Main » 2011 » March » 16
13:34
Insiders: initialising the channels of corporate information leakage
Insider activity is perhaps the most damaging phenomenon in the corporate environment, in both the literal and the figurative sense. Today the corporate perimeter has to be defended not only, and not so much, against external attackers, but against ourselves. We will look at this problem through the eyes of an insider, who practises the art of stealing confidential information while walking the edge of a blade.

Business today is an "arms race": whoever offers their services faster and better leads the market. The "arms" differ from sector to sector, but the object of the race stays the same: timely information, together with the right to use it, can secure its owner a bright future and finish off its competitors.

How "useful" information is obtained depends on its type and on the infrastructure in which it circulates, so the extraction methods are hard to classify. There are, however, two fundamentally different approaches to collecting and processing it.

Competitive intelligence: collecting and processing information by "legitimate" business means. The data come solely from analysing reports, media publications and similar sources, within the law.
Industrial espionage: the illegal acquisition and (or) use of protected information for the purposes of unfair competition.

Both are present in every sphere and at every level of business, in different forms. I will focus on the latter, because of the techniques it uses to obtain confidential information.

Among the most common practices of industrial espionage, a few examples:

blackmail of a person or group of persons with access to certain information;
bribery of the same group of persons;
theft of storage media;
insiding: actions by a person inside the organisation that cause information leakage and are therefore unlawful.

The last item hides an entire class of offences, which may be committed either intentionally (using specially placed and trained agents) or inadvertently (offences committed by employees of the target organisation through incompetence and the like).



The most dangerous, from the standpoint of protecting information, are planted insiders with special training, technical expertise and resources for collecting confidential information. Yet, according to the annual study by the Perimetrix analytical centre, both kinds of internal security violator receive roughly the same severity of punishment, which depends only on the value of the lost information: from a severe reprimand to dismissal from the company. It seldom goes to court. This is probably because many companies do not want to damage their reputation in the eyes of potential customers; but the result is that the offender does not receive a proper punishment, which creates an "illusion" of impunity for insiding as a means of competition and spreads it through the business world.

Poison USB

A person may be an insider without realising it, for example as a result of social engineering or, in plain Russian, a con. Such people are not our concern: in most cases the company's information security policy, which governs how each employee handles information, copes with them well enough. Far more dangerous are insiders who are specially trained and have a definite goal.

What is there to say about ordinary users, who run the daily risk of falling (and do fall) victim to Trojans? Where does the insider come in? In that anyone can turn such a "planted mole" into a weapon for their own purposes, and within their own environment can make it far more effective than an outsider could against the corporate one.
A policy that permits connecting USB devices can play into an attacker's hands. If many organisations do not even think about these questions, what can be said about ordinary users... Any flash drive, player or other USB device, fitted with special software, can gather the required information from the target computer in a way that raises no suspicion with the administrator. Building a platform for running such software on a USB device is what we are going to do.

Cock the hammer

The preliminary step is preparing the flash memory. First, determine its characteristics.
Any USB flash drive has a controller: a chip that acts as a gateway between the memory chip and the computer's USB port. The ChipGenius utility (see the link in the list of web resources at the end of the article) lets you determine the controller type without breaking open the stick's case.

Select our stick from the list of USB controllers and look at the information in the "The details of selected device" field. We need the "Chip Vendor" field, which holds the name of the chip manufacturer, and the "Chip Part-Number" field, which shows the controller part number and therefore which firmware family applies. This information is enough to reflash the device.



In my case (Kingston DataTraveler 4GB):
Chip Vendor: phison
Chip Part-Number: UP10 ~ UP14.


Determining the memory controller manufacturer and the approximate firmware version:



Some time ago, shops sold USB flash drives supporting U3 technology. There was nothing fundamentally new in them, apart from special software that let programs stored in the drive's memory run on autorun. The main feature was a special partition (an analogue of a CD-ROM partition) that was read-only and contained portable versions of applications.

These drives have now disappeared from the shelves, because they contained a particular "bug" that allowed the autorun area to be overwritten and any software or .bat file to be launched, which in some cases could facilitate the spread of malware, put an end to confidentiality and generally lead to disastrous consequences.

The next step is modernising the trigger mechanism of our weapon: reflashing the flash drive's controller. The task:

input: an ordinary USB flash drive;
output: a USB flash drive with U3 support.

Go to the flashboot.ru site and find the right pack for our controller. Manufacturer: Phison. Experiment with the version, since each pack carries features specific to each individual device. We need to create a special CD-ROM partition on the flash drive so that it starts to support U3 or, in other words, works in Mode 21.

Run the flashing utility ParamEdt-F1-v1.0.20.2.exe from the pack, open the "F1-1" tab right away and set everything as in the screenshot:



Go to the "F1-2" tab and in the CD-ROM field choose the CD image that will be autorun. It can be any operating-system LiveCD; however, later we will use a specially prepared .iso image, whose creation is described shortly. Next, go to the "Controller" tab, where in the "IC Type" ("Controller Type") field choose "Previous vision" (in case of an older instance), and in the "Used MP Tools" field select "Last Version". Save all the settings to the boot.ini file by clicking "Save As".



Run F1_90_v196_00.exe and select the newly created boot.ini. Press "Start" and watch the testing process and the writing of the image. The process is finished when the window turns green (the drive's LED will blink at the same time).



As a result of all these manipulations we get a stick with two partitions: one of CD-ROM type and one standard.

Charges

A patch released for Kingston U3 drives comes as an unprotected RAR archive, which lets you modify its contents as you wish. The author of the article mentioned below took advantage of this by modifying the autorun file of the protected partition so that it passed execution first to a special handler and then to the LaunchU3 handler files. The result of that research was the set of files that must be present on the protected partition of the stick. For details, see the article "Trojan in the brains of Flash".

Before writing the grabber files to the protected partition using the methods described in the previous section, pack them into an .iso image; any ordinary archiver can do this. Now for the contents of the working partition, to which (or rather to whose script) control is handed over. The basis of the working partition can be found in the archive.
I simplified the system a little by removing unnecessary functionality (for example, the listener) and files not relevant to the system. Anyone can "tailor" the contents of the working partition to their own needs (not forgetting about copyright, of course); the advantage is that in this case no change requires reflashing the device.

Shoot!

There is no doubt that this system works and does what is required. Until administrators shed their naivety, data has been siphoned off and will go on being siphoned off. This concept is only a proof of that theorem.

Notably, the leakage channel in this case is a peripheral, specifically a USB storage device (and controller chips are found not only in sticks but in other, less "visible" devices too). To be realistic, large organisations and institutions that care about security generally ban the connection of external drives (USB above all). Autorun, though, is often overlooked or sacrificed. It is also often still possible to connect devices on other ports (LPT, COM) and interfaces (SATA, IDE). Where that is possible, this method has a right to exist.
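A check from the defender's side, added here as an example and not part of the article or of the System.rar sources: the stick produced above shows up under the USBSTOR enumeration key as two devices with the same serial number, one of class Disk and one of class CdRom, and whether its CD-ROM side autoruns depends on the CD-ROM bit of the NoDriveTypeAutoRun policy value. The registry export below is constructed for illustration; the serial numbers and product strings are invented.

```python
"""Spot U3-style dual-interface sticks in a USBSTOR registry export and
check whether the host's autorun policy would honour their CD-ROM side.

Added example; not the article's own code and not from System.rar.
"""
import re
from collections import defaultdict

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
# NoDriveTypeAutoRun: one bit per drive type, a SET bit disables autorun
# for that type, 0xFF disables it for every type. Only the two bits the
# article is concerned with are named here.
DRIVE_REMOVABLE = 0x04   # ordinary flash-drive partition
DRIVE_CDROM = 0x20       # the emulated CD-ROM partition of a U3 / Mode 21 stick


def autorun_allowed(no_drive_type_autorun: int, drive_type_bit: int) -> bool:
    """True if the policy value still lets Windows autorun that drive type."""
    return (no_drive_type_autorun & drive_type_bit) == 0


# Key names under Enum\USBSTOR have the form
#   <Class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# Class is "Disk" for the writable partition and "CdRom" for the read-only
# CD-ROM partition; both interfaces of one stick share the USB serial.
USBSTOR_KEY = re.compile(
    r"\\Enum\\USBSTOR\\(?P<cls>Disk|CdRom)&Ven_(?P<ven>[^&\\]+)"
    r"&Prod_(?P<prod>[^&\\]+)&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^&\\\]]+)&\d+\]",
    re.IGNORECASE,
)


def find_dual_interface_devices(registry_export: str):
    """Return sorted (vendor, serial) pairs that enumerated as BOTH Disk and CdRom.

    Correlation is on the serial only: product/revision strings may differ
    between the two interfaces of the same stick, the serial does not.
    """
    classes = defaultdict(set)
    vendor = {}
    for m in USBSTOR_KEY.finditer(registry_export):
        serial = m["serial"].upper()
        classes[serial].add(m["cls"].lower())
        vendor.setdefault(serial, m["ven"])
    return sorted((vendor[s], s) for s, c in classes.items() if {"disk", "cdrom"} <= c)


def triage(registry_export: str, no_drive_type_autorun: int) -> dict:
    """Summarise the exposure: dual-interface sticks seen, and which sides would autorun."""
    return {
        "dual_interface": find_dual_interface_devices(registry_export),
        "cdrom_autorun_allowed": autorun_allowed(no_drive_type_autorun, DRIVE_CDROM),
        "removable_autorun_allowed": autorun_allowed(no_drive_type_autorun, DRIVE_REMOVABLE),
    }


# Constructed .reg export fragment (invented serials and product strings):
# a Kingston stick that exposes both a Disk and a CdRom interface with one
# serial, and a plain SanDisk stick that exposes a Disk interface only.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E02B7C6F0001&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E02B7C6F0001&1]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\200512345678ABCD&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"""

if __name__ == "__main__":
    # 0x95 keeps removable-drive autorun off but leaves the CD-ROM bit clear,
    # which is exactly the gap a CD-ROM-partition stick walks through.
    for key, value in triage(SAMPLE_REG_EXPORT, 0x95).items():
        print(f"{key}: {value}")
```

On a live Windows host the export text comes from `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg` and the policy value from the Explorer policies key; the point of the two checks together is that a ban on "removable drives" alone does not cover a stick whose payload lives on a partition Windows classifies as a CD-ROM.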

The insider's ingenuity is not limited to the active scheme "gain access to a PC -> connect the device -> receive the information"; it extends to the classic passive schemes for penetrating the infrastructure, such as "leave the stick in the smoking area -> a curious victim initialises the attack vector".

Integrity Control

Large enterprises often use specialised hardware and software solutions to protect information against unauthorised access and to monitor integrity. On the Russian information security market one of the most common such products is probably the "Accord" hardware and software complex.

Once installed in the target computer, the controller is configured by the system administrator with specialised software, which creates a software environment for each individual user. The hardware controller's integrity monitoring completely deprives an attacker of the ability to connect peripheral devices or to boot their own operating system from removable media. However, devices of this class often lose all meaning when the attacker has physical access to the target computer in which they are installed.
For example, the aforementioned "Accord" looks like a network card and is fitted into the computer in the same way. While the controller is being configured, the metal bracket that fixes it to the PC chassis must be absent, so that the device can write to its memory area and save the settings. The administrator then fastens the metal bracket to the controller with two bolts, which closes a contact and thereby blocks any further reconfiguration of the controller.



It is enough for the insider to unscrew one bolt to regain control of the target PC, bypassing the hardware and software protection, and then, as one option, to use the "poisoned" stick without fear.

The infrastructure in which the information circulates is likewise imperfect with respect to leaks. While large organisations have started paying more attention to the technical side, the organisational and staffing side of information security contains potential flaws in almost every single company. Internal company regulations are designed primarily for "convenience" rather than for protecting information. These arguments are relative, of course, but one can still conclude that proper organisation of intra-corporate codes and regulations is often one of the key steps in ensuring information security, alongside disabling the I/O ports on critical hardware.

Distorting "critical" information is often more dangerous than stealing or losing it. First, a change in the data can roll back the company's level of development and redefine the direction of its business as a whole; second, distortion is a hard-to-track operation that can be prevented only by logging all user actions on "critical" data and archiving all documents.

Even these few facts lead to the conclusion: only a comprehensive approach to information security can prevent the theft of information by authorised users.

Useful resources:

http://flashboot.ru/index.php?name=Files&op=view_file&lid=131 - the ChipGenius utility, which helps determine the type of flash memory controller.
http://www.xakep.ru/magazine/xa/126/058/1.asp - the article "Trojan in the brains of Flash".
http://defec.ru/sites/default/files/System.rar - source code of the system under consideration (author: Vadim Dan'shin).
http://www.xakep.ru/magazine/xa/122/016/1.asp - the article "Through the eyes of an insider".
http://perimetrix.ru/ - the official site of Perimetrix.
Added by: w1zard