A "Certified Ethical Hacker" posts the story of how he broke into a company that really seemed to have its act together. After trying to break into the firewall with all the usual tricks, he decided he needed to go after the weak link.
So I told myself, “Screw it. I’m going in.”

Perhaps needless to say, it didn't take long. As he says, people tend to be curious, and if they find a USB drive they're more than likely going to plug it into their computer to see what's on it. It may be with completely good intentions: "this looks like Dave's drive, but maybe I should check whether it's his." Or it could be just to see if there are any cool pics on it.
First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.
I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”
She smiled — a good sign — and buzzed me in. Once I was inside the men’s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.
I drove back to my office and waited, because as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto run and execute a remote connection to my computer.
Is this how Stuxnet was uploaded into the Iranian nuclear facilities? It's hard to imagine someone walking in off the street into those facilities and getting permission to use the restroom, but the infection was spread by infected USB drives. It's not hard to imagine those drives could have been left somewhere that was a known hangout or gathering place for workers from those plants. I don't know Iranian culture, but I know that every base I've ever been around has some favorite "watering holes" nearby where open ears can gather a lot of information tidbits. So what if they (officially) don't drink?
What strikes me about this attack is that it's entirely social engineering. It relies on the receptionist's social tendency to be kind to a guy in distress, and it relies on the curiosity of the guy who picks up the USB drive in the men's room and looks at it. The software attack on the drive would have failed without the social work.