USB Threats - Hacksaw & Switchblade

Digital 'Jemmy' released 'into the wild' by 'The Software Jedi'


A powerful set of tools that makes data theft - including identity theft - easier than ever before has been made freely available on an American website (www.hak5.org). The tools are based on handheld removable drives, typically the size of a keyfob (also known as memory sticks, pendrives etc).

The tools - called USB Switchblade and USB Hacksaw - can be downloaded to an inexpensive pendrive, readily available on the high street for a few pounds, creating a potent weapon capable of acquiring large amounts of sensitive information from any unprotected PC. These have been shown to be used in call centres, for example, to abstract large amounts of customer data including such items as credit card and other identity data. They can equally be used on any user's home PC to capture personal information about surfing habits, passwords, electronic banking and email records, creating a major threat to privacy.

Removable drives come in many shapes and sizes - up to 4GB, enough for a huge quantity of personal data and email etc - and tiny in size - often now available invisibly integrated into a mobile phone, a pen or even a wrist watch.

Because the young hackers behind this (who call themselves 'the software Jedi') have released not just the information but the tools themselves as well as full instructions, anyone with just a moderate degree of IT skill can create and use such a tool.

They have also released the programming 'source code' which means that anyone with the programming skills can adapt and build on the toolkit to create yet more illicit tools.

The tools released are featured in a programme/download on the 'YouTube' network just acquired by Google and include:

USB SwitchBlade
A tool for secretly removing (copying) files, password information etc from a PC automatically by just inserting a USB drive. This employs a technique called 'MaxDamage' to silently run the hacking software and copy the information when the drive is plugged in - with no action needed from the user. (More detail: see WARP News below).

USB HackSaw
This goes two steps further: It infects the target machine with a silent agent which can also recognise when other removable drives are plugged in and harvest their content. It then uses Google's Gmail to secretly e-mail the stolen data, in convenient packets, back to the perpetrator. This will reportedly run from a guest account as well as an administrator.

I have described these further in a threat alert (attached below) published on the WARP network (the government sponsored Warning, Advice and Reporting Point network - www.warp.gov.uk).

I ran a seminar last May with MERIT (www.merit.org.uk) to highlight this issue and alert businesses to the problem - also creating PodSnaffler (www.podsnaffler.co.uk) to demonstrate precisely this threat prior to the 'DTI Information Security Breaches Survey 2006' - which also highlighted the continuing rise in high tech crime in general and data-theft in particular - and its potential impact for businesses small and large. This also identified removable devices as a key 'emerging threat'.

Barry E James
MD
The TakeWare Company
www.takeware.co.uk



Subject: News v1.0: USB SwitchBlade and USB Hacksaw

WARP News
Categories: InfoSec News, Incident/Threat
Date and Time issued: Oct 10 2006 9:24AM

USB SwitchBlade and USB Hacksaw

As previously predicted the threat to business and education networks has now increased significantly as a result of open source tools which have now been released via the web. www.PodSnaffler.co.uk drew attention to this earlier this year - and the danger that such tools could pose if released. This has now happened.

A very powerful suite of tools is now freely available from the American site HAK.5 (www.hak5.org), including:

USB SwitchBlade

A tool for secretly removing (copying) files, passwords, information etc from a PC automatically by just inserting a USB drive. This employs a technique called 'MaxDamage' to automatically run the covert agent. Where autorun has been disabled, the technique of using social engineering to trick a user into running the autorun when choosing "Open folder to display files upon insertion" is advocated.

USB HackSaw

This goes two steps further: It infects the target machine with a silent agent which can also recognise when other USB drives are plugged in and harvest their content, secretly using a secure connection to e-mail the resultant data, in convenient packets, back to the perpetrator. This will reportedly run from a guest account as well as an administrator.

It's clear that these techniques can be combined - all the source code and copious information is freely available - to also infect and harvest data on a regular basis from a single infection.

Advice

Advice is available at www.podsnaffler.co.uk and www.takewaregatekeeper.co.uk - key points include:

- Consider disabling autorun on systems where this is not required.

- Don't allow unknown devices to be used wherever possible.

- Consider installing software to monitor and control the use of all mass storage devices (not all storage devices use USB).

The warnings and advice in this item originate from a source (a MYWARP subscriber) with a commercial interest in protecting systems against this type of attack, who is an expert in this field. As usual the item is presented for information, not as an endorsement or advertisement for products or services offered through any of the links provided.

Jim Sunderland MYWARP Operator
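For the first advice point in the alert above (disabling autorun), the following added example, which is not part of the original alert or of any product named on this page, audits the Windows `NoDriveTypeAutoRun` policy value and reports which drive types still autorun. The host names and mask values in the inventory are constructed sample data.

```python
# Added example: audit the NoDriveTypeAutoRun policy value (bit set = autorun OFF).
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DRIVE_TYPE_BITS = {            # documented drive-type mask bits
    0x01: "unknown type",
    0x04: "removable",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved types",
}
REMOVABLE = 0x04

def autorun_enabled_types(mask):
    """Drive types whose bit is clear, i.e. autorun is still enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def audit(host, mask):
    """Classify one host: OK, WARN (removable covered, others not) or FAIL."""
    if mask is None:
        return (host, "FAIL", "policy value not set; OS default applies")
    if mask & 0xFF == 0xFF:
        return (host, "OK", "autorun disabled for all drive types")
    still_on = ", ".join(autorun_enabled_types(mask))
    if mask & REMOVABLE:
        return (host, "WARN", "removable covered; still enabled for: " + still_on)
    return (host, "FAIL", "autorun still enabled for: " + still_on)

def read_local_policy():
    """Read the machine-wide value on Windows; None if absent or not Windows."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except (ImportError, OSError):
        return None
    return int.from_bytes(value, "little") if isinstance(value, bytes) else int(value)

# Constructed inventory (host names and values are sample data, not from the page).
SAMPLE_INVENTORY = {"callcentre-01": 0x91, "callcentre-02": 0xFF,
                    "kiosk-03": 0x95, "laptop-04": None}

if __name__ == "__main__":
    for host, mask in SAMPLE_INVENTORY.items():
        print(*audit(host, mask), sep="\t")
    if sys.platform == "win32":    # live check only makes sense on Windows
        print(*audit("localhost", read_local_policy()), sep="\t")
```

A host reported as OK or WARN has only the autorun path closed; the alert's other two advice points (unknown devices and mass-storage monitoring) still apply.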


The DTI's "Security Breaches Report 2006" contains a wealth of information and links.



Copyright ©2006 The TakeWare® Company