It'll only get worse
Once USB-C (3.1) sticks become more common, security threats will only increase.
As you can route PCI over USB-C, goodness knows the sorts of attacks that could then be carried out.
Arriving at a recent conference organised by one of the government's many regulatory bodies, I received my obligatory lanyard – and something else, credit-card-shaped, emblazoned with the branding for the event. "What's this?" I asked. "Oh, that's a USB key." I presume the conference organisers mistook my wild-eyed stare of …
> Once USB-C (3.1) sticks become more common, security threats will only increase.
> As you can route PCI over USB-C, goodness knows the sorts of attacks that could then be carried out.
You're dealing with marketroids & PR.
These are the folk who will keep sending out emails which exactly emulate phishing emails to customers and would-be customers. Emails, even, warning their customers of the dangers of phishing. They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.
Given half a chance they'll hoard customer details contrary to GDPR until they earn their employers multi-million quid fines.
They'll make every effort to force ads onto people who make abundantly clear by using ad blockers that ads are unwelcome and hence hugely counter-productive.
They lobbied Bambi's govt to make exceptions for existing customers to let them bypass TPS and make those calls, even though use of TPS should send the same message as ad-blockers.
They're the biggest single risk to their employers in terms of pissing off potential and existing customers and in attracting GDPR fines.
You're never going to talk sense into them.
Hello:
> You're dealing with marketroids & PR.
Indeed ...
But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...
I'm sure you get the idea.
To all these shitheads it's all about the money (moolah, dough, wonga, bread, etc.) and only about the money, and up to a point it makes sense: if they do not get the results expected from them, they are out of a job.
None of these minions serving the upper echelons give a monkey's toss about what their actions mean or their consequences.
So they just do as they are told, instead of putting spokes in the wheel, like I was once told I should and was then promptly sacked.
Business ethics? Corporate responsibility and accountability?
Yes, they've surely heard of all that at some time or another but these have long ago become abstract values.
Cheers,
O.
> But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...
...more often than not come from a background in marketing and PR.
There's your problem, right there, and it's cultural, not technical or political in nature.
Meanwhile, at our $BIGCORP...
1. E-mail received about warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.
2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.
You couldn't make it up, etc...
> report the email as attempted phishing
Yup. This. I see stupid stuff happen all the time, and people just facepalm without telling anyone that can do anything about it.
The amount of "WAIT. WHAT?!" faces and "well that stops now!" I've gotten when I've asked "do you know about [stupid thing]?"
My company was recently acquired.
I was given a new email address and a new web-based email account <my_name>@BIGCORP.COM
The *very first* email in my new inbox, was titled "Mandatory Security Training!" and came with a link, which I stupidly clicked and entered my newly provided credentials, only to be informed that this had been a phishing email from their "IT security team" and that I had failed.
So, like a good boy, I went to change my password.
"Password cannot be changed because you have had this one for less than 7 days"
Had a new co-worker with something similar. He clicked the "Mandatory Training" email and was reprimanded for clicking on a spammy link. A spammy internal link, but still, he should have forwarded it to the internal security "check link for validity" service, which no one was using.
It turned out he actually had. Being a new employee, he'd followed the policy verbatim.
It turned out that the suspicious link account that you were supposed to forward links to had its spam filter cranked up to maximum sensitivity. In other words, the suspicious link checker account blocked all incoming links that were suspicious from being seen by the team that was supposed to check them. Which of course explained why "no one used it". People in fact had been using it for months, but all their emails had been deleted before being read.
Management then asked why no one noticed or commented on the fact that IT had not responded to their submissions. "We're so used to being ignored that it didn't seem worth mentioning" was the answer, much to the shock of executives.
$HOSPITALS often outsource their purchasing and payment systems these days, I just rip my hair out when they email us PAYMENT.HTML and PO#76293.HTML documents ... if you deal with China then you're used to getting New_Order.XLS files too, and of course when my customers need to send a picture of something it's always PICTURE.DOC ... these are real, not fake - they come in every week.
> 1. E-mail received about warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.
> 2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.
You must be at IBM...
At $WORK we get the corporate (IT "InfoSec") -sponsored phishing attempts too, with dire warnings of how many employees still fall prey, and then inevitably followed by even more security theatre measures which do more harm than good.
Status quo, right? Everybody has this now, and "InfoSec" departments push their agenda with scare tactics and bogeymen more than ever.
And yet, they don't seem to be able to manage the obvious common sense things. E.g. $WORK uses a common SaaS IT ticket tracking system -- you've heard of them, they're awful. But the real point is that they're awful outside of $COMPANY's borders and control, meaning that any corporate intellectual property in an IT ticket is on the internet.
Same with some of the doc/publishing suites (Engineering product plans in o365 Sharepoint, anyone?) and even source code in some cases.
So yes, don't click those scary phishing email links from "InfoSec", but do share the company jewels with the cloud.
Several years ago, our IT sent out one of their OMG world-is-ending ALL CAPS blanket emails to the company.
To summarize, it said:
"A new malware attack is being spread through malformed URLs in email links. Our firewall is currently not configured to protect against these types of attacks, and we are currently waiting for a fix from the vendor. In the meantime, employees are not, under any circumstances whatsoever to click on any external links. Disciplinary action will be taken against those who fail to comply with this mandate.
You are required to confirm that you have read, and understood this new mandate. You must sign the electronic form at www.externalcorp.com/signatures.asp no later than Friday. Failure to comply will result in disciplinary action, including termination".
Yes, employees were required to click an external link in order to promise not to click on internal links. With both actions being grounds for dismissal.
"Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account."
Me for some time now. I reported a number of these to their phishing report helpline. I eventually emailed that or some similar address that in the continued absence of any reply I'd discontinue the email address set up specifically for said bank. No reply so I gave them the chop. They don't seem to have noticed their emails bouncing.
> Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account.
I haven't seen such from Kiwibank. Westpac - some of their emails have been known to be virtually indistinguishable from known phishing attacks.
And one bank in NZ displays 3rd party advertising (or used to), AFTER your log-in. I won't say which Bank that is, but only that they're a Bank in New Zealand. A couple of characters should be able to figure that out...
Ugh don't remind me. It isn't just PR and marketroid people.
Once upon a time, at a big corporate firm I worked at, we had the "report this email as phishing" button, which we were to use if a suspicious email shows up.
anyway, one day, I started getting emails from the "IT Security department", asking me to click on a link with their updated security policy on it.
Thing is:
- The email headers did not match the domain in the "to" field, nor did it match the name of the sender.
- The email headers showed not the company domain, but some generic sounding one I had never heard of, and the company search engine did not return any results for the domain
- The email was generically written, not even my name in it
- The URL that I was to click on was on yet another third party domain, which was a complete unintelligible alphabet soup of a domain, with long strings of what looked like random characters, ending in ".doc"
Knowing about doc macros, exploits, etc.. there was no way I was going to click on the link while on the corporate windows box, and the entire thing smelled like a phishing email (and who better to impersonate than the IT security staff, a lot of people would listen to them just because they are the "IT security" people).
so I promptly clicked the "report phishing" email, and was on my way. I did this repeatedly over the course of two weeks, until my manager called me into his office.
Apparently the head of the IT security team was livid with rage because their important IT security policy was being flagged as a phishing email (apparently if someone flags an email as "phishing", all the other people get a "this might be a phishing email" header on the email, so they don't click on it, because it can be grounds for termination if you knowingly infect the company).
Apparently the random letters are a tracking ID for my account, so they know that (a) I am the one reporting the email, and (b) I haven't read the document yet.
All my points about how it looks like a phishing email were accepted by my manager, then immediately overruled.
I was told that the email is safe, and that I should stop reporting it as phishing, and more to the point that I should click on the link to view the policy.
So I did what I was told, and the first page of the IT policy was about the risks of phishing emails, and what to look out for (which was almost the exact same criteria I reported the email for), without a hint of blasted irony from the "IT security" team.
So now, I have to assume that no matter how dodgy an email (or its attachments) look, I have to trust it if it says "IT security team" on it. Talk about blowing a gaping hole in a company's security policy. Seeing as all future emails I have since received from the security team are still looking like a phishing email, I can see my complaints fell on deaf ears, and there were no repercussions for them.
My point is, we have a long long way to go before "best practices" can be considered in security. Companies still don't get it, if even their security teams are not able to make an email seem legitimate. Instead you get in trouble for "showing up" the security team.
I feel that they are only doing this "IT policy" and phishing email training to "tick a box" on their cybersecurity checklist. They don't actually care about security or preventing phishing. It is a "cover your ass" ploy from legal, nothing more.
As long as attitude like that is prevalent in companies, nothing will get better, and it may well get worse. You can't expect the PR and marketroids to be any better when the culture they work in encourages such behavior.
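The tells listed in the comment above (a Received/return-path host outside the From domain, a generic salutation, a link on an unrelated "alphabet soup" host whose target ends in .doc) are mechanical enough to check in a mail filter. The script below is an added example, not code from the thread or from any company mentioned in it: it parses two constructed messages with Python's standard `email` module and reports which indicators fire. The domains (corp.example, mailer-third-party.example), the random-label threshold and the extension list are assumptions made for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message). It reproduces the tells from the
# thread: return-path and first hop outside the From domain, "Dear employee",
# and a link on an unrelated random-looking host ending in .doc.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-third-party.example>
Received: from mx.mailer-third-party.example (mx.mailer-third-party.example [192.0.2.10]) by mail.corp.example; Mon, 1 Jan 2018 09:00:00 +0000
From: IT Security Team <itsecurity@corp.example>
To: Jane Employee <jane.employee@corp.example>
Subject: Mandatory Security Policy Update
Content-Type: text/plain; charset="utf-8"

Dear employee,

Our updated security policy is available here:
http://x7q2k9f3z1p8w4.tracking-cdn.example/p/9f8e7d6c5b4a3f2e1d0c.doc

Please read and acknowledge it before Friday.
"""

# Constructed counter-example: same sender, but consistent headers, a personal
# salutation and a link that stays inside the sender's own domain.
CLEAN_EMAIL = """\
Return-Path: <itsecurity@corp.example>
Received: from mail.corp.example (mail.corp.example [192.0.2.5]) by mx.corp.example; Mon, 1 Jan 2018 09:00:00 +0000
From: IT Security Team <itsecurity@corp.example>
To: Jane Employee <jane.employee@corp.example>
Subject: Security policy update
Content-Type: text/plain; charset="utf-8"

Hi Jane,

The updated policy is on the intranet: https://intranet.corp.example/policies/security
"""

# Link targets an internal team should never need to hand out (assumed list).
RISKY_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".html", ".hta", ".js", ".exe", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address) -> str:
    """Lower-cased domain of an RFC 5322 address ('Name <a@b>' or '<a@b>'), or ''."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it; 'evilcorp.example' is not under 'corp.example'."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def looks_random(label: str) -> bool:
    """Crude 'alphabet soup' test: a long hostname label mixing letters and digits."""
    return len(label) >= 12 and any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def phishing_indicators(raw: str, recipient_first_name: str) -> list:
    """Return human-readable indicators that fired; [] means none did.
    These are indicators, not a verdict: bulk mailers legitimately trip some of them."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    if return_domain and not under_domain(return_domain, from_domain):
        findings.append(f"return-path domain {return_domain} is not under From domain {from_domain}")
    hop = re.search(r"from\s+([\w.-]+)", str(msg.get("Received", "")))
    if hop and not under_domain(hop.group(1), from_domain):
        findings.append(f"received from {hop.group(1)}, outside {from_domain}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if recipient_first_name.lower() not in body.lower():
        findings.append("generic salutation: recipient's name does not appear in the body")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host, path = (parts.hostname or ""), parts.path.lower()
        if not under_domain(host, from_domain):
            findings.append(f"link host {host} is outside sender domain {from_domain}")
        if any(looks_random(label) for label in host.split(".")):
            findings.append(f"link host {host} contains a random-looking label")
        if path.endswith(RISKY_EXTENSIONS):
            findings.append(f"link target ends in {path.rsplit('.', 1)[-1]}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL, "Jane"):
        print("-", line)
```

Run it and the first message trips six indicators while the second trips none; the point of the counter-example is that an internal team can avoid every one of them by sending from its own domain, addressing the recipient and linking to an intranet page rather than a tracked third-party document.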
> They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.
You should NEVER, under any circumstances, kill a marketing or PR droid and then take their keyboards from them.
It is far better, and far FAR more enjoyable, to take their keyboards from them while they're living and then apply said keyboard in an appropriate manner until both cease to function! (unless it's a really good keyboard, in which case find something else for said application).
Would make for a nice point in a talk about security : get answers to the following questions and then comment on the results :
1. Did you accept a free USB stick at the entrance ?
2. Are you going to put it in your device ?
3. Are you going to give it to another employee, or to a family member ?
4. Did you accept a free coffee ?
5. Did you accept a free brownie (cake, not human) ?
6. Did you pick up a brownie you saw on the floor and eat it ?
7. Did you accept and read the glossy literature ?
8. Did you accept the cute air freshener to hang in your car ?
9. Did you accept the promotional item modelled on a presidential seal ?
We're accustomed to dealing with most of these threat models. Mostly without errors, but occasionally we screw up.
Acceptable answers to:
1. Did you accept a free USB stick at the entrance ?
2. Are you going to put it in your device ?
are
(a) No
(b) Yes, and I'm going to reformat it before I mount it or give it to anybody.
Anything else shows insufficient paranoia. But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.
> Reformatting won't protect you against malware at the firmware or chip level
I'm just going to jump in with a shameless plug for a pet project of mine - an open-source USB hardware firewall.
https://github.com/robertfisk/USG/wiki
It allows only known-good USB commands to pass, thus blocking BadUSB type attacks. (The filesystem may still be infected but a reformat will take care of that.) It is designed exactly for the scenario of someone handing you an untrusted USB stick and expecting you to plug it into your system.
The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.
> The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.
The project looks great, and as someone who has had to work with untrusted USBs many times (cheap (thus disposable) laptop running Linux, later a Pi-like device), the device project looks great and has replaced one of my presents-to-self for early next year :)
One question... Would your device manage any shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?
> Would your device manage any shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?
The firewall will provide some protection against USB killers, simply because the voltage spike has to pass through 2 ESD clamps and 2 microprocessors before reaching your computer. So the firewall will be destroyed, but your computer may be saved.
> But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.
That's little use if it presents itself to the USB bus as something other than a file system, for example as an input device.
Ages ago I was tempted to put replacement QR codes at all the labels in Tesco veggie section. I noticed recently they are gone.
You mean especially QR codes are dangerous?
I managed to find an app that reads them (and other barcodes) and only decodes & displays, with an option to save it or create a Firefox tab. Most phones seem to open the browser directly.
I despise people using obfuscated short codes (invented for Twitter and no longer needed there?). 1: The short code provider knows your IP, the time, your browser, OS and previous web site. 2: You have no idea what it will load.
What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device. If the device presents as having storage then a full virus scan would be executed on the storage and the results displayed. The files (if any) on the device would not be accessible until after the virus scan and the user acceptance of the scan result.
To allow for the possibility of a USB bricker device, all data and power lines should be protected by zener diodes (clamp data to +5.5v/-0.6v and power to +(maximum charging voltage +1 volt)/-0.6v)
I am missing the zap-option, applying a higher than survivable voltage to the USB if it turns out to be unsafe. It will require some rewiring in the computer to make such an action safe for the computer itself though.
My question to you: Are you paranoid enough?
Would be a nice option but for one thing : you have to be sure that said mount option cannot be tunneled through or otherwise worked around by the USB device. If done right it should be efficient enough to contain most malware, but a determined review by those damn blackhats could well uncover an unprotected exhaust port . . .
Personally, I'd prefer a device external to the PC. Some brick-sized thing or block, with a USB slot and a small flat screen that would, upon being turned on, simply list the files on the key, including hidden files if there are any. That way I could see if there is only the one file, or a host of other files, and decide what I want to risk : plug it in my PC and analyze it, or just trash the key entirely ?
A reformat option would be good as well.
Maybe someone could dream that up with a Raspberry Pi ?
This is too simplistic and generalised; not all Linux are equal. All Linux are reconfigurable, even to the extent that some Linux do not include USB kernel modules (the paranoid option). For those that do, a careful crafting of rules in 'udevs' is necessary to create the appropriate behaviours*. Further, given deeply meaningful knowledge of the Registry, even Windoze can be configured to mount the volume of a USB storage device in a 'sandbox' and not assume that any executable in the contents of the sandbox should be executed without inviting the external (responsible?) human to so approve.
*So, what to do about USB devices that are *not* storage devices? A faker USB device that is to all intents a 'keyboard' that squirts "go to attacker's hell-hole web site now" in the direction of your web browser at USB wire speed?
Totally a thing. Some TNT (turner network television) promo device looked exactly like a flash drive, so I decided to find out how big and if it was writeable. (this was years ago, a slightly more innocent time!) It merely pushed out keystrokes for the Windows key and their address for the particular show and enter. So I popped it open... it was just a little SOIC and a USB plug on what could have been 1 layer from a 4-layer "real" PCB, judging by how thin it was. Then I briefly hated them for being cheap and lazy even though I knew it was fairly clever and I had still fallen for it.
Good thing it was all just about TV. That was a WinXP box, after all...
We could make that run on a raspberry pi rather easily. If we don't let the standard interface run, it doesn't have any automatic handling for USB disks. Then we block acceptance of other USB devices at the device level. Our display would have to be mounted on the GPIO system, but a cursory check of the pi hat manufacturers shows several options that can do display, touch input, and power from the GPIO. We'd first check what interface(s) the USB device says it provides, and assuming it's only storage, we can grab details about the filesystem and the files on it. We should probably do a quick scan for suspicious stuff, especially windows executables and shell/batch/powershell scripts. This wouldn't help against a USB device that intends on physically destroying a machine, but I don't know whether someone is really likely to start handing those out, and at least only our USB tester would be vaporized. This isn't completely foolproof (for example, you could have an innocent-appearing storage disk that only mounts the malicious stuff after ten minutes) but it'd be pretty good against the typical threats. Should we build it?
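The file-checking half of the tester described above (list what is on the stick, hidden files included, and flag the Windows executables and scripts before anyone double-clicks) can be written on any Linux box or Pi with nothing but the standard library. The script below is an added example, not the project code of anyone in the thread: it builds a constructed stick image in a temporary directory (a PE binary named PICTURE.DOC, a PO#76293.HTML, a double-extension invoice, a hidden installer, alongside a genuine PDF and JPEG, all invented for the demo) and scans it. Extension lists and the signature table are assumptions, deliberately small.

```python
import os
import tempfile

# Names Windows will run directly, or that can carry scripts/macros (assumed lists).
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs",
                  ".js", ".jse", ".wsf", ".hta", ".lnk", ".jar", ".msi"}
SCRIPT_CAPABLE_EXT = {".html", ".htm", ".doc", ".docm", ".xls", ".xlsm", ".pptm", ".rtf"}
DOCUMENT_LIKE = {"pdf", "jpg", "jpeg", "png", "txt", "doc", "docx", "xls", "xlsx"}

# Leading bytes ("magic") and the extensions that legitimately carry them.
MAGIC = [
    (b"MZ", "PE executable", {".exe", ".dll", ".scr", ".com"}),
    (b"\x7fELF", "ELF executable", set()),
    (b"%PDF", "PDF", {".pdf"}),
    (b"\xff\xd8\xff", "JPEG", {".jpg", ".jpeg"}),
    (b"\x89PNG", "PNG", {".png"}),
    (b"\xd0\xcf\x11\xe0", "OLE2 Office document", {".doc", ".xls", ".ppt", ".msi"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]


def sniff(path):
    """Identify a file by its first bytes: (kind, legitimate extensions) or (None, set())."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind, exts in MAGIC:
        if head.startswith(magic):
            return kind, exts
    return None, set()


def scan_stick(root):
    """Walk a mounted stick and return {relative path: [reasons]} for every file,
    dotfiles included, so nothing is silently skipped; [] means nothing flagged."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            parts = lower.split(".")
            reasons = []
            if any(p.startswith(".") for p in rel.split("/")):
                reasons.append("hidden path")
            if lower == "autorun.inf":
                reasons.append("autorun.inf present")
            if ext in EXECUTABLE_EXT:
                reasons.append(f"executable extension {ext}")
            elif ext in SCRIPT_CAPABLE_EXT:
                reasons.append(f"script/macro-capable type {ext}")
            if len(parts) >= 3 and parts[-2] in DOCUMENT_LIKE and ext in EXECUTABLE_EXT:
                reasons.append("double extension disguised as a document")
            kind, exts = sniff(full)
            if kind == "ELF executable":
                reasons.append("ELF executable content")
            elif kind and ext not in exts:
                reasons.append(f"content is {kind} but name ends in {ext or '(none)'}")
            findings[rel] = reasons
    return findings


def build_sample_stick(root):
    """Populate root with constructed files (not real samples) of the kinds the
    thread mentions: PICTURE.DOC, PO#76293.HTML, a hidden installer, and so on."""
    samples = {
        "PICTURE.DOC": b"MZ\x90\x00" + b"\x00" * 60,          # PE binary wearing a .DOC name
        "PO#76293.HTML": b"<html><body>Purchase order</body></html>",
        "report.pdf": b"%PDF-1.4\n% constructed\n",
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "autorun.inf": b"[autorun]\nlabel=PROMO\n",
        "invoice.pdf.exe": b"MZ" + b"\x00" * 30,
        ".trash/setup.exe": b"MZ" + b"\x00" * 30,
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Build the sample stick in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_stick(tmp)
        return scan_stick(tmp)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path:20s} {'; '.join(reasons) or 'nothing flagged'}")
```

On a real tester you would point `scan_stick()` at a read-only, `noexec` mount and show the report on the screen before offering the reformat option; the magic-byte check is what catches the PICTURE.DOC case, which an extension-only rule waves through as a document.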
I know Windows has a poor reputation for introducing security holes in the OS, but isn't automatic device scanning on insertion a common feature of both MS and third-party virus scanners ?
If hardware 'safety checkers' became common and there was a significant effort to distribute malware-laden memory devices, we would quickly have an arms race : consider a device that detects a format operation and adds a malware file after the first n files have been written to the device and it is re-inserted.
"Maybe someone could dream that up with a Raspberry Pi ?"
I was just thinking of doing this with an Arduino. No need for the RPi's power.
My solution was to create a device about the size and length of an adults thumb that allows you to plug a USB A device into it. It would then tell you how that device was presenting itself to the host. You would be able to see that a flash drive is presenting as a flash drive and as a HID device at the same time.
If it is a USB keyboard I was going to have this device try to capture any keystrokes. You can use it to test a real keyboard or see what a flash drive is trying to type into your shell if it appears as a keyboard.
I was also thinking of having an option to wipe out the partition table of the flash drive so to reformat it you need not plug it into a computer at first, putting that machine at risk should it do something silly and generate thumbnails for images on the drive when you accidentally open it instead of right clicking ;)
It could also let you confirm that other USB devices seem to be working, so you can check that second hand PS4 controller seems to be trying to connect and has an unbroken cable.
Using a RPi would allow you to do many more things such as check the files on the drive etc.
Thinking about it, an RPi zero would fit the form factor I'm thinking of.
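Both the "paranoid mount option" idea further up (report what the device says it is before touching it) and the thumb-sized tester described just above come down to the same first step: read the interface descriptors and refuse anything that calls itself a flash drive but also presents a keyboard, a network adapter or a vendor-specific interface. The code below is an added example, not code from the USG project, CIRCLean or anyone in the thread. It classifies constructed descriptor sets (not captured from real hardware), and includes a reader for Linux sysfs under `/sys/bus/usb/devices/`, which is where a Pi-based tester would get the real values; the class-code table is a subset of the USB-IF assignments.

```python
import os
from dataclasses import dataclass

# USB-IF base class codes (subset) used to name what a device claims to be.
USB_CLASS_NAMES = {
    0x01: "audio", 0x02: "CDC control", 0x03: "HID", 0x06: "still image",
    0x07: "printer", 0x08: "mass storage", 0x09: "hub", 0x0A: "CDC data",
    0x0B: "smart card", 0x0E: "video", 0xE0: "wireless controller",
    0xEF: "miscellaneous", 0xFF: "vendor specific",
}
HID_BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int

    def describe(self) -> str:
        name = USB_CLASS_NAMES.get(self.cls, f"class 0x{self.cls:02x}")
        if self.cls == 0x03 and self.subclass == 0x01:   # HID boot-interface subclass
            name += " " + HID_BOOT_PROTOCOLS.get(self.protocol, "boot device")
        return name


def read_sysfs_interfaces(dev_dir: str) -> list:
    """Linux only: collect the interface descriptors of one device from sysfs.
    dev_dir is e.g. /sys/bus/usb/devices/1-1; its interfaces are the children
    named 1-1:1.0, 1-1:1.1, ... each exposing bInterfaceClass etc. as hex text."""
    base = os.path.basename(dev_dir.rstrip("/"))
    found = []
    for entry in sorted(os.listdir(dev_dir)):
        if not entry.startswith(base + ":"):
            continue
        values = []
        for attr in ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"):
            with open(os.path.join(dev_dir, entry, attr)) as f:
                values.append(int(f.read().strip(), 16))
        found.append(Interface(*values))
    return found


def storage_only_verdict(ifaces) -> tuple:
    """Policy for something handed over as a 'USB stick': every interface must be
    mass storage (0x08). A keyboard, network or vendor-specific interface on the
    same plug means the stick is not only a stick. Returns (allowed, report lines)."""
    report = [f"interface {i}: {iface.describe()}" for i, iface in enumerate(ifaces)]
    if not ifaces:
        return False, report + ["REJECT: device exposes no interfaces"]
    extras = sorted({iface.describe() for iface in ifaces if iface.cls != 0x08})
    if extras:
        return False, report + ["REJECT: also presents " + ", ".join(extras)]
    return True, report + ["ALLOW: mass storage only (its filesystem is still untrusted)"]


# Constructed descriptor sets (not captured from real hardware).
PLAIN_STICK = [Interface(0x08, 0x06, 0x50)]                        # SCSI transparent, bulk-only
COMPOSITE_STICK = PLAIN_STICK + [Interface(0x03, 0x01, 0x01)]      # storage plus a boot keyboard
NETWORK_STICK = PLAIN_STICK + [Interface(0x02, 0x06, 0x00), Interface(0x0A, 0x00, 0x00)]  # plus CDC Ethernet

if __name__ == "__main__":
    for label, ifaces in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK), ("network", NETWORK_STICK)):
        allowed, report = storage_only_verdict(ifaces)
        print(f"{label}: {'ALLOW' if allowed else 'REJECT'}")
        for line in report:
            print("   ", line)
```

The descriptors are read by the host controller before any driver binds, so this check costs nothing and catches the "flash drive that is also a keyboard" case the thread worries about; a device that lies consistently (pure storage now, something else after a re-enumeration later) is exactly why the comment above says the approach is good against typical threats rather than foolproof. On Linux the verdict can be wired to the per-device `authorized` attribute under `/sys/bus/usb/devices/` so that rejected devices never get a driver at all.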
"The problem is that some of these attacks are happening within the driver layers"
Not if you are booting from ROM each time something is inserted, and have no persistent storage or any connectivity whatsoever, only a screen. Granted, that description doesn't exactly fit any current hardware all that well (even a Live CD is only a partial match), but it's not like it couldn't be done...
I presume the concept involves a USB device that attempts to brick a host.
Most ports are indeed defended by TVSes. But volume and board area are low and cost is definitely a consideration. What you find is decent ESD performance and low/moderate hardness against conducted EMC threats.
See: https://www.st.com/en/protection-devices/usb-port-protection.html?querycriteria=productId=SC1489 for a typical approach.
Any reasonable EE student with DC/DC converter design experience can build you a thumb device that will overmatch the protection. What I don't know is whether you just destroy a USB bridge IC and bring down part of the USB bus, or can cause more extensive damage.
That is why I was saying zener diodes - a typical USB bricker sends a high voltage negative pulse down the data lines. Because of the small space in a typical USB key the actual energy is unlikely to exceed one joule per pulse. For a negative pulse a protective zener diode will be forward biased and will easily clamp the voltage to under one volt without being strained. (A discrete zener diode is a lot less fragile than a sub 1 micrometer transistor in an integrated circuit.)
(For a positive pulse a 5.5v zener will clamp the spike voltage to under 6v which is still low enough to protect the ICs.)
> What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device.
Already exists.
Disable autorun and put a Software Restriction Policy GPO in to not execute any executable code outside of authorized locations (eg, %program files%, %servershare%) unless you are an admin.
Hence, local users can't execute files that haven't been put in an authorized location, and can't put them in an authorized location themselves. This provides quite a lot of protection; since %temp% is blocked as an authorised location and outlook puts files there when it runs then while the users can open documents sent to them (.doc(x), .xls(x), .pdf) then executable content (.exe, .vbs, .etc) will not run. They literally then can't run trojans attached to emails if they try. They can't run executables from USB sticks either.
Then lock down office from downloading content from the internet that's not in the document and block unsigned macros from running and... how can users damage their computers? They can't. This is all available for zero cost with group policy out of the box.
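The path-rule logic this comment relies on is simple to state but easy to get subtly wrong, so here is an added example that models it, written by the editor and not taken from Microsoft's implementation or from the thread: executables (the policy's designated file types) run only from an allowlist of roots, documents are untouched, admins are exempt, and the evaluator normalises paths first so that `..` traversal and a look-alike directory name do not slip past a naive prefix match. The roots, the file-type set (a constructed subset of the SRP default list) and the test paths are assumptions; it uses `ntpath` so it runs on any host.

```python
import ntpath

# Allowed roots, modelled on the comment's %program files% / %servershare%
# locations. Environment variables are written out by hand so the example
# runs on any host (constructed values).
ALLOWED_ROOTS = [
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
    r"\\fileserver\apps",          # the %servershare% location
]
# Designated file types: what the policy treats as executable code. Documents
# are deliberately absent, so .docx/.pdf still open in their applications.
DESIGNATED_TYPES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
                    ".wsf", ".hta", ".msi", ".dll", ".ps1", ".lnk", ".reg"}


def normalize(path: str) -> str:
    """Collapse '..' and '.' segments, unify separators and case, drop a trailing '\\'."""
    return ntpath.normpath(path.replace("/", "\\")).lower().rstrip("\\")


def srp_allows(path: str, is_admin: bool = False) -> tuple:
    """Decide whether the policy lets `path` execute. Returns (allowed, reason)."""
    if is_admin:
        return True, "administrators are exempt from the path rules"
    norm = normalize(path)
    ext = ntpath.splitext(norm)[1]
    if ext not in DESIGNATED_TYPES:
        return True, f"{ext or '(no extension)'} is not a designated executable type"
    for root in ALLOWED_ROOTS:
        r = normalize(root)
        # Require a separator after the root so 'C:\Program Files Evil' does not match.
        if norm == r or norm.startswith(r + "\\"):
            return True, f"inside allowed root {root}"
    return False, "executable outside every allowed location"


# Constructed inputs: the everyday cases plus two look-alike paths.
CASES = [
    (r"C:\Program Files\Vendor\app.exe", False),
    (r"\\fileserver\apps\tool.exe", False),
    (r"C:\Users\jane\AppData\Local\Temp\invoice.pdf.exe", False),   # mail attachment directory
    (r"E:\setup.exe", False),                                       # USB stick
    (r"C:\Program Files\..\Users\jane\evil.exe", False),            # traversal out of the root
    (r"C:\Program Files Evil\evil.exe", False),                     # prefix look-alike
    (r"C:\Users\jane\Downloads\report.docx", False),                # a document, not code
    (r"E:\setup.exe", True),                                        # admin installing from USB
]

if __name__ == "__main__":
    for path, admin in CASES:
        allowed, why = srp_allows(path, admin)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {path:52s} {why}")
```

The two look-alike cases are the ones to keep in mind when writing path rules by hand: without normalisation, `C:\Program Files\..\Users\jane\evil.exe` starts with an allowed root, and without the separator check so does `C:\Program Files Evil\`.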
From https://www.circl.lu/projects/CIRCLean/: "The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer."
Last time I looked all my Pis were computers.
But a good idea even if the explanation wobbles.
I find one wanker - a senior executive - texting away on a personal iFone at the start of a sensitive briefing. Phones are not even allowed in the entire building, let alone in a brief. So I quietly and politely ask if I can take the phone to the front desk for him.
Slightly embarrassed, my Dear Leader gives me the phone and I secure it.
Upon my return I find him banging away on a BlackBerry, and there is another BlackBerry as backup. Oh, FFS!
A couple of days later some swinging dick working for Dear Leader attempts to slap my wrist for embarrassing Dear Leader.
With leadership like this what difference does it make what sort of USB stick is left in the executive head? Parking lot? Tossed through open window of BMW parked in the "executive reserved" space?
@AC, I totally agree with you this should be an actionable offence. We have the lockers, signs, a polite but firm receptionist and so forth. There is no excuse to have a device in the room...
...but it all depends on who you are: in the service we called this "different spanks for different ranks." Sucked then, sucks now.
I have no doubt that I or any other working stiff could get sacked for bringing a phone in ... but execs get a free pass. And this REALLY pisses off the workforce. Technical types crave consistency, and this includes consistency in policy and its application. Stuff like this can grow a little seed of discontent into a full-blown insider threat problem... why do we insist on tempting fate?
And this is not just in IT policy - my team was rocked recently when we lost a good man because his accesses were yanked. He and the wife were separated. He started seeing a new gal and got popped for moral turpitude. I won't claim that my guy's decision making process was sound, but what burns is the manager who sacked him had a well-known affair going on with his admin... including some navel exploration and offshore drilling done on company time. WTF, over?
Couldn't agree more.
We had a lock down policy which stopped the usage of any USB device; guess who were the first to request that their PCs were excluded from the policy. Oh yes, Dear Leaders, you are probably more responsible than anyone else in the company for security issues... and let's not forget marketing, who cry all day about not having the right to do X or Y, then they cry to the leaders who ask for an exemption also for the marketing department... it never ends... and Finance are never far behind because of the upcoming audit with PWC etc.
Scribble out a quick note:
I, Swinging Dick take full personal legal and financial responsibility for deleted, corrupted or encrypted data including resulting loss of business, reputation and fines for distribution of personal data caused by use of an unsecured phone on company property.
Ask him to sign it and watch how quickly he remembers that he is late for a meeting.
@Flocke >>>I, Swinging Dick take full personal legal and financial responsibility for deleted, corrupted or encrypted data including resulting loss of business, reputation and fines for distribution of personal data caused by use of an unsecured phone on company property.<<<
Adding -- and in contravention of company/site security policy ref.xxx -- can't hurt, lawyers love that bit :)
In my experience, senior management in many organisations want to have the security box ticked but they often don't want the expense and hassle of actually implementing very much of any security policy. They do like to have security people who can be held responsible for any security issues that arise.
> how to tell the difference between commercial interest and national interest;
Oh, that's trivial... Is it going for your wallet or insisting to offer you something for free? Former. Is it going for your vote or trying to scare you? Latter.
> between marketing hype and political propaganda;
Same as above.
> between authentic relationship...
You need not worry about those, you don't have any.
> ...and clever manipulation.
There isn't any of that around either. Blunt in-your-face manipulation is just so much more effective...
Do you also reject free coffee, cakes and random ornaments ?
Yes, you might do if you're afraid someone might poison or bug you, and quite right too.
But in general, we trust people based on their reputation. The conference organiser's reputation will be that they might nag you to sell their conferences, but they probably won't try to drug, bug or infect you with malware. Because they have some integrity, and don't want to be demonised.
Why is the branded USB drive any different ? You probably shouldn't accept it from someone who comes up to you in the street. Same goes for the other things I suggested - if someone in the street offers you cookies you make a judgement based on your experience and prejudices about whether to take them.
The USB stick isn't any different. There is a possibility of accidental or intentional malware. You can choose to trust it or not according to your usual threat model. It doesn't make the marketroids stupid for offering it, nor does it make you stupid for accepting it.
"Why is the branded USB drive any different ?"
Because you don't really know who made it and how? You may trust your contacts, but do you know how many layers of procurement and supply they went through to source these cheap 'gifts'?
Risk vs benefit - no real benefit vs a tiny (but > 0) risk of possibly severe consequences.
True, you don't know who made it. Same goes for shop-bought comestibles, though the threat model is less severe (less likely that there's someone intentionally putting rohypnol in grocery-store milk, but by no means impossible).
You might though, expect a responsible marketroid to buy such devices from a reputable source and perhaps even scan a sample of them before handing them out. Likewise, you wouldn't expect them to give you tea, coffee and biscuits by skipdiving at the local supermarket.
I still say 'be reasonable' - the process for trusting USB sticks is only similar to the processes we already use for other gifts and promotional articles.
If there is a warning to take away, it's that promoters should bear in mind that USB sticks are in the same category as other items with a mild threat. Source them responsibly, but don't necessarily give them up. Punters like these things.
(declaration : no, I'm not a vendor of promotional USB sticks. I do occasionally get given them and I'm happy to accept them, though I wouldn't miss them as they're usually a bit small in capacity).
Not so. I would trust nobody's "reputation" to vouch for the pristine state of a tchotchke they are offering me, no matter who they are. The knowledge that someone from PR in their organisation hired a conference organizer outfit who outsourced the trinket procurement to a bauble personalization joint shipping the cheapest mass-produced stuff directly from Alibaba fills me with very much zero confidence that anyone interested along the chain did not add a little something to the whole batch. I DID buy local-retail-store-sold photo frames that came malware-laden straight from the factory you know.
> I'm old enough to remember the poisoned Tylenol scandal. And I think they managed to do it DESPITE tamper resistance.
Actually no, the Tylenol incident did kickstart the tamperproof packaging on almost everything edible, not just prescription medicine. At that time you could take an over-the-counter medicine bottle off the shelf, pop the top off, put it back on, and no-one was the wiser. Not even a plastic band around the cap. Yup. People trusted lots more back then.
I did a paper on that incident in college to satisfy "do a paper on something security related" and the instructor didn't specify "computer security" so he was impressed how I did make it related.
If you allow this to go as far as it can, you end up not able to use anything. Every time you buy something with a USB connector on it, it might have been compromised. Every time you are given something, that might be compromised too. The computer you bought might have malware preinstalled. The parts you were going to use to build yourself a computer because you can't trust the manufacturers might have malware on them.
In the case of the conference, I think it's fair to assume that the drive is probably safe. Don't just assume that it is--test it first--but it is not the high-risk situation like when drives are found unattended. If you always use "what is possible" as your question for trust, you will end up at a dead end. Instead, ask "what is feasible" and "what is likely", and take whatever precautions are available for those infeasible and unlikely things that nonetheless are possible.
Rigghhhhhtt.
Who the F do you trust - many moons ago had a customer who called us in a rip roaring panic attack. Trusted supplier of half his product line had sent a dvd of updates to their service software and it just happened to contain a virus inserted at the dvd production site. Talk about a cockup involving an entire nation of distributors and a multi-billion dollar business exposed.
"The conference organiser's reputation will be that they might nag you to sell their conferences, but they probably won't try to drug, bug or infect you with malware."
Succeeding without trying is an option. Just how much cost do you think they're prepared to take on board to source promotional tat?
First action upon starting at my current workplace:
A blanket ban on all USB sticks and any mass storage devices, and any "unauthorised" USB devices in general.
You want that, it has to come through IT who will scan it, and copy it to normal storage for you. If it leaves site at any point, it has to be scanned again. No exceptions. Not even for the big bosses. USB is just disabled and alerts us when it's attempted.
That's held for 4 years, and I'm regularly able to demonstrate why it's in place (with speakers, presentations and visitors all the time, there's ALWAYS something on a stick, and more often than not I have to refuse them access).
Number of virus infections: 1. Contained to a single PC. Introduced from a dodgy download, which the user persisted in attempting to run despite it being a file-inside-a-file-inside-a-file from a personal webmail from a spam from someone they didn't know, etc. etc. etc.
(Second action on starting at my current workplace: Stop all the password expiry nonsense as per all modern password guidelines.)
Honestly, you have ZERO NEED to use USB sticks, or even devices. The hindrance is literally "Hi John, nice to meet you, can I just take that stick from you to give to IT, they'll put it on the system for you and give it back, cool, let's go get a coffee and get you set up, eh?". You're just introducing the potential for everything from keyboard loggers, wireless access that bypasses your network security (or even shares out the local network to the Internet!), etc. etc. to anyone.
You need a piece of software that lets you block categories of USB drivers (e.g. mass-storage, etc.) and also whitelist authorised devices. Even then, there's potential for serious compromise (e.g. nothing to stop a USB keylogger looking like an authorised keyboard by offering fake USB PIDs).
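The class-blocking and allow-listing described above, as an added example (my code, not anything from this thread or from the commenter's workplace). It models a Linux host: the class codes are the USB-IF base class values found in each interface descriptor, the sysfs layout under /sys/bus/usb/devices and the per-device `authorized` attribute are the kernel's real mechanism, and the registered devices in ALLOWED are constructed. It also addresses the fake-PID caveat: a registered identity is only honoured when the set of interfaces it presents matches what was recorded at check-in, so a "keyboard" that also enumerates a storage or network interface is refused. A pure keyboard impersonator with copied IDs is still not detectable this way, which is the limit the comment points at.

```python
"""Allow-list policy for USB devices, added as a worked example (not from the
thread). Class codes are the USB-IF base class values; the sysfs paths are
Linux's /sys/bus/usb/devices layout and 'authorized' is the kernel's
per-device enable switch. The device register in ALLOWED is constructed.
"""
import os
from dataclasses import dataclass

# USB-IF base class codes carried in each interface descriptor.
CDC = 0x02          # communications (USB Ethernet, modems)
HID = 0x03          # keyboards, mice
MASS_STORAGE = 0x08
HUB = 0x09
WIRELESS = 0xE0     # Bluetooth / RF controllers
MISC = 0xEF         # catch-all, includes RNDIS network gadgets

# Whole classes refused unless the exact device is registered.
BLOCKED_CLASSES = {CDC, MASS_STORAGE, WIRELESS, MISC}

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple   # one entry per interface the device exposes

@dataclass
class Decision:
    allow: bool
    reason: str

# Constructed register kept by IT: identity -> the interface classes the
# device showed when it was checked in. A spoofed device can copy the IDs,
# but if it also exposes extra interfaces (e.g. a "keyboard" that is also a
# network adapter) the mismatch is caught here.
ALLOWED = {
    (0x046D, 0xC31C, "KB-0001"): frozenset({HID}),              # a registered keyboard
    (0x0951, 0x1666, "IT-SCAN-42"): frozenset({MASS_STORAGE}),  # IT's scanned-in stick
}

def evaluate(dev: UsbDevice, allowed=ALLOWED) -> Decision:
    classes = set(dev.interface_classes)
    key = (dev.vid, dev.pid, dev.serial)
    if key in allowed:
        extra = classes - allowed[key]
        if extra:
            return Decision(False, "registered IDs but unexpected interface classes "
                            + ", ".join(hex(c) for c in sorted(extra)))
        return Decision(True, "registered device, interfaces match registration")
    blocked = classes & BLOCKED_CLASSES
    if blocked:
        return Decision(False, "unregistered device in blocked class "
                        + ", ".join(hex(c) for c in sorted(blocked)))
    if HID in classes:
        # A stick that enumerates as a keyboard can type; an unregistered
        # input device gets no more trust than an unregistered stick.
        return Decision(False, "unregistered input device")
    if classes and classes <= {HUB}:
        return Decision(True, "hub only")
    return Decision(False, "unregistered device, default deny")

def _read(path, name, default=None):
    try:
        with open(os.path.join(path, name)) as f:
            return f.read().strip()
    except OSError:
        return default

def device_from_sysfs(path: str) -> UsbDevice:
    """Build a UsbDevice from /sys/bus/usb/devices/<bus-port>/ (Linux only)."""
    classes = []
    for entry in sorted(os.listdir(path)):   # interfaces are "<bus-port>:<cfg>.<if>"
        cls = _read(os.path.join(path, entry), "bInterfaceClass")
        if cls is not None:
            classes.append(int(cls, 16))
    return UsbDevice(int(_read(path, "idVendor"), 16), int(_read(path, "idProduct"), 16),
                     _read(path, "serial", ""), tuple(classes))

def enforce(path: str, decision: Decision) -> None:
    """Flip the kernel's per-device switch; needs root. With
    /sys/bus/usb/devices/usbN/authorized_default set to 0, new devices start
    disabled and only an allow decision here turns them on."""
    with open(os.path.join(path, "authorized"), "w") as f:
        f.write("1" if decision.allow else "0")

if __name__ == "__main__":
    # Constructed sample devices standing in for what sysfs would report.
    samples = [
        UsbDevice(0x046D, 0xC31C, "KB-0001", (HID,)),
        UsbDevice(0x046D, 0xC31C, "KB-0001", (HID, MASS_STORAGE)),
        UsbDevice(0x1234, 0x5678, "", (MASS_STORAGE,)),
        UsbDevice(0x1234, 0x5678, "", (HID,)),
        UsbDevice(0x05E3, 0x0610, "", (HUB,)),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.vid:04x}:{s.pid:04x} {s.interface_classes} -> "
              f"{'ALLOW' if d.allow else 'DENY'} ({d.reason})")
```

The useful pairing is `authorized_default=0` on each host controller plus a udev rule that runs `evaluate` on every add event and calls `enforce`: the device then physically exists on the bus but no driver binds until the policy says so, and every denial is an event you can alert on, which is the "alerts us when it's attempted" part of the policy described above.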
I'd be happy to not use USB storage devices when I go to a customer's site, unfortunately most of them block and won't allow an alternative method of obtaining logs or retrieving software updates.
It'd be more convenient to have access to Office365/OneDrive or similar, save me then putting the USB device back into my laptop having been on their network.
Easy it's called "I can implement that change, but it'll cost you one IT Manager and a lawsuit about trying to get rid of them for providing adequate data and system security with a reasonable, demonstrably-effective, proven and already-in-place system".
Also, that in any proper workplace, such people DO NOT have access to the IT system whatsoever (physically or electronically), in any way, to implement such a change behind your back - even if they got IBM/Microsoft themselves to come in and try to do it.
Hint: The triggering of any one tripwire which suggests intrusion - whether by my own employees (IT department), other employees, outside entities, management, or any of their consultants - will result in the correct response in the case of such potential compromise. A full system shutdown until the situation can be determined.
Other hint: Every workplace I work at is made aware of a simple rule. If I ever discover that the master password lists / backup devices are accessed by anyone other than authorised personnel in the reasonable execution of their jobs (and I will know), I walk.
You really need to read GDPR. Unless your boss has a reason to have the domain administrator's password/access (hint: They don't, unless that boss is the domain administrator), then it's illegal for them to have it. They can *request* it. They can *instruct* me to hand it over. And I guarantee that it'll cost them one IT Manager and a lawsuit unless it was absolutely required (e.g. I'm in a coma in hospital somewhere).
P.S. The best way to stop such things is to say "Sure, I'll do that. But it's against my advice. Just sign here to tell me that you understand that and accept the consequences". I've actually used that. It's incredibly effective. No, my boss does not have any IT rights beyond that of any other member of staff working in such a position (e.g. he has a PC with office, rights to the documents he requires, but can't even rebuild his own machine or log into a server).
"Unless you can prove it's totally lawyer-proof, C-suites can probably just counter they can lawyer their way out of nigh anything."
Some of us work in jurisdictions with better employee rights protection. There'd also be a risk of flagging themselves up to the ICO in which case it'd most likely be settled very quietly out of court.
There's also the fact that some of us work/have worked for businesses that take security very seriously and there it really does start at the top.
"There's also the fact that some of us work/have worked for businesses that take security very seriously and there it really does start at the top."
Applicable word being SOME, not MOST. You're the exception; most places the execs have the ability to override and use their legal teams to find whatever excuse they need to make it above-board. Isn't that why there hasn't been any REALLY crippling judgments against big companies?
"You're the exception"
Actually I have the luxury of not working for anyone these days.
But you may be right in that before I retired my last client had the word "Security" as the first word in the company name and meant it so that helped. Directors would have Richter 8 shouting matches in the open office but not about security. At one time they hired a company to try ringing various members of staff - and freelancers - to try to pry out company information and found we were effective at rebuffing them. Prior to that I worked for a large company that had a major, in PR terms at least, security egg-on-face incident and after that they went on a not entirely security theatre kick so at that time at least they became quite security minded. I don't suppose it lasted when their feet were no longer held to the fire.
When security requirements are imposed externally, and the likes of GDPR can do that, it becomes in the top team's interest to take it seriously.
"You really need to read GDPR. Unless your boss has a reason to have the domain administrator's password/access (hint: They don't, unless that boss is the domain administrator), then it's illegal for them to have it."
Do tell, where in the GDPR does it say that? (or even mention passwords?)
"Do tell, where in the GDPR does it say that? (or even mention passwords?)"
"Even though passwords are not specifically mentioned, Regulation (EU) 2016/679 does stipulate that “a high level of protection of personal data” is required. GDPR also requires safeguards to be implemented that prevent the abuse, unlawful access, or transfer of personal data."
https://www.netsec.news/gdpr-password-policy/
I don’t accept free USB sticks anymore, although I have sometimes wondered whether I might be safe with one from a reputable vendor (HPE, Microsoft and so forth) - although the reputable vendors don’t seem to hand them out anymore.
Even with fresh, sealed in box, USB sticks I plug them into a non-network connected Raspberry Pi which automatically repartitions and formats any drive plugged into its USB port. If it's an obvious bit of malware, this will wipe it. If it's one of those electrocution gizmos, I don't care (it's a Raspberry Pi! Nice n cheap!) Of course, there are more insidious ways of compromising USB devices - but I haven't yet thought of a way of getting around those. All thoughts welcome!
You could reformat them with a secure file system (I assume such things exist) that would cryptographically sign updates so that the files could not be modified without using the appropriate private keys.
This would protect you from USB sticks that modify their contents after you have written them.
They work at the controller level by impersonating an unexpected controller. They still don't inject driver-level code into the OS.
Yes, if you plug a USB stick into a port and no files are displayed but the stick secretly opens a command shell and types commands into it, it won't help. That's certainly something the OS writers should address.
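The "files can't be modified after you've written them" idea from the comment above, carried out as an added example (my code, not the commenter's, and not a real signing filesystem). Instead of a filesystem that signs every update, a manifest of SHA-256 digests travels on the stick in a sidecar file and is authenticated with an HMAC whose key never leaves the host that wrote it; on return, anything modified, added or removed is listed, and a sidecar re-written without the key fails the tag check. Everything in demo() (file names, contents, the key) is constructed. As the reply notes, this only covers the contents the host wrote: a controller that enumerates as something other than a storage device is outside what a content check can see.

```python
"""Tamper-evident content record for a USB stick you wrote yourself.
Added example, not from the thread. A manifest of SHA-256 digests is kept
on the stick in a sidecar file and authenticated with an HMAC; the key stays
on the trusted host, so the record cannot be regenerated by whoever had the
stick in between. Names, contents and the key in demo() are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

SIDECAR = ".integrity.json"      # lives on the stick, excluded from the manifest

def _sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _canon(manifest: dict) -> bytes:
    # Fixed key order and separators so the tag is reproducible.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(root) -> dict:
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): _sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.relative_to(root).as_posix() != SIDECAR
    }

def seal(root, key: bytes) -> dict:
    """Run on the trusted host right after writing the stick."""
    manifest = build_manifest(root)
    tag = hmac.new(key, _canon(manifest), hashlib.sha256).hexdigest()
    (Path(root) / SIDECAR).write_text(json.dumps({"manifest": manifest, "tag": tag}))
    return manifest

def check(root, key: bytes):
    """Run when the stick comes back. Returns (ok, list of problems)."""
    side = Path(root) / SIDECAR
    if not side.is_file():
        return False, ["no integrity record on device"]
    try:
        rec = json.loads(side.read_text())
        manifest, tag = rec["manifest"], rec["tag"]
        if not isinstance(manifest, dict) or not isinstance(tag, str):
            raise TypeError
    except (ValueError, KeyError, TypeError):
        return False, ["integrity record unreadable"]
    expect = hmac.new(key, _canon(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return False, ["integrity record forged or written with a different key"]
    current = build_manifest(root)
    problems = []
    for name in sorted(manifest):
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != manifest[name]:
            problems.append(f"modified: {name}")
    problems += [f"added: {name}" for name in sorted(current) if name not in manifest]
    return not problems, problems

def demo():
    """Constructed round trip: seal a stick image, then tamper with it."""
    key = b"constructed-host-only-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "readme.txt").write_text("conference agenda\n")
        (root / "docs" / "agenda.pdf").write_bytes(b"%PDF-1.4 constructed")
        seal(root, key)
        ok_before, p_before = check(root, key)
        wrong_key = check(root, b"not-the-key")[1]    # reader without the key
        (root / "readme.txt").write_text("conference agenda\nrun me.exe\n")
        (root / "docs" / "agenda.pdf").unlink()
        (root / "extra.exe").write_bytes(b"MZ constructed")
        ok_after, p_after = check(root, key)
        return ok_before, p_before, wrong_key, ok_after, p_after

if __name__ == "__main__":
    print(demo())
```

Run `seal` on the machine that wrote the stick and `check` when it comes back; a non-empty problem list means the stick is treated like any other unknown device and goes through the triage box rather than a production machine.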
You cannot trust your Raspberry Pi fully either. In the end you should ask yourself what there is to be gained by the seller, and at what effort, and to what price. If it is white-label, they won't be hurt by bad press. But the larger manufacturers and distributors have a lot to lose. Sometimes the free market does provide some protection.
In the end you should not act paranoid either. But, to be honest, with computers it is hard to tell where you should draw the proverbial line.
My last few roles which included networking for the NHS always had our most tech savvy staff overruled by a director who knew nothing.
I remember one uncomfortable fight about USB sticks. We only got them barred by hitting the Patient Data Not Allowed Off site paranoia button.
But most people will do what they want, try it, and not think twice about logging it as a fault.
It's a shame IT is seen as an expense as training EVERYONE on basic Infosec principles, and throw in GDPR as well, might help.
It's baffling IT is such an internal part of any organisation yet if you let them the other depts would walk all over them.
When you work on a secure site the networks are of course air-gapped. So the only form of data transfer for normal PCs* is the RED usb stick... Which has to be signed for and audited in and out.
If you saw a red USB that was not in someone's possession, you were not to touch it, you were to ring security immediately who would send armed ninja to appropriately dispose of the USB... and the person who had not looked after it. Security used to leave them on the floor in hallways as a honey-trap for the unwary.
It's not called sneaker-net for nothing!
*Secure Magneto Optical drives (EMP proof) were available for those who could use them!
I've actually worked at a security related company where you got a miniature USB stick as "present" during the family days. Probably meant to get you trained in accepting gifts such as that. They also sported encrypted USB sticks where you needed to install a program (McAfee shit) to decrypt it. The only problem: none of my peers wanted to click the executable (d'oh), if I was even inclined to ask them. I would actually be embarrassed and slightly awed by the trust put in me if they would click the executable. Fortunately the computers in the office did not accept just any USB stick (but a stick mimicking an input device could still do the trick for most of those security solutions).
The security officer nicely wore the lanyard with the company logo on it. It fitted nicely with the access card from which the company name was deliberately missing. Of course the USB stick also had the logo, in case somebody finding the stick on the street would not have another look at the contents.
You cannot make things like that up (which could not be said of the passwords they used).
....but for a certain software firm deciding that you just had to automatically run applications based on a file extension "to improve the user experience". Obviously because they had this 'feature' everyone else had to copy it to remain competitive.
This could be a useful illustration of just how screwed up what passes for computing has become these days. Simple, straightforward, solutions to problems get lost, users buy into complexity and suddenly it's all voodoo, smoke and mirrors because we can't collectively turn around and say "This crap just isn't working properly, it needs fixing".
I remember my first virus, off of a floppy disc, setting off klaxons and flashing red warnings from Central Point Anti-virus.
For many years I reported such things to wherever they came from, and went to considerable lengths to point out security problems. I was the poster-boy for proactive user behaviour.
Ultimately I stopped bothering when it became clear that the majority of companies and institutions just don't care, and especially don't want customers wasting their time on such things.
I guess there was just one too many times when the offending party replied with "Don't bother your little head with it dear."
There are a few companies that treat these things seriously, and I'll bend over backwards to help them, but in most cases I've simply given up.
"So how do you transfer things too complex for a human to enter into an airgapped device?"
In the context of my reply about epoxy - which I assume is what you're questioning - the immediate reply is learn to read a statement of requirements which in this case was "So, what actions does a user need to take -- a real user, not a Reg reader, mind-- to protect themselves from nasties on the stick when they plug it in?" No mention of Stuxnet there.
The moral you need to take from my reply is that it's a trade-off. If you want to be secure there are things you shouldn't do, sticking random USB devices into a PC is one of them. Self-discipline would be better but if physically preventing yourself or those around you from doing things is the only way of doing that, take the physical route.
As a free-standing question, however, it deserves an answer and the answer, as with so many things in IT is that you have to analyse each situation as you meet it. If you have to make provision for data from random USB devices or the like for a single air-gapped machine a good starting point might be another air-gapped triage machine. You should be prepared to write that one off on that in the event of the sort of nasties you've mentioned elsewhere and, as several of us have said, a Raspberry Pi is cheap enough to make that painless; you can do it out of petty cash. For an air-gapped network LeeD's approach is the way to go. For a stand-alone machine your triage device could have the further level of protection of burning the data onto a write-once optical drive.
In different circumstances there are other options. For instance in the situation I mentioned elsewhere in the thread the main security concern was confidential information in the production side of the business leaking and there they had a factory network separate from the production network. Data incoming to that from customer sources was carefully routed and checked; e.g. incoming XML data was checked against an agreed schema - any file consisting of anything other than a conforming document was dumped.
To reiterate, you analyse the particular requirements and devise a solution that fits. If you need further help my rates are exceedingly immoderate these days.
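The "incoming XML checked against an agreed schema, anything else dumped" gate mentioned above, as an added example (my code, not the commenter's or their former client's). The agreed schema here is a constructed order feed expressed as an allow-list: each element names the attributes it may carry (with a value pattern), the children it may contain and whether it may hold text; anything outside that, including DTD or entity declarations, an unexpected root, or a document that does not parse, is rejected before any business logic sees it. It uses only the standard library, so it is a structural allow-list rather than XSD validation, which is what a library such as lxml would give you.

```python
"""Allow-list gate for inbound XML, added as a worked example (not from the
thread). Documents that are not exactly what the agreed schema describes are
rejected with a reason. The schema itself is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 1 << 20      # anything larger is not something the feed should send

# Constructed "agreed schema": tag -> permitted attributes (value pattern),
# permitted child tags, and whether text content is allowed.
SCHEMA = {
    "order":    {"attrs": {"id": r"[0-9]{1,12}"},
                 "children": {"customer", "item"}, "text": False},
    "customer": {"attrs": {}, "children": set(), "text": True},
    "item":     {"attrs": {"sku": r"[A-Z0-9-]{1,20}", "qty": r"[1-9][0-9]{0,3}"},
                 "children": set(), "text": False},
}
ROOT = "order"
TEXT_PATTERN = re.compile(r"[\w .,'-]{0,200}")

def conforms(data: bytes):
    """Return (ok, reason). Only a document that matches SCHEMA exactly passes."""
    if len(data) > MAX_BYTES:
        return False, "oversized"
    # The schema has no DTD, so any declaration is a reason to drop the file
    # (and it keeps entity expansion out of the parser entirely).
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return False, "DTD/entity declarations are not part of the schema"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return False, f"not well-formed: {e}"
    if root.tag != ROOT:
        return False, f"unexpected root element {root.tag!r}"
    return _check(root, root.tag)

def _check(el, path):
    rule = SCHEMA.get(el.tag)            # namespaced tags ("{ns}x") fail here too
    if rule is None:
        return False, f"{path}: element not in schema"
    for name, value in el.attrib.items():
        pat = rule["attrs"].get(name)
        if pat is None:
            return False, f"{path}: attribute {name!r} not in schema"
        if not re.fullmatch(pat, value):
            return False, f"{path}: attribute {name!r} has unexpected value"
    text = (el.text or "").strip()
    if text and not rule["text"]:
        return False, f"{path}: text content not permitted"
    if text and not TEXT_PATTERN.fullmatch(text):
        return False, f"{path}: text content has unexpected characters"
    for child in el:
        if child.tag not in rule["children"]:
            return False, f"{path}: child {child.tag!r} not permitted"
        if (child.tail or "").strip():
            return False, f"{path}: stray text after {child.tag!r}"
        ok, why = _check(child, f"{path}/{child.tag}")
        if not ok:
            return False, why
    return True, "conforming"

# Constructed inbound files: one conforming, the rest the kinds of thing a
# gate like this is there to drop.
SAMPLES = {
    "good.xml":    b'<order id="1042"><customer>Acme Ltd</customer><item sku="AB-12" qty="3"/></order>',
    "dtd.xml":     b'<!DOCTYPE order [<!ENTITY x "y">]><order id="1"/>',
    "extra.xml":   b'<order id="1042"><customer>Acme</customer><script>x</script></order>',
    "attr.xml":    b'<order id="1042" href="http://example.invalid/"/>',
    "value.xml":   b'<order id="1"><item sku="AB" qty="0"/></order>',
    "broken.xml":  b'<order id="1">',
    "root.xml":    b'<invoice/>',
}

def triage(files: dict) -> dict:
    """Map each file name to its (ok, reason) decision."""
    return {name: conforms(data) for name, data in files.items()}

if __name__ == "__main__":
    for name, (ok, why) in triage(SAMPLES).items():
        print(f"{name:12s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The design choice worth copying is that the gate never tries to repair or partially accept a file: one unexpected element, attribute or declaration and the whole document is dropped with a logged reason, which is exactly the "anything other than a conforming document" rule the comment describes.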
What's the obsession with vulnerability and sticks? A kind of TITSUSB of the 21st?
My own obsession is mandatory (electricity) smart meters. They provide a vector for devilry that will cost lives, destroy buildings. Only the existence of lower-hanging fruit will delay the conflagration.
Malware can effectively be removed from any freebie USB device by placing it in the office microwave for 30 seconds.
The same works with company phone SIM cards when you change jobs - I found 20 seconds to be sufficient actually. You should always follow company policy and use the office microwave and not your own that has not been inspected by the security group.
Not even Internet Anarchy, just Anarchy really ! Slowly & not so slowly being introduced into the system.
Chaos is the disruption to systems by the "unknown", But Anarchy is the disruption to systems by the "known".
It will fall, the system.
Now anarchy is to destroy the existing system so one can introduce another, in time, if one actually thought that far ahead, rather than just to pull down this government. What then is the new system that eAnarchy will introduce?
Better watch out !