Social Engineering Using a USB Drive

When users receive phishing email through certain techniques, it is often called social engineering. For instance, you receive an email explaining that your Yahoo account is about to be disconnected. In order to prevent this from happening, you are prompted to provide personal information such as your user ID, password and full name. If you respond to this phishing email with the requested information, you will have given a hacker access to your email and to personally identifiable information (PII) located within your account.

Social Engineering is thus described as a non-technical intrusion that relies on human interaction and often involves tricking other people into breaking normal security procedures.

There are a variety of tactics used in social engineering, some of which are:

Social Engineering by Phone. A hacker calls pretending to be someone in a position of authority to persuade the user into providing sensitive information. They could use positions of authority such as impersonating a phone company representative or a bank representative.

Dumpster Diving. Also known as trashing, this is when a hacker searches for sensitive information (e.g., bank statements, pre-approved credit cards and student loans) in the garbage.

Online Social Engineering. Hackers often try to trick users into providing sensitive information via email, instant messaging, chat rooms or social networking sites, etc. For instance, a hacker will send a fraudulent email claiming to be a banking institution, credit card company or department store, etc. They request that the user verify their user name, password and user ID either by responding to the email or by clicking on a link that directs the user to a legitimate looking, but fake website.

Reverse Social Engineering. This is when a hacker poses as a technical aide to fix a computer problem which they actually created, or which doesn't exist. The user contacts this aide and is then prompted to give sensitive information to them in order to fix the problem. The user provides the required information and the problem seems to be solved.

USB Drives

Hackers can also use USB drives to gain access to sensitive information kept on a computer or network. Hackers may infect one or more USB drives with a virus or Trojan, that when run, will provide hackers with access to logins, passwords, and information on the user's computer or the network the computer is connected to. The hacker may then leave the infected USB unattended on the floor, in or next to a cluster machine, in hallways, restrooms or any areas with a relatively high volume of traffic. A user who finds a USB drive will often install the device on their computer or on a cluster machine to search for identifiable information that can be used to locate the owner of the USB device.

This document focuses on social engineering using a USB drive. If you suspect that your machine or any machine that you have used to plug in a USB drive was compromised, please take the following steps:

1. Disconnect the computer from the network
2. Disable the wireless connectivity
3. Contact the Information Security Office (ISO) at iso-ir@andrew.cmu.edu, your departmental administrator, DSP consultant, or Computing Services Help Center at X8-HELP (4357) or it-help@cmu.edu

Measures of Protection

• Install and update anti-malware software (e.g. Windows Defender). Visit Secure Your Computer on the Computing Services website for instructions on downloading, using and updating anti-malware software.

• Install and maintain a firewall. For instructions on how to configure Windows Firewall, or Macintosh, please visit the Computing Services Secure Your Computer.

• Avoid plugging an unknown USB into your computer or a cluster computer. When a USB drive is found unattended, please give it to a cluster consultant, the Computer Services Help Center, a residence assistant (RA) or to Carnegie Mellon campus police.

• Disable Autorun on your machine. Autorun is a feature that allows Windows to automatically run the startup program when a CD, DVD, or USB device is inserted into a drive. Autorun also automatically shows the contents of the USB device such as an iPod or thumb drive when it is inserted into the computer. To disable the Autorun feature on your machine, please take the following steps: (the steps were recommended by CERT Vulnerability Note 889747).

To effectively disable Autorun in Microsoft Windows, import the following registry value:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

To import this value, perform the following steps:

• Copy the text
• Paste the text into Windows Notepad
• Save the file as autorun.reg
• Navigate to the file location
• Double-click the file to import it into the Windows registry

Please note that all computers managed by DSP (Desktop Support Program) have the Autorun feature disabled, to prevent automatic program execution by Windows when CD/DVD or USB device is inserted into the computer. When inserting a CD/DVD or any USB device, Windows will no longer open these devices automatically. To see the content of any inserted media, please open “My Computer” from your desktop or start menu and double click on the desired drive to view its contents.