Threat from USB Thumb Drives
  • Threat from USB Thumb Drives

    The threat to information systems posed by visitors or disgruntled employees, vendors, etc. who might bring USB thumb drives to your facility is growing as these devices not only have grown in capacity to hold many GB of data, but also are showing up in many "disguised" forms, such as a "lipstick", or this ballpoint pen/USB drive. Adding to the problem, there are complete operating systems (sometimes called "LiveDistros", such as Damn Small Linux) now for these drives that permit the user to mount the drive, boot into the OS on the thumb drive, conduct business using a variety of apps he brings with him (for instance, there's a complete VOIP PBX/soft phone called "[email protected]" you can run, complete with the OS and Apache server, from a 2GB drive) and then he carries virtually every crumb of the evidence of his activity away with him instead of leaving it on the computer whose USB port he uses. There's a thumb drive, incidentally, that has the jacks required for a microphone and ear buds that you can use with the VOIP application to make Internet phone calls from your parasite machine. These things, together with the LiveDistros and the apps they can implement, are becoming very scary. Even if you just used such a device in an old-fashioned dead-drop operation, it wouldn't take but a few drops to transfer the important content from a research lab system right out the front door. And you'd probably chuckle when you stop at the front desk to sign the security log as you leave...using your USB thumb drive/pen.

    If only Sandy Berger had had one of these and one of the tiny USB-ported pocket scanners, he wouldn't have had to stuff documents from the National Archives down the front of his pants. So much more elegant...
    Last edited by SecTrainer; 12-26-2006, 08:11 PM.
    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron

  • #2
    Good post! I recall reading an article not too long ago about the upcoming Windows Vista release. It mentioned something about administrators being able to more easily disable USB ports on certain computers with Vista installed. It also mentioned that some administrators went as far as filling USB ports with super glue. I'll see if I can find that article, unless you already know which one I am referring to...
    "To win one hundred victories in one hundred battles is not the highest skill. To subdue the enemy without fighting is the highest skill." Sun-Tzu



    • #3
      There is always the old fashioned way - email things to your account. It is even easier now with copiers that can scan and mail the document in PDF.
      Quote me as saying I was mis-quoted.
      Groucho Marx



      • #4
        Originally posted by davis002
        It also mentioned that some administrators went as far as filling USB ports with super glue. I'll see if I can find that article, unless you already know which one I am referring to...
        Hadn't heard of that one, but I can easily imagine them trying ANYTHING to disable those USB ports!



        • #5
          Originally posted by Eric
          There is always the old fashioned way - email things to your account. It is even easier now with copiers that can scan and mail the document in PDF.
          Yup, that's one electronic version of the dead-drop that has the extreme advantage that no one has to physically go to a specific location, and either party to the drop can be sitting at a computer anywhere in the world. It's also nearly instantaneous, of course.

          Fortunately, email server administrators have caught on to this and will (if they're smart) implement controls not only on what gets emailed in (size, type of attachments, etc.) but also what goes out. This can become quite sophisticated, sniffing not only header packets for destination and other info, but also data packets, looking for keywords, etc.



          • #6
            Infoworld and eWeek (Ziff Davis Media) stated that administrators were putting super glue into the USB ports to keep those damn devices out. Usually, you need to reboot into Linux to take control of a target PC, which might be detectable if someone's watching you.

            This is where U3 comes in. (http://www.u3.com/)

            I have a U3 Sandisk device that runs U3 programs encapsulated onto the thumb drive. While it's gonna kill the life of the device (I don't expect it to last a year from all the Read/Write operations), it does make for handy "presence anywhere."

            On it, I keep Firefox, Thunderbird, Trillian, OpenOffice, and Skype. Find a 2k or XP based PC, plug it in, and boom. From any PC, I can run those programs and keep the info on my drive.

            This can augment the USB threat because you don't need to reboot (which looks suspicious as hell), and can run programs that your administrator may not want you running.

            A well locked down XP box, or an XP client on a 2k3 server, will obviously prevent this, but let's face it: how many SMBs bother to lock that stuff down, or even have the IT personnel with the requisite MS training to do so? Not every company has an MCSE with the Security track on hand.
            Some Kind of Commando Leader

            "Every time I see another crazy Florida post, I'm glad I don't work there." ~ Minneapolis Security on Florida Security Law

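Post #6 above describes U3 applications running from a thumb drive without a reboot, leaving little on the host. What the host does keep is the plug-and-play record of every USB storage device ever attached, in the USBSTOR branch of the registry. The script below is an added example written for this thread, not something posted by anyone in it: it lists that record so an administrator can compare it against approved devices. It assumes PowerShell 3.0 or later and the documented key path `HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR`; the parameter default and the `HasSerial` heuristic (a Windows-generated instance id has `&` as its second character) are the only assumptions.

```powershell
# Added example (not from the forum thread): list every USB mass-storage device
# Windows has ever enumerated on this machine, read from the USBSTOR branch of
# the registry. Plug-and-play keeps this record after the device is unplugged,
# so the "carry the evidence away with you" scenario still leaves a trace here.
# Present from Windows 2000/XP onward; run from an elevated prompt for full results.
function Get-UsbStorageHistory {
    [CmdletBinding()]
    param(
        # Assumed default. Point this at a loaded offline SYSTEM hive
        # (for example HKLM:\OfflineSystem\ControlSet001\Enum\USBSTOR) for a seized disk.
        [string]$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )
    if (-not (Test-Path -Path $UsbStorKey)) {
        Write-Warning "No USBSTOR branch at $UsbStorKey (no USB storage ever attached, or wrong hive)"
        return
    }
    # Level 1: one key per device model, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02
    foreach ($model in Get-ChildItem -Path $UsbStorKey) {
        # Level 2: one key per physical unit, named by the device's serial number.
        # When the device reports no serial, Windows generates an id whose second
        # character is '&'; such units cannot be matched across machines.
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            $id = $instance.PSChildName
            [PSCustomObject]@{
                Model        = $model.PSChildName
                InstanceId   = $id
                HasSerial    = ($id.Length -gt 1 -and $id[1] -ne '&')
                # FriendlyName is what Device Manager shows, e.g. "SanDisk Cruzer USB Device".
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Usage: review the history, then reconcile it against the list of issued devices.
Get-UsbStorageHistory | Sort-Object Model, InstanceId | Format-Table -AutoSize
```

The registry does not expose when each key was written through `Get-ChildItem`, so this shows which devices were attached, not when. For timing, the first-installation record lives in `%SystemRoot%\setupapi.log` on XP and `%SystemRoot%\inf\setupapi.dev.log` on Vista and later, and a forensic tool that reads key last-write times can fill in the last connection.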


            • #7
              Here's a link to the Vonage thumb-drive/phone flash demo...it may take awhile to load the first time. Click on "Product Gallery" at the upper right for closeups. Vonage soft-phone software is preinstalled.

              Put this baby in your pocket, hook into any computer with (default or improperly configured) Web access, and you're in business. I haven't checked to see what port this uses but as Vonage uses SIP instead of H.323, I'd guess it uses 5060 for signaling and dynamic port assignment for the voice.

              Of course, like so many technologies, it's obviously a very useful tool for perfectly legit purposes, also. Great for travelers, and you can also see how it would enable phone service via your squad's computer if you have the right data link, enough speed and Web service. However, some wireless providers (British Telecom, for one) have started to block port 5060 over wireless themselves to prevent VOIP...meaning you gotta use your phone minutes to make phone calls, by gum! I know they want to limit the data traffic, given their current capacity, but sooner or later they'll be able to sell us a single data link and they won't care whether we're using our Treo as a phone or a modem.

              (This would also solve their "problem" with mobile wireless routers, which enable multiple people traveling together in a car, for instance, all to use one data link on their laptops, or to set up mobile hot-spots. I heard that Verizon had wanted the FCC to make these routers illegal, of all the goofy ideas, but the FCC just gave them the bird.)
              Last edited by SecTrainer; 12-28-2006, 09:20 AM.



              • #8
                Post to bury SPAM.
                Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



                • #9
                  Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property, there are people hired to protect software and information. Now if a person does possess the knowledge to get past security then it seems very well possible, and I had never thought about it before. Sounds kinda scary at how easy things are getting these days.

                  And it's not like you can ban thumb drives from your workplace because many people use them for legitimate purposes. I use mine to back up all my security reports, college work, etc.



                  • #10
                    Originally posted by locknid
                    Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property, there are people hired to protect software and information. Now if a person does possess the knowledge to get past security then it seems very well possible, and I had never thought about it before. Sounds kinda scary at how easy things are getting these days.

                    And it's not like you can ban thumb drives from your workplace because many people use them for legitimate purposes. I use mine to back up all my security reports, college work, etc.
                    locknid:
                    Agreed; however, unauthorized access is still key to keeping your data safe. Regardless of encryption, passwords and the like, if the information is valuable to a third party, with time and effort the data can be obtained. For the unsuspecting user, inductive coupling can be disastrous and the bad guy does not even have to enter the protected space.
                    Enjoy the day,
                    Bill



                    • #11
                      Yeah, I do agree that it is a very big problem, more likely to happen at smaller companies though. And I have seen some sloppy networks where it wasn't that hard to "stumble" across important data. But what can be done about it?

                      Possibly disable the drivers for thumb devices in the operating system so they cannot be used, but that still leaves CD-R/DVD-R drives, which are very common.

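Post #11 asks what can be done and suggests disabling the thumb-drive driver in the operating system. The script below is an added example written for this thread (it is not code from any participant) showing the two Microsoft-documented registry controls that do exactly that on Windows 2000/XP/2003 and later: the start type of the USBSTOR service (4 = disabled, so the USB mass-storage driver never loads) and, from XP SP2 onward, `StorageDevicePolicies\WriteProtect`, which mounts USB storage read-only so files can be read from a drive but not copied onto it. The function names, the `-Mode` parameter and its three values are this example's own choices; the key paths and value meanings are Microsoft's.

```powershell
# Added example (not from the forum thread): audit and, on request, restrict USB
# mass storage on one Windows machine using two documented registry controls.
#   USBSTOR\Start        3 = driver loads on demand (default), 4 = disabled
#   StorageDevicePolicies\WriteProtect   1 = USB storage mounts read-only (XP SP2+)
# Neither control affects CD/DVD burners; see the note after the block.

$script:UsbStorSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$script:StoragePol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePolicy {
    $start = (Get-ItemProperty -Path $script:UsbStorSvc -Name Start -ErrorAction SilentlyContinue).Start
    $wp = $null
    if (Test-Path -Path $script:StoragePol) {
        $wp = (Get-ItemProperty -Path $script:StoragePol -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    }
    # Summarise the combination the way a reviewer wants to read it.
    if ($start -eq 4)    { $effective = 'Blocked' }
    elseif ($wp -eq 1)   { $effective = 'ReadOnly' }
    else                 { $effective = 'Allowed' }
    [PSCustomObject]@{
        UsbStorStart = $start      # 3 or 4
        WriteProtect = $wp         # 1, 0, or $null when the policy key is absent
        Effective    = $effective
    }
}

function Set-UsbStoragePolicy {
    # SupportsShouldProcess gives us -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Allow', 'ReadOnly', 'Block')]
        [string]$Mode
    )
    $startValue = if ($Mode -eq 'Block')    { 4 } else { 3 }
    $wpValue    = if ($Mode -eq 'ReadOnly') { 1 } else { 0 }

    if ($PSCmdlet.ShouldProcess('USBSTOR service', "set Start=$startValue")) {
        Set-ItemProperty -Path $script:UsbStorSvc -Name Start -Value $startValue -Type DWord
    }
    if (-not (Test-Path -Path $script:StoragePol)) {
        # New-Item honours -WhatIf as well, so a preview run creates nothing.
        New-Item -Path $script:StoragePol -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('StorageDevicePolicies', "set WriteProtect=$wpValue")) {
        Set-ItemProperty -Path $script:StoragePol -Name WriteProtect -Value $wpValue -Type DWord
    }
    # Return the resulting state so the change can be logged.
    Get-UsbStoragePolicy
}

# Usage (elevated prompt): audit first, preview the change, then apply it.
Get-UsbStoragePolicy
Set-UsbStoragePolicy -Mode ReadOnly -WhatIf
# Set-UsbStoragePolicy -Mode Block
```

Three caveats follow from the thread itself. A local administrator can set these values back, so on a domain they belong in Group Policy rather than a one-off script. The CD-R/DVD-R gap post #11 points out is not closed here; the Removable Storage Access policies that Vista introduced (the "easier with Vista" point from post #2) cover optical drives as well. And none of this applies once the machine is rebooted into a LiveDistro as post #1 describes, because the guest OS brings its own USB driver: that case is handled by boot order and a BIOS password, not by Windows settings.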


                      • #12
                        Originally posted by locknid
                        Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property there are people hired to protect software and information.
                        Unfortunately, your optimism is misplaced. The history of computer security is replete with attacks that succeeded despite these security measures. In fact, there is virtually no form of computer security that can solve the weak link in the chain, namely people.

                        Kevin Mitnick basically put it this way: "You can have all the firewalls, all the encryption, all the technology you want, and the system is still indefensible against the careless user, the disgruntled employee, the disloyal insider, a trusted partner, or the agent who penetrates your organization."

                        It is in the hands of just such people that makes the thumb drive such a threat - because of its size, storage capacity, the new disguised physical formats it is taking, and the capability of literally turning it into a "computer on a keychain" with its own operating system that can "leech" off the physical components of a "host" system and its network, so that carrying information away actually represents the least of their dangerous qualities.



                        • #13
                          Originally posted by SecTrainer
                          Unfortunately, your optimism is misplaced. The history of computer security is replete with attacks that succeeded despite these security measures. In fact, there is virtually no form of computer security that can solve the weak link in the chain, namely people.

                          Kevin Mitnick basically put it this way: "You can have all the firewalls, all the encryption, all the technology you want, and the system is still indefensible against the careless user, the disgruntled employee, the disloyal insider, a trusted partner, or the agent who penetrates your organization."

                          It is in the hands of just such people that makes the thumb drive such a threat - because of its size, storage capacity, the new disguised physical formats it is taking, and the capability of literally turning it into a "computer on a keychain" with its own operating system that can "leech" off the physical components of a "host" system and its network, so that carrying information away actually represents the least of their dangerous qualities.
                          SecTrainer:
                          The wisdom offered bespeaks the value you have brought forth to this forum. Harken back some 25 or so years, when unshielded motors on a floor buffer distorted an Army research laboratory. How the buffer got into the facility remains a mystery to this day. The government furnished the machines to be used, but a substitute was made without anyone's knowledge.
                          When conducting security surveys or other security consulting duties, it chills my intestinal matter when, on an after-hours visit, I ask who those folks are and the answer is "they're only janitors." Did they sign in? Yes, here on the log. What are their names? Four entries were marked "cleaning crew." Odd name for four individuals. Shoot, Bill, they are only janitors, what possible harm could they do? Plenty! Have the company and its employees been the subject of background investigations? The answer: I don't know; that is a facilities responsibility. OK, when they come here, how do you know who they are? Well, the facilities folks handle that. When you literally hand-carry the MIS/IT manager to the facilities office, the "person-in-charge" can only state they are with a company and the company sends three people each night. Then you repeat the same series of questions you previously asked the MIS/IT manager. Then the stonewall. You contact the Security Officer who hired you, only to be told he works for the facilities manager. When you brief senior management they nod their collective heads, thank you for what you have done, and ask when they will get your survey report. You get your check and find out later they removed or "revised" (the operative word is changed) several sections of the original report, including the table of contents, and left all else intact. Your name is still there.
                          Mort Kelly's "Pogo" was correct when he stated, "We have met the enemy and he is us."
                          That is what our friend must understand, it's people, people, people ...
                          Enjoy the day,
                          Bill



                          • #14
                            Originally posted by Bill Warnock
                            SecTrainer:
                            Four entries were marked, "cleaning crew." Odd name for four individuals. Shoot Bill, they are only janitors, what possible harm could they do? Plenty!
                            Bill
                            Absolutely. Inserting someone who is actually a very highly-skilled operative into a "cleaning crew" or "maintenance crew" is a well-known method of both industrial and military espionage. It is very difficult to convince company execs and HR people that some of these "low-level" people require background checks just like people in "higher" positions of trust because of the relatively unfettered access that janitors, maintenance people, mail couriers and the like are granted to all parts of the facility, including both the executive suite and the facility "innards" (plumbing, HVAC, telecom closets, etc.)...all of which must be cleaned, maintained, etc. and present golden opportunities for a trained operative.

                            That "janitor" sweeping the floor in your office might very well have as much computer or other knowledge as your IT manager, for all you know...unless you do the background checks, and then take the pains to see that they are supervised properly.



                            • #15
                              Got a question

                              Originally posted by SecTrainer
                              The threat to information systems posed by visitors or disgruntled employees, vendors, etc. who might bring USB thumb drives to your facility is growing as these devices not only have grown in capacity to hold many GB of data, but also are showing up in many "disguised" forms, such as a "lipstick", or this ballpoint pen/USB drive. Adding to the problem, there are complete operating systems (sometimes called "LiveDistros", such as Damn Small Linux) now for these drives that permit the user to mount the drive, boot into the OS on the thumb drive, conduct business using a variety of apps he brings with him (for instance, there's a complete VOIP PBX/soft phone called "[email protected]" you can run, complete with the OS and Apache server, from a 2GB drive) and then he carries virtually every crumb of the evidence of his activity away with him instead of leaving it on the computer whose USB port he uses. There's a thumb drive, incidentally, that has the jacks required for a microphone and ear buds that you can use with the VOIP application to make Internet phone calls from your parasite machine. These things, together with the LiveDistros and the apps they can implement, are becoming very scary. Even if you just used such a device in an old-fashioned dead-drop operation, it wouldn't take but a few drops to transfer the important content from a research lab system right out the front door. And you'd probably chuckle when you stop at the front desk to sign the security log as you leave...using your USB thumb drive/pen.

                              If only Sandy Berger had had one of these and one of the tiny USB-ported pocket scanners, he wouldn't have had to stuff documents from the National Archives down the front of his pants. So much more elegant...
                              The site I work at is a beach resort condominium complex...it's not got any classified governmental stuff here...is this device still a problem for us...like info on f/d PCs that could be used for identity theft? Just curious.
