Well, if you've been following along...we talked about who the insiders are and the metrics behind economic espionage. We've discussed why they do it and how they get the data. But I know this probably hasn't been very technical for most of you. Today that is going to change. Today we're going to talk about how your secrets are actually leaving the company!
USB - Form factors? You want form factors? We got form factors!
We're spending a fair amount of time telling our security guards to prevent people from entering secure areas with USB devices. As these thumbdrives start having greater capacity, the risk to your business is growing as well. Have you seen some of the new designs in USB that have popped up recently? You've probably already seen the USB 2GB watch or the ultra-chic Oakley Thump sunglasses, made popular by Dog the Bounty Hunter.
But have you seen these other very cool form factors? We got USB built into a credit card, USB stuffed animals, "wooden" USB devices, USB "sushi" (For my TechNet buddy and fellow sushi aficionado, Harold Wong)...Note to Self: Post some of the sushi restaurants I go to when I travel. We also got USB Master Chief for friend and fellow gamer, Keith Combs. (My Christmas shopping is apparently taking care of itself.)....
.....and my personal favorite, USB Barbie.
For years USB has been a way to store your data on a portable medium. Problem was, I could carry my docs with me, but what did you do if the hotel business center didn't have Microsoft Office installed? (You pack up your crap and stay at a real hotel, that's what you do!) Seriously, you were pretty much hosed. Sounds like a great "business opportunity" doesn't it. Welcome to the game a USB device that not only carries your docs and data, it also carries the app with you and runs the app through a Virtual CD drive. The technology is called U3 and it's available pre-installed on many USB devices. Don't get me wrong....it's a great idea....until someone decided to make it a security risk.
Fear the Switchblade and the Hacksaw
You know with a name like this it can't be good. Switchblade was the first implementation of the nasty hacker tool, and Hacksaw is the v2.0 of the tool. Switchblade essentially copies system info off from the machine once it's plugged in and Autorun allowed it to run as a virtual CD. Stuff like LSA Secrets, PIDs, password hashes, etc. What does that mean? It means while I hand you my USB and tell you that I need to provide my .PPT to you, I'm getting something in return. Nice huh?
Hacksaw does essentially the same thing, only it silently installs Blat and STunnel to your machine, which will then proceed to send nice encrypted emails of all your docs (encrypted no less)....to a GMail account of your choosing. I don't even need to stick around! It also pulls the data off of any remote USB thumbdrives that gets plugged into the infected system. Think about THAT the next time you pop a USB into the hotel's business center computer!!! I demo this when I'm live and trust me...it works.
(Did you check out those links? They have videos of a the attack actually being demonstrated! Go back and watch!)
You may be saying...."Kai, what about my AV software..won't that catch this?" Answer: "It depends." Does your AV software scan remote USBs for things that are not actually being installed on the local machine? Switchblade bypasses that. Hacksaw bypasses by installing an SMTP Mailer...which most AV software don't block. We already know you got TCP Port 25 open. Here are some things to do....
Mitigating USB Risks
So how do you stop it?
NEXT TIME: Insider Threat continues with: "Phone Home + The Power of PMP"
You forgot the most important control of them all: legal T&C's prohibiting the exposure of documents to unauthorized individuals, and then... putting (C) notices in the master templates. Only (C) is enforceable, and a legal contract helps remind them of their responsibilities.
There is a huge opportunity cost of disabling USB drives. This cost is more than any possible gain by blocking them. Most companies that lose data do not lose any reputation, shareholder loss, or long term financial loss. Let's look at some examples:
HP - lost some documents when the board was spying on journalists. Result? HP stock has gained gone from $35 per share to just under $50, a 39% gain. HP's share of the PC market has gone marginally up. After they sacked the criminals in the board, anyone who CARED about this, respected HP more and are more likely to buy HP products, as we did earlier this year. In my personal experience, the loss of documents NEVER ends up being an end of company event UNLESS something criminal is going on (Enron, Worldcom, etc). Therefore, why protect against it? It's a complete WAFTAM.
Not being able to interchange data in an easy fashion means I HAVE to get around your controls to do my job. This sets a really bad precedent - the same as the idea that drinking at 21 stops binge drinking. No it doesn't, but it makes otherwise honest and law abiding folks go out and break the law and get fake ID.
Be reasonable about your security controls. Blocking USB does not help stop the insider loss story. Yes, they can be used for this purpose.. but so can printing things out, burning a CD or DVD (4.7 GB per disk), using a floppy (remember those things?), using my personal web mail client the censorware knows nothing about, using my personal file uploading app written in Flash, the list goes on and on and on and on. I have many ways to get your documents out, and I'm sure that others have many others I can only dream of, too.
If someone really wants the information out, they'll get it out. Don't harm the little guy just doing their job. Don't waste your company's money and time by blocking things like this. I consider this to be in the same boat as blocking folks from changing their desktop, screensaver or mouse pointer. Absolutely zero benefit from a security perspective.
Protect yourself using the only thing that provides you some certainty: legal T&C's and copyright. Make it clear that if there's any violation, after your biggest baddest lawyers have finished with them they'll be eating ramen for the rest of their days.
Great comment! Appreciate the feedback. I covered the why of Insider Threat earlier, and will cover the various egress methods in turn….starting with USB. I have plans to cover Mobile Devices, DVD, Copiers, etc. Vista allows the selective blocking of USB devices by GUID, so you can literally block only thumbdrives that have not been approved by the IT staff. The use of a draconian “block all USBs” is, as you suggest, ill-advised. I absolutely agree that we need stronger policies to enforce security, before we start worrying about technical mitigations. The copyright only works if the company follows our copyright laws….and lots of countries refuse to follow them and often endorse corporate espionage efforts.
Good to see someone from OWASP on here. I think you guys do terrific work and point my Dev audiences to you every time I speak.
I've been a long time reader - the wonders of RSS :)
I like your blog as your posts are fairly rational and level headed when it comes to business <-> security balance. There are too many dogmatic folks out there :)