Maybe you trust your patrons too much. Maybe you just don't know how vulnerable you really are. Let me share an experience with you to demonstrate how, and why, physical barriers to data theft can and should be deployed.

Have you ever visited a local doctor's office and been left in a room with a full-featured, fully functional Windows PC with exposed USB or FireWire ports? I recently visited a doctor's office where I was ushered into an examination room by a nurse who typed in her password to gain access to her Windows PC. Not only did she type in her password in front of me (not using a keycard, biometric reader, or other more secure means), but she left me in the room for more than 10 minutes all by myself. The PC had all of its USB and FireWire ports open and clearly exposed, both on the front and the back of the PC.

Had I been an unethical person, all I would have had to do is slide a USB thumb drive into the PC to either suck information onto my thumb drive, or have my programs sit and keyboard log (watching keyboard interaction), or worse yet, set a trojan upon the PC to send information from the PC to anywhere in the world through its connection to the Internet.

Think it's not possible? Windows has this wonderful feature called Plug and Play which, together with AutoRun, allows the auto-mounting of removable media and the auto-running of applications regardless of whether or not the PC is screen locked.
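The following script is an added example, not code from the original article: it audits, and optionally enforces, the standard Windows policy values that stop an attached device from auto-mounting and auto-running code on an unattended PC, and it adds the machine inactivity lock that would have covered the nurse stepping out. The registry keys and value names are the documented Windows policy settings; the `-Apply` switch, the `$settings` table and the two function names are this script's own conventions. Disabling the USBSTOR driver only affects mass-storage devices, so a USB mouse or keyboard keeps working, but legitimate thumb drives will stop mounting, which is exactly the point the article is making.

```powershell
# Added example: audit and harden AutoRun/AutoPlay and removable-storage
# settings on a Windows PC. Run from an elevated PowerShell prompt.
# Registry paths are standard Windows policy keys; $Apply is this script's own switch.
param([switch]$Apply)

# Each entry: registry key, value name, hardened value, and why it matters.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF
       Why  = 'Disable AutoRun on every drive type (bitmask, 0xFF = all types)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Value = 1
       Why  = 'Ignore autorun.inf commands entirely' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name = 'DenyRemovableDevices'; Value = 1
       Why  = 'Block installation of removable devices (Group Policy equivalent)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Value = 4
       Why  = 'Disable the USB mass-storage driver (Start = 4 means disabled)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'InactivityTimeoutSecs'; Value = 300
       Why  = 'Lock the screen after 5 minutes idle (machine inactivity limit)' }
)

# Read every setting and report whether it already matches the hardened value.
function Get-HardeningState {
    foreach ($s in $settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Current   = if ($null -eq $current) { '<not set>' } else { $current }
            Expected  = $s.Value
            Compliant = ($current -eq $s.Value)
            Why       = $s.Why
        }
    }
}

# Write the hardened values, creating missing policy keys as needed.
function Set-Hardening {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

$state = Get-HardeningState
$state | Format-Table -AutoSize Setting, Current, Expected, Compliant

if ($Apply) {
    Set-Hardening
    Write-Host 'Settings applied. The USBSTOR change is picked up for newly attached devices; a reboot is safest.'
} elseif ($state | Where-Object { -not $_.Compliant }) {
    Write-Host 'Non-compliant settings found. Re-run with -Apply from an elevated prompt to enforce them.'
}
```

Run it once without arguments to see the gap between what the PC is doing and what it should be doing, then with `-Apply` to close it. On a domain these same values are better delivered through Group Policy so a local administrator cannot quietly undo them.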

Way back in 2005, Sony BMG exploited this weakness by using the autorun features of music CDs on PCs. For more information on this exploit, read this: Sony BMG CD copy prevention scandal (external link)

Others have followed suit and have exploited this still-unclosed hole in the Windows operating system. To see how easily this can be done, Irongeek has provided a how-to (external link)

This information is not provided to try to scare the crap out of you, but it should. There are products out there that run on Windows that protect your PCs from this type of exploit, but why expose yourself to this to begin with? And did you know that just having this software running on your fully exploitable PC doesn't stop a determined person from getting this information anyway? The software REQUIRES that the operating system it's designed for be running.

Let's just glue shut the ports that we aren't using... Surely that will stop them. Wrong! The US military tried removing wireless adapters and gluing the USB and FireWire ports shut, but this hasn't stopped determined unethical hackers from gaining access to these PCs. If you have a USB-connected mouse, all you'd have to do is remove the mouse, power-cycle the PC with a thumb drive containing a bootable version of Linux, and you have full access to the physical PC. You are free to put a trojan on the PC and simply remove the thumb drive and power the PC back on with the mouse re-attached. Scary!
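Gluing ports does nothing against the power-cycle-and-boot scenario above, because the defense for that lives below the operating system: Secure Boot refuses an unsigned live-USB loader, and a TPM-backed BitLocker volume is unreadable, and cannot be written with a trojan, by anything that boots from a thumb drive. The script below is an added example, not part of the original article or any product it mentions: it reports those three controls on the local machine using the built-in `Confirm-SecureBootUEFI`, `Get-Tpm` and `Get-BitLockerVolume` cmdlets. The function name and the shape of its result are this script's own. It must run elevated, and on a legacy-BIOS machine the Secure Boot check simply reports false.

```powershell
# Added example: check whether a Windows PC can resist an attacker who
# power-cycles it and boots an alternative OS from an attached USB device.
# Cmdlets used are built into Windows; Get-OfflineAttackPosture is this script's own name.
# Run from an elevated PowerShell prompt on the machine being audited.

function Get-OfflineAttackPosture {
    $result = [ordered]@{}

    # Secure Boot: firmware refuses an unsigned boot loader before Windows starts.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        # Thrown on legacy BIOS firmware or when not running elevated.
        $result.SecureBoot = $false
    }

    # TPM present and ready: BitLocker keys are sealed in hardware, not on the disk.
    try {
        $tpm = Get-Tpm
        $result.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        $result.TpmReady = $false
    }

    # BitLocker on the system drive: a live Linux boot sees only ciphertext and
    # cannot plant a trojan into the Windows volume offline.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.SystemDriveEncrypted = ($vol.ProtectionStatus -eq 'On')
    } catch {
        $result.SystemDriveEncrypted = $false
    }

    [pscustomobject]$result
}

$posture = Get-OfflineAttackPosture
$posture | Format-List

$missing = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($missing) {
    Write-Host "Gaps: $($missing -join ', ')."
} else {
    Write-Host 'Windows volume is not readable or writable from a USB boot on this machine.'
}
Write-Host 'Also set a firmware (BIOS/UEFI) password and put the internal disk first in the boot order;'
Write-Host 'those settings live in firmware and cannot be verified from inside Windows by this script.'
```

The last two lines are the caveat that matters: the firmware password and boot order are what actually stop the thumb drive from being booted at all, and no script running inside Windows can confirm them, so they belong on the physical build checklist for every PC that sits in a public room.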

The only real answer is a physical barrier between the PC and your patrons. This is where VDI comes into play. By having a kiosk or thin client remotely access the real or virtual desktop, you preclude this type of behavior to begin with. The only access between the thin client and the virtual PC is through remote desktop protocols over encrypted tunnels (SSH or RDP). Unethical hackers can hook up a thumb drive, which would give them access to the thin client, but with no data on it, the only hope they would have would be to steal the encryption key used for the communications with the real or virtual PC, and then they would have to find a way onto your network in order to exploit this information. You can obtain thin clients which have only a PS/2-style mouse and keyboard with no USB or FireWire ports. This stops this type of attack DEAD IN ITS TRACKS.

There really is no way to absolutely secure your environment. Putting a padlock on your shed only keeps the casual or opportunistic thief at bay. Placing a physical barrier between your virtual or physical PCs and the access points within the public areas of your establishment is the only way to make it harder for the determined hacker to obtain access to your data. Without a physical means of connecting to your virtualized or physical desktops, the malicious or unknowing act of installing trojans and viruses is reduced. The casual act of bringing in a potentially infected thumb drive or CD with pictures of the kids on it is precluded by this barrier.

To learn more about VDI and virtualization of your networked resources, see the articles section for more information.