IT Risks Rise on USB Drives

Computerworld - Insiders stealing relatively large amounts of data on tiny USB memory sticks have already made the ubiquitous devices a potent security threat. But the emergence of flash drives capable of storing and auto-running applications straight off the device will likely make them an even greater security headache.

This danger is not going unnoticed by IT professionals.

USB thumb drives “pose a pretty big threat within the medical industry” if not properly managed, said Chris Anderson, an assistant analyst at John C. Lincoln Health Network in Phoenix. And his company has already deployed tools to protect against these new problems.

Demonstrating the potential risks, Hak.5, a security-related podcast run by self-described white-hat hackers, last month showed how a USB memory stick can be turned into a device capable of automatically installing back doors, retrieving passwords or grabbing software product codes.

“What makes it a security nightmare is that it’s a faster and automated way to do existing threats,” said Darren Kitchen, one of the hackers who hosts the Hak.5 podcasts from his home in Williamsburg, Va. “What could have been done before in four to five minutes can now be done in a few seconds,” he said.

The Hak.5 demonstration involved the use of a relatively new technology from Redwood City, Calif.-based U3 LLC that lets software execute directly from USB drives. Unlike traditional USB flash drives, U3 memory sticks are self-activating and can automatically run applications when inserted into a system by appearing to be a CD-ROM to a computer.

U3’s technology is designed to increase mobility by letting a user store his personal desktop with his programs, passwords and other data on a memory stick and then use them on any computer without worrying about whether those applications are installed. It’s among an emerging set of similar “smart” flash drives from vendors such as Migo Software Inc. in Redwood City, Calif., and Route 1 Inc. in Toronto.

But this boon to mobile end users gives malicious hackers another way to compromise systems, said John Pescatore, an analyst at Gartner Inc.

For instance, Hak.5 has already developed and made publicly available payloads that make it possible to use U3 thumb drives to automatically retrieve Windows password hashes, browser histories and AOL Instant Messenger and MSN passwords. For the moment, they only work if the user has full administrative privileges on the computer in which the USB device is inserted. But in the works is a hack that automatically escalates user privileges via a U3 drive. Another pending hack deposits code on a computer that steals information off any USB key that is subsequently inserted into the machine by e-mailing the data to another location.