U3 USB Stick (In-)Security
Q2/2007 by Martin Suess, martin.suess@csnc.ch
3
install bot and infects the PCs there. He is
then able to control these machines.
These are only four out of dozen of possible
scenarios.
Ready, Set, Go - Available Packages
The worst is yet to come: There are packages
which are built exactly for the purposes named
above. And they can be downloaded for free.
One of these packages
is the so-called "USB
Switchblade" developed
by the group Hak.5 [4]. It
is made to silently
"recover" information from a target Windows
computer, including password hashes, LSA
secrets, IM passwords, IP information and
more. It requires a Win2k/XP/2k3 system and a
user with administrative privileges and physical
access but its payload can run silently and
without modifying the system or sending
network traffic, making it near invisible.
Another package by Hak.5 is the "USB
Hacksaw" which automatically infects Windows
PCs. Once it is installed it will retrieve
documents from USB drives plugged into the
target machine and securely transmit them to
an email account. Even automatic propagation
to other USB devices is possible.
What happened so far?
More and more incidents involving USB sticks
can be read in newspapers. In one case, a
Dutch officer lost his USB stick in a rental car
and then got into the hands of a Dutch
newspaper. The USB stick contained
confidential information like secret entrance
codes to a diplomat's home and the names of
bodyguards…
A security analyst posted an article [3] about
one of his jobs. He got hired by a financial
institute for a penetration test. He gathered
promotional USB sticks and copied a self
written trojan on each of the sticks. One day,
early in the morning, he dropped 20 of those
sticks around the financial institute. Within three
days, 15 sticks were found and all plugged in
and the trojans were executed…
In January 2007 the British security group NCC
sent 500 modified USB sticks to financial
directors of British companies [13]. The USB
sticks where covered as invitations for an event
and automatically started a website when they
were plugged in. According to NCC, more than
47% of the managers plugged the sticks in and
the website was opened…
Mitigation Approaches
So how can someone get rid of those risks?
Most of us would not want to miss the ease of
use that USB sticks provide, would we?
There are multiple approaches which should be
combined:
• Policies
• Technical Solutions
• Education
Policies
A few basic rules may save a lot of trouble.
Release rules in your IT Policy to restrict or
forbid the usage of USB devices generally or
USB sticks only.
Keep sensitive data strongly encrypted. This
makes it a lot harder - if not impossible - for a
data thief to gain anything from stolen
information.
Be restrictive with giving away your USB stick
and accepting sticks from other people.
Technical Solutions
Disabling USB Devices
If you do not need USB devices, disable the
USB port generally. For some devices, this can
be done in the BIOS settings. In Windows, USB
mass storage devices can be disabled through
the registry.
The following image shows the registry key
HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\USBSTOR:
(18 Seiten)
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern