Take care of untrusted USB keys!

In terms of security, companies accomplished a lot of work to protect them against external attacks. Good! Now, it’s time to have a look at the internal security.

Do you have a strong security policy regarding mobile devices? Do you allow external hardware to be used? A good example is USB devices: more and more people have their privately owned USB key to exchange data. There are several misusages of those devices:

  • Bring confidential documents outside the company perimeter;
  • Import untrusted files onto the company network;
  • Runs loggers and grabbers on local hosts.

The 3rd case will be discussed here.

Let’s imagine: your colleague comes to you and gives you his USB key, saying “Hey, John, have a look at my holiday pictures…“. You insert the key in your notebook, the content is displayed, and you see a “Holiday-2007” directory, open it and start the slide show, nice pictures indeed! He takes his USB key back and disappear…

Back at his desk, it re-insert his key, open it and look in a directory /Dump/ which contains the following files:

$ ls -al
total 344
drwx------ 2 nobody nobody   2048 2007-05-05 18:28 .
drwx------ 4 nobody nobody   1024 2007-05-04 15:49 ..
-rwx------ 1 nobody nobody 102388 2007-05-05 18:29 history.html
-rwx------ 1 nobody nobody   3586 2007-05-05 18:29 IEPasswords.html
-rwx------ 1 nobody nobody    918 2007-05-05 18:29 IMClients.html
-rwx------ 1 nobody nobody  55520 2007-05-05 18:29 InstalledUpdates.html
-rwx------ 1 nobody nobody   1633 2007-05-05 18:29 mail.html
-rwx------ 1 nobody nobody  76334 2007-05-05 18:29 MozillaCookies.html
-rwx------ 1 nobody nobody   3831 2007-05-05 18:29 NetworkAdapter.html
-rwx------ 1 nobody nobody   1806 2007-05-05 18:29 NetworkPasswords.html
-rwx------ 1 nobody nobody  10961 2007-05-05 18:29 OpenPorts.html
-rwx------ 1 nobody nobody   1153 2007-05-05 18:29 ProductKey.html
-rwx------ 1 nobody nobody    968 2007-05-05 18:29 PstPassword.html
-rwx------ 1 nobody nobody  60516 2007-05-05 18:29 selected.html
-rwx------ 1 nobody nobody  23565 2007-05-05 18:29 Startup.html
$

When you inserted the untrusted USB key, Windows examined the autorun configuration and executed a bunch of script (silently of course!) which grabbed all those nice informations (the filenames speak about themselves). This time, the USB key did not install nor execute any programs but versions exist with extra features such as key loggers, remote control applications (VNC) and more nice toys!

How to prevent this problem? As usual, in most security related issues, the end-user is the weakest point! Some social engineering will help the attacker to better know you! Some guidelines regarding USB devices:

  • Never trust suspicious sources;
  • Disable usage of USB devices;
  • If you can’t completely disable the USB ports, disable the autorun feature

If you manage a big network of workstations and notebooks, a good idea should be a deployment of a tool like CheckPoint Integrity.

5 comments

  1. Hi Xavier fair enough… yes in fact there are issues with EndPointScan which can definitely be improved, and as far as I know GFI are looking at improving the online scanner. An downloadable version of the tool should also soon be made available, which will not require people to run the tool through IE. What I don’t agree with though is your stating that a best practice should be not to allow use of USBs at all. In some companies that might be feasible, but for most I think USBs are just needed and required for work. So the better way to work around this issue and threat is to use some kind of endpoint security software where you can specify who has access to USB ports, and to what level they have access. Also, I think EndPointScan is just a diagnostic tool… i.e. it should only be used by people who are wondering what endpoint devices are actually connected to the machines on their network, so they can assess where they stand. It’s the first step kind of to seeing where you stand…. then you would take other measures depending on what kind of info the scanner shows you.

  2. I quickly read the EndPointScan website.
    Sounds like a good initiative but, IMHO, I won’t recommand this product! It looks too dangerous to me. Why?

    • I won’t allow a company to install a piece of software downloaded from the Internet which requires admin rights on my computer to run.
    • You only support Internet Explorer
    • Why take measures to detect who connected what, where and when? A best practice should be do not allow at all and define a global USB-devices policy.

    Just my two cents…

  3. Before getting down to drastic measures like using USB glue 🙂 companies can take the first step at addressing this USB security issue by actually checking where they stand; i.e. how many USB devices are connected to the machines on their network and who is actually connecting them. EndPointScan is a free diagnostic tool which offers just that, it enables companies to identify those areas where the use of USB devices could pose a risk to the integrity of networks, systems and data.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.