Penetrating an organization’s shell security and accessing its internal data, quite possibly permanently and with the capability to taint or poison it, is ridiculously easy. If managers knew how easy it was, they would take immediate actions, the first of which would probably be to throw out Microsoft Windows in favor of secure free-software alternatives.
These methods have gotten the military’s attention in the past few months. I was at a hearing with the Swedish Defence Research Agency last month which demonstrated this attack, and then at a NATO hearing last week which brought up the same again. No secrets or unknown security vulnerabilities are needed to execute this attack.
The method of attack is to get a staff member of the target organization to insert a USB memory stick into their work computer. This is easier than most people realize. While most staffers will flat out refuse to do so when asked, there are other methods. People are good-natured by heart and want to help their colleagues. The key is to make the staffers believe that they have found one of their co-worker’s forgotten USB sticks.
When the US Department of Defense tried this against part of the Pentagon, as a penetration test, they left USB sticks casually out in the parking lot, to see if people would pick them up and insert them into their computers to perhaps find out who had dropped it, pretty much like a good-natured person would examine a lost wallet to see who it belonged to. The penetration rate of dropped sticks was 75% — three of four sticks were inserted into target computers — and this was at a military target, albeit as an internal penetration test. I have not seen reports on the web about this, but it was reported in the hearings.
That means that even in a hardened military facility, it is theoretically enough to drop two USB sticks in the parking lot to achieve penetration. Let’s not start discussing unwitting civilian agencies or corporations and what happens when you drop tens of sticks. The Pentagon has been penetrated like this in the past, with attackers gaining access to classified systems.
What happens when a USB stick is inserted?
So, let’s move on to practical details. Let’s first assume that the target is running Windows. Most are. In that case, the Windows machine will look for certain files as the USB stick is inserted into the computer, and if they are present, the target computer will execute them as programs. The program you’d put on such a stick is one that will give you immediate remote control over the target computer, invisibly to the person using the machine. There are plenty of examples of such remote-control programs.
It’s really as simple as putting a file called autorun.inf in the root of the USB stick. In this file, you put the name of the program to run when the USB stick is inserted.
In 75% of cases, the person using the Windows machine will also be a local administrator. In that case, congratulations. You are now the administrator of a machine in the target organization. The machine is permanently under your full remote control and is on the inside of every firewall; you can start looking around the network and siphon off any interesting data.
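As an added example (not code from the original post), here is a small Python auditor for the autorun.inf format described above: it parses the [autorun] section and reports the directives that would make Windows launch something on insertion, which is the check a responder would run on a stick found in the parking lot before anything else. The sample file and its file names are constructed.

```python
"""Audit an autorun.inf for directives that would launch a program on insertion.

Added example, not code from the original post. Windows reads the [autorun]
section of autorun.inf on removable media; the keys that cause something to be
launched are `open`, `shellexecute` and any `shell\\<verb>\\command` entry.
Other keys (icon, label, action) only affect how the drive is presented.
Keys are matched case-insensitively, as Windows does.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling what a dropped stick might carry (names invented).
SAMPLE_AUTORUN = """\
[autorun]
icon=photos.ico
label=Holiday photos
open=photos.exe
shellexecute=readme.pdf
shell\\open\\command=photos.exe /quiet
action=Open folder to view files
"""

EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\.+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section, keys lowercased.

    Lines outside [autorun] and ';' comment lines are ignored; for a duplicate
    key the last value wins, mirroring a sequential read of the file.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def execution_directives(text: str) -> List[Tuple[str, str]]:
    """List the (key, value) pairs that would make Windows launch something."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


if __name__ == "__main__":
    for key, value in execution_directives(SAMPLE_AUTORUN):
        print(f"would launch: {key} -> {value}")
```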
What if the target is not running Windows?
New attack packages posted just a week ago make it irrelevant whether the target machine will automatically execute code, but the attack takes a little more effort to pull off. Imagine if the what-looks-like-a-memory-stick is actually something-else-than-a-memory-stick? Imagine, say, that the computer thinks it is a keyboard and mouse that has just been plugged in, and pre-recorded commands start being typed and executed at 200 km/h as soon as the “memory stick” is inserted, establishing a remote control beachhead in the target machine?
Again, this will give you full remote control over the target computer, and this time, any target computer. 90% of people inserting the attack stick won’t understand what happened, but will likely think that either their machine or the memory stick is broken, and ask a co-worker to see if it works on their machine, giving you control over that machine too. Only a handful of technical staff will recognize what just happened as terminal windows flash past over the course of a few seconds.
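The HID variant leaves a trace the defender can look for: on a Linux host the “stick” enumerates as a keyboard in the kernel log. As an added example (not from the original post), this Python script correlates the USB enumeration lines with the hid-generic line and reports keyboards outside an allowlist. The allowlist, the vendor/product ids and the log lines are constructed to resemble real dmesg output, not captured data.

```python
"""Flag newly attached USB keyboards from Linux kernel (dmesg) log lines.

Added example, not code from the original post. A "stick" that is really a
keyboard enumerates as a HID device of type Keyboard; this correlates the
enumeration line (idVendor/idProduct, Product string) with the hid-generic
line and reports keyboards outside an allowlist. The allowlist, ids and log
lines are constructed to resemble real kernel output, not captured data.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical allowlist of issued keyboards as (idVendor, idProduct).
KNOWN_KEYBOARDS = {("046d", "c31c")}

# Constructed sample: an issued keyboard on 1-1, then a "stick" on 1-1.3 that
# identifies as USB Storage yet registers a keyboard interface.
SAMPLE_DMESG = """\
[   12.001] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.10
[   12.002] usb 1-1: Product: USB Keyboard
[   12.050] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1/input0
[  120.230] usb 1-1.3: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[  120.231] usb 1-1.3: Product: USB Storage
[  120.300] hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Storage] on usb-0000:00:14.0-1.3/input0
"""

FOUND_RE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (\S+): Product: (.+)$")
HID_RE = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (\w+) \[(.*?)\]")


def unexpected_keyboards(log: str) -> List[Dict[str, str]]:
    """Return HID keyboards whose (vendor, product) is not in KNOWN_KEYBOARDS."""
    id_by_port: Dict[str, Tuple[str, str]] = {}
    product_by_id: Dict[Tuple[str, str], str] = {}
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        if m := FOUND_RE.search(line):
            id_by_port[m.group(1)] = (m.group(2), m.group(3))
        elif (m := PRODUCT_RE.search(line)) and m.group(1) in id_by_port:
            product_by_id[id_by_port[m.group(1)]] = m.group(2).strip()
        elif (m := HID_RE.search(line)) and m.group(3) == "Keyboard":
            ident = (m.group(1).lower(), m.group(2).lower())
            if ident not in KNOWN_KEYBOARDS:
                findings.append({"vendor": ident[0], "product": ident[1],
                                 "hid_name": m.group(4),
                                 "usb_product": product_by_id.get(ident, "?")})
    return findings


if __name__ == "__main__":
    for f in unexpected_keyboards(SAMPLE_DMESG):
        print(f"unexpected keyboard {f['vendor']}:{f['product']} "
              f"({f['hid_name']}), USB product string: {f['usb_product']}")
```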
Finally, you don’t need to drop USB sticks in the parking lot like the classical example. Be creative. Send them out as marketing material for some obscure company, or place a bowl of free USB memory sticks at a trade fair at a large enough booth that everybody will assume it’s free giveaways. Some will be inserted. In the former case to see what is on them, in the latter case on the assumption that they are empty memory (“hey! free USB memory sticks!”).
So, what is the lesson here?
First, don’t run Windows. Never. Not in a remotely sensible environment, either from a business or citizens’ security standpoint. If you absolutely must run a Microsoft OS, do it in a sealed-off virtualized sandbox that can’t access the inside network. I know that it may be hard for businesses to take this point to heart, but it can be mandated across national authorities as an order from the parliament or administration to only run free-software operating systems such as GNU/Linux variants.
Second, security is hard. Really hard.
Third, educate your users in security. Even the ones just answering phones in the reception. Perhaps particularly the ones not doing technical work.
Fourth, assume you will be penetrated and prepare against data leakage and data loss. These are two different problems.
Fifth, limit access to data in bulk.
Sixth, it’s still trivial to penetrate any organization.
…
UPDATE: On February 8, 2011, Microsoft patched the Autorun feature as described above for all versions of Windows to never allow AutoRun from USB media. Thanks to Johan Svensson in the comments for pointing this out. What remains, then, is the HID attack vector — to seed the parking lot with what-looks-like-USB-memory but in reality is prerecorded keyboards to the computer.
Don’t use Windows? The problem is that when companies and organizations start to use open source viruses, trojans etc will be developed for those systems. You know that. Why do you act as a Jesus with all the answers when you know that what you say is a female cows feces?
Haha. Obvious (and ignorant) troll is trolling. Badly, at that.
Ah, well. Seriously:
“The problem is that when companies and organizations start to use open source viruses, trojans etc will be developed for those systems.”
Oh, really? Any facts supporting that argument? No?
“You know that.”
Nobody knows that. Some believe that, but nobody knows that.
“Why do you act as a Jesus with all the answers when you know that what you say is a female cows feces?”
Rich. Not only is the whole sentence just silly, you also managed to forget that it’s not “cows feces” but “cow’s feces”. So not only are you a troll, but you are also ignorant and stupid, and to finish it all off you can’t even spell correctly. Bravo, you actually made me chuckle a bit.
“Oh, really? Any facts supporting that argument? No?”
Considering that 95% of the world’s computers run a Windows based operating system, it’s not hard to see why the majority of viruses are created with Windows in mind: pure saturation. Just like Rick said in the article, more people have a Windows-based PC, so it’s incredibly easy to simply throw out a bunch of USB sticks with executables written for Windows, knowing that a few will come through.
Viruses aren’t written for Windows simply because of how “weak” it is from a security standpoint. They’re written for Windows because it is used worldwide and is the first step between sensitive information and the crackers who want it.
If 95% of the world’s computers ran Linux, it’s not like everyone would just pack up their bags and say, “Well, it was a good run, but clearly we can’t beat a Linux setup.” Of course not! Crackers are an ever-evolving group of people. They wouldn’t stick with writing malicious code for Windows if every business in the world started working with Linux. They’d switch over in a heartbeat. And considering how smart a lot of them are, they probably are already very familiar with Linux as it is, so the transition wouldn’t be much of a problem. They would start probing for every vulnerability they could find, and before you know it, it would be the same battle, only this time everyone would be scratching their heads wondering what had happened to the “secure Linux.”
@thegh0st:
Valid and maybe even plausible reasoning on your part, which is all well and good.
But there are still no hard facts supporting the argument. It’s conjecture.
So my point (directed at the troll, not you) remains:
Nobody knows. Some believe (you too, perhaps) but nobody knows.
Personally, I am not convinced – were the client OS proportions reversed – that we would consequently see the same volume of viruses (and other malware) and successful infections and spread. Not convinced one bit.
(My point of view is no more supported by actual fact than yours, merely based on 20+ years experience from the field and a solid background in software and computer engineering, networking and information security. Whatever that may be worth. I am not a friend of the appeal-to-authority fallacy, just stating where I come from.)
Ah, well. Perhaps we’ll see, one day.
Block this troll.
I have a quite clear troll policy. Anybody countering with real arguments instead of (only) “you’re an idiot” is considered to be contributing to the discussion, as long as it’s not overly rude, and I don’t think that was (albeit a tad bit condescending).
Alternatively, if the autorun attack won’t work, for whatever reason, just put a malicious PDF file with an interesting sounding filename on the stick.
New vulnerabilities in Adobe Reader pop up faster than Adobe can release patches for them, and certainly faster than a typical organization can apply the patches. And with a little work, you can make the attack work cross-platform.
In many cases there is not even any need for any kind of attack, it is already open if you are enough of a partner with Microsoft, or if you are DoD, NSA or such. All the back doors needed are already there, those get installed by default, the same goes for any firewall made of closed software too. Do I have any proof? Of course not, but no one can prove me wrong either since the source code is not open for scrutiny by anyone any time. Yes there could be free software with malicious back doors, but the likelihood is a lot smaller since anyone can take a peek inside the code.
Oh, every now and then backdoors get planted in open source software. For example, google for “e107 backdoor”. The backdoor was found pretty quickly, but there are *still* vulnerable e107 installations out there being compromised.
One of the oldest known backdoors:
http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php
How about not having ordinary users with admin privilege, setting only admins to be able to connect new HID devices, and turning off the idiotic autoexec “feature”?
But, yes, security is hard, and we’re always one step behind/ahead (depending on who you are :).
Sadly, at least here in the US, it seems that most mid-sized business owners think that “Office Administrator” and “Network Administrator” are the same thing, so sweet little Sally who always brings in an awesome apple pie on Fridays and knows only how to launch a program from her desktop shortcuts is also unknowingly in complete control of the office network. It won’t take long before that email from that nice Nigerian fellow starts getting passed around the office and Sally opens it up.
Maybe USBs and CDs are threats, just like software downloaded from the internet. For me, at least on Windows 7 at the office, there is always a warning or error message from TrendMicro that “autorun.inf” on the USB has been blocked. So it may not be that bad about USBs, actually. But I agree that open source is safer.
What are much bigger threats in terms of security are employees that are unhappy with their bosses or their employer. I really think that the number of price lists, customer lists or other sensitive data that have left companies or institutions because of this is much higher than most can imagine. Just look at what Wikileaks has received.
It does not matter what kind of technology you are using. What matters is to keep the employees happy and loyal.
In the 1990s, the Russian government refused to use Windows on their computers unless Microsoft showed them the source code. Microsoft complied and now offers what they call the Government Security Program. Under this licence, government agencies such as the military can sign strong NDAs and get access to the source code and compile Windows themselves. That might protect against trojans inserted into Windows by the US military-security apparatus, but not against the other vulnerabilities in Windows.
PS. If you are forced to use Windows, install two user profiles on your PC: Admin and User. Make it a habit to always use the limited account User and only use Admin when you need to install software or change the system settings.
The simple admin/user approach will not protect your data (as it is mostly created when running as “user”).
I’d like some kind of automatic “run as less privileged user” when browsing the web, but I surely don’t want my documents, pictures from my digital camera etc. to be protected any less than the operating system itself…
The admin/user approach is really only good for the IT guys, it saves them work but won’t save any work for most non-IT guys…
Look at just about any company or public organisation: do they manage their own IT? Very seldom. Most companies and organisations have outsourced all their IT; they do not control their own IT anymore. Does this have consequences? Of course it has. People in these organisations can assume all their information is leaking and even covertly sold to the highest bidder.
How about tightening security? It takes 10 seconds in Group Policy to disable the very mechanisms you speak of in this article.
This is typical anti-Microsoft fear mongering pure and simple. And I say this as I type on my Debian VM with an XP VM running on a Windows 7 host.
Don’t dismiss Windows simply because you cannot master systems/network security or haven’t put enough effort into learning it.
Sorry, but this article is all FUD.
1) It’s FUD the day penetration tests fail.
2) I said Windows (XP, specifically) is insecure from this aspect. I didn’t say switching was a panacea, only that I regard it as necessary. Not just from a security standpoint, but also from a national security one: no foreign power should hold a kill switch to this nation’s administration.
In the meanwhile, http://www.bbc.co.uk/news/uk-12371056
I particularly enjoyed the last paragraph: ‘He added that the UK was determined to be at the forefront of attempts to safeguard liberties on the net, but warned that many countries were “actively working against us in a hostile manner.”‘ – which I interpret to read ‘get ready, as we’re going to need to strip you of your liberties for our security. the internet is to be configured to serve our interests at your expense. still, we like to think ourselves the better side here, so we will work hard to portray an image of this being absolutely necessary, that you may agree with us, and justify our action.’
I have to agree with a_anj_rez, Rick, this is serious FUD. The whole USB attack vector is trivially countered by a few GPOs. If a GNU/Linux network is run by incompetent amateurs, it’s just as easily penetrated.
Just another tiresome anti-Microsoft tirade.
Dear Oldtimer,
I have worked at Microsoft.
First, this article is not aimed at Microsoft specifically, but tells of how to penetrate any organization, regardless of what they are running.
Second, anybody who would design a product as “default insecure” would get their ears blasted off post-2002 at Microsoft. Unfortunately, this was after XP shipped, and what you are describing is just that: default insecure.
Cheers,
Rick
Interesting example.
It’s not enough to get inside the system though, you also need to get information out again. Granted, most organisations have internet access these days, but hopefully outgoing traffic is filtered through a firewall/proxy. Not always possible perhaps, but in many cases at least. And in my experience of bigger corporations, most users are actually not administrators (but they do allow USB sticks).
To those who say this is an anti-microsoft rant:
Windows XP and older is extremely insecure. Windows was originally designed without security features in favor of convenience features (such as autorun.inf); this was a deliberate design decision. Windows and DOS were originally single-user systems with no network connectivity and, according to Microsoft, didn’t have much need for multiuser security features; they would be too annoying for the end-user. Not an anti-Microsoft rant, just fact.
But you don’t really need an autorun file, you can use a trojan in an executable, image or pdf file as has been pointed out.
I don’t think it would be terribly hard to execute a similar attack against an organisation using free software either but at least it would require a little bit more work and it also gives the administrators a better chance to secure their systems more effectively.
This is fairly standard pentesting. Normally you don’t want autorun features enabled in a large organization.
Related and interesting:
http://www.youtube.com/watch?v=ovfYBa1EHm4
Interesting coincidence: Microsoft finally plugged that hole. http://blogs.pcmag.com/securitywatch/2011/02/microsoft_update_trims_usb_aut.php
Up to the organization to stop intruders. Open doors are just that…open.
With closed source there is a problem in knowing if a door is open, or to even know if there is a door to begin with (remember that goes for many firewalls too). Or even worse, in the case of outsourcing IT, they do not know anything.