
Security Focus

Hacksaw Cuts Road Warriors

8/10/2007

After checking into the conference hotel two days early, I proceeded to the hotel's business center, where I briefly plugged my USB flash drive into each of the computers available to guests. I then returned to my room to prepare for an evening on the town. The next morning I checked out of the conference hotel and checked into a nearby hotel, because many of the arriving conference attendees might recognize me as the CTO of their primary competitor. That evening I began checking a bogus e-mail account that I had set up earlier, and, sure enough, data was beginning to come in. By the second day it was pouring in so fast it was hard for me to keep up. The contents of any USB flash drive plugged into any of the computers in the business center at the conference hotel were being sent to me. I quickly trashed items such as family photos, music and spreadsheets of personal investments. By the end of the conference I had gigabits of confidential information from my company's top competitor.

Fortunately, the preceding paragraph is fiction; I really didn't do that. But I could have, and that's scary. Instead of a hotel business center, it could have been the computers that line the halls of many conferences so that attendees can check their e-mail, a computer kiosk at the airport, or even your own computer that has been left unattended for a moment.

The Offender: Hacksaw
USB Hacksaw is a hack that infects Windows PCs with a payload that will retrieve documents from USB memory drives plugged into the infected PC and then transmit them to an e-mail account. USB Hacksaw was featured on an episode of Hak5, an Internet Television show for hackers, modders (a slang term for people who modify a piece of hardware or software to do something it wasn't intended to do), and do-it-yourselfers. (If you haven't bookmarked Hak5, you should.)

Hacksaw is based on USBDumper, which silently copies the contents of an inserted USB drive onto the PC; Blat, a Win32 utility that sends e-mail using SMTP; Stunnel, which encrypts arbitrary TCP connections inside SSL; and Gmail, which is the end repository of the data.

USB Hacksaw is a proof of concept. When I installed it on a 2 GB SanDisk flash drive and infected one of my old computers, I found it cumbersome and confusing. But, then, I'm a Mac user, and my knowledge of Windows leaves a lot to be desired. The bottom line is that a competent hacker can use this concept to steal the stuff you carry around on your USB flash drive: things like that PowerPoint presentation describing commercial applications of your research or a spreadsheet containing your institution's donors and their credit card numbers.
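From the defender's side, the chain described above (bulk copying from a newly inserted USB drive, followed by outbound mail over SSL) can be hunted for by behaviour rather than by tool name. The following is an added example, not part of the original article or of the Hacksaw project; the event schema, process names, thresholds and allowlist are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAIL_PORTS = {25, 465, 587}            # SMTP, SMTP over SSL, mail submission
KNOWN_MAIL_CLIENTS = {"outlook.exe"}   # assumed allowlist for this example
WINDOW = timedelta(minutes=10)         # assumed correlation window
BULK_THRESHOLD = 3                     # assumed number of copies treated as bulk

# Constructed telemetry for one host, in a hypothetical schema (not real log output).
EVENTS = [
    {"ts": "2007-08-10T09:00:00", "type": "volume_mount", "drive": "E:", "removable": True},
    {"ts": "2007-08-10T09:00:03", "type": "file_copy", "proc": "copier.exe", "src": "E:\\slides.ppt", "dst": "C:\\cache\\slides.ppt"},
    {"ts": "2007-08-10T09:00:04", "type": "file_copy", "proc": "copier.exe", "src": "E:\\donors.xls", "dst": "C:\\cache\\donors.xls"},
    {"ts": "2007-08-10T09:00:05", "type": "file_copy", "proc": "copier.exe", "src": "E:\\notes.doc", "dst": "C:\\cache\\notes.doc"},
    {"ts": "2007-08-10T09:02:10", "type": "net_connect", "proc": "tunnel.exe", "dport": 465},
    # Benign: a guest copies one file off a drive and the mail client checks mail.
    {"ts": "2007-08-10T11:00:00", "type": "volume_mount", "drive": "F:", "removable": True},
    {"ts": "2007-08-10T11:00:20", "type": "file_copy", "proc": "explorer.exe", "src": "F:\\agenda.doc", "dst": "C:\\Users\\guest\\agenda.doc"},
    {"ts": "2007-08-10T11:01:00", "type": "net_connect", "proc": "outlook.exe", "dport": 587},
]

def find_usb_exfil(events):
    """Alert on a removable-drive mount followed by bulk copy-off and outbound mail."""
    # Parse timestamps into copies of the events and order them by time.
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    alerts = []
    for m in evs:
        if m["type"] != "volume_mount" or not m["removable"]:
            continue
        in_win = [e for e in evs if m["ts"] <= e["ts"] <= m["ts"] + WINDOW]
        copies = [e for e in in_win if e["type"] == "file_copy"
                  and e["src"].upper().startswith(m["drive"].upper())
                  and not e["dst"].upper().startswith(m["drive"].upper())]
        if len(copies) < BULK_THRESHOLD:
            continue
        # The copier and the sender are separate tools, so correlate by host and time.
        senders = sorted({e["proc"] for e in in_win if e["type"] == "net_connect"
                          and e["dport"] in MAIL_PORTS and e["ts"] >= copies[0]["ts"]
                          and e["proc"].lower() not in KNOWN_MAIL_CLIENTS})
        if senders:
            alerts.append({"drive": m["drive"], "mounted": m["ts"].isoformat(),
                           "files": len(copies), "senders": senders})
    return alerts
```

On a shared kiosk the allowlist would normally be empty, since no process there has a reason to open a mail-submission connection on its own.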

