KeriBlog

Cars, Security & a Peek into my Life


The ‘USB to Ego’ Attack

Nov 25 2013

A brief backstory first, to set up the attack.

I arrived at the end of Honda’s FCEV launch, extra unfortunately, because there was water involved, a simulated rainstorm, rare. Like the guy mopping up said, “ya you missed a good one”.

It was in celebration of their latest invention – hydrogen fuel cell technology. Don’t know much about it, you know how I feel about Hybrids, points to Honda for being so bold in their design (coming 2015)…

….but this is a security post, so!

I was taking the below photo, the crowd was starting to thin, and a well-dressed gentleman appeared to my left.

“Hi Keri, here’s the USB key with photos and the presentation, have a good show”. We smiled at one another, he left, I went back to photo-ing.

It wasn’t until later that it hit me, it was so perfect a moment, maybe too perfect.

The Attack:

At a busy event, it’s normal to see a face once and never again, if you notice many faces at all, because cars.

Then an “executive” appears all full of flattery… “hello, I am noticing you, you are a name, so it’s important that you get this information, because you and your opinion matter”… take this USB key, put it into your computer… pretty good right?!

Appear, praise the ego > give a USB key > melt away >
wait a few hours > access target’s computer

NOTE: I’m not at all saying this is what occurred, just that it’s in the realm of possibility (Honda and I know one another a long time (and if this is the case, USB guy: please LinkedIn me.))

The Defence: 

Never use a USB key you find lying around in public, or from a source you don’t totally trust.

 

 

 


Filed Under: Security Tagged With: attack, honda, LA Auto Show, social engineering, USB key, usb to ego

Always Backup Twice

Nov 18 2013

Make 2 copies of the same backup.

1 copy stays with you, and 1 copy is stored offsite.

Because imagine your house burnt down,
with both your computer and backup inside.

Alternative Method

Subscribe to an online backup service.

It automatically searches your computer for new files, then remotely saves and stores them for you.

(I use the main method, I haven’t decided yet if I trust the cloud)

 

 


Filed Under: Security Tagged With: backup, the cloud

Expand and UnMask URLs Before Clicking

Nov 14 2013

URL shorteners are used to simplify a complicated URL, for the purpose of sharing.

Shrink it to better fit into Tweets, Instagrams, make it more manageable. For example:

http://keriblog.com/car-talk/driving-a-honda-civic-si-hfp-at-the-niagara-drive-centre/

becomes

http://bit.ly/N8PrR5

Bit.ly and Google’s goo.gl shorteners are popular, as is good ol’ TinyURL.

However!

It’s a blind click, just trusting that the URL
goes to where you’re expecting it to.

The attack:

Phishing and social media scams use shortened URLs… example: a private message is sent, “Click here to see the photo I posted of you on Facebook!”.

Click the shortened link > hey this isn’t Facebook > it’s a website that just gifted you a virus, or malware.

The defence:

Expand the URL, “unmask it”. Then, decide if you want to click it.

Try LongURL.org or UnmaskURL.com

If your gut makes you pause, listen. Don’t click it.

Infecting your entire system irreparably can happen with one bad click.

 

 


Filed Under: Security Tagged With: longURL, phishing, unmask URL, unmaskURL, URLs

It’s Okay just Click It

Nov 14 2013

http://5z8.info/fakelogin_m3e1hn_the-most-dangerous-game

…

http://5z8.info/illegal-guns-for-sale_p2e3kj_malicious-cookie

Go on…

…

Nah for real it’s safe, it’s a re-direct to KeriBlog.com.

There’s nothing nefarious on the other end, it’s an overly-dramatic URL I made with ShadyURL.com.

Just checking to see if you’re paying attention.

I wouldn’t do that.

on my blog

 

 


Filed Under: Security Tagged With: don't click it, guns, phishing

Wipe Electronics before Tossing Them

Nov 12 2013

Nice idea, this. Found in the parking lot of a gas station.

But, of these 7 computers… I’d guess only 30% have been wiped.

Before it leaves your control, clear it all…

… your phone before sending it for service, hard drives before Goodwill, your phone before exiting the rental car…

If I was a desperate poor person without morals, this bin would be my start into the blackmail business.  And if that occurred to me, someone’s actually doing it.

 


Filed Under: Security Tagged With: deleting, social engineering


Copyright © 2007-2015 KeriBlog.com All rights reserved.