Banks and Endpoint Security

As you can guess, we get a lot of inquiries regarding the tools on this site and USB security in general. A lot of people ask for help with various projects, ranging from academic papers and security penetration tests to even a few black hats looking for assistance with their packages. However, I think the more interesting ones are those that ask us to help someone create a special package to aid in compromising bank systems or other illegal acts, many using their real names. And to save you the suspense, the answer is no: we do not commit, nor do we condone, illegal acts. Our goal here is not to help hack systems or assist in committing criminal acts, but instead to help raise awareness of endpoint security threats. The tools on this site are kittens compared to some others that are out there in the wild.

This raises some interesting security questions though. I remember one occasion, sitting at a desk in a bank (a credit union, actually). In front of me was a desk where a loan officer was filling out some paperwork on his computer. He had his computer on top of his desk with the back facing me…and some lovely shiny USB ports winking at me. The offices all shared printers outside the office; every time he printed something he left the office, walked a bit down the hall and into another cube, sometimes waiting a bit while the printer finished the job. In my right hand were my keys with a USB flash drive (never leave home without it) chock full of some particularly tasty tools.

I never actually considered doing it, but the scenario did run through my mind. The particular banker we were dealing with was a manager. He probably has access to not only customer records, but probably lots of other systems and tools. If his system were compromised with a backdoor trojan, or even with data I could slurp off his system in a matter of seconds, it could lead to a larger compromise of the network and the bank itself. We have heard of banks being compromised in pen tests using USB drives: simply scatter infected drives around the parking lot and wait for the employees to pick them up and open them on their computers. Human curiosity is the hacker's greatest tool.

posted by akuma @ July 31, 2007 10:37 pm  

Password Protected USB Thumb Drives…Not So Secure

You have probably seen quite a few of them come out recently: the “super secure” thumb drives that are password protected and come with various self-destruct mechanisms to keep you from tampering with them. Well, as we know, when you have physical access to a system, or in this case a device, it is only a matter of time before it is compromised. This is very true with these devices. Granted, it takes some knowledge as to how the devices are wired.

One example is the “secure” thumb drive known as “Secustick”, which advertises that the drive is used by multinational corporations, government agencies and other institutions where data integrity is important. The cost of these devices is well over $200 USD, so you would assume that your data is secure, right? Wrong. The device can be easily removed from its casing; there is no tamper-proof container. The actual flash memory is the same kind you find in el cheapo flash drives. The drive makes a partition secure by a switch connected to a controller. Simply soldering a connection between this switch and a ground removes the security. From here you can use a simple brute force app to run rainbow tables against the password prompt, and the drive will not limit the number of guesses you need to open it.

Now since you have physical access to the drive, you can just leave it connected to your computer and you should have access to the device fairly quickly depending on your system. The key point here is that removable media devices such as flash drives are very difficult to secure. If your data needs to be secured, do not make it portable.
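The missing guess limit described above, as an added example (not code from the original post or from any Secustick firmware): a hypothetical drive controller that charges each attempt to non-volatile state before checking it and destroys the stored secret after `MAX_FAILS` failures, next to the unlimited form. The struct, the function names, the limit of 5 and the sample passwords are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FAILS 5      /* assumed policy, not a value from any real drive */
#define SECRET_LEN 16

/* Simulated non-volatile state of a hypothetical drive controller. */
struct nv_state {
    uint8_t fails;               /* failed attempts, survives power loss */
    uint8_t wiped;               /* 1 once the secret has been destroyed */
    uint8_t secret[SECRET_LEN];  /* stored password (constructed sample) */
};
enum unlock_result { UNLOCK_OK, UNLOCK_BAD, UNLOCK_WIPED };

/* Compare with no early exit, so timing does not reveal a partial match. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Weak form: every guess is checked and nothing is counted. */
enum unlock_result unlock_unlimited(struct nv_state *nv, const uint8_t *guess) {
    return ct_equal(nv->secret, guess, SECRET_LEN) ? UNLOCK_OK : UNLOCK_BAD;
}

/* Hardened form: commit the attempt BEFORE checking it, so cutting power
 * in the middle of a check cannot refund the guess. */
enum unlock_result unlock_limited(struct nv_state *nv, const uint8_t *guess) {
    if (nv->wiped) return UNLOCK_WIPED;
    nv->fails++;                               /* charge the attempt first */
    if (ct_equal(nv->secret, guess, SECRET_LEN)) {
        nv->fails = 0;                         /* reset only on success */
        return UNLOCK_OK;
    }
    if (nv->fails >= MAX_FAILS) {              /* limit reached: self-destruct */
        memset(nv->secret, 0, SECRET_LEN);
        nv->wiped = 1;
        return UNLOCK_WIPED;
    }
    return UNLOCK_BAD;
}

/* Demo: send `wrong` bad guesses, then the right one; return the last result. */
enum unlock_result demo(int wrong, int limited) {
    enum unlock_result (*unlock)(struct nv_state *, const uint8_t *) =
        limited ? unlock_limited : unlock_unlimited;
    struct nv_state nv = {0};
    uint8_t good[SECRET_LEN], bad[SECRET_LEN];
    memset(good, 'A', SECRET_LEN);             /* constructed passwords */
    memset(bad, 'B', SECRET_LEN);
    memcpy(nv.secret, good, SECRET_LEN);
    for (int i = 0; i < wrong; i++) unlock(&nv, bad);
    return unlock(&nv, good);
}
```

The counter only helps if it lives inside the controller alongside the secret; a limit that an external line such as the switch described above can bypass gives no protection.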

Know of more ways to hack password protected and encrypted flash drives?

posted by akuma @ July 30, 2007 9:57 pm