Social engineering research without the stakeout
Depending on how you look at the Honey Stick Project, it could be considered a technical project or a psychology project… or something in between.
It was actually inspired by the now-legendary social engineering penetration test that I wrote about on the Security Views website.
The bottom line in that story was that a credit union hired a penetration tester to use whatever means he could to try to compromise their network. By scattering 20 USB memory sticks loaded with a specially designed Trojan Horse autorun program around their parking lot, he was able to detect that 15 of them were inserted into company computers connected to the Internet.
This project is starting out differently: it is being done in public places (at my own cost, so far), and it uses passive tracking instead of a custom program that runs on the finder's computer. The results won’t be quite as exciting, but they may be interesting. Since it is being done over a period of time, and across a larger geographic area, I won’t be sitting around in a parking lot waiting for the results.
What I think the results may tell us is that certain places have a higher chance of having people who will pick these things up and use them, and other places will have more people who return them.
I look forward to hearing anyone else’s comments and ideas.
What is a Honey Stick?
A Honey Stick is the name I use to describe any Mobile Storage Device, such as a USB Flash Memory Drive, configured to do specific things when it is found and examined by whoever picks it up. In its most dangerous form, a Honey Stick could carry viruses or Trojan Horse programs. But it may only be configured to “phone home” in case it is lost by its original owner, picked up by another individual, and inserted into a computer that is connected to the Internet. There are many scenarios in between these, and all of them rely on a user inserting the device into a computer to see what’s on it.
Other examples of devices that can be configured as Honey Sticks are: Memory Cards (SD, Memory Stick, FlashMedia, XD, etc.), and even iPods, MP3 Players, Digital Cameras, Digital Picture Frames, or other electronic devices such as toys and PDAs. Virtually anything with digital memory and a connector can be configured this way.
The most important thing to know is that any device you pick up can be risky to connect to a computer. There are even examples of brand new Digital Picture Frames being sold with Trojan Horse programs already on them. The questions, then, are: what can you trust, and how do you protect yourself?
The Honey Stick Project
The Honey Stick Project was initiated to provide a forum for investigating and publishing information about the implications of using Mobile Storage Devices for collecting information. As we all know, USB Memory Sticks are getting cheaper, can hold massive amounts of data, and are very easy to lose. This means that you will be seeing more of these things lying around.
The term “Honey Stick” was derived from the computer network security term “Honey Pot”. A Honey Pot is essentially a decoy placed somewhere on a computer network that looks like an interesting target for hackers exploring the network. It is designed to keep the attacker occupied with interesting information and challenges while the network owner identifies and investigates the attacker.
A Honey Stick is also not what it seems. It may look like a lost USB drive, but may contain malicious programs, or other mechanisms for gathering information about whoever picks it up, or whatever system it gets connected to.
At this point, I have many ideas and questions about how these devices will be used. This is just a starting point for something that has piqued the interest of most people I’ve discussed it with. If you are interested in joining the community, please register so you can contribute comments and maybe help with the research.
Please come back often to see what’s happening.
- Scott Wright