Wednesday, November 12, 2008

Your Security Nightmare - Covert USB Sticks

He has in his pocket a seemingly torn and frayed piece of USB cabling. Who is he? A psycho nerd with his lucky charm, or a spy?

He pulls a cigarette lighter from his pocket. Who is he? A smoker, a pyro or a spy?

He walks in wearing a nice watch; carrying a USB cable. Who is he? Who knows why? Spy?

"Woh, dude, a cassette tape! But, uh, why does it have a USB cable attached to it?" What do we have here; a Luddite or a Black Knight?

And, that hip flask?!? Or is it? Who is he - a data drunkard, or a spy?
Hint: This is really a 250GB USB drive – disguised as a flask!
(more)

The reality is, you really don't know. These devices can carry a small library of your business secrets out the door, and make you smile at the same time. Conversely, they can also be used to inject spyware and viruses.

If you see these in your workplace don't be amused, be suspicious. ~Kevin


Thursday, November 6, 2008

Spybusters Tip # 385 - Roll your own Mac Encrypted Memory Stick, FREE!

Step 1 - Go to your junk drawer. Grab one of your regular old USB memory sticks.

Step 2 - Go to TrueCrypt.org. Grab their FREE encryption software.

Step 3 - Read the Beginner's Tutorial. Load & Lock.


Ta-daaaa!
Instant FREE encrypted memory stick!!!

(clap, clap, clap)

Thank you.

Kevin
P.S. You can also roll Free Windows XP/Vista/2000/Linux sticks the same way.
Additional Spybusters Tips.


Monday, November 3, 2008

"Pod Slurping", or...

...how to suck the brains out of a PC in 3 minutes or less – via sharp-ideas.net

The Scenario
An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod (or similar portable storage device). He walks from computer to computer and "slurps" up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations. He returns home and uploads the files from his iPod to his PC. Using his handy desktop search program, he quickly finds the proprietary information that he was looking for.

Sound far fetched?

An experiment
I conducted an experiment to quantify approximately how long it takes to copy files from a PC to a removable storage device (iPod, thumbdrive, et cetera) if you have physical access. The quick answer: not very long.

I wrote a quick python application (slurp) to help automate the file copy process. Slurp searches for the "C:\Documents and Settings" directory on local hard drives, recurses through all of the subdirectories, and copies all document files.

Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (*.doc, *.xls, *.htm, *.url, *.xml, *.txt, etc.) off of my computer as a logged in user. Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds. (more... including a free "pod slurping" program you can try yourself!) (much more)


"What's that slurping sound I hear?"

India - A Bangalore-based construction company lost a multi-crore tender by a thin margin. Baffled company officials vowed there was no way the rival firm could have come so near to their bid...

Computer forensic tests revealed somebody had accessed the Universal Serial Bus (USB) port to download the tender documents. What surprised the company's top heads was that one of their employees had used his iPod to download the data.

The data was then passed to the rival company for a price and to evade detection, the file was promptly deleted from the iPod. Investigators, however, retrieved it using advanced data-recovery software. (more) (how "pod slurping" is done)

This "pod slurp" didn't have to happen. Computers with especially sensitive data should have their ports and drives locked down. Don't know how? Call me, or any of my Geek Chorus Colleagues. Any of us can save you from going through an iPod high-jack.

More about "pod slurping", and an even scarier USB story. ~ Kevin


Monday, September 22, 2008

Stolen Cell Phone Tracker - Available NOW!

Ken Westin, founder of Gadgettrak advises...
PhoneBak is a unique patent-pending theft recovery solution that allows phone owners to have their phones "call them" in the event they are lost or stolen.


PhoneBak is triggered when the Subscriber Identity Module (SIM) in your phone is replaced with an unauthorized one. When this occurs, PhoneBak will silently send SMS messages to pre-defined numbers you have entered (spouse, IT department, etc.). The information gathered will depend on the platform, but will usually include:

• The new phone number of your phone
• The IMEI (International Mobile Equipment Identity)
• The IMSI (International Mobile Subscriber Identity)
• GSM Area Code
• Cell ID - GSM Localization

With this information you can contact the person who has your phone in the event it was simply "lost," or contact law enforcement with the details, who can follow up with the service provider to locate the phone.

Operating Systems include: Blackberry, Windows Mobile and Symbian.
Network Type: GSM. Not compatible with CDMA networks such as Verizon and Sprint.

OK, so GadgetTrak's PhoneBak doesn't turn your phone into a screamin' mimi, or let you spy on the cretin who glommed your phone, but... you can get protected today ($24.95), and "in the coming weeks," iPhone protection as well!


Other innovative products Ken has developed include:

Lost & Found Tags (Use them on anything!)
Laptop Theft Recovery Software
(Mac version also takes a photo of the thief.)
(PC version allows remote destruction of your data!)
Removable Media Tracking


Thursday, September 4, 2008

Survey - IT Savvy Employees Likely to Steal Company Data Before They Leave

Most IT staff would steal sensitive company information, including CEO's passwords and customer details, if they were laid off, according to a new survey from Cyber-Ark.

• 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant. The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords.

• ...a third would take the privilege password list to gain access to valuable documents such as financial reports, accounts, salaries and other privileged information.

• 35 percent admitted to sending highly confidential information via email or couriers.

• ...one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails.

• A quarter of companies surveyed admitted to suffering from internal sabotage and/or cases of IT security fraud.

• One third of companies believe that industrial espionage and data leakage is rife, with data being leaked out of their companies and going to their competitors or criminals, usually via high gigabyte mobile devices such as USB sticks, iPods, Blackberry's and laptops or even sent over email. (more)


Wednesday, September 3, 2008

CSI Stick - The Cell Phone Mosquito

If someone asks to borrow your cell phone, or you leave it unattended, beware!

Unless you actually watch them use it, they may be secretly grabbing every piece of your information on the device, even deleted messages. If you leave your phone sitting on your desk, or in the center console of your car while the valet parks it, then you and everyone in your contacts list may be at risk, to say nothing of confidential e-mails, spread sheets, or other information. And of course, if you do not want your spouse to see who you are chatting with on your phone, you might want to use extra caution.

Paraben's CSI Stick can be used to make a copy of all data on a cell phone.

...a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is called the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is a self-contained module about the size of a BIC lighter. It plugs directly into most Motorola and Samsung cell phones to capture all data that they contain. More phones will be added to the list, including many from Nokia, RIM, LG and others, in the next generation, to be released shortly. (more)


Friday, August 15, 2008

ID Theft News - 8% ?!?! (seems high, or are high)

...and this is just in the past two weeks...

Eleven people from at least five different countries are facing charges for their involvement in a wide-ranging scheme to hack into nine US companies and steal and sell more than 40 million credit and debit card numbers.
"As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said. Officials said the ring had stolen hundreds of millions of dollars. (more) ...when federal prosecutors disclosed that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it. That's because only four of the chains clearly alerted their customers to breaches. (more)

• About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch. (more)

• A new report from the California Department of Public Health discovered that 127 UCLA Medical Center employees viewed celebrities' medical records without permission between January 2004 and June 2006, which is nearly double the number first reported earlier this year. (more)

• UK - Data protection experts have called for hospitals to use more effective encryption techniques after a laptop containing the personal data of thousands of patients was stolen. An unnamed manager at Colchester Hospital in Essex has been sacked as a result of the theft... (more)


• Security researcher Joe Stewart has identified a Russian gang that infected 378,000 computers with malware over a 16-month period in an effort to steal passwords and other information. (more)

• Ireland - The loss of a laptop containing 380,000 records of social welfare and pension recipients is a wake-up call for the Government and public and private sector bodies to ensure all staff are trained properly in data protection and use of encryption. (more)


• The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing.

The company, based in New York, lost possession of the laptop at San Francisco International Airport. The laptop contained unencrypted pre-enrollment records of individuals... (more) UPDATES: ...unencrypted laptop was found in the same office from which it was reported missing. (more) The U.S. Transportation Security Administration has cleared Verified Identity Pass to resume enrollments in its Registered Traveler program... (more) The laptop had been stolen, but was returned, according to the Sheriff's Department.

• The University of Michigan Credit Union in Ann Arbor confirmed that a data theft has resulted in some of its members becoming identity theft victims. The credit union said that so far, "less than 100" people have had their identities stolen -- mostly to open fraudulent credit card accounts. The theft, involving documents that were supposed to have been shredded... (more)

• Greece - Hundreds of bank clients in Greece and other European countries have turned into hostages because of actions of groups that steal data from bankcards and do uncontrolled drawings, the Greek To Bhma daily reports. (more)

• UK - The BBC has apologised after a memory stick containing details of hundreds of children who applied to take part in a TV show was stolen. (more)

• Wells Fargo & Co. is notifying some 5,000 people that their personal information might have been seen by someone using a bank access code illegally. (more)

Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc. (more)


Friday, July 25, 2008

Crypt Your Stick - USB Vaults to Go

Remember?
Nato Secrets USB Stick Lost
Airport Laptop Searches - No Probable Cause Needed
Lax USB stick security causing havoc
More than 100 USB memory sticks lost admits Ministry of Defence

Don't want to be next?
Get a cryptstick.
There is no excuse not to.
Many models to choose from...
Ironkey
Kingston DataTraveler Secure
Kingston DataTraveler Secure - Privacy Edition
Kingston DataTraveler Vault
Kingston DataTraveler Vault - Privacy Edition
Kingston DataTraveler BlackBox (government version)
SanDisk Cruzer® Titanium Plus
SanDisk Cruzer® Professional
SanDisk Cruzer® Enterprise FIPS Edition
SanDisk CMC (Central Management and Control) for IT Departments


Sunday, July 20, 2008

"And now for something completely different..."

UK - More than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it has emerged.

The department also admitted that more than 650 laptops had been stolen over the past four years - nearly double the figure previously claimed.

The MoD said it has no idea when, where and how the memory sticks were lost.

The official total is now 658 laptops stolen, with another 89 lost. Just 32 have been recovered. (more)
Solution 1
Solution 2


Thursday, June 26, 2008

Spy-Sized Flash Drives - "SWALLOW IF CAUGHT"

Available in sizes up to 8 GB.

Imation, Brando, Sony, Super Talent


Friday, June 6, 2008

New Bug Hides In USB Cable

A normal USB 2.0 cable?
Acts like a normal USB cable.
But, U BS and this SOB will UHF it up to several hundred feet away! UBF'ed.

A wired wireless eavesdropping device. Weird.

This bug is just one of scores of Internet-available eavesdropping devices. Bugs bugging businesses - happens every day.

So, who cleans up these problems?
SOP... US.


Wednesday, March 5, 2008

New Gadget Can Spy On Text Messages

Suspicious spouses can check out their husband or wife's deleted texts with a new gadget. The £76 ($149.00) device can get all the data off a mobile telephone's sim card - including messages and numbers that have been deleted. The information can then be transferred to a PC or laptop through a USB port. BrickHouse Security say it is ideal to "spy on your wife, husband, teens or colleague". (more)

UPDATE (5/28/08)
(source)
Comments from secret sources who KNOW...
"Could not read any more information than I could with SIMCon or SIM Seizure. Save your money." - S.H.

"Interesting marketing strategy, but the statement on their website that "This is the only SIM Card reader in the world that can actually see the *deleted messages*" is completely false. It is certainly not the _only_ product. You can do the same thing with any SIM/smartcard reader and a copy of Smartcard Commander (manually) or many other SIM analysis packages do it automagically (such as SIM Analyzer Pro), and it will cost you less than half of what Brickhouse is charging for this product. Deleted SMS's are very very simple to recover, as only one byte of the SMS entry changes to mark it as "deleted." Recovery of SMS from the SIM will depend on whether the phone stores SMS (and the other data this product claims to recover) on the SIM card or on the phone itself. Not all GSM phones store SMS/phonebook/etc to the SIM, and it can be a user-defined option where to store the data. Also, a typical SIM card may only hold a maximum of 30 SMS messages." - P.K.
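
P.K.'s point that a deleted SMS differs from a live one by a single status byte can be checked on a dump of the SIM's SMS file. The sketch below is an added example, not code from the original post or its commenters; it assumes the standard 176-byte EF_SMS record layout, handles only SMS-DELIVER messages in the default 7-bit alphabet without a user data header, and runs on constructed sample records with made-up numbers and texts.

```python
RECORD_LEN = 176  # EF_SMS record: 1 status byte + 175 bytes (SMSC address + TPDU)
IN_USE = {0x01: "received, read", 0x03: "received, unread",
          0x05: "sent", 0x07: "to be sent"}

def bcd_digits(data):
    """Decode swapped-nibble BCD phone digits; 0xF is padding."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data).rstrip("f")

def unpack_septets(data, count):
    """Unpack GSM 7-bit packed text. Simplification: septets are mapped
    straight to ASCII, which holds for letters, digits and space."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def decode_deliver(body):
    """Return (sender, text) for an SMS-DELIVER using the default alphabet."""
    try:
        tpdu = body[1 + body[0]:]              # skip the service-centre address
        if tpdu[0] & 0x43:                     # not SMS-DELIVER, or has a header
            return None, None
        oa_len = (tpdu[1] + 1) // 2            # sender length is given in digits
        sender = bcd_digits(tpdu[3:3 + oa_len])
        pos = 3 + oa_len
        if tpdu[pos + 1] != 0x00:              # data coding scheme: 7-bit only
            return sender, None
        pos += 2 + 7                           # PID, DCS, 7-byte timestamp
        udl = tpdu[pos]                        # text length in septets
        return sender, unpack_septets(tpdu[pos + 1:pos + 1 + (7 * udl + 7) // 8], udl)
    except IndexError:                         # residue too damaged to parse
        return None, None

def scan_ef_sms(image):
    """Classify every record; flag 'free' slots that still hold a message."""
    out = []
    for n in range(len(image) // RECORD_LEN):
        rec = image[n * RECORD_LEN:(n + 1) * RECORD_LEN]
        status, body = rec[0], rec[1:]
        if all(b == 0xFF for b in body):       # never used, or wiped on delete
            out.append((n + 1, "free", None, None))
            continue
        state = (IN_USE.get(status & 0x07, "unknown") if status & 0x01
                 else "deleted, content still present")
        out.append((n + 1, state) + decode_deliver(body))
    return out

def build_record(status, sender, text):
    """Build one constructed EF_SMS record (sample data, not from a real SIM)."""
    def bcd(num):
        num += "F" * (len(num) % 2)
        return bytes(int(num[i + 1] + num[i], 16) for i in range(0, len(num), 2))
    packed = sum(ord(c) << (7 * i) for i, c in enumerate(text))
    ud = packed.to_bytes((7 * len(text) + 7) // 8, "little")
    smsc = bcd("15555550100")
    body = (bytes([len(smsc) + 1, 0x91]) + smsc                # SMSC address
            + bytes([0x04, len(sender), 0x91]) + bcd(sender)   # header, sender
            + bytes(2) + bytes(7)                              # PID, DCS, timestamp
            + bytes([len(text)]) + ud)                         # length, packed text
    return bytes([status]) + body.ljust(RECORD_LEN - 1, b"\xff")

# Constructed 3-record file: a live message, a message "deleted" by changing
# only its status byte to 0x00, and a slot that was never used.
SAMPLE_EF = (build_record(0x01, "15555550123", "Lunch at noon")
             + b"\x00" + build_record(0x03, "15555550199", "Bid is 4200")[1:]
             + b"\x00" + b"\xff" * (RECORD_LEN - 1))

if __name__ == "__main__":
    for row in scan_ef_sms(SAMPLE_EF):
        print(row)
```

A handset that overwrites the record body with 0xFF on delete leaves nothing to recover, which is why the third state in the scan matters when judging what a lost or borrowed phone's SIM can still reveal.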


Sunday, January 13, 2008

Nato Secrets USB Stick Lost

A Cautionary Tale...
The discovery of a USB memory stick containing classified NATO information in a library in Stockholm has prompted a meeting between the Swedish Military Intelligence and Security Service and foreign defence officials.


According to Swedish daily Aftonbladet, the stick contained (http://www.aftonbladet.se/nyheter/article1563893.ab) material on NATO's ISAF peace-keeping force in Afghanistan, as well as an intelligence report on the attempted assassination of Lebanon's defense minister and the murder of Sri Lanka's foreign minister.

Colonel Bengt Sandström of the Swedish Military Intelligence and Security Service says this kind of carelessness is intolerable and can result in up to six months in prison.
It is unclear how the USB stick ended up in the library.

It isn't the first time the military has lost USB sticks with secret files. In 2006, a memory stick containing files on the Dutch military mission to Afghanistan was lost in a rented car. The documents also included information about the rules of engagement for Dutch troops in Afghanistan and the personal protection of Dutch Defense Minister Henk Kamp.

Also in 2006, the Dutch Defense Ministry reported the loss of another memory stick containing sensitive information about military intelligence agency MIVD. (more)

By this time, you should be convinced that you have to do something immediately about YOUR USB memory stick.
(more USB stories) (IronKey solution) (a great movie ...cheap!)


Thursday, December 27, 2007

A Solution to USB Leaks and Injections of Malware

from the manufacturer's web site... The proliferation of data loss due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels.

Sanctuary Device Control allows you to regain control of the peripheral storage devices that your user community attempts to connect to your network assets. Through granular policy-based controls, Sanctuary Device Control reduces risk of data theft, data leakage and malware introduction via unauthorized removable media and assures compliance with the landslide of regulations governing privacy and accountability.

Positive Approach to USB Security
Hardware such as USB memory sticks, FireWire external hard-drives, scanners, music players, digital cameras, PDAs, and CD/DVD burner drives are scattered throughout offices around the world. Their proliferation amplifies the threats posed by outsiders or users who plug in devices that could compromise the security of sensitive data.

By employing a whitelist approach, Sanctuary enables only authorized devices to connect to a network, laptop or PC - facilitating security and systems management, while providing the necessary flexibility to the organization. (more) (our earlier warnings 1, 2, 3, 4)


Monday, November 12, 2007

Foreign Intelligence Services Spy on German Companies

Germany is the land of ideas and innovations. Yet it is not only business competitors who may try to gain secret access to German expertise, it is also foreign intelligence services that are spying on German companies.

Whether it's research results, strategies for development, product information, client data or budget plans -- business secrets of successful companies are increasingly becoming coveted by industrious spies.

Andreas Blume, who is responsible for protecting new scientific findings at the chemicals company Evonik-Degussa, said small and mid-sized companies that are leaders in their field are especially at risk.


...some of the tricks the intelligence services use: supposed document shredders that are actually equipped with internal shredders and UMTS transmitters, beamers that record presentations and USB sticks with so-called Trojan Horse programs that allow hackers to spy on computers. ... A company in Thailand, for instance, offers monitoring of cell phone conversations. (more)

We hear this complaint from corporations in other countries, as well.


Sunday, November 11, 2007

SpyToy Alert - Voice Recorders hidden in pens

Key Specifications:
• Hidden LED indicators in pen
• USB flash drive (capacity: 128MB, 256MB, 512MB, 1GB)
• MP3 / WMA player
• Digital voice recorder / player
• Built-in rechargeable battery
• Play MP3 for 5+ hours
• Record voice for over 6 hours
• Standby time over 20 days
• Color: black or silver
• Size: 150 x 16mm
• Weight: 60g
• and, of course, the pen writes! (more) (more)

Be alert to the possibility of someone covertly recording you.
• Does the pen look funny?
• Watch how they handle and position their pen.
• Do they leave the pen behind when they leave the room?
• Ask to use their pen. What is its center of gravity?
• Watch their reaction.

One on-line seller actively promotes recording meetings.
1. "Bring your digital voice recorder pen to your next meeting."
2. "Start recording your conversation."
3. "Plug your pen recorder into the USB on any computer to listen and save audio recordings." (more)


Thursday, November 8, 2007

Need Extended WI-FI Range?

Try...
The Wi-Fire. It is a compact, range-extending USB device that enables you to access a wireless Internet connection from up to 1,000 feet away--three times the range of your internal wireless adapter.

Every Wi-Fire works with Windows XP and Vista and on Mac OS X 10.3 and up, including Leopard. (more)


Friday, November 2, 2007

Just when you thought your prohibition against bringing USB memory sticks into sensitive work areas was working...

"In lieu of lighter fluid and a flint, this lighter uses resistance coils to create heat. It’s the same technology found in car lighters.

The small rechargeable battery cell powering the coil can be recharged via USB. On top of that, there’s some flash memory in there to store files." Designer: Nathan Gabriele (more)

Although this particular camo-stick is still stuck in Nathan's brain as a concept piece, real camo-sticks are available for sticking in your computer. Some are outrageous. Some are clever. The last one could really cause you problems if it were repackaged.

The Memory Stick Stick
The Top 10 weirdest USB drives ever
Stick Doll
Sushi
Watch
Swiss Army Knife USB
Keystroke Logging "Memory Stick"
Mini-mini I & Mini-mini II
• The "pull my finger" Thumb Drive
AND
• The Snoopstick! A memory stick that inserts spyware code to allow remote eavesdropping.

(more)


Wednesday, October 24, 2007

IRONKEY

"The World's Most Secure USB Flash Drive with Internet Protection Services."

One of these is on its way here for testing. I'll let you know how we make out.

In the meantime, make yourselves aware of it. The concept alone - a super-secure USB memory stick - makes this the 'authorized' info-fob of choice for business and government.

One really cool 'Mission Impossible' feature...
"To prevent unauthorized people or crimeware (malicious software such as viruses and Trojans) from gaining access to your encrypted drive, the IronKey prevents password guessing attacks (e.g. brute-force or dictionary attacks). After 10 incorrect password attempts (and ample warnings), the IronKey locks out all further password attempts. It initiates a patent-pending self-destruct sequence that securely and permanently erases your encryption keys and data."

If self-destruction doesn't produce a puff of smoke, I'll suggest it to them. (more) (datasheet)
-----------------
(UPDATE 1 - One week later.)
-----------------
I received an IronKey for testing and have been putting it through its paces for about a month now. Flawless, easy to use; as security should be. We are recommending this to our clients.
-----------------
(UPDATE 2 - One year later.)
-----------------
11/6/08 - Ironkey has made slow progress in getting itself to work with systems other than Windows XP and Vista. A Linux 2.6+ version was released last June.

The Macintosh version is at the same "alpha-level" it was at a year ago. "We continue to work on developing Mac support, and plan to have Mac functionality available in a future release." Not acceptable.

More and more people are switching over to Macintosh at work. Some switch back and forth between work and home. This situation makes recommending Ironkey as a sole solution difficult for security consultants. Other companies offer multi-platform support for their sticks – Windows Vista, 2000 SP4, XP, Mac OS10.x and above. (directions)

Idea... Roll your own Mac Encrypted Memory Stick, for FREE!

(I neither sell, nor receive commissions from, the products I recommend. Recommendations are made based solely on my clients' best interests.)


Sunday, September 30, 2007

USB BUG

Another good reason not to allow laptops into proprietary meetings and conferences...

"This is the