For years, it’s been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn’t that people are plugging the sticks in, but that the computers trust them enough to run software off of them.
This is the first time I’ve heard of criminals trying this trick.
sehe • July 12, 2012 10:11 AM
Happened recently near a bio/chemical plant where a relative works. They noticed because the corporate anti-virus set off the alarms upon insertion of the stick, which prompted security to search the area.
Apparently, they found several ‘stray’ USB spread around the compound.
Christopher • July 12, 2012 10:23 AM
Well, they did fix it after 30 years. Autorun is disabled now in Windows 7.
Joe • July 12, 2012 10:26 AM
I don’t remember where I read it (might have been here actually), but didn’t the Stuxnet virus get planted using a similar idea?
Michael • July 12, 2012 10:31 AM
The article mentions more than one USB drive was dropped, which probably gave the game away. Maybe it’s the first time we heard of such an attack, but it’s not as targeted or effective as it could be.
Now, imagine a scenario where the criminal properly researched the target, and placed just one USB drive in a more strategic location where a specific person would eventually run the malware. If the criminal managed to infect the right machine, he/she would have a very good vantage point to launch whatever attack.
Orin • July 12, 2012 11:05 AM
Windows can be locked down so that “unknown” USB drives are locked out – but Windows in its default state is different from Windows as it can be run in a locked down state (using removable device policies, AppLocker)
Toy Trumpet • July 12, 2012 11:16 AM
They weren’t even trying. These guys are far more subtle. Sure, everyone knows not to plug in a USB stick, right? But a mouse? What harm can it do…
http://pentest.netragard.com/2011/06/24/netragards-hacker-interface-device-hid/
Infojanitor • July 12, 2012 11:42 AM
I respect Bruce but I have to disagree with his statement. At some point the users have to take responsibility for their actions on the system. The computer is not there to anticipate the nature of stupidity for an irresponsible user instituting unknown elements to its environment. The very nature of the USB device is that it functions universally moving us away from the constant loading of drivers depending on what system we were using. Some of the same tactic’s that we as security professionals use are definitely used by our opponents. These tactics have been used by our opponents as long as we professionals have used them. It’s the nature of the game that we all play against each other for better or worse. Opponents know that you can’t patch the user no matter how hard you may want to and an attack against the human factor will usually yield results faster than attempting to assault the system or environment directly.
bob • July 12, 2012 11:53 AM
@ Infojanitor
Why should they take responsibility for their actions? It’s just a job. “Oooo, free USB stick! Wonder what’s on it? A virus? Cool, I’ll go and read in the canteen until IT get my computer sorted out.”
If a company relies on every one of it’s staff being motivated, happy and responsible, it’s not going to last very long.
Edward • July 12, 2012 1:01 PM
Nice one Bruce! No wonder that white hats are so behind if they see lost usb sticks as an attack vector just now. (We have 2012, c’mon.)
Marti Raudsepp • July 12, 2012 1:37 PM
What many of the commentors don’t seem to realize is that even if the operating system doesn’t immediately execute what’s on the stick, the USB port opens up an enormous attack surface:
And since this is not a common attack vector (yet?), USB code is not written defensively like networking code — it’s probably full of holes like Swiss cheese. And a vulnerability in a driver or file system means kernel mode execution rights to the attacker — the highest possible.
Bottom line: keep unknown USB sticks away from your computers. Educate your users. The USB stack might be secured eventually, but not in this decade.
Wael • July 12, 2012 2:01 PM
@ Marti Raudsepp
“kernel mode execution rights to the attacker — the highest possible.”
I think there are higher…
Ascending order:
Hypervisor level (think Ring -1 as opposed to kernel’s Ring 0)
Firmware level (BIOS for example) (Ring -2 🙂 )
Microcode level.
If you have Kernel level access you do not necessarily have FW level access or Microcode level access, although it gets you a “ring” closer.
Jarda • July 12, 2012 2:04 PM
I am always willing to be targetted by an attacker dropping several brand new USB sticks of 32 GB or more around my location. dd cures all infections. 🙂
MingoV • July 12, 2012 6:30 PM
If I found a USB stick in the parking lot of a business or government agency, I would take it the IT department so they could use a non-networked “test” computer to see if the USB stick belongs to an employee (and to see if the employee was transferring sensitive info without adequate encryption).
If I found a USB stick in a public place, I would plug it into one of my older, non-networked Macs to try and find the owner. (The likelihood of malware targeting a Mac is low, and if it did I’d just wipe the hard drive.) If it had no pointers to an owner, I’d reformat it for my own use.
Dirk Praet • July 12, 2012 6:40 PM
From where I’m sitting, the blame for infections through USB are shared by both IT and the user. The former need to put controls in place to prevent unknown USB devices from being hooked up to the network, the latter educated on security policies and procedures regarding such devices. Failure to do so or non-compliance with applicable policies should imply consequences for both.
I know of at least one local (military) customer who has a habit of introducing inadvertent salesreps or other vistors caught with cellphones or USB sticks to two mean-looking MP’s called Bubbah and Jesus, whose primary job it is to scare the living daylights out of such people.
Wael • July 12, 2012 7:05 PM
@ Dirk Paret
Yup! Role Misappropriation again.
IT is the delegated owner for protecting the corporate’s assets. They must not delegate that task to a non-owner, such as the user. IT sending an email to the users saying “Please do not plug USB sticks you find in the parking lot in corporate computers” is equivalent to delegating the protection task to the users. This email should act to raise the awareness, not to prevent the Vulnerabilities. Other controls need to be in place BY IT …
whiskey • July 12, 2012 9:25 PM
Sounds like corporate espionage. This attack is probably more common than anyone realizes.
pgagge • July 13, 2012 2:50 AM
@Wael: if the corporate information assets (as opposed to the physical servers, networks and dull stuff like that) are owned by IT, with the sole responsibility for protecting and determining who should have access, the corporation is in big trouble. Almost all modern corporations are dependent for their profitability and survival on the availability and integrity of huge amounts of information. It may be processed by a lot of technology, but that does not make IT departments experts in the value of that information. (Some try to be. They may evolve away from the traditional IT role.)
USB sticks, cloud storage services, email to pick three: all are threat vectors, but also productivity boosters when used correctly. The final defence against external threats is always the admittedly variable common sense of the end users. That’s not ‘delegating’ a responsibility: the responsibility starts on the business side, with whoever owns the information assets. IT should be able to block and mitigate a set of known threats, but won’t be able to stop them all efficiently without hindering the business from getting done. Reasonable security (as opposed to the mythical perfect security) is obtained only by IT and end users collaborating.
echowit • July 13, 2012 8:53 AM
Where are people buying USBs that are so expensive that it’s worth trying to clean up a “free” one found on the ground?
Agree with the “give it to IT Security” idea, tho. They could actually get some benefit out of it if they uncovered something nefarious.
Benefit v. Risk, anyone?
paul • July 13, 2012 9:09 AM
I think it’s a mistake to equate “found lying on the ground” with “unknown”. All you have to do is use a case with a corporate logo that marks the drive as tradeshow swag (!) or put a label on that identifies it as belonging to some (possibly fictional) person or department, and it becomes “known”.
Dirk Praet • July 13, 2012 1:45 PM
@ Wael
Other controls need to be in place BY IT
That’s exactly what I said. Please try to read my comments correctly.
Wael • July 13, 2012 2:00 PM
@ Dirk Praet
My response was in support of your statement, not correcting it. I should have been more clear.
@ pgagge
I also lost a response to you, that somehow is not showing. Was a long one and I did not save to locally…
Wael • July 13, 2012 2:04 PM
@ Moderator
Is there a pending post from me in the queue? Posted about 20 min ago to @ pgagge?
Moderator • July 13, 2012 5:06 PM
Wael,
I don’t have anything in the queue or spam filter for you, so I’m afraid I can only suggest you recreate.
Wael • July 13, 2012 6:39 PM
@ pgagge
Excellent response…
if the corporate information assets (as opposed to the physical servers, networks and dull stuff like that) are owned by IT, with the sole responsibility for protecting and determining who should have access, the corporation is in big trouble.
Not necessarily. Hire the right team or complain about consequenses. IT is in charge of implementing who should have access. They are given a list of users and thier needs. Sometimes they do decide who should have access to what.
Almost all modern corporations are dependent for their profitability and survival on the availability and integrity of huge amounts of information. It may be processed by a lot of technology, but that does not make IT departments experts in the value of that information. (Some try to be. They may evolve away from the traditional IT role.)
IT doesn’t need to be experts in the value of the information. They only need to know that it has to be protected. They will get mandates and instructions or information from various departments that quantify the security level needed.
USB sticks, cloud storage services, email to pick three: all are threat vectors, but also productivity boosters when used correctly.
“when used correctly”:
Who decides that? User, IT, or common sense?
I say IT makes the rules and policies and tries to enforce these policies and controls. And the User complies, if s/he has common sense. IT also has to assume users are not to be trusted. It’s IT’s neck on the line if a user inserts a USB disk on corporate network, and brings the network down
for a few hours. Who is going to stand tall in front of the Man to explain to him the situation?
User or the IT head?
CEO to CIO: What happened? I hear that credential have been compromised and the press is after us.
CIO: Ummmm. Ummm. This guy found a USB stick in the parking lot and…
Is that gonna fly?
The final defence against external threats is always the admittedly variable common sense of the end users. That’s not ‘delegating’ a responsibility: the responsibility starts on the business side, with whoever owns the information assets.
In most corporate environments I have seen, the user owns nothing. Everything belongs to Corporate and they tell you that. That also includes waivering your rights to privacy. They tell you they will monitor all communication channels.The ownership of information is indisputable, and thier lawyers make that crsytal clear. The Coporate legal entity owns the information, and IT is the entity entrused with protecting this information. Users are asked to “comply”. I am basically saying instead of just “ask”, “enforce” as well.
“IT should be able to block and mitigate a set of known threats, but won’t be able to stop them all efficiently without hindering the business from getting done. Reasonable security (as opposed to the mythical perfect security) is obtained only by IT and end users collaborating.”
Collaboration means users conforming to IT policies, it means alerting IT to threats they become aware of. Collaboration does not mean the user is to be entrusted with protecting an asset s/he does not “own”. We can talk about examples from real life. I am sure you have heard about people who lost thier unencrypted laptops with huge amount of information that caused thier employer a lot of money, negative press releases and embaracment, along with other heartburns.
So Mr. Salesman has a database with tens of thousands of customers, thier usernames, ID’s, Social Secrity numbers, ages, etc. IT has protected this database on thier servers with all “known” mechanisms and controls. Mr. Salesman, wants to be productive, is on the road all the time (road worrior), and doesn’t like the idea of VPN, slow connections; the inconvienice and productivity you talk about. So he copies this database locally on his laptop — his common sense allows him to do that. And does not encrypt it — ignoring IT’s policy that all company information on mobile devices must be encrypted.
The guy forgets the Laptop in a train, a Taxicab, or somewhere – he doesn’t rememeber. IT finds out, or worse (as sometimes is the case) someone makes this information public. You can guess the rest from there (or read about it)
Two question here:
1- who is at fault here?
2- How could such incidents be reduced (I don’t say prevented) in the future?
So the user is surley accountable. Mr. Salesman violated the company’s policy, and needs to be “wisdomised” (rhymes with another word derived from Sodom and Gomorrah). His accountability stops here. IT on the other hand, is not only accountable, but responcible. They should have had the controls in place to prevent such a scenario, and these controls are not “Rocket Science”.
Regarding “as opposed to the mythical perfect security”…
Short background, Clive Robinson’s style rubbed off on me 🙂
So I stated before that security (in my mind) is:
“The painless ability to protect the asset through complete awareness and total assured control by the owner of the asset”
I also said that “absolute security” does not exist — that is clear from the definition. So this is the definition I use when I am analysing a security incident or when working on a security solution. It’s not set in stone, and is open for improvments, critisisms… You can also totally disregard it. So in Elcetrical Engineeering, they used some models. These were ideal and did not exist (or existed under rare conditions) in real life. These models were used to simplify design and analysis of complex circuits. For example there is the “ideal current source” and the “ideal voltage source”. You can replace ideal with “perfect” as well. I tried to do the same for Security. What parameters would allow an ideal or perfect “Security” model to exist? It was on this blog that I found the two “ideal” models: The Castle and the Prison. The Castle and the Prison could be related to each other like Voltage and Currect are (through a brick resistor, or Ohms law :)). Some have said this is purely theoretical, but I find such approach to be systematic and methodical. I am starting to digress towards C-v-P again, so I had better stop here.
mrUniverse • July 13, 2012 7:48 PM
@Jarda
You may want to brush up on how flash memory works before claiming ‘dd cures all infections’- if the USB stick has had a few tweaks to the memory manager, you might be in for some nasty surprises when the ‘unusable’ sector turns out to have needed cleaning after all…
Wael • July 13, 2012 11:49 PM
@ pgagge — Supplimentary…
The IT I am talking about includes
Corporate security.
renoX • July 19, 2012 7:01 AM
@Miramon: the problem with USB sticks isn’t only with Microsoft’s AutoRun (even though it was a dumb idea), see here:
http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux
Andrew White • October 26, 2012 9:55 AM
Many people underestimate the danger of Autorun and the first sample of the parking lot above is a very good example which actually caused problems in our company. Our company use the latest antivirus software but one of our employees found a USB stick and plugged it in. The antivirus software didn’t recognize the work initially until it had spread over several computer. Since then we have all USB ports disabled for external storage (including media players). Keyboards and mice are still okay and managers can still use USB stick to take home HR and contract data to work at home. We are using a product called encryptstick for this. They also had autorun setup by default. We reported this security concern to the vendor and to our surprise they removed the autorun feature with the next release which in our opinion clearly showed that they took the report seriously. Unfortunately not many vendors would do this.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Miramon • July 12, 2012 10:06 AM
This has been Microsoft’s fault since whenever it was they decided floppy disks should autoload by default — 1981, maybe?
Without that one stupid decision, the whole floppy-based virus industry wouldn’t have started, and perhaps malware in general would be a smaller problem today.
Anyhow, the general lack of security methods applied to memory cards and thumb drives is entirely consistent with that grand tradition.