The Dangers of USB Drives

Discussion in 'other security issues & news' started by TheKid7, Oct 11, 2010.

Thread Status:
Not open for further replies.
  1. TheKid7
    Offline

    TheKid7 Registered Member

  2. Beto
    Offline

    Beto Registered Member

    I use a hidden partition which is easily activated with the right program and password before I connect to my machine with an USB data drive.

    I only access this drive with the modem OFF. This may not be foolproof but it is near to it.

    I feel confident with this method. :cool:
  3. Rmus
    Offline

    Rmus Exploit Analyst

    From the article:
    After Stuxnet made the news, I spoke with an acquaintance who is a Systems Administrator for a local organization which has 300 computer workstations on a network.

    I asked his thoughts about the USB threats these days. He smiled and said that he didn't give it much thought because their workstations run under a Group Policy that denies any executable from running from any USB port.

    This way, employees can still transfer files, including PowerPoint presentations.

    This reinforces my contention that Management should dictate policy, not employees.

    It's as simple as that, notwithstanding the comment from the expert at F-Secure.

    Articles such as these are always frustrating because the authors usually don't add anything useful as far as protection; instead, just parroting the sensational aspects of the story or topic.

    The author comments,
    I certainly wouldn't ask him do to a security presentation!

    Here is a telling comment quoted from another expert, at Sophos:
    Human nature, indeed! As illustrated in the Biblical story of Eve being tempted to eat the apple.

    A first rule-of-thumb should be never to accept a free thumb drive, rather purchase one. Organizations can give their employees a thumb drive. They aren't that expensive, after all!

    People I know who work with home users have stressed this for years. Once people see a demonstration of how a USB drive can infect their system, they understand the possible dangers and are receptive to learning to protect accordingly.

    It's not all that difficult!

    ----
    rich
  4. chrisretusn
    Offline

    chrisretusn Registered Member

    I raise the bull-ony flag, Could someone please enlighten me how this might work. Perhaps I am missing something.

    Most of my systems run Linux, on my all windows systems I have autorun disabled and also disabled the use of autorun.inf. Inserting a USB device will do nothing. Opening a folder will do nothing but show the files. I know this as fact. I do it all the time on infected USB devices.

    Were I live all I need to do is take my USB device to a photo developing shop and it will get infected. Nothing autoruns on any of my families computers. User action is the only way to get infected from a USB device around here.

    I'd say I won the battle on the USB front.
  5. Rmus
    Offline

    Rmus Exploit Analyst

  6. aigle
    Online

    aigle Registered Member

    This is latest .lnk exploit, though patched now. Disabling Autoruns will not mitigate this exploit.

    http://www.wilderssecurity.com/showthread.php?t=276994

    -http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm-

    -http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435-

    http://www.wilderssecurity.com/showthread.php?t=284188
    Last edited by a moderator: Oct 11, 2010
  7. CloneRanger
    Offline

    CloneRanger Registered Member

    lnl that's a new one on me :D ;)
  8. chrisretusn
    Offline

    chrisretusn Registered Member

    Thanks for the links. Brain cell sparked! :)

    I do remember reading about that.

    Edit: Make me glad most of my systems are not Windows. :)
  9. aigle
    Online

    aigle Registered Member

    Yep, it,s coming in windows 8. :D
  10. wat0114
    Offline

    wat0114 Guest

    Testing the POC provided in the ssj100 link, have to admit it's a luxury having AppLocker :) Although even without dll rules in place, the exploit only works by double-clicking suckme.lnk (the effects of the patching, I guess.

    Attached Files:

    Last edited by a moderator: Oct 11, 2010
  11. aigle
    Online

    aigle Registered Member

    Nice indeed.
  12. wat0114
    Offline

    wat0114 Guest

    Only trouble is I had to create global appdata dll rules for the users of this pc to prevent numerous blocks. Even though I could have gone with more granular rules, I couldn't be bothered with all the painstaking work to create them. This is still a nice balance between decent security without sacrificing too much time invested in creating numerous individual rules for three different standard accounts. At least the system critical directories, (%Windir%, %Programfiles%), and of course any other directories not included in the rules are protected.

    Attached Files:

    Last edited by a moderator: Oct 11, 2010
  13. trismegistos
    Offline

    trismegistos Registered Member

    I have tried the POC but first I have to retrieve the old shell32.dll(as it is already patched) back to the system directory replacing the new one. On testing just renaming the file back to .lnk extension would trigger the shellcode.

    Binary planting or "known dlls" vulnerability or lnk exploit is the new autorun security hole for those running SP2 and below.
  14. wat0114
    Offline

    wat0114 Guest

    You mean the patch does not work for these new exploits?

    **EDIT** never mind, I got it (...for those running SP2 and below)
    Last edited by a moderator: Oct 11, 2010
Thread Status:
Not open for further replies.