Leaving a calling card on your memory stick can enable recovery
One thing I’m observing from the early results of the HSP is that a significant number of people are trying to find out how to locate the owner of the device they have found.
In Stream 0, there are no outside markings with contact information on the devices. In the first two cases of people making contact, they took enough care in opening the files that they did not trigger a request to the website, and so were not tracked. They did find a plain text file entitled “owner_contact_info.txt”, which contained a phone number, email address and physical address, as well as the HSP website address.
Both finders called the phone number to indicate that they had found the device, and were presumably willing to return it. So, it may facilitate recovery to some extent if you have such a file on your mobile device with enough information to enable somebody to contact you if they find it. Of course, depending on the type of information on the device and on your sensitivity to being identified, you may not want to divulge any personal information, as you don’t know if the potential finder will have good or bad intentions.
Social engineering research without the stakeout
Depending on how you look at the Honey Stick Project, it could be considered a technical project or a psychology project… or something in between.
It was actually inspired by the now-legendary social engineering penetration test that I wrote about on the Security Views website.
The bottom line in that story was that a credit union hired a penetration tester to use whatever means he could to try to compromise their network. By scattering 20 USB memory sticks with a specially designed Trojan horse autorun program around their parking lot, he was able to detect that 15 of them were inserted into company computers connected to the Internet.
This project is starting out differently in that it is being done in public places (at my own cost, so far), but with passive tracking instead of a custom program that runs. The results won’t be quite as exciting, but they may be interesting. Since it is being done over a period of time, and across a larger geographic area, I won’t be sitting around in the parking lot waiting for the results.
What I think the results may tell us is that certain places have a higher chance of having people who will pick these things up and use them, and other places will have more people who return them.
I look forward to hearing anyone else’s comments and ideas.
Things your mother never told you about Mobile Storage Devices
While leaving the gym one day, tired and hungry, you look down and see a large slice of all-dressed pizza sitting on the freshly cleaned hallway floor. Nobody’s around. Do you pick it up and eat it? … Why not? Germs, you say? But the floor looks so clean. Surely it can’t have that many germs on it, and you are VERY hungry… still no?
OK, so you are normal and sane.
Now imagine that same hallway, and nobody else is around, but you find a USB memory stick lying there. What do you do?
Stories about Mobile Storage Device Security
Since this site is dedicated to researching and educating people about security and privacy risks, issues and solutions, I wanted to have a place to allow for stories, anecdotes and comments, primarily about Mobile Storage Devices such as USB Memory Drives, Digital Cameras, MP3 Players, Digital Picture Frames, PDAs, Phones, and even Laptops. I prefer verifiable stories and case studies, but even hypothetical situations may be discussed here.
Examples I will start with include some of the case studies I’ve already posted on the Security Views website.
Please remember that you should not disclose private or confidential information that is not already in the public domain.
How is the Honey Stick Project related to Privacy?
In a nutshell, if you are collecting information about somebody who visits your website, then that information may be Personally Identifiable Information (PII). Things like credit card numbers, group affiliations, etc. may be considered PII.
One thing I was concerned with in designing the HSP was the fact that my original plan included capturing the IP addresses of people accessing the files on the Honey Sticks. This would potentially allow me to do a lookup in order to find out what company the network was registered to. It might be an ISP, but it might also be a private company.
One could argue that collecting the company name might be considered PII. In the beginning, I did not want to be collecting and handling PII. Based on wording found on the OECD website (www.oecd.org), the collection of IP addresses may or may not be considered PII, depending on how they are used. In the case of using IP addresses for website maintenance and performance tuning, they would not be PII. However, if used for “profiling or targeting”, they might be. So, I decided to steer clear of this issue in Stream 0.
As a result, I do not collect IP addresses for the study, even though they do show up in my logs. Logs get rolled over after a period of time.
For all practical purposes, I cannot identify individuals who use the Honey Sticks. There may be situations where other logs record a user’s actions and might be able to correlate them. But I do not receive or handle these logs.
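The separation described above, between the web server logs (which contain IP addresses) and the study data (which must not), can be enforced at analysis time. The following is an added example, not the project’s own code: it parses constructed Apache-style log lines, counts the “phone home” hits per stream and per stick, and keeps only the day of first contact. The /hsp/<stream>/<stick-id>/ path layout and the stick IDs are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the lines in SAMPLE_LOG are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed beacon path layout: /hsp/<stream>/<stick-id>/<file>. Hypothetical,
# not the Honey Stick Project's real URL scheme.
BEACON_RE = re.compile(r'^/hsp/(?P<stream>\d+)/(?P<stick>[A-Za-z0-9-]+)/')


def summarize_beacons(lines):
    """Count beacon hits per (stream, stick) without retaining who made them.

    The IP and User-Agent fields are matched only so the line can be validated;
    they are never copied into the result, so the summary holds no PII.
    """
    hits = Counter()
    first_seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        b = BEACON_RE.match(m["path"])
        if not b or m["status"] != "200":
            continue  # ordinary site traffic, or a beacon that did not load
        key = (b["stream"], b["stick"])
        hits[key] += 1
        # Keep only the day of first contact, not the full timestamp.
        first_seen.setdefault(key, m["ts"].split(":", 1)[0])
    return hits, first_seen


def redact_ip(line):
    """Blank the client IP so a log line can be kept for debugging without PII."""
    m = LOG_RE.match(line)
    return line if not m else "-" + line[len(m["ip"]):]


SAMPLE_LOG = [  # constructed sample, documentation-range addresses only
    '203.0.113.7 - - [10/Mar/2009:14:22:01 -0500] "GET /hsp/0/stick-04/index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Mar/2009:14:22:02 -0500] "GET /hsp/0/stick-04/logo.gif HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [11/Mar/2009:09:05:44 -0500] "GET /hsp/0/stick-11/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Mar/2009:09:05:45 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Mar/2009:18:40:10 -0500] "GET /hsp/0/stick-04/index.html HTTP/1.1" 404 0 "-" "curl/7.19"',
    'not a log line at all',
]

if __name__ == "__main__":
    counts, seen = summarize_beacons(SAMPLE_LOG)
    for key in sorted(counts):
        print(key, counts[key], "first seen", seen[key])
```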
For a more detailed discussion of privacy and Honey Sticks, please see the paper I wrote on this subject.
In future streams, I may collect PII from Honey Stick users or other individuals, but will have a formal process for handling it.
What is a Honey Stick?
A Honey Stick is the name I use to describe any Mobile Storage Device, such as a USB Flash Memory Drive, configured in a way that is designed to do specific things when found and viewed by individuals who use it. In its most dangerous form, a Honey Stick could carry viruses or Trojan Horse programs. But it may only be configured to “phone home” in case it is lost by its original owner, picked up by another individual and inserted into a computer that is connected to the Internet. There are many scenarios in between these that rely on a user inserting the device into a computer to see what’s on it.
Other examples of devices that can be configured as Honey Sticks are: Memory Cards (SD, Memory Stick, FlashMedia, XD, etc.), and even iPods, MP3 Players, Digital Cameras, Digital Picture Frames, or other electronic devices such as toys and PDAs. Virtually anything with digital memory and a connector can be configured this way.
The most important thing to know is that any device you pick up can be risky to connect to a computer. There are even examples of brand new Digital Picture Frames being sold with Trojan Horse programs already on them. The questions arise, what can you trust, and how do you protect yourself?
The Honey Stick Project
The Honey Stick Project was initiated to provide a forum for investigating and publishing information about the implications of using Mobile Storage Devices for collecting information. As we all know, USB Memory Sticks are getting cheaper, can hold massive amounts of data, and are very easy to lose. This means that you will be seeing more of these things lying around.
The term “Honey Stick” was derived from the computer network security term “Honey Pot”. A Honey Pot is essentially a decoy placed somewhere on a computer network that looks to be an interesting target for hackers exploring the network. It is designed to provide the attacker with interesting information and challenges that keep them busy while the network owner identifies and investigates them.
A Honey Stick is also not what it seems. It may look like a lost USB drive, but may contain malicious programs, or other mechanisms for gathering information about whoever picks it up, or whatever system it gets connected to.
At this point, I have many ideas and questions about how these devices will be used. This is just a starting point for something that has piqued the interest of most people I’ve discussed it with. If you are interested in joining the community, please register so you can contribute comments and maybe help with the research.
Please come back often to see what’s happening.
- Scott Wright