Originally posted on www.watchyourend.com
“Hey can I charge my iPod on your laptop for a few minutes? Hey thanks man, have a free USB stick, a friend gave it to me and I already have a ton of these things, oh check out the photo he put on there it’s hilarious!”
Bruce Schneier discusses an article recently published in the Spring issue of 2600, titled “iPod Sneakiness”, in which the author combines social engineering with an iPod running a *podslurping application. Imagine if you (or your employees) were at a Starbucks with your laptop and someone came up and innocently asked to plug their iPod into your computer to charge it. If that iPod has a podslurping application installed, it would be sucking more than power from your laptop: it would also be copying files and passwords off your system.
I used to work for a large public technology company that actually has a Starbucks on campus. Since the Starbucks is not company owned, anyone can sit in the coffee shop without a security badge. The amount of information that could be compromised by an attack such as this is beyond comprehension, as engineers, IT staff and top-level executives all visit this “hub” with their laptops.
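From the defender's side, the tell-tale pattern of a podslurping device is a removable volume being mounted and then receiving a burst of file copies within a short window. The script below is an added example, not code from the original post or from the 2600 article; it correlates constructed host events (the `HostEvent` records, volume letters and the 20-file / 5-minute thresholds are all assumptions, to be tuned to whatever endpoint audit source you actually have) and flags the volume that received a bulk copy right after being plugged in.

```python
"""Flag a removable-media mount followed by a burst of file copies to it.

Added example: the events below are constructed, not taken from any real
host log, and the thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HostEvent:
    when: datetime
    kind: str        # "mount" (removable volume attached) or "copy" (file written to it)
    volume: str      # drive letter of the removable volume
    path: str = ""   # source file for "copy" events


def bulk_copy_alerts(events, window=timedelta(minutes=5), threshold=20):
    """Return [(volume, mount_time, copy_count)] for every removable volume that
    receives more than `threshold` file copies within `window` of being mounted.

    Copies to a volume with no observed mount are ignored: the correlation is
    specifically "plug in, then slurp", not any write to removable media.
    """
    mounts = {}                    # volume -> time it was mounted
    copies = defaultdict(list)     # volume -> copy events inside the window
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "mount":
            mounts[ev.volume] = ev.when
        elif ev.kind == "copy" and ev.volume in mounts:
            if ev.when - mounts[ev.volume] <= window:
                copies[ev.volume].append(ev)
    return [(vol, t, len(copies[vol]))
            for vol, t in mounts.items() if len(copies[vol]) > threshold]


# Constructed sample: E: is slurped (30 files in one minute), F: gets three
# holiday photos an hour later, and G: sees a copy without any mount event.
T0 = datetime(2006, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [HostEvent(T0, "mount", "E:")]
    + [HostEvent(T0 + timedelta(seconds=2 * i), "copy", "E:",
                 f"C:\\Users\\alice\\Documents\\file{i}.doc") for i in range(30)]
    + [HostEvent(T0 + timedelta(hours=1), "mount", "F:")]
    + [HostEvent(T0 + timedelta(hours=1, seconds=10 * i), "copy", "F:",
                 f"C:\\Users\\alice\\Pictures\\img{i}.jpg") for i in range(3)]
    + [HostEvent(T0 + timedelta(seconds=3), "copy", "G:", "C:\\notes.txt")]
)


if __name__ == "__main__":
    for vol, mounted, count in bulk_copy_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {count} files copied to {vol} within 5 min of mount at {mounted}")
```

Running the block prints one alert for `E:`; `F:` stays quiet because three files in five minutes is normal use, and the stray copy to `G:` is not correlated with any mount. The same rule can be fed from removable-storage audit events or an endpoint DLP agent; the point is the mount-then-burst correlation, not the specific log format.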
Making a Trojan Clickalicious
In a further discussion of the Dark Reading article about a recent penetration test on a credit union that used USB sticks and a Trojan, it appears that Autorun was not used to launch the application. Instead the executable was disguised as a JPEG image, using Windows' option to hide known file extensions together with an image icon embedded in the executable, so the credit union employees thought they were opening a picture, not running a program.
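The disguise described above leaves two artefacts a scanner can check for: a double extension such as `funny.jpg.exe` (Explorer shows it as `funny.jpg` when known extensions are hidden) and file contents whose signature does not match the extension the name claims. The script below is an added example, not code from the original post or from the penetration test it discusses; the file names and byte strings are constructed samples, and the extension lists are assumptions you would extend for your environment.

```python
"""Spot executables dressed up as images by name or by content.

Added example with constructed sample files (not real malware): a handful of
bytes per file is enough to show the two checks.
"""
import os
import tempfile

# Image extensions and the leading bytes a genuine file of that type carries.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
IMAGE_EXTS = set(IMAGE_MAGIC)
# Extensions Windows will execute on double-click (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def masquerade_reasons(filename, head):
    """Return the reasons `filename` with leading bytes `head` looks like an
    executable posing as an image; an empty list means nothing suspicious."""
    reasons = []
    stem, outer = os.path.splitext(os.path.basename(filename))
    outer = outer.lower()
    inner = os.path.splitext(stem)[1].lower()
    if outer in EXEC_EXTS and inner in IMAGE_EXTS:
        reasons.append(f"double extension {inner}{outer}: shown as '{stem}' "
                       "when Explorer hides known extensions")
    if head.startswith(b"MZ") and (outer in IMAGE_EXTS or inner in IMAGE_EXTS):
        reasons.append("PE (MZ) header behind an image-looking name")
    if outer in IMAGE_EXTS and not head.startswith(IMAGE_MAGIC[outer]):
        reasons.append(f"content does not start with the {outer} signature")
    return reasons


def scan_directory(root):
    """Read the first 8 bytes of every file under `root`; return {name: reasons}
    for the files that trip at least one check."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(8)
            reasons = masquerade_reasons(name, head)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_dir():
    """Write constructed sample files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="masq-")
    samples = {
        "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "funny.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,       # the trick from the article
        "report.exe": b"MZ\x90\x00" + b"\x00" * 16,          # honest executable
        "photo.png": b"MZ\x90\x00" + b"\x00" * 16,           # PE renamed to .png
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for name, reasons in scan_directory(build_sample_dir()).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The name check alone catches the `photo.jpg.exe` pattern; the content check catches the reverse case of a PE renamed to an image extension, which a double-click will not run but which is still worth a look. The reason the name trick works at all is the Explorer setting that hides known extensions (`HideFileExt` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`; `0` shows extensions), so turning that off for users is the cheapest mitigation.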
*Podslurping is a term for the use of a portable storage device such as an iPod to illicitly download large quantities of data by plugging it directly into the computer that holds the data, or into a machine inside the firewall that protects it. As these devices get smaller and their capacity grows, they pose an increasing security risk to companies and government agencies. Access is gained while the computer is unattended.