Post by nictoe on Jul 22, 2012 3:59:19 GMT -7
Dropped USB Sticks as a Malware Vector: DSM Does Cybersecurity Right
Kyt Dotson | July 12th
The reason that some malware is called a Trojan is a play on the Trojan horse from the mythology about the ancient Greek siege of the city of Troy. Most Trojans are actually software pretending to be something else (thus getting themselves inside the “gates” of a computer’s security) but in some cases there are actual physical Trojan horses. In this case people should be aware of and beware of not just Greeks bearing gifts but random USB keys borne as gifts.
Workers at the Dutch offices of DSM, a chemical company, almost discovered this the hard way; but they have a very smart IT department and good training for employees. Reported by Dutch language news site, Elsevier.
Data Criminals have made an attempt to steal passwords and usernames of DSM employees. They put several USB sticks in the parking lot of the multinational, which contained programs that were capable of sending usernames and passwords to a remote site…
The unusual plan failed, however, because the employee who is the first USB stick took it immediately to the IT department. There the malicious software was detected and the IP addresses that the malware communicated with blocked.
This is a very old strategy—as old as the Trojan war in fact—and it’s been employed to gain surreptitious access to many different corporations even as far back as spear-phishing with CD-ROMs. In those attacks, the CDs were mailed to unsuspecting secretaries or executives as part of product pitches that contained malicious code designed to infiltrate the computer system and steal information to exfiltrate.
Heerlen, Netherlands headquartered DSM obviously have a well thought out plan of employee training to keep them from becoming the weakest link in their security system. As we well know, from the lesson of the Kobayashi Maru, attackers will examine the culture of a secure place and attempt to exploit the weaknesses that they see arising from the human behaviors therein. Often employees themselves are unsuspecting vectors for malware.
In the past Trojans have taken the form of bogus e-mails, such as the ILOVEYOU virus that managed to infect tens of millions of Windows personal computers in May 2000. It was an unsophisticated attack that still managed great and widespread infection because it tactfully exploited the unsuspected curiosity of people to open unknown e-mails and in many cases took advantage of weak security settings. Now most computers have firewalls, antivirus, and require greater personal attention before running a program.
Of course, a Trojan hidden on a USB stick might still get around that if the employee then uses the USB stick and ignores warnings about autorun.
Employees trained not to use insecure devices on corporate networks and taught to have the IT department vet them first will be the first and last line of defense against Trojans attempting to infiltrate the network. This is exactly what is currently an obstacle to BYOD (bring your own device) culture for many workplaces—having a trustworthy device setup that can leave the cyber-barbed-wire fence of the corporate network and be allowed back in again as trustworthy.
bit.ly/PHfe9m
