Comments

ThothOctober 9, 2014 7:35 AM

Well, you can easily lose it as well as easily carry it.

A secure location does not mean the data stored there is as secure as it seems. Additional steps that includes removing of USB ports from secure devices and using device cryptographic authentication methods is what makes a secure setup in a secure location truely secure.

ThothOctober 9, 2014 7:38 AM

On a second thought, if someone can exfiltrate data with these awesome cufflinks, that means someone could also inflitrate nasty stuff in as well with these awesome cufflinks ?

CallMeLateForSupperOctober 9, 2014 7:39 AM

An absolute steal at US$200. (not) Interesting idea, though fitzing with cufflinks is, to me, a PITA even once/day.

If I had these - and I am neither confirming nor denying that I do or did or would - I would apply NSA logo, in full color. ;-)

Pull up the alternate photo for a look at the backs. The soldering job is... nasty, "just the thing" to chew up a cuff.

Lars SommerOctober 9, 2014 8:26 AM

You can get them in silver "look" at around $6-$20 on aliexpress.com - maybe even prepped with chinese malware as a bonus.

Clive RobinsonOctober 9, 2014 9:58 AM

@ Vas Pup,

Microwave ovens are not designed to be "broadband" Faraday shields. So you should test the idea with each oven befor relying on it.

Briefly, the edges around the doors are viewed as transmission lines feeding a slot radiator by the designers. To prevent radiation in the ISM band the door has a shorted resonant line as part of the transmission line from the oven cavity to the slot radiator of the door edge. This resonant line makes the transmission line look like a very high impedence ONLY at certain very narrow frequency bands...

At others frequencies the resonant line can actually tune the cavity to the slot radiator of the door edge and thus for certain narrow bands it matches the cavity to the slot radiator and enhances radiation at that frequency band and can likewise effectivly add to the ERP of a phone etc as does other directional antennas, so could be worse than no Faraday shield at all.

Other frequencies may will get to the slot radiator and radiate proportianatly to the matching seen between the cavity and the transmission line and the transmission line to the door edge slot radiator at the frequency in question. In all cases the radiation efficiency broadband has a "comb" pattern of good and bad against frequency....

Oh and as Wifi users know even in the ISM band microwave ovens can be considerable sources of interferance due to "leakage" which can happen due to quite minimal door or latch damage or even somebody cleaning it such that the resonant frequency of the resonant line changes. It's why you should test them occasionaly and not lean on / touch them when actually cooking (do I follow that advice, nope, but then I always stand well away from them whilst the maggi is on).

paulOctober 9, 2014 10:06 AM

I wonder if anyone has run a design contest to think up things that have four conductors near an edge at the required spacing to fit a USB plug but look nothing like USB dongles.

Clive RobinsonOctober 9, 2014 10:15 AM

So if USB in cufflinks how about other "spy gear"?

How about a Wifi transmitter with nasty malware as a download special, walk into the office press the link and the office is owned, just the thing for a pen-test sales person ;-)

Or how about a tiny ultrasonic transmitter for all those BadUSB systems to either deliver updates or conversly with a mic download stuff...

With modern micro chips the possabilities whilst not endless woula have the story writters for the original "Mission Impossible" TV show salivating...

AnuraOctober 9, 2014 1:19 PM

I wear dress shirts to work almost every day, but none of them have cufflinks. If I wanted to be inconspicuous, I would have to hide it in my phone or soemthing... But that's just crazy talk.

QMOctober 9, 2014 1:54 PM

With all of this 007 swag, we're going to slashdot a few servers. Maybe there'll be a new term, "getting Bruced", for a sudden influx of traffic.

joyOctober 9, 2014 2:06 PM

@firedog, "WiFi hotspot cufflinks?"

That's the link below, <http://www.dalys1895.com/polished-silver-oval-wifi-and-2gb-usb-combination-cufflinks.html>

Ravi Ratan Polished Silver Oval WIFI and 2GB USB Combination Cufflinks
$250.00

Description
Ravi Ratan once again demonstrates the ability to marry elegant design with fantastic practicality with this piece. These elegant, oval cufflinks finished with silver beautifully conceal a 2GB USB drive and also double as a WiFi Hotspot: take your data with you wherever you go. It is the ultimate functional accessory.
WiFi Hotspot
2GB USB
Oval shape

IrvingOctober 9, 2014 2:31 PM

Had one pair of those.
Lost one.
I have to remember to choose one shirt that fits them when I want to use them. Still very cool when all these conditions are met.

NobodySpecialOctober 9, 2014 2:59 PM

Around here anyone wearing a shirt that needed cufflinks would be a lot more conspicuous than someone merely carrying a server out under their arm.

LessThanObviousOctober 9, 2014 3:31 PM

The form factor doesn't really matter, I don't see cufflinks being the way to go for someone moving data that they aren't supposed to be moving. The fact is, at the present time the size of the object required to store a large amount of data is so small that any reliance on physical detection is bound to be failure prone. If a company is protecting servers and the data is super critical then additional layers of security are a must. There is an expectation of trust for anyone who has physical access to data storage. If it's so critical that even those with access can't be trusted then steps must be taken in software, physical ports blocked or removed, no leaving anyone alone, no shipping failed drives to Dell without wiping them, and the list goes on.

When it comes to a person carrying data when they are out and about or when traveling, the ways it could be hidden are almost limitless. Catching someone smuggling data would be very hard. First: it would have to be known that there is a good reason to be suspicious of that person since everyone has laptops, tablets, USB sticks, Cameras, MP3 Players, etc.. Second: a search would have to be very extensive (hard drive contents, personal device contents, cavity search, (X-ray clothing, belt, shoes, books, etc...), check bags for hidden compartments, and the list goes on. That only covers items people may have when on foot. When in a vehicle it would be all but impossible to be certain all possible avenues were exhausted in a practical amount of time and even with the aid of trained dogs.

GodelOctober 9, 2014 6:46 PM

@LessThanObvious You could easily conceal a MicroSD card in your cheek. With the amount of fillings, implants etc that I've got, you'd need more than a metal detector to discriminate it from my normal equipment.

Disco StuOctober 9, 2014 7:07 PM

When it comes to vulnerability and USB sticks I've noticed something that I haven't seen published though I'm sure I'm not unique in this one. When someone has legitimate access to a Colo facility, it doesn't seem like it would be that far fetched for someone with malicious intent to put a USB stick on the end of a thin pole and poke it through the cage fencing and into the back of a target server. Then once the server reboots and boots from the USB, it's done. The same could also be done very easily to plug a long cable into an open Ethernet switch port assuming unused ports aren't disabled as per best practice, then if the retaining clip was broken off prior to inserting it, pulling the cable back out to cover their tracks would be easy.

Fortunately the people who have access to these facilities are almost without exception the good guys and if any of us saw someone attempting this, the individual would certainly receive a nerd beat down and some jail time.

BenOctober 9, 2014 11:05 PM

I remember seeing this on one of the TV episodes of White Collar as the undercover agent infiltrated a large corporate organisation and plugged one of his USB cufflinks into their network.

Chris AbbottOctober 10, 2014 12:10 AM

I think a USB embedded tie would be pretty good. If anybody asks why your tie is lunging toward the computer you could blame it on the fan. I think you'd be way better off using a little Bluetooth and linking it with your phone. I'm sure you could find one that Windows already has drivers for, or hell, if it's a NIX machine, drivers aren't usually an issue (at least with most Linux distros in my experience, even BSD).

Chris AbbottOctober 10, 2014 12:13 AM

Or actually, use a burner phone not connected to a tower, and trash the Bluetooth thing ASAP before you hightail out. Then snatch the data off of your burner phone and trash it securely.

Andrew_KOctober 10, 2014 1:27 AM

I see it coming.
Next time I'm on a job-related visit to restricted area, I will not only have to walk through all kinds of body scanners but also have to undress completely and hand over my genital piercing since it has to be checked for firmware updates.

I wonder what they will do about medical implants. WiFi-enabled tooth fillings, anyone?

GrauhutOctober 10, 2014 1:37 AM

IT guys seldom wear cufflinks, that would be too excentric. I would prefer a USB pen. :)

google_com/search?q=usb+pen&tbm=isch

But... If you are the IT guy and come to change a disk because of a raid disk error, just pull one raid1 disk and put in another, nobdy will ask, one in, one out.

ThothOctober 10, 2014 3:13 AM

@French Mailman
USB Bracelet seems like a nice idea but if you flip your hands or raise it, the USB stick is pretty obvious. It would do well by concealing a microSD in one of those metal studs though.

@Grauhut
USB pens are a good idea too... as long as no one decides to be itchy fingers to dismantle your pen for fun.

A normal or modified ring that have a compartment (locket design) would be useful in keeping a microSD.

Andrew_KOctober 10, 2014 7:39 AM

Ok, seriously.

I would be careful with carrying such things. Remember that you are considered to be what you resemble. Name three non-suspicious use cases in which a classic USB key wouldn't suffice.

Always assume that you will be subject to a stop and search. You usually don't wear french cuffs. Thus, you have laid them of in your car. A cop finds them. Discovers their dual nature. How do you explain? What happens next depends solely on the cops' technical interest and your social engineering skills. From detention and accusation of espionage to a friendly talk on amazing gadgets -- everything can happen.

I would preferr a modified classic USB key which could subtly be switched between two storages: The public and the private store. I just keep it in my pocket or a deep part of my untidy backpack. I just forgot it, no big deal. That happens all the time. The security guard can check it, a bunch of harmless MP3s and a movie from 2004 on it. No one is surprised that it is what it seems to be. Yeah, I really shouldn't have brough this here. Laugh. Then go home.

Wait. The security guard will check it. By plugging it into his computer. Time to change the topic.

@ Grauhut
The Raid 1 thing is almost a classic. Sadly.

albertOctober 10, 2014 11:05 AM

@Andrew_K
Why not conceal the data in the mp3 or jpg files? This can be done auto-magically while 'downloading' the data, then the 'implanting' s/w can delete itself. Of course, you may never see your thumb drive again....no company with sensitive data should allow ANY media to be transferred into or out of the facility.
.
'Social engineering' skills worked well in the old days (I know from personal experience), but with todays FUD environment, is it still possible to use them effectively?
..

..
I gotta go...

ThothOctober 11, 2014 8:09 AM

@Andrew_K
Gotta say I like your scheme. Neat and tidy. If a guard stops and checks, you surrender it and you are allocated a storage locker with the locker key. No big deal. If somehow you brought it in, it is one of the common "incidents" in data centers. It happens very frequently due to it's small size. Highly unlikely they will dismantle the USB stick physically and detect the dual nature of it. If you can have a custom firmware that have say a hidden digital switch somewhere that switches between public and private mode, the guard might see the old movies and songs and just laugh it off and return it back to you.

If the USB stick never returns, you can have it detect physical tamper and execute zeroize memory (with internal spare capacitor).

@albert
Social engineering still works very very well in this current age.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.