When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework.
The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious.
The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.
[In a related study] the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.
This reminds me of stories about medieval poisoning plots involving members of the treacherous Borgia family. They didn't use the bite of a poisoned mouse, though.
A typical hacking attack involves 0) getting a person in a position to enter a malicious command; 1) entering the command; 2) downloading malicious software; 3) installing the software; 4) performing a malicious operation; 5) cleanup and/or escape undetected.
It would be interesting to map major key security penetration cases to this sequence of steps, from ancient Trojan Horse to Enigma to Stuxnet.
tags: invention, innovation, security, information, system, control, five element analysis