Well, if you've been following along...we talked about who the insiders are and the metrics behind economic espionage. We've discussed why they do it and how they get the data. But I know this probably hasn't been very technical for most of you. Today that is going to change. Today we're going to talk about how your secrets are actually leaving the company!
USB - Form factors? You want form factors? We got form factors!
We're spending a fair amount of time telling our security guards to prevent people from entering secure areas with USB devices. As these thumbdrives start having greater capacity, the risk to your business is growing as well. Have you seen some of the new designs in USB that have popped up recently? You've probably already seen the USB 2GB watch or the ultra-chic Oakley Thump sunglasses, made popular by Dog the Bounty Hunter.
But have you seen these other very cool form factors? We got USB built into a credit card, USB stuffed animals, "wooden" USB devices, USB "sushi" (For my TechNet buddy and fellow sushi aficionado, Harold Wong)...Note to Self: Post some of the sushi restaurants I go to when I travel. We also got USB Master Chief for friend and fellow gamer, Keith Combs. (My Christmas shopping is apparently taking care of itself.)....
.....and my personal favorite, USB Barbie.
For years USB has been a way to store your data on a portable medium. Problem was, I could carry my docs with me, but what did you do if the hotel business center didn't have Microsoft Office installed? (You pack up your crap and stay at a real hotel, that's what you do!) Seriously, you were pretty much hosed. Sounds like a great "business opportunity," doesn't it? Enter a USB device that not only carries your docs and data, but also carries the app with you and runs it from a virtual CD drive. The technology is called U3 and it comes pre-installed on many USB devices. Don't get me wrong....it's a great idea....until someone decided to make it a security risk.
Fear the Switchblade and the Hacksaw
You know with a name like this it can't be good. Switchblade was the first implementation of the nasty hacker tool, and Hacksaw is the v2.0 of the tool. Switchblade essentially copies system info off the machine the moment it's plugged in, because Autorun launches it from the U3 virtual CD partition. Stuff like LSA Secrets, PIDs, password hashes, etc. What does that mean? It means while I hand you my USB and tell you that I need to give you my .PPT, I'm getting something in return. Nice huh?
Hacksaw does essentially the same thing, only it silently installs Blat and STunnel on your machine, which then proceed to send nice encrypted emails of all your docs (encrypted no less)....to a GMail account of the attacker's choosing. I don't even need to stick around! It also pulls the data off any other USB thumbdrives that get plugged into the infected system. Think about THAT the next time you pop a USB into the hotel's business center computer!!! I demo this when I'm live and trust me...it works.
(Did you check out those links? They have videos of the attack actually being demonstrated! Go back and watch!)
You may be saying...."Kai, what about my AV software...won't that catch this?" Answer: "It depends." Does your AV software scan remote USBs for things that are not actually being installed on the local machine? Switchblade bypasses that. Hacksaw bypasses it by installing an SMTP mailer...which most AV software doesn't block. We already know you've got TCP port 25 open outbound. Here are some things to do....
Mitigating USB Risks
So how do you stop it?
- Turn off Autorun - Yes, now you have to click on that game to make it run, but it's better than the alternative.
- Implement User Account Control (UAC) - Windows Vista UAC will catch it when it tries to elevate.
- Implement some form of USB Device Blocking - Yes, Windows Vista has a GPO that will do this.
- Implement some form of Information Rights Management or Content Protection software - Think of Microsoft's Rights Management Services or other Data Leakage Prevention solutions from Tablus, Reconnex, or Vontu.
- ....but DO SOMETHING! And if you see a guy carrying sushi out of the company...stop him.
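If you want to do the first three items on a machine right now rather than wait for a GPO rollout, here is an added PowerShell example (mine, not from the tools or the Microsoft docs referenced above). It assumes an elevated session; the registry locations are the standard Windows ones: NoDriveTypeAutoRun under the Explorer policy key kills Autorun for every drive type (including the U3 virtual CD), the USBSTOR service Start value turns the USB mass-storage driver off, and the Enum\USBSTOR key is where Windows records every stick it has ever seen, which is handy when you are working out which USB went into which machine.

```powershell
# Added example: harden a Windows host against AutoRun-launched U3 payloads
# and audit which USB storage devices it has seen. Run from an elevated session.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$usbstorEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Disable-AutoRun {
    # 0xFF sets every drive-type bit, so autorun.inf is never honoured,
    # not even on the CD-ROM partition a U3 stick presents to Windows.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutoRunDisabled {
    $v = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' `
          -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
}

function Block-UsbStorage {
    # Start=4 (disabled) stops the USB mass-storage driver from loading;
    # -Restore puts it back to 3 (manual). Keyboards and mice are unaffected.
    param([switch]$Restore)
    $start = if ($Restore) { 3 } else { 4 }
    Set-ItemProperty -Path $usbstorService -Name 'Start' -Value $start -Type DWord
}

function Get-UsbStorageHistory {
    # One entry per device model/serial pair Windows has ever enumerated.
    if (-not (Test-Path $usbstorEnum)) { return @() }
    Get-ChildItem $usbstorEnum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Model        = $model
                SerialNumber = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    }
}

Disable-AutoRun
Block-UsbStorage
"AutoRun disabled: $(Test-AutoRunDisabled)"
Get-UsbStorageHistory | Format-Table -AutoSize
```

Blocking USBSTOR only takes effect for devices plugged in after the change, so pull anything already mounted; and the history list is the first thing to grab when someone asks "which stick was that?"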
NEXT TIME: Insider Threat continues with: "Phone Home + The Power of PMP"