Wilders Security Forums  
#1
October 11th, 2010, 07:48 AM
TheKid7
The Dangers of USB Drives

The Dangers of USB Drives:

http://www.slate.com/id/2270003/pagenum/all/#p2
#2
October 11th, 2010, 12:47 PM
Beto
Re: The Dangers of USB Drives

I use a hidden partition which is easily activated with the right program and password before I connect to my machine with a USB data drive.

I only access this drive with the modem OFF. This may not be foolproof but it is near to it.

I feel confident with this method.
#3
October 11th, 2010, 02:32 PM
Rmus
Re: The Dangers of USB Drives

From the article:

Quote:
There is, of course, a failsafe way to prevent Stuxnet from infecting high-security machines: why not just prohibit users from sticking USB devices into computers that have been purposefully separated from the Internet? "That would have worked," says Sophos' Wisniewski, "but the reality is the world is still pretty crappy at security." Companies either don't have such policies or don't enforce them, maybe, perhaps, because selfish employees (like yours truly) consider USB sticks extremely convenient. If you want to hand over a huge PowerPoint presentation to your colleagues down the hall, what's easier than sticking it on a USB disk?

If a company wants to ratchet up security, it's not as simple as banning all thumb drives. To be extra careful, you'd have to ban iPods, cameras, and every other USB-based doohickey; all of those devices are capable of carrying Stuxnet-like viruses, too. I asked Sean Sullivan, of F-Secure, if he could imagine any failsafe IT policy that would have worked to thwart Stuxnet. "Well, in our malware test machines, sometimes we put glue in the USB ports," he joked.

After Stuxnet made the news, I spoke with an acquaintance who is a Systems Administrator for a local organization which has 300 computer workstations on a network.

I asked his thoughts about the USB threats these days. He smiled and said that he didn't give it much thought because their workstations run under a Group Policy that denies any executable from running from any USB port.

This way, employees can still transfer files, including PowerPoint presentations.

This reinforces my contention that Management should dictate policy, not employees.

It's as simple as that, notwithstanding the comment from the expert at F-Secure.

Articles such as these are always frustrating because the authors usually don't add anything useful as far as protection goes; instead, they just parrot the sensational aspects of the story or topic.

The author comments:

Quote:
What makes USB drives so great at carrying malware? They're the mosquitoes of the digital world: small, portable, and everywhere, so common as to be nearly invisible. I've got half a dozen USB disks on my desk right now, several of unknown origin. I know I purchased a couple of them, but I've also picked up USB drives from friends, colleagues, and at trade shows, where they're handed out as freely as pens and candy.

I certainly wouldn't ask him to do a security presentation!

Here is a telling comment quoted from another expert, at Sophos:

Quote:
"But I don't know if we're ever going to win that battle," Wisniewski says. "It's human nature. If I were a normal person and I didn't work in this bubble of security? If I found a USB drive, the first thing I would want to do is want to plug it in, too."

Human nature, indeed! As illustrated in the Biblical story of Eve being tempted to eat the apple.

A first rule of thumb should be never to accept a free thumb drive, but rather to purchase one. Organizations can give their employees a thumb drive. They aren't that expensive, after all!

People I know who work with home users have stressed this for years. Once people see a demonstration of how a USB drive can infect their system, they understand the possible dangers and are receptive to learning to protect accordingly.

It's not all that difficult!

----
rich
#4
October 11th, 2010, 08:33 PM
chrisretusn
Re: The Dangers of USB Drives

Quote:
But Stuxnet evades those measures; it can infect PCs even when AutoRun is turned off. "All you have to do is open up the folder and view the contents, and you're infected," Sullivan says. "It's such a minimal action that's required, something anyone would do just to see what's on the disk. That's why it spread."

I raise the bull-ony flag. Could someone please enlighten me how this might work? Perhaps I am missing something.

Most of my systems run Linux; on all my Windows systems I have AutoRun disabled and have also disabled the use of autorun.inf. Inserting a USB device will do nothing. Opening a folder will do nothing but show the files. I know this as a fact. I do it all the time on infected USB devices.

Where I live, all I need to do is take my USB device to a photo developing shop and it will get infected. Nothing autoruns on any of my family's computers. User action is the only way to get infected from a USB device around here.

I'd say I won the battle on the USB front.
#5
October 11th, 2010, 08:48 PM
Rmus
Re: The Dangers of USB Drives

Quote:
Originally Posted by chrisretusn
...on my all windows systems I have autorun disabled and also disabled the use of autorun.inf.

This exploit (now patched) does not depend on autorun.inf. See:

Espionage Attack Uses LNK Shortcut Files
http://www.f-secure.com/weblog/archives/00001986.html

Exploit demonstrates critical Windows .lnk vulnerability
http://www.h-online.com/security/new...y-1040285.html

----
rich
#6
October 11th, 2010, 08:50 PM
aigle
Re: The Dangers of USB Drives

Quote:
Originally Posted by chrisretusn
I raise the bull-ony flag, Could someone please enlighten me how this might work. Perhaps I am missing something.

This is the latest .lnk exploit, though patched now. Disabling AutoRun will not mitigate this exploit.

http://www.wilderssecurity.com/showthread.php?t=276994

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm-

-http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435-

http://www.wilderssecurity.com/showthread.php?t=284188
Last edited by JRViejo : October 11th, 2010 at 11:11 PM. Reason: De-linked URLs - JRViejo
#7
October 11th, 2010, 08:55 PM
CloneRanger
Re: The Dangers of USB Drives

Quote:
Originally Posted by aigle

This is latest .lnl exploit

lnl that's a new one on me
#8
October 11th, 2010, 09:00 PM
chrisretusn
Re: The Dangers of USB Drives

Thanks for the links. Brain cell sparked!

I do remember reading about that.

Edit: Makes me glad most of my systems are not Windows.
#9
October 11th, 2010, 09:02 PM
aigle
Re: The Dangers of USB Drives

Quote:
Originally Posted by CloneRanger
lnl that's a new one on me

Yep, it's coming in Windows 8.
#10
October 11th, 2010, 10:05 PM
wat0114
Re: The Dangers of USB Drives

Testing the POC provided in the ssj100 link, I have to admit it's a luxury having AppLocker. Although, even without DLL rules in place, the exploit only works by double-clicking suckme.lnk (the effects of the patching, I guess).
Last edited by wat0114 : October 11th, 2010 at 10:13 PM.
#11
October 11th, 2010, 10:38 PM
aigle
Re: The Dangers of USB Drives

Nice indeed.
#12
October 11th, 2010, 11:36 PM
wat0114
Re: The Dangers of USB Drives

Quote:
Originally Posted by aigle
Nice indeed.

Only trouble is I had to create global appdata dll rules for the users of this pc to prevent numerous blocks. Even though I could have gone with more granular rules, I couldn't be bothered with all the painstaking work to create them. This is still a nice balance between decent security without sacrificing too much time invested in creating numerous individual rules for three different standard accounts. At least the system critical directories, (%Windir%, %Programfiles%), and of course any other directories not included in the rules are protected.
[Attached image: appdata_Applocker_rules.png]
Last edited by wat0114 : October 11th, 2010 at 11:47 PM.
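The Group Policy approach Rmus describes in #3 and the AppLocker rules wat0114 is tuning here, as an added PowerShell example that is not from the thread; it includes a Dll rule collection because the .lnk exploit discussed above loads a DLL, which an executable-only policy does not stop. It assumes an AppLocker-capable Windows edition with the Application Identity service running; the rule names, output file name and test paths are made up.

```powershell
# Added example, not code from the thread: an AppLocker policy that denies EXE and
# DLL execution from removable and hot-plug drives while keeping the stock allow
# rules. Assumes an AppLocker-capable Windows edition (Windows 7 Enterprise or
# later) with the Application Identity service running; rule names are invented.
Import-Module AppLocker

function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    # S-1-1-0 is Everyone; every rule needs its own GUID.
    $id = [guid]::NewGuid().ToString()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

function New-RuleCollection([string]$Type, [string]$Mode) {
    # Deny beats Allow in AppLocker, so the two deny rules override the broad
    # allows. %REMOVABLE% is USB/optical media, %HOT% other hot-pluggable volumes.
    $rules = @(
        New-PathRule "Deny $Type on removable media" '%REMOVABLE%\*'    'Deny'
        New-PathRule "Deny $Type on hot-plug drives"  '%HOT%\*'          'Deny'
        New-PathRule "Allow $Type in Windows"         '%WINDIR%\*'       'Allow'
        New-PathRule "Allow $Type in Program Files"   '%PROGRAMFILES%\*' 'Allow'
        New-PathRule "Allow $Type for administrators" '*'                'Allow' 'S-1-5-32-544'
    )
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"$Mode`">`n$($rules -join "`n")`n</RuleCollection>"
}

# EXE rules are enforced. The DLL collection, the one that stops a .lnk-triggered
# DLL load from the stick, starts in AuditOnly: once enforced, every DLL outside
# the allowed paths (e.g. under AppData) is blocked, as wat0114 found above.
$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollection 'Exe' 'Enabled')
$(New-RuleCollection 'Dll' 'AuditOnly')
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-removable-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: use files that exist on the test machine; the first must really sit on
# a removable volume for %REMOVABLE% to match (constructed paths below).
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-1-0' `
    -Path 'E:\tools\example.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy only after reviewing the dry run and, for DLLs, the
# 8003 audit events in the 'Microsoft-Windows-AppLocker/EXE and DLL' event log:
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Switching the Dll collection to Enabled is the step that actually blocks a DLL loaded from the stick, so do it only after the audit log shows which legitimate DLLs would need extra allow rules.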
#13
October 11th, 2010, 11:36 PM
trismegistos
Re: The Dangers of USB Drives

Quote:
Originally Posted by wat0114
Testing the POC provided in the ssj100 link, have to admit it's a luxury having AppLocker. Although even without dll rules in place, the exploit only works by double-clicking suckme.lnk (the effects of the patching, I guess).

I have tried the POC, but first I had to retrieve the old shell32.dll (as it is already patched) back to the system directory, replacing the new one. On testing, just renaming the file back to the .lnk extension would trigger the shellcode.

Binary planting or "known dlls" vulnerability or lnk exploit is the new autorun security hole for those running SP2 and below.
#14
October 11th, 2010, 11:41 PM
wat0114
Re: The Dangers of USB Drives

Quote:
Originally Posted by trismegistos
Binary planting or "known dlls" vulnerability or lnk exploit is the new autorun security hole for those running SP2 and below.

You mean the patch does not work for these new exploits?

**EDIT** never mind, I got it (...for those running SP2 and below)

Last edited by wat0114 : October 11th, 2010 at 11:53 PM.