CallCentreVoice Topic 'Spooks style' tool to steal data released by "the software Jedi"

Created by: Ann-Marie Stagg on 13/10/2006 12:33:57.
Statistics: Topic has 9 posts; viewed 1269 times.
Forum: Products and Services   [This topic is read only]

Ann-Marie Stagg
chair
CCMA (UK)

154 posts
0 friends welcomed

'Spooks style' tool to steal data released by "the software Jedi"  [13/10/2006 12:33:57]



Hi, I received this "ecircular" today - does anyone have views on whether such "precautionary software" has any value?

A powerful set of tools to make data theft - including identity theft - easier than ever before, based on handheld removable drives typically the size of a keyfob (also known as memory sticks, pendrives etc) has been made freely available to everyone on an American website.

The tools - called USB Switchblade and USB Hacksaw - can be downloaded to an inexpensive pendrive, which are readily available on the highstreet for a few pounds, creating a potent weapon capable of acquiring large amounts of sensitive information from any unprotected PC.

Such tools often depicted graphically in such programmes as 'Spooks' and '24' are now a reality and available to anyone who can download them.

They have already been shown to be used in call centres for example to abstract large amounts of customer data including such items as credit card and other identity data. They can equally be used on any user's home PC to capture personal information about surfing habits, passwords, electronic banking and email records, creating a major threat to privacy.

Removable drives come in many shapes and sizes - up to 4Gb, enough for a huge quantity of personal data and email etc - and tiny in size - often now available invisibly integrated into a mobile phone, a pen or even a wrist watch.

Because the young hackers behind this (who call themselves 'the software Jedi') have released not just the information but the tools themselves as well as full instructions, anyone with just a moderate degree of IT skill can create and use such a tool.

They have also released the programming 'source code' which means that anyone with the programming skills can adapt and build on the toolkit to create yet more illicit tools.

The tools released are featured in a programme / download on the 'YouTube' network just acquired by Google and include:

USB SwitchBlade

A tool for secretly removing (copying) files, password information etc from a PC automatically by just inserting a USB drive. This employs a technique called 'MaxDamage' to silently run the hacking software and copy the information when the drive is plugged in - with no action needed from the user. (More detail: see WARP News below).



USB HackSaw

This goes two steps further: It infects the target machine with a silent agent which can also recognise when other removable drives are plugged in and harvest their content. It then uses Google's Gmail to secretly e-mail the stolen data, in convenient packets, back to the perpetrator. This will reportedly run from a guest account as well as an administrator.


XXX XXXXXX, who is a leading security expert in the area of removable devices, raised the alert (attached below) via the government sponsored Warning, Advice and Reporting Point (WARP) network - www.warp.gov.uk.

He commented "We have been aware for some years that these devices would become a major security threat and so important though this development is it is no surprise............ prior to the 'DTI Information Security Breaches Survey 2006' (www.security-survey.gov.uk) - which also highlighted the continuing rise in high tech crime in general and data-theft in particular - and its potential impact for businesses small and large. This also identified removable devices as a key 'emerging threat'"

PodSnaffler is a tiny program that works on virtually any MP3 player, iPod or pendrive - even some mobile phones. You click on it, it starts and immediately seeks out interesting documents and other information on the computer it's plugged into. It's very fast and is capable of finding - and removing - thousands of documents and millions of bytes of information, in a matter of seconds.

It doesn't take too much imagination to realise how devastating this could be with the rise of identity theft and when 97% of companies now depend on their confidential data, patient records are increasingly electronic, as well as pupil and student records and databases.

For this reason the released version of PodSnaffler is de-fanged - it identifies documents and data which easily could have been stolen within a very short time - but does not in fact copy them.

It was created to highlight how vulnerable we have become to data theft and to help security professionals and others make the case for putting the appropriate security in place.


John Clark
Architect and Guru
CallCentreVoice

1369 posts
0 friends welcomed

All the more reason...  [13/10/2006 13:10:53]

...to look to more secure technology choices. Frankly, I find it bewildering that so many people store personal information on systems renowned for their insecurity - i.e. MS Windows-based - and personally recommend all who come for a recommendation to look to alternatives, usually Apple OSX-based.

I made the switch two years back and haven't looked back. The Apple system tends to be largely immune (partly by being a minor player in the overall market share, but mainly by superior, secure design).

Of course, nothing will protect a user against the effects of clever social engineering (e.g. phishing) but the fact that these tools are even possible on a modern OS makes me really question whether anyone should be going anywhere near Windows.

Maybe Vista will be better. I'm not getting my hopes up...


Justin Dechaine
Señor Telcomm Technologist
Some Company =D

531 posts
0 friends welcomed

right....  [13/10/2006 15:26:20]

Alright, so I read that but didn't really see anything startling.

"which are readily available on the highstreet for a few pounds"

Or from any electronic store...this whole article seems to be trying to make itself sound scary.

A program that seeks out personal information is not new, nor are USB drives or ways of transferring. Hell...using a "keyfob" is actually kind of retro, going back to the days of a sneakernet.

Hell, I remember 10 years ago using keylogging devices like this to gain passwords.


Ann-Marie Stagg
chair
CCMA (UK)

154 posts
0 friends welcomed

Spooks  [13/10/2006 15:31:05]

Thanks guys....has anyone heard of the WARP website before?


Julian Dixon
MI Capability Manager
Vertex DataScience Ltd

303 posts
0 friends welcomed

USB  [16/10/2006 12:38:23]

This is a known problem even without the extra software on the memory stick.

The answer for businesses is to restrict access to users so that the USB stick won't work. For genuine/trusted users the access levels can be raised so that memory sticks can be used.

In the call centre there should be no reason why an agent should need to plug anything other than a mouse into a USB port. This also works for restricting downloads from the internet and using certain types of software.

Putting in Firewalls and Virus protection is only part of a secure network and only stops those outside getting in; many fraudsters place people on the inside because that's where the security normally falls down. If a business leaves its IT open to abuse it only has itself to blame for any viruses, data loss and fraud that may occur.


Darryl Beckford
Contact Centre Consultant
DarrylBeckford Limited

983 posts
3 friends welcomed

USB  [16/10/2006 13:07:42]

I echo everything that Julian says, and I'm not even going to pay attention to John's Mac-lovers-bait!

An intentional attack such as that described is actually unlikely, but an unintentional attack is a huge risk for any business. A good example is some free gifts that McDonald's recently sent out which had dodgy software loaded onto them by mistake:

http://www.theregister.co.uk/2006/10/16/mcd_spyware_mp3_recall/


Justin Dechaine
Señor Telcomm Technologist
Some Company =D

531 posts
0 friends welcomed

Not a technology problem  [16/10/2006 19:23:27]

I really have to stress that I don't think technology is the solution to this. I mean...if a person really wants...they will be able to find a way to get files onto a computer, or files off of a computer. Whether it be through a USB key, FTP, network, e-mail, floppy, LAN, whatever.


Darryl Beckford
Contact Centre Consultant
DarrylBeckford Limited

983 posts
3 friends welcomed

Tech Problem...  [16/10/2006 19:58:19]

Completely disagree with you there Justin.

I accept that technology is not the whole solution - you always need to look at other security measures (physical security, mostly) as well as the reasons that people are trying to do this kind of thing anyway (do they have access to too much data, are you treating staff badly).

Just because people will "always find a way" it doesn't mean you should not try to protect yourself. Fundamentally, there is always someone else they can target, so any measure you put in place makes you less likely to be attacked.


Julian Dixon
MI Capability Manager
Vertex DataScience Ltd

303 posts
0 friends welcomed

Spooks  [17/10/2006 12:06:32]

It is definitely a technology solution, not through development of new tools but through effective security management of what you have.

Simple steps:
1. Lock down the PC administration to only those with legitimate reasons to install software
2. Lock down/disable USB ports
3. Standard build PCs with access to C:\ drive restricted (this also saves IT costs on support as the PC is built from a standard image that can be used over and over)
4. Restrict access to network drives to legitimate users
5. Restrict use of mobile phones; personal mobiles should not be 'on' whilst the agent is working or at their workstation

The non-technology solution of staff selection is also important so you spot potential fraudsters through ID checks where appropriate. But it won't stop the fraudsters getting in; they can be sophisticated and select carefully whom to plant, so you will never solve the issue of managing fraud through non-technology processes alone.
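
Added example, not part of any contributor's post: a read-only PowerShell audit of a Windows PC against steps 1 and 2 in the list above, plus the run-on-insertion behaviour the e-circular describes. The registry locations are standard Windows ones; the helper name `Get-RegValue` and the pass criteria are assumptions of this example.

```powershell
# Added example: audits settings only, changes nothing. Run from an elevated prompt.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Step 2: is USB mass storage blocked?
#   USBSTOR Start = 4 means the mass-storage driver is disabled (3 = load on demand).
#   Deny_All = 1 is the Group Policy "All Removable Storage classes: Deny all access".
$usbStor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'

# Run-on-insertion: NoDriveTypeAutoRun = 255 (0xFF) turns AutoRun off for every drive type.
$autoRun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'

$checks = @(
    [pscustomobject]@{
        Check = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
        Value = $usbStor
        Pass  = ($usbStor -eq 4)
    }
    [pscustomobject]@{
        Check = 'Policy denies all removable storage (Deny_All = 1)'
        Value = $denyAll
        Pass  = ($denyAll -eq 1)
    }
    [pscustomobject]@{
        Check = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 255)'
        Value = $autoRun
        Pass  = ($autoRun -eq 255)
    }
)

# Step 1: list who holds local administrator rights, for manual review.
# S-1-5-32-544 is the built-in Administrators group on any language edition.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name

$checks | Format-Table -AutoSize -Wrap
'Local administrators to review: ' + ($admins -join ', ')

# Either storage control is enough for step 2; AutoRun is assessed on its own.
$storageBlocked = ($usbStor -eq 4) -or ($denyAll -eq 1)
if (-not $storageBlocked)   { Write-Warning 'Removable USB storage is usable on this PC.' }
if ($autoRun -ne 255)       { Write-Warning 'AutoRun is not disabled for all drive types.' }
```

Disabling USBSTOR affects only devices that present as USB mass storage, so keyboards and mice keep working.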
