The Honey Stick Project

Thanks to Brian Honan (click HERE to view his site at BH Consulting) for noting The Honey Stick Project in this week’s SANS Newsbites newsletter (click HERE). Apparently, the virus infecting the NASA laptops brought aboard the International Space Station was a type of worm that usually spreads by way of infected mobile storage devices.

According to The Register (click HERE):

SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals passwords to various online games, according to anti-virus software provider Symantec, which first spotted the worm 12 months ago.

This week I heard about two interesting devices.

The first is a story of a digital camera that was stolen (click HERE). The owner was surprised to receive an email with pictures of the thieves. Apparently, the owner had forgotten that they had a $100 special SD card with Wi-Fi built in, called Eye-Fi (click HERE), and the ability to upload files to the owner’s site. It actually sends its data via email or upload to a file repository. It’s not clear to me exactly how this works yet, but if it can do it without spending cycles on the finder’s computer it would solve a lot of the privacy and liability issues I’ve written about in my paper.

Another thing I heard about this week was the Trackstick II Personal Tracker (click HERE). It looks like a USB Drive that has GPS tracking on board, and track and store its own location and movement information. However, I’m not sure if this one can store user files or data, and it doesn’t look like it can “phone home”. But it’s only a matter of time…

If a “phone home” program was added to it in case of loss, I’d see this as having some liability issues, if the finder’s computer were damaged during the program’s unauthorized execution.

It looks like we’ll be seeing a lot more devices integrating different technologies. All the more reason to be very careful what you stick into your computer. If you thought Double-click’ and web bugs had privacy issues, just wait until your new camera registers itself and sends your picture and PC configuration to their server.for more “personalized” support services.

Or what about something like Napster for cameras? Camster anyone? Will you be able (or knowlegeable enough) to prevent your camera from “sharing” your photos and files with other devices nearby. After all, sharing sounds good, right? A lot of manufacturers have not figured out that allowing open access and sharing by default in new devices usually creates serious and fast-spreading privacy and security issues.

While it has been a while since I updated the statistics on www.honeystickproject.com, there was still lots of activity. Stream 1 is now active with 8 sticks deployed in Las Vegas, Ottawa and Toronto (for a total of 33), and half of those have been accessed.

This is becoming a fun project, finding places to drop them as we travel around the globe. Thanks to Mike Sues for sponsoring devices for Stream 1. I’m aiming for 1,000 deployed devices, so I can say there is some statistical significance in these results that people will notice. But it is already an interesting response rate.

What does this data mean? I have some ideas, but I’d like to hear your thoughts. Feel free to comment below on this post.
Scott Wright

Listening to a recent episode (#134) of the Security Now! podcast by Leo Laporte and Steve Gibson (at http://www.grc.com/securitynow.htm), Steve noted that he had left his USB Drive with his key chain when he took his car in for service. He felt safe because the drive was encrypted using TrueCrypt (a public domain encryption product).

Subsequently, (in episode #139) a listener wrote to Steve to tell him some horror stories from auto shops of how the mechanics at some places (even some big name dealerships) will routinely snoop through cars in for service to see if there are any MP3s, CDs, etc. Mostly, they just want to “harmlessly” expand their music collections, but who knows what they might find.

On top of that, one listener pointed out that TrueCrypt uses an executable on the key to do encryption and decryption of the data. If that executable were replaced maliciously, any program could be made to run when you think you are decrypting the data on the drive.

My concern is that such a program might even give what looks like a valid error message saying something like, “TrueCrypt system error - data file corrupted. Please enter your password to attempt a recovery”. If you entered a password, it could be snagged and sent back to the mothership.

This logically begs another question. Are mechanics being paid to plant malicious code on media devices left in your car? Best not to let them have access to any of your media or devices while its in the shop.

Of course, one might leave a honey stick in one’s car to test their integrity. On the other hand, perhaps car dealers wanting to keep their teams honest might be interested in planting test devices that can be tracked.

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux-pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world that was nicely documented by William Jackson at “Government Security News” in July 2007 (click HERE). A vendor called Senforce distributed a number of U3 USB drives (i.e. a specially architected type of memory stick) as a marketing give-away, which fulfilled their intended purpose with William perfectly. The intent, apparently, was to raise the awareness of how risky it is to put unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that utilized some loopholes in the Windows architecture to demonstrate how easy it was for data to be extracted from your computer in an exploit that Senforce called “Thumbsucking”. (more…)

Depending on how you look at the Honey Stick Project, it could be considered a technical project or a psychology project… or something in between.

It was actually inspired by the now-legendary social engineering penetration test that I wrote about on the Security Views website (click HERE).

The bottom line in that story was that a credit union hired a penetration tester to use whatever means he could to try to compromise their network. By scattering 20 USB memory sticks with a specially designed trojan horse autorun program around their parking lot, he was able to detect that 15 of them got inserted into company computers connected to the internet.
This project is starting out differently in that it is being done in public places (at my own cost, so far), but with passive tracking instead of a custom program that runs. The results won’t be quite as exciting, but they may be interesting. Since it is being done over a period of time, and across a larger geographic area, I won’t be sitting around in the parking lot waiting for the results.

What I think the results may tell us is that certain places have a higher chance of having people who will pick these things up and use them, and other places will have more people who return them.

I look forward to hearing anyone else’s comments and ideas.

Since this site is dedicated to researching and educating people about security and privacy risks, issues and solutions, I wanted to have a place to allow for stories, anecdotes and comments, primarily about Mobile Storage Devices such as USB Memory Drives, Digital Cameras, MP3 Players, Digital Picture Frames, PDAs, Phones,  and even Laptops. I prefer verifiable stories and case studies, but even hypothetical situations may be discussed here.

Examples I will start with include some of the case studies I’ve already posted on the Security Views website (click HERE).

Please remember that you should not disclose private or confidential information that is not already in the public domain.