
Sharp Ideas

Open Source, Future Technology, and the Web


Social engineering and USB trojans

June 10th, 2006 · No Comments · USB, information security


I recently read a humorous (but simultaneously sobering) article on Dark Reading about a group of security engineers conducting an IT security audit at a credit union. They scattered 20 trojanized USB thumbdrives around the work area of the credit union. Within a day or so, 15 of the USB drives had been plugged in by credit union employees. Those 15 USB drives installed covert trojans that then leaked company data out of the corporate network to the security firm.
Read the full story here:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1


Attack of the iPods

May 22nd, 2006 · No Comments · USB, information security


Dr. Simson Garfinkel wrote an interesting piece for CSO Online, detailing a threat that I have been trying to educate the public about for two years. In his article, Attack of the iPods, Mr. Garfinkel explains the security risks that stem from the direct memory access (DMA) that USB and FireWire devices have, making mention of the famous article 0wned by iPod.
Mr. Garfinkel also briefly mentions autorun vulnerabilities that may or may not exist due to the new U3 specification, which allows USB drives to run applications via a virtual CD-ROM (just like a standard Windows CD-ROM autorun application). Interesting.


New Common Vulnerability Scoring System (CVSS) holds promise for security community

February 18th, 2006 · No Comments · information security


NIAC* and the Forum of Incident Response and Security Teams (FIRST) recently released information on the Common Vulnerability Scoring System (CVSS). CVSS “is a vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone.” CVSS consists of three categories of measurement: base metrics, which describe qualities intrinsic to any vulnerability; temporal metrics, which measure the characteristics of a vulnerability over its lifetime; and environmental metrics, which describe characteristics of a vulnerability that are tied to a specific implementation in a specific user’s environment.

CVSS metrics

Personally I think the CVSS is a bold step forward (beyond all of the FUD and hype that surrounds security information).

If you want more detail, feel free to check out the final report describing the CVSS.
*The National Infrastructure Advisory Council (NIAC) is an element of the Department of Homeland Security that advises the President on issues related to the security of information systems for public and private institutions.


Sharp Ideas’ Slurp Audit Exposes Threat Of Portable Storage Devices For Corporate Data Theft

January 24th, 2006 · 4 Comments · USB, information security, press releases


Contact:
Abe Usher
Sharp Ideas, LLC
703-830-9505
info@sharp-ideas.net

New proof-of-concept application demonstrates how quickly and easily an insider can utilize USB-enabled devices to steal data

Arlington, VA - January 25, 2006 - Sharp Ideas, LLC, an information technology consultancy that specializes in testing and creating cost-effective IT security solutions, today announced the release of Slurp Audit, a second generation proof-of-concept application designed to demonstrate how easy it is to steal corporate data with portable storage devices (such as iPods, PDAs and USB sticks). The application was designed to raise awareness within the corporate community about the risks associated with unmanaged portable storage devices in the workplace.

“Many of today’s businesses haven’t grasped the severity of risks associated with unmanaged portable storage devices on a corporate network,” said Abe Usher, Founder of Sharp Ideas, LLC. “Slurp Audit was created to show how easy it is to steal large amounts of data from corporate PCs using mobile devices like iPods, and it reinforces the fact that organizations desiring comprehensive security must have strategies in place that address the endpoint.”

What is Slurp and how does it work?
Slurp.exe was originally created in June 2005 as a proof-of-concept application for automatically downloading data from a networked PC to an iPod. Upon its release, the issue quickly became known as ‘PodSlurping,’ which raised corporate awareness around data theft (and has since moved beyond iPods to encompass all portable storage devices). By simply connecting a device running Slurp to a PC via USB, FireWire or Bluetooth, the ‘PodSlurping’ application enables the device to quickly copy (in less than two minutes) all business documents (.doc, .xls, .ppt, .htm, .xml, .txt, etc.). The latest version of Slurp, Slurp Audit, does not allow users to actually download files, but instead generates an HTML report showing users what files would have been stolen via a USB device had the download occurred.

These applications are not designed for use by hackers and should be considered similar to network vulnerability tools for assessing the state of endpoint security within an organization. To reinforce Slurp’s viability as an assessment tool, Slurp.exe was purposely limited in the number of files it could copy and time it could run to deter its use by hackers.
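An audit-mode walker in the spirit of Slurp Audit, added here as an example and not Sharp Ideas' own code: it lists and sizes the document types the release names without copying anything, stops at a file-count and runtime cap like the limits described above, and renders the HTML report. The sample directory tree, the cap values and the report layout are assumptions.

```python
"""Slurp Audit-style exposure report (added example, not Sharp Ideas' own code).
Nothing is copied: the walk only records which business documents a plugged-in
device could have collected, stops at a file-count/time budget (both limits are
mentioned in the release) and renders an HTML summary. Limits are assumptions."""
import html
import os
import tempfile
import time

# Document extensions named in the press release.
BUSINESS_EXTENSIONS = {".doc", ".xls", ".ppt", ".htm", ".xml", ".txt"}

def audit_exposure(root, max_files=1000, max_seconds=120.0):
    """Return (records, truncated): records are (path, size) for each business
    document under root; truncated is True when a limit stopped the walk."""
    deadline = time.monotonic() + max_seconds
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in BUSINESS_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable: a device could not have copied it either
            records.append((path, size))
            if len(records) >= max_files or time.monotonic() > deadline:
                return records, True
    return records, False

def render_report(records, truncated):
    """HTML report listing the files that would have been at risk."""
    total = sum(size for _p, size in records)
    rows = "".join(f"<tr><td>{html.escape(p)}</td><td>{s}</td></tr>" for p, s in records)
    note = "<p><b>Audit stopped early: limit reached.</b></p>" if truncated else ""
    return (f"<h1>Slurp Audit-style report</h1><p>{len(records)} document(s), "
            f"{total} bytes, would have been copied.</p>{note}"
            f"<table><tr><th>Path</th><th>Bytes</th></tr>{rows}</table>")

def build_sample_tree():
    """Constructed sample tree: three office documents and one photo."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "projects"))
    for rel, size in [("budget.xls", 10), ("notes.txt", 5),
                      ("photo.jpg", 100), ("projects/plan.ppt", 3)]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x" * size)
    return root
```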

Strategies for controlling the endpoint
The proliferation of portable storage devices in the workplace has created a security nightmare for IT managers trying to ensure the integrity of corporate data. Disgruntled employees or consultants now have the ability to quickly download customer lists or proprietary data in a matter of minutes.

As a consequence, IT managers need to establish an acceptable use policy that outlines what devices can and can’t be used in the work environment, and select an appropriate application for enforcement. Complete PC lockdown is not the answer. Organizations should strive to allow the legitimate use of approved devices by authorized staff, ensuring that business productivity is not affected, while actively guarding against the removal of data by unauthorized parties. With large security providers focusing mainly on the network perimeter, new applications have hit the market from specialized security software vendors that focus on the endpoint.

For additional information on endpoint security strategies and for product suggestions, please visit
www.sharp-ideas.net/ideas/?p=4

About Abe Usher
Abe Usher is the founder of Sharp Ideas, LLC, an information technology consultancy that specializes in testing and creating cost-effective IT security solutions. He is an accomplished security expert who has been cited by numerous publications including Wired Magazine, Network World and New Scientist Magazine. Usher is the developer of Slurp.exe, a proof-of-concept application for portable storage devices. He holds a Master’s degree in Information Systems and is a Certified Information System Security Professional (CISSP). Usher participates in the Information Systems Security Association (ISSA) and Information Assurance Technology Framework Forum. He is also a member of American Mensa.

About Sharp Ideas, LLC
Sharp Ideas is an information technology consultancy that specializes in testing and creating cost-effective IT security solutions to meet the needs of professionals in the medical services, law and real estate fields. The company was founded by Abe Usher, an information security systems expert with more than 10 years experience designing, building and managing secure systems with high availability. For more information on Sharp Ideas or Abe Usher, please visit www.sharp-ideas.net.
