(...and who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM?) more
Showing posts with label USB. Show all posts
Showing posts with label USB. Show all posts
Wednesday, September 21, 2016
USB Warning: Treat Unsolicited USB Sticks Like Junk Mail
Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes.
The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.”...
(...and who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM?) more
(...and who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM?) more
Thursday, September 15, 2016
Security Director Alert: USB Sabotage Kills Devices in Split-Second - Only $49.95
For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it.
Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it.
It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds.
On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware"...
The lesson here is simple enough. If a device has an exposed USB port -- such as a copy machine or even an airline entertainment system -- it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.
"Any public facing USB port should be considered an attack vector," says the company. "In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack."
Not every device is vulnerable to a USB Kill attack. The device maker said that Apple "voluntarily" protected its hardware. more
From USBKill.com...
USBKill.com strongly condems malicious use of its products.
The USB Killer is developed and sold as a testing device. Use of the device can permanently damage hardware. Customers agree to the terms and conditions of sale, and acknowledge the consequences of use.
In a nutshell, users are responsible for their acts.
A hammer used maliciously can permanently damage to a third party's device. The USB Killer, used maliciously, can permanently damage a third party's device.
As with any tool, it is the individual, not the manufacturer of the tool, responsible for how the individual uses the tool.
The USB Killer was used on our equipment
Please see above. We suggest pursuing the individual responsible, or reporting the act to the appropriate authorities.
This is only one spy trick.
We know hundreds more.
Call us for a TSCM / Information Security Survey.
Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it.It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds.
On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware"...
The lesson here is simple enough. If a device has an exposed USB port -- such as a copy machine or even an airline entertainment system -- it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.
"Any public facing USB port should be considered an attack vector," says the company. "In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack."
Not every device is vulnerable to a USB Kill attack. The device maker said that Apple "voluntarily" protected its hardware. more
From USBKill.com...
USBKill.com strongly condems malicious use of its products.
The USB Killer is developed and sold as a testing device. Use of the device can permanently damage hardware. Customers agree to the terms and conditions of sale, and acknowledge the consequences of use.
In a nutshell, users are responsible for their acts.
A hammer used maliciously can permanently damage to a third party's device. The USB Killer, used maliciously, can permanently damage a third party's device.
As with any tool, it is the individual, not the manufacturer of the tool, responsible for how the individual uses the tool.
The USB Killer was used on our equipment
Please see above. We suggest pursuing the individual responsible, or reporting the act to the appropriate authorities.
This is only one spy trick.
We know hundreds more.
Call us for a TSCM / Information Security Survey.
Friday, August 5, 2016
Does dropping malicious USB sticks really work?
Of course it does.
Common sense.
I warned about this years ago.
Now, we have empirical evidence!
Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:
On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.
However, in reality each of the files was actually an HTML file containing an embedded image hosted on the researcher’s server. In this way they were able to track when files were accessed. more
Common sense.
I warned about this years ago.
Now, we have empirical evidence!
Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:
- …we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And Oh boy how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.However, in reality each of the files was actually an HTML file containing an embedded image hosted on the researcher’s server. In this way they were able to track when files were accessed. more
Sunday, November 15, 2015
The $8 USB Memory Stick Lock
3 Digit Combination USB Flash Drive Security Lock.
A physical lock for your USB Flash Drive.
Set your own 3 digits code to prevent your flash drive from being inserted into another computer.
Of course, it won't stop everyone, but it may thwart general snoops. more
A physical lock for your USB Flash Drive.Set your own 3 digits code to prevent your flash drive from being inserted into another computer.
Of course, it won't stop everyone, but it may thwart general snoops. more
Tuesday, July 7, 2015
Screening of Staff Made Mandatory to Check Info Leak
India - To plug information leak in the wake of corporate espionage case, the Centre has issued stringent guidelines for its departments, making security screening of personnel outsourced from elsewhere mandatory and avoiding doing confidential work on computers with net connection.
The guidelines, which say external memory devices must not be connected to the USB drives on these computers and that misuse of photocopying machines should be prevented, were issued by the Ministry of Home Affairs last week.
The MHA came out with the guidelines against the backdrop of the leak of classified information from some ministries including the Ministry of Petroleum and Natural Gas. more
The guidelines, which say external memory devices must not be connected to the USB drives on these computers and that misuse of photocopying machines should be prevented, were issued by the Ministry of Home Affairs last week.
The MHA came out with the guidelines against the backdrop of the leak of classified information from some ministries including the Ministry of Petroleum and Natural Gas. more
Sunday, January 18, 2015
60 Seconds + 1 USB Necklace = A Spy Hiding in Your Computer
The necklace, called USBdriveby, it’s a USB-powered microcontroller-on-a-chain, rigged to exploit the inherently awful security flaws lurking in your computer’s USB ports. In about 60 seconds, it can pull off a laundry list of nasty tricks...
...this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed..
So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky. A lot of these flaws are inherent to the way the USB protocol was designed and implemented across so many hundreds of millions of computers; short of filling your USB ports with cement or never, ever leaving your computer’s ports unattended while out and about, there’s no magic fix.
(more)
...this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed..
So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky. A lot of these flaws are inherent to the way the USB protocol was designed and implemented across so many hundreds of millions of computers; short of filling your USB ports with cement or never, ever leaving your computer’s ports unattended while out and about, there’s no magic fix.
(more)
Friday, December 5, 2014
Malware Planted In Chinese E-Cigarettes
Electronic cigarette manufacturers may have highlighted its numerous benefits to let you lead a healthy, stress-free life.
What they certainly did not highlight was that the device can be used for malware distribution as well...
To avoid such risks, it is advised to disable data pins on the USB and keep only cable charge to prevent any information exchange between the devices it connects.
Alternatively, use a USB Condom, a gadget that connects to USB and makes data pins ineffective. (more)
To avoid such risks, it is advised to disable data pins on the USB and keep only cable charge to prevent any information exchange between the devices it connects.
Alternatively, use a USB Condom, a gadget that connects to USB and makes data pins ineffective. (more)
Wednesday, December 3, 2014
The Amazon is Full of Bugs, or...
...14 more reasons you should have us check your office for electronic eavesdropping devices.
I received the following in my email. It dispels the myth that bugging devices are expensive and difficult to obtain. Most of these are under $100.
One is $8.06 and holds 150 hours of audio.
Last summer it was reported that Ford Motor Company found similar voice recorders under about eight of their conference room tables.
A Technical Surveillance Countermeasures (TSCM) inspection (conducted by qualified security technicians) is the quickest and most economical way to protect yourself against being a victim.
Want to know more? Call me.
I received the following in my email. It dispels the myth that bugging devices are expensive and difficult to obtain. Most of these are under $100.
One is $8.06 and holds 150 hours of audio.
Last summer it was reported that Ford Motor Company found similar voice recorders under about eight of their conference room tables.
A Technical Surveillance Countermeasures (TSCM) inspection (conducted by qualified security technicians) is the quickest and most economical way to protect yourself against being a victim.
Want to know more? Call me.
 |
| Click to enlarge. |
Monday, October 13, 2014
Thursday, October 2, 2014
The Unpatchable Malware That Infects USBs Is Now on the Loose
...two independent security researchers, who
declined to name their employer, say that publicly releasing the USB
attack code will allow penetration testers to use the technique, all the
better to prove to their clients that USBs are nearly impossible to
secure in their current form. And they also argue that making a working
exploit available is the only way to pressure USB makers to change the
tiny devices’ fundamentally broken security scheme. (more)
Thursday, September 11, 2014
You Like Business Class. Trade Secrets Like USB Class.
TX - A state district judge has dismissed a lawsuit brought by Houston-based Schlumberger Ltd. against a former employee who had left the company for a vice president job at a rival oilfield services company, Baker Hughes Inc.
Schlumberger had accused former employee Humair Shaikh of allegedly stealing trade secrets, but the two parties have reached a settlement...
The initial lawsuit alleged that Shaikh had violated confidentiality and noncompete agreements by taking trade secrets on four different USB drives when he left. (more)
Business espionage goes undiscovered, ignored, swept under the carpet, and settled out of court all the time.
Espionage is difficult to stop without a real commitment to protection.
The common thread is that the stolen digital data often travels via USB memory sticks, and this is preventable. We can show you how.
The initial lawsuit alleged that Shaikh had violated confidentiality and noncompete agreements by taking trade secrets on four different USB drives when he left. (more)
Business espionage goes undiscovered, ignored, swept under the carpet, and settled out of court all the time.
Espionage is difficult to stop without a real commitment to protection.
The common thread is that the stolen digital data often travels via USB memory sticks, and this is preventable. We can show you how.
Saturday, August 9, 2014
More Bad Publicity About USB Security
Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers.
Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.
The duo said there is no practical way to defend against the vulnerability.
The body responsible for the USB standard said manufacturers could build in extra security.
But Mr Nohl and Mr Lell said the technology was "critically flawed". (more with videos)
Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge. The duo said there is no practical way to defend against the vulnerability.
The body responsible for the USB standard said manufacturers could build in extra security.
But Mr Nohl and Mr Lell said the technology was "critically flawed". (more with videos)
Monday, August 4, 2014
USB - Unfixable Security Broken
It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality.
The findings will be laid out in a presentation next week from security researchers Karsten Nohl and Jakob Lell who claim the security of USB devices is fundamentally broken. More to the point they said it has always been fundamentally broken, but the holes have only just been discovered.
BadUSB
To demonstrate this the researchers created malware called ‘BadUSB’. It can be installed on any USB device and take complete control over any PC to which it connects. This includes downloading and uploading files, tracking web history, adding infected software into installations and even controlling the keyboard so it can type commands.
“It can do whatever you can do with a keyboard, which is basically everything a computer does,” explains Nohl... (more)
The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. ...or, treat USB sticks the same way you would hypodermic needles. (more)
The findings will be laid out in a presentation next week from security researchers Karsten Nohl and Jakob Lell who claim the security of USB devices is fundamentally broken. More to the point they said it has always been fundamentally broken, but the holes have only just been discovered.
BadUSB
“It can do whatever you can do with a keyboard, which is basically everything a computer does,” explains Nohl... (more)
The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. ...or, treat USB sticks the same way you would hypodermic needles. (more)
Wednesday, October 30, 2013
Kremlin Alledegly Slipped Spy Gadgets into G20 Summit Gift Bags
Russian hosts of the Group of 20 summit near St. Petersburg in September sent world leaders home with gifts designed to keep on giving: memory sticks and recharging cables programmed to spy on their communications, two Italian newspapers reported Tuesday.
A Kremlin spokesman denied the allegations reported by Il Corriere della Sera and La Stampa, both of which attributed their stories to findings of technical investigations ordered by the president of the European Council and carried out by German intelligence.
The USB thumb drives marked with the Russia G20 logo and the three-pronged European phone chargers were "a poisoned gift" from Russian President Vladimir Putin, Turin-based La Stampa said in its report.
“They were Trojan horses designed to obtain information from computers and cellphones,” the paper said.
The bugging devices were included in gift bags given to all delegates who attended the Sept. 5-6 summit at the palace in Stelna, outside of St. Petersburg, the newspapers said. (more)
Too obvious to be true?
You decide.
A Kremlin spokesman denied the allegations reported by Il Corriere della Sera and La Stampa, both of which attributed their stories to findings of technical investigations ordered by the president of the European Council and carried out by German intelligence.
“They were Trojan horses designed to obtain information from computers and cellphones,” the paper said.
The bugging devices were included in gift bags given to all delegates who attended the Sept. 5-6 summit at the palace in Stelna, outside of St. Petersburg, the newspapers said. (more)
Too obvious to be true?
You decide.
Saturday, February 2, 2013
Alerts sent in by our Blue Blaze Irregulars this week...
• "Time to take the glue gun to your USB ports." Data exfiltration using a USB keyboard.
• "Dust off your information security policy (or start putting one in place…)" Do you have a comprehensive information security program? Many businesses are still operating without one, leaving them open to preventable data breaches.
• "Enough already: encrypt those portable devices" The U.S. Federal Trade Commission (FTC) announced it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. ...The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car.
• “This call may be recorded” - Ninth Circuit says disclaimer not always necessary. But it’s still a good idea!
• "Man cleared of spying on his wife via computer software..." His attorney argued that prosecutors could not prove why Ciccarone used the software.
• "Nestlégate" Court convicts Nestle of "spying" on Swiss activists. (vintage commercial)
• "Dust off your information security policy (or start putting one in place…)" Do you have a comprehensive information security program? Many businesses are still operating without one, leaving them open to preventable data breaches.
• "Enough already: encrypt those portable devices" The U.S. Federal Trade Commission (FTC) announced it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. ...The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car.
• “This call may be recorded” - Ninth Circuit says disclaimer not always necessary. But it’s still a good idea!
• "Man cleared of spying on his wife via computer software..." His attorney argued that prosecutors could not prove why Ciccarone used the software.
• "Nestlégate" Court convicts Nestle of "spying" on Swiss activists. (vintage commercial)
Wednesday, January 16, 2013
Cautionary Tale - Unsafe Sex, USB Style
Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.
Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter... (more)
(reiteration time) - "If you are not sure where it has been, don't stick it in."
~ Kevin
(reiteration time) - "If you are not sure where it has been, don't stick it in."
~ Kevin
Thursday, August 2, 2012
The USB Stick-it-to-ya - Bad Practical Joke or Brilliant Security?
Imagine this...
You come into the possession of a USB memory stick. You think it has valuable information on it. Not your information, but valuable nonetheless.
You come into the possession of a USB memory stick. You think it has valuable information on it. Not your information, but valuable nonetheless.
You're smart enough to know it might contain spyware so you plug it into an isolated computer where spyware can do no harm. Then... Fab-a-dab-a-ZAP! Fizzle. Smoke. WTF?!?!
Your USB port is fried.
You inspect the stick more closely and pop open the cover. Someone has soldered all four of the output pins together! Grrr, a 100% short circuit.
Bad practical joke or brilliant security? You decide.
Did the owner safeguard the information (the solder can be removed quite easily) in case of accidental loss, or did the owner just set you up for a nasty surprise?
Removing the solder and analyzing the information on the stick might yield the answer.
Why do I mention this?
1. It is another reason to avoid USB sticks from untrusted or unknown sources.
2. It's a true story.
~Kevin
Wednesday, July 11, 2012
Not All USB Spy Sticks Are Found This Easily
An attempt to infiltrate the corporate systems of Dutch chemical giant DSM by leaving malware-riddled USB sticks in the corporation's car park has failed.
Instead of plugging the discarded drives into a workstation, which would have infected the machine, the worker who first found one of the devices handed it in to DSM's IT department.
Sysadmins subsequently found an unspecified password-stealing keylogger, according to local reports by Elsevier.nl (Google translation here).
The spyware was designed to upload stolen usernames and passwords to a server under the control of hackers. This site was blocked by DSM's sysadmins, effectively thwarting the password-snatching object of the attack, so the company would be protected even should any other workers find and use the infected USB sticks on corporate laptops. It's unclear who was behind the plan, but regular cybercriminals or industrial spies are two strong possibilities. (more)
Sysadmins subsequently found an unspecified password-stealing keylogger, according to local reports by Elsevier.nl (Google translation here).
The spyware was designed to upload stolen usernames and passwords to a server under the control of hackers. This site was blocked by DSM's sysadmins, effectively thwarting the password-snatching object of the attack, so the company would be protected even should any other workers find and use the infected USB sticks on corporate laptops. It's unclear who was behind the plan, but regular cybercriminals or industrial spies are two strong possibilities. (more)
Thursday, June 7, 2012
Cautionary Tales of Laptops and Thumb Drives
Laptop Cautionary Tale
UK - The former Director-General of UK's internal security service MI5 has had her laptop stolen at London's Heathrow airport on Tuesday.
Dame Stella Rimington, who headed the agency from 1992 to 1996, has since then become a well-known spy thriller author. According to the report, he laptop contained research for her next book, but it could have also contained sensitive information such as contact details of her former colleagues.
"Dame Stella seems to have forgotten the tricks of her tradecraft since leaving MI5," commented a source... (more)
"Dame Stella seems to have forgotten the tricks of her tradecraft since leaving MI5," commented a source... (more)
Tip: Password protect your laptop. Encrypt confidential files. Carry only essential information. Install track and remote erase security software.
---
Memory Stick / Thumb Drive Cautionary Tale
The U.S. and Israel were responsible for creating the Stuxnet computer worm that wreaked havoc with Iranian nuclear facilities... And the first salvos in the massive cyberattack were launched via an unassuming piece of technology: a thumb drive... Thumb drives were “critical” in the initial Stuxnet attacks — which began in 2008 — although unspecified “more sophisticated” means were later used... “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand,” one of the program’s architects said. (more)
Tip: You know that thumb drive you "found" in the parking lot?
Don't plug it in.
Smash it.
Monday, April 16, 2012
A Memory Stick that Self-Destructs
Technology has now created the ultimate USB stick - used by the secret service. If you lose it you can track its location and if it falls into the wrong hands you can even remotely scramble its content. (video) (product)
Subscribe to:
Posts (Atom)