You may think of USB flash drives as little more than trade-show giveaways that can be used to ferry files and folders from a company laptop to a home computer. In reality, USB drives have evolved into something much more useful—and potentially dangerous.
One evolving threat comes from programs such as USB Dumper, which, installed on a computer, will suck data off any connected USB drive without any visible sign, says Brian McCarthy, vice president of marketing with Centennial Software. McCarthy says that Centennial’s researchers have been able to modify the program to pull data off an iPod or any other portable device that connects via a USB port.
Other hacks have been built on top of USB Dumper, such as USB Hacksaw, which takes the data pulled surreptitiously from a USB drive and quietly sends it out through a secure e-mail connection that it creates itself. The program can even cut the contents of large drives into chunks and compress them so that they’re easier to e-mail.
Vladimir Chernavsky, CEO of AdvancedForce InfoSecurity Solutions, Inc., says that the widespread use of USB drives has created a new way for attackers to socially engineer their way into corporate systems. He tells of a penetration test in which testers left USB drives in a company’s cafeteria and parking lot. Most of the people who found them plugged them into corporate desktops, despite the risk of doing so.
Another class of USB threats comes along with a technology called U3 that allows flash drives to run software programs. U3 allows users to, say, plug a flash drive into a computer at an airport kiosk and edit a Word document even if no Microsoft Office applications are installed.
But these devices can be used to circumvent a company’s security. For example, TorPark, a modified version of Firefox that runs on U3 drives, allows workers to visit prohibited Web sites via anonymous proxies. Because it runs from the flash drive, it leaves no audit trail.
The same approach could be used to surreptitiously e-mail proprietary data to a third party. All the IT administrator would see is a connection out to a single IP address, and nothing more.
DeviceWall, a software product from Centennial, can prevent users from plugging in and using USB drives, thus preventing TorPark from running and eliminating any threat from programs like USB Dumper, should they be installed. DeviceWall agents are automatically distributed from a central management console and can be customized for each user; DeviceWall can even allow only a single type of USB token to work, thus allowing some flexibility while eliminating the risk of a user plugging in and using his or her own drive.
Chernavsky’s company offers DeviceLock, which can also provide granular control over USB devices down to a specific model so that no other drive would work (if USB drives were authorized at all). DeviceLock can also prevent other digital devices, including cameras, Wi-Fi and Bluetooth adapters, and even CDs and floppy disks from functioning.