In terms of security, companies have done a lot of work to protect themselves against external attacks. Good! Now, it’s time to have a look at internal security.
Do you have a strong security policy regarding mobile devices? Do you allow external hardware to be used? A good example is USB devices: more and more people carry a privately owned USB key to exchange data. These devices can be misused in several ways:
- Bring confidential documents outside the company perimeter;
- Import untrusted files onto the company network;
- Run loggers and grabbers on local hosts.
The 3rd case will be discussed here.
Let’s imagine: your colleague comes to you and gives you his USB key, saying “Hey, John, have a look at my holiday pictures…”. You insert the key in your notebook, the content is displayed, you see a “Holiday-2007” directory, open it and start the slide show. Nice pictures indeed! He takes his USB key back and disappears…
Back at his desk, he re-inserts his key, opens it and looks in the /Dump/ directory:
```
$ ls -al
total 344
drwx------ 2 nobody nobody   2048 2007-05-05 18:28 .
drwx------ 4 nobody nobody   1024 2007-05-04 15:49 ..
-rwx------ 1 nobody nobody 102388 2007-05-05 18:29 history.html
-rwx------ 1 nobody nobody   3586 2007-05-05 18:29 IEPasswords.html
-rwx------ 1 nobody nobody    918 2007-05-05 18:29 IMClients.html
-rwx------ 1 nobody nobody  55520 2007-05-05 18:29 InstalledUpdates.html
-rwx------ 1 nobody nobody   1633 2007-05-05 18:29 mail.html
-rwx------ 1 nobody nobody  76334 2007-05-05 18:29 MozillaCookies.html
-rwx------ 1 nobody nobody   3831 2007-05-05 18:29 NetworkAdapter.html
-rwx------ 1 nobody nobody   1806 2007-05-05 18:29 NetworkPasswords.html
-rwx------ 1 nobody nobody  10961 2007-05-05 18:29 OpenPorts.html
-rwx------ 1 nobody nobody   1153 2007-05-05 18:29 ProductKey.html
-rwx------ 1 nobody nobody    968 2007-05-05 18:29 PstPassword.html
-rwx------ 1 nobody nobody  60516 2007-05-05 18:29 selected.html
-rwx------ 1 nobody nobody  23565 2007-05-05 18:29 Startup.html
$
```
When you inserted the untrusted USB key, Windows examined the autorun configuration and executed a bunch of scripts (silently, of course!) which grabbed all this nice information (the filenames speak for themselves). This time, the USB key did not install or execute any programs, but versions exist with extra features such as key loggers, remote control applications (VNC) and more nice toys!
How to prevent this problem? As usual with security-related issues, the end user is the weakest point! Some social engineering will help the attacker get to know you better! Some guidelines regarding USB devices:
- Never trust suspicious sources;
- Disable usage of USB devices;
- If you can’t completely disable the USB ports, disable the autorun feature.
If you manage a big network of workstations and notebooks, a good idea would be to deploy a tool like CheckPoint Integrity.
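To check the autorun guideline above, here is an added example (not part of the original post): Python code that lists the entries in a USB key's autorun.inf that ask Windows to start a program, and tests whether a NoDriveTypeAutoRun value (the Explorer policy that switches AutoRun off per drive type) covers removable drives. The sample file, the function names and the policy values passed in are constructed for illustration.

```python
import re

# [autorun] keys that ask Windows to start a program.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
DRIVE_REMOVABLE_BIT = 0x04  # NoDriveTypeAutoRun bit for removable drives

# Constructed sample file, not taken from the article.
SAMPLE_INF = """; comment line
[AutoRun]
Open=viewer.exe
icon=folder.ico
Shell\\browse\\Command=viewer.exe /b
[Other]
open=ignored.exe
"""


def autorun_commands(inf_text):
    """Return (key, command) pairs in [autorun] that launch something."""
    found, in_autorun = [], False
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):  # section header, case-insensitive
            in_autorun = line[1:].split("]")[0].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and EXEC_KEYS.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found


def removable_autorun_disabled(policy_value):
    """True if NoDriveTypeAutoRun turns AutoRun off for removable drives."""
    return bool(policy_value & DRIVE_REMOVABLE_BIT)


def audit(inf_text, policy_value):
    """Launch entries not blocked by this policy value; empty means none."""
    if removable_autorun_disabled(policy_value):
        return []
    return autorun_commands(inf_text)


if __name__ == "__main__":
    for value in (0x91, 0xFF):  # constructed policy values
        print(hex(value), audit(SAMPLE_INF, value))
```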
No not really close. I just read loads of blogs 🙂
BTW, Who are you? Are you close to GFI?
Hi Xavier fair enough… yes in fact there are issues with EndPointScan which can definitely be improved, and as far as I know GFI are looking at improving the online scanner. A downloadable version of the tool should also soon be made available, which will not require people to run the tool through IE. What I don’t agree with though is your stating that a best practice should be not to allow use of USBs at all. In some companies that might be feasible, but for most I think USBs are just needed and required for work. So the better way to work around this issue and threat is to use some kind of endpoint security software where you can specify who has access to USB ports, and to what level they have access. Also, I think EndPointScan is just a diagnostic tool… i.e. it should only be used by people who are wondering what endpoint devices are actually connected to the machines on their network, so they can assess where they stand. It’s the first step kind of to seeing where you stand…. then you would take other measures depending on what kind of info the scanner shows you.
I quickly read the EndPointScan website.
Sounds like a good initiative but, IMHO, I won’t recommend this product! It looks too dangerous to me. Why?
Just my two cents…
Before getting down to drastic measures like using USB glue 🙂 companies can take the first step at addressing this USB security issue by actually checking where they stand; i.e. how many USB devices are connected to the machines on their network and who is actually connecting them. EndPointScan is a free diagnostic tool which offers just that, it enables companies to identify those areas where the use of USB devices could pose a risk to the integrity of networks, systems and data.