USB Drives a Huge Security Concern

Monday, June 28, 2010 @ 06:06 PM gHale


At one point during a meeting not too long ago a security professional wanted to point out how easy it was to infect a system. All he had to do, he said, was to drop thumb drives with whatever form of a virus he wanted to use all around an office.
Without a doubt, he added, people will pick them up, plug them into their computer and start using them. A disaster is now born.
USB thumb or flash drives have become the mainstay across the globe. The ubiquity of this technology combined with new device features has offered malware authors strong potential to circumvent customary network access controls and protections.


It is important to emphasize to control system owners and operators this attack vector can threaten control system networks just as easily as enterprise networks.
Due to the increasing reliance on commercial off-the-shelf software and operating systems in control systems networks, Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) believes USB thumb drives are a significant malware attack vector for control system networks.
Not only that, but USB drives have been involved in many cases involving the loss of sensitive information. Their small size and increasingly high storage capacity has been instrumental in the loss of or theft of sensitive information from enterprise networks.
USB drives have been a significant network attack vector for several years now. An advance in USB technology, known as U3 and introduced in 2006, added additional vulnerability. U3 gives USB drives the ability to auto run applications when inserted into a computer running Microsoft Windows in the default configuration. U3 works by using a small 4 megabyte read only partition which registers with Microsoft Windows as a CD-ROM drive. The partition is treated as a standard CD-ROM drive and U3 takes advantage of the Windows AutoPlay feature causing Windows to automatically run the U3 LaunchPad application.
In addition, applications on the thumb drive which comply with the U3 specification can write files or registry information to the host computer. The specification requires the application remove registry information once the drive exits from the host computer but there are not technical ways to enforce this. This feature has made USB thumb drives a significant vector of attack for many strains of malware. US-CERT has documented malware such as Conficker have previously used USB drives as a replication vector.
Security professionals have seen four major forms of USB network attacks:
1. USB device used as data theft device using the “USB Switchblade” technique. In this mode, the attacker uses the USB drive to steal user website credentials cached in the victim’s browser or victim domain credentials cached LM or LAN Manager password hashes. This technique can also bypass workstation screensaver authentication controls.
2. The USB device is part of a social engineering exercise. Much like the scenario at the beginning of this story, in this mode the attacker leaves infected USB drives scattered around a target organization’s premises, knowing employees will insert the drives into their workstations. The USB drive in this example would contain a custom LaunchPad application that can steal user website and domain credentials and then send them to the attacker.
3. Malware loads onto the U3 USB thumb drive’s LaunchPad application. In this mode, malware has infected the LaunchPad application on the thumb drive and uses the auto run feature of Microsoft Windows as a means of replicating itself to victim workstations and then to other machines on the targeted organization’s network.
4. A previously malware compromised workstation copies itself to a USB flash drive. The USB flash drive then hits a new machine and makes a connection. The copied malware may have an icon designed to trick the user into thinking that it is a harmless media file, causing the user to execute the malware. An example is a USB drive plugged into an infected business system and then transfers files to a control system computer, bridging the air gap between the systems.
In order to resolve these issues, ICS-CERT recommends control system owners immediately implement these precautionary measures:
• Disable the CD-ROM auto run feature on every computer in the enterprise and control system networks.
• Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
• Caution users of this attack vector and remind them unknown USB’s should never plug into a business or personal computer.



Leave a Reply

You must be logged in to post a comment.