A new study by Honeywell found that removable USB drives "suddenly" pose a threat to industrial process control networks, a threat the report describes as "significant and deliberate".
According to the report, on 44% of the analyzed USB drives at least one file posing a security threat was detected and blocked. A quarter (26%) of the files found were capable of causing serious damage, up to operators losing the ability to see or control the progress of operations. Among the detected threats were TRITON, Mirai and various forms of the Stuxnet worm. A comparative analysis also showed that traditional anti-malware tools failed to detect up to 11% of the identified threats.
Considering that protecting and restricting access to corporate networks traditionally receives far more attention than controlling devices, the vulnerability of organizations to removable USB storage becomes even more obvious.
Yet it often receives too little attention. For instance, one of the sensational stories surrounding the 2016 US presidential election was the hacking of the Democratic National Committee (DNC) mail server and the theft of a huge volume of correspondence. According to the Democrats and officials, the hack was carried out from Romania, with Russian hackers or intelligence services involved, in an attempt to interfere in the election, and all other versions were dismissed as nothing but "conspiracy theory."
An alternative study of the technical background of the scandal was conducted by independent groups of qualified experts with experience in intelligence, criminalistics and forensics. The experts' conclusions were based on an estimate of the volume of the allegedly stolen material and the data transfer rate. Analysis of the metadata showed that on the evening of July 5, 2016, 1976 megabytes of data were copied from the DNC server. The operation took 87 seconds, which corresponds to a transfer rate of 22.7 MB/s. No Internet service provider available to a hacker in 2016 could deliver that rate, let alone over a transatlantic link to Romania. The highest average ISP speeds in the first half of 2016 were achieved by Xfinity and Cox Communications, at 15.6 and 14.7 MB/s respectively. Higher peak speeds were recorded intermittently, but they never reached the required 22.7 megabytes per second. This means that the speed required for an external hack was unattainable, which disproves the theory that the mail server was hacked from outside.
At the same time, 23 MB/s is a typical transfer speed for a USB 2.0 flash drive! In addition, the experts believe the amount of stolen data is too large to have been transmitted over the Internet. All this leads to the conclusion that the data was stolen from the DNC mail server by someone with physical access to it, by copying the data to an external USB drive.
Not long ago, another very interesting study was published by Australian researchers from the University of Adelaide. They tested more than 50 computers and external USB hubs and found that more than 90 percent of them leak information to an external USB device other than the intended destination of the transfer. "It was believed that because information is transmitted only along the direct path between a USB device and the computer, it is protected from potentially compromised devices," said Yuval Yarom, "but our research showed that if malicious devices are connected to neighboring ports on the same external or internal USB hub, this confidential information can be captured by the malicious device." The researchers discovered crosstalk leakage inside USB hubs, similar to water spreading between pipes, which means that neighboring ports on a USB hub can be used to steal data. To confirm the hypothesis, the researchers used a modified inexpensive device with a USB connector to read every keystroke from a nearby USB keyboard interface; the captured data was then sent over Bluetooth to another computer.
Both the Australian university's research and the analysis of the leak of mail correspondence from the DNC server directly indicate that the recent tendency to forget and underestimate the data leakage threat associated with USB devices is totally wrong and even harmful. Yes, messengers and cloud storage are in use today, but the good old USB interface and a primitive flash drive of a couple of gigabytes are still available to every potential intruder in any organization, which means that using them to steal confidential information remains relevant and, moreover, much simpler and more effective than an attack through the external perimeter or dumping data through clouds and mail. Furthermore, the possibility of a malware attack from a removable USB drive should also be kept in mind as a potential threat.
For some organizations that ignored the USB threat for years, the problem has finally caught up with them. As they say, better late than never. For example, in spring 2018 IBM banned its employees from using removable storage devices. In a newsletter to employees, Global CIO Shamla Naidoo reported that the company "is expanding the practice of banning data transfer to all removable portable data storage devices (USB, SD card, flash drive)." The argument cited was possible financial and reputational damage from the loss or misuse of removable storage devices. The approach chosen was radical: simply ban USB. At the same time, developers were encouraged to use the company's own cloud-based synchronization and sharing service for storing and transferring data.
Another giant of the global economy, online retailer Amazon.com, in the name of combating employee fraud and the leaking of inside information to independent sellers, went as far as dismissing suspected employees in the US and India for allegedly gaining illegal access to insider information. To prevent fraud and leaks, Amazon restricted technical support staff's ability to search the internal database and also prohibited the use of USB ports.
We do not know which methods and tools IBM and Amazon chose to block USB, but given the reports that IBM is considering exceptions from the USB port block for individual employees, this is hardly a full-featured DLP product.
Unfortunately, many solutions positioned as DLP still handle the USB interface and the devices connected through it at the Device Manager level, simply disabling the device at the application level or preventing the device driver from loading. Such a "defense" is not only frankly weak but also potentially dangerous, since it creates a false sense of security, and it certainly cannot in any way prevent malware on a USB flash drive from attacking the computer.
Effective neutralization of threats associated with the USB interface is achieved through a flexible combination of monitoring and access control functions for devices connected via USB, together with control of the USB interface itself, so as to govern devices that the OS does not classify as storage but that are nonetheless a potential channel for data leakage or malware infiltration.
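As an added illustration (not DeviceLock code and not part of the original post), here is a minimal policy evaluator of the kind such a device-control agent applies: it judges a device by the USB interface classes it exposes rather than by whether the OS calls it a storage device, supports per-device and per-user exceptions, and writes an audit record for every decision. The device records, serial numbers and user names are constructed; the class codes are the public USB-IF base class values.

```python
from dataclasses import dataclass, field
# USB-IF base class codes (bInterfaceClass). The OS treats only 0x08 as "storage".
MASS_STORAGE, HID = 0x08, 0x03
STILL_IMAGE, CDC, CDC_DATA, WIRELESS, VENDOR = 0x06, 0x02, 0x0A, 0xE0, 0xFF
# Classes the OS does not call storage but which can still move files or
# bridge networks (PTP/MTP phones and cameras, USB tethering, vendor protocols).
LEAK_CHANNEL_CLASSES = {STILL_IMAGE, CDC, CDC_DATA, WIRELESS, VENDOR}

@dataclass
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: list        # bInterfaceClass of every interface the device exposes
    user: str = "unknown"   # logged-on user at the time of insertion

@dataclass
class Policy:
    allowed_serials: set = field(default_factory=set)  # approved storage devices
    exempt_users: set = field(default_factory=set)     # per-user exceptions
    audit_log: list = field(default_factory=list)      # one record per decision

    def decide(self, dev: UsbDevice) -> str:
        classes = set(dev.interfaces)
        if HID in classes and classes & (LEAK_CHANNEL_CLASSES | {MASS_STORAGE}):
            # A "keyboard" that also exposes a data channel is not just a keyboard.
            verdict = "block: input device combined with a data channel"
        elif MASS_STORAGE in classes:
            if dev.serial in self.allowed_serials or dev.user in self.exempt_users:
                verdict = "allow: approved storage, shadow-copy file writes"
            else:
                verdict = "block: unapproved mass storage"
        elif classes & LEAK_CHANNEL_CLASSES:
            verdict = "block: non-storage class usable as a data channel"
        else:
            verdict = "allow"
        self.audit_log.append(
            f"{dev.vid:04x}:{dev.pid:04x} sn={dev.serial} user={dev.user} -> {verdict}")
        return verdict

def demo() -> list:
    # Constructed device insertions run through a sample policy.
    policy = Policy(allowed_serials={"CORP-0001"}, exempt_users={"it.admin"})
    devices = [
        UsbDevice(0x1234, 0x0001, "CORP-0001", [MASS_STORAGE], "alice"),
        UsbDevice(0x1234, 0x0002, "UNKNOWN-77", [MASS_STORAGE], "alice"),
        UsbDevice(0x1234, 0x0003, "PHONE-9", [STILL_IMAGE], "bob"),       # MTP phone
        UsbDevice(0x1234, 0x0004, "KBD-42", [HID, MASS_STORAGE], "bob"),
        UsbDevice(0x1234, 0x0006, "TEMP-5", [MASS_STORAGE], "it.admin"),
    ]
    return [policy.decide(d) for d in devices]
```

The audit log is what turns a block into evidence: each record ties the device identity and the user to the decision taken, which is what the article means by legally usable documentation of access attempts.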
In conclusion, I would like to note that our DeviceLock DLP product has provided full control of USB and FireWire ports since DeviceLock 5.5, released back in 2003. DeviceLock DLP prevents data from being stolen by internal intruders via USB devices, removable drives, disks and other connected external devices, as well as via the print channel, email, instant messengers, file-sharing services and other data transfer channels. In addition, event logging and shadow copying in DeviceLock DLP provide legally usable documentation and evidence of access attempts and of the copying of specific data.
Source: https://habr.com/ru/post/433008/