Penetrating an organization’s shell security and accessing its internal data, quite possibly permanently and with the capability to taint or poison it, is ridiculously easy. If managers knew how easy it was, they would take immediate actions, the first of which would probably be to throw out Microsoft Windows in favor of secure free-software alternatives.

These methods have gotten the military’s attention in the past few months. I was at a hearing with the Swedish Defence Research Agency last month which demonstrated this attack, and then at a NATO hearing last week which brought up the same again. No secrets or unknown security vulnerabilities are needed to execute this attack.

The method of attack is to get a staff member of the target organization to insert a USB memory stick into their work computer. This is easier than most people realize. While most staffers will flat out refuse to do so when asked, there are other methods. People are good-natured by heart and want to help their colleagues. The key is to make the staffers believe that they have found one of their co-worker’s forgotten USB sticks.

When the US Department of Defense tried this against part of the Pentagon, as a penetration test, they left USB sticks casually out in the parking lot, to see if people would pick them up and insert them into their computers to perhaps find out who had dropped it, pretty much like a good-natured person would examine a lost wallet to see who it belonged to. The penetration rate of dropped sticks was 75% — three of four sticks were inserted into target computers — and this was at a military target, albeit as an internal penetration test. I have not seen reports on the web about this, but it was reported in the hearings.

That means that even in a hardened military facility, it is theoretically enough to drop two USB sticks in the parking lot to achieve penetration. Let’s not start discussing unwitting civilian agencies or corporations and what happens when you drop tens of sticks. The Pentagon has been penetrated like this in the past, with attackers gaining access to classified systems.

What happens when a USB stick is inserted?

So, let’s move on to practical details. Let’s first assume that the target is running Windows. Most are. In that case, the Windows machine will look for certain files as the USB stick is inserted into the computer, and if they are present, the target computer will execute them as programs. The program you’d put on such a stick is one that will give you immediate remote control over the target computer, invisibly to the person using the machine. There are plenty of examples of such remote-control programs.

It’s really as simple as putting a file called autorun.inf in the root of the USB stick. In this file, you put the name of the program to run when the USB stick is inserted.

In 75% of cases, the person using the Windows machine will also be a local administrator. In that case, congratulations. You are now the administrator of a machine in the target organization. The machine is permanently under your full remote control and is on the inside of every firewall; you can start looking around the network and siphon off any interesting data.
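Because the whole pre-patch mechanism hinges on one small text file, the cheapest check an administrator or incident responder can make on a found stick is to read that file and see what it would have launched. The following Python helper is an added example (not code from the original post): it parses the contents of an autorun.inf and reports the launch directives, which is enough to flag a stick that tries to execute anything at all, since a plain memory stick never needs to. The file contents below are constructed for illustration; the key names `open`, `shellexecute` and `shell\<verb>\command` are the standard autorun.inf directives that name a program to run.

```python
import configparser

# Constructed sample of an autorun.inf of the kind the post describes.
# This is an illustrative file, not one recovered from a real incident.
SAMPLE_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
action=Open folder to view files
label=Removable Disk
shell\\open\\command=setup.exe
"""

# Directives that name a program for AutoRun to start (or offer to start).
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_launch_targets(text):
    """Parse autorun.inf content and return (directive, command) pairs that
    pre-patch Windows AutoRun would have executed or offered in the AutoPlay
    dialog. Only [autorun] style sections are considered."""
    parser = configparser.ConfigParser(
        interpolation=None,   # '%' has no special meaning in autorun.inf
        strict=False,         # tolerate duplicate keys, which real files have
        delimiters=("=",),    # autorun.inf only uses '=' as separator
    )
    parser.read_string(text)
    targets = []
    for section in parser.sections():
        if not section.lower().startswith("autorun"):
            continue
        for key, value in parser.items(section):
            k = key.lower()  # configparser already lowercases, made explicit here
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append((k, value.strip()))
    return targets


def is_suspicious(text):
    """A removable drive that asks to launch anything deserves a closer look;
    label and icon entries alone are harmless metadata."""
    return len(autorun_launch_targets(text)) > 0


if __name__ == "__main__":
    for directive, command in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{directive} -> {command}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

Run this over the file read from the stick on an isolated analysis machine rather than on the workstation where it was found; the point is that the verdict is obtained by reading the file, never by letting the operating system act on it.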

What if the target is not running Windows?

New attack packages posted just a week ago make it irrelevant whether the target machine will automatically execute code, but the attack takes a little more effort to pull off. Imagine that what looks like a memory stick is actually something other than a memory stick. Imagine, say, that the computer thinks a keyboard and mouse have just been plugged in, and pre-recorded commands start being typed and executed at 200 km/h as soon as the “memory stick” is inserted, establishing a remote control beachhead in the target machine.

Again, this will give you full remote control over the target computer, and this time, any target computer. 90% of people inserting the attack stick won’t understand what happened, but will likely think that either their machine or the memory stick is broken, and ask a co-worker to see if it works on their machine, giving you control over that machine too. Only a handful of technical staff will recognize what just happened as terminal windows flash past over the course of a few seconds.
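The giveaway of this class of device, from the operating system’s point of view, is that a freshly plugged-in “memory stick” enumerates a keyboard interface, often next to a mass-storage interface on the same device, and does so long after boot while a real keyboard is already attached. The Python script below is an added example (not from the original post) of detection logic for exactly that: it reads Linux kernel log lines of the kind dmesg prints for USB hotplug events and raises an alert when a device presents both storage and a keyboard, or when an extra keyboard turns up at runtime. The log lines are constructed for the example, with a made-up vendor/product id 1234:abcd for the suspect device; the line formats follow the kernel’s usb, usb-storage and hid-generic messages.

```python
import re

# Constructed kernel log excerpt (dmesg style). The first two lines are a
# normal keyboard at boot; the last three are a runtime hotplug of a device
# with the made-up id 1234:abcd that exposes storage AND a keyboard.
SAMPLE_KERNEL_LOG = """\
[    2.101] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[    2.230] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
[ 4102.512] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 4102.640] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 4102.802] hid-generic 0003:1234:ABCD.0003: input,hidraw1: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-1/input1
"""

TIME = re.compile(r"^\[\s*(?P<t>\d+\.\d+)\]")
NEW_DEV = re.compile(
    r"usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE = re.compile(r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.[0-9A-F]{4}: "
    r".*USB HID v[\d.]+ Keyboard"
)


def analyze_kernel_log(lines, boot_grace_seconds=60.0):
    """Return a list of alert strings for suspicious USB keyboard enumerations.

    Two rules, both chosen to catch the 'memory stick that is really a keyboard'
    pattern described above:
      1. one physical device presents both mass storage and a keyboard;
      2. a keyboard is attached after the boot grace period while at least one
         keyboard is already registered.
    """
    devices = {}   # usb path -> record for the physical device
    by_id = {}     # (vid, pid) -> usb path, to tie hid-generic lines to a device
    keyboards_seen = 0
    alerts = []

    for line in lines:
        tm = TIME.match(line)
        t = float(tm.group("t")) if tm else 0.0

        m = NEW_DEV.search(line)
        if m:
            rec = {"path": m["path"], "storage": False, "keyboard": False}
            devices[m["path"]] = rec
            by_id[(m["vid"], m["pid"])] = m["path"]
            continue

        m = STORAGE.search(line)
        if m and m["path"] in devices:
            rec = devices[m["path"]]
            rec["storage"] = True
            if rec["keyboard"]:   # keyboard interface came up before storage
                alerts.append(f"{m['path']}: device presents both mass storage and a keyboard")
            continue

        m = HID_KBD.search(line)
        if m:
            keyboards_seen += 1
            key = (m["vid"].lower(), m["pid"].lower())
            path = by_id.get(key)
            rec = devices.get(path)
            if rec is None:       # keyboard we cannot tie to a device line; skip
                continue
            rec["keyboard"] = True
            if rec["storage"]:
                alerts.append(f"{path}: device {key[0]}:{key[1]} presents both mass storage and a keyboard")
            if t > boot_grace_seconds and keyboards_seen > 1:
                alerts.append(
                    f"{path}: additional keyboard attached at t={t:.0f}s "
                    f"while {keyboards_seen - 1} keyboard(s) already present"
                )
    return alerts


if __name__ == "__main__":
    for alert in analyze_kernel_log(SAMPLE_KERNEL_LOG.splitlines()):
        print("ALERT", alert)
```

Feeding `journalctl -k` or `dmesg` output through this as a scheduled check, or hooking it to a udev event, turns the few seconds of flashing terminal windows the post mentions into a logged alert; the same two rules carry over to Windows event logs, where device enumeration is recorded under the kernel PnP provider, although the line formats there differ.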

Finally, you don’t need to drop USB sticks in the parking lot like the classical example. Be creative. Send them out as marketing material for some obscure company, or place a bowl of free USB memory sticks at a trade fair at a large enough booth that everybody will assume it’s free giveaways. Some will be inserted: in the former case to see what is on them, in the latter case on the assumption that they are empty memory (“hey! free USB memory sticks!”).

So, what is the lesson here?

First, don’t run Windows. Never. Not in a remotely sensible environment, either from a business or citizens’ security standpoint. If you absolutely must run a Microsoft OS, do it in a sealed-off virtualized sandbox that can’t access the inside network. I know that it may be hard for businesses to take this point to heart, but it can be mandated across national authorities as an order from the parliament or administration to only run free-software operating systems such as GNU/Linux variants.

Second, security is hard. Really hard.

Third, educate your users in security. Even the ones just answering phones in the reception. Perhaps particularly the ones not doing technical work.

Fourth, assume you will be penetrated and prepare against data leakage and data loss. These are two different problems.

Fifth, limit access to data in bulk.

Sixth, it’s still trivial to penetrate any organization.

…

UPDATE: On February 8, 2011, Microsoft patched the AutoRun feature described above for all versions of Windows to never allow AutoRun from USB media. Thanks to Johan Svensson in the comments for pointing this out. What remains, then, is the HID attack vector — to seed the parking lot with what looks like USB memory but is, as far as the computer is concerned, a pre-programmed keyboard.