Who would consider the possibility of a USB exploit? Whether it’s malware prevention, detection, or removal, the sneaky critters are now getting so clever the challenge of dealing with them just seems to get harder. And sometimes people just get in the way.
A couple of months back, a fellow security hack told me the story of a simple but effective way hackers had found to break into a business simply by exploiting the curiosity of a CEO.
They started by visiting a trade show and picking up a handful of promotional USB drives that had the target company’s logo printed on them. After loading the drives with malware, they paid a visit to the company’s parking lot, identified the parking spot of the CEO, and then very surreptitiously dropped an infected USB drive on the ground next to the driver’s door.
Naturally the CEO eventually picked up the drive, probably assuming that he or a careless employee had dropped it. As soon as the CEO got back to the office, he plugged the USB drive into his computer to see what was on it and which employee should be chastised for their carelessness. Instead, the CEO had just bypassed the company’s entire investment in security and introduced some very advanced malware directly into his own computer.
There have been many variations of this story, and in this case the hackers were allegedly the NSA. Whether it’s true or not, it supports something we all know about security. If a hack makes sense, it’s already happening. And tricking an unsuspecting employee into picking up and checking out a stray USB drive is about as easy a hack as they come.
Little wonder then that the USB drive may be one of the next big attack vectors facing big business. And a recently exposed series of hacks against USB drives should have all businesses worried about the risks.
In July 2014, a pair of researchers demonstrated at the Black Hat security conference in Las Vegas how it was possible to hide malware inside a USB drive that could infect a computer without being detected, and the malware itself couldn’t be detected on the USB drive either. Even erasing all of the contents of the drive wouldn’t remove the malware. No wonder that they simply called it BadUSB.
The researchers agreed not to publish details of the hack for fear of fueling widespread hacks based on the discovery. But just last week, a couple of fellow researchers decided that in the interest of security openness and knowledge sharing, they would indeed release the code to the world.
As the original researchers pointed out, if malware detection is almost impossible with the exploit, you’re limited to very few defenses against this attack. And they all come down to user behavior and choices, something we know represents the biggest security challenge in every organization.
As a defense, your organization could impose a rule that employees should never insert a USB drive into a computer they don’t own or don’t have complete control over, something that’s almost impossible to police. Or you could create another rule that employees should never insert into any computer a USB drive they don’t own or have no control over.
In an interview with Wired, one of the researchers pointed out another obvious challenge: “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
That would make it almost impossible for employees to use or share USB drives, never mind the enormous challenge of constantly having to remind employees of the new rules. Employees will break the rules, or they’ll just forget about them, and so the rules will be rendered useless.
I don’t think it’s the end of the USB drive as we know it, just an end to the way we so casually use it. A USB drive should be treated as though it may have come into contact with a potentially infectious disease, handled with great care, and shared only in the most sanitary of conditions.
Maybe the biggest lesson is that no matter how much we need and trust security technologies to protect us, the behavior and choices of people are what really make the difference.
Author: Neal O’Farrell