Dropped USB Sticks in Parking Lot as Actual Attack Vector

For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them.

This is the first time I've heard of criminals trying this trick.

Posted on July 12, 2012 at 9:47 AM • 31 Comments

Comments

MiramonJuly 12, 2012 10:06 AM

This has been Microsoft's fault since whenever it was they decided floppy disks should autoload by default -- 1981, maybe?

Without that one stupid decision, the whole floppy-based virus industry wouldn't have started, and perhaps malware in general would be a smaller problem today.

Anyhow, the general lack of security methods applied to memory cards and thumb drives is entirely consistent with that grand tradition.

seheJuly 12, 2012 10:11 AM

Happened recently near a bio/chemical plant where a relative works. They noticed because the corporate anti-virus set off the alarms upon insertion of the stick, which prompted security to search the area.

Apparently, they found several 'stray' USB spread around the compound.

JoeJuly 12, 2012 10:26 AM

I don't remember where I read it (might have been here actually), but didn't the Stuxnet virus get planted using a similar idea?

MichaelJuly 12, 2012 10:31 AM

The article mentions more than one USB drive was dropped, which probably gave the game away. Maybe it's the first time we heard of such an attack, but it's not as targeted or effective as it could be.
Now, imagine a scenario where the criminal properly researched the target, and placed just one USB drive in a more strategic location where a specific person would eventually run the malware. If the criminal managed to infect the right machine, he/she would have a very good vantage point to launch whatever attack.

OrinJuly 12, 2012 11:05 AM

Windows can be locked down so that "unknown" USB drives are locked out - but Windows in its default state is different from Windows as it can be run in a locked down state (using removable device policies, AppLocker)

InfojanitorJuly 12, 2012 11:42 AM

I respect Bruce but I have to disagree with his statement. At some point the users have to take responsibility for their actions on the system. The computer is not there to anticipate the nature of stupidity for an irresponsible user instituting unknown elements to its environment. The very nature of the USB device is that it functions universally moving us away from the constant loading of drivers depending on what system we were using. Some of the same tactic's that we as security professionals use are definitely used by our opponents. These tactics have been used by our opponents as long as we professionals have used them. It's the nature of the game that we all play against each other for better or worse. Opponents know that you can't patch the user no matter how hard you may want to and an attack against the human factor will usually yield results faster than attempting to assault the system or environment directly.

bobJuly 12, 2012 11:53 AM

@ Infojanitor

Why should they take responsibility for their actions? It's just a job. "Oooo, free USB stick! Wonder what's on it? A virus? Cool, I'll go and read in the canteen until IT get my computer sorted out."

If a company relies on every one of it's staff being motivated, happy and responsible, it's not going to last very long.

Bob BarkerJuly 12, 2012 12:27 PM

$ chmod -R +x /media/*

Who picks up a USB stick and this is his first step? I don't get it.

EdwardJuly 12, 2012 1:01 PM

Nice one Bruce! No wonder that white hats are so behind if they see *lost* usb sticks as an attack vector just now. (We have 2012, c'mon.)

Marti RaudseppJuly 12, 2012 1:37 PM

What many of the commentors don't seem to realize is that even if the operating system doesn't immediately execute what's on the stick, the USB port opens up an enormous attack surface:

* All USB device drivers supported by the OS -- written by all sorts of different vendors with unknown security expertise
* All file system code (via USB mass storage)
* Access to network services on the host computer (as a USB Ethernet adapter)
* Direct keyboard/mouse control
* Probably lots more that I can't even imagine
* The USB stick could be interactively communicating to the attacker over a radio connection

And since this is not a common attack vector (yet?), USB code is not written defensively like networking code -- it's probably full of holes like Swiss cheese. And a vulnerability in a driver or file system means kernel mode execution rights to the attacker -- the highest possible.

Bottom line: keep unknown USB sticks away from your computers. Educate your users. The USB stack might be secured eventually, but not in this decade.

WaelJuly 12, 2012 2:01 PM

@ Marti Raudsepp

"kernel mode execution rights to the attacker -- the highest possible."

I *think* there are higher...

Ascending order:
Hypervisor level (think Ring -1 as opposed to kernel's Ring 0)
Firmware level (BIOS for example) (Ring -2 :) )
Microcode level.

If you have Kernel level access you do not necessarily have FW level access or Microcode level access, although it gets you a "ring" closer.

JardaJuly 12, 2012 2:04 PM

I am always willing to be targetted by an attacker dropping several brand new USB sticks of 32 GB or more around my location. dd cures all infections. :-)

MingoVJuly 12, 2012 6:30 PM

If I found a USB stick in the parking lot of a business or government agency, I would take it the IT department so they could use a non-networked "test" computer to see if the USB stick belongs to an employee (and to see if the employee was transferring sensitive info without adequate encryption).

If I found a USB stick in a public place, I would plug it into one of my older, non-networked Macs to try and find the owner. (The likelihood of malware targeting a Mac is low, and if it did I'd just wipe the hard drive.) If it had no pointers to an owner, I'd reformat it for my own use.

Dirk PraetJuly 12, 2012 6:40 PM

From where I'm sitting, the blame for infections through USB are shared by both IT and the user. The former need to put controls in place to prevent unknown USB devices from being hooked up to the network, the latter educated on security policies and procedures regarding such devices. Failure to do so or non-compliance with applicable policies should imply consequences for both.

I know of at least one local (military) customer who has a habit of introducing inadvertent salesreps or other vistors caught with cellphones or USB sticks to two mean-looking MP's called Bubbah and Jesus, whose primary job it is to scare the living daylights out of such people.

WaelJuly 12, 2012 7:05 PM

@ Dirk Paret

Yup! Role Misappropriation again.

IT is the delegated owner for protecting the corporate's assets. They must not delegate that task to a non-owner, such as the user. IT sending an email to the users saying "Please do not plug USB sticks you find in the parking lot in corporate computers" is equivalent to delegating the protection task to the users. This email should act to raise the awareness, not to prevent the Vulnerabilities. Other controls need to be in place BY IT ...

whiskeyJuly 12, 2012 9:25 PM

Sounds like corporate espionage. This attack is probably more common than anyone realizes.

pgaggeJuly 13, 2012 2:50 AM

@Wael: if the corporate *information* assets (as opposed to the physical servers, networks and dull stuff like that) are owned by IT, with the sole responsibility for protecting and determining who should have access, the corporation is in big trouble. Almost all modern corporations are dependent for their profitability and survival on the availability and integrity of huge amounts of information. It may be processed by a lot of technology, but that does not make IT departments experts in the value of that information. (Some try to be. They may evolve away from the traditional IT role.)

USB sticks, cloud storage services, email to pick three: all are threat vectors, but also productivity boosters when used correctly. The final defence against external threats is always the admittedly variable common sense of the end users. That's not 'delegating' a responsibility: the responsibility *starts* on the business side, with whoever owns the information assets. IT should be able to block and mitigate a set of known threats, but won't be able to stop them all efficiently without hindering the business from getting done. Reasonable security (as opposed to the mythical perfect security) is obtained only by IT and end users collaborating.

echowitJuly 13, 2012 8:53 AM

Where are people buying USBs that are so expensive that it's worth trying to clean up a "free" one found on the ground?

Agree with the "give it to IT Security" idea, tho. They could actually get some benefit out of it if they uncovered something nefarious.

Benefit v. Risk, anyone?

paulJuly 13, 2012 9:09 AM

I think it's a mistake to equate "found lying on the ground" with "unknown". All you have to do is use a case with a corporate logo that marks the drive as tradeshow swag (!) or put a label on that identifies it as belonging to some (possibly fictional) person or department, and it becomes "known".

Dirk PraetJuly 13, 2012 1:45 PM

@ Wael

Other controls need to be in place BY IT

That's exactly what I said. Please try to read my comments correctly.

WaelJuly 13, 2012 2:00 PM

@ Dirk Praet

My response was in support of your statement, not correcting it. I should have been more clear.

@ pgagge
I also lost a response to you, that somehow is not showing. Was a long one and I did not save to locally...

WaelJuly 13, 2012 2:04 PM

@ Moderator

Is there a pending post from me in the queue? Posted about 20 min ago to @ pgagge?

ModeratorJuly 13, 2012 5:06 PM

Wael,

I don't have anything in the queue or spam filter for you, so I'm afraid I can only suggest you recreate.

WaelJuly 13, 2012 6:39 PM

@ pgagge

Excellent response...

if the corporate *information* assets (as opposed to the physical servers, networks and dull stuff like that) are owned by IT, with the sole responsibility for protecting and determining who should have access, the corporation is in big trouble.

Not necessarily. Hire the right team or complain about consequenses. IT is in charge of implementing who should have access. They are given a list of users and thier needs. Sometimes they do decide who should have access to what.

Almost all modern corporations are dependent for their profitability and survival on the availability and integrity of huge amounts of information. It may be processed by a lot of technology, but that does not make IT departments experts in the value of that information. (Some try to be. They may evolve away from the traditional IT role.)

IT doesn't need to be experts in the value of the information. They only need to know that it has to be protected. They will get mandates and instructions or information from various departments that quantify the security level needed.

USB sticks, cloud storage services, email to pick three: all are threat vectors, but also productivity boosters when used correctly.

"when used correctly":

Who decides that? User, IT, or common sense?
I say IT makes the rules and policies and tries to enforce these policies and controls. And the User complies, if s/he has common sense. IT also has to assume users are not to be trusted. It's IT's neck on the line if a user inserts a USB disk on corporate network, and brings the network down
for a few hours. Who is going to stand tall in front of the Man to explain to him the situation?
User or the IT head?
CEO to CIO: What happened? I hear that credential have been compromised and the press is after us.
CIO: Ummmm. Ummm. This guy found a USB stick in the parking lot and...
Is that gonna fly?

The final defence against external threats is always the admittedly variable common sense of the end users. That's not 'delegating' a responsibility: the responsibility *starts* on the business side, with whoever owns the information assets.

In most corporate environments I have seen, the user owns nothing. Everything belongs to Corporate and they tell you that. That also includes waivering your rights to privacy. They tell you they will monitor all communication channels.The ownership of information is indisputable, and thier lawyers make that crsytal clear. The Coporate legal entity owns the information, and IT is the entity entrused with protecting this information. Users are asked to "comply". I am basically saying instead of just "ask", "enforce" as well.

"IT should be able to block and mitigate a set of known threats, but won't be able to stop them all efficiently without hindering the business from getting done. Reasonable security (as opposed to the mythical perfect security) is obtained only by IT and end users collaborating."

Collaboration means users conforming to IT policies, it means alerting IT to threats they become aware of. Collaboration does not mean the user is to be entrusted with protecting an asset s/he does not "own". We can talk about examples from real life. I am sure you have heard about people who lost thier unencrypted laptops with huge amount of information that caused thier employer a lot of money, negative press releases and embaracment, along with other heartburns.
So Mr. Salesman has a database with tens of thousands of customers, thier usernames, ID's, Social Secrity numbers, ages, etc. IT has protected this database on thier servers with all "known" mechanisms and controls. Mr. Salesman, wants to be productive, is on the road all the time (road worrior), and doesn't like the idea of VPN, slow connections; the inconvienice and productivity you talk about. So he copies this database locally on his laptop -- his common sense allows him to do that. And does not encrypt it -- ignoring IT's policy that all company information on mobile devices must be encrypted.

The guy forgets the Laptop in a train, a Taxicab, or somewhere - he doesn't rememeber. IT finds out, or worse (as sometimes is the case) someone makes this information public. You can guess the rest from there (or read about it)

Two question here:
1- who is at fault here?
2- How could such incidents be reduced (I don't say prevented) in the future?

So the user is surley accountable. Mr. Salesman violated the company's policy, and needs to be "wisdomised" (rhymes with another word derived from Sodom and Gomorrah). His accountability stops here. IT on the other hand, is not only accountable, but responcible. They should have had the controls in place to prevent such a scenario, and these controls are not "Rocket Science".

Regarding "as opposed to the mythical perfect security"...
Short background, Clive Robinson's style rubbed off on me :)
So I stated before that security (in my mind) is:
"The painless ability to protect the asset through complete awareness and total assured control by the owner of the asset"
I also said that "absolute security" does not exist -- that is clear from the definition. So this is the definition I use when I am analysing a security incident or when working on a security solution. It's not set in stone, and is open for improvments, critisisms... You can also totally disregard it. So in Elcetrical Engineeering, they used some models. These were ideal and did not exist (or existed under rare conditions) in real life. These models were used to simplify design and analysis of complex circuits. For example there is the "ideal current source" and the "ideal voltage source". You can replace ideal with "perfect" as well. I tried to do the same for Security. What parameters would allow an ideal or perfect "Security" model to exist? It was on this blog that I found the two "ideal" models: The Castle and the Prison. The Castle and the Prison could be related to each other like Voltage and Currect are (through a brick resistor, or Ohms law :)). Some have said this is purely theoretical, but I find such approach to be systematic and methodical. I am starting to digress towards C-v-P again, so I had better stop here.


mrUniverseJuly 13, 2012 7:48 PM

@Jarda
You may want to brush up on how flash memory works before claiming 'dd cures all infections'- if the USB stick has had a few tweaks to the memory manager, you might be in for some nasty surprises when the 'unusable' sector turns out to have needed cleaning after all...

WaelJuly 13, 2012 11:49 PM

@ pgagge -- Supplimentary...

The IT I am talking about includes
Corporate security.

Andrew WhiteOctober 26, 2012 9:55 AM

Many people underestimate the danger of Autorun and the first sample of the parking lot above is a very good example which actually caused problems in our company. Our company use the latest antivirus software but one of our employees found a USB stick and plugged it in. The antivirus software didn't recognize the work initially until it had spread over several computer. Since then we have all USB ports disabled for external storage (including media players). Keyboards and mice are still okay and managers can still use USB stick to take home HR and contract data to work at home. We are using a product called encryptstick for this. They also had autorun setup by default. We reported this security concern to the vendor and to our surprise they removed the autorun feature with the next release which in our opinion clearly showed that they took the report seriously. Unfortunately not many vendors would do this.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..