Overcoming USB (In)Security
Michael Boman [email_address] http://www.michaelboman.org

Agenda
  • The Removable Storage Problem
  • The USB Attack Vector
  • Protecting the Organization Against
      • Disgruntled Employees
      • Careless Employees
      • Malicious Individuals
  • Questions and Answers

Lost Data In The News
  • Laptop stolen (May 2006)
      • Held private information on 26 million veterans
      • Class Action Lawsuit: $1,000 for each person!
  • October 29, 2006 – Lost CD contains personal data for more than a quarter-million hospital patients.
  • October 30, 2006 – US Federal Homeland Security Storage Drive on the Loose
  • November 20, 2006 – Stolen Laptop causes warning to 11 million UK customers
  • November 22, 2006 – Laptops with UK Police Payroll Details Stolen
  • April 10, 2007 – Georgia Dept. of Community Health – Disk Missing

The USB Attack Vector: Disgruntled Employees
  • Copy confidential data to personal USB device(s)
  • Sell to competitors
  • Blackmail the company
  • Bring your customers to the next employer

The USB Attack Vector: Careless Employees
  • Storing confidential data on removable storage
  • Which can be, and often is, lost or stolen

The USB Attack Vector: Malicious Individuals
  • Use USB devices as an attack vector and toolbox, as well as to store stolen data

Protecting Against Disgruntled Employees “Just Make A Policy That Forbids USB Devices”
USB Devices

Restricting USB Access
  • Physically Disable USB ports
      • Super-glue the USB port
      • Encase the computer in secured cabinets
  • Logically Disable USB ports
      • Windows Group Policies
      • 3rd Party Software

Super-Glue the USB port
Encase the computers in secured cabinets
Use software to disable USB Storage Devices

Protecting Against Careless Employees
What if there are valid business reasons to use USB storage devices?

Storing Data Securely
  • Encrypt data
  • TrueCrypt
      • Free (Libre / Gratis)
      • Open Source Software
      • Cross-platform: Windows, Linux
  • Various Commercial Offerings Exist

DEMO Truecrypt Enable your USB Device
Background Information on U3 Enabled Drives

Exploiting USB: Switchblade
Silently recovers information from target Windows PCs, including password hashes, LSA secrets, IP information, etc.

Exploiting USB: Hacksaw
Automatically infects Windows PCs with a payload that retrieves documents from USB drives plugged into the target machine and securely transmits them to an email account.

DEMO Hacking with USB drive

Additional Hardening
  • Disable Autorun: http://support.microsoft.com/kb/155217
  • Unfortunately there is no patch for human stupidity
  • Awareness Training is a MUST

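The two logical controls named on the slides, disabling USB storage in software and disabling Autorun, both come down to registry values that can be checked on every host. The PowerShell below is an added example, not part of the original slides: it audits those values and sets them only when run with its own `-Enforce` switch. The registry paths are the standard Windows locations for the USBSTOR driver and the `NoDriveTypeAutoRun` policy, which the slides do not name; the script layout and switch name are assumptions of this example.

```powershell
# Added example, not from the slides. Audits two registry values and, with the
# script's own -Enforce switch, sets them. Run elevated: both live under HKLM.
[CmdletBinding()]
param([switch]$Enforce)

$settings = @(
    [pscustomobject]@{
        Control   = 'USB mass-storage driver (USBSTOR) disabled'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Name      = 'Start'
        Want      = 4       # 3 = start on demand (default), 4 = disabled
        CreateKey = $false  # never fabricate a driver service key
    },
    [pscustomobject]@{
        Control   = 'AutoRun disabled for every drive type'
        Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name      = 'NoDriveTypeAutoRun'
        Want      = 0xFF    # bitmask covering all drive types
        CreateKey = $true   # policy key may not exist yet
    }
)

foreach ($s in $settings) {
    # A missing key or value means the control was never configured.
    $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $have = if ($item) { $item.($s.Name) } else { $null }

    if ($Enforce -and $have -ne $s.Want) {
        if (-not (Test-Path $s.Path) -and $s.CreateKey) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        if (Test-Path $s.Path) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type DWord
            $have = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
        }
    }

    # One result object per control, suitable for Export-Csv or a report.
    [pscustomobject]@{
        Control   = $s.Control
        Current   = $have
        Expected  = $s.Want
        Compliant = ($have -eq $s.Want)
    }
}
```

Disabling USBSTOR stops only the USB mass-storage class driver; keyboards, mice and other USB device classes keep working, so it does not replace the physical controls or awareness training listed on the slides.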
Don't forget Data Slurping
Q & A
If you have any questions, now is the time to ask them

Thank You!
Slides are available at http://michaelboman.org under Creative Commons BY-NC-SA 3.0 License

References
  • IntelliAdmin's USB Drive Disabler: http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html
  • TrueCrypt: http://www.truecrypt.org
  • Switchblade: http://www.hak5.org/wiki/USB_Switchblade
  • Hacksaw: http://www.hak5.org/wiki/USB_Hacksaw


Editor's Notes

  • #2: Ladies and Gentlemen, Thank you for having me. I understand that I am between you and your lunch, so please bear with me while I discuss a very important problem that is often overlooked. My name is Michael Boman and I am an IT Security Researcher and Developer with over 8 years' experience in the field. My day job is to think up technical solutions to improve my employer's bottom line. But for fun I research IT security and privacy issues. My current projects include automated malware analysis and turning a standard Linksys router into a powerful detection system for attacks on the Internet. Today I will share with you my findings and opinions on the risks associated with USB storage devices and removable storage in general.