overcoming usb (in)security
DESCRIPTION
These are the slides I used for my "Overcoming USB (In)Security" presentation at the NextGen CyberCrime conference in Singapore.
TRANSCRIPT
1. Overcoming USB (In)Security
- Michael Boman
- [email_address]
- http://www.michaelboman.org
2. Agenda
- The Removable Storage Problem
- The USB Attack Vector
- Protecting the Organization Against
  - Disgruntled Employees
  - Careless Employees
  - Malicious Individuals
- Questions and Answers
4. Lost Data In The News
- Laptop stolen (May 2006): held private information on 26 million veterans. Class action lawsuit: $1,000 for each person!
- October 29, 2006: Lost CD contains personal data for more than a quarter-million hospital patients
- October 30, 2006: US Federal Homeland Security storage drive on the loose
5. Lost Data In The News
- November 20, 2006: Stolen laptop causes warning to 11 million UK customers
- November 22, 2006: Laptops with UK police payroll details stolen
- April 10, 2007: Georgia Dept. of Community Health disk missing
7. The USB Attack Vector
- Disgruntled Employees
  - Copy confidential data to personal USB device(s)
    - Sell to competitors
    - Blackmail the company
    - Bring your customers to the next employer
8. The USB Attack Vector
- Careless Employees
  - Storing confidential data on removable storage
    - Which can be, and often is, lost or stolen
9. The USB Attack Vector
- Malicious Individuals
  - Use USB devices as an attack vector and toolbox, as well as to store stolen data
11. Protecting Against Disgruntled Employees
- Just Make A Policy That Forbids USB Devices
12-21. USB Devices
22. Restricting USB Access
- Physically Disable USB ports
  - Super-glue the USB port
  - Encase the computer in secured cabinets
- Logically Disable USB ports
  - Windows Group Policies
  - 3rd Party Software
23. Super-Glue the USB port
24. Encase the computers in secured cabinets
25. Use software to disable USB Storage Devices
27. Protecting Against Careless Employees
- What if there are valid business reasons to use USB storage devices?
28. Storing Data Securely
- Encrypt data
  - TrueCrypt
    - Free (Libre / Gratis) Open Source Software
    - Cross-platform
      - Windows
      - Linux
  - Various commercial offerings exist
29. DEMO
- TrueCrypt-enable your USB device
31. Background Information on U3 Enabled Drives
32. Exploiting USB
- Switchblade
  - Silently recover information from target Windows PCs, including password hashes, LSA secrets, IP information, etc.
33. Exploiting USB
- Hacksaw
  - Automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account.
34. DEMO
- Hacking with USB drive
35. Additional Hardening
- Disable Autorun
  - http://support.microsoft.com/kb/155217
- Unfortunately there is no patch for human stupidity
  - Awareness Training is a MUST
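The logical controls named on the "Restricting USB Access" and "Additional Hardening" slides can be audited from PowerShell. The script below is an added example, not part of the original slides; it assumes the standard Windows `USBSTOR` service key and the `NoDriveTypeAutoRun` policy value, and must be run from an elevated prompt.

```powershell
# Added example (not from the slides): audit, and optionally enforce, two settings.
#   USBSTOR\Start = 4          -> USB mass-storage driver will not load
#   NoDriveTypeAutoRun = 0xFF  -> Autorun disabled for every drive type
# Usage: .\Check-UsbHardening.ps1            (report only; script name is hypothetical)
#        .\Check-UsbHardening.ps1 -Enforce   (write the hardened values)
param([switch]$Enforce)

$checks = @(
    @{ Name  = 'USB mass-storage driver disabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'
       Want  = 4 },
    @{ Name  = 'Autorun disabled on all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Want  = 0xFF }
)

foreach ($c in $checks) {
    # A missing key or value is reported as "not set" instead of raising an error.
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($c.Value) } else { $null }
    $ok      = ($null -ne $current) -and ($current -eq $c.Want)

    if (-not $ok -and $Enforce) {
        # Create the policy key if it does not exist yet, then write the DWORD.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $current = $c.Want
        $ok      = $true
    }

    # One result object per check, so the output can be piped to Export-Csv or filtered.
    [pscustomobject]@{
        Check     = $c.Name
        Current   = if ($null -eq $current) { 'not set' } else { '0x{0:X}' -f $current }
        Expected  = '0x{0:X}' -f $c.Want
        Compliant = $ok
    }
}
```

Setting `USBSTOR\Start` to 4 affects only mass-storage class devices; USB keyboards, mice and other device classes keep working.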
36. Don't forget Data Slurping
38. Q & A
- If you have any questions, now is the time to ask them
39. Thank You!
- Slides are available at http://michaelboman.org under Creative Commons BY-NC-SA 3.0 License
40. References
- IntelliAdmin's USB Drive Disabler: http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html
- TrueCrypt: http://www.truecrypt.org
- Switchblade: http://www.hak5.org/wiki/USB_Switchblade
- Hacksaw: http://www.hak5.org/wiki/USB_Hacksaw