
USB:

The Trojan Horse of Digital Technology


If you're not much of a computer user, you might not be familiar with the term USB. It stands, in geek-speak, for Universal Serial Bus -- and it's the "universal" part of its name that can cause no end of security headaches. Most people just don't understand how the USB port on most computers can open a back door into any secure facility.

The best way to explain this is by way of analogy. Think about Fort Knox. The place is protected five ways to Sunday to prevent unauthorized access -- and more importantly, to prevent America's gold reserves from leaving without permission.

Now imagine that the Starship Enterprise was orbiting above, and Scotty could just beam the gold right out of the place. Or, imagine that someone working inside the bullion depository could somehow shrink all 4,603 tons of gold bullion down to about the size and weight of a small nail clipper. She could just walk out with it all, and no one would be the wiser.

Farfetched? Yes, of course. But if you substitute information for the gold, the problem is no longer farfetched. It's scary. And it's all made possible because of the tiny USB connectors in the side, front, or back of most computers.

Teeny, Tiny Terrors

If you've ever used an iPod or a thumb drive, you've used one of these USB connectors. USB connectors connect data storage devices, printers, scanners, wireless network transmitters, and a lot more to almost any computer. In most cases, you just plug them in and they work. You often don't even need to restart the computer.

And these devices are small. Some network transmitters are less than a half-inch deep, and almost impossible to notice when installed on a computer, especially if plugged into the back of the box.

It's also possible to install a USB transmitter inside a computer -- without turning the computer off. Most computer cases can be opened relatively easily, and, with a small adapter, a USB transmitter can be installed inside the computer and remain completely invisible to everyone.

Big Trouble From Little Gadgets

There are two kinds of USB devices that pose the biggest risks: USB storage devices and USB network transceivers. Let's look at the storage devices first.

A few days ago, I was in Staples, and bought a 16 gigabyte USB thumb drive for under $50. It weighs all of two ounces and is smaller than my pinky. Apple sells 32 gigabyte iPhones and 160 gigabyte iPods. You can store a lot on these devices.

You're holding a magazine in your hands right now. According to "How Much Information?", a project of the University of California, a typical magazine contains about half a megabyte of text for a full year's worth of issues.

In digital form, you could fit 376,000 copies of this magazine on a typical iPhone. If you bought one of those $249 160 gigabyte iPods, you could carry 3.8 million digital copies of this magazine around in your pocket, which is the equivalent of giving a free copy to every single resident of Los Angeles. In other words, you can put a lot on a small device. Even that tiny thumb drive I mentioned earlier can store 384,000 copies of this magazine.

By that measure, any of these portable devices is a spy's dream. You can sneak one of these things right in plain sight (how many people in your office have iPods?), fill them with confidential information, and carry them back out, plain as day.

Then, of course, there's what you could bring in. Many computers are preconfigured not only to allow a connected USB device to run; they often automatically run programs on the USB device, without any human intervention. That means someone with nefarious intent could bring in spyware, a root kit (software that installs on the computer and hides invisibly), a key logger, or a network virus and install it on a PC, simply by plugging the thumb drive into the computer, waiting 30 seconds, and unplugging it.

All of a sudden, all the protections of the main firewall, installed by the IT guys at considerable effort and expense to block outside invasions, have been completely bypassed. It's almost as if a Trojan Horse were wheeled inside the fortress, right past the guards, and an army jumped out and attacked.

In a digital sense, that's exactly what could happen.

An entire, bootable Windows or Linux installation can fit on a small thumb drive. In fact, a small thumb drive could fit a whole number of different, specialized Linux "distros" (distributions), many of which are used for cracking and other acts of digital misbehavior.

Although it's a bit more work, often requiring a workstation to be rebooted, these digital hacking distributions can slice through a computer's password security like a hot knife through butter. There are instructions all over the Internet discussing free-to-download specialized Linux distributions that do nothing but instantly vaporize computer password security.

And then there are the network devices. Anyone can buy a wireless network router that's the size of a thumb drive. If that's installed on a PC inside the firewall, all of a sudden, the entire internal, secured network is accessible outside, especially if a bit of additional antenna work is done with the transceiver.

I've had a number of discussions with very serious professionals working for three-initial agencies, who've informed me they were perfectly safe because they've made sure no computer on their internal network is connected to the Internet. I've heard the same from people who work in hospitals and for power companies. Their network is secure because they've isolated it from the Internet.

Yeah, well, that's true until someone installs a $39 wireless network adapter and opens up all that juicy, secret, network goodness to the outside world. And while there might be some bad guys trying to steal information, the far more likely scenario is that of a bored employee who just wants to check his Facebook page from his work computer during lunch. Bad intent is not necessary to make it a serious security breach.

What Can You Do?

There are some simple and not-so-simple ways to protect your organization from these sorts of penetrations. Believe it or not, one of the more common approaches is to dump glue or epoxy into all the USB ports on all the computers, effectively filling them and making them useless. This approach works fine until one person -- just one -- is allowed to bring his personal laptop in from home and plug it in. And, of course, glued USB ports can be very inconvenient if the IT geeks need to do any maintenance on that machine.

There are also some network software products that are designed to restrict how Windows allows use of the USB ports. These products include DeviceWall from Centennial Software, Sanctuary DeviceControl from SecureWave, GFI LANGuard from GFI Software, DeviceLock from SmartLine Inc., and SEP 11 by Symantec (disclosure: I was a director at Symantec a very long time ago, but at this point, I have no financial interest).

Vol. 15, No. 4

You could also disable the USB drivers in Windows (on a machine-by-machine basis) or make all USB ports read-only (also on a machine-by-machine basis), but both of these approaches are subject to some level of error.
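
One way to check the two per-machine settings from the paragraph above, together with the automatic-run behaviour described earlier, written as an added PowerShell example that is not from the article. The registry locations are the standard Windows ones (the article does not name them), and the function name Test-UsbPolicy is an illustrative assumption.

```powershell
# Added example, not from the article: audit (and with -Enforce, set) the
# per-machine USB settings. Enforcing requires an elevated session.
$UsbPolicy = @(
    @{ Name  = 'USB storage driver disabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Want = 4 }              # 4 = driver start type "disabled"
    @{ Name  = 'Removable storage read-only'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Value = 'WriteProtect'; Want = 1 }       # 1 = writes to USB storage refused
    @{ Name  = 'AutoRun off for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 255 } # 0xFF = every drive type
)

function Test-UsbPolicy {
    param([switch]$Enforce)
    foreach ($p in $UsbPolicy) {
        # A missing key or value means the machine is on the permissive default.
        $item    = Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($p.Value) } else { $null }
        $ok      = ($null -ne $current) -and ($current -eq $p.Want)

        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            Set-ItemProperty -Path $p.Path -Name $p.Value -Value $p.Want -Type DWord
            # Read the value back rather than assuming the write succeeded.
            $current = (Get-ItemProperty -Path $p.Path -Name $p.Value).($p.Value)
            $ok      = ($current -eq $p.Want)
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Setting   = $p.Name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Wanted    = $p.Want
            Compliant = $ok
        }
    }
}

# Report only; add -Enforce to correct any setting that has drifted.
Test-UsbPolicy | Format-Table -AutoSize
```

Collecting this report from every workstation on a schedule surfaces the machines that were missed or later changed, which is where the machine-by-machine approach tends to fail.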

You could simply ban all USB devices from entering or leaving the facility, but that would practically entail having to X-ray everyone who enters or leaves, and perform strip searches and cavity searches.

Obviously, none of these last approaches is going to be popular among your staff, but you can set some limits. You can set up lockers outside the entrance to the workspace, and require employees to deposit phones, iPods, and all other personal electronics.

In the real world, most employees will not tolerate having their personal electronic devices confiscated. They'll say it's not fair for their employers to expect them to be reachable whenever they're not at work, and that they need to extend that ability to the people who are important to them in their personal lives. Like it or not, these devices are here to stay.

You can also make sure all your servers are properly configured. Be sure that you have good permissions security, encrypt as much as possible, and practice good IT.

There is no universal answer to blocking these pervasive potential security breaches. As with most areas of security, awareness, diligence, and a certain amount of creativity are probably your best defenses.

About the Author:

For more than 20 years, David Gewirtz, the author of Where Have All the Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David is the Editor-in-Chief of ZATZ Publishing, writes commentary and analysis for CNN's Anderson Cooper 360, and has written more than 700 articles about technology. David is a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, has been awarded the prestigious Sigma Xi Research Award in Engineering, and was a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP.

Journal of Counterterrorism & Homeland Security International
