Security Focus

Hacksaw Cuts Road Warriors

After checking into the conference hotel two days early, I proceeded to the hotel's business center, where I briefly plugged my USB flash drive into each of the computers available to guests. I then returned to my room to prepare for an evening on the town. The next morning I checked out of the conference hotel and checked into a nearby hotel, because many of the arriving conference attendees might recognize me as the CTO of their primary competitor. That evening I began checking a bogus e-mail account that I had set up earlier, and, sure enough, data was beginning to come in. By the second day it was pouring in so fast it was hard for me to keep up. The contents of any USB flash drive plugged into any of the computers in the business center at the conference hotel were being sent to me. I quickly trashed items such as family photos, music, and spreadsheets of personal investments. By the end of the conference I had gigabits of confidential information from my company's top competitor.

Fortunately, the preceding paragraph is fiction; I really didn't do that. But I could have, and that's scary. Instead of a hotel business center, it could have been the computers that line the halls of many conferences so that attendees can check their e-mail, a computer kiosk at the airport, or even your own computer, momentarily left unattended.

The Offender: Hacksaw
USB Hacksaw is a hack that infects Windows PCs with a payload that will retrieve documents from USB memory drives plugged into the infected PC and then transmit them to an e-mail account. USB Hacksaw was featured on an episode of Hak5, an Internet Television show for hackers, modders (a slang term for people who modify a piece of hardware or software to do something it wasn't intended to do), and do-it-yourselfers. (If you haven't bookmarked Hak5, you should.)

Hacksaw is based on USBDumper, which silently copies the contents of an inserted USB drive onto the PC; Blat, a Win32 command-line utility that sends e-mail over SMTP; Stunnel, which encrypts arbitrary TCP connections inside SSL; and Gmail, which is the end repository of the data.

USB Hacksaw is a proof of concept. When I installed it on a 2 GB SanDisk flash drive and infected one of my old computers, I found it cumbersome and confusing. But, then, I'm a Mac user, and my knowledge of Windows leaves a lot to be desired. The bottom line is that a competent hacker can use this concept to steal the stuff you carry around on your USB flash drive: things like that PowerPoint presentation describing commercial applications of your research or a spreadsheet containing your institution's donors and their credit card numbers.

Even worse, it doesn't take a lot of imagination to think of even more malignant ways to exploit this concept, say, installing a Trojan horse that logs logons and passwords. (One security expert did this by leaving a bunch of USB drives lying around in the parking lot of a company that had hired him to test their internal security.)

The U3 Open Standard
The key to USB Hacksaw is the emergence of the open-standard U3 smart drive, which was co-developed by SanDisk and M-Systems. U3 allows users to take their applications, along with their data, to any USB-equipped Windows PC and launch applications from the flash drive itself.

How does a U3 drive work? Within a U3 drive there are two partitions: a large data partition that shows up as a regular flash drive and a small 4 MB read-only partition that pretends to be a CD-ROM. Believing that the small partition is a CD, Windows automatically runs the U3 "LaunchPad" program using the "AutoPlay" feature in Windows 2000, XP, and Vista. In the case of Hacksaw, some additional programs have been placed on the flash drive so that they are launched the same way. Because it relies on AutoPlay, U3 devices are not compatible with the Mac, Linux, or Windows 98/ME operating systems. When I plug a U3 flash drive into my Mac, I see the large data partition and an icon for a CD/DVD drive, which I can't read.
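The two-partition layout described above is also what makes a U3 device visible to a defender: the read-only partition enumerates as an optical drive hanging off the USB storage stack. The following PowerShell script is an added example, not part of this column or of the U3 or Hacksaw projects; it lists USB-attached "CD-ROM" volumes on a Windows machine and reports whether the NoDriveTypeAutoRun policy has AutoRun switched off for CD-ROM and removable drives. The PNPDeviceID prefix match is an assumption used here as a heuristic and may need adjusting for other vendors.

```powershell
# Added example (not from the column): spot U3-style fake CD-ROM volumes and
# report the AutoRun policy that governs whether their LaunchPad would start.
# Assumes Windows with CIM (PowerShell 3+). Prefix match is a heuristic.

function Get-UsbCdromVolume {
    # U3 drives expose their read-only partition as a USBSTOR CD-ROM device.
    Get-CimInstance -ClassName Win32_CDROMDrive |
        Where-Object { $_.PNPDeviceID -like 'USBSTOR\CDROM*' } |
        Select-Object Drive, Name, PNPDeviceID
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bit mask of drive types with AutoRun disabled:
    # 0x04 = removable drives, 0x20 = CD-ROM drives, 0xFF = every drive type.
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $v = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        [pscustomobject]@{
            Scope             = $p.Split(':')[0]
            NoDriveTypeAutoRun = if ($null -ne $v) { '0x{0:X2}' -f $v } else { '(not set)' }
            CdromAutoRunOff   = ($null -ne $v) -and (($v -band 0x20) -ne 0)
            RemovableAutoRunOff = ($null -ne $v) -and (($v -band 0x04) -ne 0)
        }
    }
}

$fake = Get-UsbCdromVolume
if ($fake) {
    'USB device(s) presenting a CD-ROM volume (U3-style):'
    $fake | Format-Table -AutoSize
} else {
    'No USB-attached CD-ROM volumes found.'
}
'AutoRun policy (machine and user scope):'
Get-AutoRunPolicy | Format-Table -AutoSize
```

A CD-ROM volume on a USB stick is not proof of tampering, since every stock U3 drive looks this way; the value of the check is in knowing which hosts would auto-launch whatever that partition carries.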

Why would anyone consider using such a dangerous device? Why not just ban U3 flash drives? The short answer is that portability, ease of use, and convenience trump security every time. How often have you tried to run a PowerPoint presentation from a flash drive on someone else's computer only to find that they are running a different version of the software? Or suffered the frustrations of Web browsing from a computer lacking your own bookmarks? Or dealt with the hassle of synchronizing e-mail downloaded on the road with your primary e-mail program at home?

For road warriors resigned to lugging a laptop through airport security, being able to recreate your home-base environment on a remote computer--for example, at a hotel business center or remote corporate site--with something that fits comfortably in your pocket is a very appealing feature. While one vendor (Kingston) has dropped support for the U3 standard, citing lackluster sales, a poll by GetUSB.info of their users in March of this year found that 64 percent owned a flash drive with U3 software. Finally, the biggest players in the industry, SanDisk, Verbatim, and Memorex, all offer U3 products. U3 is probably here to stay.

The problem of someone stealing data from an unattended computer using small USB memory devices has been around for some time. Hacksaw adds a new dimension: the infected computer now steals from the device, not the other way around, so monitoring what is plugged into a corporate computer doesn't address this problem. Disabling AutoRun probably isn't a viable solution, as that would inhibit valid applications. Banning U3 devices will probably work about as well as banning iPods and other USB memory devices. Encryption helps, but in the real world most of the information we carry around isn't encrypted or even protected.

So what should security conscious Road Warriors do? Is it our fate to lug our laptops around forever? I'd like to hear from readers about what, if anything, can or should be done about this new threat. You can reach me at the e-mail address below.
