One of the break out television series of the past year has been Sam Esmail’s Mr Robot, a dark drama-thriller set in a slightly dystopian version of New York City, starring Rami Malek as an anti-social computer programmer who works as a cybersecurity engineer during the day but is a vigilante hacker by night.
The show features some of the most believable on-screen ‘hacking’ of the past few years – indeed, while a group of Anonymous-like hackers watch the 1995 film Hackers, they comment on how unrealistic the hacking shown on film and TV usually is. One particular scene stood out for me, which is what I’m going to write about today.
At a point in the series, the main character needs to hack into a prison – something that sounds quite unbelievable but is actually all too realistic for reasons which we’ll go into another time. One of the first attacks attempted sees a hacker dropping USB flash drives in the car park of the correctional facility.
The ground littered with the USB sticks, the team wait until they catch their first fish – an officer who promptly picks up a drive and plugs it into his computer, deploying whatever malicious code was on the drive immediately.
This of course sounds like it was dreamt up for the show, but it is actually a reconstruction of the circumstances that led to an attack widely accepted as one of the most devastating cyber attacks ever carried out against a nation. Stuxnet, which in layman's terms was a computer virus, was developed to attack a specific part of the Iranian nuclear infrastructure. It is understood to have been developed by another nation state with the specific intention of damaging the centrifuges used by Iran to enrich uranium. The main deployment method? A little USB flash drive.
Most people have a few of these – bought, collected as freebies at events, or given out by their company with the requisite branding. They are considered so cheap that in an office environment they often change hands many times, floating around from presentation to presentation. There is a huge misunderstanding of the risk that they can bring to organisations.
To understand why the risk is so large, it’s important to make the connection that the socket on your computer that you plug your little USB drive into is the same one that you plug a mouse, a printer, a phone charger or a keyboard into; they are specifically designed to be universal, and the computer relies on the device identifying itself properly to understand what type of device is actually being plugged in.
The Stuxnet virus took advantage of a feature that has since been removed from Windows: autorun, which allowed a USB drive to tell the computer to run any arbitrary file as soon as the stick was plugged in. This hole has now been plugged and so devices can no longer do that without permission, but there are many ways to get around that and have a virus deployed to your machine.
One of the devices that almost every desktop computer accepts without question is a USB keyboard – these are ubiquitous; if you’re reading this at your desk you probably have one in front of you.
A device that we love to demonstrate vulnerabilities with is the rubber ducky (above) – it looks like a flash drive but identifies itself as a keyboard to any computer that it’s plugged into. Using pre-programmed scripts, this device can ‘type’ commands – meaning that it can do anything that you can do, from sending emails to downloading and opening items and applications from the web. It can also carry malicious software and act as both a keyboard and USB storage – running whatever payload it carries without human interaction.
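The defensive counterpart to the point above is that the operating system records exactly what class of device each USB port claims to be, so a "flash drive" that also registers as a keyboard is visible in the logs. The following script is an added example (not code from this blog or its Inform service) that parses Linux kernel (dmesg-style) USB enumeration lines and flags any device that presents both an input interface and mass storage on the same port, or any new input device at all. The log lines, product names and vendor/product IDs are constructed for illustration and are not real identifiers.

```python
"""Audit USB enumeration log lines for keyboard-class and composite
keyboard+storage devices (added example; all sample data is constructed)."""
import re
from collections import defaultdict

# Constructed sample of kernel log output for three devices on one root hub:
# a plain flash drive (1-1), a plain keyboard (1-2), and a device that calls
# itself a flash drive but enumerates as input AND storage (1-3). The
# idVendor/idProduct values are placeholders, not real assignments.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 3 using xhci_hcd
usb 1-1: New USB device found, idVendor=0000, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Flash Drive
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 4 using xhci_hcd
usb 1-2: New USB device found, idVendor=0000, idProduct=0002, bcdDevice= 1.00
usb 1-2: Product: Office Keyboard
input: Office Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:0000:0002.0001/input/input5
usb 1-3: new high-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=0000, idProduct=0003, bcdDevice= 1.00
usb 1-3: Product: Flash Drive
input: Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:0000:0003.0002/input/input6
usb-storage 1-3:1.1: USB Mass Storage device detected
"""

# Line shapes the kernel emits when a device and its interfaces are enumerated.
NEW_DEV = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
# The port (e.g. 1-3 or 1-3.2 behind a hub) is recovered from the sysfs path.
INPUT = re.compile(r"^input: (?P<name>.+?) as /devices/.*?/usb\d+/(?P<port>[\d.-]+)/")


def parse_usb_log(text):
    """Group log lines by USB port; collect IDs, product name and interface classes."""
    devices = defaultdict(lambda: {"vid": None, "pid": None, "name": "?", "classes": set()})
    for line in text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            devices[m["port"]]["vid"] = m["vid"]
            devices[m["port"]]["pid"] = m["pid"]
            continue
        m = PRODUCT.match(line)
        if m:
            devices[m["port"]]["name"] = m["name"]
            continue
        m = STORAGE.match(line)
        if m:
            devices[m["port"]]["classes"].add("storage")
            continue
        m = INPUT.match(line)
        if m:
            devices[m["port"]]["classes"].add("input")
    return dict(devices)


def audit_usb_log(text):
    """Return (port, product name, verdict) per device, worst case first in wording.

    A device exposing both an input interface and mass storage matches the
    'keyboard that is also a drive' pattern and is the highest-priority alert;
    a new input device on its own still deserves a look, since a keyboard can
    type anything the logged-in user can."""
    findings = []
    for port, dev in sorted(parse_usb_log(text).items()):
        classes = dev["classes"]
        if {"input", "storage"} <= classes:
            verdict = "ALERT: composite input+storage device on one port"
        elif "input" in classes:
            verdict = "REVIEW: new input (keyboard-class) device"
        else:
            verdict = "ok: storage only (still covered by removable-media policy)"
        findings.append((port, dev["name"], verdict))
    return findings


if __name__ == "__main__":
    for port, name, verdict in audit_usb_log(SAMPLE_LOG):
        print(f"{port:6} {name:16} {verdict}")
```

On a real host the same functions can be pointed at the output of `dmesg` or at `/var/log/kern.log`; the useful signal is not the product string, which the device chooses, but the mismatch between what it calls itself and which interface classes the kernel actually binds.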
This is troubling, because it identifies the real weak point in most computer networks – the users themselves.
Let’s go back to the USB drive lying on the ground in a car park. When (and in most cases it’s a when, not an if) it is found by a person, the first thing that they will do with it is plug it into a computer – whether out of a sense of care for whoever had dropped it (hoping to identify the owner) or because they subscribe to the ‘finders keepers’ mantra. As soon as they do this, even the very best network security has been breached.
To demonstrate this, the US Department of Homeland Security ran a test by dropping seemingly innocuous USB drives outside government offices and suppliers – 60% of these were picked up and plugged in, and when an official logo was added to the outside of the device this rose to an astounding 90%. As soon as they were plugged in, the malicious code executed and the hackers “owned” the machines.
What should you take away from this? The weakest link in your company security is invariably the people within it, and the only way to strengthen that chink in the armour is through continuous training on what not to do and what to be wary of. As part of our Inform service we offer training for executive level employees alongside other staff to help them understand the risks that cyber crime poses to their organisations, alongside penetration testing from a specialist partner – to find out more, just get in contact here.
Do you still want a free USB flash drive?