This is a great story of social engineering, wherein USB drives are “dropped” around a credit union and employees pick them up and plug them into company computers [via Slashdot]. This was done as part of a security audit, and what is particularly interesting is that the employees knew a security audit was being done and knew that social engineering attacks were going to be attempted. The results:
Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
This is reminiscent of a similar social engineering test I read about maybe a year ago, where free CDs were given out on the street. The lure of free stuff is hard to combat. And, thinking about it, if I found a USB drive left in my classroom, I very well might put it in my computer to see if I could identify who it belonged to. It’s the old tension: perfect security would require people to suppress their instincts for trust and helpfulness, and those instincts are exactly what a social engineer exploits.
I wonder what would happen if you tried the experiment with something dropped around a place that might be biologically contaminated – pieces of candy, say. How many people would take it and eat it?