Mix social engineering and USB sticks, you get...
Albuquerque
02-Nov-2007, 21:12
... scary results:
http://www.darkreading.com/document.asp?doc_id=95556
I think it was a very good idea by those who thought it up, but it's scary how effective it was. Being a member of one of the many layers of security in my IT organization, I could see this happening here too. Scary indeed...
digitalwanderer
02-Nov-2007, 21:21
Brilliant!
I love those things, I really do. And my wife loves them even more. She's got about 5, I think.
The biggest each of us has is 16GB. Maybe two more generations and we should be able to carry *everything* digital we care about around in our pocket without picking and choosing for the most important. That's pretty incredible.
The more interesting question here is how to address this? IT turning off every USB slot in the enterprise doesn't seem like a very useful solution. . . .
digitalwanderer
02-Nov-2007, 23:21
Enforcing common sense policies would fix it, like don't check strange USBs on the company PCs. ;)
It's that "enforcing" thing I'm pointing at tho. Getting to fire someone after the fact isn't as satisfying as not having the bad thing happen in the first place.
Bouncing Zabaglione Bros.
02-Nov-2007, 23:58
Social engineering is woefully underrated as an attack vector, probably because the security and anti-virus companies can't sell you something for dumb users.
That's why you need something like Kaspersky that's running all the time on all corporate machines and locked out from user control, and have all your departments firewalled from each other.
NovemberMike
04-Nov-2007, 21:30
Hmm... I wonder if it would be possible to create a handshake system that only runs the USB drives if they have a particular file format or encryption system...
Albuquerque
04-Nov-2007, 23:01
The technology underlying this attack was not AutoRun, but instead what appeared to be a JPEG file was actually an executable. Said executable did unscrupulous things, built itself an SMTP service and sent items outside the company.
The primary part of the problem starts with user rights to their local machine. As in, don't make people admins of their own box. That starts down the right track by NOT allowing things to trojan themselves in by creating services / et al -- at least for the most part.
A second and similarly easy method would be firewall egress control, as in not allowing data to traverse OUT unless the app / source / protocol / etc is whitelisted. Our organization finally started this at the beginning of 2007, mostly because we had people somehow still running torrents on machines that we somehow couldn't track. We also had certain types of data (cough, cough, credit card data :o ) that wasn't being handled correctly by the teams responsible -- but we (as in, centralized IT) never knew! There's a lot of nasty stuff you catch by doing this; most of which is stuff you NEED to catch even if nobody is actively attacking you.
And of course, third would be continuous education of your staff. Firing someone wouldn't do any good if the next person you hired was apt to do the very same thing. Hell, firing the "problem people" may actually be worse, as you're not fixing the problem, but in turn giving yourself another one -- retraining the new employee from scratch on their standard job duties.
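The attack in the linked article worked because a file named like a JPEG was really a Windows executable. As an added illustration (not code from the thread or the article), this script checks what a file's bytes actually are against what its name claims, including the "photo.jpg.exe" trick where Explorer hides the real extension; the magic-byte table and sample stick contents are constructed for the demo.

```python
import struct

# Expected leading bytes for common "safe-looking" extensions (constructed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes actually are."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # photo.jpg.exe: Explorer hides the final, real extension by default.
    if ext in EXEC_EXTS and len(parts) > 2 and "." + parts[-2] in MAGIC:
        return "double-extension executable"
    if is_pe(data):
        return "pe-executable" if ext in EXEC_EXTS else "pe-executable disguised as " + ext
    if ext in MAGIC:
        return "ok" if data.startswith(MAGIC[ext]) else "content does not match " + ext
    return "unknown extension"

def scan(files: dict) -> list:
    """Return (name, verdict) for every file whose verdict is not 'ok'."""
    return [(n, classify(n, d)) for n, d in files.items() if classify(n, d) != "ok"]

def fake_pe() -> bytes:
    """Constructed minimal PE-looking header for the demo; not a working program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    # Constructed sample "USB stick" contents.
    stick = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "party.jpg": fake_pe(),        # the attack the thread describes
        "scan.jpg.exe": fake_pe(),     # double-extension variant
        "report.pdf": b"%PDF-1.4\n",
    }
    for name, verdict in scan(stick):
        print(f"{name}: {verdict}")
```

A real deployment would hook this into the mail gateway or a file-server scan rather than running it by hand; the point is that the extension alone is not evidence of anything.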
Or simply use Firefox and Thunderbird.
Because if you allow people to copy files to and from their USB sticks, which you really want and need to allow, there is very little you can do.
There is no foolproof technical solution to those problems at all. The best you can do is use a hierarchical one: make it known that their boss has to pay the cleanup bill.
Albuquerque
08-Nov-2007, 20:49
A Mozilla / Opera browser might avoid the specific JPEG attack, but doesn't stop someone / something from creating bad services and sending bad data. And in fact, it isn't always an intentionally malicious source that's doing these things (ie, things that shouldn't be done). User workstation privileges are to blame there, along with Microsoft's inane method of giving everyone Admin rights by default.
Our egress control has been our biggest win, and similarly the biggest source of frustration for a TON of people since we implemented it. Nearly all of that frustration comes from people being accustomed to "getting away with it". We found incredible amounts of sensitive data, some of it even customer and financial in nature, leaving our company on a regular basis through unsecured means that we never even knew about. Now, this wasn't surreptitious methods; this data was all destined for other institutions or vendors that we deal with.
Still, the huge amounts of data were scary. And the reason we didn't know? Because teams in charge of that data were "just" IT savvy enough to set something up, but not savvy enough to understand what they were truly doing. They had mission-critical data transfer services running from non-backed up desktop equipment in a cubicle in the middle of the floor in several cases.
The general user base had some murmurs of discontent too, as people suddenly couldn't remote-in to their home machines, or use FTP services to upload data to their personal ISPs, etc. Our outbound internet traffic fell by some 40% when we first turned it on, and even now after all the other stuff has been finally brought into spec and allowed through, we're still ~25% less outbound traffic than we were 18 months ago.
We also enabled some group policies (by way of both Windows and our Symantec Endpoint Client) that disables internal network access if an external network source is attached to the workstation -- like tethering to a PDA, or installing a GSM/EVDO card-modem, et al.
What's sad is, even with all of this in place, there's another hundred ways data can leave this environment without our knowledge. And essentially, it all really boils down to the individual users doing things they really shouldn't.
Education of the masses is the single best thing you can do to limit your losses, and my company is (like most) really behind the education game. Our masses are blissfully ignorant, and training them about "technical things" like NOT copying crap to your USB drive just isn't in the interest of senior management right now.
Sadly, it will never be in their interest until something bad happens. :(
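The egress control described in the post above is "deny by default, allow what is whitelisted per process / destination / port / protocol". As an added example (my own code, not Albuquerque's firewall), this evaluates constructed host-firewall log lines against a constructed allow list and groups the denied flows by process, which is how you find the FTP-to-home-ISP and rogue-SMTP cases the post talks about.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    host: str
    process: str
    dst_ip: str
    dst_port: int
    proto: str

# Constructed allow list: anything not matched here is dropped and logged.
ALLOW = [
    {"process": "*",           "dst": "10.0.0.0/8",      "port": None, "proto": "*",   "note": "internal"},
    {"process": "outlook.exe", "dst": "203.0.113.0/24",  "port": 443,  "proto": "tcp", "note": "mail gateway"},
    {"process": "sftp.exe",    "dst": "198.51.100.0/26", "port": 22,   "proto": "tcp", "note": "vendor transfer"},
]

def parse_line(line: str) -> Flow:
    """Parse a constructed host-firewall log line: host process dst_ip dst_port proto."""
    host, process, dst_ip, dst_port, proto = line.split()
    return Flow(host, process.lower(), dst_ip, int(dst_port), proto.lower())

def decide(flow: Flow):
    """Return ('allow', note) for the first matching rule, else ('deny', reason)."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in ALLOW:
        if rule["process"] not in ("*", flow.process):
            continue
        if dst not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["port"] is not None and rule["port"] != flow.dst_port:
            continue
        if rule["proto"] not in ("*", flow.proto):
            continue
        return "allow", rule["note"]
    return "deny", f"{flow.process} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto} not on allow list"

def review(lines):
    """Group denied flows by process so owners can be found and the rule set corrected."""
    denied = {}
    for line in lines:
        flow = parse_line(line)
        verdict, why = decide(flow)
        if verdict == "deny":
            denied.setdefault(flow.process, []).append(why)
    return denied

SAMPLE_LOG = [  # constructed sample lines
    "ws0042 outlook.exe 203.0.113.10 443 tcp",
    "ws0042 ftp.exe 198.51.100.200 21 tcp",      # upload to a personal ISP
    "ws0017 mstsc.exe 198.51.100.40 3389 tcp",   # remote desktop to a home PC
    "ws0017 sftp.exe 198.51.100.9 22 tcp",       # approved vendor transfer
    "ws0099 svchost.exe 192.0.2.9 25 tcp",       # unexpected outbound SMTP
    "ws0099 explorer.exe 10.2.3.4 445 tcp",
]

if __name__ == "__main__":
    for proc, reasons in review(SAMPLE_LOG).items():
        print(proc, reasons)
```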
Some type of authentication on USB ports should be possible, I'd think. So that only approved/pre-configured USB sticks can be used that way. That way you've limited your education needs to a much smaller subset of the company that actually has a legitimate pre-approved and trained need.
Really, there is no technical solution that allows users to do their job, while restricting anything dangerous. None.
Most users aren't programmers, but they all have internet access. At home will do. And there are very many workarounds on the internet for anything you and your team can come up with.
It's you against thousands of enthusiast crackers. You lose.
If you don't like the hierarchical approach and really demand a technical one, the best you can do is rebuild the PC really fast if needed. Including all the user-specific changes made in the past. Which means, that you have to automate all of it. And that any change has to be done through that mechanism, otherwise you need to keep track of all those manual changes done, and reproduce them. And how are you even going to record them in a way that someone else can reproduce them in the exact same way?
I know just about any system administrator will freak out by those demands, unless they have actually worked in such an environment for a serious time, to allow for "reprogramming" them.
And yes, it's hard to implement something like that. Mostly because of politics and sysadmins who demand to freewheel as they see fit. Because I designed and implemented such a system seven years ago at a large multinational, and it is still used today, because it actually works.
Which is more than you can say about any other solution.
Or simply use Firefox and Thunderbird.
Because if you allow people to copy files to and from their USB sticks, which you really want and need to allow, there is very little you can do.
There is no foolproof technical solution to those problems at all. The best you can do is use a hierarchical one: make it known that their boss has to pay the cleanup bill.
While you're at it, run a variant of Linux, with Linux apps, and virtualized Windows OSes for anything else.
Ilfirin
31-Dec-2007, 04:40
Not sure how everyone else does it, but at a local (I say local but it's actually an international corporation and one of the largest in the world in its field) pharmaceutical company here in town, the very devices and drivers allowed on each computer were totally controlled. If someone tried to plug in a USB drive it would first of all not allow it and second of all issue a report over the network directed to the security department. You could not update your display drivers or any other driver for that matter. Only the IT team could. Any state change whatsoever to the computer caused a lockdown that required IT security to step in in order to unlock it.
Even installing something like iTunes causes the same effects.
I've worked on a laptop for this company outside of the company and was able to hack around the security in order to install something that'd work with my friend's iPod on the network. Everything worked fine while at his house, but (the next day) the second the computer got within range of the company's network and connected, the entire computer was instantly locked down in such a way that only the security department of the organization could unlock it. Just for that little lapse in security that same individual was interrogated (within a few hours of him stepping into the office) by a security officer with [legitimate] threats of FBI charges being brought up if they weren't satisfied with his answers. All because he wanted to play songs off his iPod at work. Luckily in this case they accepted his answers and let him off with a warning.
The security at this company was one of the only systems I've ever seen where it didn't take me a matter of seconds to bypass any amount of work the company had done. Well, it still didn't take but a few seconds to get around it, but then all this happened the second he reconnected to his work's network. I'm sure if I really wanted to I could find a way around the network side of things as well, but given how quickly and systematically the response was to something as simple as what I did, I don't think I'll try.
I believe their system would be fairly secure against such a USB-drive attack.
Skrying
31-Dec-2007, 04:42
Not every company can have their computers locked down to that degree. That's when the problem arises.
Ilfirin
31-Dec-2007, 04:55
Yeah, like I said.. this is one of the largest pharmaceutical companies in the world, with near infinite resources.
Yeah, like I said.. this is one of the largest pharmaceutical companies in the world, with near infinite resources.
Sounds like the computers were still fairly easy to compromise, but the network wasn't. I'd imagine that would take some fairly decent espionage work to get around, or rather someone with access to the wanted information willing to betray their company.
Now as for compromising the network with some kind of virus or something...only thing I can think of is how secure the network is and how secure the BIOSes of the computers are. Could PXE network boot be used as a way to compromise a machine? Say if all the computers are booted on at the beginning of the day?
Ilfirin
31-Dec-2007, 20:40
As far as I can tell, they keep track of each individual computer's state somewhere on the network and check against that state whenever a computer connects to that network. If any substantial (or less than substantial) changes have been made since the last time the computer was connected to the network, that computer is shut down and has to be checked and authorized by their IT security department before they'll allow it to work. So, yes, outside the network the computers themselves were easy to compromise (find me one computer that isn't) but there was constant monitoring of each computer while on the network (and while connecting) that made it extremely difficult for any kind of unapproved access to be performed.
You'd think this would make booting/network-log-on rather slow but it's actually only a second or two more than normal (and all systems I saw were using Windows XP).
I'm kinda curious how the whole system worked (couldn't get too much information out of one single interaction with the network) as a whole but the basic principle seems to be "mandate everything server side and conditionally allow certain operations to be allowed on the client with every operation defaulting to 'disabled' unless explicitly allowed by an administrator."
I've personally seen some documents from the FDA on one of the higher(est) up members of the company that would create complete public uproar if released public, so it's not surprising they'd be such "nazis" with their security.
Albuquerque
02-Jan-2008, 19:20
If you don't like the hierarchical approach and really demand a technical one, the best you can do is rebuild the PC really fast if needed. Including all the user-specific changes made in the past. Which means, that you have to automate all of it. And that any change has to be done through that mechanism, otherwise you need to keep track of all those manual changes done, and reproduce them. And how are you even going to record them in a way that someone else can reproduce them in the exact same way?
While potentially effective under rather severe restrictions, this still doesn't do anything to combat the original issue: the machine can still be compromised, and then either used to steal data or surreptitiously transmit data. Sure, you can rebuild it quickly, but only if you know something is broken. And depending on the method in which it was attacked, your automation process might move the "hack" (perhaps an evil Word spreadsheet with VBA code in it) right back into production again.
I'm kinda curious how the whole system worked (couldn't get too much information out of one single interaction with the network) as a whole but the basic principle seems to be "mandate everything server side and conditionally allow certain operations to be allowed on the client with every operation defaulting to 'disabled' unless explicitly allowed by an administrator."
This is likely some extension of 802.11x authentication. In a nutshell, the workstation authenticates to the network switch. With workstation OS plugins, you can mandate certain requirements before the workstation is allowed on. If the workstation is not able to comply, there are various options that become available. Example: you can mandate an OS with a specific build and patch level, antivirus installed and definition dates within a certain age limit, workstation naming standard, et al.
Our company is looking into 802.11x this year, as we now have all the switching hardware at all sites and locations to make it work reliably. We have problems with people in the development labs building their own machines and then leaving them completely "open" while attached to the network. We also have problems with contractors plugging in "unknown" machines to our internal network and then causing virus issues (heh, only affects people who aren't standard anyway -- maybe a bit of IT darwinism hehe -- but causes unneeded network traffic issues and potential security risks). 802.11x would solve for all of these and considerably more...
There's an incredible list of things you can do within your organization that keeps information from seeping outward when it's on your network. But once it's no longer on your network, your choices dwindle to near-zero. It's only a function of time, access and money...
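The admission checks the post above lists (OS build and patch level, antivirus definition age, naming standard) are what the switch-side policy engine evaluates before a port is opened. As an added example, not Albuquerque's deployment or any vendor's product, here is that posture logic over constructed workstation reports; the policy values, the "quarantine" outcome and the report field names are all assumptions for the demo.

```python
import re
from datetime import date, timedelta

# Constructed admission policy in the spirit of the post above; not any product's schema.
POLICY = {
    "os": "Windows XP",
    "min_service_pack": 2,
    "max_av_age": timedelta(days=7),
    "hostname": re.compile(r"^WS\d{4}$"),
    "required_agents": {"antivirus", "endpoint-control"},
}

def assess(report: dict, today: date):
    """Return ('grant', []) or ('quarantine', [reasons]) for a workstation's posture report."""
    reasons = []
    if report.get("os") != POLICY["os"] or report.get("service_pack", 0) < POLICY["min_service_pack"]:
        reasons.append(f"OS/patch level not approved: {report.get('os')} SP{report.get('service_pack', 0)}")
    av = report.get("av_definitions")  # date of the last definition update, or None
    if av is None or today - av > POLICY["max_av_age"]:
        reasons.append("antivirus definitions missing or older than policy allows")
    if not POLICY["hostname"].match(report.get("hostname", "")):
        reasons.append(f"hostname {report.get('hostname')!r} breaks the naming standard")
    missing = POLICY["required_agents"] - set(report.get("agents", ()))
    if missing:
        reasons.append("required agents not running: " + ", ".join(sorted(missing)))
    # Every failure is collected, so the helpdesk sees the whole list at once.
    return ("grant", []) if not reasons else ("quarantine", reasons)

if __name__ == "__main__":
    today = date(2008, 1, 2)
    # Constructed reports: a managed workstation and a self-built lab machine.
    managed = {"hostname": "WS0042", "os": "Windows XP", "service_pack": 2,
               "av_definitions": date(2008, 1, 1), "agents": ["antivirus", "endpoint-control"]}
    lab_box = {"hostname": "bobs-box", "os": "Windows XP", "service_pack": 1,
               "av_definitions": None, "agents": []}
    for r in (managed, lab_box):
        print(r["hostname"], assess(r, today))
```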
Something like Sanctuary Device Control (http://www.lumension.com/usb_security.jsp) shouldn't be too expensive for most enterprises.
Personally I'm more in favour of educating your users than going all draconian on them, but if you need it, Sanctuary does what it claims, and you can make all sorts of exceptions on a per user, per desktop, or per device level.
Well, it's actually not very hard to lock everything down, you can do that even on Windows computers without too much fuss. A controlled boot and replacing the default shell will go a long way. And during startup, you can check the system and force-replace all settings to the company defaults, after which you can run "light" installers for all allowed stuff. That shouldn't take more than a few seconds extra during startup.
But the main point is, if you do all that, you make the IT department responsible for carrying out all minor configuration changes users would make themselves without even noticing. The bad part in that isn't even that your IT budget explodes, but that the productivity of all users goes down tremendously.
They would have to fill out a form, collect signatures and have it processed to do many things most people do every day and take for granted.
While it seems like most employees could do their job within a very strict and closed environment, from a high-level view, that is rarely the case. If they could, they would all still use a terminal hooked up to a mainframe. Microsoft Office, or Word wouldn't be allowed, as that alone allows the users too much freedom and has all kinds of security risks built in.
For an example: Microsoft locked down Office macros (VBA) a few years ago, to disallow anything they deemed dangerous. So, what did that accomplish? It required all Office apps to be rewritten; the programmers had to put "VB." in front of the unallowed and risky commands. Users can do that themselves...