Hacker gadgets, tools make data leakage prevention more difficult

Bob Lewis helped to convict some of the world's most serious cybercriminals, but he admits new gadgets and technologies are making it too easy for anyone to steal information.

"Take a look at this," says Bob Lewis, holding up what looks like an ordinary wristwatch. "I got it for £8 on eBay."

He then peels off part of the watchstrap to reveal a small USB memory device, which came loaded with BackTrack3, a bootable version of the Linux operating system.

Lewis then went on to demonstrate how it is possible to plug the device into a Windows PC and by working from the Linux drive, bypass all the Windows permissions and gain access to the machine's folders and files. In the demo, he dragged and dropped the 'protected' customer file from the PC on to the USB drive, pulled out the USB drive, and simply folded it up in the watchstrap again.

Lewis has a growing collection of such devices that come disguised as ordinary objects (such as pens and phones) just to show sceptical customers how easy it is to steal information without being noticed.

An associate director within the investigations and assurance practice of London-based Risk Advisory Group plc, Lewis cut his teeth as a police officer with the RAF and worked in counter-intelligence.

He then became a founder member of the National Hi-Tech Crime Unit (NHTCU), where he was involved in the sharp end of fighting cybercrime. He worked on Operation Catterick, which led to the arrest of Russian hackers who carried out DDoS attacks on U.K. gaming sites, and earned an MBE for his efforts in the process.

He also worked on Operation Tertiary, which tracked down a criminal gang that was using the Web to steal credit card and bank account details, and resulted in the conviction of gang leaders Anton Gelonkin and Aleksei Kostap.

Having seen criminals close up, he is worried about many of the new technologies that are now freely available to consumers, and which can easily be used maliciously. USB sticks, with greater capacities and in smaller form factors, are just one of many dangers.

Take Bluetooth, for instance, which comes as standard in most laptops. Lewis said signals can be detected from up to a kilometre away and can pass through walls. How many of us bother to turn off Bluetooth on our laptops? Who might be listening from the office on the next floor?

Then, what about in-the-cloud storage services like 123-drive, which are designed to allow PC users to back up their files to a safe place on the Internet? As Lewis said, they can be equally employed to let users steal sensitive information without detection. A simple drag-and-drop action can make a copy of a complete folder of information on the remote service.

Furthermore, would-be hackers no longer need to be very clever. "It's easy to download the tools and use a simple point and click to make them work," Lewis said. "And there are tons of step-by-step guides on the Web on how to use them."

The problem, he added, is that many of these technologies are below the radar of senior security management. "Some of the geeks in the IT department may be aware of them, but they don't see their potential significance to the business, so they don't raise it with senior management. It's hard to defend against what you're not aware of," he said.

Another demonstration highlights the problem of catching culprits. Lewis displays a library of MP3 tracks, as you would see on a standard MP3 player. All of them play music -- except one. This is a file encrypted using Truecrypt, a free, open source software that is downloadable from the Web.

As the demo continues, Lewis decrypts the file using a password, revealing a couple of harmless PowerPoint presentations. He then uses a different password and reveals a completely different file that could contain an organisation's most valuable intellectual property. "If I was caught with my iPod and people wanted to see what was on it, I could decrypt that file and still hide the stolen information, and they would have no way of knowing it was there," he said.

This is not just a problem for companies protecting their data. The dual-password feature, or the use of what is called a duress password to conceal the data instead of decrypting it, has already been raised as a major problem for law authorities wanting to inspect encrypted files under the Regulation of Investigatory Powers Act. Criminals could just hand over the duress password to destroy evidence.

The answer for companies, especially in times of an economic downturn where users may be facing financial pressures, is to be extra vigilant. Hard-disk encryption would thwart the theft of information using penetration tools like Backtrack3, and closing down USB ports would stop a lot of problems.

But how far are we prepared to go? USB ports are useful for many legitimate purposes, as are Bluetooth and Wi-Fi. And although full-disk encryption sounds appealing, it can be expensive to implement and support.

Some organisations may ban staff from bringing in USB devices or MP3 players, but are they prepared to inspect their wristwatches and pens as well, Lewis asked.

And anyway, he said many organisations fail to take even minimum steps to restrict access to sensitive information. "When I start working with a new client, I always ask to sit with the secretaries and get them to show me what they can access on their systems. That is always very revealing," Lewis said.

Lewis adds that the IT department is usually given free rein to access what it likes without any independent logs being kept. "They might keep logs of what everyone else does, but not log what the IT department itself does, which obviously leaves a vulnerability," he said.

Most companies rely on trust, but when they need to cut back -- Barclays plc., for instance has just announced it is making 400 IT staff redundant -- too much trust may prove to be misplaced.

Read more on Privacy and data protection