In the past few months I have discussed the various threats posed by
portable storage, particularly USB keys. I recently ran across an
interesting account of a social engineering project designed to test the
information security of an anonymous firm. The plan was very simple and
frighteningly effective. Auditors had a small trojan written which
would collect passwords and other sensitive information, then email this
data back to them for analysis. The trojan was designed to be hidden
amongst image files and planted on 20 USB keys. These keys were then
scattered around regularly frequented areas of the firm (car park,
smoking areas, etc.). Out of the 20 keys, 15 were found by employees and
all of those 15 were used, activating the planted trojan. This surely
shows what a threat USB devices can pose to the security of corporate
networks and the data they carry. A full report can be found here.

In one of the follow-up comments to this article there has been some
discussion on how to stop this type of threat. One suggestion has been
a piece of software called gatekeeper; this looks like a
pretty useful application with some interesting features.