.

Putting your removable storage policies to the test, ideas and solutions please.

<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Jun 01, 2009 9:04 am

Putting your removable storage policies to the test, ideas and solutions please.

I have been thinking, we all know how policies and education are important, and we are continuously reminded in the media about data leakage on removable media.

So I was thinking of getting some removable media, and then when a user inserts the device it drops an email to say the machine it was run on.
The idea being that I leave said media in one of the office buildings, and see if people hand it in, or do what they have been instructed not to and insert the device.

The idea here is to identify where awareness needs to be improved, and bringing about a more security aware culture.

I know there are tools like hacksaw and switchblade, but I am not looking for something thats going to rip information of a machine, and start the AV flashing, just something basic and simple.

Any ideas? Also bearing in mind many organisations should now have disabled autorun,

Thanks in advance guys.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon Jun 01, 2009 7:32 pm

Re: Putting your removable storage policies to the test, ideas and solutions please.

I don't have the money to invest, but SAINT exploit has a removable media payload in their framework.  I don't think that they'd have repackaged an autorun dependent delivery for the kind of money they are asking.  Depending on your budget it might be worth it to contact them and see if they are depending on autorun.

Hope that helps.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jun 01, 2009 10:59 pm

Re: Putting your removable storage policies to the test, ideas and solutions please.

If you want something benign, why not write a small program or script that simply increments a counter on a web server and downloads an image?  You could run the web server on your laptop while you are doing the test (to make an internal server).  You would get a log of the visiting IP address, provided you are internal. 

Sounds like your clients are Windows boxes.  You can distribute WGET.exe on your thumb drive and script that.  You can also use some vbscript, like this. 

http://blog.netnerds.net/2007/01/vbscript-download-and-save-a-binary-file/

Oooh...  You could even Rickroll them, like timmedin did in his meterpreter script.
~~~~~~~~~~~~~~
Ketchup
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Jun 01, 2009 11:51 pm

Re: Putting your removable storage policies to the test, ideas and solutions please.

If you are trying to do education, you may be able to leverage 2 things.  First you can directly call iexplore to launch an educational page, along with causing an anti-virus alert to pop up.  As part of the auto-run for the drive, cause a web page to open to a pre-setup educational site on your internal network that is tracking IP's, maybe integrated windows auth, etc so you know who you have gotten.  Put something useful with action items for employees to understand the risk of this type of behavior.  Then, to drive the point home, put EICAR as the next autorun to have it copy over to the hard drive.  Most AV's with real time protection will freak out at that point and pop up a "hey you have a virus" warning.  Make sure whatever you do that you make the most of the education aspect.  Unless folks truly understand what just happened to them and tell their friends about it, you are probably not getting the most for your effort.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

jimbob

Post Tue Jun 02, 2009 2:38 am

Re: Putting your removable storage policies to the test, ideas and solutions please.

1. Send out pen drives with an executable which displays a message to contact a given phone number or email address for a cool prize.
2. Wait for the calls.
3. ????
4. Profit!

It sounds low-tech but this technique is pretty good at hooking phish if you offer something cool like an iPod. And remember if you can convince someone to call a number you can convince them to do many other things. Why not cover social engineering and removable device policy in one fell swoop?

Jimbob
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jun 02, 2009 2:43 am

Re: Putting your removable storage policies to the test, ideas and solutions please.

I am not aware of a program which can do what you need yet, but it shouldn't be too hard to code if you have some basic knowledge in programming.

Rather than just rely on (just) such a tool I would recommend to do for example every month a little presentation about social engineering and make them aware of possible scenarios how a social engineering attack could look like. In my opinion it is not enough to tell people this once as with time they will forget or become careless.

Instruct them on a regulary basis what to do and what not to do. Consider also, that there can be ways to hide or erase information that a device was plugged in or didn't get detected by your program for various reasons.

In my experience it also helps not only to tell them about SE (or other topics) but also discuss about it and let them ask questions. When people talk by themselfs about it it often will remain longer in their brains because it was something active (talking) and not only passive (listening).
Last edited by UNIX on Tue Jun 02, 2009 2:46 am, edited 1 time in total.
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Jun 02, 2009 5:09 am

Re: Putting your removable storage policies to the test, ideas and solutions please.

Thanks for all the responses guys.

Obviously education and awareness is a continual process, this was just an idea I had for verification really.
I like the idea of having it open a webpage and have the policy displayed, and some awareness of whats happened, and perhaps even a little known AV trigger.

I also like the idea of prompting someone to call a number to win a prize, vary humerous.

Cheers for the comments and feedback. That Saint offering looks a bit to pricey for something I wanted to do on the cheap.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue Jun 02, 2009 6:37 am

Re: Putting your removable storage policies to the test, ideas and solutions please.

Yeah, definitely pricey.  I must have misunderstood.  I thought you were trying to get around people having autorun disabled on their machines rather than what to do with them once you hooked them.  The coding on an autorun type solution isn't too hard.

Best of luck.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

charlottebandit

Newbie
Newbie

Posts: 49

Joined: Sat Jun 10, 2006 4:26 pm

Post Sat Jun 20, 2009 5:31 am

Re: Putting your removable storage policies to the test, ideas and solutions please.

Data leakage is a huge concern in various vertical markets such as finance, healthcare, and public companies.  To combat that while teaching users on the importance of it is found in solutions that focus on Endpoint Security. 

There are several EPS vendors out there although I'm mostly familiar with Cisco Security Agent.  Apart from focusing on 0-day protection, it allows you to enforce acceptable use policies to end users such as preventing offloading info onto USB devices, screen capture extraction, data loss prevention (from tagging), and even data extraction through email (with Ironport email security also).

And when a policy is violated, a pop-up occurs when teaches the end user that this specific function is in violation of said policy, and may even require them to input info for auditing purposes.
MS, CCSP, CCNP, CCDP, CEH, CHFI, CPTS

Return to Hardware

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software