Insiders are perhaps the most troublesome phenomenon of the corporate environment, both literally and figuratively. Today the corporate perimeter is defended not so much against outside intruders as, in effect, against the company's own people. We look at this problem through the eyes of an insider who combines the art of stealing confidential information with the edge of a sharp blade.
Business today is an "arms race": whoever offers their services faster and better takes the lead. The "weapons" in this race are specific to each field, but the object of the race does not change: timely information, properly used, can give its owner a bright future and finish off its competitors.
How "useful" information is obtained depends on its type and on the infrastructure in which it circulates, so the methods of extracting it are hard to classify. There are, however, two fundamentally different approaches to collecting and processing it:
• Competitive intelligence: collecting and processing information in a "legal" business environment. The data is obtained solely by analysing public reports, the media and similar sources, within the framework of the law.
• Industrial espionage: unlawful acquisition and/or use of restricted information under conditions of unfair competition.
Both approaches are present in every sector and at every level of business, in different forms. I want to focus on the latter, because of the peculiar techniques it uses to obtain confidential information.
Among the most common practices of industrial espionage are:
• blackmail of a person or group of people with access to the information in question;
• bribery of the same people;
• theft of storage media;
• insiding: activity of a company's own staff that leads to leakage of information and, as a result, to a breach of the law.
The last item covers a whole class of offences, committed either deliberately (by specially planted and trained agents) or unintentionally (by employees of the target organisation through incompetence, carelessness and so on).

From an information-security standpoint, the most dangerous are deliberately planted insiders with the technical knowledge and means to collect confidential information. Yet, as the annual studies of the Perimetrix research centre show, both kinds of internal violators receive roughly the same punishment, which depends only on the value of the lost information: from a formal reprimand to dismissal. It rarely reaches court. Perhaps this is because companies do not want to damage their reputation in the eyes of potential customers, but the upshot is that offenders go unpunished, which creates an "illusion" of impunity for insiding as a means of competition and helps it spread in business.
Poisonous USB
A person may become an insider without realising it, for example as a result of social engineering or, in plain Russian, a "razvod" (a con). Such people are of no interest to us: most of the time the company's information-security policies, which regulate how each employee handles information, deal with them. Far more dangerous are insiders who have been specially prepared and have a specific goal.
What can be said about ordinary users, who every day risk falling (and do fall) under the hood of Trojans? And what about the insider? Anyone can use the weapon of the "planted Cossack" (the Russian idiom for a mole) for their own purposes, and in a home-user environment this is far easier than in a corporate one.
A policy that allows USB devices plays into the attacker's hands. If many organisations do not think about this, what can be said of ordinary users... Any flash drive, player or other USB device carrying special software can collect the required information from the target PC without the administrator suspecting a thing. Building a platform on which such software can run from a USB device is what we will do.
Cocking the hammer
The preliminary stage is preparing the flash memory. First, let us determine its characteristics.
Every USB flash drive has a controller: a chip that acts as a gateway between the memory chip and the computer's USB interface. The ChipGenius utility will identify the controller type without opening the drive's case (see the link in the list of web resources at the end of the article).
In the list of USB devices, select our flash drive and look at the detailed information in the "The details of selected device" area. We need the "Chip Vendor" field, which gives the name of the chip manufacturer, and the "Chip Part-Number" field, which gives the controller part number and hence the approximate firmware version. This is enough information to reflash the device.

In my case (Kingston DataTraveler 4GB):
Chip Vendor: Phison
Chip Part-Number: UP10 ~ UP14
[Screenshot: determining the manufacturer of the memory controller and the approximate firmware version]

Some time ago shop shelves carried USB flash drives supporting U3 technology. There was nothing fundamentally new in them apart from special software that allowed programs stored in the drive's memory to be launched automatically. The key feature is a special partition (emulating a CD-ROM) that is read-only and holds portable versions of the programs.
These devices have now disappeared from the shelves, because they contained a specific "bug" that allowed the auto-launched area to be overwritten and arbitrary software or a .bat file to be run, which in some cases could spread malware, put an end to confidential information and in general lead to disastrous consequences.
The next stage is upgrading the "trigger mechanism" of our weapon, that is, reflashing the drive's controller. The task:
• input: an ordinary USB flash drive;
• output: a USB flash drive with U3 support.
Go to flashboot.ru and find the right firmware package for our controller (manufacturer: Phison). You will need to experiment with the version, because each package has its own quirks for each particular device. The aim is to create a special CD-ROM partition on the flash drive so that it supports U3, or in other words works in "Mode 21".
Run the ParamEdt-F1-v1.0.20.2.exe utility from the flashing package, open the "F1-1" tab straight away and set everything as in the screenshot:

Go to the "F1-2" tab and in the "CD-ROM" field select the CD image that will be auto-launched. This can be any LiveCD operating system, but note that later we will use a specially prepared .iso image, whose creation we will deal with a little further on. Next go to the "Controller" tab; in the "IC Type" ("Controller type") area select "Previous version", and in the "Used MP Tools" area select "Last Version". Save all settings to the boot.ini file by clicking "Save As".

Run F1_90_v196_00.exe and select the newly created boot.ini. Click "Start" and watch the testing and image-writing process. The process is finished when the window turns green (the drive's LED will flicker).

As a result of all these manipulations we get a flash drive with two partitions: a CD-ROM and an ordinary drive.
Loading
Kingston released a patch for its U3 drives in the form of an unprotected RAR archive, which lets you modify its contents at will. This is exactly what the author of the article cited below exploited: he modified the autorun file of the protected partition so that execution went first to a special handler and only then to the LaunchU3 handler files. The outcome of that research was the set of files that must be present on the protected partition of the drive. For details I recommend the article "Trojan in the brains of Flash" (see the resource list).
Before writing the files of the grabbing system to the protected partition by the method described in the previous section, put them into the .iso image, which can be handled with an ordinary archiver. Now to the contents of the working partition: it is to it (more precisely, to its scripts) that control is passed from the protected store. The basis of the working partition can be found in the archive.
I simplified the system somewhat by removing unnecessary functionality (playing music, for instance) and non-system files. Anyone can "sharpen" the contents of the working partition to their needs (without forgetting copyright, of course), and since the working partition is an ordinary writable drive, no reflashing is needed for any change.
Shot!
There is no doubt that this system works and does exactly what had to be proved. As long as administrators do not shed their naivety, data will keep leaking as it does now. This concept is just a proof of that theorem.
Note that the leakage channel here is peripheral devices, USB media in particular (and not only flash drives, but any other less "noticeable" device with a microchip on board). Looking reality in the eye: large organisations, and those that care about security, generally ban the connection of external media (USB above all). AutoRun, however, is often forgotten or neglected. Frequently there also remains the possibility of connecting devices through other ports (LPT, COM) and interfaces (SATA, IDE). Given that, this method has a right to exist.
The insider's ingenuity is not limited to the active scheme "get access to the PC -> connect the device -> receive the information"; the classic has evolved into passive penetration schemes, for example "leave the flash drive in the smoking room -> a curious victim initiates the attack vector".
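The hand-off that the "Loading" section describes (autorun.inf on the CD-ROM partition -> a handler -> the genuine LaunchU3) and the AutoRun setting that, as noted above, administrators tend to forget can both be checked mechanically. The Python below is an added example written for this edit, not code from the article or from the System.rar archive. The autorun.inf and handler.bat contents are constructed for illustration: the chain follows the article, but every file name other than LaunchU3.exe (handler.bat, collect.bat) is an assumption. The bit layout of NoDriveTypeAutoRun follows the GetDriveType() numbering that Windows documents for that policy value.

```python
"""Added example (not from the article or the System.rar archive).

Reconstruct the launch chain a U3-style stick hands to Windows, and check
it against the NoDriveTypeAutoRun policy. The autorun.inf and handler.bat
contents are constructed; the chain autorun.inf -> handler -> LaunchU3
follows the article, but the names handler.bat and collect.bat are assumed.
"""
import configparser

# NoDriveTypeAutoRun, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# Bit N disables AutoRun for drives whose GetDriveType() value is N.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
DEFAULT_POLICY = 0x91   # Windows default: unknown, remote and reserved classes only
HARDENED_POLICY = 0xFF  # every drive class, removable and CD-ROM included

AUTORUN_INF = """\
[AutoRun]
open=handler.bat
icon=LaunchU3.exe,0
label=U3 System
action=Open U3 Launchpad
shell\\open\\command=handler.bat
shell\\explore\\command=handler.bat
"""

HANDLER_BAT = """\
@echo off
rem stage 1: the collector on the writable partition (file name assumed)
start "" collect.bat
rem stage 2: the genuine launcher, so the user sees the menu they expect
start "" LaunchU3.exe
"""


def parse_autorun(text):
    """Return [(key, target)] for each key that makes Windows run something:
    'open=', 'shellexecute=' and the 'shell\\<verb>\\command=' form that
    hijacks the Explorer context-menu verbs (Open, Explore, ...)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str.lower                 # INF keys are case-insensitive
    cp.read_string(text)
    sections = {s.lower(): s for s in cp.sections()}
    if "autorun" not in sections:
        return []
    launches = []
    for key, value in cp.items(sections["autorun"]):
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value.strip()))
    return launches


def batch_launch_targets(text):
    """Minimal scan of a batch handler for the programs it starts, so the
    second hop of the chain (handler -> payload, handler -> LaunchU3) is visible."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        words = line.split()
        # drop 'start', 'call' and start's empty "" window-title argument
        while words and words[0].lower() in ("start", "call", '""'):
            words.pop(0)
        if words and words[0].lower().endswith((".exe", ".bat", ".cmd", ".vbs")):
            targets.append(words[0])
    return targets


def launch_chain(autorun_text, handler_text):
    """Everything that would run on insertion: the first autorun target,
    then whatever that handler starts."""
    first = [target for _, target in parse_autorun(autorun_text)]
    if not first:
        return []
    return [first[0]] + batch_launch_targets(handler_text)


def autorun_blocked(policy, drive_type):
    """True if NoDriveTypeAutoRun == policy disables AutoRun for drive_type."""
    return bool(policy & DRIVE_BITS[drive_type])


if __name__ == "__main__":
    print("chain on insertion:", " -> ".join(launch_chain(AUTORUN_INF, HANDLER_BAT)))
    for name, policy in (("default 0x91", DEFAULT_POLICY), ("hardened 0xFF", HARDENED_POLICY)):
        print(name, "blocks removable:", autorun_blocked(policy, "removable"),
              "blocks cdrom:", autorun_blocked(policy, "cdrom"))
```

Run stand-alone, it prints the chain handler.bat -> collect.bat -> LaunchU3.exe and shows that the Windows default value 0x91 leaves AutoRun enabled for both the removable and the CD-ROM drive classes, while 0xFF disables it for all of them. One caveat worth adding: Windows 7, and the 2011 update for earlier versions, disabled AutoRun for ordinary removable media but kept it for CD/DVD-class devices, which is precisely why a stick that emulates a CD-ROM keeps working; only the policy value (or an outright ban on the devices) closes the door for that class too.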
Integrity control
In large enterprises, specialised hardware and software solutions are often used to protect information from unauthorised access and to monitor integrity. On the Russian information-security market, one of the most common such products is probably the Accord hardware/software complex.
Once installed in the target computer, the controller is configured by the system administrator using specialised software that creates a software environment for each individual user. Hardware integrity monitoring by such a controller completely prevents an intruder from connecting peripheral devices or booting his own operating system from removable media. However, devices of this class often lose all meaning once an attacker has physical access to the PC in which they are installed.
For example, the aforementioned Accord looks like a network card and is installed in the computer the same way. During configuration the metal bracket that fixes the board to the PC case must be absent, so that the device can write to its memory area and save the settings. The administrator then fastens the metal bracket to the controller with two bolts in order to close the contacts and thereby lock the controller against further reconfiguration.

It is actually enough for an insider to unscrew one bolt to gain control of the target PC, bypassing the protection of the hardware/software complex and, as an option, safely use a "poisonous" flash drive.
The infrastructure in which information circulates is likewise imperfect when it comes to leaks. While serious organisations have begun to pay more attention to the technical side, the organisational and staffing side of information security contains potential gaps in almost every company. Internal company regulations are designed above all for "convenience of work" rather than for protecting information. These arguments are, of course, relative, but they lead to a conclusion: properly organised internal codes and regulations are often one of the key steps in ensuring information security, alongside disabling I/O ports on critical hardware.
Distorting "critical" information is often more dangerous than stealing or losing it. First, a change in the data can roll back the company's development and redefine the direction of its business as a whole; second, distortion is hard to trace and can be countered only by logging all user actions on "critical" data and archiving all documents.
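The logging and archiving that the paragraph above calls for rest on one primitive: a baseline against which the "critical" documents can be compared later. The Python below is an added example, not part of the article or of the Accord product. It builds a SHA-256 listing of a directory, seals it with an HMAC so that an insider with write access to the share cannot simply regenerate the baseline after editing a figure, and reports what was modified, added or deleted. The directory layout, file contents and key are constructed for the demonstration, and the key is assumed to live with the auditor rather than on the share.

```python
"""Added example (not part of the article or of the Accord product).

Keyed integrity baseline for a directory of "critical" documents: hash every
file, seal the listing with HMAC-SHA256 so an insider who can write to the
share cannot simply regenerate it after editing a figure, then report what
was modified, added or deleted. Paths, contents and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def seal(baseline, key):
    """Deterministic JSON plus an HMAC tag; the key stays with the auditor."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_seal(sealed, key):
    """Return the baseline, or raise if the baseline itself was tampered with."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("baseline tag mismatch")
    return json.loads(sealed["body"])


def compare(baseline, current):
    """Modified, added and deleted relative paths between two listings."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def run_demo():
    """Constructed scenario: three documents; then one figure is distorted,
    a file is planted, another removed, and finally someone tries to re-seal
    the altered tree without the auditor's key."""
    key = b"auditor-key-kept-off-the-share"          # assumption: not on the share
    docs = {"contracts/q1.txt": b"price 100", "contracts/q2.txt": b"price 250",
            "plans/roadmap.txt": b"launch in May"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in docs.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        sealed = seal(build_baseline(root), key)

        with open(os.path.join(root, "contracts", "q1.txt"), "wb") as fh:
            fh.write(b"price 10")                      # the distortion
        with open(os.path.join(root, "plans", "extra.txt"), "wb") as fh:
            fh.write(b"planted")
        os.remove(os.path.join(root, "contracts", "q2.txt"))

        report = compare(verify_seal(sealed, key), build_baseline(root))

        # re-sealing the altered tree without the key is caught on verification
        forged = seal(build_baseline(root), b"wrong-key")
        try:
            verify_seal(forged, key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return report, forgery_detected


if __name__ == "__main__":
    print(run_demo())
```

The HMAC is what separates this from a plain list of checksums: an insider who can edit the documents can usually edit a checksum file lying next to them, but cannot produce a valid tag without the auditor's key, so the baseline must be stored (or at least its key kept) outside the writable share.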
Even the few facts listed above lead to a conclusion: only an integrated approach to information security makes it possible to stop attempts at information theft by authorised users.
Useful resources:
http://flashboot.ru/index.php?name=Files&op=view_file&lid=131 - the ChipGenius utility, which helps determine the type of flash memory controller.
http://www.xakep.ru/magazine/xa/126/058/1.asp - the article "Trojan in the brains of Flash".
http://defec.ru/sites/default/files/System.rar - source code of the system reviewed here (author: Vadim Danshin).
http://www.xakep.ru/magazine/xa/122/016/1.asp - the article "Through an insider's eyes".
http://perimetrix.ru/ - the official site of Perimetrix.