NetStumbler.org Forums

Old 11-24-2007   #61 (permalink)
Barry
Managing the iTards.
 
 
Join Date: Dec 2002
Location: Ohio
Posts: 5,259
Epoxy works just as well. Didn't we see these here a while ago??
__________________
Atheism is a non-prophet organization.
Old 11-24-2007   #62 (permalink)
audit
Country Boy.
 
 
Join Date: Aug 2002
Location: Deep in the Woods.
Posts: 1,891
I've done that with the GPO before but then we had people with Desktop Manager installed running daily backups of their Blackberrys. Now I've installed the Web version of Desktop Manager and removed the local one from everyone's systems. Now I need to edit the GPO settings again to disable the USB ports again.
__________________
audit

Blackberry Outage Mail List. Be one of the first people to know about RIM outages.
Blackberry Chat Mail List.
My day to day life.
Old 11-24-2007   #63 (permalink)
Airstreamer
Sniffin' the aether
 
 
Join Date: Nov 2004
Location: A little North of Reason
Posts: 2,726
Interesting..

While looking at the USB lock, this caught my eye:
ThinkGeek :: The ThinkGeek Annoy-a-tron
Let's see, I'd need about 12 of those little buggers...

/Evil grin...
__________________
"Wait just a minute, now. Whaddya mean, you DON'T use Regedit to send email?"
Old 11-24-2007   #64 (permalink)
Thorn
Did you do the math?
 
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,039
Quote:
Originally Posted by Airstreamer View Post
While looking at the USB lock, this caught my eye:
ThinkGeek :: The ThinkGeek Annoy-a-tron
Let's see, I'd need about 12 of those little buggers...

/Evil grin...
Man, that is slick. I read the testimonial, and decided what would make it perfect would be a sticker or case marked with something for the truly paranoid. You know, "FBI", "CIA", or "Nuclear Energy Commission - Division of Population Monitoring". Even after they found it, you'd have them guessing.
__________________
Thorn
"Lawyers should never marry lawyers. This is called inbreeding. It produces idiot children and more lawyers."
Old 11-25-2007   #65 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,765
Quote:
Originally Posted by Airstreamer View Post
While looking at the USB lock, this caught my eye:
ThinkGeek :: The ThinkGeek Annoy-a-tron
Let's see, I'd need about 12 of those little buggers...

/Evil grin...
I wrote a program several years ago that hides itself on the user's computer and will play a cricket chirp at random intervals. It even changes the volume in case the user has their speakers turned down.
__________________
It's not Intelligent Design, it's peer pressure.

┌──────────────────────────────┐
NS Icons Explained|et hoc genus omne
└──────────────────────────────┘
Old 11-25-2007   #66 (permalink)
Starpoint
Pr0nStumbler Expert Level
 
 
Join Date: Apr 2003
Location: Houston
Posts: 2,349
Quote:
Originally Posted by audit View Post
I've done that with the GPO before but then we had people with Desktop Manager installed running daily backups of their Blackberrys. Now I've installed the Web version of Desktop Manager and removed the local one from everyone's systems. Now I need to edit the GPO settings again to disable the USB ports again.
Yeah, everything is USB now and corporate America needs their BB. (course I have been thinking about getting a BB myself once I am back working and all that.)

I agree with Streaker, they need to offer the "Admin" packs of 100 or so. What would be even neater is if they had some piece of circuitry in it where a small program pushed on the system checks to see if they are there. If one is removed it lets you know WHOSE pc did it. The main server could be set up so that when your IT minions set it up, they input the system ID, and how many ports it has and which ones have the locks. This way if some manager needs his BB, you can leave one open.

However, if one is left open, who is to stop them from bringing in a hub?
__________________
Against the run of the mill, static as it seems

We break the surface tension with our wild kinetic dreams
Curves and lines -- of grand designs...


Tonight's movie "Soylent Green" has been brought to you by our sponsor - Waste Management

My mind is like a Steel trap - Rusty and Illegal in most states
Old 11-25-2007   #67 (permalink)
streaker69
Psychic Amish Stumbler
 
 
Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 11,708
Quote:
Originally Posted by Starpoint View Post
Yeah, everything is USB now and corporate America needs their BB. (course I have been thinking about getting a BB myself once I am back working and all that.)

I agree with Streaker, they need to offer the "Admin" packs of 100 or so. What would be even neater is if they had some piece of circuitry in it where a small program pushed on the system checks to see if they are there. If one is removed it lets you know WHOSE pc did it. The main server could be set up so that when your IT minions set it up, they input the system ID, and how many ports it has and which ones have the locks. This way if some manager needs his BB, you can leave one open.

However, if one is left open, who is to stop them from bringing in a hub?
I like that idea. Even if every single one just had a serial number and you installed a small piece of software.

I just wrote ThinkGeek an email saying they should carry an AdminPack of the locks.

It would be good in my case where I have process control machines and contractors come in and plug in things they shouldn't be plugging in.

GPO works well, I realize that, problem is, it can also work against the local admin at the same time. This is a quick and simple way to secure the USB ports and still make them available to the local admin quickly.
__________________
"One of these days, I'm going to cut you to pieces."

If you're offended by this post, please feel free to report it to one of the many helpful moderators of this forum.

Thank you.
Old 11-25-2007   #68 (permalink)
Starpoint
Pr0nStumbler Expert Level
 
 
Join Date: Apr 2003
Location: Houston
Posts: 2,349
Quote:
Originally Posted by streaker69 View Post
I like that idea. Even if every single one just had a serial number and you installed a small piece of software.

I just wrote ThinkGeek an email saying they should carry an AdminPack of the locks.

It would be good in my case where I have process control machines and contractors come in and plug in things they shouldn't be plugging in.

GPO works well, I realize that, problem is, it can also work against the local admin at the same time. This is a quick and simple way to secure the USB ports and still make them available to the local admin quickly.
Yeah.. each one with a serial #.... then you set up a DB that lists the ones in use.. if one does not report back, the DB tells you whose machine it was listed to.

Course if the user has a laptop and is EVIL like me, they can use one of these and a laptop drive

http://spirit.freeshell.org/cable1.jpg

http://spirit.freeshell.org/cable2.jpg

http://spirit.freeshell.org/cable3.jpg

I found this at Right Price Computers in Houston a few years ago. Allows me to slave up a drive to a laptop and do what I need.
__________________
Against the run of the mill, static as it seems

We break the surface tension with our wild kinetic dreams
Curves and lines -- of grand designs...


Tonight's movie "Soylent Green" has been brought to you by our sponsor - Waste Management

My mind is like a Steel trap - Rusty and Illegal in most states
Old 11-25-2007   #69 (permalink)
Barry
Managing the iTards.
 
 
Join Date: Dec 2002
Location: Ohio
Posts: 5,259
Quote:
Originally Posted by Starpoint View Post
Yeah.. each one with a serial #.... then you set up a DB that lists the ones in use.. if one does not report back, the DB tells you whose machine it was listed to.

Course if the user has a laptop and is EVIL like me, they can use one of these and a laptop drive

http://spirit.freeshell.org/cable1.jpg

http://spirit.freeshell.org/cable2.jpg

http://spirit.freeshell.org/cable3.jpg

I found this at Right Price Computers in Houston a few years ago. Allows me to slave up a drive to a laptop and do what I need.
Heh, we just use firewire drives.
__________________
Atheism is a non-prophet organization.
Old 11-25-2007   #70 (permalink)
audit
Country Boy.
 
 
Join Date: Aug 2002
Location: Deep in the Woods.
Posts: 1,891
Quote:
Originally Posted by streaker69 View Post
GPO works well, I realize that, problem is, it can also work against the local admin at the same time. This is a quick and simple way to secure the USB ports and still make them available to the local admin quickly.
I have the admins in a separate OU and a different GPO so it doesn't affect us. And I do agree that it affects the local admin but I don't have my network set up where it would affect them. I just don't want the USB ports enabled at all.

On a side note, I was talking with some security admins at another company and they were talking about how secure their network is now that they disabled USB card access. I reminded them that they have users with phones that have MicroSD cards in them and asked what security they had against that. They didn't know about the Mass Storage Device or that some users can enable Bluetooth and copy files to the MicroSD cards. They did an audit of the company and the cell phones and found one user that was doing just what I said and had a lot of company information on their MicroSD card. The user was taking the card out and putting it in the SD card reader and putting that in the built-in reader on the laptop and moving files over. The user also had put in notice that he was leaving the company. They found out from the files what company he was going to and let the lawyers have all the info.
__________________
audit

Blackberry Outage Mail List. Be one of the first people to know about RIM outages.
Blackberry Chat Mail List.
My day to day life.
Old 11-25-2007   #71 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,765
All this after I just re-wrote the original code in vbs and added html output! It's still a good admin tool nonetheless. Do what they will, they always forget about the serial port and floppy drive and FTP.
__________________
It's not Intelligent Design, it's peer pressure.

┌──────────────────────────────┐
NS Icons Explained|et hoc genus omne
└──────────────────────────────┘
Old 11-26-2007   #72 (permalink)
Thorn
Did you do the math?
 
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,039
Tech Republic.com has a story on this very topic today.

» Mind your USB | IT Security | TechRepublic.com

For those of you who don't subscribe, here's the text:
Quote:
IT Security
Host: Chad Perrin

For all the latest in expensive security software and peripherals that money can acquire, enterprises inevitably still miss some security holes. It might surprise you, but one security hole often missed out by security managers is the humble universal serial bus (USB) port.

Designed as the interface solution for a legacy-free PC, a USB can connect a mind-boggling number of computer peripherals, including mouse devices, keyboards, gamepads, joysticks, scanners, printers, and flash drives. And the list goes on.

Available on just about every computing device, the USB port has become ubiquitous. It can, however, be a security bane for the enterprise.

For an illustration of just how someone could exploit an enterprise workstation via its USB port, we can turn to a true story I read recently. You can read about it in this free white paper (IDG Connect : The Extraordinary Failure of Anti-Virus Technology) (Registration needed). Read on and you tell me how plausible it sounds.

Basically, an IT security officer at a U.S.-based company purchased a handful of memory sticks. He loaded some software on them and went ahead and scattered them around the company’s parking lot.

To cut a long story short, several employees found the memory sticks and took them back to their work terminals. They then plugged them into their PCs and laptops, found the software, and ran it “just to see what it does.”

Now, it would hardly be legal, but think about just how trivial it would be to load a malware or keylogger into the USB-based flash drive instead and repeat the same exercise at a competitor’s car park?

“But we have antivirus scanners!” you cry.

Just how hard is it to code a custom malware, first testing it against the most popular antivirus scanners to verify that their puny heuristic engines don’t sound the alarm on your nefarious executable? In fact, if you’re a good programmer, you can probably up the ante by encrypting your network data when reporting home. Bravo if you piggyback it on an anonymizing network such as TOR for further obfuscation.

All is not lost however. There are some practical steps you can take to mitigate some of the threat:

* Where possible, disable USB ports.
* Where possible, don’t let your users run as root or administrator.
* Disable the Autorun feature on removable drives.
* Compartmentalize your LAN into different VLANs.
* Deploy white-listing technology to complement antivirus scanners.

In the future, I’ll elaborate on some of these items, so stay tuned.
__________________
Thorn
"Lawyers should never marry lawyers. This is called inbreeding. It produces idiot children and more lawyers."
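
An added example, not part of the thread or the quoted article: a PowerShell audit of one Windows host against three of the mitigations in the TechRepublic list above (USB storage disabled, Autorun off, user not running as administrator). The function names are hypothetical; the registry values are standard Windows settings, and the check says nothing about the FireWire, card-reader, Bluetooth, serial or floppy paths raised elsewhere in the thread.

```powershell
# Added example: audits the local host only. Function names are hypothetical.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbHardening {
    $explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # 1. USB mass storage: Start = 4 disables the USBSTOR driver service.
    #    Keyboards, mice and other non-storage USB devices are unaffected.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    # 2. Autorun: NoDriveTypeAutoRun is a bitmask of drive types with Autorun off.
    #    Bit 0x04 is removable drives and bit 0x08 is fixed drives; this example
    #    passes only 0xFF (all types), because some USB disks enumerate as fixed.
    #    A machine-wide (HKLM) value takes precedence over the per-user (HKCU) one.
    $autorun = Get-RegValue "HKLM:\$explorer" 'NoDriveTypeAutoRun'
    if ($null -eq $autorun) {
        $autorun = Get-RegValue "HKCU:\$explorer" 'NoDriveTypeAutoRun'
    }

    # 3. Privilege: does the current token carry the local Administrators role?
    #    With UAC this reflects whether the running process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Emit one row per check so the result can be filtered or exported.
    [pscustomobject]@{
        Check    = 'USB mass storage driver disabled (USBSTOR Start = 4)'
        Observed = $usbStart
        Pass     = ($usbStart -eq 4)
    }
    [pscustomobject]@{
        Check    = 'Autorun disabled for all drive types (0xFF)'
        Observed = $autorun
        Pass     = ($autorun -eq 0xFF)
    }
    [pscustomobject]@{
        Check    = 'Current user is not running as administrator'
        Observed = $isAdmin
        Pass     = (-not $isAdmin)
    }
}

Test-UsbHardening | Format-Table -AutoSize
```

Run it in the user's own session rather than an elevated admin shell, otherwise the third check and the HKCU fallback describe the admin's context instead of the user's.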
Old 11-26-2007   #73 (permalink)
Airstreamer
Sniffin' the aether
 
 
Join Date: Nov 2004
Location: A little North of Reason
Posts: 2,726
USB social engineering...

I heard about one like that in a Laura Chappell class several years ago. The pen testers actually printed a fake company logo on the fobs to make them look 'legit'. And the parking lot was next to the credit union that they were checking. After about 3 days of the trojan 'phoning home,' the testers waltz into the security officer's cube and drop a sheet with a bunch of passwords and account info on it.

Not a pretty picture.
__________________
"Wait just a minute, now. Whaddya mean, you DON'T use Regedit to send email?"
Old 11-26-2007   #74 (permalink)
audit
Country Boy.
 
 
Join Date: Aug 2002
Location: Deep in the Woods.
Posts: 1,891
The USB thumb drive trick has been an old favorite of mine for a while now. It works 98% of the time. I forgot who showed it to me but it was a couple years back when I was doing a pen test with another company and I was just there as backup for the primary testers.
__________________
audit

Blackberry Outage Mail List. Be one of the first people to know about RIM outages.
Blackberry Chat Mail List.
My day to day life.
Old 11-26-2007   #75 (permalink)
Thorn
Did you do the math?
 
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,039
Quote:
Originally Posted by Airstreamer View Post
I heard about one like that in a Laura Chappell class several years ago. The pen testers actually printed a fake company logo on the fobs to make them look 'legit'. And the parking lot was next to the credit union that they were checking. After about 3 days of the trojan 'phoning home,' the testers waltz into the security officer's cube and drop a sheet with a bunch of passwords and account info on it.

Not a pretty picture.
That sounds like this report.


Quote:
Social Engineering, the USB Way
JUNE 7, 2006

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
__________________
Thorn
"Lawyers should never marry lawyers. This is called inbreeding. It produces idiot children and more lawyers."