We all "Love" USB drives - SANS Internet Storm Center

We all "Love" USB drives
Loss of confidential information because of a USB stick is nothing new, but this one is quite amusing. A NZ guy buys a second hand MP3 player in the US. When he plugs it in there are files on the device with details of US Military personnel (article). Turns out the previous owner's house was broken into and the player was taken. That still doesn't explain why she had an MP3 player with work files on them, or does it? Well it actually makes sense. I suspect her day went along these lines (and this is purely hypothetical). "Can I please have a USB drive to put some files on so I can work on them at home?". The answer was likely a resounding "No". After all, we know that certain information should not leave the organisation and USB drives are evil. She remembers her 10 year old nephew showing her how to place files on an MP3 player, which she has been allowed to plug into her PC so it can charge (music is good for morale in the office). So after sitting down at the desk, those files marked Confidential, Sensitive, Personal, etc are easily copied across in a flash. Of course she probably could have just emailed them to her hotmail/yahoo/gmail/webmail account. Actually just had a thought, maybe she used the MP3 player because the US Military banned USB drives back in November. Although it was a ban on all removable media. There are numerous other examples, one of my other favourites for January is the article on 9000 USB drives left in dirty washing and picked up by dry cleaners. It is easy enough to do, I know. I've put the last 5 drives through the washing machine at home (all working again, thanks for asking). They are tiny, easy to loose and cheap so we don't look after them. You may also remember another example where a consulting firm, PA Consulting in the UK, disclosed details of 84,000 prisoners. And whilst not a USB drive you must have seen the McCain Blackberry sales. Which I suppose brings us to other devices through which data walks out the door. My 500GB drive isn't much bigger than pack of cards, my Iphone holds 16GB, my camera 8GB and the smallest USB drive I have is 4GB and no bigger than a thumb nail and I'm positive collectively we could come up with numerous other devices to store data. USB storage doesn't always look like a USB drive either. They come in a variety of shapes and sizes. Google USB and any of the following: pen, watch, duck, and lighter and you'll see a few examples. This is why we "love" USB drives. So it is pretty clear that from a security perspective, USB drives are a major ..... Not the only way to get data out, but certainly a good old favourite. Addressing the issue is a bit of a challenge. A good place to start is of course with policy. Develop a policy that outlines the rules under which the devices can be used or there might even be a blanket ban. If you are going to allow the devices make sure that you include a statement in the policy that the information must be encrypted. Writing the policy is the easy part, getting people to do it is trickier. When my dog was a pup it did something extremely unpleasant in the house. A mild whack with a rolled up news paper on its nose and the problem was sorted. Not just for that instance, but until the day she died a long long time later. If only it was that easy with people. In pentests and investigations you find information in the darnedest places. For example many encrypted drives have a small unencrypted portion where the decrypt software is so you can use the information in non work machines (that is a whole argument for a different day). So where do you think people store their files? Yep in the small unencrypted space on the drive. Where is that newspaper? So we need things to back up the policy. There are plenty of products about in the market place that will help you secure devices. In Windows world you can use group policies In linux, OSX, etc the USB devices can be disabled. Have a look at the NSA document that describes how to disable USB devices on different platforms (the site was a bit slow when I looked). Once thing the commercial products I know off do nicely, is log what is placed onto or taken off the device, which is handy in investigations. BTW if you have a nice way to provide an audit trail using opensource tools I'd be interested in hearing from you. So we have a policy and some technology to back it up. To finish things off you'll need some processes to monitor things and you will need to educate the users. Most importantly you need to have your version of the rolled up newspaper. If you have a nice way of dealing with this particular issue, let me know. For example I know of one site where epoxy glue is their friend, remarkably few USB issues at the site. Cheers Mark H - Shearwater	Mark 392 Posts ISC Handler Jan 30th 2009
Thread locked Subscribe	Jan 30th 2009 1 decade ago
While not open source by any means, Pointsec does a fine job of restricting USB access and providing reports and email alerts. It ties to Active Director and you can set policies for people and / or computers.	Jasey 93 Posts
Quote	Jan 30th 2009 1 decade ago
We've been using DeviceLock for a while and quite happy with it. It is also not open source, but it covers all our needs in controlling access to any types of removable devices and it is easy to use and deploy (even easier than epoxy glue, i guess ).	ArD 6 Posts
Quote	Jan 31st 2009 1 decade ago

Loss of confidential information because of a USB stick is nothing new, but this one is quite amusing.   A NZ guy buys a second hand MP3 player in the US. When he plugs it in there are files on the device with details of US Military personnel (article). Turns out the previous owner's house was broken into and the player was taken. That still doesn't explain why she had an MP3 player with work files on them, or does it? Well it actually makes sense.

I suspect her day went along these lines (and this is purely hypothetical). "Can I please have a USB drive to put some files on so I can work on them at home?". The answer was likely a resounding "No". After all, we know that certain information should not leave the organisation and USB drives are evil.   She remembers her 10 year old nephew showing her how to place files on an MP3 player, which she has been allowed to plug into her PC so it can charge (music is good for morale in the office).   So after sitting down at the desk, those files marked Confidential, Sensitive, Personal, etc are easily copied across in a flash. Of course she probably could have just emailed them to her hotmail/yahoo/gmail/webmail account. Actually just had a thought, maybe she used the MP3 player because the US Military banned USB drives back in November. Although it was a ban on all removable media.

There are numerous other examples, one of my other favourites for January is the article on 9000 USB drives left in dirty washing and picked up by dry cleaners. It is easy enough to do, I know. I've put the last 5 drives through the washing machine at home (all working again, thanks for asking). They are tiny, easy to loose and cheap so we don't look after them. You may also remember another example where a consulting firm, PA Consulting in the UK, disclosed details of 84,000 prisoners. And whilst not a USB drive you must have seen the McCain Blackberry sales. Which I suppose brings us to other devices through which data walks out the door. My 500GB drive isn't much bigger than pack of cards, my Iphone holds 16GB, my camera 8GB and the smallest USB drive I have is 4GB and no bigger than a thumb nail and I'm positive collectively we could come up with numerous other devices to store data. USB storage doesn't always look like a USB drive either. They come in a variety of shapes and sizes. Google USB and any of the following: pen, watch, duck, and lighter and you'll see a few examples. This is why we "love" USB drives.

So it is pretty clear that from a security perspective, USB drives are a major ..... Not the only way to get data out, but certainly a good old favourite. Addressing the issue is a bit of a challenge.   A good place to start is of course with policy. Develop a policy that outlines the rules under which the devices can be used or there might even be a blanket ban. If you are going to allow the devices make sure that you include a statement in the policy that the information must be encrypted.    Writing the policy is the easy part, getting people to do it is trickier.

When my dog was a pup it did something extremely unpleasant in the house. A mild whack with a rolled up news paper on its nose and the problem was sorted. Not just for that instance, but until the day she died a long long time later. If only it was that easy with people. In pentests and investigations you find information in the darnedest places. For example many encrypted drives have a small unencrypted portion where the decrypt software is so you can use the information in non work machines (that is a whole argument for a different day).   So where do you think people store their files?   Yep in the small unencrypted space on the drive.   Where is that newspaper?   So we need things to back up the policy.

There are plenty of products about in the market place that will help you secure devices. In Windows world you can use group policies In linux, OSX, etc the USB devices can be disabled. Have a look at the NSA document that describes how to disable USB devices on different platforms (the site was a bit slow when I looked). Once thing the commercial products I know off do nicely, is log what is placed onto or taken off the device, which is handy in investigations. BTW if you have a nice way to provide an audit trail using opensource tools I'd be interested in hearing from you.

So we have a policy and some technology to back it up. To finish things off you'll need some processes to monitor things and you will need to educate the users. Most importantly you need to have your version of the rolled up newspaper.

If you have a nice way of dealing with this particular issue, let me know. For example I know of one site where epoxy glue is their friend, remarkably few USB issues at the site.

Cheers

Mark H - Shearwater

Mark

392 Posts
ISC Handler

Jan 30th 2009

While not open source by any means, Pointsec does a fine job of restricting USB access and providing reports and email alerts. It ties to Active Director and you can set policies for people and / or computers.

Jasey

93 Posts

We've been using DeviceLock for a while and quite happy with it. It is also not open source, but it covers all our needs in controlling access to any types of removable devices and it is easy to use and deploy (even easier than epoxy glue, i guess ;-)

).

ArD

6 Posts