Behold: the lowly USB stick is pure evil. Avoid at all costs.


Just as a 0.001 cent match can start a raging bushfire, or a butterfly can start a hurricane (according to chaos theory), a simple 25 cent USB drive can result in an international and PR crisis for the United States and the United Kingdom.

How did Snowden personally export the ‘secrets’? By USB transfer? Yes sir.
According to The Guardian, in a videotaped interview he said:

“When you’re in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee … Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets.”

“I’m no different from anybody else,” he said. “I don’t have special skills” [but I have a USB Stick I bought from Best Buy – our words!]

So, it seems that he had access to the data, but how did he remove it? It seems that the answer is by the dreaded USB. There are reports that Snowden stole ‘four laptops’, but that really is quite a heist: he would have had to steal hardware such as laptops if the hard drives were completely encrypted and refused any form of data transfer.

Prison guards don’t carry guns
In a US prison, guards don’t carry guns when they patrol cell blocks. Surrounded by extremely violent offenders, often with nothing to lose, you’d think that the guards would carry lethal weapons, but they don’t, and for a very good reason. That reason is simple: the weapons can be used against them! The same principle should apply to USBs. Why are they allowed, and why do workstations still have USB ports? They are archaic and belong to 2002 BC, Before Cloud. It would be easier to monitor network traffic than to try to control the importation and exportation of USB sticks and data. Simple solution: block USB devices from being mounted, or better still, buy PCs that come without USB ports. Surely it wouldn’t have been that difficult for the National Security Agency (NSA) to procure terminals (workstations) slightly modified to have their USB ports sealed up?
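The "block USB devices from being mounted" control, as an added example that is not part of the original post: a small audit of modprobe configuration showing why a `blacklist` line alone is weaker than an `install` override. It assumes a Linux workstation; the module list, the `audit_modprobe` name and the sample file are assumptions of this example.

```python
import glob
import re

# Assumption of this example: a Linux workstation, where the usb_storage and
# uas kernel modules provide USB mass-storage support.
STORAGE_MODULES = ("usb_storage", "uas")
NOOP = re.compile(r"(/usr)?/bin/(false|true)")

# Constructed sample of a modprobe.d file, not taken from any real host.
SAMPLE = """\
# /etc/modprobe.d/usb-block.conf
blacklist usb-storage
install usb-storage /bin/false
blacklist uas
"""

def audit_modprobe(config_text, modules=STORAGE_MODULES):
    """Return {module: 'blocked' | 'blacklist-only' | 'loadable'}.

    'blacklist' only stops alias-based autoloading when a stick is plugged
    in; an explicit `modprobe usb-storage` still loads the driver. An
    'install <module> /bin/false' line makes modprobe run the no-op
    instead of loading the module, so only that counts as blocked here.
    """
    state = {m: "loadable" for m in modules}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # modprobe treats '-' and '_' in module names as the same character
        directive, mod = parts[0], parts[1].replace("-", "_")
        if mod not in state:
            continue
        if directive == "install" and len(parts) == 3 and NOOP.fullmatch(parts[2]):
            state[mod] = "blocked"
        elif directive == "blacklist" and state[mod] == "loadable":
            state[mod] = "blacklist-only"
    return state

if __name__ == "__main__":
    print("sample:", audit_modprobe(SAMPLE))
    text = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text += fh.read() + "\n"
    print("this host:", audit_modprobe(text))
```

The audit covers modprobe configuration only; a root user can still load a module file directly with `insmod`, which does not consult these files.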

The Pentagon, which is part of the NSA, had previously banned connecting thumb drives and other portable storage devices to classified computers. This ban was enacted after the agency discovered that their ‘secure’ networks had been compromised with malicious software that had been introduced by a USB drive in October 2008. The Russian intelligence service was the culprit (allegedly!) and investigators determined that the malware was introduced through a corrupted thumb drive.

Bradley Manning, an intelligence analyst in Iraq who is now infamously associated with WikiLeaks, also downloaded an abundance of sensitive data and transferred it via USB storage. A little phosphorus match can start a forest fire causing billions of dollars in damage: in Southern California in 2007, 15 wildfires from Simi Valley to the Mexican border were fanned by 50 to 60 mph winds and burned nearly half a million acres. Three people died, 25 firefighters were injured, nearly 1,300 homes were destroyed and 500,000 people were evacuated: all of that might have been, or was, caused by something as lowly yet powerful as a match. The same principle applies to the USB. It is potentially lethal!

Stuxnet infection was also via USB
As if we needed another powerful example, we need look no further than Stuxnet. The Stuxnet spyware targeted industrial facilities via USB memory stick. Stuxnet was a computer worm designed specifically to attack Iran’s nuclear facilities by infecting Windows operating systems embedded within Siemens industrial software and equipment.

We have blogged a lot about SCADA security and how it is, and remains, a security concern for the US Cyber Command. Taking the Stuxnet discussion further, one of our instructors, an expert within the SCADA security field, demonstrated how a hacker can create a “SCADA Malware Infection In 2 Simple Steps” by – wait for this – using a USB stick! The demonstration shows how a hacker can create a payload with Metasploit 4.0 and infect a SCADA Supervision Station using a USB stick.

What’s the moral of this story? It’s simple. Trash the USB, get rid of it. Completely. Just as a prison guard or correctional officer does not carry any weapons because inmates could wrestle the weapon away and then use it against the guards, so the disgruntled employee or moral crusader can use the USB for malice, so get rid of it!

What are your thoughts? Is the cost of ordering custom-made PCs that do not ship with USB ports prohibitive? Is there any benefit to having USB ports? Clearly keyboards and mice use USB ports, but surely there is a work-around by hard-wiring those peripherals to the motherboard? Share your thoughts!
