IT
Interaction with removable media
Removable media can easily be loaded
with malicious code, and when connected to a
corporation’s system this infection is passed across to
the corporation, allowing data theft and unauthorised
access. Most organisations are on guard against this
type of activity, and this vector seems almost archaic
or old hat to many I.T. professionals, so much so that
they forget to let the frontline staff know that this
practice contains a very real risk to the viability of the
company’s cyber defence.
Many businesses formulate a “Bring your own device”
policy, which may or may not be policed adequately.
To circumvent these policies, bad characters exploit
human curiosity to target an organisation in a
method referred to as a “Candy Drop”.
A “Candy Drop” is when virus-infected USB drives
are dropped in a targeted area such as a staff car
park, where they are usually found by staff and plugged
into the business’s system to explore what the
drives contain. Connection allows the infection of the
target system to occur and malicious activity to take
place. A Credit Union in the USA tested its employees
by dropping twenty infected USB drives near staff
cars in a secure parking area. Of the twenty drives,
fifteen were connected to the credit union’s devices
against company policy. To ensure further success,
bad characters will often mark the USB or hard drives
with enticing labels such as “Confidential”, “Celebrity
Nudes” or “Military Eyes Only”.
Removable media also presents further problems,
with employees able to download personal client
information, corporate secrets and the like. These
drives can then be sold or inadvertently left in public
areas, allowing breaches of your company’s data.
Unsecured wireless hotspots
Public wireless connections, the kind found in cafes,
airports, public transport, fast food outlets and the
like, may be unsecured, meaning that you are sharing
bandwidth with others, including identity thieves. In
fact many identity thieves frequent these locations
and create their own hotspots that unsuspecting
computer users connect to. These “fake” hotspots
are often named appropriately to induce you to
connect and inadvertently bypass the legitimate
wireless connection.
For example, if a traveller was waiting for a flight at
an airport and they looked at the available Wi-Fi
connections, a connection named “Free Airport
Wi-Fi” may sound legitimate but may also be fake. It
is surprisingly easy to do and there is a large target
group ready to be deceived. These hotspots can be
used to steal personal and financial data as well as
corporate secrets.
An experiment in the centre of London concerning
the use of a wireless hotspot captured the
details of 250 users in the first hour. All data was
destroyed; however, it showcased the tendency to
trust wireless hotspots. Interestingly, the terms and
conditions of the wireless connection in the
experiment stated that users must surrender
their first-born child to the providers of the
hotspot to use the service. It appears that at least 250
people were prepared to do so!
Weak passwords
We all know the risk of weak passwords and
organisations ensure that strong passwords are
utilised. A password is in effect a key, and in our
offline world we have different keys for different
aspects of our lives, that is, my front door key is
different from my car key which in turn is different
to the key for my garden shed. However, online
we often use one password for all aspects of our
digital presence, so if my personal email password
is compromised, it allows the bad character to
access my online banking or my work systems.
Exclusivity and the recording of passwords are
another concern: passwords are often shared
between employees or left under the mouse pad,
which is as good as hiding my wallet and keys
in my shoe at the beach: who would ever think a
thief would think of looking in there!
GOVLINK » ISSUE 2 2017