
Mind your USB

For all the latest in expensive security software and peripherals that money can acquire, enterprises inevitably still miss some security holes. It might surprise you, but one security hole often missed by security managers is the humble universal serial bus (USB) port.


Designed as the interface solution for a legacy-free PC, USB can connect a mind-boggling number of computer peripherals, including mice, keyboards, gamepads, joysticks, scanners, printers, and flash drives. And the list goes on.

Available on just about every computing device, the USB port has become ubiquitous. It can, however, be a security bane for the enterprise.

For an illustration of just how someone could exploit an enterprise workstation via its USB port, we can turn to a true story I read recently. You can read about it in this free white paper (registration needed). Read on and you tell me how plausible it sounds.

Basically, an IT security officer at a U.S.-based company purchased a handful of memory sticks. He loaded some software on them and went ahead and scattered them around the company's parking lot.

To cut a long story short, several employees found the memory sticks and took them back to their work terminals. They then plugged them into their PCs and laptops, found the software, and ran it "just to see what it does."

Now, it would hardly be legal, but think about just how trivial it would be to load malware or a keylogger onto a USB flash drive instead and repeat the same exercise at a competitor's car park.

"But we have antivirus scanners!" you cry.

Just how hard is it to code custom malware, first testing it against the most popular antivirus scanners to verify that their puny heuristic engines don't sound the alarm on your nefarious executable? In fact, if you're a good programmer, you can probably up the ante by encrypting your network data when reporting home. Bravo if you piggyback it on an anonymizing network such as Tor for further obfuscation.

All is not lost, however. There are some practical steps you can take to mitigate some of the threat:

  • Where possible, disable USB ports.
  • Where possible, don't let your users run as root or administrator.
  • Disable the Autorun feature on removable drives.
  • Compartmentalize your LAN into different VLANs.
  • Deploy white-listing technology to complement antivirus scanners.
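
A read-only audit of three of the mitigations above on a Windows workstation, as an added example that is not part of the original article. The function names `Get-RegValue` and `Test-UsbHardening` are hypothetical; the registry paths are the standard Windows locations for the USB mass-storage driver and the Autorun policy, and nothing is modified.

```powershell
# Added example: audits USB storage, Autorun and privilege level. Read-only.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbHardening {
    # USB mass-storage driver: Start = 4 is disabled, 3 is load on demand.
    # Disabling USBSTOR blocks flash drives; USB keyboards and mice keep working.
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    # Autorun: NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun   = Get-RegValue $policyKey 'NoDriveTypeAutoRun'

    # Least privilege: does this process hold an administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    return @(
        [pscustomobject]@{
            Check  = 'USB mass-storage driver disabled'
            Value  = $start
            Passed = ($start -eq 4)
        },
        [pscustomobject]@{
            Check  = 'Autorun disabled for all drive types'
            Value  = $autorun
            Passed = ($autorun -eq 0xFF)
        },
        [pscustomobject]@{
            Check  = 'Process is not running with an administrator token'
            Value  = $isAdmin
            Passed = (-not $isAdmin)
        }
    )
}

Test-UsbHardening | Format-Table -AutoSize
```

A missing value is reported as a failed check, since an absent policy means the Windows default applies rather than the hardened setting.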

In the future, I'll elaborate on some of these items, so stay tuned.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

16 comments
The Listed 'G MAN'

In the 80's the ultimate 'Spy film' device everybody was fighting over was the tape. "I have the tape" - said to dramatic music. Roll forward to the present, now we are looking at the flash card or USB drive as the smuggle item of choice. "I have the drive" "I have the card" Seeing as these devices can be plugged in to any machine the danger is real - so much so that the movies have picked up on the fact. However, what I never worked out is that the 'tape' was always a dictaphone tape that could not really hold computer data anyway (well in the way they used it)!

me19562

Very good article. Actually I believe that the main concern for SMB will be the malware that could infiltrate through a USB-attached device. User training combined with software, when possible, is very important to minimize the threat. But for big enterprises and governments it's more than just malware. Unsecured systems could be a target for data theft, and that's why big enterprises and governments lock down systems' USB or any other type of interface that could allow an attacker to gain access to the system's or network's sensitive, confidential, secret or top secret information.

afhavemann

Just helped a friend set up a new machine, an HP. The keyboard & mouse are Bluetooth, so's my phone, which promptly set up a relationship with the system. My phone has over 2 GB of storage. Need I elaborate? AFH

JCitizen

workstations where the user needed to swap info with mobile devices.

MoltenJules

It is no surprise that the FBI apparently use epoxy resin on all USB ports on new PCs. That is one way of providing a physical defence. I wonder if they do that at HMRC?

The Scummy One

Personally, at my work most systems are not locked down. But there are a few that I have personally locked down, including USB, swapping a CD burner for a DVD drive, and disabling card readers. But these are very few, and there is a good reason for it on these particular systems.

royhayward

Please. The real moral of your story has nothing to do with the USB port. It is the user. You probably could have found the same results with seeding the area with disks and CDs with a PIM app or a Yahtzee game. Sure, if you have dumb machines that don't need USB based on their purpose, disable it. But for my own workstation, where I spend the majority of every day using it to make money for the company, let's not make it harder or less convenient for me to use. If a user is willing to run the app "just to see what it does," then there is a user education issue, not an insecure port issue.

Alfa11

Great article, in our company USB ports are disabled on the BIOS. And obviously BIOS are password protected :). We are not that big so we could do this on all workstations.

sterling_barlow

Apparently, my firm buys their computers from a different place than the rest of you. All of our keyboards and mice are USB. Disabling USB would prove somewhat of a challenge to legitimate use.

DLMc

Unfortunately you are right! However, no matter what you do to try and minimise the risk, the human will take the risk. Put up a security barrier (physical or logical) and people will bypass it. We need to think beyond "removing the USB ports", "removing the disk drives" etc. Perhaps the first step is to automatically disconnect a PC from the corporate net should an external source be detected, until the source and the workstation are declared clean. At least minimise the damage to one machine. Like you, I need the technology for day to day work. Waiting for whitelisting or approvals gets in the way of doing business. A sad fact of life!

andronin

At the company where I work we deployed the Sanctuary Device Control product. It is by no means cheap, but it allows you to only allow the devices you want to work on the workstation, e.g. USB keyboards, mice, printers, cellphone sync. If you need certain persons to have access to a thumb drive you can allow just that user/group and monitor the files. The latest versions even allow you to block/allow file types.

ManiacMan

on the drives, so what's to stop users from running non-approved apps on their corporate PCs by simply plugging in their U3 enabled USB drives?

The Scummy One

to turn USB into PS2, of course the system will need PS2 ports... Also, PS2 keyboards and mice can replace USB ones easily, if there are ports (once again).

chatch

something called restrictions. All programs except, for example, "msword.exe" etc. can be disabled. Most users aren't clever enough to change u3.exe to notepad.exe etc., so that usually blocks it.

royhayward

I use a wireless keyboard and mouse. I haven't seen one of those that was PS2, but maybe I just haven't looked hard enough. Post a link to where I can buy a wireless PS2 kb&m if you have one.