The Honey Stick Project – Part 2 (Experiment Design and Execution) – Security Catalyst

The Honey Stick Project – Part 2 (Experiment Design and Execution)

This is the second part of our three-part guest series with Scott Wright, discussing the motivation, ideas and findings of the newly launched Honey Stick Project. — Michael

By Scott Wright

The basic concept of the project’s initial phase (called Stream 0) was to drop USB drives loaded with files that contained HTML links to files on a website. When each file was opened by double-clicking, the native application (e.g. default browser, MS Word or Adobe Acrobat) would launch and try to load a referenced file automatically. All of the links contained on each USB drive would include a unique ID number, so I could identify which device was being used when the HTTP requests were logged at the website.

There was certainly a temptation to gather the IP addresses of the hosts from which devices were being accessed, primarily to identify the organization that owned the IP address space by doing reverse DNS lookups. However, the only value I could see in doing this was to identify organizations that might benefit from security awareness training to teach their staff about these risks. While this might be a source of leads for my business, I felt that using the information in this way would probably put the organization on the defensive in any sales call I could imagine.

“Hi Mr. CSO. I’m calling to let you know that one of your staff picked up a Honey Stick and used it from within your network.” Responses I expect might range from, “Go away, you pervert! You don’t know anything about my network, so stop following my staff around.” to “So what? I have more important things to worry about, like the auditor waiting for me in the President’s office.”

Consequences, Considerations and Responsible Handling
I was also concerned about the potential worst-case consequences of the requests being made without the user’s consent (regardless of the fact that the device they were using was clearly not their own). What those consequences might be, I was not quite sure. However, if somebody were to get fired from their job because they were found to be using unauthorized devices on their employer’s networks, I did not want there to be any uncertainty about the liabilities. So, I started drafting a paper to describe the scenarios related to data collection through “Trackable Content” on devices deliberately meant to be “found” and used. This paper is now posted on the Honey Stick Website at White Paper on Privacy Considerations for Trackable Content on Mobile Storage Devices.

In the paper, I describe the basic scenarios where different types of content could be placed on Honey Sticks (both for research and for active attacks such as something I called “Stick Phishing”). I also described what I felt to be the best approaches to deploying Honey Sticks safely for legitimate purposes, as well as safeguards that individuals could use to render these initiatives ineffective. After all, the intent was to educate people on the risks around using unknown devices. The feedback from reviews of the paper were very helpful, and led me to the decision not to capture IP addresses at all, as they could be seen as being used for profiling or targeting people. The related privacy issue really depends on how you use IP addresses. So, once again I tried to steer clear of any grey areas to keep the experiment safe for everyone.

Finally, I was confident enough in the concept to start creating a file set and website that would support the experiment. In Stream 0, all the files are identical, with the exception of the parameters in the URLs that reference the website. I am keeping the exact filenames, content and websites confidential, since the experiment is ongoing, and I want to avoid having somebody in the lunatic fringe trying to skew the results.

While most of the files have meaningful filenames, and some have meaningful text links within them, the only content that is meaningful to the user is contained in two of the files. One file briefly explains the Honey Stick Project, and offers the user the chance to indicate whether they plan to: (1) discard the device, (2) keep the device, (3) redeploy the device, or (4) return the device. By clicking on a link in the file, a request gets logged with a unique URL. The other file is a plain text file called “owner_contact_info.txt”. This file contains information about how to contact me in several ways, in case the user decides to take action to return it. (Don’t laugh, it has already happened more than once…) There is also a website reference to the Honey Stick Project for more information.

Device Selection
The devices I’m using are the cheapest USB drives available; currently between 256MB and 1GB, and costing between $6 and $8 Canadian from large retailers. As you can see by visiting the “Stream 0 Results” page of the Honey Stick Project website, I’ve been leaving them in various publicly accessible locations, including coffee shops, libraries, hospitals, office buildings, hotels, recreation centers, etc. So far, I have not been putting any labels on the devices, except for some chicken scratches that mean something to me, but could easily appear to be normal wear and tear to the Finder.

It turns out that the exact location within each site can cause a difference in response rates. For quick response, I want people to pick them up and be able to get to a connected computer as soon as possible. In many retail product and service companies, it’s too easy for people to turn them in to a cashier or desk and have them sit in a “lost and found” for several weeks, or longer. Phone stalls, washrooms and elevators seem to be good for having them picked up almost immediately. So, Stream 0 is helping me learn about these subtleties. Perhaps I’ll be able to target specific types of locations that will allow me to get higher response rates in future.

Budgeting
As for budgeting, I will do 10 or 15 at a time, as I can afford it. I am accepting sponsorships on the site to allow for the purchase of more devices. It may also be possible for me to package device “loads” for indoctrinated “HSP Fellows” to distribute in their own cities, or when they are traveling.

Stay tuned for the next installment, when I discuss some of the findings so far, and what the future may hold for the Honey Stick Project.

Sharing is caring...
Michael Santarcangelo
 

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.