Potentially Violating the Law for a Sale

Jan 28 2007

By Ira Winkler

I recently read an article where a security consulting firm mailed USB drives to a variety of business executives. Apparently the enticement for loading the drive on a computer was an invitation to a party. Once installed though, the drive apparently ran a program that contacted the attackers to let them know who ran the drive. Of course, press releases and marketing blitzes to the affected users followed. This is just so wrong and possibly criminal.

A legitimate penetration tester does not choose whom to “penetrate” on their own. Let’s be generous and assume that the “consultants” (and I have to use this term loosely here) informed the victims, as part of the tool, that software would run on their system with unknown effects. That still doesn’t mean that the person who OKed the use had the authority to bring software into the company. Likewise, it is possible that the software could run amok or create other unintended damage.

The “consultants” then used the data to put out a report for marketing purposes, and are now apparently contacting the victim companies to market security services. You don’t hack someone as a marketing study. While the results are interesting, they are not in any way unexpected or noteworthy. The fact that people can be completely ignorant of security concerns is nothing new. Exploiting the fact without permission is relatively new, and possibly illegal.

Let’s see how many people actually look into this study in detail.

Posted by Ira.Winkler on Sunday, January 28th, 2007, at 12:54 am, and filed under Articles.
