
December 2008 Posts

The Honey Stick Project - Measuring risk decisions
Blog Entry

Shouldn’t you know if your staff makes the wrong risk decision 50 percent of the time?

Saturday, December 6th 2008 @ 1:18 AM

Suppose the security safeguard you trust to handle your most critical information made the wrong risk decision about dangerous threats over 50% of the time. Wouldn’t you want to know about it, and well, maybe DO SOMETHING ABOUT IT? Perhaps the Honey Stick Project is not indicative of every decision your staff makes in a day, but the threats represented in this test are among the most dangerous.

After deploying 38 Honey Sticks, the statistics are becoming much more alarming than I had expected. So far, 21 of the devices deployed in public areas have been plugged into a computer on the Internet and accessed to see what’s on them. That’s exactly how some of the worst threats to your business’s information systems can take your operations out of commission, or cause major disruptions.

You can click on the Honey Stick Project’s results pages to see more details of the test locations used. Or, you can go to The Streetwise Security Zone (click HERE) to find out more about how to run your own Security Awareness Measurements internally. I can help you design several types of innovative tests to simulate attacks on your most critical information and systems, and then help design awareness and training programs that work to protect your operations.

Would your staff perform any better?

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

Blog Entry

The real message is - Don’t let your employees become your accidental adversaries

Saturday, December 6th 2008 @ 1:16 AM

When I started the Honey Stick Project, I thought it would be an interesting experiment. It never occurred to me that people wouldn’t understand why gathering these metrics was useful.

However, when I started explaining to people what the project was, and I got to the punch line… “I’ve discovered that over 40% of people who find these devices plug them into their computers to see what’s on them!”… all I got was a blank look, followed by a nod and a timidly uttered question - “Really? I guess that’s bad, eh?”

People wanted to care, so they nodded. But they really didn’t understand. It wasn’t until I was talking to my accountant, Mike, one day a few weeks ago, and he said, “Scott. I’ve heard you explain this project a few times now, but imagine you were talking to an executive at a networking reception who had no idea what it meant. After the first sentence, they’re quickly going to be looking right over your shoulder at the bar. They need to know what the ultimate impact is on their business, in just a few seconds. Why should they care?”

I thought about it for a few seconds, realizing I’d forgotten the golden rule of marketing (and security awareness is marketing)… what’s the end business benefit or impact?

So I tried one more time. “If an employee makes one wrong click on an email or a file on a rogue device, that computer could instantly become a slave that steals information, takes over your network or grinds your operational information systems to a halt,” I said.

“NOW I’m interested,” says Mike.

Since that day, a few weeks ago, I have been refining the message. This is what the message has become…

“Don’t let your employees become your accidental adversaries!”

Employees don’t usually want to cause your business any damage, but often they don’t know any better. You must first determine if they know which information and systems are sensitive. Then, you have to see if they know how to properly protect them. The technology can’t do it all. Just ask NASA.

In August, they discovered a virus on computers in the International Space Station. You’d think if anyone had the technology to protect their computers, it would be them.

It really is possible for your employees to knock out an operational computer system with just a single click, without even knowing they are doing it.

If your business depends on information, and you are curious about its predisposition to being accidentally disrupted by your own staff, please contact me by sending an email to inquiries@securityviews.com. I can show you how you can use Honey Sticks to measure security awareness in your organization, and then to implement a program for engaging and educating your staff on how to identify and protect your critical assets.

If you join The Streetwise Security Zone, you can also download a slide deck entitled, “The Accidental Adversary: Measuring Security Awareness Before It’s Too Late” by clicking HERE.

Blog Entry

Securing a USB Memory Stick means thinking about more than just encryption

Saturday, December 6th 2008 @ 1:04 AM

When you are choosing a solution for protecting USB Memory Sticks via encryption, there are a number of trade-offs to consider. It’s worth thinking about them, because, depending on your situation, they may be less secure than you had hoped, or more difficult to work with than you expected.

You shouldn’t necessarily depend on the encryption software that runs on the device to be secure. If it isn’t built into the hardware design, it can be tampered with. IronKey has a device that covers this off nicely. The downside is a bit of a usability trade-off. In order to thwart brute-force password attacks, the IronKey device has a password failure threshold. Once you pass the limit, it destroys all the data on the device - permanently.

When using a software-based solution such as TrueCrypt, you will need some client-based software installed. Some solutions let you keep the software on the device, which sounds convenient, but the software itself is subject to attack or replacement without your knowledge.

So, it’s a good idea to look at all the solutions on the market, and look at your situation. The highest grade of security is tempting to go for, despite the increased price. But you may have to change your mindset to accept the fact that all your data could be lost if the device clears itself due to exceeding the limit on failed passwords. It really highlights the need to have a regularly scheduled, secure backup strategy any time you are using Mobile Storage Devices.

For a good article on side-by-side comparisons for a few models available today, click HERE.

Comments

ScottWright (Group Administrator) said on Saturday, December 6th 2008 @ 1:13 AM:

Just a comment on this article that was originally posted in October, 2008.

I was recently contacted by SanDisk who offered to send me a sample of their new Cruzer Enterprise USB flash memory drive, which has mandatory access control and hardware encryption built in. I have agreed to review the device, and now have the sample. I will be trying it out, and will be speaking directly with people from SanDisk by phone.

I will post here when I have the results of my trial, and hope to talk about it in an upcoming episode of The Streetwise Security Zone Podcast.

Blog Entry

Clickjacking is just one way that files on a malicious device can fool you

Saturday, December 6th 2008 @ 1:02 AM

When you use an “unknown” device, the files may look innocent enough - maybe just some HTML files. If you click on one, and it seems to take you to a trusted site such as PayPal or a major banking site, it might not be what it looks like.

Clickjacking is a newly identified (but not new, in reality) risk that adds just another dimension to a “drive-by device” attack. But this is a powerful threat to your privacy, as well. With the right configuration of a spoofed website, you could be fooled into clicking on a button that causes you to unwittingly turn on your laptop camera and microphone. Compared to a static spoofed website, this is a very intrusive threat.

I have written up a set of tips for managing this risk, at least until vendors like Adobe and the browser manufacturers come up with a solution - which could take a significant amount of time. This problem is not easy to solve with technology, alone.

Here is a link to my write-up at The Streetwise Security Zone (click HERE). There are also links to sites with more information about this newly documented risk.

This just reinforces the need to be extremely cautious with “unknown” devices, that may attempt to launch attacks by taking you to a site that looks safe, but is far from it.

Blog Entry

If you run a lost and found, train your staff to handle devices carefully

Saturday, December 6th 2008 @ 1:00 AM

At various times during the Honey Stick Project, I have encountered Lost and Found facilities - some were well-managed, and others, I’m not so sure.

It’s worth mentioning to your staff that if a device is turned in, it should never be plugged in to a computer, even to see who owns it. The best thing to do is just mark the date it was found, and take the name and number of the person who turned it in.

There is no point in taking a risk that your computer or network could become infected with a virus or other type of malicious program. It may not be just an innocently lost device. With the rise in “spear-phishing” and “drive-by downloads”, the device may have been seeded with a program designed to infiltrate your network, or accidentally infected while the owner was using it to surf the Web.

I mentioned above that some lost and founds are not so careful. I noticed that one Honey Stick left at a hotel was not used for just over 30 days. Then it was plugged in and accessed from that same hotel’s network. I have no way of knowing exactly what the situation was, but it looked to me as though the minute it passed its “expiry date” in the lost and found, a staff member decided to check out its contents.

Another hotel kept a device for 3 months, and then called the person who turned it in, saying they could have it. That person did use the device, but used the contact information in a file on the device to let me know they had found it. The hotel did a good job in protecting their network, but it would have been nice for them to have warned the person to handle it carefully, since nobody knows where it came from.

Blog Entry

Drive-By Downloads can be initiated by websites or from infected USB drives

Saturday, December 6th 2008 @ 12:58 AM

Sometimes, you just don’t hear it coming; and “zap”, you’re infected.

According to Ryan Naraine, an anti-virus expert who works for Kaspersky Lab, over 70 percent of all web-based malware is now hosted by legitimate websites that have been infected. Click HERE for an article with more info from Ryan. One way or another, the sites either host what’s called a “Drive-By Download”; or they redirect or link you to a site that hosts one.

Recently, for example, the Business Week website was hacked, and various parts of the site became infected with malware that caused visitors to be automatically redirected, or rerouted, to third party websites without them knowing it. At the new sites, a download is initiated, usually by trying to take advantage of security flaws in browsers that mistakenly trust a site that initiates a download, or by impersonating a legitimate download, such as a Flash Player upgrade that it says is “required” to continue.

While the website statistic is scary, this same risk can appear from USB drives, or other mobile storage devices, that are infected with malware, or which have file links to Drive-By Download sites.

Some newer browsers, like Firefox 3.0, have “Malware Blockers” that can detect some instances of this activity, but not all of them.

The moral: Keep your eyes open for anything suspicious, even when visiting what you think is a “trusted” website; and don’t ever use unknown or untrusted USB devices.

Blog Entry

Using Honey Sticks can measure security awareness based on real human actions

Saturday, December 6th 2008 @ 12:56 AM

Recently, I’ve been receiving a growing number of inquiries about how people can use The Honey Stick approach to test security awareness in their business. It turns out that there are a few good reasons to use this approach for doing baseline measurements, and as an indicator of how well your security awareness program is working.

As Michael Santarcangelo commented to me recently, it is much more valuable to measure real human actions instead of just asking people their opinions or to recall how often they perform various activities. The Honey Stick approach is a cheap, easy and safe way to get an indicator of what level of awareness staff has. As a result, I am in the process of putting together a guide book and a kit that can be used to do basic metrics for how safely an organization’s staff handles unknown devices.

It’s always good to have questions, comments and anecdotes from real industry people. So, if you provide a relevant story in this thread, I’ll consider including it in the book, and I’d be happy to give you a copy when it is published. What would you like to see in the book or kit?

Blog Entry

Practical security help for small business managers at The Streetwise Security Zone

Saturday, December 6th 2008 @ 12:55 AM

It’s time to get streetwise about information security. One of the areas in which I think the security industry has been weak has been in giving small businesses affordable and practical tools for sifting through the mound of technical mumbo-jumbo created each day on the Web.

I imagine that they must feel a bit like high school teenagers walking into a baby’s clothing store… They don’t have much interest, even though - someday soon - they know they will need to know about the stuff.

The Honey Stick Project was my first attempt to raise awareness among small business managers and others who should be aware of the real risks in today’s information world. I still have some new ideas for testing the psychology of how people think about mobile storage devices they find or lose. But the small business problem is much bigger than this, in my view.

I think there are two main problems that we must address, particularly for small businesses.

   1. Small business managers don’t have the time to spend on learning the big picture - or even the basics - about information security in a way that makes sense to their operations.
   2. Even if they did have time to make the effort, they see it as far too expensive to bring a consultant in to teach them, objectively, about what security issues they need to worry about for their unique situation.

So, I have created a collaborative website called The Streetwise Security Zone at http://www.streetwise-security-zone.com, where there is a growing body of free information, directly relevant to small business managers - presented in a casual and fun environment.

There is a membership element to this site, which is free to join while the community is in this introductory phase. The SWSZ has a number of categorized forums for Q&A, and all content is as non-technical as possible - with fair warnings where technical explanations are necessary.

The SWSZ is home to a growing stash of coaching tools - free to members - together with easy-to-consume multi-media materials on various important information security topics. My aim is to leverage video and audio to provide small segments that are designed to be easily digestible by busy managers and their staff.

Guest contributors, authors and links to other websites will be chosen carefully to remain in keeping with my aim of providing quick, simple shots of relevant information security information - what I call Governance by Graffiti - an idea I plan to explain in more detail at a later time.

The problem today is not that the information isn’t available, it’s that it must be put into the right context for it to be of value. This is what Chris Anderson says in his book, The Long Tail. I hope The Streetwise Security Zone will serve the long tail of the small business manager.

So, please stop by The Streetwise Security Zone, and tell others about it if you think they would benefit. And, by all means, feel free to provide comments.

Blog Entry

Does NASA need to train astronauts about Honey Sticks?

Saturday, December 6th 2008 @ 12:51 AM

Thanks to Brian Honan (click HERE to view his site at BH Consulting) for noting The Honey Stick Project in this week’s SANS Newsbites newsletter (click HERE). Apparently, the virus infecting the NASA laptops brought aboard the International Space Station was a type of worm that usually spreads by way of infected mobile storage devices.

According to The Register (click HERE):

    SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals passwords to various online games, according to anti-virus software provider Symantec, which first spotted the worm 12 months ago.

Blog Entry

SD Phone Home - New potential Honey Stick threats

Saturday, December 6th 2008 @ 12:48 AM

Recently, I heard about two interesting devices.

The first is a story of a digital camera that was stolen (click HERE). The owner was surprised to receive an email with pictures of the thieves. Apparently, the owner had forgotten that they had a $100 special SD card with Wi-Fi built in, called Eye-Fi (click HERE), and the ability to upload files to the owner’s site. It actually sends its data via email or upload to a file repository. It’s not clear to me exactly how this works yet, but if it can do it without spending cycles on the finder’s computer it would solve a lot of the privacy and liability issues I’ve written about in my paper (click HERE).

Another thing I heard about this week was the Trackstick II Personal Tracker (click HERE). It looks like a USB Drive that has GPS tracking on board, and can track and store its own location and movement information. However, I’m not sure if this one can store user files or data, and it doesn’t look like it can “phone home”. But it’s only a matter of time…

If a “phone home” program was added to it in case of loss, I’d see this as having some liability issues, if the finder’s computer were damaged during the program’s unauthorized execution.

It looks like we’ll be seeing a lot more devices integrating different technologies. All the more reason to be very careful what you stick into your computer. If you thought DoubleClick and web bugs had privacy issues, just wait until your new camera registers itself and sends your picture and PC configuration to their server for more “personalized” support services.

Or what about something like Napster for cameras? Camster anyone? Will you be able (or knowledgeable enough) to prevent your camera from “sharing” your photos and files with other devices nearby? After all, sharing sounds good, right? A lot of manufacturers have not figured out that allowing open access and sharing by default in new devices usually creates serious and fast-spreading privacy and security issues.

Blog Entry

June 2008 Honey Stick statistics - 42% of all lost devices are accessed

Saturday, December 6th 2008 @ 12:44 AM

While it has been a while since I updated the statistics on www.honeystickproject.com, there was still lots of activity. Stream 1 is now active with 8 sticks deployed in Las Vegas, Ottawa and Toronto (for a total of 33), and half of those have been accessed.

This is becoming a fun project, finding places to drop them as we travel around the globe. Thanks to Mike Sues for sponsoring devices for Stream 1. I’m aiming for 1,000 deployed devices, so I can say there is some statistical significance in these results that people will notice. But it is already an interesting response rate.

What does this data mean? I have some ideas, but I’d like to hear your thoughts. Feel free to comment below on this post.

Blog Entry

Is your mechanic making a second living from your media and devices?

Saturday, December 6th 2008 @ 12:42 AM

Listening to a recent episode (#134) of the Security Now! podcast by Leo Laporte and Steve Gibson (at http://www.grc.com/securitynow.htm), Steve noted that he had left his USB Drive with his key chain when he took his car in for service. He felt safe because the drive was encrypted using TrueCrypt (a public domain encryption product).

Subsequently, (in episode #139) a listener wrote to Steve to tell him some horror stories from auto shops of how the mechanics at some places (even some big name dealerships) will routinely snoop through cars in for service to see if there are any MP3s, CDs, etc. Mostly, they just want to “harmlessly” expand their music collections, but who knows what they might find.

On top of that, one listener pointed out that TrueCrypt uses an executable on the key to do encryption and decryption of the data. If that executable were replaced maliciously, any program could be made to run when you think you are decrypting the data on the drive.

My concern is that such a program might even give what looks like a valid error message saying something like, “TrueCrypt system error - data file corrupted. Please enter your password to attempt a recovery”. If you entered a password, it could be snagged and sent back to the mothership.

This logically begs another question. Are mechanics being paid to plant malicious code on media devices left in your car? Best not to let them have access to any of your media or devices while it's in the shop.

Of course, one might leave a honey stick in one’s car to test their integrity. On the other hand, perhaps car dealers wanting to keep their teams honest might be interested in planting test devices that can be tracked.


Funny, I've never received a password-protected email from payroll before

Saturday, December 6th 2008 @ 12:40 AM

Here’s a simple tip that can save you a lot of trouble.

DON’T ENTER PASSWORDS WHERE YOU AREN’T EXPECTING THEM!!!

I recently came across a suspicious email in my spam folder. It appeared to be from a payroll service I’ve actually dealt with. There was almost no way to tell for sure if it was from them.

The subject line included a recent date and the word “Paystub”. There was a PDF attachment and even with image loading turned off, there was a label that said “This PDF is password protected”. It had a single field with the word “Password” beside it.

I have yet to determine if this email was authentic or a real phishing attack, aimed at gathering passwords. But if this is a phishing attack, here’s what could happen if I entered a password:

   1. The password gets collected, and an error message is produced saying “Invalid password, please try again”.  Knowing that we should all be using different passwords for each site or program “to be secure”, I may simply think I should have used one of my other dozen passwords (don’t we all use that many password variations?!)
   2. Hitting “Enter” or clicking on a button causes the password to be sent back to a mothership, including enough information for them to identify my email address as being valid.
   3. Not only do they now know that this email address is valid, but they have at least one version of my password. If I tried several different ones, they could have them all.

This is dangerous because people think they “NEED TO SEE WHAT’S INSIDE” the encrypted email. It’s like arriving at your office with a wrapped package that has lots of heavy tape sealing it up. The more tape there is protecting it, the more you want to open it to see what it is that could be so sensitive.

To make things worse, there aren’t a lot of easy ways to automatically check for the authenticity of such a package. It can have a digital signature on it, which you could verify. But there are a lot of usability issues yet to be solved in verifying digital signatures in the wild. Enterprises that use Public Key Infrastructure regularly would have an easier time letting people ensure the authenticity of emails and attachments. But most people won’t have that luxury.

So, if you aren’t expecting to be asked for a password (even on a website - which can effectively trick you the same way) you should call up somebody in the originating organization to verify that it is valid, and that it is important. I would also notify them that they should not present password protected information without an easy way to securely verify that it is real.

I am actually surprised that I haven’t seen more evidence of this type of phishing, but I’m sure we will in the future.


Do bored hotel staff get curious about devices in their lost and found?

Saturday, December 6th 2008 @ 12:37 AM

Dear Honey Stick Diary -

It looks like my decision to let sleeping Honey Sticks lie was the right thing to do. I had initially discovered that if I returned to places where sticks had been dropped, people would sometimes have turned them in. This was interesting to know. However, I found it hard to consistently follow up on this practice, as the locations were not always convenient.

So, I knew that sometimes sticks would get found and be turned in to authorities, where they would sit in a Lost and Found for some period of time. But this raised a question whose answer would be just as interesting.

This week, a Honey Stick that I had left at a pay phone in a hotel lobby back in February got activated. While I don’t collect IP addresses permanently, I do run an IP address to Domain Name conversion to find out if the user was on a public ISP or a private domain.

In the case of this stick, the domain came back clearly as the hotel’s subdomain within an ISP. (I discard the actual domain name for privacy reasons, once I determine whether or not it was a private domain belonging to the site where the stick was dropped.) So, clearly, the stick had been either turned in to, or found by, a hotel staff member. They either put it into a Lost and Found or sat on it for a month.

At about 5am, more than a month after finding it, the stick was inserted into a hotel computer connected to the internet, and the user opened almost every file on the stick. As soon as they hit the file that informed them of the project, they stopped opening files and links. They could have tried to indicate whether they were going to keep it, return it, discard it, or continue the experiment. However, all contact ceased at that point.
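As an added example (not the Honey Stick Project's own code), here is how the server side of the passive tracking described above could turn raw access-log lines into per-stick reports, keeping only the "public ISP" versus "drop-site network" classification and discarding the address and host name once that decision is made. The stick ids, the /hs/ path layout, the file names, the domain names and the PTR records are all assumptions constructed for this example.

```python
"""Privacy-minimising summary of Honey Stick "phone home" hits (added example).

Each file on a stick is an HTML page whose links point at the project's web
site, so opening a file leaves one ordinary access-log line.  The only thing
done with the client address is a reverse-DNS lookup to decide whether the
finder was on a public ISP or on the network of the venue where the stick
was dropped; after that the address and host name are thrown away.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2008:05:02:11 -0500] "GET /hs/stick042/readme.html HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2008:05:02:40 -0500] "GET /hs/stick042/photos.html HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2008:05:03:05 -0500] "GET /hs/stick042/about_this_project.html HTTP/1.1" 200 512
198.51.100.9 - - [15/Mar/2008:09:10:00 -0500] "GET /hs/stick017/readme.html HTTP/1.1" 200 512
198.51.100.9 - - [15/Mar/2008:09:10:30 -0500] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Where each stick was dropped: stick id -> DNS suffix of the venue's own
# network (assumed values, known only to the project operator).
DROP_SITES = {
    "stick042": "examplehotel.example-isp.net",
    "stick017": "examplecafe.example",
}

# Constructed PTR records so the example runs offline; live_resolver below
# is what a real deployment would pass in instead.
FAKE_PTR = {
    "203.0.113.7": "lobby-pc.examplehotel.example-isp.net",
    "198.51.100.9": "dsl-9.pool.example-isp.net",
}

PROJECT_NOTICE = "about_this_project.html"  # the file that explains the project

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PATH_RE = re.compile(r"^/hs/(stick\d+)/([^/?]+)$")

Resolver = Callable[[str], Optional[str]]


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def classify_network(hostname: Optional[str], drop_site_suffix: Optional[str]) -> str:
    """Reduce a reverse-DNS result to the one fact the project retains."""
    if hostname is None:
        return "unresolved"
    if drop_site_suffix:
        host, suffix = hostname.lower(), drop_site_suffix.lower()
        if host == suffix or host.endswith("." + suffix):
            return "drop_site"      # venue's own network, e.g. the hotel's PCs
    return "public_isp"


@dataclass
class StickReport:
    stick_id: str
    first_seen: str
    network: str
    files_opened: List[str] = field(default_factory=list)
    reached_project_notice: bool = False
    files_after_notice: int = 0      # did they keep browsing after the notice?


def summarize_hits(log_text: str, resolver: Resolver,
                   drop_sites: Dict[str, str]) -> Dict[str, StickReport]:
    """Turn access-log lines into per-stick reports holding no IP or host name."""
    reports: Dict[str, StickReport] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        pm = PATH_RE.match(path)
        if method != "GET" or status != "200" or not pm:
            continue                 # favicon, scanners, broken links
        stick_id, filename = pm.groups()
        report = reports.get(stick_id)
        if report is None:
            # The address is used exactly once, for classification, then dropped.
            network = classify_network(resolver(ip), drop_sites.get(stick_id))
            report = StickReport(stick_id, when, network)
            reports[stick_id] = report
        if report.reached_project_notice:
            report.files_after_notice += 1
        report.files_opened.append(filename)
        if filename == PROJECT_NOTICE:
            report.reached_project_notice = True
    return reports


if __name__ == "__main__":
    for r in summarize_hits(SAMPLE_LOG, fake_resolver, DROP_SITES).values():
        print(r)
```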

So, maybe I’m learning about some “statute of limitations” on hotel lost and founds, or maybe curious and impatient staff members just can’t leave these things alone.

I’ve put a few sticks in various hotels, and I think these are good locations for having them picked up by bored, transitory business people.

If you have any comments or questions about the Honey Stick Project, want to contribute, or want to set up a private test for your organization, please let me know by adding a comment, or sending an email to scott@streetwise-security-zone.com.


Beware security vendors (or anyone) bearing gifts with a USB plug

Saturday, December 6th 2008 @ 12:29 AM

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux-pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world that was nicely documented by William Jackson at “Government Security News” in July 2007 (click HERE). A vendor called Senforce distributed a number of U3 USB drives (i.e. a specially architected type of memory stick) as a marketing give-away, which fulfilled their intended purpose with William perfectly. The intent, apparently, was to raise the awareness of how risky it is to put unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that utilized some loopholes in the Windows architecture to demonstrate how easy it was for data to be extracted from your computer in an exploit that Senforce called “Thumbsucking”.

The USB drive, when plugged into William’s computer, sucked a number of contents from his “My Documents” folder onto the device without any warning dialogs or indications of what was happening. This fits my broad definition (in the more “active” sense) of a Honey Stick, as defined in my privacy paper (click HERE).

The demonstration worked perfectly, but I suspect it also had a double-edged sword effect. Despite the note that the recipient could “delete the contents” and re-use the device for their own purposes, Senforce apparently also clearly entertained and spelled out the possibility of using the device to pull jokes on friends or demonstrate the risks to others. This has to be a violation of some gift-giving rule in the business world. My guess is that many recipients would have become uncomfortable at the thought of a vendor not only facilitating this activity, but practically suggesting that people use it. I don’t know if Senforce got any negative feedback on this one, but I wouldn’t be surprised.
It’s one thing for a security professional to do such a demonstration, or to run a commissioned test with potentially dangerous software in a controlled environment. It’s another thing to release the device into the wild, with unknown consequences.

In comparison, the Honey Stick Project uses only passive HTML links, the same as any simple link found on every Web site. In addition, I publish a privacy policy that covers how any Personally Identifiable Information, if collected, is handled. So, there is no danger that a Honey Stick can be used in a way that causes any damage to anyone.
The relevant point here is that I think there is a fine line between a company giving away something cool and valuable to members of the public as an aide-memoire for their brand, and that same company giving away a device with an embedded booby trap that has the potential to cause a plethora of unwanted, and likely embarrassing outcomes.

Perhaps Senforce didn’t think of the potential consequences or the psychological impact on the recipients. Or, maybe they knew the risks and were just pushing the envelope.
Whatever their intent was, my belief is that you should NEVER plug an unknown device into your home or work computer. And don’t count on any help from your Anti-Virus or end-point security solutions for a while, although they will surely have a solution to this risk in the future by intercepting anything that tries to run automatically from a USB drive.
In the meantime, just tell the gift-giver “It’s my policy not to accept any gifts with USB plugs on them…”


Data never dies, and we've already told the aliens where we are

Saturday, December 6th 2008 @ 12:24 AM

Nobody really knows what the long term effects of data loss are. The main differences between losing data and losing solid assets are:

   1. Data can be copied, or even broadcasted, instantaneously to many locations around the world. Once the bytes are out of the bag, you’ll never be able to round up all the copies. Just ask any celebrity who has had lies and slander written about them in the tabloids. You might get a retraction printed by the original source, but it’s too late.
   2. Public data often gets indexed for free. If it’s on a server connected to the Internet, there’s a good chance it will get indexed by Google or any one of the dozens of search engine crawlers. This means that it can be found by anyone, with the right search query.

You can start to get the feel for how common data breaches are becoming by scanning through the history at the Data Breach Blog of SC Magazine (click HERE), the Breach Blog (click HERE), or simply doing a search on things like “data breach”, “breach disclosure”, or similar terms in places like Google News.

You might then notice that a large percentage of the breaches being reported these days are due to mobile copies of operational data that should not have left an Operations Zone unprotected. Whether it is via e-mail, laptop hard drive or USB memory drives, the result is usually the same:

   1. The organization does its civil duty by reporting the breach and being publicly humiliated (although not as humiliated as its clients)
   2. The organization announces that there is “No evidence of the personally identifiable information (PII) being misused for fraudulent purposes”… something they can only say until there IS evidence
   3. The organization announces that it is providing a year’s worth of “Identity Theft Insurance” to the affected victims as a consolation prize… that’s just great, assuming the data has only monetary value, as opposed to embarrassment value, competitive value, trust value, etc….

Sorry, but it’s too late at this point, and you will never know for sure if the data has been contained to the point that nobody can use it further. It’s like telling SETI to recall all the messages we’ve been sending into outer space to announce our existence and location on planet earth (the ultimate PII). If there are bad aliens out there, they are going to find out about us now for sure.

Well, let’s get back to worrying about things we CAN do something about. We need to get organizations that handle our personal data to take this data persistence problem seriously. That means making sure they have policies for how they are going to PREVENT data loss before it happens. It means imposing tough love on all the sales, marketing and finance people (everybody, really) who feel they are immune to operational procedures for protecting data because their project is “special”. Sadly, this even includes the IT Department, who probably feels most entitled to be exempt from the rules, but need to set the example more than anyone.
The penalties should actually be so great that employees and contractors should not want to be in the position of having to carry any kind of PII out of their secure office building without it being encrypted.

So, the next time you’re copying data from an office computer onto your USB memory stick, think about what will happen to it if anyone else gets their hands on it. In fact, think about the data that’s on your USB memory stick RIGHT NOW. Do you know where it is? Do you know what you and your organization, not to mention your customers, will have to go through if it gets into the wrong hands, or even gets out of your possession for a moment?

You might be able to tell the jury to disregard the evidence, but they probably won’t.


Leaving a calling card on your USB Flash Drive can enable recovery

Saturday, December 6th 2008 @ 12:21 AM

One thing I’m observing from the early results of the HSP is that a significant number of people are trying to find out how to locate the owner of the device they have found.

In Stream 0, there are no outside markings with contact. In the first two cases of people making contact, they took enough care in opening the files that they didn’t trigger a request to the website, and were not tracked. They did find a plain text file entitled “owner_contact_info.txt”, which contained a phone number, email address and physical address, as well as the HSP website address.

Both finders called the phone number to indicate that they had found the device, and were presumably willing to return it. So, it may facilitate recovery to some extent if you have such a file on your mobile device with enough information to enable somebody to contact you if they find it. Of course, depending on the type of information on the device and on your sensitivity to being identified, you may not want to divulge any personal information, as you don’t know if the potential finder will have good or bad intentions.


Social engineering research without the stake-out

Saturday, December 6th 2008 @ 12:20 AM

Depending on how you look at the Honey Stick Project, it could be considered a technical project or a psychology project… or something in between.

It was actually inspired by the now-legendary social engineering penetration test that I wrote about on the Security Views website (click HERE).

The bottom line in that story was that a credit union hired a penetration tester to use whatever means he could to try to compromise their network. By scattering 20 USB memory sticks with a specially designed trojan horse autorun program around their parking lot, he was able to detect that 15 of them got inserted into company computers connected to the internet.
This project is starting out differently in that it is being done in public places (at my own cost, so far), but with passive tracking instead of a custom program that runs. The results won’t be quite as exciting, but they may be interesting. Since it is being done over a period of time, and across a larger geographic area, I won’t be sitting around in the parking lot waiting for the results.

What I think the results may tell us is that certain places have a higher chance of having people who will pick these things up and use them, and other places will have more people who return them.

I look forward to hearing anyone else’s comments and ideas.


Things your mother never told you about Mobile Storage Devices and USB Flash Drives

Saturday, December 6th 2008 @ 12:16 AM

While leaving the gym one day, tired and hungry, you look down and see a large slice of all-dressed pizza sitting on the freshly cleaned hallway floor. Nobody’s around. Do you pick it up and eat it? … Why not? Germs, you say? But the floor looks so clean. Surely it can’t have that many germs on it, and you are VERY hungry… still no?

OK, so you are normal and sane.

Now imagine that same hallway, and nobody else is around, but you find a USB memory stick lying there. What do you do?

Perhaps you pick it up, thinking somebody must have lost it. You take it to the front desk. They say, “I don’t want it… and I just started working here. They didn’t tell me where the lost and found is.”

So you are stuck with it. What do you do with it? You could:

a) Take it home and plug it in to see what’s on it, to see whose it might be;
b) Put it back where you found it, hoping they come back looking for it;
c) Something else?

I’m going to suggest that putting it in a computer, for any purpose, is roughly equivalent to picking up the piece of pizza you also found on the floor and putting it into your mouth. Now you hear your mother’s voice saying, “Don’t you dare put that thing in your mouth. You don’t know where it’s been…”

It seems that the problem lies in the fact that not many of us had a parental figure drilling into our heads that inserting things we find into whatever slot will accept them in our computer is a bad thing. There can be Germs that can make your computer very sick.

What are the chances? At the moment, maybe the chances aren’t very high that a device you find is “contaminated”. However, I think most security professionals would agree that the risk will be rising constantly, as hackers and social engineers realize that abandoned Mobile Storage Devices, such as USB Memory Drives, are an easy way to trick people into infecting their computers with viruses, spyware or other malicious software. This can easily enable them to take control of your computer and turn it into a Zombie, to be used for spamming or attacks on other computers or networks.


Stories about Mobile Storage Device security

Saturday, December 6th 2008 @ 12:14 AM

Since this site is dedicated to researching and educating people about security and privacy risks, issues and solutions, I wanted to have a place to allow for stories, anecdotes and comments, primarily about Mobile Storage Devices such as USB Flash Drives, Digital Cameras, MP3 Players, Digital Picture Frames, PDAs, Phones, and even Laptops. I prefer verifiable stories and case studies, but even hypothetical situations may be discussed here.

Examples I will start with include some of the case studies I’ve already posted on the Security Views website (click HERE).

Please remember that you should not disclose private or confidential information that is not already in the public domain.


How is the Honey Stick Project related to privacy?

Friday, December 5th 2008 @ 11:55 PM

A Honey Stick is the name I use to describe any Mobile Storage Device, such as a USB Flash Memory Drive, configured in a way that is designed to do specific things when found and viewed by individuals who use it. In its most dangerous form, a Honey Stick could carry viruses or Trojan Horse programs. But it may only be configured to “phone home” in case it is lost by its original owner, and is picked up by another individual and inserted into a computer that is connected to the Internet. There are many scenarios in between these that rely on a user inserting the device into a computer to see what’s on it.

Other examples of devices that can be configured as Honey Sticks are: Memory Cards (SD, Memory Stick, FlashMedia, XD, etc.), and even iPods, MP3 Players, Digital Cameras, Digital Picture Frames, or other electronic devices such as toys and PDAs. Virtually anything with digital memory and a connector can be configured this way.

The most important thing to know is that any device you pick up can be risky to connect to a computer. There are even examples of brand new Digital Picture Frames being sold with Trojan Horse programs already on them. The questions arise, what can you trust, and how do you protect yourself?


What is a Honey Stick?

Friday, December 5th 2008 @ 11:54 PM

A Honey Stick is the name I use to describe any Mobile Storage Device, such as a USB Flash Memory Drive, configured in a way that is designed to do specific things when found and viewed by individuals who use it. In its most dangerous form, a Honey Stick could carry viruses or Trojan Horse programs. But it may only be configured to “phone home” in case it is lost by its original owner, and is picked up by another individual and inserted into a computer that is connected to the Internet. There are many scenarios in between these that rely on a user inserting the device into a computer to see what’s on it.

Other examples of devices that can be configured as Honey Sticks are: Memory Cards (SD, Memory Stick, FlashMedia, XD, etc.), and even iPods, MP3 Players, Digital Cameras, Digital Picture Frames, or other electronic devices such as toys and PDAs. Virtually anything with digital memory and a connector can be configured this way.

The most important thing to know is that any device you pick up can be risky to connect to a computer. There are even examples of brand new Digital Picture Frames being sold with Trojan Horse programs already on them. The questions arise, what can you trust, and how do you protect yourself?

The ultimate purpose of the Honey Stick Project is to gather some data about how risky the decisions people make are when it comes to handling technology and sensitive information. Once we have some measurements, we can decide whether the data suggests that people need to be educated more on how to protect their information and systems. I have arbitrarily decided that any response rate of greater than 20% indicates that we need to improve the public, and our workforce's, awareness of information security risks, and how the decisions we make every day can affect our security and privacy.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

Blog Entry

The Honey Stick Project

Friday, December 5th 2008 @ 11:51 PM (not yet rated)    post viewed 1653 times

The Honey Stick Project was initiated to provide a forum for investigating and publishing information about the implications of using Mobile Storage Devices for collecting information. As we all know, USB Memory Sticks are getting cheaper, can hold massive amounts of data, and are very easy to lose. This means that you will be seeing more of these things lying around.

The term “Honey Stick” was derived from the computer network security term “Honey Pot”. A Honey Pot is essentially a decoy placed somewhere on a computer network that looks like an interesting target to hackers exploring the network. It is designed to keep the attacker busy with interesting information and challenges while the network owner identifies and investigates them.

A Honey Stick is also not what it seems. It may look like a lost USB drive, but may contain malicious programs, or other mechanisms for gathering information about whoever picks it up, or whatever system it gets connected to.

At this point, I have many ideas and questions about how these devices will be used. This is just a starting point for something that has piqued the interest of most people I’ve discussed it with. If you are interested in joining the community, please register so you can contribute comments and maybe help with the research.

Please come back often to see what’s happening.

- Scott Wright

