by John Bumgarner and M. E. Kabay

Gone in a flash, Part 1

Oct 28, 2003

* The security dangers posed by USB flash drives

In the movie “The Recruit,” an agent for the Central Intelligence Agency (played by Bridget Moynahan) downloads sensitive information onto a tiny USB flash drive. She then smuggles the drive out in the false bottom of a travel mug. Could this security breach (technically described as “data leakage”) happen in your organization?

Yep, it probably could – because most organizations do not control whether such devices enter the building or how they are used within the network.

These drives pose a serious threat to security. With capacities currently ranging up to 2G bytes (and increasing steadily), these little devices can bypass all traditional security mechanisms such as firewalls and intrusion detection systems. Unless administrators and users have configured their anti-virus applications to scan every file at the time a file is opened, it’s even easy to infect the network using such drives.

Disgruntled employees can move huge amounts of proprietary data to a flash drive in seconds before they are fired. Corporate spies can use these devices to steal competitive information such as entire customer lists, sets of blueprints, and development versions of new software. Attackers no longer have to lug laptops loaded with hacking tools into your buildings. USB drives can store password crackers, port scanners, keystroke loggers, and remote-access Trojans. An attacker can even use a USB drive to boot a system into Linux or another operating system and then crack the local administrator password by bypassing the usual operating system and accessing files directly.

On the positive side, USB flash drives are a welcome addition to a security tester’s tool kit. As a legitimate penetration tester, one of us (Bumgarner) carries a limited security toolset on one and still has room to upload testing data. For rigorous (and authorized) tests of perimeter security, he has even camouflaged the device to look like a car remote and has successfully gotten through several security checkpoints where the officers were looking for a computer. So far, he has never been asked what the device was by any physical security guard.

This threat is increasing in seriousness. USB flash drives are replacing traditional floppy drives. Many computer vendors now ship desktop computers without floppy drives, but provide users with a USB flash drive. Several vendors have enabled USB flash drive support on their motherboards, which allows booting to these devices. A quick check on the Internet shows prices dropping rapidly; Kabay was recently given a free 128M-byte flash drive as a registration gift at a security conference. The 2G-byte drive mentioned above can be bought for $850 as this article is being written; a 1G-byte drive for $240; a 512M-byte drive for $180; a 256M-byte drive for $80; and a 128M-byte drive for $40.

In the next part of this two-part series, John and I will look at preventive measures for safe use of these devices.

Guest author John Bumgarner is President of Cyber Watch, Inc., a security consulting firm based in Charlotte, N.C. John has a rich background in national security and international intelligence and security work. He can be reached at