First, if you’re in any way responsible for security or data integrity for any sort of sizable operation, you should really review your policies and procedures for locking down accounts and accesses when IT staff resign or get fired. Nightmare on Wall Street details some of the things that can happen if you don’t handle things the right way:
Federal prosecutors charge that Duronio, a former systems administrator at UBS PaineWebber, planted malicious code – what they’re calling a logic bomb – on the company’s network.
The government contends Duronio built and planted the malicious code months ahead of time and then bought stock options – using money that he got cashing out his and his wife’s $20,000 IRA – that would only pay out if the company’s stock took a dive within 11 days. By laying out a short expiration date – 11 days instead of maybe a year or two – the gain from any payout would be much greater.
O’Malley said Duronio planned on making sure that that’s exactly what would happen, by crippling the company’s network.
“He knew something everyone else didn’t know,” O’Malley told the jury. “As he was escorted out the door [on the day he quit], there was working in the UBS system a time bomb. Within an hour or so, he was in a broker’s office making bets that UBS would take a dive.”
Second, if you’re looking to penetrate a network or installation, it turns out that the best way might not involve brute force or clever detection of holes to crawl in though – the best way probably involves exploiting people’s natural greed and curiosity:
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.
You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans’ innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.
Finally, speaking of USB drives, David Pogue reviewed some new software that lets you carry a WinXP “ecosystem” around on a flash drive. My initial thought: this is pretty cool. My second thought: this totally makes hash of policies about what software can be installed on the “enterprise” desktop. You might have your users locked down to the point where they can’t install anything, but if there’s a free USB port, they can now easily route around you.