the problem, many even clicked on the "Yes I want to install some software" option without a clue about what the software was actually going to do.
Paul Vlissidis, NCCG's head of penetration testing, said “This demonstrates a fundamental lack of healthy suspicion by IT users, even at a senior level. The need for real security awareness has never been greater… This kind of technique could easily be adopted by genuine hackers and these directors could have seriously jeopardised the security of their company’s networks. Not only could fraudsters have customers’ or employees’ personal details to steal their identities, but they could also have gained full control of an FD’s email account, allowing them to access information regarding forthcoming unreleased trading statements or even results which they could then use to influence share dealing.”
So, now we know (for sure) that the 'free USB thumb drive' trick is yet another social engineering technique that works well. The big unanswered question is what we are actually supposed to do about the threat. 'Raising awareness' is much easier said than done, and getting people to change their behavior is even harder. Perhaps USB lock-down technology (and/or Sumitomo's super superglue solution) is the best option here, with the added benefit of frustrating those wayward employees who would steal gigs of data from right under the noses of their managers, colleagues and security guards using thumb drives or iPods.
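The monitoring half of that USB lock-down, as an added example that is not from the original post or from NCC Group: a small Python scanner that reads Linux kernel log lines in syslog format (the sample below is constructed, with placeholder vendor/product ids and serial) and raises an alert whenever the usb-storage driver binds to a device whose serial number is not on a hypothetical allowlist of approved corporate drives, while ignoring non-storage devices such as a wireless receiver.

```python
import re

# Constructed sample syslog/kernel lines: a thumb drive on port 1-2, then a
# non-storage USB receiver on port 1-3 (identifiers are made-up placeholders).
SAMPLE_LOG = """\
Mar 12 09:14:02 fd-laptop kernel: usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Mar 12 09:14:02 fd-laptop kernel: usb 1-2: Product: Party Invite Drive
Mar 12 09:14:02 fd-laptop kernel: usb 1-2: Manufacturer: ExampleVendor
Mar 12 09:14:02 fd-laptop kernel: usb 1-2: SerialNumber: PLACEHOLDER0001
Mar 12 09:14:02 fd-laptop kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 12 09:20:45 fd-laptop kernel: usb 1-3: New USB device found, idVendor=5678, idProduct=ef01, bcdDevice=12.03
Mar 12 09:20:45 fd-laptop kernel: usb 1-3: Product: Wireless Receiver
Mar 12 09:20:45 fd-laptop kernel: usb 1-3: Manufacturer: ExampleVendor
"""

# Per-device attribute lines the kernel prints right after enumeration.
ATTR_RE = re.compile(
    r"kernel: usb (?P<port>\d+-[\d.]+): "
    r"(?P<key>New USB device found|Product|Manufacturer|SerialNumber)[:,] ?(?P<val>.*)"
)
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# The line that matters: the usb-storage driver binding to an interface.
STORAGE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb-storage "
    r"(?P<port>\d+-[\d.]+):[\d.]+: USB Mass Storage device detected"
)

def find_mass_storage_attaches(log_text, allowed_serials=frozenset()):
    """Return one alert dict per mass-storage attach whose serial is not allowlisted."""
    devices = {}   # port -> attributes collected so far for the device on that port
    alerts = []
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            dev = devices.setdefault(m["port"], {})
            key, val = m["key"], m["val"].strip()
            if key == "New USB device found":
                ids = IDS_RE.search(val)
                if ids:
                    dev["vid"], dev["pid"] = ids["vid"], ids["pid"]
            else:
                dev[key.lower()] = val   # product / manufacturer / serialnumber
            continue
        m = STORAGE_RE.match(line)
        if m:
            dev = devices.get(m["port"], {})
            if dev.get("serialnumber") in allowed_serials:
                continue   # approved corporate drive, no alert
            alerts.append({"time": m["ts"], "host": m["host"], "port": m["port"], **dev})
    return alerts
```

Feed it the output of `journalctl -k` or `/var/log/kern.log` in place of the constructed sample; the wireless receiver on port 1-3 never triggers an alert because no usb-storage binding follows it.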
More security awareness, social engineering and mobile IT security links.