USB Security


5 comments


  • + guest2bb054f4 guest2bb054f4 7 months ago
    Nice article. I had a similar not as complete as yours at my site.
    You forgot to mention USB Lock RP as a viable solution. That is a far easier to use and more capable solution than the ones mentioned that allows you to authorize devices at client or network level. Monitors the name of extracted files. Sends and logs alerts in real time, provides audit information on any client, and with the portable protector module can also protect the information inside the authorized USBs, managing the protector's password remotely from the administrative control. It can even force the encryption on extracted files. Fully functional demo to manage 5 clients is available at:
    http://www.advansysperu.com/usb-lock-remote-protect.html

    There is also a version for PC-Laptop
  • + guest70ce22a guest70ce22a 8 months ago
    good
  • + anismuha anismuha 10 months ago
    I tried to contact you, but failed, with this post hope you hear me. I request to download your presentation, cause I am an IT Trainer.
  • + guestf4f00a guestf4f00a 2 years ago
    7T7
  • + urbancoach urbancoach 4 years ago
    Very interesting presentation

USB Security - Presentation Transcript

  1. USB Device security Craig Schiller, CISSP-ISSMP, ISSAP Hawkeye Security Training, LLC
  2. Security for USB Flash Drives
    • Incidents with USB Storage Devices
    • Threats
    • Detection
    • Prevention
  3. USB Storage Device Security Incidents
    • Recently, IBM found that a batch of USB memory cards it had shipped contained a boot sector virus.
    • Sati Bains, Arthur Andersen
    • "There are a number of tools that can be used through the USB port, such as DebPloit, which allows any user to gain full administrative privileges by executing a simple application."
    • Laura Taylor , Relevant Technologies, Inc.
    • A Black Hat talk entitled "Plug and root: the USB key to the kingdom," describes how researchers made a hardware-based Trojan horse using USB ports
    • Darrin Barrall and David Dewey, SPI Dynamics
    • Health bosses in Lancashire are facing awkward questions after confidential medical records of 13 cancer patients found their way onto a portable memory stick, which was repackaged and sold as new to a Crewe estate agent.
    • John Leyden, The Register
    • A small software startup based in India recently reported one of their employees was caught trying to steal their IP (work) from a computer using a USB thumb drive.
    • Slashdot
  4. USB Storage Device Security Incidents
    • The P.I. Protector Mobility Suite, a software product by imagine LAN Inc., provides a USB drive (or other portable device) with an e-mail application, an Internet browser and file synchronization capabilities between a computer and the device. This means the user can send and receive e-mail to anyone and visit any type of Web site without leaving a trace of his activities on the host computer. Does this concern anyone?
    • John Mallery, BKD, LLC
    • Britain's Ministry of Defence has become the latest organization to add the iPod to its list of high-tech security risks. The pocket-sized digital music player, which can store thousands of songs, is one of a series of banned gadgets that the military will no longer allow into most sections of its headquarters in the UK and abroad.
    • According to this year's Global Information Security Survey by Ernst & Young, the 'humble' USB stick has overtaken viruses as the major worry of IT Security Managers around the world. As many as 75% of respondents recognized they would need to take action to combat the threat of rogue devices in the next six months.
    • In July 2005, a Japanese telecommunications company employee lost a thumb drive containing 12,000 employee records.
    • JETRO Japan Economic Monthly
    • A 30-year-old man who worked for a subsidiary of Toshiba Corp. leaked confidential company information that could be used for military purposes to an official of the Trade Representation of the Russian Federation in Japan. The MPD said the man recorded the company's confidential data in a portable data storage device on nine occasions between September last year and May. He handed the data to the Russian official in bars and restaurants in Tokyo and Kanagawa Prefecture, resulting in damages to the company, the MPD said. In exchange for the information, the former employee received envelopes containing cash totaling about 1 million yen, the MPD said. The leaked information included data on semiconductor-related technologies that could be used for jet fighter radar, missile guidance systems and submarine periscopes.
    • The Yomiuri Shimbun
  5. USB Storage Device Threats
    • Write Access related
    • Loss of confidential data via loss of USB drive by authorized user
    • Theft of intellectual property, economic espionage,
    • ( L ) A base for hostile activity with no trace on the host computer
    • ( L ) Compromise or loss of privacy restricted data
    • ( L ) Storage of material prohibited by law or acceptable use policy (pornographic, prejudicial, extreme violence, hostile workplace, hacker software, etc)
    • ( L ) Export controlled technology
    • Read Access related
    • Unauthorized access to internal systems (via collection of authentication data or privilege promotion)
    • Introduction of virus or worms
    • Introduction of trojans or other malicious code (unauthorized access; Integrity, Availability, Confidentiality (IAC) threats; or DoS)
    • Introduction of untested, uncertified, unknown quality software/data into production environments (IAC threats)
    • ( L ) Introduction of illegal software (copyright restricted)
    • ( L ) Introduction of material prohibited by law or by acceptable use policy (pornographic, prejudicial, extreme violence, hostile workplace, hacker software, etc)
    • ( L ) – Potential legal liability other than negligence
  6. Detection of USB Mass Storage
    • Windows operating systems use the file usbstor.sys to control USB Mass Storage devices. This is the USB storage port driver.
    • How it operates:
    • The first time a USB mass storage device is detected, the driver is loaded automatically using PnP hardware identifiers (HWID). Afterwards, the OS tries to match a compatible identifier in usbstor.inf. Normal users can install this driver without Admin or Power User privileges.
    • To detect the presence of the usbstor.sys file, look in either:
      • winnt\system32\drivers
      • windows\system32\drivers
    • Examine permissions to use the driver by right clicking on the file and selecting Properties. Select the Security tab to view the users with access to the driver.
    • Windows 2000 and XP Pro default grants access to
      • Administrator, Power User, and Users group
      • System account
    • Windows XP Home default grants access to the Everyone Group
  7. Prevention approach 1
    • Restrict access to all USB devices through BIOS settings
      • Drawback - would prevent the use of USB keyboards, mice, printers, etc
      • Would require using a BIOS password to prevent users from changing the setting
    Too Broad
  8. Prevention approach 2
    • Manually set a registry key to prevent users from formatting and ejecting USB devices
      • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
      • Data type: REG_SZ
      • Range: 0 | 1 | 2
      • Default value: 0
      • Description: Determines which users can format and eject removable hard disks.
      • Value meanings:
        • 0: Only administrators of the computer
        • 1: Only administrators and power users
        • 2: Only administrators and the local current user
    Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk
  9. Prevention approach 2
  10. Prevention approach 2 Ineffective
  11. Prevention approach 3
    • Manually set local policy to prevent ejection of USB devices
      • Local Policies > Security Options > Allowed to eject removable NTFS media
      • Devices: Allowed to format and eject removable media
      • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
      • Description
      • Determines who is allowed to format and eject removable NTFS media. This capability can be given to Administrators, Administrators and Power Users, or Administrators and Interactive Users.
      • Default: Administrators.
  12. Prevention approach 3 Ineffective
  13. Prevention approach 4
    • Prevent the user from installing the Windows built-in driver
      • Remove all installed USB drives
      • Uninstall the USB Mass Storage driver
      • Deny all access to the driver usbstor.sys for each user individually
        • or in a group (such as DenyUSBAccess)
      • Set the same security permissions on the files usbstor.inf & usbstor.pnf
        • Located in the winnt\inf or windows\inf directory.
      • Remove the Administrator Group, Power User Groups and
        • System Account from the security permission
  14. Prevention approach 4: Remove all installed USB drives. If no USB Mass Storage device is present, this will not show up.
  15. Prevention approach 4: Uninstall the USB Mass Storage Device Driver
  16. Prevention approach 4: Deny all access to the files usbstor.sys, usbstor.inf, and usbstor.pnf for each user individually or in a group (such as DenyUSBAccess). Remove the Administrators, Power Users, and Users groups and the System Account.
  17. Prevention approach 4: ISSUES. Effectively prevents Users and Power Users from installing the drivers for USB Mass Storage devices. However, if an administrator uses the same system and plugs in a USB device, it will install the device drivers. Once the drivers are there, Users and Power Users can also use it. To allow authorized users to install the devices on systems, you can add the users individually or create a group (AllowUSBAccess), then set the permissions of this group to allow access.
  18. Prevention approach 4
  19. Prevention approach 5: Deny all access to the registry key HKLM\SYSTEM\Microsoft\CurrentControlSet\Enum\Usbstor for each user individually or in a group (such as DenyUSBAccess). Remove the Administrators, Power Users, and Users groups and the System Account. To allow authorized users to install the devices on systems, you can add the users individually or create a group (AllowUSBAccess), then set the permissions of this group to allow access.
  20. Prevention approach 6
    • If a USB Storage Device Is Already Installed on the Computer
    • Warning
    • If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:
    • When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
        • Click Start , and then click Run .
        • In the Open box, type regedit , and then click OK .
        • Locate, and then click the following registry key:
        • HKLM\System\CurrentControlSet\Services\UsbStor
        • In the right pane, double-click Start.
        • In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
        • Quit Registry Editor.
    • Later if you choose to permit this user to access the USB Storage Device you should change this value back to a 3.
    Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  21. Prevention approach 7
    • Controlling block storage devices on USB buses (XP Pro Service pack 2)
    • What does controlling block storage devices on USB buses do?
      • This feature provides the ability to set a registry key that will prevent write operations to USB block storage devices, such as memory sticks. When this registry key is enabled, the devices function only as read-only devices. You can implement this setting as part of a security strategy to prevent users from transporting data using these devices.
    • Who does this feature apply to?
      • Users who do not want data to be written from their computer to a USB storage device.
      • IT professionals who want to implement organization controls over the use of USB block storage devices
    • What settings are added or changed in Windows XP Service Pack 2?
      • Setting name: WriteProtect
      • Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
      • Default value: DWORD=0
      • Possible values: 0 - Disabled, 1 - Enabled
  22. Prevention approach 7
    • Controlling block storage devices on USB buses (XP Pro Service pack 2)
    • Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:
        • Start the registry editor (regedit.exe).
        • Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
        • From the Edit menu, select New, DWORD Value.
        • Type the name WriteProtect and press Enter.
        • Double-click the new value and set it to 1. Click OK.
        • Close the registry editor.
        • Restart the computer.
        • To disable this change, you can either set WriteProtect to 0 or delete it.
  23. Prevention approach 8
      • MOVE THE DRIVER.CAB FILE
      • This approach requires moving the Driver.cab file found in the Winnt\Driver Cache\i386 directory to a location that users can't access. Using the administrator profile logon and logoff policy, you can copy and delete this directory to make sure it's available when you install new devices or deploy OS updates.
      • Moving the Driver.cab file is a network-centric approach that leaves the system state ready, and it puts the file in a location that's accessible only to the people with the authority to install new system devices.
      • ISSUE
      • Affects all devices, not just USB Storage Devices
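
A read-only PowerShell audit of the settings described in prevention approaches 2, 4, 6 and 7, added here as an example and not part of the original presentation. The function name and output property names are this example's own; the registry and file paths assume the standard HKLM and %SystemRoot% locations of the items named on the slides.

```powershell
# Added example: reports the current state of the USB storage controls; changes nothing.
function Get-UsbStorageControlState {
    [CmdletBinding()]
    param()

    # Helper (name is this example's own): return a registry value,
    # or $null when the key or the value does not exist.
    function Read-RegValue([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # Approach 6: Start = 4 disables the USB storage driver, 3 permits it.
    $start = Read-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' 'Start'
    # Approach 7: WriteProtect = 1 makes USB block storage read-only (XP SP2 and later).
    $wp    = Read-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'
    # Approach 2: who may format and eject removable media (0, 1 or 2).
    $dasd  = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AllocateDASD'

    # Approach 4: collect every ACL entry on the driver files so that
    # unexpected Allow entries (Users, Power Users, Everyone) stand out.
    $files = @(
        (Join-Path $env:SystemRoot 'System32\drivers\usbstor.sys'),
        (Join-Path $env:SystemRoot 'inf\usbstor.inf'),
        (Join-Path $env:SystemRoot 'inf\usbstor.pnf')
    )
    $acl = foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            foreach ($ace in (Get-Acl -LiteralPath $f).Access) {
                [pscustomobject]@{
                    File     = $f
                    Identity = $ace.IdentityReference.Value
                    Type     = $ace.AccessControlType   # Allow or Deny
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        UsbStorStart     = $start
        DriverDisabled   = ($start -eq 4)
        WriteProtect     = $wp
        ReadOnlyEnforced = ($wp -eq 1)
        AllocateDASD     = $dasd
        DriverFileAcl    = @($acl)
    }
}

$state = Get-UsbStorageControlState
$state | Format-List Computer, UsbStorStart, DriverDisabled, WriteProtect, ReadOnlyEnforced, AllocateDASD
# Allow entries on the driver files are the ones approach 4 sets out to remove.
$state.DriverFileAcl | Where-Object { $_.Type -eq 'Allow' } | Format-Table -AutoSize
```

A missing value is reported as empty, which for WriteProtect means the read-only policy is not set.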
  24. Third Party Solutions
    • With DeviceLock® by Smartline you can:
      • Control which users or groups can access USB and FireWire ports, WiFi and Bluetooth adapters, CD-ROMs, floppy drives, other removable devices
      • Control access to devices depending on the time of day and day of the week
      • Create the white list of USB devices which allows you to authorize only specific devices that will not be locked regardless of any other settings
      • Set devices in read-only mode
      • Protect disks from accidental or intentional formatting
      • Flush unsaved file buffers (very useful for removable media)
      • Control all functions remotely
      • Install and uninstall it automatically
    • GFI LANguard
    • DynaComm's i:scan real-time monitor enables a Systems or Network Administrator to centrally enforce policies for the use of removable media across networks.
    • Cryptainer LE from Cypherix Software (free for both personal AND commercial use). How Cryptainer LE works: Cryptainer LE functions as a driver for Win32 systems that allows the operating system to view a single encrypted file as a virtual disk. Essentially, once the virtual disk is mounted it is available to Windows just as if it were any other type of disk. A small program is required to mount the encrypted disk and that program can be included on the USB memory stick as well. The portable version does not require installation and can reside on the memory stick as well, making Cryptainer LE a self-contained encryption system. Cypherix uses strong encryption via the Blowfish algorithm. Blowfish is a highly efficient algorithm developed by cryptography expert Bruce Schneier. Provided that the password selected as the key is securely chosen, data encrypted by Cryptainer LE is as secure as it gets, figuratively speaking.
  25. Policy
      • Establish an Acceptable Use Policy concerning the use of USB devices within their networks for employees, vendors, contractors, and visitors.
        • Should cover all USB devices
        • Mandate that all users who require USB devices obtain some form of authorization prior to using a device within the network
        • Policy should establish audit requirements (used to identify unauthorized USB devices)
        • Guidelines should be established to govern removal of these devices from the premises.
        • To counter the potential of loss of sensitive information, the policy should dictate a minimum level of encryption to protect the data.
        • All USB flash drives should be required to contain a file with contact phone number and Mailing Address to use if the device is found. A legal disclaimer should be included that indicates “information on the drive is company proprietary or confidential and protected by law”
  26. Policy
      • Establish an Acceptable Use Policy concerning the use of USB devices within their networks for employees, vendors, contractors, and visitors. (Cont.)
          • All removable drives should be scanned for viruses when used with a corporate computer
          • When no longer needed, the removable drive should be “wiped” using an approved application
          • User awareness programs should include an overview about the risks associated with USB storage media.
          • Physical security personnel should receive training about the potential threat to the organization that unrestricted use of USB storage devices represents. They should also be taught how to recognize them.
          • IT personnel should receive training about effective measures to control the use of this technology.
  27. Sources
      • Are USB Flash Drives a Security Threat to the Enterprise?, By John Bumgarner, Cyber Watch Inc., 2003, The ISSA Journal
      • How to disable the use of USB storage devices , Microsoft KB 823732, 4/19/2005
      • How to disable any USB storage device , By Daniel Petri

+ wagnereliaswagnerelias, 4 years ago

Presentation for USB Security