
Are Your Employees Unknowingly Aiding Hackers?


Ed Hansberry
06-10-2006, 07:00 PM
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

"We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network."

8O Wow! I must admit, it never occurred to me that this is a problem. The article isn't clear, but it seems that the program would automatically run. I don't own a USB drive and the few I have used have been solely for giving large files to someone rather than trying to email a 20MB file across the hallway. If USB drives can run programs automatically when inserted into a PC without the user's knowledge this is indeed a scary scenario. As one who has a dozen or so SD/MiniSD/CF cards, I can say I'd be tempted to insert a found card to examine the contents. Will PCs also run those when the card slot is built into the machine? It will certainly put me on my guard from now on before slipping a card or USB drive in my machine.

Jon Westfall
06-10-2006, 07:12 PM
I read through this yesterday (and even posted a link on my personal blog), and assumed that the user actually had to click on the trojan. It sounded like they laced the drives with images to make users start looking through the contents, and either had a dummy exe file on there or were really crafty and made an exe look like an image file.

Scary stuff, which is why I don't join credit unions :mrgreen:

Sven Johannsen
06-10-2006, 07:21 PM
If you don't know where it's been, don't stick it in.

I would bet that there wasn't anything exceptionally devious on those drives. Anything like AtomicBanana.exe or DuckHunt.exe would probably have been run. Play a game, load a trojan. They are all over.

What is interesting is that those 15/20 folks apparently didn't share their good fortune. If you found that 19 of your colleagues also found a thumb drive outside that morning, wouldn't you be a bit suspicious? Almost like they knew it was wrong and didn't want to be found out. :roll:

Tierran
06-10-2006, 11:47 PM
Heh, it's funny you mention this since the development group at work has started to take threat modeling more seriously lately and we were discussing this particular scenario yesterday.

drummrsanonymous
06-11-2006, 12:59 AM
This reminds me of an article I read a while ago about a London computer security firm doing a publicity stunt. It was around Valentine's Day or something similar and they handed out CDs with a "special offer" from a jewelry store. When people inserted the disk it popped up a message.

Social engineering has always been the easiest way to get into anything. Unfortunately, the only way to prevent it is education of all your employees (or lock down your computer systems to where they're almost unusable).

Jon Westfall
06-11-2006, 02:33 AM
What is interesting is that those 15/20 folks apparently didn't share their good fortune. If you found that 19 of your colleagues also found a thumb drive outside that morning, wouldn't you be a bit suspicious? Almost like they knew it was wrong and didn't want to be found out. :roll:

I hadn't thought of it, but these credit union people sure were all about finders-keepers. I found a lost USB memory stick a few months back outside a building on campus, and did pop it in to see the contents (Yes yes, it could have been a virus... although since no auto-run exists for these things and I'm fairly proficient at spotting viruses, I took the risk) to look for a name or address or something. Why did I do this? Well, the next stop was campus police to turn it in - I just had a sinking feeling that they wouldn't do more than just hold it - I wanted to have the party who lost it be notified.

But apparently these people didn't bother turning it in to a receptionist or to their designated lost-and-found, because if they had, they would have noticed a strangely high amount of these things popping up that day!

JMac
06-11-2006, 07:40 AM
Actually USB Flash Drives are not supposed to be able to auto-run. Windows XP does not support "AutoPlay" nor "AutoRun" for removable drives.

That being said, it wasn't long before enterprising folks discovered how to make USB drives do just that. There are two ways you can have a USB drive self-start: Set it up as a fixed drive by assigning a permanent drive letter to it and designating it as a drive, and...

Place an .INI file in its root that directs an accompanying application to start immediately.

While this is helpful in many instances, it can also present new problems for IT managers.

Eg, MedicAlert has a division called eHealth Key that markets a USB drive programmed with an application that, upon insertion in a USB port, auto-installs a program that allows a user to access and edit their MedicAlert emergency medical profile data and both save it to the drive as well as update MedicAlert's database. The key is worn around the neck on a lanyard or chain and can be inserted in a PC at any hospital. Emergency care workers at an ER will then be able to access their emergency medical instructions on the key. (But not alter it without an account number, username, and password).

Of course those with less noble intent can inject other programs onto a PC using the same methods.
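An added example (not from the thread or any poster) of auditing a found drive for the self-start file JMac describes, written from the defender's side: it only reports what the file would launch and never runs it. It assumes the file is named autorun.inf in the drive root and that PowerShell is available; the sample autorun.inf is constructed for the demo.

```powershell
# Added example: list the launch directives in a removable drive's autorun.inf
# without executing anything. Assumes the file name autorun.inf (Windows convention).
function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$DriveRoot)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }   # nothing to report
    $section = ''
    $found = @()
    foreach ($line in Get-Content -LiteralPath $inf) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }          # comment/blank
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                     # only [autorun] matters
        $k, $v = $t -split '=', 2
        $k = $k.Trim().ToLower()
        # Keys that cause a program to start or replace the default double-click action.
        if (($k -in 'open', 'shellexecute') -or ($k -like 'shell\*\command')) {
            $target = $v.Trim()
            $exe = ($target -replace '"', '' -split '\s')[0]           # first token = file
            $found += [pscustomobject]@{
                Key        = $k
                Target     = $target
                # Executable extension even when the name is dressed up as an image.
                Executable = ($exe -match '\.(exe|com|bat|cmd|scr|pif|vbs|js)$')
                OnDrive    = Test-Path -LiteralPath (Join-Path $DriveRoot $exe)
            }
        }
    }
    return $found
}

# Constructed demo: a temp folder standing in for a found drive's root.
$root = Join-Path $env:TEMP ('usb-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
@"
[autorun]
icon=photos.ico
open=vacation.jpg.exe
shellexecute=setup\start.exe /quiet
"@ | Set-Content -Path (Join-Path $root 'autorun.inf')

Get-AutorunDirectives -DriveRoot $root | Format-Table -AutoSize
Remove-Item -Recurse -Force $root
```

Run it on an isolated machine like the unplugged QA boxes described later in the thread; a row with Executable set to True on a drive nobody claims is the cue to hand it to whoever handles incidents rather than double-clicking.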

KAMware
06-11-2006, 11:05 AM
Not too long ago I bought a 4 gig Thumb drive. As soon as I plugged it in to my computer a program was launched. It is called a U3 Smart Drive. There are two partitions on it with one containing the U3 software. I was surprised and annoyed as I could not get rid of it!

I finally found a program provided by the Geek Squad at Best Buy that reformats the drive and removes the boot partition.

If you want to read what it is all about go to www.u3.com.

lapchinj
06-11-2006, 06:02 PM
During network room 'GI party' we would always come up with drives that were taken out of PC's for one reason or another with no note taped to them. And lately we've seen a lot of various flash cards that were found on the floor and turned in to us, etc., etc....

We have a couple of PC's set up for things like QA and going through various media. These machines always have network cable unplugged. As a matter of fact we even have a sign taped to the front of these PC's that the network cables are not to be connected under any circumstances to any network or other PC without the approval of the current operations room supervisor. No ifs, ands or buts.

Most of the flash cards (SD/CF/etc.) are usually lost cards from cameras or sometimes personal backups. HDD's are not such a problem but the plug-in USB drives are worrisome since people now have the ability to unknowingly bring in a virus on them or knowingly (or worse, stupidly not knowing that they shouldn't be) taking data off premises.

At least in our organization PC's are starting to show up without USB ports accessible from outside the case and soon none at all on the motherboard. Floppy and silicon cards have not been seen on our PC's for ages. This is the rule for general office staff (aka users). For technical people such as programmers, researchers and these types, backups of their work are made nightly so again nothing has to be offloaded from PC to other media. We do have a number of scenarios where we have to download to QA, laptops and customers to mention a few. Sales personnel are supplied with the latest and greatest on their laptops (USB and cards are disabled). No salesperson has 'their' own laptop setup 'their' own must have way (ah, well almost. Bring in 3meg a year and we can make an adjustment).

So far this system works out OK but there are always tweaks to who, what and where. Bottom line is that if someone wants to be able to get stuff off or on to a machine there has to be a reason and all sorts of approvals. And I'm sure with the latest high profile theft of a government laptop we will be tightening the screws on who, what and where. This tends to keep dishonest people honest and stupid people smart :wink: .

Jeff-

erickbryce
06-11-2006, 11:26 PM
If the computer(s) are members of a domain then a simple "Disable USB" Group Policy Object takes care of it.

For non-domain computer & work group computers in START>RUN>(type)regedit>OK

Navigate to HKEY_LOCAL_MACHINE>CurrentControlSet>Services>USBSTOR

edit the registry value "Start" from "3" to "4"

Exit & restart.

USB storage devices, flash cards etc are locked. Regular USB devices that do not act as storage devices still work. (i.e. a USB multi-function printer with a multi-card reader might be blocked, or might be a loop-hole, not sure) But it is a bit more noticeable to bring in a multi-function printer to work 8O than a USB storage media device :mrgreen:

"Hey uh..Bob,..whatcha got there?" ..... "Oh,..uh..nothin..nothin really." :roll:
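An added example (not erickbryce's or the thread's own code) that checks and applies the USBSTOR lock described above from PowerShell. It assumes an elevated prompt and the full key path HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR (the post abbreviates it); Start values 3 and 4 are the Windows service-start codes for "load on demand" and "disabled".

```powershell
# Added example: audit and set the USBSTOR driver start mode.
# Start = 3 (demand start) loads the driver when a USB storage device appears;
# Start = 4 (disabled) refuses to load it, so new flash drives/card readers are ignored.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'   # assumed full path

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $note = switch ($start) {
        4       { 'USB mass storage disabled' }
        3       { 'USB mass storage loads on demand (Windows default)' }
        default { "unexpected Start value $start; check the key by hand" }
    }
    [pscustomobject]@{ Start = $start; Blocked = ($start -eq 4); Note = $note }
}

function Set-UsbStorageBlocked {
    param([bool]$Blocked = $true)
    # Needs local admin rights; anyone with those rights can also undo it,
    # which is the gap lapchinj's port-less hardware approach is meant to close.
    $value = if ($Blocked) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    # Devices already mounted stay until unplugged or reboot; new ones are refused.
    Get-UsbStorageState
}

Get-UsbStorageState                        # report the current state
# Set-UsbStorageBlocked                    # apply the lock (Start = 4)
# Set-UsbStorageBlocked -Blocked:$false    # revert to the default (Start = 3)
```

For domain machines the same value can be pushed centrally, which is what the "Disable USB" policy in the post amounts to; the audit function is still useful to confirm the setting actually landed on each box.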

lapchinj
06-12-2006, 04:56 AM
If the computer(s) are members of a domain then ...
While this (or something like it) was the original temporary fix we wanted to lock down the machines a little better to avoid the people that can undo the fix. We started modifying the PC's ourselves but are now able to get the manufacturer to do it for us. This way there are no ports (USB, Firewire) on the machine that do not work making people wonder why. Operations would get calls from users that their USB port doesn't work and we would have to explain that for security reasons we disabled those 'things'. Then they would ask why we didn't trust them. People seeing these newer machines just see a plain vanilla machine that comes without USB or floppy. No questions being asked, nobody has their feelings hurt and everybody is happy all around.

Jeff-

gwinter
06-12-2006, 12:44 PM
Even though this news item was posted as OT, PPC may be affected as well, since autorun is available on PPC. On WM5, I think the system might throw a warning since the program to be run is usually not signed. WM2003 and earlier systems will simply run whatever is instructed as soon as the memory card is inserted into the slot.

Ilium Software
06-12-2006, 01:46 PM
Not too long ago I bought a 4 gig Thumb drive. As soon as I plugged it in to my computer a program was launched. It is called a U3 Smart Drive. There are two partitions on it with one containing the U3 software. I was surprised and annoyed as I could not get rid of it!

Actually U3 is not a bad thing. It offers a range of products that run solely on the drive. When I say solely, I mean it. No remnants get left behind on any PC you use the device on (no files/registry keys/etc.)

Currently we have a version of eWallet available for U3 (free for any owner of the desktop software...email us for info). It's a nice way to securely move data between multiple PCs without fear of leaving something behind you shouldn't.

The program that launched is the U3 interface which allows you to access the U3 store or launch your U3 software.

I can certainly understand why you might not want it but I wanted to clarify that it isn't actually a bad thing. Some people buy those devices just to get the U3 functionality and typically they sell the same device in both U3 and normal versions. Sounds like you ended up with the U3 version.

Marc Tassin
Ilium Software
--------------------
+1 (734) 973-9388
---------------------
http://www.iliumsoft.com

Jon Westfall
06-13-2006, 04:58 AM
If the computer(s) are members of a domain then ...
While this (or something like it) was the original temporary fix we wanted to lock down the machines a little better to avoid the people that can undo the fix. We started modifying the PC's ourselves but are now able to get the manufacturer to do it for us. This way there are no ports (USB, Firewire) on the machine that do not work making people wonder why. Operations would get calls from users that their USB port doesn't work and we would have to explain that for security reasons we disabled those 'things'. Then they would ask why we didn't trust them. People seeing these newer machines just see a plain vanilla machine that comes without USB or floppy. No questions being asked, nobody has their feelings hurt and everybody is happy all around.

Jeff-

It's not a bad thing to hurt people's feelings - a simple response to the "why don't you trust us" question is simply "you wouldn't trust a computer technician to know all the details of your job and perform it without training, would you?". Security should never suffer because people who ARE security risks are treated as if they AREN'T a security risk!

That being said, the plain vanilla approach sounds great because it cuts down on calls in general. Just glad you guys didn't wait until you had plain vanilla to cut the USB!

lapchinj
06-13-2006, 09:42 AM
It's not a bad thing to hurt people's feelings - a simple response to the "why don't you trust us" question is simply "you wouldn't trust a computer technician to know all the details of your job and perform it without training, would you?". Security should never suffer because people who ARE security risks are treated as if they AREN'T a security risk!
This is true but it's just another question that doesn't have to be answered. Not all people have the gift of speech to answer a question appropriately when asked :? .

I think that people realize it's because of security issues that there are no USB or other ports on their machines at work; it just becomes a non-issue because it's just not there. Other items such as passwords having to be changed every three months keep security on people's minds as a daily item just as having to turn the lights on in the morning is.

Also there have been reception areas set up that are apart from off-the-street traffic (deliveries etc.) where a friend of an employee can drop in and have a cup of coffee - neat. Non-employees are not allowed on premises without a business reason or approval from some manager type. Bottom line is that there has to be a reason for someone being on premises. Of course the employees' immediate family are allowed in since this is not a top secret missile installation. Absolutely nobody (employees, managers, etc.) goes in to operations without clearance or an escort.

A nice thing about this level of security that my wife noticed is that women have no problem leaving their pocketbooks in drawers or on tables (my wife doesn't even bring her pocketbook to her job). People in general feel safer about their valuables and surroundings. If an outside serviceperson (i.e. copy machine repair person) is on premises everyone will know that he/she's been asked numerous times what they're doing.

While it's not Fort Knox I think that it's a basic level of security that all businesses should implement. Security becomes an everyday item and non-issue. Security without the stress :wink: .

Jeff-

JMac
06-13-2006, 01:22 PM
Love your sig, Jeff...

But you really need to add FORTRAN to it!

lapchinj
06-13-2006, 04:14 PM
Love your sig, Jeff...

But you really need to add FORTRAN to it!
Yeah I could but ... I started as an assembler programmer on Data General machines. I wanted to do 'C' but I was volunteered to the prestigious position of enhancing our on-line database (400 offices around the world - big stuff those days) which of course was written in Fortran. I must admit I had a good time with it so it does have a place in my heart even though I did it for only 2 years. Besides when Dijkstra penned those words we all looked at Cobol as Cobwebs, Fortran was still going strong (on the 'street') but C was the place I wanted to be.

Besides I can't since they are Dijkstra's words. He also had some choice words about the use of the 'goto' statement in programming languages. Very interesting guy to say the least. Of course I know of him since one of my papers in school was about some of his algorithms. But the quote is still appropriate today. Even with billions of lines of code written with Cobol it's still crippling the mind of anyone using it. Once you use it you're infected and everything is over: your career, your freedom, your..., you're done.

Jeff-