Security Focus
Hacksaw Cuts Road Warriors
After checking into the conference hotel two days early, I proceeded to
the hotel's business center where I briefly plugged my USB Flash Drive
in each of the computers available to guests. I then returned to my
room to prepare for an evening on the town. The next morning I checked
out of the conference hotel and checked into nearby hotel because many
of the arriving conference attendees might recognize me as the CTO of
their primary competitor. That evening I begin checking a bogus e-mail
account that I had set up earlier, and, sure enough, data was beginning
to come in. By the second day it was pouring in so fast it was hard for
me to keep up. The contents of any USB flash drive plugged into any of
the computers in the business center at the conference hotel were being
sent to me. I quickly trashed items such as family photos, music and
spreadsheets of personal investments. By the end of the conference I
had gigabits of confidential information from my company's top
competitor.
Fortunately, the preceding paragraph is fiction; I
really didn't to that. But I could have, and that's scary. Instead of a
hotel business center, it could have been the computers that line the
halls of many conferences so that attendees can check their e-mail or a
computer kiosk at the airport or even your computer that has been
momentarily left unattended.
The Offender: HacksawUSB
Hacksaw is a hack that infects Windows PCs with a payload that will
retrieve documents from USB memory drives plugged into the infected PC
and then transmit them to an e-mail account. USB Hacksaw was featured
on an episode of
Hak5,
an Internet Television show for hackers, modders (a slang term for
people who modify a piece of hardware or software to do something it
wasn't intended to do), and do-it-yourselfers. (If you haven't
bookmarked Hak5, you should.)
Hacksaw is based on USBDumper, which silently copies the contents of an inserted USB drive onto the PC;
Blat, which sends e-mail using SMTP and a Win32 utility;
Stunnel, which encrypts arbitrary TCP connections inside SSL; and
Gmail, which is the end repository of the data.
USB
Hacksaw is a proof of concept. When I installed it on a 2 GB SanDisk
flash drive and infected one of my old computers, I found it cumbersome
and confusing. But, then, I'm a Mac user, and my knowledge of Windows
leaves a lot to be desired. The bottom line is that a competent hacker
can use this concept to steal the stuff you carry around on your USB
flash drive: things like that PowerPoint presentation describing
commercial applications of your research or a spreadsheet containing
your institution's donors and their credit card numbers.
Even
worse, it doesn't take a lot of imagination to think of even more
malignant ways to exploit this concept. Say installing a Trojan horse
that logs passwords and logons. (One security expert did this by
leaving a bunch of USB drives lying around in the parking lot of a
company that had hired him to test their internal security.)
The U3 Open StandardThe key to USB Hacksaw is the emergence of the open-standard
U3
smart drive, which was co-developed by SanDisk and M-Systems. U3 allows
users to take their applications, along with their data, to any
USB-equipped Windows PC and launch applications from the flash drive
itself.
How does a U3 drive work? Within a U3 drive there are
two partitions, a large data partition that shows up as a regular flash
drive and a small 4 MB read-only partition that pretends to be a
CD-ROM. Believing that the small partition is a CD, Windows
automatically runs the U3 "LaunchPad" program using the "AutoPlay"
feature in Windows 2000, XP, and Vista. In the case of "Hacksaw," some
additional programs have been placed on the flash drive. Because it is
based on "AutoPlay," U3 devices are not compatible with the Mac, Linux,
or Windows 98/ME operating systems. When I plug a U3 flash drive into
my Mac, I see the large data partition and an icon for a CD/DVD drive,
which I can't read.
Why would anyone consider using such a
dangerous device? Why not just ban U3 flash drives? The short answer is
that portability, ease of use, and convenience trump security every
time. How often have you tried to run a PowerPoint presentation from a
flash drive on someone else's computer only to find that they are
running a different version of the software? Or suffered the
frustrations of Web browsing from a computer lacking your own
bookmarks? Or dealt with the hassle of synchronizing e-mail downloaded
on the road with your primary e-mail program at home?
For road
warriors resigned to lugging a laptop through airport security,
recreating your home base environment on a remote computer--for
example, a hotel business center or remote corporate site--with a
something that fits comfortably in your pocket is a very appealing
feature. While one vendor (Kingston) has dropped support for the U3
standard, citing lackluster sales, a poll by GetUSB.info of their users
in March of this year found that 64 percent owned a flash drive with U3
software. Finally, the biggest players in the industry, SanDisk,
Verbatim, and Memorex, all offer U3 products. U3 is probably here to
stay.
The problem of someone stealing data from an unattended
computer using small USB memory devices has been around for some time.
Hacksaw adds a new dimension. Monitoring what is plugged into a
corporate computer doesn't address this problem. Disabling AutoRun
probably isn't a viable solution, as that would inhibit valid
applications. Banning U3 devices will probably work as well as banning
iPods other USB memory devices. Encryption helps, but in the real world
most of the information we carry around on isn't encrypted or even
protected.
So what should security conscious Road Warriors do?
Is it our fate to lug our laptops around forever? I'd like to hear from
readers about what, if anything, can or should be done about this new
threat. You can reach me at the e-mail address below.
