USB ports pose a significant security risk by allowing easy transfer of large amounts of data both into and out of computers. USB storage devices like thumb drives can carry vast quantities of information, and USB network adapters no larger than a thumb drive can expose entire internal networks to the outside. While some software exists to restrict USB use, the most effective approaches such as disabling all USB ports are difficult to implement within most organizations due to inconvenience to users.
Original Description:
The USB port on most computers can open a back door into any secure facility.
If you're not much of a computer user, you might not be familiar with the term USB. It stands, in geek-speak, for Universal Serial Bus -- and it's the "universal" part of its name that can cause no end of security headaches. Most people just don't understand how the USB port on most computers can open a back door into any secure facility.

The best way to explain this is by way of analogy. Think about Fort Knox. The place is protected five ways to Sunday to prevent unauthorized access -- and more importantly, to prevent America's gold reserves from leaving without permission. Now imagine that the Starship Enterprise was orbiting above, and Scotty could just beam the gold right out of the place. Or, imagine that someone working inside the bullion depository could somehow shrink all 4,603 tons of gold bullion down to about the size and weight of a small nail clipper. She could just walk out with it all, and no one would be the wiser.

Farfetched? Yes, of course. But substitute information for the gold and the problem is no longer farfetched. It's scary. And it's all made possible because of the tiny USB connectors in the side, front, or back of most computers.

Teeny, Tiny Terrors

If you've ever used an iPod or a thumb drive, you've used one of these USB connectors. USB connectors connect data storage devices, printers, scanners, wireless network transmitters, and a lot more to almost any computer. In most cases, you just plug them in and they work. You often don't even need to restart the computer.

And these devices are small. Some network transmitters are less than a half-inch deep, and almost impossible to notice when installed on a computer, especially if plugged into the back of the box.

It's also possible to install a USB transmitter inside a computer -- without turning the computer off. Most computer cases can be opened relatively easily, and, with a small adapter, a USB transmitter can be installed inside the computer and remain completely invisible to everyone.

Big Trouble From Little Gadgets

There are two kinds of USB devices that pose the biggest risks: USB storage devices and USB network transceivers. Let's look at the storage devices, first.

A few days ago, I was in Staples, and bought a 16 gigabyte USB thumb drive for under $50. It weighs all of two ounces and is smaller than my pinky. Apple sells 32 gigabyte iPhones and 160 gigabyte iPods. You can store a lot on these devices.

You're holding a magazine in your hands right now. According to "How Much Information?", a project of the University of California, a typical magazine contains about half a megabyte of text for a full year's worth of issues. In digital form, you could fit 376,000 copies of this magazine on a typical iPhone. If you bought one of those 160 gigabyte iPods, you could carry 3.8 million digital copies of this magazine around in your pocket, which is the equivalent of giving a free copy to every single resident of Los Angeles. In other words, you can put a lot on a small device. Even that tiny thumb drive I mentioned earlier can store 384,000 copies of this magazine.

By that measure, any of these portable devices is a spy's dream. You can sneak one of these things right in plain sight (how many people in your office have iPods?), fill them with confidential information, and carry them back out, plain as day.

Then, of course, there's what you could bring in. Many computers are preconfigured not only to allow a connected USB device to run, but also to automatically run programs on the USB device, without any human intervention. That means someone with nefarious intent could bring in spyware, a root kit (software that installs on the computer and hides invisibly), a key logger, or a network virus and install it on a PC, simply by plugging the thumb drive into the computer, waiting 30 seconds, and unplugging it.

All of a sudden, all the protections of the main firewall, installed by the IT guys at considerable effort and expense to block outside invasions, have been completely bypassed. It's almost as if a Trojan Horse were wheeled inside the fortress, right past the guards, and an army jumped out and attacked. In a digital sense, that's exactly what could happen.

An entire, bootable Windows or Linux installation can fit on a small thumb drive. In fact, a small thumb drive could fit a whole number of different, specialized Linux "distros" (distributions), many of which are used for cracking and other acts of digital misbehavior. Although it's a bit more work, often requiring a workstation to be rebooted, these digital hacking distributions can slice through a computer's password security like a hot knife through butter. There are instructions all over the Internet discussing free-to-download specialized Linux distributions that do nothing but instantly vaporize computer password security.

And then there are the network devices. Anyone can buy a wireless network router that's the size of a thumb drive. If that's installed on a PC inside the firewall, all of a sudden, the entire internal, secured network is accessible outside, especially if a bit of additional antenna work is done with the transceiver.

I've had a number of discussions with very serious professionals working for three-initial agencies, who've informed me they were perfectly safe because they've made sure no computer on their internal network is connected to the Internet. I've heard the same from people who work in hospitals and for power companies. Their network is secure because they've isolated it from the Internet.

Yeah, well, that's true until someone installs a $39 wireless network adapter and opens up all that juicy, secret, network goodness to the outside world. And while there might be some bad guys trying to steal information, the far more likely scenario is that of a bored employee who just wants to check his Facebook page from his work computer during lunch. Bad intent is not necessary to make it a serious security breach.

What Can You Do?

There are some simple and not-so-simple ways to protect your organization from these sorts of penetrations. Believe it or not, one of the more common approaches is to dump glue or epoxy into all the USB ports on all the computers, effectively filling them and making them useless. This approach works fine until one person -- just one -- is allowed to bring his personal laptop in from home and plug it in. And, of course, glued USB ports can be very inconvenient if the IT geeks need to do any maintenance on that machine.

There are also some network software products that are designed to restrict how Windows allows use of the USB ports. These products include DeviceWall from Centennial Software, Sanctuary DeviceControl from SecureWave, GFI LANguard from GFI Software, DeviceLock from SmartLine Inc., and SEP 11 by Symantec (disclosure: I was a director at Symantec a very long time ago, but at this point, I have no financial interest).

You could also disable the USB drivers in Windows (on a machine-by-machine basis) or make all USB ports read-only (also on a machine-by-machine basis), but both of these approaches are subject to some level of error.

You could simply ban all USB devices from entering or leaving the facility, but that would practically entail having to X-ray everyone who enters or leaves, and perform strip searches and cavity searches.

Obviously, none of these last approaches is going to be popular among your staff, but you can set some limits. You can set up lockers outside the entrance to the workspace, and require employees to deposit phones, iPods, and all other personal electronics.

In the real world, most employees will not tolerate having their personal electronic devices confiscated. They'll say it's not fair for their employers to expect them to be reachable whenever they're not at work, and that they need to extend that ability to the people who are important to them in their personal lives. Like it or not, these devices are here to stay.

You can also make sure all your servers are properly configured. Be sure that you have good permissions security, encrypt as much as possible, and practice good IT.

There is no universal answer to blocking these pervasive potential security breaches. As with most areas of security, awareness, diligence, and a certain amount of creativity are probably your best defenses.

About the Author: For more than 20 years, David Gewirtz, the author of Where Have All the Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David is the Editor-in-Chief of ZATZ Publishing, writes commentary and analysis for CNN's Anderson Cooper 360, and has written more than 700 articles about technology. David, a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, has been awarded the prestigious Sigma Xi Research Award in Engineering, and was a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP.

The Journal of Counterterrorism & Homeland Security International, Vol. 15, No. 4 (www.thejournalofcounterterrorism.org)
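The machine-by-machine Windows settings mentioned under "What Can You Do?" (disabling the USB storage driver, making USB storage read-only) and the automatic program launch described earlier can be checked with a short script. This is an added example, not from the article: the registry paths are the standard Windows locations for these settings, while the script itself and its `-Apply` switch are assumptions made for illustration. It also lists network adapters attached over USB, the second device type the article warns about.

```powershell
# Added example: audit (default) or enforce (-Apply, needs an elevated prompt)
# three per-machine USB settings, then list USB-attached network adapters.
param([switch]$Apply)

# Each entry: registry value to read and the restricted setting wanted.
$settings = @(
    @{ Name  = 'USB storage driver disabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Want = 4 },            # 3 = load on demand, 4 = disabled
    @{ Name  = 'Removable storage read-only'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Value = 'WriteProtect'; Want = 1 },     # key is absent by default
    @{ Name  = 'AutoRun off for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 0xFF }
)

foreach ($s in $settings) {
    # Missing key or value reads back as $null rather than raising an error.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Value `
                    -ErrorAction SilentlyContinue).($s.Value)

    if ($Apply -and $current -ne $s.Want) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Want -Type DWord
        $current = $s.Want
    }

    [pscustomobject]@{
        Setting = $s.Name
        Current = if ($null -eq $current) { '(not set)' } else { $current }
        Wanted  = $s.Want
        OK      = ($current -eq $s.Want)
    }
}

# Present network adapters whose device instance sits on the USB bus.
# An unexpected entry here is the "thumb-drive-sized transmitter" case.
Get-PnpDevice -Class Net -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\*' } |
    Select-Object FriendlyName, InstanceId, Status
```

Because these values are set per machine and can be changed back, the audit mode is meant to be run on a schedule and its `OK` column compared against the expected baseline.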