Security
USB devices — a prescription for disaster
April 2006
USB devices are
commonly known as the 'Swiss army knife' of the hacker and, if not secured,
can leave both sensitive information and computer systems vulnerable to
attack. But how likely is it that any hacker will waste their time trying
to obtain your information, and what would they do with it?
Currently,
this risk must be considered to be a lot less than your local bank’s
database or cashpoint machine. However, a disturbing fact is that a
number of hackers just 'do it for fun'. For example, it could be 'fun'
to put some sensitive medical information about a local MP on the
Internet or sell it to the tabloid press.
So what makes USB devices such a security issue? There are several
factors that combine together to make USB devices a security nightmare.
1. The USB memory drives themselves.
It is very easy to mislay one of these devices. After all, many of us
lose our car keys every day and these devices are often attached to a
key ring. What makes this worse is that many USB memory drives may have
confidential and potentially interesting information on them.
Some devices have varying levels of security on board, using AES
encryption to ensure data stored on them remains secure. The Achilles
heel of all of these devices is that they more often than not use passwords,
set by the user, to unlock the data. It has been documented for years
how poor most users' password choices are when the system does not
enforce good choices, and none of these devices provide this feature.
Interestingly, some devices now require fingerprint verification to
access the data. This is a little too James Bond-like for me, and it is no
guarantee that some unauthorized person will not use your fingerprint,
with or without you attached, to access the data.
2. The USB port on the computer itself.
Even if your organisation is using the protected USB memory drives
that use encryption and fingerprints, there is often no control over
the computer port itself. A potential hacker could bring any old USB
memory drive, insert it into the port and download data on to it.
This gets considerably worse when you consider it is now possible to
contain entire operating systems (such as Damn Small Linux — DSL)
together with a number of hacking tools on a USB memory drive and use
this device to boot up the USB-based operating system on any PC. This
will allow any hacker potential access to your network and network
servers.
There are commercially available software packages that will manage
and provide access control for USB ports on all PCs on the network.
However, this is yet another set of controls that a hard-pressed IT
department will have to manage and one more thing that can go wrong.
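One read-only way to check how exposed a single Windows PC is to the USB memory drives discussed above, as an added example that is not part of the original article. The function name `Get-UsbStorageExposure` is hypothetical; the registry locations are the standard Windows ones, and the `Deny_All` policy value only exists on Windows versions released after this article (Vista and later).

```powershell
# Added example: audit USB mass-storage exposure on one Windows PC (read-only).
# Assumes the built-in USBSTOR driver; run from an elevated PowerShell prompt.
function Get-UsbStorageExposure {
    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $enumKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

    # Start = 4 means the USB mass-storage driver is disabled; 3 is the default.
    $start = (Get-ItemProperty -Path $svcKey -Name Start `
                -ErrorAction SilentlyContinue).Start

    # Deny_All = 1 is the Group Policy setting that denies all removable storage.
    $denyAll = (Get-ItemProperty -Path $policyKey -Name Deny_All `
                -ErrorAction SilentlyContinue).Deny_All

    # Each subkey of Enum\USBSTOR is a storage device model this PC has seen;
    # its child keys are the individual device instances (serial numbers).
    $devices = @()
    if (Test-Path $enumKey) {
        $devices = Get-ChildItem -Path $enumKey | ForEach-Object {
            $model = $_.PSChildName
            Get-ChildItem -Path $_.PSPath | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Model        = $model
                    Instance     = $_.PSChildName
                    FriendlyName = $p.FriendlyName
                }
            }
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($denyAll -eq 1)
        StorageBlocked = (($start -eq 4) -or ($denyAll -eq 1))
        DevicesSeen    = @($devices).Count
        Devices        = $devices
    }
}

# Summary first, then the history of storage devices this PC has seen.
$report = Get-UsbStorageExposure
$report | Format-List Computer, DriverDisabled, PolicyDenyAll, StorageBlocked, DevicesSeen
$report.Devices | Format-Table -AutoSize
```

These settings only cover USB mass storage while Windows is running. They do not stop a PC from booting an operating system from a USB drive, which is controlled by the firmware boot order, and they do not affect USB keyboards or other device classes.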
3. USB driver software loopholes
Perhaps most significantly, there are well-published security attacks
on most versions of the Windows operating system that exploit loopholes
in the USB driver software that is used by Windows to control the USB
ports. This software acts at a very low level and may allow a hacker to
take control of the computer itself or install hacking software on the
computer.
Currently there are service pack upgrades for Windows for all of the
USB driver issues that have been reported by security companies.
However, I wonder how many hard-pressed IT departments have managed to
put the latest service pack on every PC in the organization, even the
one in the remote clinic that no one likes to go to. The potential for
this threat still exists in many organisations.
4. Other USB devices
Many other types of USB devices have become available. These include
USB Bluetooth devices, USB external hard drives, USB keyboards etc. Many
of these devices may seem harmless enough until you consider that the
unprotected and uncontrolled USB port on any PC on your network could
give a potential hacker the chance to use these devices to obtain
confidential information.
An example of this is 'keyboard skimming'. You may have heard of
'cash point skimming' where hackers obtain your PIN code and a copy of
your cash card by attaching devices to cash point machines. Well,
unfortunately, it is possible to place a device inside a USB keyboard
and it will record all the keystrokes for two to three days. Having
installed such a keyboard on a PC on your network a hacker can simply
return and exchange it later, then take as much time as they wish to
analyze the covert keystroke data obtained from the keyboard to obtain
your user names and passwords to key information systems.
Considering all of the potential risks of USB devices, not only in
compromising the security of confidential information but the very
computer networks on which this information resides, you, like me, may
come to the conclusion that the use of these devices should be banned
within the NHS.
Many large companies have done exactly that and have also secured the
USB ports on all their PCs, and you could say they have far less to lose
than the NHS.
Clearly the prescription for the NHS on USB devices is: “Give up
soon. USB kills your security.”
Phil Colledge
www.123consultants.com