Centennial DeviceWall - Protecting you and your network

April 29, 2006

Endpoint Security: Security/Hacking applications that run on a USB flash drive

Filed under: News, Hacking, IT Skills, Data Theft — admin @ 6:16 am

There have been quite a collection of applications ported to run on USB flash disks. Most of these applications seem innocent enough; however, some are deliberately developed to get around IT software-use policies in the workplace, such as P2P file-sharing applications, instant messaging applications, FTP clients and podcast managers, to name a few. Although these can be seen as a moderate security risk in the wrong hands, they are more of a nuisance. However, a new breed of applications is making its way to a USB drive near you, and these you should be more concerned with.

Applications which are used by security professionals (and hackers alike) to test the security of their networks and scan for vulnerabilities now have the capability to run independently from a USB flash drive and no longer require WinPcap or other third-party packet capture drivers to be installed on a system. Applications such as Nmap, Ethereal, Showtraf, TCPDump, Nemesis and John the Ripper are now appearing online in a modified form that contains an internal packet driver, loaded when the application is launched.

What this means is that a hacker no longer even needs to bring a laptop in order to compromise a network: simply bring a USB flash drive into a company and plug it into the USB port of an available system.

Nmap *

Nmap is a free, open source tool used for network exploration and vulnerability auditing. Using Nmap a user can quickly scan large networks as well as target specific hosts. Nmap uses IP packets in unique ways to figure out what hosts are available on a given network, can determine what operating system each host is running and what services (including versions) it offers, and can also discover what type of packet filters and firewalls are in use.

Ethereal *

Ethereal is a free protocol analyzer, also called a packet sniffer, that is used for network troubleshooting, analysis and protocol development. The tool allows the user to see all traffic being passed over a network by putting a network card into what is known as “promiscuous mode”.

Showtraf *

Showtraf is a tool that monitors network traffic and displays it continuously via a GUI.

TCPDump *

TCPDump is similar in functionality to Ethereal, but works from the command line and does not have a graphical user interface. The application allows the user to intercept and display TCP/IP and other packets transmitted and received over a network.

Nemesis *

Nemesis works on the command line and is used for packet crafting and injection. It is used primarily for testing Network Intrusion Detection Systems, firewalls and IP stacks, as well as for other networking tasks.

John the Ripper *

John the Ripper is a password cracking tool which works to detect weak passwords. There are several other password cracking tools that run via USB; in fact, most can. Interestingly, many anti-virus applications will detect the presence of these files and quarantine them; however, all one needs to do is temporarily disable the anti-virus, which most users have the rights to do, and the tool can be run without a problem.

Netpass *

Netpass is a utility used to recover network passwords on Windows 98/ME, but it can also recover other passwords on XP, such as .NET Passport passwords.

Slurp

A “podslurping” application that allows users to copy large quantities of files from a system in a matter of seconds. A version that simply audits a system, as an example of how such an application works, is downloadable from here.

This is just a sampling of security-related applications that can be run directly from a USB drive; it is by no means complete. More applications that run straight from a USB flash drive are appearing on a daily basis. Although this can be incredibly convenient, it can also prove to be a severe security issue for network administrators. With network security strongly focused on the perimeter, also known as “The Great Wall Syndrome,” endpoint security has taken a back seat. Given that 70% of security breaches and data thefts occur behind the firewall, and given the increasing cases of data theft in the news, it is time for IT professionals to seriously reconsider their endpoint security strategy.

Simple Solutions : Endpoint Security and USB Lock Down

Disabling USB ports is not difficult; however, in a corporate environment this can cause problems, as many USB removable media devices are critical to business productivity. To provide granular access controls, there are products such as DeviceWall’s endpoint security solution, which allow administrators to decide who can plug in what devices and whether they should have read/write access to these devices.
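The built-in side of what this section describes, as an added example that is not DeviceWall’s code and not part of the original post: it audits whether the USB mass-storage driver is enabled and whether a read-only or deny policy is in force, lists the USB storage devices that have been plugged into the machine, and switches the endpoint between disabled, read-only and allowed modes. It assumes an elevated PowerShell session on Windows Vista or later (the Removable Storage Access policy key does not exist on XP); the function names are my own.

```powershell
# Added example, not DeviceWall's code: audit and lock down USB mass storage on Windows.
# Assumes an elevated PowerShell session on Windows Vista or later; the GUID is the
# Removable Disks class used by the "Removable Storage Access" group policy.
$UsbStorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnum     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    # Start = 3: driver loads on demand (storage enabled); Start = 4: driver disabled.
    $start  = (Get-ItemProperty -Path $UsbStorService -Name Start).Start
    $policy = Get-ItemProperty -Path $RemovablePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DriverStart    = $start
        StorageEnabled = ($start -ne 4)
        DenyWrite      = [bool]$policy.Deny_Write   # $false when the policy key is absent
        DenyRead       = [bool]$policy.Deny_Read
    }
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device ever enumerated leaves a key under Enum\USBSTOR,
    # which gives a quick picture of what has been plugged into this endpoint.
    Get-ChildItem -Path $UsbStorEnum -ErrorAction SilentlyContinue | Get-ChildItem |
        ForEach-Object {
            [pscustomobject]@{
                DeviceClass  = $_.PSParentPath.Split('\')[-1]
                SerialNumber = $_.PSChildName
                FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            }
        }
}

function Set-UsbStorageLockdown {
    param([Parameter(Mandatory)][ValidateSet('Disable','ReadOnly','Allow')][string]$Mode)
    switch ($Mode) {
        'Disable'  { Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 }
        'ReadOnly' {
            Set-ItemProperty -Path $UsbStorService -Name Start -Value 3
            New-Item -Path $RemovablePolicy -Force | Out-Null
            Set-ItemProperty -Path $RemovablePolicy -Name Deny_Write -Value 1 -Type DWord
            Set-ItemProperty -Path $RemovablePolicy -Name Deny_Read  -Value 0 -Type DWord
        }
        'Allow' {
            Set-ItemProperty -Path $UsbStorService -Name Start -Value 3
            if (Test-Path $RemovablePolicy) { Remove-Item -Path $RemovablePolicy -Recurse }
        }
    }
}
```

Run `Get-UsbStorageState` and `Get-UsbStorageHistory | Format-Table -AutoSize` to audit a machine, and `Set-UsbStorageLockdown -Mode ReadOnly` to keep business devices usable while blocking copies off the network. Disabling the driver affects devices connected after the change, so already-mounted drives should be removed as part of the rollout.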

* I am not linking to the actual modified applications on purpose, primarily because, although these can be used to assist in securing your network, they can also be used for nefarious purposes… of course they are not difficult to find.

April 28, 2006

Beware the enemy within

Filed under: News, Data Theft — Matt Fisher @ 10:37 am

Almost half the security experts who attended the recent E-Crime Congress in London agreed that internal users were the greatest risk to their IT security. Only 11% of respondents thought that external hackers were more dangerous, while 44% rated external and internal threats equally.

The survey also established that only eight percent of respondents felt the “average” company takes a proactive approach to security - with over half (59%) reporting that companies were only reactive.

April 27, 2006

Should Mastercard be forced to explain data theft?

Filed under: Opinion — Matt Fisher @ 12:04 pm

With Mastercard refusing to explain a breach that exposed thousands of Clydesdale Bank customers to potential identity theft, is it time for lawmakers to take a tougher stance on security breach disclosures?

In the case highlighted by Clydesdale customers, Mastercard won’t say whether the security breach affects just the UK or whether other banks are also at risk. But is that stance acceptable from an organization that holds so much sensitive data on millions of consumers?

Many countries around the world have been slow to address the issue of IT security breach disclosure - and those states that have made attempts have often run up against much opposition. But what’s best for consumers and service providers alike? Will financial institutions really make strides forward in IT security measures if they are under no obligations to report possible data thefts?

One thing is for sure; as long as it remains easier to sweep these issues under the carpet, rather than tackle them head on, consumers have every reason to remain concerned about the safety of their personal data on service providers’ systems.

April 26, 2006

Is Super-Glue part of your endpoint security strategy?

Filed under: News, Hacking, Data Theft — admin @ 7:45 pm

Richard Stiennon, in his recent blog post, follows up on his article regarding how keyloggers were used to gain access to Sumitomo Bank’s wire transfer capability. Last year U.K. authorities foiled what could have been one of the largest bank heists in history. Stiennon reports that the bank’s best practice to avoid a repeat attack is that they now super-glue the keyboard connections to their PCs.

Here is a short recap of the incident. Thieves masquerading as cleaning staff, with the assistance of a security guard, installed hardware keystroke loggers on computer systems within the London branch of the Japanese bank. The computers that had the keyloggers installed belonged to help desk personnel, and the keyloggers captured all data entered via the keyboard, including admin passwords and remote access credentials.

The keyloggers were also installed on the PCs that belonged to bank personnel responsible for wire transfers; the thieves then attempted to transfer 220 million pounds to offshore accounts.

Is Super-Glue really the endpoint solution that we have all been looking for? How do you think they are securing their USB and Firewire ports, maybe Silly Putty or rubber cement?

April 21, 2006

Ex-Lockheed Martin employees accused of data theft

Filed under: News, Data Theft — Matt Fisher @ 11:58 am

Lockheed Martin has accused three ex-employees of stealing corporate secrets in an attempt to help a competitor, L-3 Communications’ Link Simulation and Training division, win a lucrative $1 billion Air Force contract.

Lockheed says the three employees — Kevin Speed, Steve Fleming and Patrick St. Romain — were deeply involved in the program and had access to vast amounts of internal data, including plans for competing for the new contract. The company alleges that when they resigned, they copied thousands of pages of confidential data that may have been turned over to L-3 and Mediatech.

The $1 billion contract at the heart of the legal battle is, even by defense standards, no small change. Lockheed won $19.4 billion worth of contracts from the Pentagon last year versus $4.7 billion for L-3.

L-3 denies the accusations, but the case clearly highlights the ease with which insiders can remove sensitive files from the network using innocent-looking personal storage devices.

Full story here