[ISN] USB memory sticks pose new dangers

From: InfoSec News (alerts@private)
Date: Mon Sep 25 2006 - 23:50:49 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9003592

By Jaikumar Vijayan
September 25, 2006 
Computerworld

The ability to use tiny USB memory sticks to download and walk away with 
relatively large amounts of data has already made the ubiquitous devices 
a potent security threat in corporate environments. Now, the emergence 
of USB flash drives that can store and automatically run applications 
straight off the device could soon make the drives even more of a 
security headache.

Demonstrating the potential danger, Hak.5, a security-related podcast, 
earlier this month showed how a USB memory stick can -- in just a few 
seconds -- be turned into a device capable of automatically installing 
back doors, retrieving passwords or grabbing software product codes.

Hak.5's "hacking framework" is called USB SwitchBlade and gives hackers 
a way to automate different payloads running on a USB flash drive, said 
Darren Kitchen, the Williamsburg, Va.-based co-host of Hak.5.

SwitchBlade takes advantage of a relatively new technology from Redwood 
City Calif.-based U3 LLC that allows software and applications to be 
executed directly from USB drives. U3's technology is designed to 
increase mobility by letting users store their personal desktops -- 
including their programs, passwords, user preferences and other data -- 
on a memory stick and then run it on any computer without worrying about 
whether those applications are installed on that system.

Unlike traditional USB flash drives, U3 memory sticks are 
self-activating and can auto-run applications when inserted into a 
system. They're part of an emerging set of "smart" flash drives becoming 
available from vendors such as Migo Software Inc. and Route 1 Inc.

But the same functions that allow for such mobility also give hackers 
another way to break into systems, said John Pescatore, an analyst at 
Gartner Inc. in Stamford, Conn. "Most people think of these things as 
storage sticks. But U3 is a little computer on a thumb drive" that could 
be dangerous in the wrong hands, he said.

Hak.5 has developed code that can replace parts of the original content 
on a U3 flash drive with a payload for "instantly" retrieving Windows 
password hashes when a memory stick is inserted into a computer, Kitchen 
said. Also available within the Hak.5 community are payloads that in 
seconds can retrieve AOL Instant Messenger and MSN passwords, browser 
histories and software products keys. Payloads can also be used to 
install back doors and Trojan horse programs on computers.

None of the hacker tools used in SwitchBlade are new. And security 
analysts have for some time now been warning that USB-connected devices 
such as flash drives and iPods can be used to sneak viruses and other 
malware into corporate environments,

But the fact that such tools can now be run automatically on a 
self-activating flash drive makes them far more accessible and easier to 
exploit, said Ken Westin, a security analyst at Centennial Software Ltd. 
a Swindon, England-based IT asset management company. "The combination 
is creating a perfect storm," he said.

The Hak.5 demonstration again highlights the need for companies to adopt 
holistic policies for managing USB ports, Pescatore said. "There is a 
growing awareness of this problem and a desire to do more port control," 
he said. The focus, however, should not just be on preventing data leaks 
but should also address other potential threats, he said.

The availability of such exploits also highlights the need for companies 
to disable the Windows AutoRun feature and limit administrative 
privileges on end-user systems. Kitchen said. One mitigating factor is 
that physical access to a computer is still required for someone to 
carry out an attack using USB drive, he said.

There are several options available to enterprises for securing USB 
ports on users' systems, said Jonathan Singer, an analyst at Yankee 
Group Research Inc. in Boston. Companies, for instance, can choose to 
disable USB ports through group policy management -- either on their own 
or through third-party vendor tools, he said. But that doesn't allow for 
a great deal of "granularity by system or by user," he said.  Several 
tools are also available from vendors such as Centennial, SecureWave SA 
and SafeBoot NV, that let companies apply very granular and specific 
port control rules, he said.

Companies also need to pay attention to educating users about the 
potential security risks posed by USB flash drives he said.

"If you have sensitive data, you might want to institute some sort of 
USB control -- especially if you are in a regulated industry," Singer 
said. "You can have a user walk away with a whole bunch of information, 
or someone's PCs could get owned by a USB device they picked up in a 
parking lot," he said.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Tue Sep 26 2006 - 00:03:40 PDT