Threat from USB Thumb Drives

  • nineelevensoftware
    replied
    Beware Free Thumb Drives:

    I recently ran into a very interesting article where a security company was asked to assess network security for a credit union. They wrote a trojan program and installed it on some thumb drives. They then figured out a way to get the thumb drives into the hands of employees. Guess what happens next!
    I recommend that you read this article for yourselves. Genuine hackers could have done some serious damage. They could possibly have had client account numbers emailed to them!

    Here's a link to the article:
    http://www.darkreading.com/document....556&print=true



  • ValleyOne
    replied
    Originally posted by stevesurf
    Very true. It is not only the USB Drives, but virtually any two-way communication device that can run a password extraction, cookie grab or history grab application. Think about it; you probably use one every day.

    "Hey there, can I charge my iPod on your computer?"
    "Sure"
    [he plugs it in; the iPod runs an embedded app and retrieves the user's password list]

    There are many such exploits run each day. While your ISM staff is requiring you to physically search bags and protect against laptop theft, there are far more opportunities to get data for an exploit...
    Flash memory cards for instance? Like Secure Digital Cards? Or XD Cards?



  • stevesurf
    replied
    Originally posted by SecTrainer
    These devices present a potential problem for any PC to which unauthorized people might have physical access and that have "active" or "live" USB ports, as most do...
    Very true. It is not only the USB Drives, but virtually any two-way communication device that can run a password extraction, cookie grab or history grab application. Think about it; you probably use one every day.

    "Hey there, can I charge my iPod on your computer?"
    "Sure"
    [he plugs it in; the iPod runs an embedded app and retrieves the user's password list]

    There are many such exploits run each day. While your ISM staff is requiring you to physically search bags and protect against laptop theft, there are far more opportunities to get data for an exploit...



  • Eric
    replied
    From what I am reading here then, computer security must follow/use the same wording as physical security but meaning different things to lessen this exposure.

    Barriers
    Controls
    Supervision



  • Central
    replied
    This has been an issue for quite a while now, not just in this industry. The best way to remove this option is to simply set system policies disabling all USB drives and an automated message once a third-party hardware device is just installed.


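The automated message Central describes, sketched as an added example that is not part of any post in the thread: it reads Windows device-install log text and reports USB mass-storage devices whose serial is not on an approved list. The log lines are constructed and modelled on the `setupapi.dev.log` section-header layout (an assumption, as are the function names and the approved-serial list).

```python
import re
from datetime import datetime

# Constructed sample, modelled on setupapi.dev.log section headers
# (assumed layout: Windows Vista and later). Not data from the thread.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Acme&Prod_PenDrive&Rev_1.00\AA11BB22CC33&0]
>>>  Section start 2007/01/14 11:40:02.113
<<<  Section end 2007/01/14 11:40:05.871
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\5&1a2b3c&0&2]
>>>  Section start 2007/01/14 11:52:10.004
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Corp&Prod_Issued&Rev_2.10\ISSUED0001&0]
>>>  Section start 2007/01/15 08:03:44.500
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - ([^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
STORAGE = re.compile(r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                     r"&Rev_[^\\]*\\(?P<serial>[^&\\]+)")

def usb_storage_installs(log_text):
    """Return one record per first-time USB mass-storage install in the log."""
    records, pending = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Only USBSTOR device IDs are storage; any other header resets state.
            dev = STORAGE.match(header.group(1))
            pending = dev.groupdict() if dev else None
            continue
        start = START.match(line)
        if start and pending:
            pending["when"] = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S")
            records.append(pending)
            pending = None
    return records

def alerts(log_text, approved_serials):
    """Build a message for each storage device whose serial is not approved."""
    return [f"{r['when']:%Y-%m-%d %H:%M:%S} unapproved USB storage installed: "
            f"{r['vendor']} {r['product']} (serial {r['serial']})"
            for r in usb_storage_installs(log_text)
            if r["serial"] not in approved_serials]

if __name__ == "__main__":
    for message in alerts(SAMPLE_LOG, approved_serials={"ISSUED0001"}):
        print(message)
```
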

  • ValleyOne
    replied
    Some might recall a video I posted on another thread. After reading this thread the actions of those police officers at UCLA seem A LOT more than justifiable...



  • SecTrainer
    replied
    Originally posted by james2go30
    The site I work is a beach resort condominium complex...it's not got any classified governmental stuff here...is this device still a problem for us...like info on f/d PCs that could be used for identity theft? Just curious.
    These devices present a potential problem for any PC to which unauthorized people might have physical access and that have "active" or "live" USB ports, as most do...most of them now being located right on the front of the machine for easy access, in fact. Identity theft is, of course, one possible form of attack. It's amazing how different software can "litter" the computer's hard drive with different kinds of "backup" files, etc. that the user does not even know anything about...but savvy hackers do. These so-called "temporary" files are often left out of the user's encryption process, by the way. And, of course, some will carry away even encrypted files to be cracked later at leisure. Encryption alone is not the "savior" some presume it to be, and must be integrated with many other elements of security in order to be effective against all but the most casual of attacks.

    As I also explained, the PC can be used as a "host" whereby the individual attaches the thumb drive containing a complete operating system and other utilities and application software. They "boot" into the OS on the thumb drive and then "leech" onto a network (which might be the Internet, for instance) and conduct their activities, which might be illegal (for instance, transferring kiddie photo files, or accessing a remote server using the host PC's "trusted" IP address) without leaving a trace behind other than some very vague logfile entries on the host and ISP systems, if that, (and even these vapor trails would simply point to the innocent host!)

    This offers the prospect, for instance, of a terrorist conducting activities over the Internet using available machines such as those found in public libraries and universities, or any other PC they can access, and then simply walking away with the evidence of his activity in his pocket, not left on the host.

    Other possibilities include the ability to use the thumb drive to install a "back door" to the host. The individual does nothing more than this while physically "on site", so the attack might only take a couple of minutes. Then, they leave and will access the compromised host remotely from another place - perhaps halfway around the world - at a later time.

    The bottom line is that every PC, no matter who owns it or where it's located, should be secured from unauthorized physical access when not in use or under direct authorized supervision. We know this to be true for many other reasons, but still we don't do it.

    And the problem is made all the more complex by laptops and other portable systems. I was in a restaurant restroom not long ago and saw that a man had parked his laptop on a wall shelf while he used one of the stalls. It's hard to believe that anyone who has been even semi-conscious over the last few years would still be so ignorant about all the security breaches he was committing...but some are, or maybe they just don't care. After all, it's just the company laptop, not theirs!
    Last edited by SecTrainer; 01-14-2007, 11:40 AM.



  • james2go30
    replied
    Got a question

    Originally posted by SecTrainer
    The threat to information systems posed by visitors or disgruntled employees, vendors, etc. who might bring USB thumb drives to your facility is growing as these devices not only have grown in capacity to hold many GB of data, but also are showing up in many "disguised" forms, such as a "lipstick", or this ballpoint pen/USB drive. Adding to the problem, there are complete operating systems (sometimes called "LiveDistros", such as Damn Small Linux) now for these drives that permit the user to mount the drive, boot into the OS on the thumb drive, conduct business using a variety of apps he brings with him (for instance, there's a complete VOIP PBX/soft phone called "[email protected]" you can run, complete with the OS and Apache server, from a 2GB drive) and then he carries virtually every crumb of the evidence of his activity away with him instead of leaving it on the computer whose USB port he uses. There's a thumb drive, incidentally, that has the jacks required for a microphone and ear buds that you can use with the VOIP application to make Internet phone calls from your parasite machine. These things, together with the LiveDistros and the apps they can implement, are becoming very scary. Even if you just used such a device in an old-fashioned dead-drop operation, it wouldn't take but a few drops to transfer the important content from a research lab system right out the front door. And you'd probably chuckle when you stop at the front desk to sign the security log as you leave...using your USB thumb drive/pen.

    If only Sandy Berger had had one of these and one of the tiny USB-ported pocket scanners, he wouldn't have had to stuff documents from the National Archives down the front of his pants. So much more elegant...
    The site I work is a beach resort condominium complex...it's not got any classified governmental stuff here...is this device still a problem for us...like info on f/d PCs that could be used for identity theft? Just curious.



  • SecTrainer
    replied
    Originally posted by Bill Warnock
    SecTrainer:
    Four entries were marked, "cleaning crew." Odd name for four individuals. Shoot Bill, they are only janitors, what possible harm could they do? Plenty!
    Bill
    Absolutely. Inserting someone who is actually a very highly-skilled operative into a "cleaning crew" or "maintenance crew" is a well-known method of both industrial and military espionage. It is very difficult to convince company execs and HR people that some of these "low-level" people require background checks just like people in "higher" positions of trust because of the relatively unfettered access that janitors, maintenance people, mail couriers and the like are granted to all parts of the facility, including both the executive suite and the facility "innards" (plumbing, HVAC, telecom closets, etc.)...all of which must be cleaned, maintained, etc. and present golden opportunities for a trained operative.

    That "janitor" sweeping the floor in your office might very well have as much computer or other knowledge as your IT manager, for all you know...unless you do the background checks, and then take the pains to see that they are supervised properly.



  • Bill Warnock
    replied
    Originally posted by SecTrainer
    Unfortunately, your optimism is misplaced. The history of computer security is replete with attacks that succeeded despite these security measures. In fact, there is virtually no form of computer security that can solve the weak link in the chain, namely people.

    Kevin Mitnick basically put it this way: "You can have all the firewalls, all the encryption, all the technology you want, and the system is still indefensible against the careless user, the disgruntled employee, the disloyal insider, a trusted partner, or the agent who penetrates your organization."

    It is in the hands of just such people that makes the thumb drive such a threat - because of its size, storage capacity, the new disguised physical formats it is taking, and the capability of literally turning it into a "computer on a keychain" with its own operating system that can "leech" off the physical components of a "host" system and its network, so that carrying information away actually represents the least of their dangerous qualities.
    SecTrainer:
    The wisdom offered bespeaks the value you have brought forth to this forum. Harken back some 25 or so years when unshielded motors on a floor buffer distorted an Army's research laboratory. How did the buffer get into the facility remains a mystery to this day. The government furnished the machines to be used but there was a substitute made without anyone's knowledge.
    When conducting security surveys or other security consulting duties, it chills my intestinal matter when on an after-hours visit and ask who are those folks the answer is "they're only janitors." Did they sign in? Yes, here on the log. What are their names? Four entries were marked, "cleaning crew." Odd name for four individuals. Shoot Bill, they are only janitors, what possible harm could they do? Plenty! Have the company and its employees been the subject of background investigations? The answer, I don't know; that is a facilities responsibility. Ok, when they come here how do you know who they are? Well the facilities folks handle that. When you literally hand-carry the MIS/IT manager to the facilities office the "person-in-charge" can only state they are with a company and the company sends three people each night. Then you repeat the same series of questions you previously asked the MIS/IT manager. Then the stonewall. You contact the Security Officer who hired you only to be told he works for the facilities manager. When you brief senior management they nod their collective heads and thank you for what you had done and ask when will we get your survey report. You get your check and find out later they removed or "revised," the operative word is changed, several sections of the original report to include the table of contents and leave all else intact. Your name is still there.
    Mort Kelly's "Pogo" was correct when he stated, "We have met the enemy and he is us."
    That is what our friend must understand, it's people, people, people ...
    Enjoy the day,
    Bill



  • SecTrainer
    replied
    Originally posted by locknid
    Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property there are people hired to protect software and information.
    Unfortunately, your optimism is misplaced. The history of computer security is replete with attacks that succeeded despite these security measures. In fact, there is virtually no form of computer security that can solve the weak link in the chain, namely people.

    Kevin Mitnick basically put it this way: "You can have all the firewalls, all the encryption, all the technology you want, and the system is still indefensible against the careless user, the disgruntled employee, the disloyal insider, a trusted partner, or the agent who penetrates your organization."

    It is in the hands of just such people that makes the thumb drive such a threat - because of its size, storage capacity, the new disguised physical formats it is taking, and the capability of literally turning it into a "computer on a keychain" with its own operating system that can "leech" off the physical components of a "host" system and its network, so that carrying information away actually represents the least of their dangerous qualities.



  • locknid
    replied
    Yeah I do agree that it is a very big problem, more likely to happen at smaller companies though. And I have seen some sloppy networks where it wasn't that hard to "stumble" across important data. But what can be done about it?

    Possibly disable the drivers for thumb devices in the operating system so they cannot be used, but that still leaves CD-R/DVD-R drives which are very common.



  • Bill Warnock
    replied
    Originally posted by locknid
    Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property there are people hired to protect software and information. Now if a person does possess the knowledge to get past security then it seems very well possible, and I had never thought about it before. Sounds kinda scary at how easy things are getting these days.

    And it's not like you can ban thumb drives from your workplace because many people use them for legitimate purposes. I use mine to back up all my security reports, college work, etc.
    locknid:
    Agreed; however, unauthorized access is still key to keeping your data safe. Irregardless of encryption, passwords and the like, if the information is valuable to a third party, with time and effort the data can be obtained. For the unsuspecting user, inductive coupling can be disastrous and the bad guy does not even have to enter the protected space.
    Enjoy the day,
    Bill



  • locknid
    replied
    Hopefully the most important files and programs on a network are behind passwords, encryption, plus tons of other security software. I don't think the average worker possesses the knowledge to get past these security devices. Just like we are hired as security for physical property there are people hired to protect software and information. Now if a person does possess the knowledge to get past security then it seems very well possible, and I had never thought about it before. Sounds kinda scary at how easy things are getting these days.

    And it's not like you can ban thumb drives from your workplace because many people use them for legitimate purposes. I use mine to back up all my security reports, college work, etc.



  • Mr. Security
    replied
    Post to bury SPAM.
