On Thursday InformationWeek reported that Firefox 3 had a "Security Flaw". This is not a surprise, all software has bugs, but the flaw should have been reported to Mozilla before the release so that they had time to fix it before shipping.
InformationWeek also raises the issue of paying security researchers for the bugs they submit: "...Security experts have raised concerns about such programs, saying they set a precedent in which people could start selling their information to the highest bidder, who could end up being a criminal. In addition, there's no guarantee that the information is coming from an ethical hacker."
Paying for exploits is a difficult issue. Should we encourage security researchers to keep finding vulnerabilities? Does paying ensure that the problems are found before others can exploit them? Or are we just creating a cyclical economy: detect a flaw, get paid for it, report it, fix it, find another flaw?
I believe that it is important for researchers to find these flaws and report them responsibly. They should be paid for their work (otherwise they may turn black :) ), but perhaps vendors should place bounties on their own bugs, rather than third parties placing the bounties.
Saturday, June 21, 2008
Moving from old provider
Finally, I have done it! I have moved my domain name from UCVHOST to Blogger! Thank goodness for that!
What an effort! It took a little over a week and a half to get the auth code from my previous provider and then about another half a week for the domain name to come across (after about 5 emails).
But now that I am here it seems much easier and faster, and the site is up all the time (need I say more).
I hope to place more articles soon. Cheers
Thursday, June 5, 2008
Attacks against your intranet
When was the last time you looked at the logs of your intranet server? A day, week, month, year ago perhaps?
When you looked at them, was it to find usage? To see which departments were most active? Were those departments or personnel allowed to access those parts of the intranet?
Did you check which browser agents were using your intranet? Were the agents part of your SOE (Standard Operating Environment) build? Or are they foreign agents?
Were all the hits recorded in the log file from inside your business? If they weren't from inside, should your RAS (Remote Access Solution) allow outside contact to your intranet?
When you looked at the logfiles did you check for irregular entries in the requests? Were form submissions as you intended or as expected? Did you happen to record all of the form events, both POST and GET?
I bet you're thinking "Ummm, jeez, I might go have a look at those log files right now".
But do you know what you are looking for?
For this exercise I will assume that you are using Apache's common log format (CLF). The line below also carries the referer and user agent fields, which is what Apache calls the "combined" format; if your server only writes plain CLF you will not have the last two fields, and you should turn them on, because the user agent check below depends on them.
For those at home, the log is space delimited, meaning that each element of the record is separated by a space character (i.e. " "). The date, request, referer and user agent fields contain spaces themselves, so they are wrapped in brackets or quotes.
127.0.0.1 - frank [10/Oct/2007:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)"
OK, the breakdown
- 127.0.0.1 - The IP address of the client that made the request (or of the proxy in front of it)
- "-" - The RFC 1413 identity of the client; almost no server checks it, so it is nearly always "-"
- frank - The username for authenticated content; this will be a "-" if the content does not require authentication
- [10/Oct/2007:13:55:36 -0700] - The date and time the server received the request, with the timezone offset
- "GET /apache_pb.gif HTTP/1.0" - The request line from the client: method, object and protocol version
- 200 - The status code the server returned for that request; in this case 200 means the request succeeded
- 2326 - The size in bytes of the response body, not counting headers ("-" if nothing was returned)
- "-" - The referer, i.e. the page the client says it came from ("-" when the browser sent none)
- "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)" - The user agent, which describes both the browser and the OS supporting it
What should I be looking for?
- Check IP addresses against the known subnets within your organisation. Does an address fall outside your normal ranges? Or does it arrive via a proxy or from the DMZ? In that case the logged address is the proxy's, and you need the proxy's own logs to find the real client.
- Do access times to information lie outside normal parameters for that person or department?
- Are old or closed accounts accessing the intranet? Are non-shift workers logging in after hours?
- Volume analysis on the traffic served by the web server (bytes per client or per account over time) shows whether information is being harvested: a user pulling far more than their peers, or far more than usual, deserves a look.
- Runs of 404 (not found) responses from one client suggest blind spidering or forced browsing of your intranet; runs of 401 (unauthorised) responses against protected areas suggest password guessing.
- You can also identify machines on your network that are not on your SOE by pulling the "useragent" field and comparing it with the browsers your SOE ships.
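As an added example, not from the original post, here are the checks above run over a handful of constructed combined-format lines in Python. It also goes slightly beyond the list by flagging request paths that carry quote or comment characters, which is what "were form submissions as you intended" comes down to in practice. The internal subnet, business hours, SOE user-agent string and the three-error threshold are assumptions for the example; replace them with your own environment's values.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real traffic).
# 10.1.4.22 is an ordinary SOE desktop; 10.1.9.7 hammers a protected area
# after hours from a non-SOE browser; 203.0.113.45 is outside the company
# range and probes for backups; jsmith sends a quoted string in a query.
SAMPLE_LOG = """\
10.1.4.22 - frank [05/Jun/2008:09:12:01 +1000] "GET /hr/policies.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.4.22 - frank [05/Jun/2008:09:12:05 +1000] "POST /hr/leave.cgi HTTP/1.1" 200 812 "http://intranet/hr/leave.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.9.7 - - [05/Jun/2008:02:41:10 +1000] "GET /finance/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14"
10.1.9.7 - - [05/Jun/2008:02:41:11 +1000] "GET /finance/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14"
10.1.9.7 - - [05/Jun/2008:02:41:12 +1000] "GET /finance/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14"
203.0.113.45 - - [05/Jun/2008:03:05:44 +1000] "GET /admin/backup.zip HTTP/1.1" 404 0 "-" "Wget/1.10.2"
203.0.113.45 - - [05/Jun/2008:03:05:45 +1000] "GET /admin/db.sql HTTP/1.1" 404 0 "-" "Wget/1.10.2"
203.0.113.45 - - [05/Jun/2008:03:05:46 +1000] "GET /admin/ HTTP/1.1" 404 0 "-" "Wget/1.10.2"
10.1.4.30 - jsmith [05/Jun/2008:10:30:00 +1000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 220 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# One regex for the combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Policy inputs (assumptions for this example): the internal address space,
# business hours, the user-agent string the SOE build ships, and how many
# consecutive 401/404s from one client count as a run.
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
SOE_AGENT_PREFIXES = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",)
ERROR_RUN_THRESHOLD = 3
# Quote, comment and tag characters, raw or percent-encoded, in a request path
INJECTION_RE = re.compile(r"(%27|'|%22|\"|--|%3C|<|%3E|>)", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %t is the time the request was received, e.g. 05/Jun/2008:09:12:01 +1000
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(log_text):
    """Run the checks from the post over the log text and return a list of findings."""
    findings = []
    error_runs = defaultdict(int)      # client ip -> current run of 401/404 responses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("malformed", line))
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(("external-ip", rec["ip"], rec["path"]))
        if rec["time"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", rec["ip"], rec["user"], rec["time"].isoformat()))
        if not rec["agent"].startswith(SOE_AGENT_PREFIXES):
            findings.append(("non-soe-agent", rec["ip"], rec["agent"]))
        if rec["status"] in (401, 404):
            error_runs[rec["ip"]] += 1
            if error_runs[rec["ip"]] == ERROR_RUN_THRESHOLD:
                kind = "auth-guessing" if rec["status"] == 401 else "forced-browsing"
                findings.append((kind, rec["ip"]))
        else:
            error_runs[rec["ip"]] = 0   # a success breaks the run
        if INJECTION_RE.search(rec["path"]):
            findings.append(("suspicious-request", rec["ip"], rec["user"], rec["path"]))
    return findings


def summarise(findings):
    """Count findings by type so a reviewer can see what dominates."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
    print(summarise(analyse(SAMPLE_LOG)))
```

On a real server, feed `analyse()` the access log a day at a time and keep the per-client state across runs; the 401 and 404 runs are reset by any success from that client, so a scanner that interleaves valid pages with guesses will need a lower threshold or a rate-based check instead.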
Tuesday, June 3, 2008
Weekly browser trash
Below is a round-up containing links that have been through my browser.
- Upside-Down-Ternet - “My neighbours are stealing my wireless Internet access. I could encrypt it or alternately I could have fun.” This site discusses alternates to getting angry when people steal your bandwidth.
- GOGOL BORDELLO - These guys have been called gypsy punk. It rocks hard! Make sure you check out the videos
- Big book of windows hacks - Thank you Google Books; I've been trying to find this one locally for a while now
- Dancho Danchev's Blog - I have really taken a liking to this guy and what he writes for the community
Security versus Usability
I think it is safe to say that many of us in the technology sector are client focused: a server goes down (from a DDoS attack) and we face the music with the client, expecting nothing more than to be blasted back into last Tuesday (heaven forbid it be the Monday previous… yuck, Monday), or we get an irate call from a customer because their local desktop machine or laptop is infected with the latest, tastiest piece of malware, from a porn site that they never visited… damn those porn fairies.
When are we going to pause and think “hold on, this user is damaging our equipment and we are the ones getting the blame”. Not real fair me thinks…
This brings me to the point of security versus usability. Where is the line that we must draw in the sand to say: this is the boundary, cross it and you will have to pay the consequences?
Looking at this from the point of view of the business: we save the business money and time by putting preventative measures in place before a user can destroy the business from the inside out (we are, after all, just a giant bit of candy).
Let's look at an example of this in practice:
USB keys (the fun never ends): the user brings in some funny movie from home that they have placed on their shiny new U3 USB device. However, let us say there is a new worm that has replaced the contents of the CD-ROM pseudo-device that U3 keys present (you can find more information on modifying the U3 CD pseudo-device at http://cse.msstate.edu/~rwm8/hackingU3/). Because Windows treats that partition as a CD, the malware runs via Autorun when the key is inserted, installs itself on the machine and transmits all of the Word and Excel files to an external email address, as the USB Hacksaw does: http://www.hak5.org/wiki/USB_Hacksaw .
What remedies can be taken?
How should we deal with this situation?
How will the business cope when johnny releases the new sales figures to the outside world?
What can be done about giving an even split to the Security versus Usability Debate?
Obviously prevention is better than cure, so we should implement the following:
- Develop a meaningful policy that encourages users to conform to standards and policies laid out by the corporation - in consultation with the users, ensuring that the policy errs on the side of security
- Enforce the policy to the letter - this must be followed by all staff, with no exceptions.
- Utilise deterrent software
- Disable functionality within the operating system
- Utilise physical means to restrict the ability to execute prohibited action
Many people say that this is not a real solution as it has been said/tried/implemented before and failed, but folks, if you don’t implement a meaningful policy and enforce it, then you have no chance of really making a difference.
What could we have done in this specific case?
Prohibit the use of portable devices in desktop machines, using third-party software tools (such as DeviceWall; http://www.devicewall.com) to disable the USB endpoints.
Use a centralised staging area: files brought in on removable media are copied into a holding area and scanned, and only once clean are they moved into the individual's centralised storage, from where the user can access their data.
What remedies can be taken?
Depending on your business climate, the remedies could range from informing the user to a severe reprimand or even loss of employment, but the remedy must be in line with the offence. Copying an image joke from a USB key into an email hardly warrants dismissal; the distribution of pornography certainly would.
Universal Serial Bus: Small, Available, Threatening (2006)
Abstract
While the implementation of the USB standard across multiple computing platforms has given rise to new devices and allowed for the advancement in portable technology, including the development of devices for the easy transmission of data between computing platforms, seldom is the question asked in regard to the forensic integrity of these devices and the operating systems that they utilise as hosts.
Keywords
USB, Computer Forensics, U3, Malicious Code
Introduction
The Universal Serial Bus (USB) has been a great leap forward for computing world wide. This plug standard, along with the device drivers, allows the connection and near-instant recognition of a variety of devices, including input devices such as keyboards and mice, output devices such as speakers, headsets and printers, and also removable storage devices such as USB memory keys, external hard disk drives and external CD-ROM drives. The USB standard allows these connections to occur across many computing platforms and operating systems such as Apple Mac OS, Microsoft Windows NT-based systems and the Linux platforms.
While the use of USB has been a giant leap forward for the computing world, it appears that both hardware implementations, such as Direct Memory Access (DMA), and software security factors, for example operating system implementations of Autorun, have been overlooked in favour of usability. This oversight has led to concerns that USB devices could be used for unlawful purposes including intellectual property theft and the spread of malware. Although it is not a new phenomenon for removable computing devices to be utilised in computer crimes, as exemplified by USB's CD and floppy disk predecessors, USB devices represent an alarming development that will more readily enable criminals to minimise the audit trail of their crimes while also having the ability to transport increasingly large amounts of data.
This paper seeks to investigate the forensic implications of USB storage devices with a view to examining the inability of operating systems to manage the threat these devices pose. An investigation that incorporates the impact of technological advances will also be undertaken into the security and forensic implications resulting from USB devices. The outcomes of these investigations will demonstrate that current security measures lack the capacity to minimise the threat posed by USB devices and that this will in turn lead to difficulties in investigating crimes that have utilised such devices.
Pervasiveness of the Universal Serial Bus
Since 1996 (Koon, 2005) the Universal Serial Bus platform has come from obscurity to become the unified platform for plugging external devices into computers. The most interesting of these in terms of computer forensics are USB storage devices, due to their ability to store and shift large volumes of data while leaving little trace on the computer.
USB storage is everywhere, helping us move files from one place to another, holding and playing our songs on our digital music devices, storing our digital photos on our digital cameras and holding our appointments and emails on our Personal Digital Assistants. The USB interface gives devices the ability to be recognised quickly, and the size and portability of these devices lets us carry data with us.
The USB device has changed the corporate environment just as floppy drives and CD burners did before it. However, unlike the floppy disk and the CD, the USB storage device poses a far larger risk. Transferring large quantities of data on floppies was not feasible, and the deployment of CD burners within the enterprise is, for the larger part, not implemented due to cost. The presence of USB connections on enterprise workstations is, for the greater part, commonplace.
The pervasiveness of the USB standard has meant that the wired USB standard has more than two billion connections today (USB-IF, 2006); this accounts for all varieties of input/output devices. The USB standard is implemented in nearly every desktop and laptop computer across the globe, making this connection standard available to most users, both at home and in the corporate environment.
In the corporate environment the USB standard has allowed people to be mobile with information, giving the mobile workforce more access to information on the move. The use of the USB storage device has enabled large quantities of data to be easily transferred between systems without the aid of network resources.
USB is great, so where is the threat?
While USB storage devices allow for the fast transmission of data between systems and devices, there are a number of threats that are presented by USB storage. These include:
· the ability to store and migrate large amounts of data
· the portability of this data from one place to another
· the variety of appearances of these storage devices
· the ease of concealment, making the USB storage device harder to detect
· the difficulty of tracing the device post-incident during forensic examination
The preceding list of threats illustrates that the ability to use USB devices to store and transport large amounts of data heightens the vulnerability of many corporations, leaving them more open to criminal attacks that may ultimately remain anonymous. Following is a more in-depth analysis of these threats and their forensic implications.
USB Storage Limits
USB storage devices allow for the storage of massive amounts of data and give the owner the freedom to easily transport such data. The storage capacity of these devices ranges from 8 megabytes to an amazing 64 gigabytes on a relatively small USB key (Buslink, 2006). For example, the Apple Corporation's iPod is capable of storing 60 gigabytes of information, both music and data. To date, approximately 60 million iPod devices have been sold since their launch in 2001 (Dahdah, 2006), with Apple continuously developing and marketing this product as it forms a core component of its business. There are also external hard drive devices that can now exceed 4 terabytes. While these devices are not as compact as USB keys, they still have a high level of portability. The ability to covertly use these devices to rapidly siphon or deposit large amounts of data onto a system poses the greatest security and forensic threat to computing systems that have not been secured against this possibility.
Concept of Storage: USB Devices are Becoming Smaller and Harder to Detect
The large variety of devices readily available on the market has led to the proliferation of confusion and misinformation regarding the definition of a storage device and the real and potential threat these devices could pose to the information security of an organisation. The lack of a comprehensive list of what constitutes a storage device has led to many oversights in terms of devices that could potentially be used for storing and transporting data. For instance, Anderson (n.d.) has outlined a variety of devices that could be overlooked when collecting evidence, including watches, pens and novelty devices that may in fact have USB storage capabilities. It is reasonable to expect that beige boxes with "storage" or "hard drive" written in bold letters down the side of the device would be noticed, but some USB devices such as the iPod or other music devices are not thought of as data transfer devices. However, they should never in the first instance be discounted as mere music players.
Furthermore, although some devices are quite obviously storage devices, their increasingly small size translates into portability and ease of concealment. For instance, the USB pen drive or memory stick was created with portability in mind and, as such, was designed to be as small as possible. This minimal size allows the device to be transported and concealed with ease while not compromising on storage capacity. Fictional works have also captured the fact that USB devices can be smuggled into and out of workplace environments. For example, the Hollywood movie The Recruit shows classified data being smuggled from an American intelligence agency through the use of a USB memory stick small enough to be hidden in the base of a traveller's coffee mug.
Moreover, the general rule is that the smaller a device is, the easier it is to destroy. This is particularly relevant to USB storage devices. Once the attack has been carried out and the data has been uploaded or downloaded, the USB device can easily be destroyed, thus removing a vital piece of forensic evidence. Both the size of the device and of its container enable the device to be destroyed with little waste to dispose of.
USB Storage is Becoming More Intelligent
While operating systems have always been able to permit USB devices to function with some level of intelligence, there have been advances in these devices that enable them to provide their own intelligence. The use of such technology as the Autorun feature and the newer U3 standard provides this cleverness by allowing the system to identify the device as something that could be trusted, such as a compact disc or a local hard disk drive. Additionally, the U3 standard has provided users with greater system portability by enabling USB devices to store and run self-contained programs. This allows the user to operate programs, such as personalised web browsing software, and also provides the user with a consistent environment across different computers.
Despite the positive features of these developments, many individuals are of the opinion (Garfinkel, 2006) that the Microsoft Windows Autorun feature is surplus to the requirements of any user and is a bad idea in any situation. These opinions have arisen even though Windows will not execute an autorun.inf from a removable (USB) drive unless the default policy is changed; it does so for drives it believes are CD-ROMs. The potential for this type of technology to be exploited for malicious purposes has been identified by many security professionals (Hak.5, 2006). One of the major risks posed by the U3 standard is the ability it provides to present a single physical device as two: a storage area and a virtual CD-ROM device. This duality enables the device to run immediately as a CD-ROM would, and so removes the user interaction that Autorun would otherwise require on a removable drive. Furthermore, by replacing the contents of the CD/DVD part of the device, malware is able to run as a CD would, giving it Autorun and access to the file system under the current user's account (Lemos, 2006; McGrew, 2006).
Further risk is posed by the development of products such as Switchblade and Hacksaw. The USB Switchblade application lets its user offer the drive to others; when it is plugged in, it silently collects local information such as passwords and account details from the host (Hak.5, 2006). USB Hacksaw, an extension of USB Switchblade, is designed to silently and automatically install itself on the victim's computer, harvest documents from USB storage devices and send them to a predefined email account (Hak.5, 2006). These two products have also been combined with several network-aware tools, which further extends the risk by giving them the ability to traverse not only portable storage devices but also the network to which the host system is connected. This has been illustrated by Spektormax's combination of Hacksaw, Switchblade, VNC and Nmap, which allows the infected system to scan for network clients and information and eventually compromise other systems on the network.
The aforementioned features present a forensic quandary in that the increased intelligence of these devices allows a system to be compromised even when a valid user is logged into the machine. For instance, in addition to an attacker using a USB device directly, a legitimate user may inadvertently assist in the crime simply by plugging in their own USB key. There are also other mechanisms that allow a system to be compromised without the user's knowledge, for example buffer overflow issues that are largely caused by incorrect or poor coding in device drivers. Garfinkel (2006) attributes this problem to the direct memory access granted over FireWire and USB connections. However, regardless of the source of these weaknesses, the result is that the ability to trace the source of a computer crime is increasingly diminished, and a computer crime that makes use of physical storage devices may now not even require the attacker's physical proximity to the targeted system.
While USB devices can be a risk in themselves, advances in data storage software allow USB devices to pose further threats. For instance, programs such as TrueCrypt (TrueCrypt, 2006) offer the ability to hide a second, encrypted volume inside the free space of an outer encrypted volume. This volume within a volume allows the individual to hand the forensic examiner the pass phrase for the outer volume while plausibly denying that any hidden volume exists (TrueCrypt, 2006).
Meat-Bag Security
Due to the large variety of readily available USB devices, it is reasonable to expect that both security and regular personnel might not instantly recognise the risks posed by some devices. Take, for example, personal music players. In an environment where such devices are allowed, many employees may be entering and exiting the building with large-capacity storage devices. However, physical security staff are unlikely to recognise a device with headphones as a threat to the organisation's security. Furthermore, the information stored on these devices can easily be hidden from a casual inspection, particularly if the inspector is inexperienced with the use and manipulation of such products. In such cases, the inspection may reveal nothing of interest on the device even though the data is there, deleted but not overwritten, awaiting an undelete program to restore it to its former glory.
In terms of physical security, size is also a factor. As mentioned above, the increasingly small size of USB storage devices has translated into portability and ease of concealment. Their small size has created a multitude of ways for storage devices to be covertly removed from an establishment, even if that establishment is manned by security personnel authorised to conduct bag searches. This issue could easily translate into an inability to trace the source of the attack.
Are the Principles of Computer Forensics Able to Address the USB Threat?
As the above investigation demonstrates, the principles of forensic science are hampered by USB devices. This is due in part to the fact that the information stored on the device is unknown before the device is seized. Furthermore, once the device has been removed from the system its contents can change, and no checksums exist from before and after the removal to show that they have not. This means that information could be placed in an encrypted partition on the device after the fact. Also, there are no transfer records on the computer system beyond information stating that the device was plugged in.
When these features combine with the security threats discussed above, one becomes aware of the new challenge that USB devices present to a forensic investigation. Currently, the tools used to prevent and investigate attacks are, in many respects, inadequate for effectively dealing with a violation that has utilised a USB storage device. As in most cases, prevention is better than cure, and many of the forensic implications can be pre-emptively dealt with by examining the cause of the threat.
The Failure of Operating Systems and the Impact on Forensic Systems
While it would be convenient to blame the USB storage device for the aforementioned problems, the heart of the issue lies with the security-related inadequacies of the operating systems that are presently available. By looking beyond the device itself, one can determine that the operating system acts as an enabler to the crimes that can be committed through the use of a USB storage device. The true forensic impact of the USB storage device is due to the lack of proper logging of what passes into and out of the port. In fact, the majority of operating systems do not offer any form of logging mechanism, nor are there appropriate system controls to monitor the throughput, either input or output, of the USB connection. For example, endpoint security in Microsoft Windows XP for USB and storage devices requires the use of third-party products in order to ensure the true data security of the ports.
Logging
While there are log files available in current-generation operating systems, when these logs are replayed they may appear incomplete (Farmer, 2001) and overlook some of the important events that occurred during a given session. Furthermore, the USB-related entries that do exist record only that a device of a given type was attached, not what was done with it. As such, there is no proof that the input device identified by the computer actually belongs to the computer's regular operator. These issues are compounded by the fact that there is also no indication as to what type of data has been accessed or copied (Lemos, 2006). The gravity of this threat is evident in the ability for a file to appear to be local on the machine before being stolen by a third party: barring trace amounts of data telling the investigator that the device had been plugged in, no record would exist that this event had occurred. In his article, Garza (2005) highlights the problems this can create for a system. Consider, for instance, the Autorun feature being combined with two ten-second attacks. This would enable the perpetrator to load tracking or key-logging software before stealing dozens of credit card records, leaving only a thin trace of evidence regarding the device, such as the device ID. Even though Windows does not run Autorun scripts from a USB removable drive, a U3 device bypasses this restriction through its unique ability to appear as two devices, one of them a CD-ROM.
In the majority of operating systems there is simply no logging taking place of information such as files copied, files used on the device or executables run from it. This lack of logging on USB storage devices can also make it harder to build a cohesive case against the accused. For example, the individual in question may have had, or been entitled to, access to the resource that contained the intellectual property. However, if an intelligent device, such as an enhanced U3 device running Hacksaw, was plugged into the computer, it could retrieve the Word documents or Excel files that contain the information without any record of the copy.
Remedies
While there are many suggested remedies, it seems that the only way of permanently shutting down a USB, serial or any other unsecured port is by using a physical method such as glue or Duco Cement (Lundquist, 2006). However, there are alternatives that can be pursued such as monitoring, logging, disabling supporting driver resources, the use of deterrent software, training security personnel to recognise the risks presented by portable devices and the creation and enforcement of policy. These options are outlined below.
1. Development of a meaningful security policy.
The development of a meaningful policy is perhaps the most important element in protecting the organisation and its associated infrastructure from a variety of malware including viruses, worms and other malicious executables. This policy should also allow relevant personnel the ability to request the inspection of storage devices that are present on the premises. If the level of information sensitivity deems it necessary, provisions could also be made for the registration of all storage devices entering and exiting the building. These policies in regard to USB devices need to be developed to ensure that at least within the enterprise the impact of the USB device is minimised if not entirely removed.
2. Reminding the customer of their rights and responsibilities
While the user has the right to their privacy, they also have the responsibility to the organisation to ensure that their practices abide to the policies and codes of conduct that are laid out by the organisation. This could include posters, internal newsletters or system warnings when a USB storage device is detected. This reminding of the customer should enforce the fact that there are risks associated with the use of external unapproved media. Explaining the risks in an illustrated, meaningful, non-technical manner can assist in this education campaign.
3. Enforcing the security policy - to the letter
The enforcement of security and device policies is not an easy sell; however, security enforcement is a necessity, particularly in the case of managing portable storage devices within an organisation. This process can be optimised by enuring that security staff are adequately trained to detect unauthorised storage devices, including the various forms of USB devices. Employees should also be required to undergo awareness training in order to familiarise them with the security processes that they will operate under as a member of the organisation. Employees who then breach the company security policy should then be dealt with according to a predefined action plan.
4. Use of deterrent software
In order to mitigate the threat posed by USB devices, an organisation should consider installing software that enables all information from a device to be a dumped in a specified location where it can later be subjected to post-incident analysis. Consideration should also be given to the implementation of key dumping software through which staff are able to access information from a USB device from their desktop once that information has been scanned and cleaned in a temporary holding area. Another alternative is using logging software such as devicewall (Devicewall, 2006) , which monitors device throughput, allowing certain devices and restricting the rights the user has to copy or move a file from one place to another. The key point for organisations to note with regards to computer forensics is that recording an incident is the first step toward the minimisation of the risk associated with prosecution.
5. Disabling ports for endpoint security
The Microsoft Windows solution allows corporations to disable the USB device drivers, removing rights to the drivers so that only administrators can access USB storage devices and change the registry so that no devices can be added to the system. However, with the right tools these changes could be overthrown. Unfortunately, glue or Duco cement appears to be the only failsafe means of eliminating the threats posed by USB storage devices.
CONCLUSION:
As the above discussion demonstrates, the enormous benefits that have accompanied the introduction of USB devices have been counterbalanced by the new threats these devices pose to information security. These threats stem from the oversight of security factors in favour of usability. This is because the features of usability and transportability are the mainstays of the USB device, and it is in these areas that constant improvement is sought by USB device manufacturers.
While the security implications posed by such devices are grave and may include practically untraceable thefts and attacks, what is perhaps of even more concern is that this threat is yet to be taken seriously. Oversights by USB device and operating system providers means that USB devices can readily be used for unlawful purposes, such an intellectual property theft and the proliferation of malware. Granted, it is not a new phenomena for removable storage devices to be utilised in computer crimes; however, USB devices represent an disquieting development that more readily enables criminals to minimise the audit trail of their crimes through the methods exemplified in this paper. The impact of this development is compounded by the ability to transport increasingly larger amounts of data on increasingly smaller, and therefore less detectable, devices.
This paper has examined the forensic implications presented by USB storage devices in order to illustrate that this threat has been neglected in the security design of the currently available operating systems. This investigation has demonstrated that current security measures lack the capacity to minimise the threat posed by USB devices and that, if appropriate security measures are not implemented, this threat will in turn lead to difficulties in investigating crimes that have used USB technology.
REFERENCES:
Buslink. (2006). 64GB USB 2.0 Bus Drive Pro 2 Series [Electronic Version]. Retrieved 14 October 2006 from http://www.buslinkbuy.com/products.asp?sku=BDP2%2D64G%2DU2.
Dahdah, H. (2006). How long will the iPod be the core of Apple’s business? [Electronic Version] from http://www.computerworld.com.au/index.php/id;1547444792;fp;2;fpid;3.
Devicewall. (2006). Endpoint Security: USB Security, Device Lockdown and USB Encryption - Prevent Data Theft with DeviceWall [Electronic Version] from http://www.devicewall.com/.
Farmer, D. a. V., W. (2001). Forensic Computer Analysis: An Introduction [Electronic Version] from http://www.ddj.com/184404242.
Garfinkel, S. (2006). Attack of the iPods! [Electronic Version]. Retrieved 14 October 2006 from http://www.csoonline.com/read/050106/ipods_pf.html.
Garza, V. R. (2005). Attack: USB could be the death of me [Electronic Version]. Retrieved 14 October 2006 from http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1112458,00.html.
Hak.5. (2006). USB Hacksaw [Electronic Version] from http://www.hak5.org/wiki/USB_Hacksaw.
Koon, J. (2005). The USB Vision: 10 Years Later [Electronic Version] from http://www.everythingusb.com/timeline.html.
Lemos, R. (2006). USB drives pose insider threat [Electronic Version]. The Register from http://www.theregister.co.uk/2006/06/27/usb_drives_security_threat/.
Lundquist. (2006). USB Security: A Sticky Situation [Electronic Version].
McGrew, W. (2006). Hacking U3 Smart USB Drives [Electronic Version] from http://cse.msstate.edu/~rwm8/hackingU3/.
TrueCrypt. (2006). TRUECRYPT - F R E E O P E N - S O U R C E O N - T H E - F L Y E N C R Y P T I O N [Electronic Version]. Retrieved 14 October 2006 from http://www.truecrypt.org/.
USB-IF. (2006). Certified Wireless USB from the USB-IF [Electronic Version] from http://www.usb.org/developers/wusb.
While the implementation of the USB standard across multiple computing platforms has given rise to new devices and allowed for the advancement in portable technology, including the development of devices for the easy transmission of data between computing platforms, seldom is the question asked in regard to the forensic integrity of these devices and the operating systems that they utilise as hosts.
Keywords
USB, Computer Forensics, U3, Malicious Code
Introduction
The Universal Serial Bus (USB) has been a great leap forward for computing worldwide. This plug standard, along with its device drivers, allows the connection and near-instant recognition of a variety of devices, including input devices such as keyboards and mice, output devices such as speakers, headsets and printers, and removable storage devices such as USB memory keys, external hard disk drives and external CD-ROM drives. The USB standard allows these connections to occur across many computing platforms and operating systems, such as Apple Mac OS, Microsoft Windows NT-based systems and the Linux platforms.
While the use of USB has been a giant leap forward for the computing world, it appears that both hardware implementations, such as Direct Memory Access (DMA), and software security factors, for example operating system implementations of Autorun, have been overlooked in favour of usability. This oversight has led to concerns that USB devices could be used for unlawful purposes, including intellectual property theft and the spread of malware. Although it is not a new phenomenon for removable computing devices to be utilised in computer crimes, as exemplified by USB's CD and floppy disk predecessors, USB devices represent an alarming development that will more readily enable criminals to minimise the audit trail of their crimes while also having the ability to transport increasingly large amounts of data.
This paper seeks to investigate the forensic implications of USB storage devices with a view to examining the inability of operating systems to manage the threat these devices pose. The security and forensic implications of USB devices, including the impact of technological advances, will also be investigated. The outcomes of these investigations will demonstrate that current security measures lack the capacity to minimise the threat posed by USB devices and that this will in turn lead to difficulties in investigating crimes that have utilised such devices.
Pervasiveness of the Universal Serial Bus
Since 1996 (Koon, 2005) the Universal Serial Bus platform has come from obscurity to become the unified platform for plugging external devices into computing equipment. The most interesting of these in terms of computer forensics is the USB storage device, due to its ability to store and shift large volumes of data while leaving only small amounts of trace on the host computer.
USB storage is everywhere, helping us move files from one place to another, holding and playing our songs on our digital music devices, storing our digital photos on our digital cameras and holding our appointments and emails on our Personal Digital Assistants. The USB interface allows devices to be recognised quickly, and the size and portability of these devices allow users to be upwardly mobile with their data.
The USB device has changed the corporate environment just as floppy drives and CD burners did before it. However, unlike the floppy disk and the CD, the USB storage device poses a far larger risk. Transferring large quantities of data on floppies was not feasible, and the deployment of CD burners within the enterprise is, for the larger part, not implemented due to cost. The implementation of USB connections on enterprise workstations is, for the greater part, commonplace.
The pervasiveness of the USB standard has meant that wired USB now accounts for more than two billion connections (USB-IF, 2006), covering all varieties of input/output devices. The USB standard is implemented in nearly every desktop and laptop computer across the globe, making this connection standard readily available to most users, both at home and in the corporate environment.
In the corporate environment the USB standard has allowed people to be upwardly mobile with information, giving the mobile workforce more access to the information on the move. The use of the USB storage device has enabled large quantities of data to be easily transmissible between system entities without the aid of network resources.
USB is great, so where is the threat?
While USB storage devices allow for the fast transmission of data between systems and devices, there are a number of threats that are presented by USB storage. These include:
· the ability to store and migrate large amounts of data,
· the portability of this data from one place to another,
· the variety of appearances of these storage devices,
· the ease of concealment, making the USB storage device harder to detect, and
· the difficulty of tracing the device post-incident during forensic examination.
The preceding list of threats illustrates that the ability to use USB devices to store and transport large amounts of data heightens the vulnerability of many corporations, leaving them more open to criminal attacks that may ultimately remain anonymous. Following is a more in-depth analysis of these threats and their forensic implications.
USB Storage Limits
USB storage devices allow for the storage of massive amounts of data and give the owner the freedom to easily transport such data. The storage capacity of these devices ranges from 8 megabytes to an amazing 64 gigabytes on a relatively small USB key (Buslink, 2006). For example, the Apple Corporation’s iPod is capable of storing 60 gigabytes of information, both music and data. To date, approximately 60 million iPod devices have been sold since their launch in 2001 (Dahdah, 2006), with Apple continuously developing and marketing this product as it forms a core component of its business. There are also external hard drive devices that can now exceed 4 terabytes. While these devices are not as compact as USB keys, they still have a high level of portability. The ability to covertly use these devices to rapidly siphon or deposit large amounts of data onto a system poses the greatest security and forensic threat to computing systems that have not been secured against this possibility.
Concept of Storage: USB Devices are Becoming Smaller and Harder to Detect
The large variety of devices readily available on the market has led to the proliferation of confusion and misinformation regarding the definition of a storage device and the real and potential threat these devices could pose to the information security of an organisation. The lack of a comprehensive list of what constitutes a storage device has led to many oversights in terms of devices that could potentially be used for storing and transporting data. For instance, Anderson (n.d.) has outlined a variety of devices that could be overlooked when collecting evidence, including watches, pens and novelty devices that may in fact have USB storage capabilities. It is reasonable to expect that beige boxes with “storage” or “hard drive” written in bold letters down the side would be noticed, but some USB devices, such as the iPod or other music players, are not thought of as data transfer devices. They should never in the first instance be discounted as mere music players.
Furthermore, although some devices are quite obviously storage devices, their increasingly small size translates into portability and ease of concealment. For instance, the USB pen drive or memory stick was created with portability in mind and, as such, was designed to be as small as possible. This minimal size allows the device to be transported and concealed with ease while not compromising on storage capacity. Fictional works have also captured the fact that USB devices can easily be smuggled into and out of workplace environments. For example, the Hollywood movie The Recruit shows classified data being smuggled from an American intelligence agency through the use of a USB memory stick small enough to be hidden in the base of a traveller’s coffee mug.
Moreover, the general rule is that the smaller a device is, the easier it is to destroy. This is particularly relevant to USB storage devices. Once the attack has been carried out and the data has been uploaded or downloaded, the USB device can easily be destroyed, thus removing a vital piece of forensic evidence. Both the size of the device and of its container allow the device to be destroyed with little waste to dispose of.
USB Storage is Becoming More Intelligent
While operating systems have always been able to permit USB devices to function with some level of intelligence, there have been advances in these devices that enable them to provide their own smarts. The use of such technology as the Autorun feature and the newer U3 standard provides this cleverness by allowing the system to identify the device as something that could be trusted, such as a compact disc or a local hard disk drive. Additionally, the U3 standard has provided users with greater systems portability by enabling USB devices to store and run self-contained programs. This allows the user to operate programs, such as personalised web browsing software, and also provides the user with a consistent environment across different computers.
Despite the positive features of these developments, many individuals are of the opinion (Garfinkel, 2006) that the Microsoft Windows Autorun feature is surplus to the requirements of any user and is a bad idea in any situation. These opinions have arisen in spite of the fact that the Autorun feature must be enabled by the user before it can become functional. The potential for this type of technology to be exploited for malicious purposes has been identified by many security professionals (Hak.5, 2006). One of the major risks posed by the U3 standard is the ability it provides to operate a device as one or multiple devices: a storage area and a virtual CD-ROM device. This duality enables the device to immediately run as a CD-ROM and negate the user interaction otherwise required for Autorun to occur. Furthermore, by hacking the CD/DVD part of this device, malware is able to run as it would from a CD, giving it the same rights to run features such as Autorun and giving it access to the file system under the current user’s account (Lemos, 2006; McGrew, 2006).
Further risk is posed by the development of products such as Switchblade and Hacksaw. The USB Switchblade application enables its user to offer the drive to others while it downloads local information, such as passwords and account details, from the host system (Hak.5, 2006). USB Hacksaw, an extension of USB Switchblade, is designed to silently and automatically copy data from the victim’s computer onto a USB storage device. This data is then sent to a predefined email account (Hak.5, 2006). The two preceding products have also been combined with several network-aware products, which further extends the risk of these programs by giving them the ability to traverse not only portable storage devices but also the network to which the host system is connected. This has been illustrated by Spektormax’s combination of the tools Hacksaw, Switchblade, VNC and Nmap, which allows the infected system to scan for network clients and information and eventually compromise other systems on the network.
The aforementioned features present a forensic quandary in that the increased intelligence of these devices allows for a system to be compromised even when a valid user is connected or logged into the machine. For instance, in addition to the attacker utilising a USB device, a legitimate user may inadvertently assist in the crime simply by plugging in their own USB key. There are also other mechanisms that allow a system to be compromised without the user’s knowledge, for example, buffer overflow issues that are largely caused by incorrect or poor coding on device drivers. Garfinkel (2006) attributes this problem to the DMA connections that are allowed on FireWire and USB connections. However, regardless of the source of these weaknesses, the result is that the ability to trace the source of a computer crime is becoming increasingly diminished and the computer crime that makes use of physical storage devices may now not require physical proximity to the targeted system.
While USB devices can be a risk themselves, advances in data storage have allowed USB devices to pose further threats. For instance, programs such as TrueCrypt (TrueCrypt, 2006) offer the ability to hide a secure file system area within another encrypted file, thus enabling the true protection of data to occur. This file within a file also allows the individual to give the forensic examiner the pass phrase with plausible deniability that any other internal file system exists (TrueCrypt, 2006).
Meat-Bag Security
Due to the large variety of readily available USB devices, it is reasonable to expect that both security and regular personnel might not instantly recognise the risks posed by some devices. Take, for example, personal music players. In an environment where such devices are allowed, many employees may be entering and exiting the building with large-capacity storage devices. However, physical security staff are unlikely to recognise a device with headphones as a threat to the organisation’s security. Furthermore, the information stored on these devices can easily be hidden from a casual inspection, particularly if the inspector is inexperienced with the use and manipulation of such products. In such cases, the inspection may reveal nothing of interest on the device even though the data is there, awaiting the use of an undelete program to restore it.
In terms of physical security, size is also a factor. As mentioned above, the increasingly small size of USB storage devices has translated into portability and ease of concealment. Their small size has created a multitude of ways for storage devices to be covertly removed from an establishment, even if that establishment is manned by security personnel authorised to conduct bag searches. This issue could easily translate into an inability to trace the source of the attack.
Are the Principles of Computer Forensics Able to Address the USB Threat?
As the above investigation demonstrates, the principles of forensic science are hampered by USB devices. This is due in part to the fact that the information stored on the device is unknown prior to the device being removed. Furthermore, once the device has been removed its contents can change, and no checksums are taken before and after the device is removed. This means that information could be placed in an encrypted partition on the device. Also, there are no transfer records on the computer system except for information stating that the device was plugged in.
When these features combine with the security threats discussed above, one becomes aware of the new challenge that USB devices present to a forensic investigation. Currently, the tools used to prevent and investigate attacks are, in many respects, inadequate for effectively dealing with a violation that has utilised a USB storage device. As in most cases, prevention is better than cure, and many of the forensic implications can be pre-emptively dealt with by examining the cause of the threat.
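The checksum gap described above is the one forensic step that is cheap to close. As an added illustration (example code written for this page, not part of the original paper), the following Python computes block-level SHA-256 hashes of a device image at the time of seizure and again at examination, so that any change to the device contents in between is both detected and localised to the affected blocks rather than merely reported as "hash mismatch". The image, the block size and the simulated post-seizure write are all constructed sample data.

```python
import hashlib
from typing import Dict, List

BLOCK_SIZE = 512  # hash granularity in bytes; one "sector" per block (constructed choice)


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """SHA-256 of every fixed-size block of a device image, in order."""
    return [hashlib.sha256(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def image_hash(image: bytes) -> str:
    """Whole-image SHA-256, the single value written on a chain-of-custody form."""
    return hashlib.sha256(image).hexdigest()


def compare_block_hashes(before: List[str], after: List[str]) -> Dict[str, object]:
    """Report whether two block-hash lists agree and, if not, which blocks differ."""
    common = min(len(before), len(after))
    changed = [i for i in range(common) if before[i] != after[i]]
    size_changed = len(before) != len(after)
    return {
        "identical": not changed and not size_changed,
        "changed_blocks": changed,
        "size_changed": size_changed,
    }


def make_sample_image() -> bytes:
    """Constructed 4 KiB 'device image': zeros with a text fragment in block 3."""
    img = bytearray(8 * BLOCK_SIZE)
    marker = b"CONSTRUCTED SAMPLE: confidential forecast"
    img[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(marker)] = marker
    return bytes(img)


def demo() -> Dict[str, object]:
    """Hash at seizure, alter block 5 afterwards, and re-hash at examination."""
    seized = make_sample_image()
    baseline = block_hashes(seized)
    later = bytearray(seized)
    later[5 * BLOCK_SIZE:5 * BLOCK_SIZE + 7] = b"altered"  # simulated post-seizure write
    return compare_block_hashes(baseline, block_hashes(bytes(later)))


if __name__ == "__main__":
    print(demo())  # {'identical': False, 'changed_blocks': [5], 'size_changed': False}
```

In practice the baseline hashes are taken from an image acquired through a write blocker, and the per-block list is stored with the case record; the whole-image digest alone only tells the examiner that something changed, whereas the block list shows where, which matters when the defence argues the device was altered in custody.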
The Failure of Operating Systems and the Impact on Forensic Systems
While it would be convenient to blame the USB storage device for the aforementioned problems, the heart of the issue lies with the security-related inadequacies of the operating systems that are presently available. By looking beyond the device itself, one can determine that the operating system acts as an enabler to the crimes that can be committed through the use of a USB storage device. The true forensic impact of the USB storage device is due to the lack of proper logging of traffic into and out of the port. In fact, the majority of operating systems do not offer any form of logging mechanism, nor are there appropriate system controls to monitor the throughput – either input or output – of the USB connection. For example, the endpoint security in Microsoft Windows XP for USB and storage devices requires the use of third party products in order to ensure the true data security of the ports.
Logging
While there are log files available in current-generation operating systems, when these logs are replayed they may sometimes appear incomplete (Farmer, 2001) and overlook some of the important events that occurred during a given session. Furthermore, USB logs do not yet even show that this is a problem. As such, there is no proof that the input device identified by the computer actually belongs to the computer’s regular operator. These issues are compounded by the fact that there is also no indication as to what type of data has been accessed or copied (Lemos, 2006). The gravity of this threat is evidenced by the ability for a file to appear to be local on the machine before being stolen by a third party. Barring trace amounts of data telling the investigator that the device had been plugged in, no records would exist that this event had occurred. In his article, Garza (2005) highlights the problems this can create for a system. Consider, for instance, the possibility of the Autorun feature being combined with two ten-second attacks. This would enable the perpetrator to load tracking or key-logging software before stealing dozens of credit card records, leaving only a thin trace of evidence regarding the device, such as the device ID. Even though Microsoft prohibits the use of Autorun scripts in combination with an active USB device, the use of a U3 device can bypass this security due to its unique ability to appear as two devices.
In the majority of operating systems there is simply no logging taking place pertaining to information such as files copied, files used on the device or executables utilised. This lack of logging on USB storage devices can also make it harder to build a cohesive case against the accused. For example, the individual in question may have had, or been entitled to, access to the resource that contained the intellectual property. However, if an intelligent device, such as an enhanced U3 device like Hacksaw, were plugged into the computer, it could retrieve the Word documents or Excel files that contain the information.
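To make the logging gap concrete, here is an added Python example (written for this page; it is not the paper's own code or any vendor's tool) that rebuilds one session per physical insertion from kernel USB messages and checks each session against a register of approved device serials, the kind of device registration a security policy can require. The log lines, hostname, times, vendor and product identifiers and serial numbers are constructed, modelled on the format of Linux kernel messages as they appear in syslog. Because the disk and CD-ROM attachment lines carry no USB port identifier, the script attributes them to the most recently connected session that is still open, which is a simplification. What the output shows is exactly the paper's point: the host log can establish which device was present, on which port and for how long, and it can flag a device that presents both a disk and a CD-ROM (the two-persona behaviour of U3 drives), but it cannot say which files, if any, moved.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log, modelled on Linux kernel USB messages in syslog.
# Hostname, timestamps, vendor/product ids and serial numbers are invented.
SAMPLE_LOG = """\
Jun 21 09:12:03 ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5406
Jun 21 09:12:03 ws17 kernel: usb 1-2: SerialNumber: 2004123456789
Jun 21 09:12:04 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 21 09:12:05 ws17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jun 21 09:12:05 ws17 kernel: sr 6:0:0:1: Attached scsi CD-ROM sr1
Jun 21 09:20:41 ws17 kernel: usb 1-2: USB disconnect, device number 4
Jun 21 10:02:17 ws17 kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1607
Jun 21 10:02:17 ws17 kernel: usb 1-3: SerialNumber: CORP-REG-0042
Jun 21 10:02:18 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jun 21 10:02:19 ws17 kernel: sd 7:0:0:0: [sdc] Attached SCSI removable disk
Jun 21 10:15:03 ws17 kernel: usb 1-3: USB disconnect, device number 5
"""

# Constructed register of approved device serials (policy-driven device registration).
APPROVED_SERIALS: Set[str] = {"CORP-REG-0042"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
FOUND_RE = re.compile(r"^usb (?P<port>\S+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
SERIAL_RE = re.compile(r"^usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[^:]+):\d+\.\d+: USB Mass Storage device detected")
DISK_RE = re.compile(r"^sd \S+: \[\w+\] Attached SCSI removable disk")
CDROM_RE = re.compile(r"^sr \S+: Attached scsi CD-ROM \w+")
DISCONNECT_RE = re.compile(r"^usb (?P<port>\S+): USB disconnect")


@dataclass
class UsbSession:
    """One physical insertion and everything the kernel log can tie to it."""
    port: str
    connected: str
    vendor: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False
    disk: bool = False
    cdrom: bool = False
    disconnected: str = ""


def parse_sessions(log: str) -> List[UsbSession]:
    """Group kernel USB messages into one session per insertion, keyed by port."""
    sessions: List[UsbSession] = []
    open_by_port: Dict[str, UsbSession] = {}
    # sd/sr lines carry no USB port: attribute them to the newest open session (simplification).
    last_open: Optional[UsbSession] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (f := FOUND_RE.match(msg)):
            s = UsbSession(port=f.group("port"), connected=ts,
                           vendor=f.group("vid").lower(), product=f.group("pid").lower())
            sessions.append(s)
            open_by_port[s.port] = s
            last_open = s
        elif (r := SERIAL_RE.match(msg)) and r.group("port") in open_by_port:
            open_by_port[r.group("port")].serial = r.group("serial")
        elif (st := STORAGE_RE.match(msg)) and st.group("port") in open_by_port:
            open_by_port[st.group("port")].mass_storage = True
        elif DISK_RE.match(msg) and last_open is not None:
            last_open.disk = True
        elif CDROM_RE.match(msg) and last_open is not None:
            last_open.cdrom = True
        elif (d := DISCONNECT_RE.match(msg)) and d.group("port") in open_by_port:
            s = open_by_port.pop(d.group("port"))
            s.disconnected = ts
            if last_open is s:
                last_open = None
    return sessions


def assess(sessions: List[UsbSession], approved: Set[str]) -> List[dict]:
    """Turn each mass-storage session into a finding that the host log can support."""
    findings = []
    for s in sessions:
        if not s.mass_storage:
            continue
        issues = []
        if s.serial not in approved:
            issues.append("unregistered-device")
        if s.disk and s.cdrom:  # a drive that also presents a CD-ROM: the U3-style two-persona case
            issues.append("dual-persona-disk-and-cdrom")
        findings.append({"port": s.port, "serial": s.serial, "vendor": s.vendor,
                         "product": s.product, "window": (s.connected, s.disconnected),
                         "issues": issues,
                         # The log records presence, not content: nothing says which files moved.
                         "files_transferred": None})
    return findings


if __name__ == "__main__":
    for finding in assess(parse_sessions(SAMPLE_LOG), APPROVED_SERIALS):
        print(finding)
```

Run against the constructed log, the first session is reported as an unregistered device that attached both a removable disk and a CD-ROM, while the second is an approved serial with a plain disk; in both cases `files_transferred` stays unknown, which is why the deterrent and logging software discussed under the remedies has to sit at the file-system layer rather than rely on the kernel's device messages.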
Remedies
While there are many suggested remedies, it seems that the only way of permanently shutting down a USB, serial or any other unsecured port is by using a physical method such as glue or Duco Cement (Lundquist, 2006). However, there are alternatives that can be pursued, such as monitoring, logging, disabling supporting driver resources, the use of deterrent software, training security personnel to recognise the risks presented by portable devices and the creation and enforcement of policy. These options are outlined below.
1. Development of a meaningful security policy.
The development of a meaningful policy is perhaps the most important element in protecting the organisation and its associated infrastructure from a variety of malware including viruses, worms and other malicious executables. This policy should also allow relevant personnel the ability to request the inspection of storage devices that are present on the premises. If the level of information sensitivity deems it necessary, provisions could also be made for the registration of all storage devices entering and exiting the building. These policies in regard to USB devices need to be developed to ensure that at least within the enterprise the impact of the USB device is minimised if not entirely removed.
2. Reminding the customer of their rights and responsibilities
While the user has the right to their privacy, they also have the responsibility to the organisation to ensure that their practices abide by the policies and codes of conduct that are laid out by the organisation. Reminders could include posters, internal newsletters or system warnings when a USB storage device is detected. This reminding of the customer should reinforce the fact that there are risks associated with the use of external unapproved media. Explaining the risks in an illustrated, meaningful, non-technical manner can assist in this education campaign.
3. Enforcing the security policy - to the letter
The enforcement of security and device policies is not an easy sell; however, security enforcement is a necessity, particularly in the case of managing portable storage devices within an organisation. This process can be optimised by ensuring that security staff are adequately trained to detect unauthorised storage devices, including the various forms of USB devices. Employees should also be required to undergo awareness training in order to familiarise them with the security processes that they will operate under as a member of the organisation. Employees who then breach the company security policy should be dealt with according to a predefined action plan.
4. Use of deterrent software
In order to mitigate the threat posed by USB devices, an organisation should consider installing software that enables all information from a device to be dumped in a specified location where it can later be subjected to post-incident analysis. Consideration should also be given to the implementation of key dumping software through which staff are able to access information from a USB device from their desktop once that information has been scanned and cleaned in a temporary holding area. Another alternative is using logging software such as DeviceWall (Devicewall, 2006), which monitors device throughput, allowing certain devices and restricting the rights the user has to copy or move a file from one place to another. The key point for organisations to note with regards to computer forensics is that recording an incident is the first step toward minimising the risk associated with prosecution.
5. Disabling ports for endpoint security
The Microsoft Windows solution allows corporations to disable the USB device drivers, removing rights to the drivers so that only administrators can access USB storage devices, and to change the registry so that no new devices can be added to the system. However, with the right tools these changes could be reversed. Unfortunately, glue or Duco Cement appears to be the only failsafe means of eliminating the threats posed by USB storage devices.
CONCLUSION:
As the above discussion demonstrates, the enormous benefits that have accompanied the introduction of USB devices have been counterbalanced by the new threats these devices pose to information security. These threats stem from the oversight of security factors in favour of usability. This is because the features of usability and transportability are the mainstays of the USB device, and it is in these areas that constant improvement is sought by USB device manufacturers.
While the security implications posed by such devices are grave and may include practically untraceable thefts and attacks, what is perhaps of even more concern is that this threat is yet to be taken seriously. Oversights by USB device and operating system providers mean that USB devices can readily be used for unlawful purposes, such as intellectual property theft and the proliferation of malware. Granted, it is not a new phenomenon for removable storage devices to be utilised in computer crimes; however, USB devices represent a disquieting development that more readily enables criminals to minimise the audit trail of their crimes through the methods exemplified in this paper. The impact of this development is compounded by the ability to transport increasingly larger amounts of data on increasingly smaller, and therefore less detectable, devices.
This paper has examined the forensic implications presented by USB storage devices in order to illustrate that this threat has been neglected in the security design of the currently available operating systems. This investigation has demonstrated that current security measures lack the capacity to minimise the threat posed by USB devices and that, if appropriate security measures are not implemented, this threat will in turn lead to difficulties in investigating crimes that have used USB technology.
REFERENCES:
Buslink. (2006). 64GB USB 2.0 Bus Drive Pro 2 Series [Electronic Version]. Retrieved 14 October 2006 from http://www.buslinkbuy.com/products.asp?sku=BDP2%2D64G%2DU2.
Dahdah, H. (2006). How long will the iPod be the core of Apple’s business? [Electronic Version] from http://www.computerworld.com.au/index.php/id;1547444792;fp;2;fpid;3.
Devicewall. (2006). Endpoint Security: USB Security, Device Lockdown and USB Encryption - Prevent Data Theft with DeviceWall [Electronic Version] from http://www.devicewall.com/.
Farmer, D. & Venema, W. (2001). Forensic Computer Analysis: An Introduction [Electronic Version] from http://www.ddj.com/184404242.
Garfinkel, S. (2006). Attack of the iPods! [Electronic Version]. Retrieved 14 October 2006 from http://www.csoonline.com/read/050106/ipods_pf.html.
Garza, V. R. (2005). Attack: USB could be the death of me [Electronic Version]. Retrieved 14 October 2006 from http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1112458,00.html.
Hak.5. (2006). USB Hacksaw [Electronic Version] from http://www.hak5.org/wiki/USB_Hacksaw.
Koon, J. (2005). The USB Vision: 10 Years Later [Electronic Version] from http://www.everythingusb.com/timeline.html.
Lemos, R. (2006). USB drives pose insider threat [Electronic Version]. The Register from http://www.theregister.co.uk/2006/06/27/usb_drives_security_threat/.
Lundquist. (2006). USB Security: A Sticky Situation [Electronic Version].
McGrew, W. (2006). Hacking U3 Smart USB Drives [Electronic Version] from http://cse.msstate.edu/~rwm8/hackingU3/.
TrueCrypt. (2006). TRUECRYPT - F R E E O P E N - S O U R C E O N - T H E - F L Y E N C R Y P T I O N [Electronic Version]. Retrieved 14 October 2006 from http://www.truecrypt.org/.
USB-IF. (2006). Certified Wireless USB from the USB-IF [Electronic Version] from http://www.usb.org/developers/wusb.
Further on USB security (2006)
It’s fantastic getting some feedback, thanks for your comments youknowyouwantit!!! You raise some interesting questions, such as this one - “…wondering if the root cause of the problem of podslurping etc is a symptom of failure on the part of corporate IT departments?”. It is quite possible that it is indeed a failure of the IT department; however, the realisation that there is a security issue is the beginning of rectification for the issue. For many organisations information is their primary resource and should be protected at all costs.
I do know what you mean by the term “embuggerance” - it is true across different organisations that many security implementations are simply a knee-jerk reaction to an incident. Some of these implementations, such as two factor authentication, are now regarded as too little too late.
In his article Two-Factor Authentication: Too Little, Too Late Bruce Schneier states that “… Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.” This is due to the nature of the attacks, which bypass the authentication and piggyback on the existing transaction that is occurring.
The rate of phishing attacks is now up 80% in the first half of 2006, and trojan infection and bot nets - with over 50,000+ entities - are becoming commonplace. But I digress: the issue for this discussion is USB security.
What should be addressed is the requirement of the organisation to have portable data, and how the information is improved by being portable. For many organisations the requirement should truly be analysed: does our fictional accountant in a large corporation need to take the corporate information home to conduct analysis on the payroll? Or even be able to transfer the information to another computer? The ability to transfer information within the enterprise should be enabled by corporate networks and the network shares/storage available, not by a USB key.
Let’s look further at this example of our fictional accountant. Why would he need to move data about? He probably has one terminal that he uses on a daily basis and the corporation has provided him with the use of a shared storage area, or perhaps utilises a document management system of some description, that he can allow or deny the use of the report or spreadsheet figures to certain individuals. For all these situations the corporation has got him/her covered for all of their IT requirements.
I hear a little voice in the back of my head saying “What about if he has a standalone? He may need to move files from his terminal to the other machine”, my question back would be, “If he is an accountant, why the hell does he have a standalone to begin with? Where is the business case?”. All of his transactions within the enterprise should be on the main server or terminal where it can be monitored or analysed post-incident.
Having an optimised IT infrastructure would remove the requirement for the customer to possess portable devices within the corporation.
To be continued… But for now though over to you…
Open Source Information Examples - Fun for the whole family (2006)
In the last post I said that information could be retrieved by using google and other tools to retrieve information about a company. Following are some of the examples of the search terms that could be used in a data finding exercise:
- Directory browsing on webserver
- Identifying unpatched security flaws
- Password lists and information for the administration of servers
- Names of the administrators of the network
- Delegated owners of accounts
- Whois or Finger information
Open Source Information - What information can be gathered about your business? (2006)
How many times have you gone on the internet and searched for your name, or a partners name, or even an old friend or ex-girlfriend? While the internet may not appear to have the answers the information sometimes can still be there.
Of the one billion people (approximately 1,086,250,903 people, http://www.internetworldstats.com/stats.htm) that use the internet, it would be safe to assume that the vast majority of those who utilise the internet for personal use would have some data about them stored or accessible to individuals out on the internet.
People using Myspace have many details on the web, including their birthdays, height and even their sexual preferences. But what about information about the business?
Consider Johnny Long and his web site http://johnny.ihackstuff.com/: this site is a prime illustration of the mechanisms that can be employed to gain information through google about the poor implementation of restrictive
* Directory browsing on webserver
* Identifying unpatched security flaws
* Password lists and information for the administration of servers
* Metadata in PDF documents and Office Documents such as Excel and Word.
* Selling second hand equipment such as hard drives
* newspaper ads for jobs
* Names of the administrators of the network
* Delegated owners of accounts
* Whois or Finger information
* Or even the unsecured web cam that watches your server room or a whole bunch of other cameras
This information could be used to either do the initial penetration testing for the organisation, or could be used to develop an information base to begin social engineering on the business.
What are your experiences?
USB Security - The Mobile Workforce (2006)
USB Security is a corporate problem that cannot be solved by one solution, as commented by Grey Roo; however, the underlying theme is that to ensure technology is not abused, people - both in IT and in the other elements of the work force - need to be able to identify and agree that there is a risk that needs to be mitigated. The real risk does not come from the implementation of devices such as mice and wacom drawing tablets, but from devices with storage that usually flow freely around the organisation, such as digital cameras, USB keys and mobile hard drives.
Now back to the real title of this article - USB Security - The Mobile Workforce.
While many businesses are expanding, there is a requirement for the business to be upwardly mobile in order to take advantage of opportunities that are presented. This requirement must be met through the use of portable IT equipment, including mobile phones, laptops and, possibly, USB devices.
But how do you secure mobile data and devices? While there is no foolproof way to prevent device and data theft there are, however, products and policies that can minimise and attempt to mitigate the issue. The elements that should be controlled are:
1. Data
2. Device
3. Connections - both the end points and the medium
Or as one of my esteemed colleagues says, we should protect the whole sausage factory, the inputs, the processing and the outputs, not to mention the remnants of the process, i.e. the stored data.
Protecting mobile data can be achieved by implementing a number of solutions. These could include such things as:
* a mini DRM
* encrypting the storage medium
* disallowing the endpoints such as USB and firewire connection; or
* utilising a thin client system.
I have spoken previously about the software devicewall, truly awesome stuff, but at the moment I have not seen any mini DRM systems… yet… however other mechanisms should be investigated in regard to protecting data, such as encrypting the storage medium or utilising thin client technology.
Some thin client technology caught my eye the other day while “surfing”. The box is from a company called neoware, and it seems to be shaping up ok.
As with all products, open source or proprietary, ensure that they are tested in appropriate environments with appropriate data.
But how the hell does this relate to USB security in the mobile workforce? The data that is on the external devices should be protected at all costs, and in regard to USB devices and the information contained therein, in my humble opinion, it should not be able to be accessed, or transferred onto a device which connects with or transfers data with a trusted corporate network. Should a presentation need to be done, I can think of nothing more simple than the plugging in of a laptop and a VGA cable. Surely a CEO or CIO can identify which is the 15 pin connection on their laptop and which way it is plugged in?
Anyhow over to you…
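One practical way to cover the "Connections" element listed above, and to preserve the audit trail that the paper's conclusion warns USB devices let criminals minimise, is to reconstruct mass-storage attach and detach events from the Linux kernel log and check each device's serial against an allow-list. The Python below is an added example, not code from the original posts or from DeviceWall; the log lines are constructed to resemble kernel messages, and the allow-list and record field names are assumptions for illustration.

```python
"""Audit USB mass-storage attach/detach events from Linux kernel log lines.

Added example; the sample log below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of kernel messages in syslog form (one storage key, one mouse receiver).
SAMPLE_LOG = """\
Jun 21 09:02:11 host kernel: usb 1-2: new high-speed USB device number 5 using ehci_hcd
Jun 21 09:02:11 host kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Jun 21 09:02:11 host kernel: usb 1-2: Product: Cruzer Blade
Jun 21 09:02:11 host kernel: usb 1-2: Manufacturer: SanDisk
Jun 21 09:02:11 host kernel: usb 1-2: SerialNumber: 4C530001234567890123
Jun 21 09:02:12 host kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 21 09:05:40 host kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b
Jun 21 09:05:40 host kernel: usb 1-3: Product: USB Receiver
Jun 21 09:05:40 host kernel: usb 1-3: Manufacturer: Logitech
Jun 21 09:07:03 host kernel: usb 1-2: USB disconnect, device number 5
"""

# Assumed allow-list of approved device serials (constructed value).
ALLOWED_SERIALS = {"4C530001234567890123"}

TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
RE_NEW = re.compile(TS + r"usb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_ATTR = re.compile(TS + r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
RE_STORAGE = re.compile(TS + r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
RE_DISCONNECT = re.compile(TS + r"usb (?P<port>[\d.-]+): USB disconnect")
ATTR_FIELDS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


@dataclass
class UsbDevice:
    port: str
    attached_at: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""          # may be empty: many cheap keys report no serial at all
    mass_storage: bool = False
    detached_at: Optional[str] = None


def parse_kernel_log(text: str) -> List[UsbDevice]:
    """Group per-port kernel messages into one record per plugged-in device."""
    devices: List[UsbDevice] = []
    live: Dict[str, UsbDevice] = {}  # port -> device currently attached there
    for line in text.splitlines():
        if m := RE_NEW.match(line):
            dev = UsbDevice(m["port"], m["ts"], m["vid"], m["pid"])
            devices.append(dev)
            live[m["port"]] = dev
        elif (m := RE_ATTR.match(line)) and m["port"] in live:
            setattr(live[m["port"]], ATTR_FIELDS[m["key"]], m["val"].strip())
        elif (m := RE_STORAGE.match(line)) and m["port"] in live:
            live[m["port"]].mass_storage = True
        elif (m := RE_DISCONNECT.match(line)) and m["port"] in live:
            live.pop(m["port"]).detached_at = m["ts"]
    return devices


def audit_mass_storage(devices: List[UsbDevice], allowed_serials) -> List[dict]:
    """One audit record per storage device; anything without an allow-listed serial is flagged."""
    records = []
    for d in devices:
        if not d.mass_storage:
            continue  # mice, receivers and the like are not the risk this post is about
        records.append({
            "port": d.port, "attached": d.attached_at, "detached": d.detached_at,
            "id": f"{d.vid}:{d.pid}", "vendor": d.manufacturer, "product": d.product,
            "serial": d.serial or "(none)",
            # A missing serial cannot be matched, so it is never treated as approved.
            "allowed": bool(d.serial) and d.serial in allowed_serials,
        })
    return records


if __name__ == "__main__":
    for rec in audit_mass_storage(parse_kernel_log(SAMPLE_LOG), ALLOWED_SERIALS):
        print(rec)
```

On a live system the same parser can be fed `dmesg` or the kernel facility of syslog; the records give the attach and detach times a post-incident investigation needs, and the "allowed" flag is the hook for alerting on unapproved storage.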
Worms in the Mist: A year in review (2006)
It has been a big year: changes in hardware now allow vendors to compete on an even platform, where only features separate the OS market; products with a preceding “i” have been the focus of many presentations; and I bought myself a Sandisk Sansa media player. Yes, in summary it was a huge year.
Unfortunately it has also been a big year for the Bot threat. Since the writing of the paper Worms in the Mist, these threats have proceeded to become one of the most prevalent threats on the internet, where counting entities that are not infected is far easier than counting those which have been subsumed by the “Bot-herders”.
In my paper “Worms in the Mist” I discussed trends that should occur over the next few years; while this was primarily focused on self-propagating instances, it also suggested that other forms of malicious code would take the same route.
Trend: Personal Challenge to Personal Gain
As we have seen from media reports [1] [2] [3] there is a significant change in the wind pertaining to the use of malicious technology, the use of which has gone from somewhat of a prank to a serious issue.
Trend: Increased Accessibility, Decreased Costs
Access to the Internet for the global population means that the distance between each of us can now be measured in seconds, rather than hours or days. While this may benefit us in an effort to communicate and consolidate information, it also ensures that we are only seconds away (I was going to say spitting distance, but how does one spit online?) from some of the world’s worst con-men and con-women across the globe.
Trend: Anarchic Disruption to Targeted Crime; Trend: Machine Gun to Sniper Fire; Trend: Impersonal to Personal
The jacking and dumping of stocks [4] is excellent proof of this change, where spam is used to change the outcomes of markets and enable the spammer to make a profit. Bot nets are now being used for organised crime, ID theft, leaching of bank accounts and blackmail more so now than a year ago; this is evidenced by the recruitment and investment by organised crime.
Trend: Single Exploit to Multiple Exploits
While this change has not been as prevalent, I believe that it is merely a matter of time before we see a well written, multiple exploit, self updating vehicle.
It is now that I am seeing quality become a hot issue for “Bot-herders”: the implementation of good code that is able to be hidden well against Antivirus and has “flexible features”, where losing part of the botnet is an issue not only of optimisation but of wasted investment dollars and time.
What will this year hold? I am going to finish up with a quote that understands the value of change:
“We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction.” - Bill Gates
Ubuntu Ultimate Edition 1.7 on Compaq F500
I had some issues using Ubuntu Ultimate Edition on my Compaq F500. These included it crashing out (and freezing) and the screen not working. These issues were overcome with the use of the following boot options:
• acpi=off
• vga=792
Once I added those to the end of the grub boot options the system ran fantastically. I had some conflicting information initially, suggesting the boot option should read noacpi; however, this has been changed to a standard on and off switch.
I hope this helps some of you out there.
Images from Malware

Making pictures out of malware is not a new thing, but the way Alex Dragulescu has done it has given a faceless object shape, colour and identity. This was a series of prints commissioned by Messagelabs.
Check out the artist’s site at: http://www.sq.ro/malwarez.php
Moving across to Blogger?
Due to reliability issues on my previous Hosting provider I will be moving my content across to Blogger. :) Yay...