The Honey Stick Project
This is the first in a series of three guest posts from Scott Wright. Scott approached me with the Honey Stick Project a few weeks (or months) ago - and I look forward to participating and learning from the results. As such, I have asked him to share with us the genesis of the project and help us better understand the goals. — Michael Santarcangelo
By Scott Wright
Security Views Blog
Part 1 – The Inspiration and Purpose
For the umpteenth time, I was hearing about the touchstone penetration test that was done by Secure Network Technologies, as documented in Dark Reading’s June 2006 column “Social Engineering, the USB Way”. It was almost a year after I first heard about it, and this was still one of the most compelling stories about risks from USB devices.
It was certainly a brilliantly designed test, and the results were shocking. It illustrated how easy it was to use these devices to attack an organization without even entering its doors or scanning its network. But even though it is a well-known story by now in security circles, it was but a single data point. This was just one organization, and while many information security bloggers, including myself, had written of it, I got the feeling that most CSOs or executives could marginalize the story as being irrelevant to their world.
So, as I sat listening to a presenter relating the Dark Reading story to the amazed attendees (“15 of the 20 devices were picked up, and all 15 were plugged in to company computers…”), I asked myself, “How hard would it be to create a similar study in the public arena that could raise the awareness of these risks on an ongoing basis?” As I followed a few hunches I realized two things:
1) It would be very risky to the public (and probably to me) to implement the same kind of study with an executable program flying around on USB devices that would probe and send data from unwitting study subjects’ computers.
2) It would probably still be possible to gather some information about what people do with these devices without violating their privacy rights, or risking damage to their computers. The amount of information might be less, but some measure of the public’s propensities might still be worthwhile.
As I thought more about the issues around doing such an experiment, I thought about what might be measurable. Then there were the ethical and privacy issues, which I will discuss in Part 2. I had become intrigued with this experiment.
I decided on simply trying to measure whether or not somebody who found a device would plug it into their computer and try to open files on it. So, I thought about how you might be able to use programs already on the user’s computer, so no new software would be required. What about using the default browser?
Proof of Concept
I then demonstrated my hypothesis in a 5-minute experiment (it would have been quicker, but I had to look up the syntax for creating a barebones HTML file!). This proved that an HTML file with an “IMG SRC” tag in the body was enough to trigger an HTTP request to a website that could be logged, as long as the computer had access to the Internet at the time the file was opened. This was too simple. I felt like James Watson discovering the DNA molecule’s double helix!
Next, I decided that, while putting a single HTML file on each USB drive would be enough, it might not necessarily be enough to prompt the person who found the device to actually open the file. So, I decided to create a spectrum of file names that might pique the curiosity of a broad segment of the population. For example, topics such as banking, passwords, funny, confidential, teen pop idols, cool, etc.
But if you can identify which files people actually open, and in what order, the experiment suddenly becomes much more about psychology than technology. It also started to remind me of the old decoy technique called a “honeypot”, which is used to attract network hackers and distract them long enough for an operations center to identify and thwart an attack. So, I decided to call it the Honey Stick Project.
More questions came to mind such as, “What do people go for first?”, “Will they follow links to get what they want?”, and “Will they try to locate and contact the owner, if enough information is available?”
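To make the proof-of-concept and the “what do people go for first?” question concrete, here is an added example (not code from the Honey Stick Project or from Scott Wright). It builds the bare-bones decoy page described above, whose only active content is an IMG SRC pointing at a logging server, and then does the measurement side: it parses ordinary web-server access-log lines and reconstructs, per drive, which decoy files were opened and in what order. The beacon URL, the `stick`/`file` query parameters, the combined log format and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed beacon location on a server whose access log you control.
BEACON_URL = "http://example.test/hsp/pixel.gif"


def decoy_html(stick_id, file_name, beacon_url=BEACON_URL):
    """Build the bare-bones decoy page: a body holding a single IMG tag whose
    SRC points at the logging server. Opening it in any browser with Internet
    access produces one GET request that identifies the drive and the file.
    No script runs and nothing from the finder's computer is sent."""
    query = urlencode({"stick": stick_id, "file": file_name})
    return (
        "<html><body>\n"
        "<p>This file appears to be empty.</p>\n"
        f'<img src="{beacon_url}?{query.replace("&", "&amp;")}" '
        'width="1" height="1" alt="">\n'
        "</body></html>\n"
    )


# Constructed sample of what the server's access log (Apache/nginx "combined"
# format) might contain after three hypothetical drives were opened.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2008:09:14:02 -0400] "GET /hsp/pixel.gif?stick=A01&file=passwords.html HTTP/1.1" 200 43 "-" "Mozilla/4.0"
203.0.113.10 - - [08/Apr/2008:09:14:40 -0400] "GET /hsp/pixel.gif?stick=A01&file=banking.html HTTP/1.1" 200 43 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Apr/2008:13:02:11 -0400] "GET /hsp/pixel.gif?stick=A02&file=funny.html HTTP/1.1" 200 43 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Apr/2008:13:02:11 -0400] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0"
192.0.2.55 - - [11/Apr/2008:20:45:09 -0400] "GET /hsp/pixel.gif?stick=A03&file=passwords.html HTTP/1.1" 200 43 "-" "Mozilla/4.0"
"""

# We only need the timestamp and the request path from each log line.
_LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+"')
_BEACON_PATH = urlparse(BEACON_URL).path


def parse_beacon_hits(log_text):
    """Return (timestamp, stick_id, file_name) for every beacon request in the
    log, oldest first. Unrelated requests (favicon, scanners) are dropped."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if url.path != _BEACON_PATH:
            continue
        params = parse_qs(url.query)
        if "stick" not in params or "file" not in params:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, params["stick"][0], params["file"][0]))
    hits.sort(key=lambda h: h[0])
    return hits


def open_sequences(hits):
    """Which files were opened on each drive, in the order they were opened."""
    seq = defaultdict(list)
    for _, stick, file_name in hits:
        seq[stick].append(file_name)
    return dict(seq)


def first_opened_counts(hits):
    """How often each file name was the very first thing opened on a drive."""
    return Counter(files[0] for files in open_sequences(hits).values())


if __name__ == "__main__":
    hits = parse_beacon_hits(SAMPLE_LOG)
    for stick, files in sorted(open_sequences(hits).items()):
        print(stick, "->", " then ".join(files))
    print("opened first:", dict(first_opened_counts(hits)))
```

The decoy page carries no script and reads nothing from the finder's machine; everything the study learns comes from the one request line the server writes to its own log, which is what keeps the measurement within the bounds the post describes. A drive that is plugged in but never opened, or opened on a machine without Internet access, simply produces no hit.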
But before I could go shopping for USB drives, I had to deal with an important aspect of the project that otherwise might cause a lot of uneasiness amongst privacy folks, and of course the subjects of the study.
… Continued in Part 2 – The Experiment Design and Execution
In the meantime, to learn more, check out: http://www.honeystickproject.com/
Posted in Information Protection, Security Catalyst Community
That silent sucking sound could be your data departing | Scott Wright's Security Views said,
April 8, 2008 @ 11:38 pm
[...] Security Catalyst) allowed me some space to write a 3 part series about the HSP on his blog (click HERE), and Mike Sues of Rigel Kent Security (click HERE) supplied me with a whack of new USB drives to [...]