
Wednesday, July 7, 2010

USB coffee-cup warmer could be stealing your data

via New Scientist...
Are you sure that the keyboard or mouse you are using today is the one that was attached to your computer yesterday? It might have been swapped for a compromised device that could transmit data to a snooper.

The problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This allows almost all USB-connected devices, such as mice and printers, to be turned into tools for data theft, says a team that has exploited the flaw.

Welcome to the murky world of the "hardware trojan". Until now, hardware trojans were considered to be modified circuits. For example, if hackers manage to get hold of a microchip when it is still in the factory, they could introduce subtle changes allowing them to crash the device that the chip gets built into. (more)

Security Directors - You already know about the dangers of plugging in dirty USB memory sticks. Now, you need to consider the possibility that foreign governments are loading other "legitimate" USB devices with spyware at the chip level. (Hey, they did it with hard drives.) Alert the employees. Convince them to resist the "Oh, isn't it cute. Let's plug it in," temptation.
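One way to answer the "is this the same keyboard as yesterday?" question, as an added example that is not part of the original post or the New Scientist article: record what is attached to each USB port, then compare later and flag swaps, newcomers, and devices that suddenly present an extra interface. The port names, IDs and serials below are constructed sample data.

```python
"""Compare today's USB inventory against yesterday's baseline."""

HID, STORAGE = 0x03, 0x08  # USB base class codes: human interface device, mass storage

# Constructed records: (port, vendor id, product id, serial, interface classes).
# On Linux the same fields can be read from /sys/bus/usb/devices/*/
# (idVendor, idProduct, serial, and bInterfaceClass of each interface).
BASELINE = [
    ("1-1", "aaaa", "0101", "", (HID,)),                # keyboard
    ("1-2", "aaaa", "0102", "", (HID,)),                # mouse
    ("1-3", "bbbb", "0201", "SN0001", (STORAGE,)),      # flash drive
]
TODAY = [
    ("1-1", "aaaa", "0101", "", (HID,)),                # unchanged
    ("1-2", "cccc", "0301", "", (HID,)),                # different device on the mouse port
    ("1-3", "bbbb", "0201", "SN0001", (STORAGE, HID)),  # same stick, now also an input device
    ("1-4", "cccc", "0302", "", (HID,)),                # something new that can type
]


def identity(dev):
    """Vendor id, product id and serial, as reported by the device itself."""
    _, vid, pid, serial, _ = dev
    return (vid, pid, serial)


def audit(baseline, today):
    """Return sorted (port, finding) pairs for everything that changed."""
    known = {dev[0]: dev for dev in baseline}
    findings = []
    for dev in today:
        port, classes = dev[0], dev[4]
        old = known.get(port)
        if old is None:
            # A newcomer that exposes HID can send keystrokes to the host.
            kind = "new-input-device" if HID in classes else "new-device"
            findings.append((port, kind))
        elif identity(old) != identity(dev):
            findings.append((port, "device-swapped"))
        elif set(classes) - set(old[4]):
            findings.append((port, "new-interface-class"))
    for port in known.keys() - {dev[0] for dev in today}:
        findings.append((port, "device-removed"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(BASELINE, TODAY):
        print(f"port {port}: {finding}")
```

The IDs and serial are self-reported by the device, so a careful clone will pass this check; what it catches is the sloppy swap, the unexpected newcomer, and the "memory stick" that starts presenting itself as a keyboard.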

Wednesday, September 21, 2016

USB Warning: Treat Unsolicited USB Sticks Like Junk Mail

Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes.

The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.”... 

(...and who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM?) more

Wednesday, November 12, 2008

Your Security Nightmare - Covert USB Sticks

He has in his pocket a seemingly torn and frayed piece of USB cabling. Who is he? A psycho nerd with his lucky charm, or a spy?

He pulls a cigarette lighter from his pocket. Who is he? A smoker, a pyro or a spy?

He walks in wearing a nice watch; carrying a USB cable. Who is he? Who knows why? Spy?

"Woh, dude, a cassette tape! But, uh, why does it have a USB cable attached to it?" What do we have here; a Luddite or a Black Knight?

And, that hip flask?!? Or is it? Who is he - a data drunkard, or a spy?
Hint: This is really a 250GB USB drive – disguised as a flask!
(more)

The reality is, you really don't know. These devices can carry a small library of your business secrets out the door, and make you smile at the same time. Conversely, they can also be used to inject spyware and viruses.

If you see these in your workplace don't be amused, be suspicious. ~Kevin

Monday, December 8, 2008

Controlling Brain Sucking Spiders - DeviceLock

from the manufacturer's website...
"Firewalls and antivirus software are no defense against acts of data theft and corruption from within your organization at local endpoints. You don't have to be an administrator to connect a small digital camera, MP3 player, or flash memory stick to the USB and begin uploading or downloading whatever you want. If you are a system administrator, you know you can't manage such device-level activity via Group Policy.

Using an endpoint device security solution called DeviceLock®, network administrators can lock out unauthorized users from USB and FireWire devices, WiFi and Bluetooth adapters, CD-ROM and floppy drives, serial and parallel ports, PDAs and smartphones, local and network printers and many other plug-and-play devices. Once DeviceLock® is installed, administrators can control access to any device, depending on the time of day and day of the week.

For enterprises standardized on software and hardware-based encryption solutions like PGP® Whole Disk Encryption, TrueCrypt and Lexar® SAFE PSD S1100 USB drives, DeviceLock® allows administrators to centrally define and remotely control the encryption policies their employees must follow when using removable devices for storing and retrieving corporate data. For example, certain employees or their groups can be allowed to write to and read from only specifically encrypted USB flash drives, while other users of the corporate network can be permitted to "read only" from non-encrypted removable storage devices but not write to them. (more)

Wednesday, July 29, 2009

"Is that your thumb, or are you just glad to see me?"

from the seller's Web site...
"Do personal Investigations Do Secret Surveillance Gather Evidence"

Thumbcorder (AJ-024TC) is the smallest real USB Flash Drive Spy Cam hands free Camcorder in the world with Built in 8Gb USB Flash Disk, Use it as a normal flash drive, spy pen camera in your pocket

Record with single switch
Just slide the Switch to Rec. will start recording, just slide switch to off to stop recording that's all... it will record sound and video. Really very easy to use.

View Recorded files
Simply connect the Thumbcorder to any USB port of your computer and view or copy the files to view. No need for any cable or extension.
Also, you can use it as USB disk drive. (more)

BTW, they plan to advertise this on television (USA Network).
Why do I mention it?
So you will know it when you see it.

Friday, November 2, 2007

Just when you thought your prohibition against bringing USB memory sticks into sensitive work areas was working...

"In lieu of lighter fluid and a flint, this lighter uses resistance coils to create heat. It’s the same technology found in car lighters.

The small rechargeable battery cell powering the coil can be recharged via USB. On top of that, there’s some flash memory in there to store files." Designer: Nathan Gabriele (more)

Although this particular camo-stick is still stuck in Nathan's brain as a concept piece, real camo-sticks are available for sticking in your computer. Some are outrageous. Some are clever. The last one could really cause you problems if it were repackaged.

The Memory Stick Stick
The Top 10 weirdest USB drives ever
Stick Doll
Sushi
Watch
Swiss Army Knife USB
Keystroke Logging "Memory Stick"
Mini-mini I & Mini-mini II
• The "pull my finger" Thumb Drive
AND
• The Snoopstick! A memory stick that inserts spyware code to allow remote eavesdropping.

(more)

Wednesday, January 14, 2009

What can hide in books and record for 69 hours?

This credit card size digital voice recorder measures in at just 6.5 millimeters in thickness and features 1GB of built-in storage, a flip-out USB connector, and flush-mounted controls. It can also be used as an MP3 player and USB flash drive. It records in high quality WAV file format and files can be easily copied or deleted just as with a standard USB storage device.

With only 36g weight the Ultra-thin Digital Voice Recorder offers a 69-hour recording time and built-in Li-Ion battery that is rechargeable via USB connection. (more)
Why do we mention it?
So you know what you are up against.

Thursday, August 2, 2012

The USB Stick-it-to-ya - Bad Practical Joke or Brilliant Security?

Imagine this...
You come into the possession of a USB memory stick. You think it has valuable information on it. Not your information, but valuable nonetheless.

You're smart enough to know it might contain spyware so you plug it into an isolated computer where spyware can do no harm. Then... Fab-a-dab-a-ZAP! Fizzle. Smoke. WTF?!?!

Your USB port is fried.

You inspect the stick more closely and pop open the cover. Someone has soldered all four of the output pins together! Grrr, a 100% short circuit. 

Bad practical joke or brilliant security? You decide.

Did the owner safeguard the information (the solder can be removed quite easily) in case of accidental loss, or did the owner just set you up for a nasty surprise?

Removing the solder and analyzing the information on the stick might yield the answer.

Why do I mention this? 
1. It is another reason to avoid USB sticks from untrusted or unknown sources.
2. It's a true story.

~Kevin

Thursday, April 13, 2023

The Mail Room Guy and the USB Spy Cable

Someone "lost" a USB charging cable. You found it. Lucky you? Maybe not...

USB spy cables look exactly like legitimate ones... exactly. 

In this example, the competition has paid an inside employee (the Mail Room guy) to drop a few cables around certain parts of the corporate headquarters. They didn't tell him why. And, he doesn't care. Why should he? He gets $50 per cable dropped.

Once plugged in, the cable takes control of your device. (cell phone, laptop, desktop, etc.) All your data becomes accessible. Next, pre-loaded penetration tools spring into action.

The connection can be used as a pivot point to attack other computers on the network. This is controlled remotely by the spy/hacker, via Wi-Fi to the internet, or via their nearby smartphone.

Once the hacker has infiltrated your network, more data can be extracted, viruses planted, or a ransomware attack staged. Obviously, this is dangerous in a business environment.

Recommendations:
• Mark your cables so if swapped you'll notice.
• Call us. We test USB cables as part of our debugging sweeps.
• If you use our services, we will give you a free test instrument so you can test new cables yourself.

Wednesday, June 27, 2018

Air-Gapped Computers to be Ticked-off via USB Tick-Sticks

A cyber-espionage group is targeting a specific type of secure USB drive created by a South Korean defence company in a bid to gain access to its air-gapped networks. 

According to a blog post by researchers at Palo Alto Networks, this attack was carried out by a group called Tick which carries out cyber-espionage activities targeting organisations in Japan and Korea.

Researchers said that weaponisation of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems; these networks are normally not connected to the internet. more

Murray's USB Stick Warnings
 

Thursday, December 22, 2011

World's Smallest USB Stick, nah... Shtik

Psst... It's the thingy on the right.
Think it's hard to stop USB stick info-espionage now? Just wait. And, wait until they come as promotional giveaways. The urge to use them will be uncontrollable. Gee, what if they are pre-loaded with spyware? Losing them will be equally uncontrollable. What more could the spies of 2012 ask for?

The new 19.5 x 14.5 x 2.9 mm USB stick will be available in 4, 8 or 16GB capacity versions when it's launched. (more)

BTW, do you have a program to deal with USB vulnerabilities?

Thursday, April 7, 2016

Proof Almost 50% of People are Computer Security Morons

In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait.

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location. Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions... more

Wednesday, November 30, 2022

Espionage Group Using USB Devices to Hack Targets

USB devices are being used to hack targets in Southeast Asia, according to a new report by cybersecurity firm Mandiant.

The use of USB devices as an initial access vector is unusual as they require some form of physical access — even if it is provided by an unwitting employee — to the target device.

Earlier this year the FBI warned that cybercriminals were sending malicious USB devices to American companies via the U.S. Postal Service with the aim of getting victims to plug them in and unwittingly compromise their networks...

The hackers behind it are concentrating on targets in the Philippines. The researchers assess the group has a China nexus, although it did not formally attribute the cyber espionage operation to a specific state-sponsored group. more

Sunday, July 25, 2010

Got a stick? You can spy!

According to Mugil all you need is a USB stick and a FREE program called “USBThief_Modified_by_NEO”. 

USB Thief is a simple program which makes your standard USB stick into a spying USB stick, if you plug it into someone’s PC, it will extract all the passwords from it.

This improved version also steals ALL of the following:
• Visited Links List
• Internet Explorer Cache List
• Internet Explorer Passwords List
• Instant Messengers Accounts List
• Installed Windows Updates List
• Mozilla Cache List
• Cookies List
• Mozilla History List
• Instant Messengers Accounts List
• Search Queries List
• Adapters Report
• Network Passwords List
• TCP/UDP Ports List
• Product Key List
• Protected Storage Passwords List
• PST Passwords List
• Startup Programs List
• Video Cache List

The question is, "Do you trust him?"
Feeling lucky?
His program is here.

As always... 
Why do I mention it?
So you will know what you are up against.
• Never let someone else stick you with their stick.
• Never stick yourself with a dirty stick.

Saturday, August 9, 2014

More Bad Publicity About USB Security

Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers.

Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.

The duo said there is no practical way to defend against the vulnerability.

The body responsible for the USB standard said manufacturers could build in extra security.

But Mr Nohl and Mr Lell said the technology was "critically flawed". (more with videos)

Thursday, August 3, 2017

Murray's TSCM Tip # 623 - Hiding in Plain Sight - The USB Microphone

USB microphones have many legitimate uses, students recording lectures, for example. Much more sensitive than a laptop's built-in microphone, they are perfect for that application. They also make eavesdropping on co-workers very easy.

The Plausible Deniability Bonus... Hey, it's not a bug. It's a legitimate piece of office equipment.

If you see one of these in a laptop, always assume it is recording. Some USB microphones have a red tally light, but a dot of black paint (or a piece of electrical tape) can cripple that tip-off. 

From the seller...
"This microphone is capable of picking up all of the sounds in a large room (range of approximately 80 feet) or it can pick up a small area; it's up to you, because you control the amplifier power! Its small size makes it perfect for situations where you don't want to draw attention to the fact that you are recording audio right into your computer."

Visit counterespionage.com to learn more about what you can do to detect and deter electronic eavesdropping.

Thursday, June 18, 2009

Yet another USB thumb-drive hitchhikes

South Australia's Health Minister John Hill says sensitive files on planning for the new Royal Adelaide Hospital (RAH) have disappeared.

He says the files kept on a USB drive were lost by an employee from SA Health's Major Projects Office this month...

The SA Opposition says a review must find out why it took nine days for Government ministers to be told the sensitive material had been lost.

Opposition health spokeswoman Vickie Chapman says loss of the files could sabotage the tendering process for the project.

"The biggest item of infrastructure promised by this Government is now at risk," she said.

"Now the most serious interpretation of this is that these documents contain material perhaps even the public sector comparative figures that will just give a field day for prospective tenderers." (more)

You know you are going to lose your USB drive some day.
Why not encrypt it today?
It's FREE. Click here.
Want an easy OTS solution? Click here.

Pick one, or risk being a NIT.
(Negligent Idiot Twit)

Wednesday, October 7, 2020

Apple T2 Security Chip Has Unfixable Flaw

Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to a team of software jailbreakers....

On the plus side, however, it also means the vulnerability isn't persistent, so it requires a "hardware insert or other attached component such as a malicious USB-C cable" to work. more 

Malicious USB cables are the latest, and arguably the most insidious, threats on the corporate information security landscape. Every USB cable on premises, and those being used elsewhere by employees, needs to be vetted for authenticity. Security directors are enlisting the aid of technical counterespionage consultants to perform this task.

Sunday, December 21, 2008

SpyCam Story #503 - WatchCam

"Nothing like a spycam that screams, 'Look at me! I'm dorkey!'"

No, no, no... Give it a chance.
Think Transformer!
The seller says so...

MP4 Player + Music Player + Video/Voice Recorder + Digital Camera + Digital Watch + Photo Album + E-book reader + PC Camera!!!

"MP4 Watch + Video Camera is a novel and fashionable design Portable Media Player (PMP) device. Just plug and play into USB port to transfer music files and data. Save all your media files on your wrist, you can listen to music, watch movies, take photos, record voices and videos wherever you go.

With Internal Speaker, you can share your lovely videos with your friends!

Moreover, you can plug it into your PC as a Web camera, convenient to use. Enjoy the high-tech life on the go!"

1.8" TFT screen, 160*128 pixel image
MP4 Player + Music Player + Video/Voice Recorder +Digital Camera + Digital Watch + Photo Album + E-book reader + PC Camera, all in one featured product
Built-in 8GB flash memory
Built-in Video Camera - Photo resolution: 640 x 480, Video Resolution: 352 x 288
Built-in speaker
PC Web Camera feature
MP4 watch, support MP4(AVI/3GP) video
Shows time/date and watch design is outstanding
Supports MP3, WMA and MP4(AVI) format, up to 8 hours of music playback
Supports JPEG format, also displays lyrics and picture
High-quality digital record, song circulation function and support several languages
5-equalizer modes: common, popular, rock classic, jazz
E-book browse function
USB 2.0 High Speed transfer
Auto Power Off Function
Package Contents:
MP4 Watch + Video Camera
USB Cable
Earphone
Driver CD
AC adapter
User's Manual
$129.00 (seller)

Laugha while you can, monkeyboy. Some day this will be super camp, and worth much more. Seriously. Remember the first TV wristwatch? (Seiko, 1982) Occasionally these turn up on ebay and sell for more than they originally cost.