The real message is - Don’t let your employees become your accidental adversaries
When I started the Honey Stick Project, I thought it would be an interesting experiment. It never occurred to me that people wouldn’t understand why gathering these metrics was useful.
However, when I started explaining to people what the project was, and I got to the punch line… “I’ve discovered that over 40% of people who find these devices plug them into their computers to see what’s on them!”… all I got was a blank look, followed by a nod and a timidly uttered question - “Really? I guess that’s bad, eh?”
People wanted to care, so they nodded. But they really didn’t understand. It wasn’t until I was talking to my accountant, Mike, one day a few weeks ago, and he said, “Scott. I’ve heard you explain this project a few times now, but imagine you were talking to an executive at a networking reception who had no idea what it meant. After the first sentence, they’re quickly going to be looking right over your shoulder at the bar. They need to know what the ultimate impact is on their business, in just a few seconds. Why should they care?”
I thought about it for a few seconds, realizing I’d forgotten the golden rule of marketing (and security awareness is marketing)… what’s the end business benefit or impact?
So I tried one more time. “If an employee makes one wrong click on an email or a file on a rogue device, that computer could instantly become a slave that steals information, takes over your network or grinds your operational information systems to a halt,” I said.
“NOW I’m interested,” says Mike.
Since that day a few weeks ago, I have been refining the message. This is what the message has become…
“Don’t let your employees become your accidental adversaries!”
Employees don’t usually want to cause your business any damage, but often they don’t know any better. You must first determine if they know which information and systems are sensitive. Then, you have to see if they know how to properly protect them. The technology can’t do it all. Just ask NASA.
In August, they discovered a virus on computers in the International Space Station. You’d think if anyone had the technology to protect their computers, it would be them.
It really is possible for your employees to knock out an operational computer system with just a single click, without even knowing they are doing it.
If your business depends on information, and you are curious about its predisposition to being accidentally disrupted by your own staff, please contact me by sending an email to inquiries@securityviews.com. I can show you how you can use Honey Sticks to measure security awareness in your organization, and then to implement a program for engaging and educating your staff on how to identify and protect your critical assets.
If you join The Streetwise Security Zone, you can also download a slide deck entitled, “The Accidental Adversary: Measuring Security Awareness Before It’s Too Late” by clicking HERE.
Securing a USB Memory Stick means thinking about more than just encryption
When you are choosing a solution for protecting USB Memory Sticks via encryption, there are a number of trade-offs to consider. It’s worth thinking about them, because, depending on your situation, they may be less secure than you had hoped, or more difficult to work with than you expected.
You shouldn’t necessarily depend on the encryption software that runs on the device to be secure. If it isn’t built into the hardware design, it can be tampered with. IronKey has a device that covers this off nicely. The downside is a bit of a usability trade-off. In order to thwart brute-force password attacks, the IronKey device has a password failure threshold. Once you pass the limit, it destroys all the data on the device - permanently.
When using a software-based solution such as TrueCrypt, you will need some client-based software installed. Some solutions let you keep the software on the device, which sounds convenient, but the software itself is subject to attack or replacement without your knowledge.
So, it’s a good idea to look at all the solutions on the market, and look at your situation. The highest grade of security is tempting to go for, despite the increased price. But you may have to change your mindset to accept the fact that all your data could be lost if the device clears itself due to exceeding the limit on failed passwords. It really highlights the need to have a regularly scheduled, secure backup strategy any time you are using Mobile Storage Devices.
For a good article on side-by-side comparisons for a few models available today, click HERE.
Clickjacking is just one way that files on a malicious device can fool you
When you use an “unknown” device, the files may look innocent enough - maybe just some HTML files. If you click on one, and it seems to take you to a trusted site such as Paypal or a major banking site, it might not be what it looks like.
Clickjacking is a newly identified (but not new, in reality) risk that adds just another dimension to a “drive-by device” attack. But this is a powerful threat to your privacy, as well. With the right configuration of a spoofed website, you could be fooled into clicking on a button that causes you to unwittingly turn on your laptop camera and microphone. Compared to a static spoofed website, this is a very intrusive threat.
I have written up a set of tips for managing this risk, at least until vendors like Adobe and the browser manufacturers come up with a solution - which could take a significant amount of time. This problem is not easy to solve with technology, alone.
Here is a link to my write-up at The Streetwise Security Zone (click HERE). There are also links to sites with more information about this newly documented risk.
This just reinforces the need to be extremely cautious with “unknown” devices, that may attempt to launch attacks by taking you to a site that looks safe, but is far from it.
If you run a lost and found, train your staff to handle devices carefully
At various times during the Honey Stick Project, I have encountered Lost and Found facilities - some were well-managed, and others, I’m not so sure.
It’s worth mentioning to your staff that if a device is turned in, it should never be plugged into a computer, even to see who owns it. The best thing to do is just mark the date it was found, and take the name and number of the person who turned it in.
There is no point in taking a risk that your computer or network could become infected with a virus or other type of malicious program. It may not be just an innocently lost device. With the rise in “spear-phishing” and “drive-by downloads”, the device may have been seeded with a program designed to infiltrate your network, or accidentally infected while the owner was using it to surf the Web.
I mentioned above that some lost and founds are not so careful. I noticed that one Honey Stick left at a hotel was not used for just over 30 days. Then it was plugged in and accessed from that same hotel’s network. I have no way of knowing exactly what the situation was, but it looked to me as though the minute it passed its “expiry date” in the lost and found, a staff member decided to check out its contents.
Another hotel kept a device for 3 months, and then called the person who turned it in, saying they could have it. That person did use the device, but used the contact information in a file on the device to let me know they had found it. The hotel did a good job in protecting their network, but it would have been nice for them to have warned the person to handle it carefully, since nobody knows where it came from.
Drive-By Downloads can be initiated by websites or from infected USB drives
Sometimes, you just don’t hear it coming; and “zap”, you’re infected.
According to Ryan Naraine, an anti-virus expert who works for Kaspersky Lab, over 70 percent of all web-based malware is now hosted by legitimate websites that have been infected. Click HERE for an article with more info from Ryan. One way or another, the sites either host what’s called a “Drive-By Download”; or they redirect or link you to a site that hosts one.
Recently, for example, the Business Week website was hacked, and various parts of the site became infected with malware that caused visitors to be automatically redirected, or rerouted, to third party websites without them knowing it. At the new sites, a download is initiated, usually by trying to take advantage of security flaws in browsers that mistakenly trust a site that initiates a download, or by impersonating a legitimate download, such as a Flash Player upgrade that it says is “required” to continue.
While the website statistic is scary, this same risk can appear from USB drives, or other mobile storage devices, that are infected with malware, or which have file links to Drive-By Download sites.
Some newer browsers, like Firefox 3.0, have “Malware Blockers” that can detect some instances of this activity, but not all of them.
The moral: Keep your eyes open for anything suspicious, even when visiting what you think is a “trusted” website; and don’t ever use unknown or untrusted USB devices.
Using Honey Sticks can measure security awareness based on real human actions
Recently, I’ve been receiving a growing number of inquiries about how people can use The Honey Stick approach to test security awareness in their business. It turns out that there are a few good reasons to use this approach for doing baseline measurements, and as an indicator of how well your security awareness program is working.
As Michael Santarcangelo commented to me recently, it is much more valuable to measure real human actions instead of just asking people their opinions or to recall how often they perform various activities. The Honey Stick approach is a cheap, easy and safe way to get an indicator of what level of awareness staff has. As a result, I am in the process of putting together a guide book and a kit that can be used to do basic metrics for how safely an organization’s staff handles unknown devices.
It’s always good to have questions, comments and anecdotes from real industry people. So, if you provide a relevant story in this thread, I’ll consider including it in the book, and I’d be happy to give you a copy when it is published. What would you like to see in the book or kit?
Practical security help for small business managers - The Streetwise Security Zone
It’s time to get streetwise about information security. One of the areas in which I think the security industry has been weak has been in giving small businesses affordable and practical tools for sifting through the mound of technical mumbo-jumbo created each day on the Web.
I imagine that they must feel a bit like high school teenagers walking into a baby’s clothing store… They don’t have much interest, even though - someday soon - they know they will need to know about the stuff.
The Honey Stick Project was my first attempt to raise awareness among small business managers and others who should be aware of the real risks in today’s information world. I still have some new ideas for testing the psychology of how people think about mobile storage devices they find or lose. But the small business problem is much bigger than this, in my view. (more…)
Does NASA need to train astronauts about Honey Sticks?
Thanks to Brian Honan (click HERE to view his site at BH Consulting) for noting The Honey Stick Project in this week’s SANS Newsbites newsletter (click HERE). Apparently, the virus infecting the NASA laptops brought aboard the International Space Station was a type of worm that usually spreads by way of infected mobile storage devices.
According to The Register (click HERE):
SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals passwords to various online games, according to anti-virus software provider Symantec, which first spotted the worm 12 months ago.
SD Phone Home - New Potential Honey Stick Threats
This week I heard about two interesting devices.
The first is a story of a digital camera that was stolen (click HERE). The owner was surprised to receive an email with pictures of the thieves. Apparently, the owner had forgotten that they had a $100 special SD card called Eye-Fi (click HERE), with Wi-Fi built in and the ability to upload files to the owner’s site. It actually sends its data via email or upload to a file repository. It’s not clear to me exactly how this works yet, but if it can do it without spending cycles on the finder’s computer it would solve a lot of the privacy and liability issues I’ve written about in my paper.
Another thing I heard about this week was the Trackstick II Personal Tracker (click HERE). It looks like a USB Drive that has GPS tracking on board, and can track and store its own location and movement information. However, I’m not sure if this one can store user files or data, and it doesn’t look like it can “phone home”. But it’s only a matter of time…
If a “phone home” program was added to it in case of loss, I’d see this as having some liability issues, if the finder’s computer were damaged during the program’s unauthorized execution.
It looks like we’ll be seeing a lot more devices integrating different technologies. All the more reason to be very careful what you stick into your computer. If you thought DoubleClick and web bugs had privacy issues, just wait until your new camera registers itself and sends your picture and PC configuration to their server for more “personalized” support services.
Or what about something like Napster for cameras? Camster anyone? Will you be able (or knowledgeable enough) to prevent your camera from “sharing” your photos and files with other devices nearby? After all, sharing sounds good, right? A lot of manufacturers have not figured out that allowing open access and sharing by default in new devices usually creates serious and fast-spreading privacy and security issues.
Latest Honey Stick Statistics - 42% of Lost USB Drives Are Accessed
While it has been a while since I updated the statistics on www.honeystickproject.com, there was still lots of activity. Stream 1 is now active with 8 sticks deployed in Las Vegas, Ottawa and Toronto (for a total of 33), and half of those have been accessed.
This is becoming a fun project, finding places to drop them as we travel around the globe. Thanks to Mike Sues for sponsoring devices for Stream 1. I’m aiming for 1,000 deployed devices, so I can say there is some statistical significance in these results that people will notice. But it is already an interesting response rate.
What does this data mean? I have some ideas, but I’d like to hear your thoughts. Feel free to comment below on this post.
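As an added example (not the Honey Stick kit or the project’s real data), here is a small Python script that computes the basic metric described in the posts above, the share of deployed sticks that were accessed, from a constructed deployment log, and attaches a Wilson confidence interval so you can see how much the 33-stick sample and the 1,000-stick target differ in statistical certainty. It assumes each stick records the date a file on it was first opened; the device ids, cities and dates are hypothetical.

```python
from datetime import date
from math import sqrt
from statistics import median
# Constructed deployment log (hypothetical values, not the project's real data):
# device_id,stream,city,deployed,accessed  (accessed empty = never opened)
SAMPLE_LOG = """\
HS-001,1,Ottawa,2008-09-02,2008-09-03
HS-002,1,Ottawa,2008-09-02,
HS-003,1,Toronto,2008-09-10,2008-10-12
HS-004,1,Toronto,2008-09-10,
HS-005,1,Las Vegas,2008-09-20,2008-09-20
HS-006,1,Las Vegas,2008-09-20,
"""

def parse_log(text):
    """Parse CSV lines into dicts; 'accessed' becomes a date or None."""
    records = []
    for line in text.strip().splitlines():
        dev, stream, city, deployed, accessed = line.split(",")
        records.append({"id": dev, "stream": int(stream), "city": city,
                        "deployed": date.fromisoformat(deployed),
                        "accessed": date.fromisoformat(accessed) if accessed else None})
    return records

def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for the proportion k/n; behaves sensibly at small n."""
    if n == 0:
        return (0.0, 0.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def access_metrics(records):
    """Deployed/accessed counts, access rate, 95% CI, median days until first access."""
    n = len(records)
    hits = [r for r in records if r["accessed"] is not None]
    days = [(r["accessed"] - r["deployed"]).days for r in hits]
    return {"deployed": n, "accessed": len(hits), "rate": len(hits) / n if n else 0.0,
            "ci95": wilson_interval(len(hits), n),
            "median_days_to_access": median(days) if days else None}

if __name__ == "__main__":
    print(access_metrics(parse_log(SAMPLE_LOG)))
    # How much the interval narrows between today's 33 sticks and the 1,000-stick target:
    for n in (33, 1000):
        lo, hi = wilson_interval(round(0.42 * n), n)
        print(f"n={n}: 42% accessed -> 95% CI {lo:.0%} to {hi:.0%}")
```

The same script works unchanged on a larger log; grouping the records by "stream" or "city" before calling access_metrics gives the per-location rates the posts report.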
Scott Wright
