This short article documents how frighteningly easy it was to compromise a credit union’s network security. They simly left USB flash drives that had been purposely infected with trojans where employees could find them, sat back, and waited for sensitive data to stream in. Even worse, the employees had been tipped off that a security audit was going to be performed.
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.