The Honey Stick Project - Measuring risk decisions

Can opening a file on a found USB stick lead to identity theft?

Monday, September 28th 2009 @ 12:00 AM

Background

My initial experiment continues, with the purpose of measuring what percentage of people who pick up a found USB drive will put their computers at risk by trying to see what's on it. While I'm doing that, I can also test some other interesting scenarios.

Most of you know enough by now not to click on links in email spam. When you see a suspicious email message, you tend to disregard it, along with any links in the message. Sometimes the links look pretty real, but you may even know enough not to click on one that looks like "www.paypa1.com" (where the letter "l" is replaced with the digit "1", because the two look similar, or identical, in some fonts).

But if an attacker just wants to get you to visit their infected or phishing/imposter website, they could use something like a Honey Stick with a website "redirect" that loads the web page as soon as you open a file. All it takes is a file that refreshes itself and sends your browser to the URL the moment you open it.
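The "file that refreshes itself" is the kind of thing a defender can look for before opening anything from a found device. The following scanner is an added example, not code from the Honey Stick Project: it flags HTML files on a mount point whose meta-refresh or JavaScript location assignment points at an external http/https URL. The file names, the `example.test` host and the sample document are constructed for illustration.

```python
import html
import re
from pathlib import Path
from urllib.parse import urlparse

# Added example (not the author's Honey Stick code): detect HTML files that
# silently redirect the browser somewhere else as soon as they are opened.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)
CONTENT_URL = re.compile(
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_redirects(html_text):
    """Return (kind, url) pairs for every redirect target found in a document."""
    found = []
    for tag in META_REFRESH.findall(html_text):
        m = CONTENT_URL.search(tag)
        if m:
            found.append(("meta-refresh", html.unescape(m.group(1))))
    for m in JS_REDIRECT.finditer(html_text):
        found.append(("js-location", html.unescape(m.group(1))))
    return found


def is_external(url):
    """A redirect to an http/https URL leaves the device and hits a web server."""
    return urlparse(url).scheme in ("http", "https")


def scan_document(name, html_text):
    """List (file, kind, url) for redirects in one document that go off-device."""
    return [(name, kind, url) for kind, url in find_redirects(html_text)
            if is_external(url)]


def scan_mount(mount_point):
    """Walk a mounted removable drive and report every HTML file that redirects."""
    hits = []
    for path in Path(mount_point).rglob("*"):
        if path.suffix.lower() in (".htm", ".html"):
            try:
                hits.extend(scan_document(str(path), path.read_text(errors="replace")))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return hits


# Constructed sample resembling a self-refreshing file described in the post.
SAMPLE = ('<html><head><meta http-equiv="refresh" '
          'content="0; url=http://example.test/login"></head>'
          '<body>Loading...</body></html>')
```

Run `scan_mount("/media/usb")` (path is an assumption) on a mounted device; any hit means the file would have taken the browser to that URL the instant it was opened.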

Trying to Measure Susceptibility of the Public

In the latest version of the Honey Sticks I deploy, I take the user to a fake website - one they've never seen before - when they open one of the files. They have no reason to trust this site. They should just abandon it. But what they see is a "Login Page" with the user name and password fields pre-filled. The password is even "starred" out, so it looks like it's been entered into a real password field for the website. Then there's a "Login" button and a "Forgot my password" link. It all looks real, but clicking either of them just takes you to another page with no real information on it.

What's the point of this? Just to demonstrate that our curiosity can get the better of us - even when we know we might be putting ourselves at risk.

Note that I don't collect any personal information or ask for anything to be filled in. It's already filled into the user name and password fields! All I want to know is whether people will click on the "Login" button or the "Forgot my password" link to satisfy their curiosity. With every click on this unknown website, the user is risking having malware downloaded. Of course, I don't use any software for this experiment on the Honey Sticks or on the website - just basic HTML. Nothing else. It's all safe for anyone who visits. I just get a chance to test decisions anonymously.

Interesting Results

So, what's the result? Of the first two devices that I deployed in Ottawa that redirect to this website, both of them were used. Firstly, that raises the percentage of people I've measured making risky decisions to something still higher than the 65% I had previously measured. But in both cases, the user chose to try to log in - to see what was inside the website that was protected with a password - once they saw that the password was already pre-filled.

What You Should Do to Avoid Being a Victim

So, please use this example as a lesson that you could be putting your computer and network at risk - or you could be taken to what looks like a real shopping site that has "fantastic deals" where you might be tempted to enter personal information like a credit card number. Because you didn't actually enter the URL - the file on the device did - you may not realize it's not the real, trusted site. This is just one way you can be putting yourself at risk from using unauthorized devices.

NOTE: The same thing can happen if you follow links to unknown sites from a simple Google search. You can check out sites using the McAfee SiteAdvisor or Google SafeBrowsing plugins for your browser, to check the reputation of a website before you go there.



Scott Wright

The Streetwise Security Coach

Comments

ScottWright said on Thursday, October 29th 2009 @ 8:41 AM:

I'd like to find out how many of my readers would be interested in a book on how to design and deploy Honey Stick tests. I've been working on such a book, but need to see a demand for it in the market to raise the priority on getting it published.

Please let me know if you are interested by emailing me at scott@streetwise-security-zone.com