Tuesday, May 20, 2014

Techy Tuesday - The Problem is in the Users' Chair

Since we did a piece on security and TAILS/TOR Sunday, I thought I'd stick with security for one more post.  I swear I've heard security guys say the line in the title.  If people paid even a modicum of attention to choosing reasonable passwords or passphrases, and kept their wits about them, there would be far fewer problems.

A "Certified Ethical Hacker" posts the story of how he broke into a company that really seemed to have its act together. After trying all the usual tricks against the firewall, he decided he needed to go after the weak link: the people.
So I told myself, “Screw it. I’m going in.”
First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.

I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”

She smiled — a good sign — and buzzed me in. Once I was inside the men’s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.
I drove back to my office and waited, because as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto run and execute a remote connection to my computer.
Perhaps needless to say, it didn't take long.  As he says, people are curious, and if they find a USB drive they are more than likely going to plug it into their computer to see what's on it.  The intentions may be entirely good ("this looks like Dave's drive; maybe I can tell from what's on it whether it's his"), or it may just be to see if there are any cool pics on it.

Is this how Stuxnet got into the Iranian nuclear facilities?  It's hard to imagine someone walking in off the street and getting permission to use the restroom there, but the infection was spread by infected USB drives.  It's not hard to imagine those drives being left somewhere that was a known hangout or gathering place for workers from those plants.  I don't know Iranian culture, but I know that every base I've ever been around has some favorite "watering holes" nearby where open ears can gather a lot of tidbits of information.  So what if they (officially) don't drink? 

What strikes me about this attack is that it is social engineering from start to finish. It relies on the receptionist's social tendency to be kind to a guy in distress, and it relies on whoever picks up the USB drive in the men's room looking at it out of curiosity. The software on the drive would have done nothing without the social work. (One practical caveat: a patched Windows machine has not run programs automatically from a USB stick since the 2011 AutoRun update, so today's version of this drop usually needs the finder to open a file on it, or a stick that pretends to be a keyboard and types for itself. The social half of the attack is unchanged.)


  1. The Army simply stopped allowing users to plug things into USB ports except for three approved devices.

    Had the company in question shut down the USB ports the way the Army has, the hack would have failed because users would have known that USB drives weren't allowed on the network.

    The attack would have had to come through a CD/DVD instead, which is something you just don't find lying about in a restroom.

  2. Sure. It's easier to do that in a classified environment than an open environment where people might be using thumb drives to carry data or instrument plots back to their desks.

    The last time I worked in the deep black world, USB didn't exist, but floppy disks were an issue. You just couldn't bring them into a secure facility.

    But still... one shouldn't pick up a thumb drive out of a bathroom and go use it. I'm remembering a Simpsons episode with Barney the drunk picking up a toothpick off the bathroom floor to use. It's not that much worse.

    Yeah, OK, a toothpick is much worse.

  3. This goes back years - before there were USB ports - but when I worked for (agency name redacted) we wound up getting pretty heavy handed with Policy Editor in Windows to make floppy drives, CD drives and many user accessible features unavailable to all but Sys Admins because we were always fighting viruses and other user-driven issues.

    When a Privileged Person complained they needed data on a floppy or CD, we got it and loaded it on a designated non-networked PC. If it passed all the security measures, we loaded that one file for them. The infection rate on those floppies and CDs was about 70%. More than once we had to destroy the drive on that standalone PC because we couldn't be positively sure we had removed the contamination.

  4. Passwords are a pet peeve of mine, but my view of them is probably the opposite of yours. I recently bought a Windows 8 computer and it forced me to go through the process of creating an email and password before I could get into the system. I did, some phony name and some phony password. It rejected my password because it didn't have any numbers in it, so I tried again. It rejected it again because now it needed capitals as well as lower case. So I tried again and was rejected again, as I needed at least one non-alpha, non-numeric character in the password. One more try was the charm: I created a password that could not be hacked. What was that password? I dunno! Too complex to remember. But no worries, it cannot be hacked! Of course my intent all along was to never use the Windows email, and I don't even remember the phony name.

    But I spent 50 years in the computer field and I know the biggest problem with passwords, especially if you are required to change them every 3 months, is remembering them. Ask yourself which is easier to remember: "uiB3lso*h1" or "skunk"? I have worked on systems where I had half a dozen different passwords for different parts of the job and different levels of security, and these passwords had to be changed every three months, often making a new one up on the spot. I was of course not supposed to write down any passwords and I could not repeat passwords. But the good news is this was before the password Nazis forced you to use long disjointed strings of letters, numbers and #@*. I had a system and my passwords were never hacked, and were no more likely to be hacked than "Zoju5*dplvx2" was. Most of the advice on passwords is wrong, and most passwords are NOT hacked; they are either observed as you enter them, intentionally loaned, or found written down someplace.

  5. Anon - actually, I think of passwords as about as useful as a regular door lock: they'll keep out honest people, but anyone who wants to get in and is determined enough will get in.

    I've worked in those situations, too, where you have to change a dozen passwords every 90 days or anytime someone leaves the group. Can't write anything down. It's a major pain.

    I think most people have seen how XKCD addressed passwords, pointing out that we've spent 20 years of effort developing passwords that are hard for us to remember and easy for computers to guess, instead of the way it should be.

  6. #!/bin/bash

    # Get the wordlist from http://world.std.com/~reinhold/diceware.wordlist.asc
    # then edit the PGP signature off the top and bottom

    WORDLIST=~/lib/diceware.wordlist.asc.nosig

    # One five-dice roll: a number from 1 to 7776 built from two bytes of /dev/random.
    # (65536 is not a multiple of 7776, so values up to 3328 are very slightly favoured.)
    function get1to7776() {
            dd bs=1c count=2 < /dev/random 2> /dev/null | \
            od -t u2 | \
            head -1 | \
            awk '{print ($2 % 7776) + 1}'
    }

    # Four rolls, each printing the word on that line of the list (the word is the last field).
    function fourwords() {
            for i in 1 2 3 4
            do
                    LINE=$(get1to7776)
                    awk "NR == $LINE {print \$NF}" < "$WORDLIST"
            done
    }

    echo $(fourwords) | sed 's/ /_/g'
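
Putting numbers on the passwords argued over in comments 4, 5 and 6, as an added example that is not code from the post or from any commenter. It scores each style as bits of entropy under a stated model of how it was chosen, then converts that to expected years of guessing under two attacker rates. Both rates, and the "word plus mangling rule" model for a human-made password like "uiB3lso*h1", are assumptions, not measurements; the dictionary size of 50,000 words is likewise an assumed figure.

```shell
#!/bin/sh
# Guessing cost of the password styles argued over in comments 4 to 6.
# Added example, not code from the post or any commenter. Attacker rates
# and the "how random was it really" models are assumptions, marked below.

# bits CHOICES LENGTH -> entropy, in bits, of LENGTH independent uniform
# picks from CHOICES alternatives, to two decimals.
bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.2f", k * log(n) / log(2) }'
}

# years_at RATE BITS -> expected years to find a BITS-bit secret at RATE
# guesses per second (half the space on average, 3 significant figures).
years_at() {
    awk -v r="$1" -v b="$2" 'BEGIN { printf "%.3g", 2^(b - 1) / r / 31557600 }'
}

# Attacker models (assumptions, not measurements):
ONLINE=1000            # throttled login form, the rate the XKCD strip assumed
OFFLINE=10000000000    # leaked fast unsalted hash on a GPU rig, ~1e10 guesses/s

# row LABEL CHOICES LENGTH -> one table line under both attacker models
row() {
    b=$(bits "$2" "$3")
    printf '%-36s %6s %11s %12s\n' "$1" "$b" \
        "$(years_at "$ONLINE" "$b")" "$(years_at "$OFFLINE" "$b")"
}

# compare -> the whole table; the model for each row is in its label
compare() {
    printf '%-36s %6s %11s %12s\n' 'style (model)' bits 'yrs@1e3/s' 'yrs@1e10/s'
    row 'skunk: 1 of ~50k dictionary words'   50000 1
    row 'skunk: 5 random lowercase letters'      26 5
    row 'uiB3lso*h1: 10 random printable'        95 10
    # a human "system" modelled as one of 50k words with one of ~1000 mangling rules
    row 'uiB3lso*h1: word + mangling rule'  50000000 1
    row 'Diceware: 4 random words'             7776 4
    row 'Diceware: 6 random words'             7776 6
}

compare
```

The table makes the XKCD point and its limit at once: four Diceware words beat a ten-character string that was produced by a memorable rule, but at offline GPU rates against a fast, unsalted hash even 4 words fall in days, which is why the hashing on the server side matters as much as the password and why 6 words is the common Diceware recommendation.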

  7. My company (Oil and Gas) does not allow USBs and disabled all ports. You take it to the computer-wallah and he checks it through and then sends you the files by email, or you use the one stand alone PC to look something up. Result? No viruses or hack-spastics giving trouble.
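
The lockdown that comments 1, 3 and 7 describe (a short allowlist of approved devices, or no removable storage at all) done on a Linux machine, as an added example that is not code from the post or any commenter. The three approved sticks and their serials are constructed sample values. The allowlist variant assumes a kernel with per-interface USB authorization (4.4 and later), which is an assumption to verify on your build; the deny-all variant only needs modprobe.

```shell
#!/bin/sh
# Removable-storage lockdown on Linux, two variants:
#   1. allowlist: only named sticks may expose a mass-storage interface
#   2. deny-all: the storage drivers never load (comment 7's approach)
# Added example, not from the post. Device IDs and serials are constructed.

# Approved devices as idVendor:idProduct:serial, exactly as sysfs prints them
# (hex IDs lowercase). The serial matters: VID/PID alone is trivially cloned.
APPROVED='0781:5583:4C530001234567890123
0951:1666:50E549C6A3FF
0930:6545:07012B8A4E9C'

# usb_storage_allowed VID:PID:SERIAL -> 0 if the device is on the allowlist, else 1
usb_storage_allowed() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$APPROVED" | grep -qxF -- "$1"
}

# render_udev_rules -> udev rules that deauthorize every USB interface of
# class 08 (mass storage) unless its parent device is approved. Assumes
# per-interface authorization; check: ls /sys/bus/usb/devices/*:*/authorized
render_udev_rules() {
    echo '# USB mass storage: deny all but approved devices (generated)'
    echo 'ACTION!="add", GOTO="usbstor_end"'
    echo 'SUBSYSTEM!="usb", GOTO="usbstor_end"'
    printf '%s\n' "$APPROVED" | while IFS=: read -r vid pid serial; do
        [ -n "$vid" ] || continue
        printf 'ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", ATTRS{serial}=="%s", GOTO="usbstor_end"\n' \
            "$vid" "$pid" "$serial"
    done
    echo 'ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"'
    echo 'LABEL="usbstor_end"'
}

# render_modprobe_conf -> modprobe.d fragment that refuses to load the storage
# drivers at all. Covers UASP sticks too, which use uas rather than usb-storage.
render_modprobe_conf() {
    echo 'install usb-storage /bin/false'
    echo 'install uas /bin/false'
}

# Dry run: print what would be written. Installing needs root, e.g.:
#   render_udev_rules > /etc/udev/rules.d/99-usb-storage-allowlist.rules
#   udevadm control --reload-rules && udevadm trigger --subsystem-match=usb
echo '--- udev allowlist ---';    render_udev_rules
echo '--- modprobe deny-all ---'; render_modprobe_conf
```

Two caveats a practitioner would want. First, a storage-only rule does nothing against a stick that enumerates as a keyboard and types for itself; if that is in scope, authorize by device rather than by interface class, or use a dedicated tool such as USBGuard. Second, the Windows equivalent of the deny-all variant is the "Removable Storage Access" Group Policy (deny all access to removable storage classes) or setting the USBSTOR service's Start value to 4, which is the modern form of the Policy Editor lockdown in comment 3.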