Terry Cutler – The Ethical Hacker

The USB keys in the urinal revisited

In 2011, a company challenged me to try to expose any security vulnerabilities that might be lurking in their system. I wrote about the experience in 2013, and it’s worth revisiting. Simply: I left two USB keys in the urinal, and that opened the company’s infrastructure.

A company’s external infrastructure—including web servers, domain name servers, email servers, and perimeter firewalls, accessible from the Internet—is a primary target of security attacks. So that’s where I started.

A Certified Ethical Hacker like myself uses tools such as keystroke loggers, sniffers, denial-of-service, and remote controls to crack passwords and eavesdrop. I tried every trick I had in my toolkit to attack their firewall, but to no avail—the network was secure. 

So, I told myself, “I’m going in.”

Companies with an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers can expose these vulnerabilities by predicting and exploiting how people behave in a particular situation. We love to help others, a tendency known as prosocial behaviour.

First, I did a little recon using Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of the friendly guy next door, I wore my usual garb: a pair of good jeans and a button-down shirt.

Next, I drove to the facility. I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favour. I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”

She smiled—a good sign—and buzzed me in. Inside the men’s room, I confirmed it was unoccupied. I withdrew two USB keys from my pocket and placed one on top of the metal toilet paper holder in each stall. I gave myself a thumbs-up in the mirror, strolled back to the lobby, and flashed the receptionist a big smile.

Now, I wait

Back at my office, I waited. I knew that as soon as someone found the USB keys, they would plug them into a computer. Then a program on the flash drive would auto-run and execute a remote connection to my computer.

It would give me instant access and the ability to ‘pass the hash.’ Note that I’m not talking about the good ol’ college days here. We’re taking the encrypted credentials for the computer’s owner and passing them to the company’s server, mimicking a standard login.

In a short time, my computer sprang to life. I’m in. With the ability to log into the company’s network, I could unleash mayhem. I could extract user names and passwords, open and interact with files, or take screenshots of current activity on a user’s desktop.

Management was horrified

Company management was horrified to learn how easily I had hacked into their system by exploiting how people react in certain situations. My “Big Gulp” ruse was a success because, by and large, people love to be helpful. And it’s true—curiosity does kill the cat. A person who finds a random USB stick will wonder about its content and plug it in to find out. They do this 90% of the time.

My backup plan should my men’s-room story have failed was to tell the receptionist that someone had dropped this USB stick on the floor and then hand it to her.

Defending against modern attackers

Leaving those USB keys in the company urinal underscores that security involves more than just protecting your network’s firewall. Internal threats are real, and they aren’t all necessarily the work of a disgruntled employee.

Employees need to understand that security threats can be triggered in numerous ways. Companies should train employees on how to protect against possible security threats masquerading as something perfectly innocuous—like the guy next door. A simple policy like mandating only one type of USB device for internal use might have prevented me from gaining access to the network.

Companies must also recognize when they have a problem: the sooner they know, the better the chances of minimizing the harm done. The good news is that most enterprises have enormous amounts of data scattered throughout firewalls, applications, routers, and log sources that are useful for determining what is happening in their networks. The bad news is that too few know how to aggregate and put that data to use.

What can security professionals do?

Security professionals must implement the technologies and processes that enable access to security logs and some type of log management to extract the information required to keep the infrastructure secure.

Better yet, they can employ a Security Information and Event Management (SIEM) system to grab and correlate data and integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before I accessed any proprietary data.
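The two defensive points above, a single sanctioned USB device model and a SIEM that correlates endpoint events with identity data, can be shown together in one small correlation rule. The following is an added example, not code from the original post or from any product: it assumes a log collector has already normalized Windows Security events into dictionaries (device-recognized event ID 6416 and logon event ID 4624 with the usual NTLM/logon-type fields), that `APPROVED_USB_IDS` holds the company’s one approved vendor:product ID (a hypothetical value), and that the sample events are constructed for illustration. It raises an alert when a removable device that is not the approved model appears, or when a device insertion on a workstation is followed within a short window by NTLM network logons from that workstation to several servers, which is the pattern the post describes.

```python
"""Correlate removable-device events with follow-on NTLM network logons.

Added example, not the post's or any vendor's code. Assumes a collector
has normalized Windows Security events into dicts; event IDs 6416 (new
external device recognized) and 4624 (logon) are real, the field names,
the approved device ID and the sample events below are constructed.
"""
import re
from datetime import datetime, timedelta

# Policy from the post: only one USB storage model is sanctioned.
# Hypothetical vendor:product ID for that model.
APPROVED_USB_IDS = {"0781:5583"}

_VIDPID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

# Constructed sample events (time, host, event_id, plus per-event fields).
SAMPLE_EVENTS = [
    {"time": "2011-06-14T09:02:10", "host": "WS-017", "event_id": 6416,
     "device_id": "USB\\VID_1234&PID_ABCD", "user": "jsmith"},
    {"time": "2011-06-14T09:04:40", "host": "FILESRV01", "event_id": 4624,
     "logon_type": 3, "auth_package": "NTLM", "src_host": "WS-017",
     "user": "jsmith"},
    {"time": "2011-06-14T09:04:52", "host": "DC01", "event_id": 4624,
     "logon_type": 3, "auth_package": "NTLM", "src_host": "WS-017",
     "user": "jsmith"},
    # Benign: the sanctioned device on another workstation, no follow-on logons.
    {"time": "2011-06-14T10:15:00", "host": "WS-042", "event_id": 6416,
     "device_id": "USB\\VID_0781&PID_5583", "user": "mlee"},
]


def usb_vid_pid(device_id):
    """Extract 'vvvv:pppp' (lower-case) from a Windows device instance path."""
    m = _VIDPID.search(device_id)
    return f"{m.group(1)}:{m.group(2)}".lower() if m else None


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=timedelta(minutes=15), min_targets=2):
    """Return one alert dict per device event that breaks the USB policy or
    is followed by NTLM network logons from the same host to >= min_targets
    distinct servers inside `window`."""
    events = sorted(events, key=_ts)
    ntlm_logons = [e for e in events
                   if e["event_id"] == 4624 and e.get("logon_type") == 3
                   and e.get("auth_package") == "NTLM"]
    alerts = []
    for dev in (e for e in events if e["event_id"] == 6416):
        reasons = []
        vid_pid = usb_vid_pid(dev["device_id"])
        if vid_pid not in APPROVED_USB_IDS:
            reasons.append(f"unapproved USB device {vid_pid} on {dev['host']}")
        start = _ts(dev)
        targets = sorted({l["host"] for l in ntlm_logons
                          if l.get("src_host") == dev["host"]
                          and start <= _ts(l) <= start + window})
        if len(targets) >= min_targets:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"{len(targets)} NTLM network logons from "
                           f"{dev['host']} to {', '.join(targets)} "
                           f"within {minutes} min")
        if reasons:
            alerts.append({"host": dev["host"], "user": dev.get("user"),
                           "time": dev["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["user"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

In a real deployment the same logic lives as a SIEM correlation rule rather than a script: the device event and the logon events arrive from different hosts, so the join key is the source workstation name (or its IP from the logon record), and the identity data the post mentions is what lets the rule tie `jsmith` on the workstation to the logons at the file server and domain controller.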

While it’s true that security threats have become more menacing, remember that security defences also have become more powerful. Ensure you take the necessary steps to protect your infrastructure and data.

If you’re a business owner, VP of IT or IT director and want to test your security systems please visit www.cyologylabs.com for a no-obligation consultation. 

Finally, don’t forget to download our mobile app, FRAUDSTER, available on Apple and Android. You can learn more at www.FraudsterApp.com
