When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.
Full story from The Register here. Brilliantly worked out, but worrying for system security. Would you have to check every mouse at every terminal? Not the job I’d want…unless they paid me enough.
That was really ingenious, and somewhat scary at the same time. To think there is no practical defense against such an attack, other than being smart enough not to trust something given for free or found in a parking lot. Who would suspect a mouse? Unless your anti-virus software can detect the hack code as it’s being executed, you’d never know what was happening right under your fingertips… literally.
The other factor which I find less scary and more contemptible, is that the anti-virus software had undocumented code which allowed it’s own circumvention. That’s like having a stainless steel door to your house, but leaving the key under the mat.
