AIR GAP

There is reportedly a new particularly advanced USB-savvy malware being called "USB Thief" (Google Search) being discussed by many in the technology press.  

If you allow users (including system admins) to use USB storage devices on air gapped systems then this threat can be a potential attack vector a persistent attacker could deploy against your organization.

Basically an infected USB device could be inserted into an air gapped computer where it could collect considerable amount of "protected data" and then exfiltrate the "protected data" back to the infected USB device. Once the device is removed there is reportedly no trace of the malware on the compromised system and no record of the data collected.

Best defense would be not to allow USB storage media on air gapped systems.  Otherwise, restricting data migration from the air gapped network (i.e. the high-side) to the internet network (i.e. the low-side) would be another defensive measure.  Good physical security would also limit the effectiveness of this threat vector.

Some links with more coverage (some of it F.U.D.): techtimes.com, sci24h.com, arstechnica.com, pcworld.com, thestack.com, securitybrief.co.nz, slashdot.org, idgconnect.com, and itsecuritynews.info, 

There is a new open source effort to build out a working data exfiltration toolkit using radio frequencies.   The source code has been posted to GitHub.  More info on the news at Softpedia. 

The key defensive measure would be to make sure no malicious rogue capabilities make it to your air gapped networked systems, and that you consider RF shielding countermeasures.

Researchers preparing for a future conference presentation have released details (PDF paper here) of their successful electromagnetic (EM) attack against an air gapped system that included no additional software to be previously installed on the system being hacked.  The hardware costs to build the attacking system was around $3000.  The air gapped system had no TEMPEST protections (PDF reference for more information).

You can read more via:

• DailyMail
• TechWorm
• TimesOfIsrael
• Motherboard@Vice
• Softpedia
• OO7Software
• ComputerMagazine

The Register published news of a recent presentation by (@ynvb & @oppenheim1) that IP-enabled KVMs can be attacked in such a way to enable access on a closed network (no Internet connectivity).

The United States Department of Defense's definition of an insider threat:

An insider threat is defined as someone who uses his or her authorized access to damage the national security of the United States, whether through espionage, terrorism, unauthorized disclosures of classified information, or other harmful actions.