Posted by: kenwbudd | August 29, 2009

Beware Trojan Horse Laptops bearing Gifts: Security Risk

The FBI has launched an investigation to find out who is sending unsolicited laptops to state governors across the country.

The Service is reporting that governors and state officials in at least 10 US states have received mysterious computers in the mail.

The mystery began in West Virginia earlier this month when Gov. Joe Manchin’s office received five Compaq computers on Aug. 5. A week later, Manchin’s office received a sixth notebook, a Hewlett-Packard model.

The Charleston Gazette, which first reported the story, said Manchin’s office didn’t turn on the machines for security reasons. Very wise! West Virginia state police said HP confirmed the notebooks were ordered online for delivery to the governor’s office, but didn’t reveal who made the purchase.

Wyoming and Vermont have also reported similar incidents, which has led to the FBI investigation.

The incidents are raising concerns that hackers are taking advantage of low-cost laptops to circumvent digital security and anti-virus controls to infiltrate high-value targets. It’s an intriguing and ingeniously simple idea, provided that they actually take possession of a machine in the supply chain.

The entire idea of having an inside, physical component to a hack is nothing new. Security history is replete with stories of hackers using social engineering techniques to enter buildings to gain access to unsecured workstations, plant bugs and monitoring devices and steal information necessary for remote access.

If you have seen the movies “Hackers,” “Sneakers,” “Mission: Impossible,” “Eraser” and others, with similar plot lines, then you know how this works. While it’s possible for people to don janitor and Fedex uniforms to gain access to offices, the most common, cost-effective and likely way of making such an attack is ‘Dumpster diving’. Simply, sifting through other people’s trash to find discarded clues that may lead to establishing remote access.

Putting malware on a free machine that just shows up in the office, is different and arguably ingenious. Notebook, desktop and hardware costs have shrunk to the point where everyday hackers can afford the investment of buying a dozen for planting in high-value targets and the pay-off would be well worth th eeffort.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: