Endpoint Security: Security/Hacking applications that run on a USB flash drive
There have been quite a collection of applications ported to run on USB flash disks. Most of these applications seem innocent enough, however some are deliberatly developed to get around IT software use policies in the workplace, such as P2P filesharing applications, instant messaging applications, FTP clients and podcast managers to name a few. Although these can be seen as a moderate security risk in the wrong hands they are more of a nuisance. However a new breed of applications are making their way to a USB drive near you that you should be more concerned with.
Applications which are used by security professionals (and hackers alike) to test the security of their networks and scan for vulnerabilities now have the capability to run independently from a USB flash drive and no longer require that WinPCap or other third-party packet capture drivers to be installed on a system. Applications such as Nmap, Ethereal, Showtraf, TCPDump, Nemesis and John the Ripper are now appearing online via sites in a modified form that contain an internal packet driver that is loaded when the application is launched.
What this means is that a hacker no longer needs to even have a laptop with them in order to compromise a network, simply bring a USB flash drive in a company and plug it into the USB drive of an available system.
Nmap is a free open source tool used for network exploration and vulnerability auditing. Using Nmap a user can quickly scan large networks as well as target specific hosts. Nmap uses IP packets in unique ways to figure ouw what hosts are available on a given network and can determine what operating system it is running as well as determine what services (including versions) it is running and can also discover what type of packet filters and firewalls are in use.
Ethereal is a free protocal analyzer, also called a packet sniffer that is used for network troubleshooting, analysis and protocol development. The tool allows the user to see all traffic being passed over a network when putting a network card into what is known as “promiscuous mode”.
Showtraf is a tool that monitors network traffic on a network and displays the traffic continuously via a GUI.
TCPDump is similar in functionality to Ethereal, however works via the command line and does not have a graphical user interface. The application allows the user to intercept and display TCP/IP and other packets transmitted and received over a network.
Nemesis works on the command line and is used for packet crafting and injection. It is used primarily for testing Network Intrusion Detection Systems, firewalls and IP stacks and other networking tasks.
John the Ripper *
John the Ripper is a password cracking tool which works to detect weak password. There are several other password cracking tools that run via USB, in fact most can. Interestingly many anti-virus applications will detect the presence of these files and quarantine them, however all one needs to do is temporarily disable the anti-virus which most users have the rights to do and it can be run without a problem.
Netpass is a utility used to recover network passwords on Windows 98/ME, however can also discover other passwords on XP such as .NET Passport passwords etc.
A “podslurping” application that allows users to copy large quantities files from a system in a matter of seconds. A version that simply audits a system as an example of how such an application works is downloadable from here.
This is just a sampling of security related applications that can be run directly from a USB drive, this is by no means complete. More applications are appearing on a daily basis that can run straight from a USB flash drive. Although this can be incredibly convenient it can also prove to be a severe security issue for network administrators. With the strong focus of network security being focused on the perimeter also known as “The Great Wall Syndrome,” endpoint security has taken a back seat. Given that 70% of security breaches and data thefts occur behind the firewall and increasing cases of data theft in the news, it is time for IT professionals to seriously reconsider their endpoint security strategy.
Simple Solutions : Endpoint Security and USB Lock Down
Disabling USB ports is not difficult, however in a corporate environment this can cause problems, as many USB removable media devices are critical to business productivity. To provide granular access controls, there are products such as DeviceWall’s endpoint security solution, which allow administrators to decide who can plug-in what devices and whether they should have read/write access to these devices.