Party of a lifetime scam reveals IT security nightmare

That’s the word from IT security consultancy NCC Group, which conducted the test by targeting finance directors at 500 of the UK’s plcs with the USB sticks. Manufacturers, broadcasters, utility companies, retailers, banks and telecoms businesses were among the target group, all of which could have revealed sensitive customer details. Overall 47% of recipients breached their company security policies – and while broadcasters were the worst offenders, manufacturers were second. Paul Vlissidis, head of penetration testing at NCC Group, say: “These findings are extremely concerning and reflect the need for us to continue raising awareness of network security in the UK.” First invitations landed on desks at 8am and by 11.30, 70 people had inserted the USB sticks, despite many needing to bypass a warning message asking if they wanted to run the application. “This demonstrates a fundamental lack of healthy suspicion by IT users, even at a senior level. The need for real security awareness has never been greater… This kind of technique could easily be adopted by genuine hackers and these directors could have seriously jeopardised the security of their company’s networks. “Not only could fraudsters have customers’ or employees personal details to steal their identities, but they could also have gained full control of an FD’s email account, allowing them to access information regarding forthcoming unreleased trading statements or even results which they could then use to influence share dealing.” He makes the point that a real hacker could target the user’s credentials using Trojan Horse technology and plant keystroke loggers, which could then capture the user’s password. “Armed with this the hacker could simply log in remotely, unless the remote access is protected by adequate additional security measures, and extract whatever they wanted unbeknown to the company.”