IT Risks Rise on USB Drives

Auto-run apps add to security threats

Insiders stealing relatively large amounts of data on tiny USB memory sticks have already made the ubiquitous devices a potent security threat. But the emergence of flash drives capable of storing and auto-running applications straight off the device will likely make them an even greater security headache.

This danger is not going unnoticed by IT professionals.

USB thumb drives “pose a pretty big threat within the medical industry” if not properly managed, said Chris Anderson, an assistant analyst at John C. Lincoln Health Network in Phoenix. And his company has already deployed tools to protect against these new problems.

Demonstrating the potential risks, Hak.5, a security-related podcast run by self-described white-hat hackers, last month showed how a USB memory stick can be turned into a device capable of automatically installing back doors, retrieving passwords or grabbing software product codes.

“What makes it a security nightmare is that it’s a faster and automated way to do existing threats,” said Darren Kitchen, one of the hackers who hosts the Hak.5 podcasts from his home in Williamsburg, Va. “What could have been done before in four to five minutes can now be done in a few seconds,” he said.

The Hak.5 demonstration involved the use of a relatively new technology from Redwood City, Calif.-based U3 LLC that lets software execute directly from USB drives. Unlike traditional USB flash drives, U3 memory sticks are self-activating and can automatically run applications when inserted into a system by appearing to be a CD-ROM to a computer.

U3’s technology is designed to increase mobility by letting a user store his personal desktop with his programs, passwords and other data on a memory stick and then use them on any computer without worrying about whether those applications are installed. It’s among an emerging set of similar “smart” flash drives from vendors such as Migo Software Inc. in Redwood City, Calif., and Route 1 Inc. in Toronto.

But this boon to mobile end users gives malicious hackers another way to compromise systems, said John Pescatore, an analyst at Gartner Inc.

For instance, Hak.5 has already developed and made publicly available payloads that make it possible to use U3 thumb drives to automatically retrieve Windows password hashes, browser histories and AOL Instant Messenger and MSN passwords. For the moment, they only work if the user has full administrative privileges on the computer in which the USB device is inserted. But in the works is a hack that automatically escalates user privileges via a U3 drive. Another pending hack deposits code on a computer that steals information off any USB key that is subsequently inserted into the machine by e-mailing the data to another location.

This Thursday, Hak.5 will podcast its latest refinement of the USB hacks, Kitchen said.

“Most people think of these things as storage sticks. What they don’t realize is the U3 is a little computer on a thumb drive,” Pescatore said.

Companies need to think seriously about managing USB storage devices, said Jonathan Singer, an analyst at Yankee Group Research Inc. in Boston. “You can have a user walk away with a whole bunch of information, or someone’s PCs could get owned by a USB device they picked up in a parking lot,” he said.

Anderson said those concerns prompted Lincoln Health to install software from SecureWave SA that lets administrators manage access of USB drives to computers. SecureWave’s product lets Lincoln Health prevent multiple USB device types from being connected to its systems. IT can also monitor and audit activities in the cases where end users are permitted to connect USB devices to their systems.

Fabi Gower, vice president of IT at Martin, Fletcher, a health care company in Irving, Texas, has also deployed similar technology from SecureWave. She said she is reasonably confident that it should protect against threats such as those associated with the U3 flash drives. “Our security measures prohibit any applications from being installed or running on the network unless it has been authorized,” Gower said. SecureWave provides a way to enforce this at the USB device level, she said.

In one sense, the threat is not new, said Robert Wesley McGrew, a research student in computer security at Mississippi State University in Starkville. For example, the ability to install malicious code on removable systems via CD-ROMs has existed for several years, he said. What makes the U3 threat dangerous, though, is the fact that the devices can retrieve and store data, he added.
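The auto-run behavior described above can be audited from the defender's side. On Windows, media that presents itself as a CD-ROM can carry an `autorun.inf` file whose `[autorun]` section names a program to start. The following Python is an added example, not code from the article, Hak.5 or any vendor named here; it lists the launch directives found on a mounted volume, and the function names and sample file contents are constructed for illustration.

```python
import os

# Constructed sample of an autorun.inf, not taken from any real device.
SAMPLE_INF = """\
; constructed sample
[AutoRun]
icon=launcher.ico
open=launcher.exe -quiet
shell\\open\\command=launcher.exe
label=Removable Disk

[Other]
open=ignored.exe
"""

def autorun_launch_targets(inf_text):
    """Return (key, command) pairs in [autorun] that name a program to run."""
    findings = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open / shellexecute start a program; shell\<verb>\command adds a menu action
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            findings.append((key, value))
    return findings

def audit_volume(root):
    """Check the root of a mounted volume for autorun.inf (any letter case)."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            # Assumes an ASCII/UTF-8 file; undecodable bytes are replaced.
            with open(path, encoding="utf-8", errors="replace") as fh:
                return autorun_launch_targets(fh.read())
    return []

if __name__ == "__main__":
    for key, command in autorun_launch_targets(SAMPLE_INF):
        print(f"launch directive: {key} -> {command}")
```

An empty result means the volume names no program to launch; any finding is a reason to inspect the device before allowing it on a managed system.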

Copyright © 2006 IDG Communications, Inc.
