April 27, 2007
One of our greatest fears is starting to become a reality. We warned you this was coming, and it is going to get worse. You may remember the endpoint security penetration test conducted by a security firm back in June, which we covered. Apparently it served as inspiration for some actual attackers in London: several USB flash drives carrying a Trojan were scattered throughout a parking lot. The Trojan was designed to steal users' login details from the machines it compromised, not unlike the USB Switchblade application we looked at a while back. Don't say we didn't tell you so!
Many security professionals are starting to see attackers favor this vector over phishing emails and over time-consuming perimeter-style attacks, which are getting harder to pull off. As perimeter security has become more robust, attackers look for easier ways in. A USB removable media device in the hands of the technologically naive is a recipe for disaster: USB ports are wide open, human beings are curious creatures, and a free USB flash drive found in the parking lot can be too much for some employees to resist. That USB glue option is starting to sound like not such a bad idea.
USB Risk Prevention
To mitigate the risk, employee training should be the first line of defense. You might be surprised to learn that many people simply don't understand the risks posed by removable media. Second, if you are serious about protecting data and blocking unauthorized use of USB ports (as well as FireWire, Bluetooth and CD/DVD drives) on your network, you will need a stronger policy in place as well as endpoint security technology to enforce it. Windows does not protect you out of the box: a stock install, Vista included, lets any user mount and write to a removable drive unless an administrator configures a policy that says otherwise.
The best technology we know of that gives administrators granular control over their endpoints is DeviceWall. We know of no other product that lets administrators decide who has access to these devices and ports, who has read or write access to them, enforces encryption on all USB flash drives and audits all data written to those drives.
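For readers who want to see what enforcing such a policy looks like at the registry level, here is an added example (not the blog's own code and not DeviceWall's) that audits and sets the built-in Windows "Removable Storage Access" policy for removable disks. It writes the same values that Group Policy writes on Vista and later. It assumes an elevated PowerShell session on the endpoint being hardened; the key paths, the class GUID and the function names are the example's own.

```powershell
# Added example (not from the blog or DeviceWall): audit and enforce the Windows
# "Removable Storage Access" policy for removable disks via the registry values
# that Group Policy writes (Vista and later). Assumes an elevated session.

# Parent key: Deny_All here applies to every removable storage class.
$AllClassesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-setup class GUID for "Removable Disks" (what a USB flash drive enumerates as).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "$AllClassesKey\$RemovableDisksClass"
# USB mass-storage driver service: Start=4 disables it outright, Start=3 (default) loads it on demand.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableDiskPolicy {
    # Report current state. A missing value means "not configured", i.e. access is allowed,
    # which is exactly what a stock Windows install gives you.
    $all      = if (Test-Path $AllClassesKey) { Get-ItemProperty -Path $AllClassesKey } else { $null }
    $policy   = if (Test-Path $PolicyKey)     { Get-ItemProperty -Path $PolicyKey }     else { $null }
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllClasses  = ($all.Deny_All      -eq 1)
        DenyRead        = ($policy.Deny_Read  -eq 1)
        DenyWrite       = ($policy.Deny_Write -eq 1)
        UsbStorStart    = $usbStart
        UsbStorDisabled = ($usbStart -eq 4)
    }
}

function Set-RemovableDiskPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Allow: clear the policy. ReadOnly: users can read but not write (stops data leaving
        # on a drive, does not stop a Trojan coming in). Block: deny read and write entirely.
        [ValidateSet('Allow', 'ReadOnly', 'Block')]
        [string] $Mode = 'ReadOnly'
    )
    if (-not $PSCmdlet.ShouldProcess($PolicyKey, "set removable-disk policy to $Mode")) { return }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Clear old Deny_* values first so a previous ReadOnly does not linger under Allow.
    foreach ($name in 'Deny_Read', 'Deny_Write') {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
    switch ($Mode) {
        'ReadOnly' {
            New-ItemProperty -Path $PolicyKey -Name Deny_Write -Value 1 -PropertyType DWord -Force | Out-Null
        }
        'Block' {
            New-ItemProperty -Path $PolicyKey -Name Deny_Read  -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $PolicyKey -Name Deny_Write -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Get-RemovableDiskPolicy
}

# Usage: inspect, preview with -WhatIf, then apply. Re-plug drives that are already
# mounted; the policy is evaluated when a device arrives.
Get-RemovableDiskPolicy
Set-RemovableDiskPolicy -Mode ReadOnly -WhatIf
# Set-RemovableDiskPolicy -Mode Block
```

Two caveats a practitioner would want: a local registry edit like this is undone in seconds by anyone with local admin rights, so in a domain push the same settings through Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access), which re-applies them on every refresh; and none of this gives you the per-user exceptions, forced encryption or write auditing the post asks for, which is the gap products such as DeviceWall fill.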
April 7, 2007
This week the IRS reported the theft or loss of almost 500 computer systems over the course of three years ending in 2006. There were 387 incidents and 490 laptops that disappeared. The report also refers to “other computer devices” such as USB flash drives and removable media.
The report found that IRS employees were not properly encrypting data on computer systems and removable storage devices and that password controls were inadequate. As a result of these lapses, the report concludes, it is very likely that sensitive data belonging to a significant number of taxpayers has been unnecessarily exposed to potential identity theft and other fraudulent schemes.
Mobile IRS Work Force Leads To Increased Thefts
A large number of the laptop thefts occurred when devices were stolen from employee vehicles and residences; the report recommends that staff lock their laptops in the trunks of their cars, or in a locked cabinet at home, when the systems are not in use. There were also over one hundred incidents in which laptops were stolen inside IRS facilities, and for those the report suggests that employees lock their laptops in lockable cabinets when not in use.
Unencrypted Data
The audit included a separate test of 100 laptops, chosen at random from those currently in use by employees, and found that 44 of them contained unencrypted sensitive information, including taxpayer data and employee personnel data. From these findings the auditors conclude that a large number of IRS employees are not following encryption procedures. The reasons given for not following the encryption guidelines are that employees were unaware of the security requirements, found them too inconvenient, or did not know the data was considered sensitive.
USB Flash Drives & Other Removable Media Problems
The audit also found that USB flash drives and other removable media were not being encrypted or secured. The report references similar findings in a July 2003 report, but states that the IRS has still not taken adequate corrective action.
Off-site Backup Facilities Not Secured
Four offsite data backup facilities were also evaluated. It was discovered that backup data was not being encrypted or adequately secured at all four sites. At one site, non-IRS employees had full access to the storage area holding all IRS backup media, and envelopes and boxes were found open and unsealed. At another site, a retired employee still had full access rights to all storage systems at the facility.
Sources
Treasury Inspector General For Tax Administration Report:
The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices - March 23, 2007
October 27, 2006
The FBI is investigating a worker from the Los Alamos National Laboratory as the possible source of classified information from the nuclear-weapons facility discovered during the arrest of a New Mexico man on drug charges. Jessica Quintana was questioned after Los Alamos police found classified nuclear data on three USB flash drives during a search of the trailer she shares with another man who was being investigated for drug charges.
The information is believed to be classified as Secret Restricted Data, a category covering nuclear weapons data, and may have concerned the detection of underground nuclear weapons tests. Some reports claim that Quintana, employed by a maintenance subcontractor of the Lab, worked either in Technical Area 55, where all of the Lab's plutonium is stored, or in the X Division, which handles nuclear weapons design data.
Flash drives have been banned from the Los Alamos laboratory for the past two years, yet one must wonder how this policy is actually being enforced.
In 2004 two computer disks containing confidential data went missing; a year later Los Alamos said the disks had never existed. In 1998 Wen Ho Lee was accused of stealing nuclear secrets for China, only to have 58 of the 59 counts dropped after Mr. Lee pleaded guilty to a single count of improperly handling restricted data.
Sources
BBC
Washington Times
Los Alamos Police Report
October 18, 2006
A small number of iPods were shipped from one of Apple's contract manufacturers carrying the RavMonE.exe virus.
Full disclaimer here
The virus propagates through mass storage devices, so anyone with an infected iPod may also have infected their USB flash drives, cameras and other removable media devices.
The PR folks at Apple are pretty quick with this one “as you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it”.
October 9, 2006
Endpoint Security Threat Level: Critical
USB Hacksaw is an application created as a proof of concept and an extension of the USB Switchblade. USB Hacksaw uses a modified version of USB Dumper that, once installed on a system, runs a background process every time that computer starts, waiting for a USB thumb drive to be inserted. Once a thumb drive is inserted, its contents are automatically sent over an encrypted SMTP connection to a remote email account configured by the author.
The tool has quickly been modified for even more malicious purposes, including running a special build of Nmap and other vulnerability scanning tools against the network the system is connected to and sending the results to remote locations. A version has also been released that installs the payload onto any drive plugged into an infected computer, enabling it to infect every other system that drive is later plugged into.
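The two behaviours described above leave network traces that are easy to check for: a workstation opening SMTP connections to something other than the corporate mail relay (the exfiltration channel), and one host sweeping many ports on a neighbour (the Nmap variant). The following is an added example, not code from Hak5 or from this blog, that runs both checks over a small constructed flow log. It assumes workstations sit in 10.1.4.0/24, that 10.1.0.5 is the only sanctioned mail relay, and that the log uses the simple key=value format shown; the addresses, timestamps and function names are all the example's own.

```powershell
# Added example (not from Hak5 or the blog): two detections for the USB Hacksaw
# behaviour described above, run over a constructed firewall/flow log.
# Assumptions: workstations in 10.1.4.0/24, sanctioned mail relay 10.1.0.5,
# log lines in the key=value form below. 198.51.100.0/24 is a documentation range.

$SampleLog = @'
2006-10-09T09:12:01 src=10.1.4.22 dst=10.1.0.5 dport=25 proto=tcp action=allow
2006-10-09T09:12:07 src=10.1.4.22 dst=198.51.100.17 dport=465 proto=tcp action=allow
2006-10-09T09:13:02 src=10.1.4.22 dst=10.1.4.30 dport=21 proto=tcp action=allow
2006-10-09T09:13:02 src=10.1.4.22 dst=10.1.4.30 dport=22 proto=tcp action=allow
2006-10-09T09:13:02 src=10.1.4.22 dst=10.1.4.30 dport=23 proto=tcp action=deny
2006-10-09T09:13:03 src=10.1.4.22 dst=10.1.4.30 dport=80 proto=tcp action=allow
2006-10-09T09:13:03 src=10.1.4.22 dst=10.1.4.30 dport=135 proto=tcp action=allow
2006-10-09T09:13:03 src=10.1.4.22 dst=10.1.4.30 dport=139 proto=tcp action=allow
2006-10-09T09:13:04 src=10.1.4.22 dst=10.1.4.30 dport=445 proto=tcp action=allow
2006-10-09T09:13:04 src=10.1.4.22 dst=10.1.4.30 dport=3389 proto=tcp action=deny
2006-10-09T09:15:00 src=10.1.4.40 dst=10.1.0.5 dport=587 proto=tcp action=allow
2006-10-09T09:16:11 src=10.1.4.40 dst=198.51.100.80 dport=443 proto=tcp action=allow
'@

function ConvertFrom-FlowLog {
    # Parse one log line per object; lines that do not match the format are skipped.
    param([string] $Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<ts>\S+)\s+src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+dport=(?<dport>\d+)\s+proto=(?<proto>\S+)\s+action=(?<action>\S+)') {
            [pscustomobject]@{
                Time   = [datetime]$Matches['ts']
                Src    = $Matches['src']
                Dst    = $Matches['dst']
                DPort  = [int]$Matches['dport']
                Proto  = $Matches['proto']
                Action = $Matches['action']
            }
        }
    }
}

function Find-UnexpectedSmtp {
    # Hacksaw's channel: a workstation talking SMTP (25, 465, 587) to anything other than
    # the sanctioned relay. TLS on 465 hides the payload from you, not the flow itself.
    param(
        [object[]] $Flows,
        [string]   $WorkstationPrefix = '10.1.4.',
        [string[]] $MailRelays = @('10.1.0.5')
    )
    $Flows | Where-Object {
        $_.Src.StartsWith($WorkstationPrefix) -and
        ($_.DPort -in @(25, 465, 587)) -and
        ($_.Dst -notin $MailRelays)
    }
}

function Find-PortScans {
    # The Nmap variant: one source touching many distinct ports on one target.
    # Denied attempts count too; a scan does not need to succeed to be a scan.
    param([object[]] $Flows, [int] $MinPorts = 6)
    $Flows | Group-Object Src, Dst | ForEach-Object {
        $ports = @($_.Group | Select-Object -ExpandProperty DPort -Unique)
        if ($ports.Count -ge $MinPorts) {
            [pscustomobject]@{
                Src           = $_.Group[0].Src
                Dst           = $_.Group[0].Dst
                DistinctPorts = $ports.Count
                FirstSeen     = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            }
        }
    }
}

$flows = ConvertFrom-FlowLog $SampleLog
Find-UnexpectedSmtp $flows | Format-Table Time, Src, Dst, DPort
Find-PortScans $flows | Format-Table
```

On the constructed log this flags the 465 connection from 10.1.4.22 to 198.51.100.17 and the eight-port sweep of 10.1.4.30 by the same host; the relay traffic on 25 and 587 and the ordinary 443 session are left alone. Against real logs, feed the parser your firewall's export instead of the here-string, and treat a host that trips both rules within minutes of a USB insertion as a priority for a pull-and-image rather than a ticket.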
More Information
Hak 5 USB Hacksaw Wiki