subject: USB memory sticks pose new dangers
posted: Wed, 27 Sep 2006 10:26:29 +0100


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003592&WT.svl=bestoftheweb4

USB memory sticks pose new dangers
Jaikumar Vijayan


September 25, 2006 (Computerworld) The ability to use tiny USB memory
sticks to download and walk away with relatively large amounts of
data has already made the ubiquitous devices a potent security threat
in corporate environments. Now, the emergence of USB flash drives
that can store and automatically run applications straight off the
device could soon make the drives even more of a security headache.

Demonstrating the potential danger, Hak.5, a security-related
podcast, earlier this month showed how a USB memory stick can -- in
just a few seconds -- be turned into a device capable of
automatically installing back doors, retrieving passwords or grabbing
software product codes.

Hak.5's "hacking framework" is called USB SwitchBlade and gives
hackers a way to automate different payloads running on a USB flash
drive, said Darren Kitchen, the Williamsburg, Va.-based co-host of
Hak.5.

SwitchBlade takes advantage of a relatively new technology from
Redwood City, Calif.-based U3 LLC that allows software and
applications to be executed directly from USB drives. U3's technology
is designed to increase mobility by letting users store their
personal desktops -- including their programs, passwords, user
preferences and other data -- on a memory stick and then run it on
any computer without worrying about whether those applications are
installed on that system.

Unlike traditional USB flash drives, U3 memory sticks are
self-activating and can auto-run applications when inserted into a system.
They're part of an emerging set of "smart" flash drives becoming
available from vendors such as Migo Software Inc. and Route 1 Inc.

But the same functions that allow for such mobility also give hackers
another way to break into systems, said John Pescatore, an analyst at
Gartner Inc. in Stamford, Conn. "Most people think of these things as
storage sticks. But U3 is a little computer on a thumb drive" that
could be dangerous in the wrong hands, he said.

Hak.5 has developed code that can replace parts of the original
content on a U3 flash drive with a payload for "instantly" retrieving
Windows password hashes when a memory stick is inserted into a
computer, Kitchen said. Also available within the Hak.5 community are
payloads that in seconds can retrieve AOL Instant Messenger and MSN
passwords, browser histories and software product keys. Payloads can
also be used to install back doors and Trojan horse programs on
computers.

None of the hacker tools used in SwitchBlade are new. And security
analysts have for some time now been warning that USB-connected
devices such as flash drives and iPods can be used to sneak viruses
and other malware into corporate environments.

But the fact that such tools can now be run automatically on a
self-activating flash drive makes them far more accessible and easier to
exploit, said Ken Westin, a security analyst at Centennial Software
Ltd., a Swindon, England-based IT asset management company. "The
combination is creating a perfect storm," he said.

The Hak.5 demonstration again highlights the need for companies to
adopt holistic policies for managing USB ports, Pescatore said.
"There is a growing awareness of this problem and a desire to do more
port control," he said. The focus, however, should not just be on
preventing data leaks but should also address other potential
threats, he said.

The availability of such exploits also highlights the need for
companies to disable the Windows AutoRun feature and limit
administrative privileges on end-user systems, Kitchen said. One
mitigating factor is that physical access to a computer is still
required for someone to carry out an attack using a USB drive, he said.

There are several options available to enterprises for securing USB
ports on users' systems, said Jonathan Singer, an analyst at Yankee
Group Research Inc. in Boston. Companies, for instance, can choose to
disable USB ports through group policy management -- either on their
own or through third-party vendor tools, he said. But that doesn't
allow for a great deal of "granularity by system or by user," he
said. Several tools are also available from vendors such as
Centennial, SecureWave SA and SafeBoot NV, that let companies apply
very granular and specific port control rules, he said.
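
A read-only audit of the mitigations named above (AutoRun, administrative privileges, USB storage control), as an added example that is not part of the original article. Because U3 sticks expose their launcher as an emulated CD-ROM, it reports the CD-ROM bit separately from the removable-drive bit. It assumes a Windows host with PowerShell; the function names are hypothetical, and the registry locations are the standard Windows ones, not taken from the article.

```powershell
# Added example: audit AutoRun, USB storage and admin rights on one Windows host.
# Read-only; nothing is changed. Function names are hypothetical.

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20   # U3 sticks present their launcher partition as a CD-ROM
    'RAM disk'  = 0x40
}

function Get-AutoRunPolicy {
    param([string]$Hive)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Hive = $Hive; Value = 'not set (OS default applies)'; StillEnabledFor = 'unknown' }
    }
    $raw = $item.NoDriveTypeAutoRun
    # The value may be stored as REG_BINARY; the low byte carries the drive-type bits.
    $mask = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
    $enabled = $DriveTypeBits.Keys | Where-Object { ($mask -band $DriveTypeBits[$_]) -eq 0 }
    [pscustomobject]@{
        Hive            = $Hive
        Value           = '0x{0:X2}' -f $mask
        StillEnabledFor = if ($enabled) { $enabled -join ', ' } else { 'none' }
    }
}

function Get-UsbStorageState {
    # Start = 4 means the USB mass-storage driver is disabled; 3 is load on demand.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'USBSTOR key not present' }
    if ($svc.Start -eq 4) { 'disabled' } else { "enabled (Start=$($svc.Start))" }
}

function Test-IsAdministrator {
    # True when the current token holds the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ } | Format-Table -AutoSize
"USB mass storage driver: $(Get-UsbStorageState)"
"Running with administrator rights: $(Test-IsAdministrator)"
```

A value of 0xFF in the `Value` column means AutoRun is disabled for every drive type; any entry under `StillEnabledFor` that includes CD-ROM or Removable leaves the self-activating behaviour described above available.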

Companies also need to pay attention to educating users about the
potential security risks posed by USB flash drives, he said.

"If you have sensitive data, you might want to institute some sort of
USB control -- especially if you are in a regulated industry," Singer
said. "You can have a user walk away with a whole bunch of
information, or someone's PCs could get owned by a USB device they
picked up in a parking lot," he said.

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/

generated by msg2page 0.06 on Sep 28, 2006 at 07:53:25
