The Dangers of USB Drives

The Dangers of USB Drives:

http://www.slate.com/id/2270003/pagenum/all/#p2

 

I use a hidden partition which is easily activated with the right program and password before I connect to my machine with an USB data drive.

I only access this drive with the modem OFF. This may not be foolproof but it is near to it.

I feel confident with this method.

 

From the article:

After Stuxnet made the news, I spoke with an acquaintance who is a Systems Administrator for a local organization which has 300 computer workstations on a network.

I asked his thoughts about the USB threats these days. He smiled and said that he didn't give it much thought because their workstations run under a Group Policy that denies any executable from running from any USB port.

This way, employees can still transfer files, including PowerPoint presentations.

This reinforces my contention that Management should dictate policy, not employees.

It's as simple as that, notwithstanding the comment from the expert at F-Secure.

Articles such as these are always frustrating because the authors usually don't add anything useful as far as protection; instead, just parroting the sensational aspects of the story or topic.

The author comments,

I certainly wouldn't ask him do to a security presentation!

Here is a telling comment quoted from another expert, at Sophos:

Human nature, indeed! As illustrated in the Biblical story of Eve being tempted to eat the apple.

A first rule-of-thumb should be never to accept a free thumb drive, rather purchase one. Organizations can give their employees a thumb drive. They aren't that expensive, after all!

People I know who work with home users have stressed this for years. Once people see a demonstration of how a USB drive can infect their system, they understand the possible dangers and are receptive to learning to protect accordingly.

It's not all that difficult!

----
rich

 

I raise the bull-ony flag, Could someone please enlighten me how this might work. Perhaps I am missing something.

Most of my systems run Linux, on my all windows systems I have autorun disabled and also disabled the use of autorun.inf. Inserting a USB device will do nothing. Opening a folder will do nothing but show the files. I know this as fact. I do it all the time on infected USB devices.

Were I live all I need to do is take my USB device to a photo developing shop and it will get infected. Nothing autoruns on any of my families computers. User action is the only way to get infected from a USB device around here.

I'd say I won the battle on the USB front.

 

This exploit (now patched) does not depend on autorun.inf. See:

Espionage Attack Uses LNK Shortcut Files
http://www.f-secure.com/weblog/archives/00001986.html

Exploit demonstrates critical Windows .lnk vulnerability
http://www.h-online.com/security/ne...itical-Windows-lnk-vulnerability-1040285.html

----
rich

 

This is latest .lnk exploit, though patched now. Disabling Autoruns will not mitigate this exploit.

https://www.wilderssecurity.com/showthread.php?t=276994

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm-

-http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435-

https://www.wilderssecurity.com/showthread.php?t=284188

 

lnl that's a new one on me

 

Thanks for the links. Brain cell sparked!

I do remember reading about that.

Edit: Make me glad most of my systems are not Windows.

 

Yep, it,s coming in windows 8.

 

Testing the POC provided in the ssj100 link, have to admit it's a luxury having AppLocker Although even without dll rules in place, the exploit only works by double-clicking suckme.lnk (the effects of the patching, I guess.

 

Nice indeed.

 

Only trouble is I had to create global appdata dll rules for the users of this pc to prevent numerous blocks. Even though I could have gone with more granular rules, I couldn't be bothered with all the painstaking work to create them. This is still a nice balance between decent security without sacrificing too much time invested in creating numerous individual rules for three different standard accounts. At least the system critical directories, (%Windir%, %Programfiles%), and of course any other directories not included in the rules are protected.

 

I have tried the POC but first I have to retrieve the old shell32.dll(as it is already patched) back to the system directory replacing the new one. On testing just renaming the file back to .lnk extension would trigger the shellcode.

Binary planting or "known dlls" vulnerability or lnk exploit is the new autorun security hole for those running SP2 and below.

 

You mean the patch does not work for these new exploits?

**EDIT** never mind, I got it (...for those running SP2 and below)