Last Updated: 2009-01-30 22:38:49 UTC
by Mark Hofman (Version: 1)
Two readers brought something interesting to our attention and we're asking if you have some info that may help us determine what is happening.
Port scan sourcing from ports: [1-9]345
A reader noticed that the scans hitting his network have something in common: the source ports are all 4 digits and end in 345. The target IP addresses and destination ports seem random. So if you have some logs that display the same characteristics we'd be interested in taking a peek. Of course, if you happen to know off the top of your head what tool might be generating these, that would be good to know as well. The source IPs are predominantly in China, but US IP addresses are starting to show up as well.
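If you want to check your own firewall logs for the pattern the reader describes, the script below is an added example (not the reader's tooling or anything from the diary). It assumes an iptables-style log layout with SRC/DST/SPT/DPT fields; the sample lines and addresses are constructed from RFC 5737 documentation ranges. It keeps only TCP entries whose source port is exactly four digits ending in 345 and groups them by source, so a source that lands in that range repeatedly stands out against ordinary ephemeral-port clients.

```python
"""Flag firewall log entries whose TCP source port is 1345..9345.

Added illustration for the diary above, not the reader's own tooling. The
iptables-style log layout and the addresses (RFC 5737 ranges) are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines. Four TCP hits come from two sources; 51234 and
# 12345 fall outside the four-digit [1-9]345 pattern, and the UDP line is
# ignored because the reader described TCP scans.
SAMPLE_LOG = """\
Jan 30 08:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=2345 DPT=445
Jan 30 08:01:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.9 PROTO=TCP SPT=7345 DPT=8080
Jan 30 08:01:14 fw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=80
Jan 30 08:01:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.22 PROTO=TCP SPT=1345 DPT=22
Jan 30 08:01:16 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=9345 DPT=3389
Jan 30 08:01:17 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=12345 DPT=3389
Jan 30 08:01:18 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.7 PROTO=UDP SPT=5345 DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Exactly four digits, first digit 1-9, then 345: the [1-9]345 pattern.
PATTERN_RE = re.compile(r"^[1-9]345$")


def parse_log(text):
    """Return one dict per parseable line; lines without the fields are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["spt"] = int(rec["spt"])
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
    return records


def matches_pattern(port):
    """True for 1345, 2345, ..., 9345 and nothing else."""
    return bool(PATTERN_RE.match(str(port)))


def summarize_sources(records, min_hits=1):
    """Group pattern hits by source IP.

    Returns {src: {"hits": n, "dst_ips": set, "dst_ports": set}} for sources
    with at least min_hits matching TCP packets. A client choosing ephemeral
    ports at random lands in 1345..9345 only 9 times in ~64k, so repeated
    hits from one source are worth a closer look.
    """
    per_src = defaultdict(lambda: {"hits": 0, "dst_ips": set(), "dst_ports": set()})
    for rec in records:
        if rec["proto"] == "TCP" and matches_pattern(rec["spt"]):
            entry = per_src[rec["src"]]
            entry["hits"] += 1
            entry["dst_ips"].add(rec["dst"])
            entry["dst_ports"].add(rec["dpt"])
    return {src: e for src, e in per_src.items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    for src, e in summarize_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {e['hits']} hits, {len(e['dst_ips'])} targets, "
              f"dst ports {sorted(e['dst_ports'])}")
```

Raise `min_hits` to a few when running it over a day of logs; the point is to surface sources that keep reusing that tiny port range across unrelated targets, which is the signature the reader saw.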
Brute forcing webmail passwords and then sending SPAM using those webmail accounts is nothing new. One reader however noticed that in their network the volume of messages sent through one account was very high, suggesting that it may have been automated. Again if you have some logs we'd be interested in taking a look. (The logs I'm looking for are not the brute force attack, but the web/mail log of the account being used to send mail). The source IPs of the few examples I've seen are IP addresses in Nigeria.
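The volume clue the second reader mentions can be turned into a simple detector. The script below is an added example, not code from the reader's site or from the diary: it assumes a one-line-per-send log with a timestamp, account name, client source address and recipient count (a constructed format; adapt the regex to what your webmail or MTA actually writes) and flags any account whose sends inside a sliding window exceed a message or recipient limit.

```python
"""Spot webmail accounts whose sending rate looks automated.

Added illustration for the diary above, not code from the reader's site. The
one-line-per-send log format, the account names and the addresses are
constructed; adapt LINE_RE to whatever your webmail or MTA actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice and carol send at a human pace, bob's account
# pushes 50-recipient messages every few seconds from one outside address.
SAMPLE_LOG = """\
2009-01-30T09:00:01 send user=alice src=198.51.100.20 rcpts=1
2009-01-30T09:12:40 send user=alice src=198.51.100.20 rcpts=2
2009-01-30T09:30:05 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T09:30:09 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T09:30:13 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T09:30:17 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T09:30:21 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T09:30:25 send user=bob src=203.0.113.77 rcpts=50
2009-01-30T14:10:00 send user=carol src=198.51.100.31 rcpts=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) send user=(?P<user>\S+) src=(?P<src>[\d.]+) rcpts=(?P<rcpts>\d+)$"
)


def parse_sends(text):
    """Yield (timestamp, user, src_ip, recipient_count) in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["src"], int(m["rcpts"]))


def flag_accounts(text, window=timedelta(minutes=10), max_msgs=5, max_rcpts=100):
    """Return {user: alert} for accounts exceeding either limit inside the window.

    One sliding window per account: each send is appended, sends older than
    `window` are dropped, then the message count and recipient total of what
    remains are compared against the limits. Only the first breach per
    account is recorded, together with the source IPs seen up to that point,
    which is what you want when pulling the account's log for a closer look.
    """
    recent = defaultdict(deque)      # user -> deque of (ts, rcpts)
    sources = defaultdict(set)       # user -> source IPs seen so far
    alerts = {}
    for ts, user, src, rcpts in parse_sends(text):
        sources[user].add(src)
        q = recent[user]
        q.append((ts, rcpts))
        while q and ts - q[0][0] > window:
            q.popleft()
        msgs = len(q)
        total_rcpts = sum(r for _, r in q)
        if user not in alerts and (msgs > max_msgs or total_rcpts > max_rcpts):
            alerts[user] = {
                "at": ts.isoformat(),
                "msgs_in_window": msgs,
                "rcpts_in_window": total_rcpts,
                "src_ips": sorted(sources[user]),
            }
    return alerts


if __name__ == "__main__":
    for user, a in flag_accounts(SAMPLE_LOG).items():
        print(f"{user}: {a['msgs_in_window']} msgs / {a['rcpts_in_window']} rcpts "
              f"in window at {a['at']} from {a['src_ips']}")
```

The thresholds are deliberately low for the sample; set them from what your own users normally do, and treat a breach that comes with a source address you have never seen for that account as the strongest signal.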
Mark H - Shearwater
Last Updated: 2009-01-30 13:49:40 UTC
by Mark Hofman (Version: 1)
Loss of confidential information because of a USB stick is nothing new, but this one is quite amusing. A NZ guy buys a second-hand MP3 player in the US. When he plugs it in there are files on the device with details of US Military personnel (article). It turns out the previous owner's house was broken into and the player was taken. That still doesn't explain why she had an MP3 player with work files on it, or does it? Well, it actually makes sense.
I suspect her day went along these lines (and this is purely hypothetical). "Can I please have a USB drive to put some files on so I can work on them at home?" The answer was likely a resounding "No". After all, we know that certain information should not leave the organisation and USB drives are evil. She remembers her 10 year old nephew showing her how to place files on an MP3 player, which she has been allowed to plug into her PC so it can charge (music is good for morale in the office). So after sitting down at the desk, those files marked Confidential, Sensitive, Personal, etc. are easily copied across in a flash. Of course she probably could have just emailed them to her hotmail/yahoo/gmail/webmail account. Actually, I just had a thought: maybe she used the MP3 player because the US Military banned USB drives back in November. Although it was a ban on all removable media.
There are numerous other examples; one of my other favourites for January is the article on 9000 USB drives left in dirty washing and picked up by dry cleaners. It is easy enough to do, I know. I've put the last 5 drives through the washing machine at home (all working again, thanks for asking). They are tiny, easy to lose and cheap, so we don't look after them. You may also remember another example where a consulting firm, PA Consulting in the UK, disclosed details of 84,000 prisoners. And whilst not a USB drive, you must have seen the McCain Blackberry sales. Which I suppose brings us to other devices through which data walks out the door. My 500GB drive isn't much bigger than a pack of cards, my iPhone holds 16GB, my camera 8GB and the smallest USB drive I have is 4GB and no bigger than a thumbnail, and I'm positive collectively we could come up with numerous other devices to store data. USB storage doesn't always look like a USB drive either. They come in a variety of shapes and sizes. Google USB and any of the following: pen, watch, duck, and lighter, and you'll see a few examples. This is why we "love" USB drives.
So it is pretty clear that from a security perspective, USB drives are a major ..... Not the only way to get data out, but certainly a good old favourite. Addressing the issue is a bit of a challenge. A good place to start is of course with policy. Develop a policy that outlines the rules under which the devices can be used or there might even be a blanket ban. If you are going to allow the devices make sure that you include a statement in the policy that the information must be encrypted. Writing the policy is the easy part, getting people to do it is trickier.
When my dog was a pup it did something extremely unpleasant in the house. A mild whack with a rolled-up newspaper on its nose and the problem was sorted. Not just for that instance, but until the day she died a long, long time later. If only it was that easy with people. In pentests and investigations you find information in the darnedest places. For example, many encrypted drives have a small unencrypted portion where the decryption software lives, so you can use the information on non-work machines (that is a whole argument for a different day). So where do you think people store their files? Yep, in the small unencrypted space on the drive. Where is that newspaper? So we need things to back up the policy.
There are plenty of products about in the market place that will help you secure devices. In the Windows world you can use group policies; in Linux, OS X, etc. the USB devices can be disabled. Have a look at the NSA document that describes how to disable USB devices on different platforms (the site was a bit slow when I looked). One thing the commercial products I know of do nicely is log what is placed onto or taken off the device, which is handy in investigations. BTW, if you have a nice way to provide an audit trail using open-source tools I'd be interested in hearing from you.
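On the audit-trail question, one open-source starting point is the kernel log itself: the Linux usb core and usb-storage driver record vendor and product IDs, serial number, attach and detach times for every device. The script below is an added example, not one of the commercial products mentioned or anything from the NSA document; its syslog lines are constructed in the shape those drivers write (field names can vary between kernel versions, so check a real log before relying on the patterns), and it turns them into one record per attachment, with a filter for mass-storage devices only. It does not see which files were copied; for that you still need the commercial products or a file-level audit tool.

```python
"""Build a USB device audit trail from Linux kernel syslog lines.

Added illustration for the diary above, not one of the commercial products it
mentions. The log lines are constructed in the shape the kernel's usb core
and usb-storage driver write to syslog; field names may vary across kernel
versions, so check a real log before relying on these patterns.
"""
import re

# Constructed sample: one SanDisk flash drive (bus path 1-1) attached and
# later removed, plus a mouse (1-2) that is not mass storage.
SAMPLE_LOG = """\
Jan 30 10:15:02 host kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci
Jan 30 10:15:02 host kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Jan 30 10:15:02 host kernel: usb 1-1: Product: Cruzer Blade
Jan 30 10:15:02 host kernel: usb 1-1: Manufacturer: SanDisk
Jan 30 10:15:02 host kernel: usb 1-1: SerialNumber: 4C530001234567890123
Jan 30 10:15:03 host kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 30 10:15:04 host kernel: sd 6:0:0:0: [sdb] 15633408 512-byte logical blocks: (8.00 GB/7.45 GiB)
Jan 30 10:16:30 host kernel: usb 1-2: new low-speed USB device number 5 using uhci_hcd
Jan 30 10:16:30 host kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c077
Jan 30 10:16:30 host kernel: usb 1-2: Product: USB Optical Mouse
Jan 30 10:16:30 host kernel: usb 1-2: Manufacturer: Logitech
Jan 30 10:20:11 host kernel: usb 1-1: USB disconnect, device number 4
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
NEW_RE = re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(r"^usb (?P<path>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<path>[\d.-]+):[\d.]+: USB Mass Storage device detected")
GONE_RE = re.compile(r"^usb (?P<path>[\d.-]+): USB disconnect")
ATTR_KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


def parse_usb_events(text):
    """Return one record per device attachment, in order of attachment.

    Devices are tracked by bus path while attached; a disconnect on that path
    closes the record. Devices still attached at the end of the log have
    disconnected=None.
    """
    active = {}    # bus path -> record of the device currently on that path
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        n = NEW_RE.match(msg)
        if n:
            rec = {"path": n["path"], "connected": ts, "disconnected": None,
                   "vendor_id": n["vid"], "product_id": n["pid"],
                   "manufacturer": None, "product": None, "serial": None,
                   "mass_storage": False}
            active[n["path"]] = rec
            records.append(rec)
            continue
        a = ATTR_RE.match(msg)
        if a and a["path"] in active:
            active[a["path"]][ATTR_KEYS[a["key"]]] = a["val"]
            continue
        s = STORAGE_RE.match(msg)
        if s and s["path"] in active:
            active[s["path"]]["mass_storage"] = True
            continue
        g = GONE_RE.match(msg)
        if g and g["path"] in active:
            active.pop(g["path"])["disconnected"] = ts
    return records


def storage_audit(text):
    """Only the mass-storage attachments, which is what an investigation usually needs."""
    return [r for r in parse_usb_events(text) if r["mass_storage"]]


if __name__ == "__main__":
    for r in storage_audit(SAMPLE_LOG):
        print(f"{r['connected']} .. {r['disconnected'] or 'still attached'}: "
              f"{r['manufacturer']} {r['product']} serial={r['serial']} "
              f"({r['vendor_id']}:{r['product_id']}) on {r['path']}")
```

Ship the kernel log to a central syslog host before running this, since a local log on the user's machine is the first thing that disappears; the serial number is what lets you tie the same physical drive to several machines.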
So we have a policy and some technology to back it up. To finish things off you'll need some processes to monitor things and you will need to educate the users. Most importantly you need to have your version of the rolled up newspaper.
If you have a nice way of dealing with this particular issue, let me know. For example I know of one site where epoxy glue is their friend, remarkably few USB issues at the site.
Mark H - Shearwater