sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]

noun

  1. The scientific study of system administration and related phenomena.

Friday, 18 January 2013

Do you know where that USB stick has been?


Picture the scenario: You’ve parked your car up in the company car park like you do every morning. Coffee in one hand, brief case in the other, when you notice a USB memory stick lying on the ground.
There’s no-one around, or certainly no-one that seems to be looking for it, so you pick it up. On further inspection you notice there’s a label stuck on it, and it reads “Your Company Inc Employee Salary Reviews”


Wow! That could hold some interesting data. Now you’re going to hand it in at reception, it’s not your USB memory stick after all, and just taking it would be stealing. But can you resist taking a quick peek and seeing what the guy in the next cubical is earning?


Attacks like these are called baiting attacks.They pique the victims interest and encourage them to put the USB stick into their computers. Of course the moment they do, they are infected with a RAT (Remote access trojan)

This is possible because of a Microsoft Windows Feature called auto-run. The same feature that pops up a window when you plug in a USB memory stick, CD or DVD. Creating an auto-run program which silently installs a program in the background is a simple task. In the mean time, the user browses the media as they would normally, not knowing whats going on behind the scenes.

Attacks of this kind should reduce as Microsoft have stopped USB sticks from auto running. However the auto-run feature is still enabled on CD / DVD drives. Check out Microsoft post here http://www.microsoft.com/technet/security/advisory/967940.mspx


This means that a CD or DVD could be crafted to do exactly the same thing.
You can disable the auto-run feature completely, by following the instructions in this link http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/. For Enterprise users, it shows how to do this using Group Policy, which has to be favourable to disabling it individually on each workstation!

This could give a hacker access to your workstation, which would then be used as a base to launch further attacks on higher value network targets. E.g. the server, the firewall etc..


No comments:

Post a Comment