Entry of External Removable Media Into Company Premises
Posted on March 27, 2008
Filed Under: Portable Devices
Let’s encrypt these USB devices to make them tamper-free
As PDAs become more powerful and memory becomes cheaper, more people are carrying around a lot of personal information in an easy-to-lose format. First, check what the most trusted flash memory brands offer for data safety. The Transcend Elite Series has an encryption option, but it also provides a feature for configuring email clients on the USB drive and storing all mail on it, which we do not want from an organizational perspective. The Kingston Data Traveler 101 is just password protected, without encryption. So neither of them fully suits an organization.
So if you manually encrypt a USB flash drive with software like TrueCrypt, the user needs administrative privileges to install the drivers, which is not good. Also, a word of advice: never use TrueCrypt’s “Traveler mode” on an untrusted computer.
Cryptography is an exception. As long as you don’t write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.
Unfortunately, cryptography can’t solve most computer-security problems.
The one problem cryptography “can” solve is the security of data when it’s not in use.
Check these links for encrypting your data:
PGP Disk:
http://www.pgp.com/products/wholediskencryption/
Choosing a secure password:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
http://www.iusmentis.com/security/passphrasefaq/
Risks of losing small memory devices:
http://www.schneier.com/blog/archives/2005/07/risks_of_losing.html
Laptop snatching:
http://www.sfgate.com/cgi-bin/article.cgifile=/chronicle/archive/2006/04/08/MNGE9I686K1.DTL
or http://tinyurl.com/fszeh
Microsoft BitLocker:
http://www.schneier.com/blog/archives/2006/05/bitlocker.html
TrueCrypt:
http://www.truecrypt.org/
Why is the entry of external removable media into company premises a bad idea?
iPods, with their large hard drives and USB 2.0 and FireWire connectivity, can be an ideal tool for file-pilfering, known as podslurping. A lot has been said about the threat of iPods, digital cameras and USB memory sticks to information security programs. Because all of these are basically high-capacity storage devices, they make it easy for thieves to slip into your organization, quickly download a bunch of confidential docs, and then slip out. Thieves can hide corporate secrets on the SD card of a digital camera, and if they want to be really sneaky, they can even delete the files so that the information won’t show up during a casual inspection. Then, when they get home, they can use an “undelete” program to recover the secrets.
But there is another important threat that portable storage poses to today’s information systems. Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB’s internal storage, and hide them as “deleted” files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that’s likely to be with us for many years to come.
AutoRun is just a really bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what’s on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the “Shift” key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for “disable autorun”), or you can download and use Microsoft’s TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in Windows Explorer, choosing the AutoPlay tab, and then selecting “Take no action” for each kind of disk that’s listed. Unfortunately, disabling AutoPlay for CDs won’t always disable AutoPlay for USB devices, so the registry hack is the safest course of action.
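The registry change referred to above, as an added example that is not part of the original post: it audits and then sets the NoDriveTypeAutoRun policy value, a bitmask in which each set bit disables AutoRun for one drive type. The function names are illustrative, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# NoDriveTypeAutoRun is a REG_DWORD bitmask: a set bit DISABLES AutoRun
# for that drive type, so 0xFF disables it for every type.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$DriveTypeBits = [ordered]@{
    'Unknown'          = 0x01
    'No root dir'      = 0x02
    'Removable (USB)'  = 0x04
    'Fixed disk'       = 0x08
    'Network'          = 0x10
    'CD-ROM/DVD'       = 0x20
    'RAM disk'         = 0x40
    'Reserved/unknown' = 0x80
}

function Get-AutoRunPolicy {
    # Reports which drive types still have AutoRun enabled under one policy key.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Path = $Path; Mask = 'not set'; StillEnabled = 'OS default applies' }
    }
    $mask = [int]$item.NoDriveTypeAutoRun
    $enabled = $DriveTypeBits.GetEnumerator() |
        Where-Object { ($mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        Path         = $Path
        Mask         = '0x{0:X2}' -f $mask
        StillEnabled = if ($enabled) { $enabled -join ', ' } else { 'none' }
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and disables AutoRun for all drive types.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

$PolicyPaths | ForEach-Object { Get-AutoRunPolicy -Path $_ }    # state before
$PolicyPaths | ForEach-Object { Set-AutoRunDisabled -Path $_ }  # enforce 0xFF
$PolicyPaths | ForEach-Object { Get-AutoRunPolicy -Path $_ }    # state after
```

The machine-wide (HKLM) value applies to every user of the PC; the HKCU value only covers the account that ran the script.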
AutoRun is the feature built into Windows that automatically runs a program specified by the file “autorun.inf” whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. The feature exists so that software makers can have pretty splash screens appear on the computer when the installation CD-ROM is placed into the drive. Unfortunately, there are few, if any, restrictions placed on what AutoRun programs can do: as far as Windows is concerned, it’s just another program that the user is running. The AutoRun threat is very real and has been exploited on a massive scale. The rootkit/spyware combination that Sony Music distributed last year on millions of compact discs was installed as part of an AutoRun script. Spyware was installed on Windows-based PCs all over the world. It turns out that the music CDs also included spyware for Macs, but on MacOS the spyware needed to be manually installed, and few Apple users bothered.
But as bad as AutoRun is, there’s a vulnerability built into practically every desktop computer and server that’s currently in use, and this is a vulnerability that affects PCs running Windows, Macs and quite possibly machines running Linux or even Solaris. The vulnerability is based on the direct memory access facilities built into the FireWire and USB standards.
In the 1990s, the Macintosh operating system had a feature like AutoRun, which was removed after a virus made use of it in 1998. Microsoft needs to remove this feature from Windows as well.
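To see what an “autorun.inf” would launch before anyone opens the media, the file can be read as plain text. The following is an added example, not part of the original post: it parses the [autorun] section and lists the launch entries without executing anything. The function name and the sample file contents are constructed for illustration.

```powershell
# Added example (not from the original post). Lists what an autorun.inf
# would launch, without executing anything.
function Get-AutoRunCommands {
    param([string[]]$Lines, [string]$Source = '(sample)')
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Track the current INI section, e.g. [autorun].
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        # Keys in [autorun] that name a program or document to start.
        if ($section -eq 'autorun' -and
            $line -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Source = $Source; Key = $Matches[1]; Command = $Matches[2] }
        }
    }
}

# Constructed sample file contents, for illustration only.
$sample = @'
[autorun]
icon=setup.ico
label=Product Setup
open=viewer.exe /silent
shell\open\command=viewer.exe /silent
'@ -split '\r?\n'
Get-AutoRunCommands -Lines $sample

# Same check against every removable (2) and optical (5) drive currently mounted.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 5' | ForEach-Object {
    $inf = Join-Path "$($_.DeviceID)\" 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-AutoRunCommands -Lines (Get-Content -LiteralPath $inf) -Source $inf
    }
}
```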
You can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files. If an attacker can convince you to plug his USB device into your computer, he can take it over.
Technical Bugs
There are basically two ways to move information between a computer system and the rest of the world. The first is called Programmed I/O (PIO), in which the computer’s central processing unit carefully copies each byte of memory between the world and the computer. PIO is easy to implement (the early PCs used PIO exclusively), but it’s slow. DMA, on the other hand, uses bulk data transfers to move blocks of information between the world and the PC’s memory. When early PCs moved from PIO to DMA, the maximum data transfer speed rose from 8 MBps to 480 Mbps. USB 2.0 lets you use more of those devices at once and also adds a new speed, which can use the entire 480 Mbps bandwidth that USB 2.0 provides for Hi-Speed devices. With DMA-based systems the CPU sets up the transfer and then goes off to work on other things. Because FireWire and USB were designed with the intention of connecting high-speed disk drives, both specifications have provisions for DMA. This means that, under many circumstances, a device that’s plugged into a FireWire or USB interface has the ability to read and write to individual physical memory locations inside the host computer. Such access necessarily bypasses the host operating system and any security checks that it might wish to implement.
In theory, this iPod DMA technique could be used to send an attack to the victim that would disable certain security checks in the victim’s Windows operating system. Or the attacker could simply modify the running system so that instead of running user code, it instead scans the system’s hard drives for confidential documents and copies them to the iPod.
On the other hand, there’s been ample evidence that USB-only PCs running Windows are susceptible to yet another kind of attack: a buffer-overflow attack that’s made possible because of poorly written USB drivers. Such coding errors can be exploited by USB devices as yet another way of taking over computers running the Windows operating system. It’s a shame that today’s FireWire and USB-based systems weren’t designed with security in mind. It wouldn’t have been hard to build security in from the beginning, for example by allowing DMA only to specific memory addresses that had been previously designated by the host operating system. Sadly, that’s a decision that would have had to be made years ago.
Mitigation Process
To defend against these threats, minimize the amount of data on your desktop PC and laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database with them?
The best defense against data loss is to not have the data in the first place.
Throwing encryption at the problem isn’t going to help; in fact it will probably make it worse. The core of the problem is that people don’t classify their data properly, and don’t take proper steps to protect data that should be classified “secret”. If we just say, “Everything on your laptop is now encrypted”, users will continue to dump whatever they like on their laptops, even data that they have no business having, keeping or transporting, because now, “It’s encrypted and perfectly safe.” If we want a technical solution to the problem, we need to make it easier for people to classify and manage their data. Also, email service providers are giving us more and more gigabytes of storage space, tempting users to keep their data forever. But how secure is this data, and what if a breach occurs?
The top two reasons for mismanagement of data in a company are:
- Failure to make backups
- Taking confidential data out of a secure facility
Given the risk involved and the relatively low cost of implementing policies, conducting employee education, and potentially deploying technological means to limit abuse of USB ports, more businesses should be actively working to minimize this threat. Failure to do so may well leave the business with significant exposure, both to third parties (in the event personally identifiable information is compromised) and, potentially, to its own shareholders and investors (in the event company proprietary information is compromised).
HTH,
Asok