The Honey Stick Project
A window into the secret hidden lives of lost Mobile Storage Devices!
2008-09-01T17:07:32Z Copyright 2008 WordPress

Administrator <![CDATA[Practical security help for small business managers - The Streetwise Security Zone]]> http://honeystickproject.com/blog/2008/09/01/practical-security-help-for-small-business-managers-the-streetwise-security-zone/ 2008-09-01T17:02:41Z 2008-09-01T17:02:41Z Understanding the Risks tips

It’s time to get streetwise about information security. One of the areas in which I think the security industry has been weak has been in giving small businesses affordable and practical tools for sifting through the mound of technical mumbo-jumbo created each day on the Web.

I imagine that they must feel a bit like high school teenagers walking into a baby’s clothing store… They don’t have much interest, even though - someday soon - they know they will need to know about the stuff.

The Honey Stick Project was my first attempt to raise awareness among small business managers and others who should be aware of the real risks in today’s information world. I still have some new ideas for testing the psychology of how people think about mobile storage devices they find or lose. But the small business problem is much bigger than this, in my view.

I think there are two main problems that we must address, particularly for small businesses.

  1. Small business managers don’t have the time to spend on learning the big picture - or even the basics - about information security in a way that makes sense to their operations.
  2. Even if they did have time to make the effort, they see it as far too expensive to bring a consultant in to teach them, objectively, about what security issues they need to worry about for their unique situation.

So, I have created a collaborative website called The Streetwise Security Zone (SWSZ) at http://www.streetwise-security-zone.com, where there is a growing body of free information, directly relevant to small business managers - presented in a casual and fun environment.
There is a membership element to this site, which is free to join while the community is in this introductory phase. The SWSZ has a number of categorized forums for Q&A, and all content is as non-technical as possible - with fair warnings where technical explanations are necessary.

The SWSZ is home to a growing stash of coaching tools - free to members - together with easy-to-consume multi-media materials on various important information security topics. My aim is to leverage video and audio to provide small segments that are designed to be easily digestible by busy managers and their staff.

Guest contributors, authors and links to other websites will be chosen carefully to remain in keeping with my aim of providing quick, simple shots of relevant information security information - what I call Governance by Graffiti - an idea I plan to explain in more detail at a later time.

The problem today is not that the information isn’t available, it’s that it must be put into the right context for it to be of value. This is what Chris Anderson says in his book, The Long Tail. I hope The Streetwise Security Zone will serve the long tail of the small business manager.

So, please stop by The Streetwise Security Zone, and tell others about it if you think they would benefit. And, by all means, feel free to provide comments.

]]>
Administrator <![CDATA[Does NASA need to train astronauts about Honey Sticks?]]> http://honeystickproject.com/blog/2008/08/29/does-nasa-need-to-train-astronauts-about-honey-sticks/ 2008-08-29T21:16:16Z 2008-08-29T21:16:16Z Stories about Mobile Data Risks

Thanks to Brian Honan (click HERE to view his site at BH Consulting) for noting The Honey Stick Project in this week’s SANS Newsbites newsletter (click HERE). Apparently, the virus infecting the NASA laptops brought aboard the International Space Station was a type of worm that usually spreads by way of infected mobile storage devices.

According to The Register (click HERE):

SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals passwords to various online games, according to anti-virus software provider Symantec, which first spotted the worm 12 months ago.

]]>
Administrator <![CDATA[SD Phone Home - New Potential Honey Stick Threats]]> http://honeystickproject.com/blog/2008/06/12/sd-phone-home-new-potential-honey-stick-threats/ 2008-06-12T11:13:38Z 2008-06-12T11:13:38Z Privacy Stories about Mobile Data Risks Understanding the Risks

This week I heard about two interesting devices.

The first is a story of a digital camera that was stolen (click HERE). The owner was surprised to receive an email with pictures of the thieves. Apparently, the owner had forgotten that they had a $100 special SD card with Wi-Fi built in, called Eye-Fi (click HERE), and the ability to upload files to the owner’s site. It actually sends its data via email or upload to a file repository. It’s not clear to me exactly how this works yet, but if it can do it without spending cycles on the finder’s computer it would solve a lot of the privacy and liability issues I’ve written about in my paper.

Another thing I heard about this week was the Trackstick II Personal Tracker (click HERE). It looks like a USB drive that has GPS tracking on board, and it tracks and stores its own location and movement information. However, I’m not sure if this one can store user files or data, and it doesn’t look like it can “phone home”. But it’s only a matter of time…

If a “phone home” program was added to it in case of loss, I’d see this as having some liability issues, if the finder’s computer were damaged during the program’s unauthorized execution.

It looks like we’ll be seeing a lot more devices integrating different technologies. All the more reason to be very careful what you stick into your computer. If you thought DoubleClick and web bugs had privacy issues, just wait until your new camera registers itself and sends your picture and PC configuration to their server for more “personalized” support services.

Or what about something like Napster for cameras? Camster anyone? Will you be able (or knowledgeable enough) to prevent your camera from “sharing” your photos and files with other devices nearby? After all, sharing sounds good, right? A lot of manufacturers have not figured out that allowing open access and sharing by default in new devices usually creates serious and fast-spreading privacy and security issues.

]]>
Administrator <![CDATA[Latest Honey Stick Statistics - 42% of Lost USB Drives Are Accessed]]> http://honeystickproject.com/blog/2008/06/04/latest-honey-stick-statistics-42-of-lost-usb-drives-are-accessed/ 2008-06-04T20:12:26Z 2008-06-04T20:12:26Z Stories about Mobile Data Risks Project Findings of Interest

While it has been a while since I updated the statistics on www.honeystickproject.com, there was still lots of activity. Stream 1 is now active with 8 sticks deployed in Las Vegas, Ottawa and Toronto (for a total of 33), and half of those have been accessed.

This is becoming a fun project, finding places to drop them as we travel around the globe. Thanks to Mike Sues for sponsoring devices for Stream 1. I’m aiming for 1,000 deployed devices, so I can say there is some statistical significance in these results that people will notice. But it is already an interesting response rate.

What does this data mean? I have some ideas, but I’d like to hear your thoughts. Feel free to comment below on this post.
Scott Wright

]]>
Administrator <![CDATA[Is your mechanic making a second living from your media and devices?]]> http://honeystickproject.com/blog/2008/05/26/is-your-mechanic-making-a-second-living-from-your-media-and-devices/ 2008-05-26T15:04:40Z 2008-05-26T15:04:40Z Privacy Stories about Mobile Data Risks Understanding the Risks

Listening to a recent episode (#134) of the Security Now! podcast by Leo Laporte and Steve Gibson (at http://www.grc.com/securitynow.htm), Steve noted that he had left his USB drive with his key chain when he took his car in for service. He felt safe because the drive was encrypted using TrueCrypt (a public domain encryption product).

Subsequently, (in episode #139) a listener wrote to Steve to tell him some horror stories from auto shops of how the mechanics at some places (even some big name dealerships) will routinely snoop through cars in for service to see if there are any MP3s, CDs, etc. Mostly, they just want to “harmlessly” expand their music collections, but who knows what they might find.

On top of that, one listener pointed out that TrueCrypt uses an executable on the key to do encryption and decryption of the data. If that executable were replaced maliciously, any program could be made to run when you think you are decrypting the data on the drive.

My concern is that such a program might even give what looks like a valid error message saying something like, “TrueCrypt system error - data file corrupted. Please enter your password to attempt a recovery”. If you entered a password, it could be snagged and sent back to the mothership.

This raises another question. Are mechanics being paid to plant malicious code on media devices left in your car? Best not to let them have access to any of your media or devices while it’s in the shop.

Of course, one might leave a honey stick in one’s car to test their integrity. On the other hand, perhaps car dealers wanting to keep their teams honest might be interested in planting test devices that can be tracked.

]]>
Administrator <![CDATA[Funny, I’ve never received a password protected PDF from payroll before…]]> http://honeystickproject.com/blog/2008/05/07/funny-ive-never-received-a-password-protected-pdf-from-payroll-before/ 2008-05-07T15:54:42Z 2008-05-07T15:54:42Z Privacy Understanding the Risks tips

Here’s a simple tip that can save you a lot of trouble.

DON’T ENTER PASSWORDS WHERE YOU AREN’T EXPECTING THEM!!!

I recently came across a suspicious email in my spam folder. It appeared to be from a payroll service I’ve actually dealt with.  There was almost no way to tell for sure if it was from them.

The subject line included a recent date and the word “Paystub”. There was a PDF attachment and even with image loading turned off, there was a label that said “This PDF is password protected”. It had a single field with the word “Password” beside it.

I have yet to determine if this email was authentic or a real phishing attack, aimed at gathering passwords. But if this is a phishing attack, here’s what could happen if I entered a password:

  1. The password gets collected, and an error message is produced saying “Invalid password, please try again”. Knowing that we should all be using different passwords for each site or program “to be secure”, I may simply think I should have used one of my other dozen passwords (don’t we all use that many password variations?!)
  2. Hitting “Enter” or clicking on a button causes the password to be sent back to a mothership, including enough information for them to identify my email address as being valid.
  3. Not only do they now know that this email address is valid, but they have at least one version of my password. If I tried several different ones, they could have them all.

This is dangerous because people think they “NEED TO SEE WHAT’S INSIDE” the encrypted email. It’s like arriving at your office with a wrapped package that has lots of heavy tape sealing it up. The more tape there is protecting it, the more you want to open it to see what it is that could be so sensitive.

To make things worse, there aren’t a lot of easy ways to automatically check for the authenticity of such a package. It can have a digital signature on it, which you could verify. But there are a lot of usability issues yet to be solved in verifying digital signatures in the wild. Enterprises that use Public Key Infrastructure regularly would have an easier time letting people ensure the authenticity of emails and attachments. But most people won’t have that luxury.

So, if you aren’t expecting to be asked for a password (even on a website - which can effectively trick you the same way) you should call up somebody in the originating organization to verify that it is valid, and that it is important. I would also notify them that they should not present password protected information without an easy way to securely verify that it is real.
I am actually surprised that I haven’t seen more evidence of this type of phishing, but I’m sure we will in the future.

]]>
Administrator <![CDATA[Do bored hotel staff get curious about devices in their lost and found?]]> http://honeystickproject.com/blog/2008/04/12/do-bored-hotel-staff-get-curious-about-devices-in-their-lost-and-found/ 2008-04-12T12:09:21Z 2008-04-12T12:09:21Z Project Findings of Interest

Dear Honey Stick Diary -

It looks like my decision to let sleeping Honey Sticks lie was the right thing to do. I had initially discovered that if I returned to places where sticks had been dropped, people would sometimes have turned them in. This was interesting to know. However, I found it hard to consistently follow up on this practice, as the locations were not always convenient.

So, I knew that sometimes sticks would get found and be turned in to authorities, where they would sit in a Lost and Found for some period of time. But this raised a question whose answer would be just as interesting.

This week, a Honey Stick that I had left at a pay phone in a hotel lobby back in February got activated. While I don’t collect IP addresses permanently, I do run an IP address to Domain Name conversion to find out if the user was on a public ISP or a private domain.

In the case of this stick, the domain came back clearly as the hotel’s subdomain within an ISP. (I discard the actual domain name for privacy reasons, once I determine whether or not it was a private domain belonging to the site where the stick was dropped.) So, clearly, the stick had been either turned in to, or found by, a hotel staff member. They either put it into a Lost and Found or sat on it for a month.
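The IP-to-domain check described above, written out as an added example (this is not the project's own code): it resolves the visiting address, decides only whether the resulting hostname falls inside the domain of the site where the stick was dropped, and keeps nothing but that verdict, so neither the IP address nor the hostname ends up in the stored record. The reverse-DNS table, hostnames, stick id and timestamp are constructed so the example runs offline; a live version would call socket.gethostbyaddr instead of the lookup table.

```python
# Added example (not the Honey Stick Project's own code): classify a stick's
# "phone home" hit by network origin, retaining only the classification.
import ipaddress

# Constructed reverse-DNS table standing in for a live resolver. The hostnames
# are made up; a real deployment would use socket.gethostbyaddr(ip)[0].
SAMPLE_REVERSE_DNS = {
    "192.0.2.10": "gw.example-hotel.example-isp.net",    # hotel's subdomain at its ISP
    "198.51.100.7": "dsl-198-51-100-7.example-isp.net",  # ordinary residential line
    "203.0.113.5": None,                                 # no PTR record at all
}

# Ranges that can never identify a visiting network (RFC 1918 and loopback).
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def reverse_lookup(ip, table=SAMPLE_REVERSE_DNS):
    """Stand-in resolver: return the PTR hostname for ip, or None if there is none."""
    return table.get(ip)


def classify_access(ip, drop_site_domain, resolver=reverse_lookup):
    """Return 'site', 'public' or 'unknown' for the network the stick was opened from.

    'site'    - hostname lies inside the domain of the place the stick was dropped
    'public'  - it resolves, but to some other name (e.g. a residential ISP line)
    'unknown' - no usable reverse record, or a non-routable source address
    The hostname is a local variable here; it is never returned or stored.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if any(addr in net for net in NON_ROUTABLE):
        return "unknown"
    host = resolver(ip)
    if not host:
        return "unknown"
    host = host.rstrip(".").lower()
    site = drop_site_domain.strip(".").lower()
    # Match on a label boundary so "notexample-hotel.example-isp.net"
    # is not mistaken for "example-hotel.example-isp.net".
    if host == site or host.endswith("." + site):
        return "site"
    return "public"


def record_access(stick_id, ip, drop_site_domain, when, resolver=reverse_lookup):
    """Build the only record kept for a hit: stick id, time and classification."""
    return {
        "stick": stick_id,
        "when": when,
        "network": classify_access(ip, drop_site_domain, resolver),
    }


if __name__ == "__main__":
    # Constructed hit: stick 17, dropped in the lobby of a hotel whose ISP-assigned
    # domain is example-hotel.example-isp.net, opened early one morning.
    print(record_access(17, "192.0.2.10", "example-hotel.example-isp.net",
                        "2008-04-10T05:02:00Z"))
```

The label-boundary test is the part worth keeping: a plain suffix match would let a hostname under an unrelated domain that merely ends in the same characters be counted as the drop site, which would skew exactly the statistic the post is interested in.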

At about 5am, more than a month after finding it, the stick was inserted into a hotel computer connected to the internet, and the user opened almost every file on the stick. As soon as they hit the file that informed them of the project, they stopped opening files and links. They could have tried to indicate whether they were going to keep it, return it, discard it, or continue the experiment. However, all contact ceased at that point.

So, maybe I’m learning about some “statute of limitations” on hotel lost and founds, or maybe curious and impatient staff members just can’t leave these things alone.

I’ve put a few sticks in various hotels, and I think these are good locations for having them picked up by bored, transitory business people.

If you have any comments or questions about the Honey Stick Project, want to contribute, or want to set up a private test for your organization, please let me know by adding a comment, or sending an email to inquiries@honeystickproject.com

]]>
Administrator <![CDATA[Beware security vendors (or anyone) bearing gifts with a USB plug]]> http://honeystickproject.com/blog/2008/03/20/beware-security-vendors-or-anyone-bearing-gifts-with-a-usb-plug/ 2008-03-20T14:43:47Z 2008-03-20T14:43:47Z Stories about Mobile Data Risks tips

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux-pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually a well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world that was nicely documented by William Jackson at “Government Security News” in July 2007 (click HERE). A vendor called Senforce distributed a number of U3 USB drives (i.e. a specially architected type of memory stick) as a marketing give-away, which fulfilled their intended purpose with William perfectly. The intent, apparently, was to raise the awareness of how risky it is to put unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that utilized some loopholes in the Windows architecture to demonstrate how easy it was for data to be extracted from your computer in an exploit that Senforce called “Thumbsucking”.

The USB drive, when plugged into William’s computer, sucked a number of contents from his “My Documents” folder onto the device without any warning dialogs or indications of what was happening. This fits my broad definition (in the more “active” sense) of a Honey Stick, as defined in my privacy paper (click HERE).

The demonstration worked perfectly, but I suspect it also had a double-edged sword effect. Despite the note that the recipient could “delete the contents” and re-use the device for their own purposes, Senforce apparently also clearly entertained and spelled out the possibility of using the device to pull jokes on friends or demonstrate the risks to others. This has to be a violation of some gift-giving rule in the business world. My guess is that many recipients would have become uncomfortable at the thought of a vendor not only facilitating this activity, but practically suggesting that people use it. I don’t know if Senforce got any negative feedback on this one, but I wouldn’t be surprised.
It’s one thing for a security professional to do such a demonstration, or to run a commissioned test with potentially dangerous software in a controlled environment. It’s another thing to release the device into the wild, with unknown consequences.

In comparison, the Honey Stick Project uses only passive HTML links, the same as any simple link found on every Web site. In addition, I publish a privacy policy that covers how any Personally Identifiable Information, if collected, is handled. So, there is no danger that a Honey Stick can be used in a way that causes any damage to anyone.
The relevant point here is that I think there is a fine line between a company giving away something cool and valuable to members of the public as an aide-memoire for their brand, and that same company giving away a device with an embedded booby trap that has the potential to cause a plethora of unwanted, and likely embarrassing outcomes.

Perhaps Senforce didn’t think of the potential consequences or the psychological impact on the recipients. Or, maybe they knew the risks and were just pushing the envelope.
Whatever their intent was, my belief is that you should NEVER plug an unknown device into your home or work computer. And don’t count on any help from your Anti-Virus or end-point security solutions for a while, although they will surely have a solution to this risk in the future by intercepting anything that tries to run automatically from a USB drive.
In the meantime, just tell the gift-giver “It’s my policy not to accept any gifts with USB plugs on them…”

]]>
Administrator <![CDATA[Data never dies, and we’ve already told the aliens where we are…]]> http://honeystickproject.com/blog/2008/03/04/data-never-dies-so-the-aliens-know-where-we-are/ 2008-03-05T04:35:00Z 2008-03-05T04:35:00Z Privacy Understanding the Risks

Nobody really knows what the long term effects of data loss are. The main differences between losing data and losing solid assets are:

  1. Data can be copied, or even broadcasted, instantaneously to many locations around the world. Once the bytes are out of the bag, you’ll never be able to round up all the copies. Just ask any celebrity who has had lies and slander written about them in the tabloids. You might get a retraction printed by the original source, but it’s too late.
  2. Public data often gets indexed for free. If it’s on a server connected to the Internet, there’s a good chance it will get indexed by Google or any one of the dozens of search engine crawlers. This means that it can be found by anyone, with the right search query.

You can start to get the feel for how common data breaches are becoming by scanning through the history at the Data Breach Blog of SC Magazine (click HERE), the Breach Blog (click HERE), or simply doing a search on things like “data breach”, “breach disclosure”, or similar terms in places like Google News.

You might then notice that a large percentage of the breaches being reported these days are due to mobile copies of operational data that should not have left an Operations Zone unprotected. Whether it is via e-mail, laptop hard drive or USB memory drives, the result is usually the same:

  1. The organization does its civic duty by reporting the breach and being publicly humiliated (although not as humiliated as its clients)
  2. The organization announces that there is “No evidence of the personally identifiable information (PII) being misused for fraudulent purposes”… something they can only say until there IS evidence
  3. The organization announces that it is providing a year’s worth of “Identity Theft Insurance” to the affected victims as a consolation prize… that’s just great, assuming the data has only monetary value, as opposed to embarrassment value, competitive value, trust value, etc….

Sorry, but it’s too late at this point, and you will never know for sure if the data has been contained to the point that nobody can use it further. It’s like telling SETI to recall all the messages we’ve been sending into outer space to announce our existence and location on planet earth (the ultimate PII). If there are bad aliens out there, they are going to find out about us now for sure.

Well, let’s get back to worrying about things we CAN do something about. We need to get organizations that handle our personal data to take this data persistence problem seriously. That means making sure they have policies for how they are going to PREVENT data loss before it happens. It means imposing tough love on all the sales, marketing and finance people (everybody, really) who feel they are immune to operational procedures for protecting data because their project is “special”. Sadly, this even includes the IT Department, who probably feels most entitled to be exempt from the rules, but need to set the example more than anyone.
The penalties should actually be so great that employees and contractors should not want to be in the position of having to carry any kind of PII out of their secure office building without it being encrypted.

So, the next time you’re copying data from an office computer onto your USB memory stick, think about what will happen to it if anyone else gets their hands on it. In fact, think about the data that’s on your USB memory stick RIGHT NOW. Do you know where it is? Do you know what you and your organization, not to mention your customers, will have to go through if it gets into the wrong hands, or even gets out of your possession for a moment?

You might be able to tell the jury to disregard the evidence, but they probably won’t.

]]>
Administrator <![CDATA[Leaving a calling card on your memory stick can enable recovery]]> http://honeystickproject.com/blog/2008/02/28/leave-a-calling-card/ 2008-02-29T02:05:10Z 2008-02-29T02:05:10Z tips

One thing I’m observing from the early results of the HSP (Honey Stick Project) is that a significant number of people are trying to find out how to locate the owner of the device they have found.

In Stream 0, there are no outside markings with contact information. In the first two cases of people making contact, they took enough care in opening the files that they didn’t trigger a request to the website, and were not tracked. They did find a plain text file entitled “owner_contact_info.txt”, which contained a phone number, email address and physical address, as well as the HSP website address.

Both finders called the phone number to indicate that they had found the device, and were presumably willing to return it. So, it may facilitate recovery to some extent if you have such a file on your mobile device with enough information to enable somebody to contact you if they find it. Of course, depending on the type of information on the device and on your sensitivity to being identified, you may not want to divulge any personal information, as you don’t know if the potential finder will have good or bad intentions.

]]>