News

USB Ports as Cyber Threats—More than just a Thumb Drive

As a young computer geek, I still remember the excitement when USB was introduced. One connector that offered so much—no more special cables per device type, the ability to “hub” multiple devices, the flexibility—and the new hardware devices in stores.

Years later, as an older computer geek ;), I remember the first time I was introduced to the potential of USB as a security threat. There is not one organization today that is immune to this threat. Many organizations—from financial institutions and critical infrastructure to governments—have been infected.

USB ports offer virtually unlimited functionality including Human Interface Devices (HIDs) such as keyboards, mice, barcode scanners and card readers; communication interfaces such as Ethernet, Wi-Fi, Bluetooth and Cellular; and multimedia devices such as microphones and speakers. This unlimited functionality comes with unlimited threats and potential attack vectors.

Many cyber security vendors have introduced—and continue to introduce—good solutions that are focused on protecting against malicious “detachable media” (such as thumb drives). Most of these solutions are offered as part of an endpoint security platform.

The problem with these solutions is that they address only a small part of the threat and neglect the rest. That “small” part is important, but it is absolutely not sufficient. Some of these solutions can control USB functionality at the device-type or device-instance level, but once a device is approved (“whitelisted”), they lack the ability to protect the port. Current USB threats go far beyond that: an attack can start by connecting an innocent-looking barcode scanner or any other entry device (e.g. a keyboard, mouse or magnetic card reader). Once connected, these devices turn out to be malicious and abuse the connection.

Malicious USB devices are delivered and installed in financial institutions, data centers and other critical infrastructure facilities. These devices are delivered as legitimate devices—by a breached supply chain—starting with vendors and subcontractors, through shipping and distribution channels, to the integrators that install them at target locations. They can, in many cases, be altered later by on-site, trusted visitors.

Sepio is focused on securing computer infrastructure against supply chain cyber threats. Our state-of-the-art USB Cyber Security Solution secures the host’s USB ports and allows the safe connection of different entry devices without concern about infected or malicious applications.

Securing endpoints is critical. Existing endpoint security platforms provide a good solution to dangerous threats, but are not sufficient. Other measures, such as the Sepio USB Security Solution, should be added for optimal security.

Please share our blogs and send comments, ideas and materials for future blogs. For more information, visit www.sepio.systems, and follow us on Twitter and LinkedIn.

The Safest Barcode Scanner in The World

A study on barcode scanners shows that a significant percentage of these devices—manufactured in China—were infected with the Zombie-Zero malware, which sent customers’ proprietary information to Chinese vendors.

When my daughter turned 2, she received a toy cash register with a barcode scanner. I am beginning to think it is the safest barcode scanner in the world.


Barcode scanners, magnetic card readers, RFID readers and similar entry devices used in Point Of Sale (POS), warehouses and other back-office applications are connected to computer endpoints via USB. Even if the connection is wireless, the receiver is eventually connected to a USB port.

When these entry devices are connected to the host computer, they appear as keyboards, and the host cannot distinguish between them and “normal” keyboards. When a user scans a barcode, swipes a magnetic card or touches an RFID card, the programmed code is sent to the host PC as a series of keystrokes. The host application (e.g. the POS software) then reads these keystrokes.

When entry devices are trustworthy and do not abuse this connection, they work as expected and offer ease of installation, use and maintenance. But many of these devices are NOT TRUSTED and ARE MALICIOUS. They are used by criminals to attack the computing environment. Since the host computer has no way to distinguish between barcode scanners and “normal” keyboards, a malicious device might be used to run scripts that execute misconfiguration attacks, ransomware attacks and many other kinds of “goodies” without even being connected to the internet. It may also run a reverse command shell, allowing a remote command-and-control channel to the host computer and to the entire computing infrastructure.

The barcode scanner story is one example of a much broader security problem we face. Most connected peripherals are manufactured by vendors and delivered via unprotected and vulnerable supply chains. They have become a serious cyber threat to our computing infrastructure.

Sepio focuses on securing computer infrastructure against supply chain cyber threats. We deliver solutions to ensure real-world applications are as secure as my daughter’s toy.

Our state-of-the-art USB Cyber Security device secures the host’s USB ports. It ensures a safe connection for different entry devices, preventing network infection by malicious applications.

Please share our blogs and send comments, ideas and materials for future blogs. For more information, visit www.sepio.systems, and follow us on Twitter and LinkedIn.

Supply Chain Cyber Attacks—from Infected Software to Malicious Hardware

Cyber-attacks on supply chains have become a major threat to critical infrastructure. Compromising supply chain integrity by inserting malicious components has become a central discussion topic in black-hat-hacker forums. While most conversations are focused on insertion methods of infected software modules, there has been a recent swell in communications regarding penetration methods of malicious hardware components.

Software Infection vs. Malicious Hardware
Various methods can be used to insert infected software modules into an organization’s software supply chain, including code alteration of 3rd-party software libraries and intentional exploitation of zero-day vulnerabilities through code execution. Once attackers find a way in, the challenge becomes finding a way out. With modern multi-layer security platforms installed in most secured networks, the hacker’s challenge becomes exfiltrating the stolen data.

Since security solutions have focused on sealing the way out, criminals have sought an alternative—the insertion of malicious hardware.

The insertion of malicious hardware into a secured organization requires “on-the-ground” capabilities, including knowledge of supply chain management and logistics.

Malicious hardware attacks were first thought to be executed by governments. But terrorist and criminal organizations have gained supply chain management capabilities—and understand inserting malicious hardware into a top-secured supply chain is easier and more lucrative than maintaining a cache of illegal weapons and drugs. Inserting malicious hardware may still be considered more difficult than inserting infected software—but the data-way-out path is easier—offering unlimited out-of-band communication paths that avoid monitoring or security measures.

The “50 Keyboards” Question
During a recent meeting with a CISO of a large bank, I posed a theoretical question: “If I send 50 boxes containing keyboards with an authentic-looking bank label and a note that reads:

‘Your division has been selected by the bank IT department to test this new keyboard. We will contact you soon to get your feedback.’

How many keyboards would be installed the next morning?”

The answer was shocking, “More than 45”.

This attack would involve 50 keyboards at $13 each, plus shipping fees. Criminals would need only one to be installed to launch the attack and “kill the bank”.

Building a Malicious HID
Human Interface Devices (HIDs) including keyboards, mice, barcode scanners and KVM switches can be easily altered to become malicious devices. By “hubbing” the USB connection to the host and connecting rubber-ducky keyboard emulation devices and wireless communication devices (Wi-Fi/Bluetooth/cellular) in parallel, a multi-phased attack can be executed against the computer infrastructure. In less than one business day, a malicious device can be shipped to its destination and an attack is launched the next morning (thanks to overnight shipments). At a cost of less than $500, this malicious device can penetrate a secured facility. Once inside, it runs a script and, via a hidden wireless connection (e.g. a cellular modem), sends proprietary data out, injects data and executes commands from a remote location.
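The two mechanisms described above (entry devices enumerating as keyboards, and a composite device that pairs a keyboard emulator with a hidden wireless channel) suggest what a host-side audit can look for. The Python below is an added example written for this page, not Sepio’s product or code. The USB interface class codes are the USB-IF values; the device records, VID/PID values, allowlist and timing thresholds are constructed placeholders, and the keystroke-timing rule is a heuristic, not a guarantee.

```python
"""
Audit constructed USB device records for keystroke-capable peripherals and
for composite devices that pair a HID interface with an out-of-band channel,
plus a keystroke-timing heuristic. Added example; records are constructed.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF defined class codes)
CLASS_CDC_COMMS = 0x02      # communications device, e.g. a cellular/serial modem
CLASS_HID = 0x03            # human interface device: keyboards, mice, scanners
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
CLASS_WIRELESS = 0x0E       # wireless controller, e.g. a Bluetooth radio
CLASS_VENDOR_SPECIFIC = 0xFF

# HID boot-protocol codes: subclass 1 = boot interface, protocol 1 = keyboard
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01

# Interface classes that give an "input peripheral" a data path the host does
# not expect from it (assumption: policy chosen for this example).
OUT_OF_BAND_CLASSES = {CLASS_CDC_COMMS, CLASS_CDC_DATA, CLASS_WIRELESS,
                       CLASS_MASS_STORAGE, CLASS_VENDOR_SPECIFIC}


@dataclass(frozen=True)
class Interface:
    cls: int
    subcls: int
    proto: int


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # tuple of Interface


def keystroke_capable(dev: UsbDevice) -> bool:
    """Any HID interface can emit keystrokes through its report descriptor, so
    the host cannot tell a scanner from a keyboard by class code alone."""
    return any(i.cls == CLASS_HID for i in dev.interfaces)


def has_out_of_band_channel(dev: UsbDevice) -> bool:
    return any(i.cls in OUT_OF_BAND_CLASSES for i in dev.interfaces)


def audit(devices, allowlist):
    """Return (product, reason) findings. An allowlist hit is not enough on
    its own: an approved VID/PID is still checked for extra interfaces."""
    findings = []
    for dev in devices:
        approved = (dev.vid, dev.pid) in allowlist
        if keystroke_capable(dev) and not approved:
            findings.append((dev.product, "UNAPPROVED_HID"))
        if keystroke_capable(dev) and has_out_of_band_channel(dev):
            findings.append((dev.product, "HID_WITH_OOB_CHANNEL"))
    return findings


def injection_suspected(arrival_ms, burst_len=8, min_interval_ms=30):
    """Timing heuristic (thresholds are assumptions): flag a run of
    `burst_len` consecutive inter-key gaps all shorter than `min_interval_ms`,
    which is faster than a person types but typical of scripted input."""
    fast = 0
    for prev, cur in zip(arrival_ms, arrival_ms[1:]):
        fast = fast + 1 if cur - prev < min_interval_ms else 0
        if fast >= burst_len:
            return True
    return False


KB = Interface(CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)

# Constructed records; VID/PID values are placeholders, not real vendors.
ALLOWLIST = {(0x1234, 0x0001), (0x1234, 0x0002)}
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, "Approved barcode scanner", (KB,)),
    UsbDevice(0x1234, 0x0002, "Approved keyboard", (KB,)),
    # Same approved VID/PID, but this unit also exposes a modem channel.
    UsbDevice(0x1234, 0x0001, "Tampered barcode scanner",
              (KB, Interface(CLASS_CDC_COMMS, 0x02, 0x01),
               Interface(CLASS_CDC_DATA, 0x00, 0x00))),
    # Keyboard that nobody ordered and that is not on the allowlist.
    UsbDevice(0xABCD, 0x0100, "Unsolicited keyboard", (KB,)),
]

INJECTED_BURST_MS = list(range(0, 200, 8))                      # constructed
HUMAN_TYPING_MS = [0, 140, 260, 410, 520, 700, 790, 930, 1050]  # constructed

if __name__ == "__main__":
    for product, reason in audit(SAMPLE_DEVICES, ALLOWLIST):
        print(f"{reason}: {product}")
    print("burst flagged:", injection_suspected(INJECTED_BURST_MS))
    print("human flagged:", injection_suspected(HUMAN_TYPING_MS))
```

Two things the run illustrates: the tampered scanner passes the VID/PID allowlist and is caught only by the interface-composition rule, which is the gap the first post describes for whitelisting-only controls; and the timing rule is a rate heuristic that complements, rather than replaces, port-level controls, since a slow-typing device will not trip it.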

Sepio Systems has introduced its USB Security Device that protects against such threats. In the next post we will describe the Sepio solution in greater detail.

Share our blogs and please send comments, ideas and materials for future blogs. For more information, visit www.sepio.systems, and follow us on Twitter and LinkedIn.

Supply Chain Cyber Attacks – from Governments to Rubber Ducks

Cyber-attacks on supply chains were considered a strategic weapon to be used against enemy nations to harm critical infrastructure. This type of weapon required advanced technical skills to develop—and massive logistical and tactical capabilities to deploy.

In early 2000, very few countries—USA, China and Israel—were thought to have the technical capability of executing such attacks.

Stuxnet

The cyber-attack on Iran’s nuclear enrichment plant in Natanz is considered one of the first supply chain cyber-attacks known to the public.

Many assume the USA or Israel (and some say, both) installed a computer virus into the Siemens SCADA controllers before arriving at their target location in Iran. After installation, controllers falsely reported normal readout values while burning nuclear enrichment centrifuges. The Stuxnet attack was successful—it delayed Iran’s entire nuclear program by more than 3 years. Strategic advisers across the globe agree—the Stuxnet cyber-attack caused more damage than a conventional attack could have caused.

Governments Technology

Stuxnet and similar attacks could have been developed and deployed by the NSA, Israel’s 8200 and the cyber army of China. It required teams of expert engineers, computer hackers and logistics experts to find the black-hole along the supply chain. It required millions of dollars and months of planning. The technology was soon published and discussed in conferences. Once it became public, hackers were able to reverse-engineer and propagate the technology.

New Attack Vector

Most organizations are protected against common and trivial cyber-attacks. All have installed firewalls, anti-spam, anti-malware, anti-viruses, endpoint security and more. Every month, the market is introduced to new and better technologies to protect against cyber-attacks. There are effective solutions to protect against attacks from the Internet or data files. Protecting one door—many claim—sends criminals to another. Rather than breaking through a secured door, they look for the one that was left open. Since networks and IT are relatively secure—attackers view the supply chain as the open door. Attackers may reach their target through the supply chain—which is hardly secured against such attacks.

Rubber Ducky

In the last 2 years, the know-how of executing a simple supply chain cyber-attack has been discussed in various forums. With additional leaks—like the NSA leak—a family of products has been developed that enables novices to deploy attacks in a matter of hours—and for less than $50.

An easy-to-deploy hardware attack on human interface devices (HIDs), such as keyboards, can cause massive damage to critical infrastructure while being implemented by your neighbor’s teenager.

We invite our friends to share our blogs and to send comments, ideas and materials for future blogs. For more information, visit www.sepio.systems, and follow us on Twitter and LinkedIn.

Welcome to Sepio

Welcome to our first post on Sepio’s new website. Today, we celebrate our media presence and the end of stealth mode.

About Us

We are a group of serial entrepreneurs who have worked together for more than 25 years—beginning in the early 90s in the technological division of Israeli Army Intelligence (Unit 8200). We’ve since been involved directly and indirectly in the foundation of several startup companies. Some have been acquired by market leaders.

We’ve added a new team member with 30 years of sales leadership experience to create Sepio Systems. With strong support from our investors, we are prepared for the challenge.

We are excited to introduce our company—and our different approach.

What is SEPIO?

The Latin word “Sepio” means Protect and Seal. It is the reason we founded the company.

Sepio Systems’ mission is to protect critical infrastructure against threats on their supply chains. Malicious groups poison the chain between vendors and end customers with infected components, modules and systems.

Why Focus on Supply Chains?

Because supply chains are not protected. Because we don’t have adequate visibility. Because by providing stronger and more resilient security to threats via internet connections, emails, and files, we are pushing criminals and our enemies to attack supply chains.

(and…because we thought it would be nice to start something new…)

Our Challenges

Since 2000, supply chain attack technology has moved from top classified government agencies to common hackers. While cost and time dramatically decreased, the spread of such attacks became a major threat to critical infrastructure and enterprises.

These criminals now have strategic weapons at almost no cost—we need to mitigate without changing the way we run our businesses, our infrastructure and our supply chains.

SAME THREATS. DIFFERENT APPROACH.

We chose these words as our (catchy) slogan for distinct reasons.

Since attacks on supply chains started more than 40 years ago, security managers developed a common approach to “certify” vendors and suppliers and “clean” deliverables before installation. This is the approach adopted by governments and top-classified agencies around the world.

It’s not working!

Smart attackers easily penetrate supply chains and deliver infected equipment to end users. Our different approach is simple—attacks are in place; security has been compromised. Let’s isolate the attack and eliminate the poison.

We invite our friends to share our blogs and to send comments, ideas and materials for future blogs. For more information, visit www.sepio.systems, and follow us on Twitter and LinkedIn.

Enjoy and good luck to all,

Yossi Appleboum and the Sepio Team