Before we jump into the USB memory security recommendations, a little background is in order…
“According to a straw poll carried out at InfoSecurity Europe, 90 per cent of the 12,000 attendees routinely carried portable storage devices. The survey also showed that 80 per cent of visitors believed their company had lost valuable confidential data through the use of these devices.
Although these gadgets are designed to be perfectly harmless, it does not take much for them to become a major security headache. It is all too easy to use them to siphon off valuable data.
Even legitimate users can simply lose the device, or have it stolen. Organizations need to ensure that they have the right security measures in place to protect themselves from this type of data leakage.” — V3
“Police in the Australian State of Victoria have warned citizens not to trust unmarked USB sticks that appear in their letterboxes. The warning, issued today, says ‘The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.’” — The Register
“An attempt to infiltrate the corporate systems of Dutch chemical giant DSM by leaving malware-riddled USB sticks in the corporation’s car park has failed. Instead of plugging the discarded drives into a workstation, which would have infected the machine, the worker who first found one of the devices handed it in to DSM’s IT department. Sysadmins subsequently found an unspecified password-stealing keylogger.” — The Register
USB Memory Security
Trojan Horse USB Memory Security
Some companies stamp their logos onto USB sticks and use them as giveaways. Most are probably benign advertising gifts used to foster good will. But you can’t be sure. Anyone can have sticks made with custom printing, including your logo. In fact, legitimate USB sticks may be purchased for Trojan Horse use. They can also load a stick with spyware, viruses, etc.
General USB Memory Security
Unsecured memory sticks are easily stolen or copied. They may still contain valuable information, even if “erased”. Always secure these data storage devices. In a business setting, the data on the device should be password protected and encrypted.
Memory sticks given as gifts or promotional items may contain spy software (possibly unbeknownst to the giver).
“Found on the ground” USB sticks are risky. They may have been planted for you to find. Never plug one into a computer to see what is on it. It may contain a destructive virus or keystroke logger.
Security Director Alert: USB Sabotage Kills Devices in Split-Second – Only $49.95
For just a few bucks, you can pick up a USB stick that destroys almost anything that it’s plugged into. Laptops, PCs, televisions, photo booths — you name it.
Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester’s repertoire of tools and hacks, says the Hong Kong-based company that developed it.
It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges — all in the matter of seconds.
On unprotected equipment, the device’s makers say it will “instantly and permanently disable unprotected hardware”…
The lesson here is simple enough. If a device has an exposed USB port — such as a copy machine or even an airline entertainment system — it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.
“Any public facing USB port should be considered an attack vector,” says the company. “In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack.”
Not every device is vulnerable to a USB Kill attack. The device maker said that Apple “voluntarily” protected its hardware. — ZDnet
USB Memory Security – Harassment Sticks
The Devil Drive (not currently available but previously sold units are out there) brings the office prank to a new level of sophistication. It looks like a regular USB cable, but it’s actually a device of electronic harassment. Just be aware of it should you hear complaints.
The Devil Drive has three functions:
- It causes annoying random curser movements on the screen.
- It types out random phrases and garbage text.
- It toggles the Caps Lock.
USB Memory Security – Chameleon Sticks
Some USB memory sticks have alter egos. They may look like simple memory sticks, but they are actually voice recorders and/or video cameras.
- Keep an eye out for these devices at business meetings.
- Lock out USB ports
USB Memory Security – Virus Injection Warning
USB ports in general have been cited as security vulnerabilities…
“Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user’s knowledge. The duo said there is no practical way to defend against the vulnerability.” – BBC
Although these researchers hacked an Avaya phone in their experiment, computers, phones, and other devices with USB ports are vulnerable as well…
“Ang Cui and Salvatore Stolfo, both of Red Balloon Security, announced multiple vulnerabilities in the Avaya ONE X Voice over IP (VoIP) phone system. Exploitation, they said, can lead to general mayhem, including turning the phone into a listening post, propagating malware to other phones, and then propagating malware to other embedded devices that the phone can reach on the network such as printers or routers.” – Mocana
USB Memory Security Recommendations
- Block ports with a mechanical port block lock.
- Place security tape over that.
- Create a “no USB sticks unless pre-approved” rule.
- Warn employees that a gift USB stick could be a Trojan Horse gift.
- Warn employees that one easy espionage tactic involves leaving a few USB sticks scattered in the company parking lot. The opposition knows that someone will pick one up and plug it in. The infection begins the second they plug it in.
- Don’t let visitors stick you. Extend the “no USB sticks unless pre-approved” rule to them as well. Their sticks may be infected.
IBM Takes The USB Memory Security Lead
This new policy is being instituted to prevent confidential and sensitive information from being leaked due to misplaced or unsecured storage devices.
According to a report by The Register, IBM’s global chief Information security officer Shamla Naidoo issued an advisory stating that the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” This advisory further stated that this policy is already in effect for some departments, but will be further enforced throughout the entire company.” more
In Other news…
“South Korea Hands Kim Jong-un a Path to Prosperity on a USB Drive” – The New York Times
Kevin D. Murray CPP, CISM, CFE is a business counterespionage consultant and TSCM specialist with over four decades of experience.
Murray Associates is an independent security consulting firm, providing eavesdropping detection and counterespionage services to business, government and at-risk individuals.
Headquartered in the New York metropolitan area, a Murray Associates team can assist you quickly, anywhere in the United States, and internationally.