usb (in)security 2008-08-22

Upload: michael-boman

Post on 16-Apr-2017

Overcoming USB (In)Security

Michael Boman

[email protected]

http://michaelboman.org

Agenda

The Removable Storage Problem

The USB Attack Vector

Protecting the Organization Against

Disgruntled Employees

Careless Employees

Malicious Individuals

Question and Answers

Is there a problem with removable storage? Let's see...

Lost Data In The News

Laptop stolen (May 2006): held private information on 26 million veterans. Class action lawsuit: $1,000 for each person!

October 29, 2006 Lost CD contains personal data for more than a quarter-million hospital patients.

October 30, 2006 US Federal Homeland Security Storage Drive on the Loose

Laptops, CDs, backup tapes and hard drives seem to go missing every day, and they all seem to store confidential data of some sort.

November 20, 2006 Stolen Laptop causes warning to 11 million UK customers

November 22, 2006 Laptops with UK Police Payroll Details Stolen

April 10, 2007 Georgia Dept. of Community Health Disk Missing

And the list goes on and on and on...

What are the threats that can use the USB port as an attack vector?

The USB Attack Vector

Disgruntled Employees

Copy confidential data to personal USB device(s)

Sell to competitors

Blackmail the company

Bring your customers to the next employer

Disgruntled employees are a threat: they deliberately steal data, either to sell to competitors or to blackmail the company. It also seems to be a common occurrence that when an employee leaves his or her current employment, he or she makes sure that a copy of the client portfolio, marketing material and other data that might be useful is an undeclared part of the exit package. Salespeople in particular seem to think that customers belong to them personally and not to the company they worked for.

Careless Employees

Storing confidential data on removable storage

Which can be, and often is, lost or stolen

The biggest threat to your data is careless employees, who put your data at risk by ignoring policies or by simply not thinking through the whole process. Storing confidential data on removable storage is a dangerous proposition, as the smaller the device is, the easier it is to forget.

Malicious Individuals

Use USB devices as an attack vector and toolbox, as well as to store stolen data

Finally we have malicious 3rd parties. It can be your competitors, or someone who thinks it will be a blast to have that data. They can use removable storage to launch attacks against your infrastructure and steal your data.

Protecting Against
Disgruntled Employees

Just Make A Policy That Forbids USB Devices

The general knee-jerk reaction you get when you show people that USB devices are insecure is that they just outright forbid USB devices, without thinking it through. Today's mice and keyboards are USB driven. Your web cam is also a USB device, and it will not be long before most headsets become USB devices as well (as the sound quality of a USB headset is noticeably better than the analog microphone jack, especially on laptops). These are facts that need to be considered as more and more companies switch over to VoIP and soft phones.

USB Devices

So what kind of devices do we need to look out for? Well, you have your standard thumb drives, your pocket drives and your hard drive enclosures.

Easy enough to spot them...

Then you have the pen drives, which are USB storage devices that look like ordinary pens and work as pens as well. They are easy to conceal among everyday stationery.

But let's say you manage to spot them as well...

Then we have the wrist bands with built-in USB storage devices. They look harmless and they are at times even trendy. You also have watches which are MP3 and/or general USB storage devices.

A bit more difficult to spot them, but let's say that you get those out of the picture as well...

Then you have your MP3 player, your PDA phone and your smart phone, all capable of storing a large amount of data. What will you do with them?

Well, the MP3 player is perhaps possible to ban, but in most places, especially among executives and professionals, you will have a hard time getting them to hand over their phones.

How about this guy? It's a nice cute teddy bear. Not posing any danger to your data, right?

Wrong. Even this teddy bear is a USB storage device. Now, how many of you would actually suspect this teddy bear of being a USB storage device if it is located at a cute female office worker's desk beside a photo of her other half?

Restricting USB Access

Physically Disable USB ports

Super-glue the USB port

Encase the computer in secured cabinets

Logically Disable USB ports

Windows Group Policies

3rd Party Software

OK, so now we know that USB devices are bad. How can we restrict access to them?

Super-Glue the USB port

The easiest option is to super-glue the USB port. It's a one-way trip and it is not generally reversible. Do note that mice and keyboards are USB devices as well, and it's easy enough to unplug your mouse and put a USB hub in there to attach the USB storage device, or simply perform the data transfer using only the keyboard.

Encase the computers in secured cabinets

If super-gluing the USB ports isn't your cup of tea, you could enclose the computers in secure cabinets where you can restrict physical access to the USB ports. It has the added benefit that your office will look like NASA mission control. Of course it might clash with your current interior design, not to mention that the manufacturers of such furniture charge a premium for the items. Going DIY might also be a source of problems, as you need to make sure that the equipment is properly ventilated.

Use software to disable USB Storage Devices

If you are looking for something cheaper you could use a software solution. The problem with a software solution is that you depend on the software to keep the USB port secure. A misplaced administrator password or a quick boot from a live CD and your efforts have been circumvented. If you can live with those risks, then take a look at IntelliAdmin's free utility, which disables the USB storage driver as Microsoft described in KB555324, with a few added features.

There are also many commercial solutions but they, by definition, cost money, and I am trying to show you how you can solve this without opening your wallet at all. I don't want to hear the excuse "we don't have a budget for this" from anyone.
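A registry setting generally used to disable the USB storage driver is the `Start` value of the `USBSTOR` service (3 = load on demand, 4 = disabled). The PowerShell below is an added example, not taken from the slides or from IntelliAdmin's utility; it assumes an elevated prompt, and the function names are illustrative.

```powershell
# Added example: audit and disable the USB mass-storage driver (USBSTOR).
# Assumes an elevated PowerShell session; function names are illustrative.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # The key may be absent on a machine where the driver was never installed.
    if (-not (Test-Path $UsbStorKey)) { return 'KeyNotFound' }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled' }               # 3 = driver loads on demand
        4       { 'Disabled' }              # 4 = driver never loads
        default { "Unexpected ($start)" }   # anything else deserves a look
    }
}

function Set-UsbStorageStart([int]$Value) {
    if ($Value -notin 3, 4) { throw 'Start must be 3 (enable) or 4 (disable).' }
    if (-not (Test-Path $UsbStorKey)) {
        Write-Warning 'USBSTOR key not found; nothing changed.'
        return
    }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Value -Type DWord
}

# Report the current state, disable the driver, then confirm the change.
"Before: $(Get-UsbStorageState)"
Set-UsbStorageStart 4
"After:  $(Get-UsbStorageState)"

# To re-enable later:
# Set-UsbStorageStart 3
```

Keyboards and mice keep working because they use the HID drivers rather than `USBSTOR`; devices that do not present themselves as mass storage are not covered by this setting. Anyone with local administrator rights can set the value back to 3, so audit it periodically rather than setting it once.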

So what do you do when you have a valid business need to store confidential data on removable storage?

Protecting Against
Careless Employees

What if there are valid business reasons
to use USB storage devices?

So what if there is a valid business reason to use USB storage devices? It could be the only cost-effective way to transport the data. Thumb drives have replaced the floppy disk as the means to transport documents and applications, and some applications are now being designed to be stored on and accessed from a USB device, like PortableApps.com's offerings, which allow you to bring your office application, browser, anti-virus and VPN application with you wherever you go, making any compatible computer your workstation. How do you protect your data in such a scenario?

Storing Data Securely

Encrypt data

TrueCrypt

Free (Libre / Gratis) Open Source Software

Cross-platform

Windows

Linux

Various Commercial Offerings Exist

You can use TrueCrypt to encrypt the data so that even if the device is lost or stolen the data is not compromised.

TrueCrypt is free software that creates an encrypted volume that under Windows looks like a normal drive and under Linux is just another mount point.

As usual there are many commercial offerings available as well, in both hardware and software, but I will again not cover them here.

DEMO

TrueCrypt-Enable Your USB Device

Background Information on
U3 Enabled Drives

U3 LLC is a joint venture that is backed by Sandisk and its subsidiary, M-Systems. U3 is responsible for the development of a proprietary application design specification created for Microsoft Windows operating systems so that applications can be executed directly from a specially formatted USB flash drive (i.e. they can be run without first being installed on the computer). Applications are allowed to write files or registry information to the host computer, but this information must be removed when the flash drive is ejected. Customizations and settings are instead stored with the application on the flash drive, which allows one to run software on any computer with the same settings.

Exploiting USB

Switchblade

Silently recover information from target Windows PCs, including password hashes, LSA secrets, IP information, etc.

The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc.

While the USB Switchblade does require a system running Windows 2000, XP, or 2003 logged in with administrative privileges, as well as physical access, the beauty lies in the fact that the payload can run silently and without modifying the system or sending network traffic, making it nearly invisible. For example, the USB Switchblade can be used to retrieve information from a target system at a LAN party by lending the key to an unsuspecting individual with the intent to distribute a game patch or other such illegal software.

DEMO

Switchblade in Action

Exploiting USB

Hacksaw

Automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account.

The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. Proof-of-concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propagation to other USB devices is possible but was not shown on Hak.5 episode 2x03.

DEMO

Hacksaw in Action

Additional Hardening

Disable Autorun

http://support.microsoft.com/kb/155217

Unfortunately there is no patch for human stupidity

Awareness Training is a MUST

To protect against Switchblade- and Hacksaw-type attacks you need to disable autorun, or at least hold down the Shift key when inserting the media. How to disable autorun is described in Microsoft Knowledge Base article 155217, and it is the preferred way, as you might forget to hold down the Shift key or, worse, you might not be around when the media is inserted. Remember that inserting your own media into another computer can have a similar effect: the data from the thumb drive can be harvested and malicious software can be planted on it to help it spread further.
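One way to check and enforce the autorun setting across drive types, as an added example that is not from the slides: it uses the `NoDriveTypeAutoRun` policy value, which is an assumption about the mechanism (the talk only points to KB 155217), and the function names are illustrative. Run it from an elevated prompt.

```powershell
# Added example: audit and tighten the AutoRun policy bitmask.
# In NoDriveTypeAutoRun a SET bit means AutoRun is DISABLED for that drive type.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveTypes = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

function Get-AutoRunMask {
    $p = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }      # not set: the OS default applies
    return [int]$p.NoDriveTypeAutoRun
}

function Get-AutoRunEnabledTypes([int]$Mask) {
    # List the drive types whose bit is clear, i.e. AutoRun still allowed.
    $DriveTypes.GetEnumerator() |
        Where-Object { -not ($Mask -band $_.Value) } |
        ForEach-Object { $_.Key }
}

function Disable-AutoRunAllDrives {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Audit first, then enforce.
$mask = Get-AutoRunMask
if ($null -eq $mask) {
    'NoDriveTypeAutoRun is not set; the OS default applies.'
} else {
    $open = @(Get-AutoRunEnabledTypes $mask)
    'Mask 0x{0:X2}; AutoRun still enabled for: {1}' -f $mask, ($open -join ', ')
}
Disable-AutoRunAllDrives
```

A U3 drive exposes an emulated CD-ROM partition alongside the removable one, so a mask that sets only the removable bit (0x04) still leaves the CD-ROM bit (0x20) open; 0xFF closes every drive type.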

Q & A

If you got any questions,
now is the time to ask them

Thank You!

Slides are available at http://michaelboman.org under
Creative Commons BY-NC-SA 3.0 License

References

IntelliAdmin's USB Drive Disabler
http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html

TrueCrypt

http://www.truecrypt.org

Switchblade

http://www.hak5.org/wiki/USB_Switchblade

Hacksaw

http://www.hak5.org/wiki/USB_Hacksaw

Overcoming USB (In)Security, Michael Boman, http://www.securitytinker.com

2007 Michael Boman. Licensed under Creative Commons BY-NC-SA 3.0 License.
