Yet Another "People Plug In Strange USB Sticks" Story 639
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
hrmmph.. (Score:2)
Re: (Score:2)
Re:hrmmph.. (Score:4, Informative)
Yes, it's always because IT 'trusts' the OS... It has nothing what-so-ever to do with management complaining in the 'your about to be fired!' fashion if they can't simply plugin x device at their whim... As an admin my job was to make things as secure as I couldn't, without pissing off the people writing my paycheck. Just as I have to leave the OS to automatically access USB devices, so to the OS must trust these devices because otherwise the people with the money get pissy.
No... (Score:3, Insightful)
The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.
Re: (Score:2)
Windows (Score:5, Insightful)
AutoRun!
But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.
Re: (Score:3)
I couldn't agree with this more ... I've always hated the fact that Microsoft (in their on-going attempt to pander to drooling idiots) has set it up by default so that it will pretty much run anything that comes near it, without asking the user or any level of assumption th
Re: (Score:2)
but I don't think I know of an OS that won't just work if you plug in a keyboard or mouse. You could just as easily make a USB stick that opens up a terminal and runs 'rm -rf ~';
Windows key, up arrow, up arrow, enter, "run something nasty.exe", enter, "boom"
not just autorun! (Score:5, Interesting)
autorun is NOT the only problem.
The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.
Re: (Score:2)
That's pretty clever. Insidious, but clever.
Re:not just autorun! (Score:5, Insightful)
I'll see your "clever" and raise you a "completely terrifying". I'm ashamed that it never occurred to me that something in a USB flash drive form factor wouldn't be a flash drive. I just got done lecturing a coworker about SQL injection, but I would've been utterly vulnerable to a "USB injection" attack up until 5 minutes ago.
Re: (Score:2)
DO NOT PLUG IN UNKNOWN HARDWARE.
A usb device can be anything not just mass storage. Also, do not fucking log in as admin.
Re: (Score:3, Insightful)
Re: (Score:3)
Right click -> run as admin
Then you don't need to always be admin when using your computer, but still get access to it as needed when installing things.
Re:not just autorun! (device to filter?) (Score:5, Informative)
Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?
I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other in to your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built in to motherboards.
Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.
Re: (Score:3)
Re:not just autorun! (Score:5, Informative)
Not really.
When you connect a USB device, Windows automatically polls information from the device, called descriptors. This is a process called enumeration. If Windows recognizes the device class (e.g. HID Keyboard), it will automatically install drivers without user intervention. So will Linux and Mac OS; it has to, otherwise when you plug in a keyboard or mouse it wouldn't work until you activated it, and how can you activate a keyboard or mouse without either one?
I'm not sure it's even possible to stop this process. The best you can do is eavesdrop on the data using a USB Sniffer to see what the device is sending for its descriptors, but by the time the sniffer sees the data it's too late.
What's worse is that you can craft special descriptors which can exploit the OS! This is how the PSJailbreak worked.
The only solution I can think of is to use an embedded host to read the descriptors without attaching it to a computer.
Re:not just autorun! (Score:5, Informative)
USB doesn't have a "one device per port" rule. You could plug in an evil USB stick, it could behave just like an ordinary storage device, and then, in the middle of the night (if the computer is still on) it could start up another device, say a "keyboard" which is preprogrammed to send you to a webpage with a known exploit or to run a program in a previously hidden directory that connects to an SSH server and gives whoever is listening at the other side shell access to your computer. This could also be hidden in an USB mouse, or a USB webcam, or absolutely anything USB.
I think I'm getting some ideas for a DIY project...
Re:not just autorun! (Score:4, Informative)
Re:Windows (Score:4, Insightful)
It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.
Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running into its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiousity, while still being protected from anything nasty that may be done.
This could also be a solution to make autorun useful AND safe.
Re: (Score:2)
Re: (Score:3)
AutoRun was removed from USB sticks in Windows XP and above.
Does Windows still have '.' at the start of the DLL loading path by default? If so, eliminating autorun doesn't necessarily help that much; you click on 'Fluffy Kitty.jpg', Windows loads some image viewer which loads some JPEG-reading DLL, and instead of getting the real one it loads the trojan version from the USB stick.
Re: (Score:3)
Re:Windows (Score:5, Informative)
The most famous example are those fuckers at U3 [wikipedia.org]. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.
They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.
Re: (Score:2)
yet (Score:5, Insightful)
The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.
You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.
Re: (Score:3)
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.
And nature has a several million year head start on engineers.
Who do you think is going to win this game?
Re: (Score:3)
Well, if it were legal for engineers incorporate electroshock feedback then we might have a fair contest.
Re: (Score:2)
But, surely government employees and contractors have been through some training that tells them to be careful with stuff like this. They get told to be careful and suspicious because they have sensitive data ... but when DHS throws a bunch of USB sticks into a parking lot, these same peo
Re: (Score:3)
Man, if you can't have idiots working for the government then the whole system would collapse!
OS trust not really the issue. (Score:4, Insightful)
Re: (Score:2)
OS trust definitely is an issue. It's exactly why Microsoft got rid of USB autorun [sophos.com] without user permission.
Granted that won't stop users from running programs, opening files, etc., but it's a start.
I dunno... (Score:2, Insightful)
The problem isn't that people are idiots...
Seems to me this is exactly the problem.
Re: (Score:2, Insightful)
Re:I dunno... (Score:5, Insightful)
Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.
You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:
- trust files that your colleague is giving you via USB
- trust a USB stick distributed as a promotion
- trust your own USB stick, if you've used it to give a presentation on someone else's computer.
Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.
What about this scenario (Score:3)
Joe (picks up stick in parking lot): Hmm, I could use an extra one of these. (tosses in desk drawer)
(next week)Sally: Hey Joe, I've got to bring some files to a meeting at the customer site. Got a spare stick?
Joe: Sure, Sally, use this one.
Now between them Joe and Sally have not only infected their own network, but also their customer's. No amount of user training provided to Sally and the customer would have been sufficient to stop this - only the OS is in a position to save the day here.
People are inher
Re: (Score:3)
Well aside from the fact that I dont usually loose medical devices on the street... How about a more fitting analogy. You are in the parking lot and see a wallet that looks like it has fallen out of someones pocket. Now do you open the wallet to see whats inside? Most people would probably say YES, for a multitude
Re: (Score:2)
Re: (Score:2)
Makes sense to me actually (Score:5, Funny)
Re: (Score:2)
People are not idiots - just different motivation (Score:5, Insightful)
The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone elses problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
Re: (Score:3)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.
Crappy opsec ends up making everything hard to do with the, usually unstated, goal of making the wrong actions harder than the right actions. That usually fails because it's super hard to figure out all of the possible wrong actions ahead of time, but users will always seek the easiest possible route.
When designing a security system yo
The problem isn't that people are idiots? (Score:2)
No, it's not the OS's fault (Score:2)
Well it's not the OS's fault unless it's a Microsoft OS, then you can go ahead and blame Microsoft if you want.
This "automatic run" stuff is a crappy idea. Even MacOS doesn't do that. So yeah, it's kind of Microsoft's fault.
But people will always be stupid. They were stupid thousands of years ago, and they are stupid today. They will be stupid a thousand years from now.
You Can't Fix Stupid (Score:3)
People are curious (Score:2)
The IT department are idiots (Score:2)
Windows 7 does not trust random USB sticks (Score:2)
But (Score:2)
Don't Antivirus and other security software disable autorun on USB hardware? I know I have some program that does.
No, the problem really is people. (Score:3)
I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.
Re: (Score:3)
I do this (Score:3)
but I put it in a linux box with no net connection. I also have my contact info on my usb stick that I use at work. I lose things a lot and have been very grateful when somebody emailed me and said they had my stick. Now the OS autorunning sticks is a terrible idea, that is blocked at my company by domain policy (on Windows workstations).
No surprise people plug found sticks in work PCs.. (Score:3, Insightful)
Social engineering (Score:3)
People are conditioned to think that USB drives aren't dangerous because 99% of the their experiences with them aren't dangerous. They are just harmless devices to store your files on.
When they see one on the ground, they will think it is that someone lost their files and they would like to see who it belongs to. It is stupid to expect people not to do this and the security should be designed around that. You don't go against human nature
Re: (Score:3)
But that aside, if you found a candy bar laying on the street, would you eat it?
Possibly, but certainly not one floating in a pool.
Re:Only one way to fix this (Score:5, Insightful)
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.
No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.
Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.
Re: (Score:3)
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.
Re: (Score:3)
Also, people who get mugged don't blame themselves. Had they stayed in door it wouldn't have happened.
It's more like people walking drunk through a bad neighborhood at night wearing a Rolex and with their wallet sticking visibly out of their pocket. That the pickpocket or mugger is to blame doesn't preclude that they too are to blame for being reckless.
Again, there's enough blame to go around. The moral dualism that many people (and especially Americans) are raised with has to go. Just because X is wrong doesn't imply that Y is right.
Re:Only one way to fix this (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Only one way to fix this (Score:4, Insightful)
It's a
Re:No, that's a job for the police! (Score:5, Insightful)
I really feel for your situation. That said, I'm still going to trust people. I trust people knowing that that trust could blow up in my face at any time; that's just a risk one takes. I will continue to trust people because without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.
Re: (Score:3, Insightful)
Re:No, that's a job for the police! (Score:5, Insightful)
You know what? Fuck that. I'm not going to let the fact that there are bad people out there make me live my life in fear. For every robber/rapist/murderer out there, there are probably between a hundred and a thousand people who just need a few minutes of your time to help with a flat tire. I'll take my chances. The world has *not* changed. You've allowed the media and a tragic event to convince you that the world has changed. There have always been bad people. There have always been good people. There have always been the vast majority of people who are just going to get along. I choose how I live my life, not some asshole who thinks a gun makes him powerful.
Doesn't mean be stupid. If the news is reporting a "Flat tire robber", maybe you want to adjust your behavior for a while, but in general I'm going to help people who need help. I've lived my life that way for 37 years and I'm not changing it now. I've lived in downtown New Orleans. I spent a year in Iraq. The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.
Re:No, that's a job for the police! (Score:5, Insightful)
I love these stories that have details that, if the story were actually true, no one would actually know.
Re: (Score:3)
Same here. Everyone you bump in asks "Hey! You got a problem or what?"
Re: (Score:2, Interesting)
Came here to post the same thing. I found a USB stick in a restaurant near a college campus. I plugged it in to see if I could identify the owner to return. Yes, I realize the dangers of accessing strange memory. Why do you think I used my computer at work rather than expose my home system?
I blame the corporate IT folks. If you don't want people using the USB ports on your computers, why do you your computers have functioning USB ports?
Re: (Score:3)
Because USB is the electrical slut. People need to be able to plug in keyboards and mice, this means there are going to be usb ports that are open. A user can simply put a usb hub in and get some more ports. Even if you disable USB mass storage there is no reason an evil USB stick could not act as a keyboard and using keystrokes download evil software.
Re:Only one way to fix this (Score:5, Insightful)
Guns and sledgehammers don't reveal their owners as a strong potential consequence of use. Hitting something with a hammer isn't going to tell you whose hammer it is. Opening "resume.doc" on a USB stick is likely to net you not only a name, but an address, e-mail, and phone number.
Re: (Score:3)
It's none of your business whose it is. Hand it to your IT-Security. First of all, they have the means to test whether it's evil (and if they're not, at least you get a good laugh out of it when they spread the infection), and they should definitely learn QUICKLY about it if some "evil dude" distributes USB keys on the sidewalk in front of your company. Second, if it was really lost by someone important and contains sensitive files, what are you going to do? Worse, what if these files somehow end up where t
Re:Only one way to fix this (Score:5, Funny)
Judging by the contents of my own key drives, there is almost never any user-identifiable information on these things. Any "I was just trying to see who's it was" argument is probably just cover for "I wanted a free key drive and didn't think to format it before I used it..."
Judging by the content of my own key drives, most people watch too much porn.
Re:Only one way to fix this (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
I worked for the USG and the computer would not let you connect a USB drive that wasn't owned by that agency (and all the USB drives were encrypted to NIST standards), or read or write a CD/DVD.
Re: (Score:3)
Considering that what you propose is near impossible, I am going to side with them. Imagine this, on the inside of the USB stick there are a bunch of caps charging from the 5v line and discharging onto the data lines. So how do you avoid running that "malware"?
Re: (Score:3)
No harm can come to a computer from having the 5v lines get shorted to D+ or D-.
Having a high voltage boost circuit and enough capacitor to do serious damage would result in a physically HUGE stick.
If you short +5v and ground, most USB host chipsets have current limiters and soft-breakers built-in.
Re: (Score:3)
rm -rf /lib/modules/$kernelnumber/kernel/drivers/usb/storage/*
Or put the the USB storage driver in /etc/modules/blacklist (I prefer this method, since I doesn't require any extra effort on kernel upgrades, but our IA guy wants teh drivers completely gone, so we do the first)
On Windows I don't know the procedure, but I definitely know you can do it. DOD disables USB storage (but not all USB devices) on every computer it owns. It's a pretty trivial procedure in Linux, and not any harder in Windows; and yo
Re: (Score:3)
These are not solutions. USB devices come in more than just Storage flavors. What if I design my usb "key" to instruct the host machine that I am a "sound card" and I abuse a sound card driver bug?
Sounds crazy right? Except that exact behavior has been done on none other than: Linux.
See: CVE-2011-0712
Re: (Score:3)
Again, FTFA: "And if the drive or CD had an official logo on it, 90% were installed."
The USER installed the crap! The system is helpless against PEBKAC.
Re: (Score:3)
IN my life, I ahve misplaced my wallet twice, and my wife left her purse behind once.
IN all three case, the items where mailed to us from people who happened to find them.
Overall most people are decent people who intend to do the right thing. Crime statistics also reflect that.
Re: (Score:2)
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in
I'm surprised no one in the sandbox has tried IEDs like this.. Or at least no declassified or wikileaked reports, so far. Maybe it depends on the audience, soldiers aren't dumb enough, but cube dwellers are?
Re: (Score:2)
USB sticks are kinda small for a good bang. A dvd player or another piece of portable electronics would be far better.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
If you can figure out how to do that in USB, it's worth a lot more than teaching people a lesson about security. (I suppose you could do some of it with a trojan, but that's cheating.) Sadly, USB isn't FireWire.
Re: (Score:2)
Re: (Score:3)
The main problem(outside of environments where "Security" is taken seriously enough that IT has carte blanche to do whatever they deem necessary) is that USB mass storage devices are So. Damn. Useful. In my Admin-hat capacity, I could disable ac
Re: (Score:2)
I'm thinking no software at all . . . capacitor and charge pump with a usb plug, made to look like a USB storage device. Capacitor charges from power pins, then discharges to power and data pins. All this happens while the user is still going "What's wrong with this thing?"
The problem, of course, is that destroying hardware doesn't accomplish much that is of value. Collecting data is far more useful.
Re: (Score:2)
Already exists. Small USB drive enclosure bombs that use the power pins to ignite a small quantity of black powder / blasting cap & plastic explosive. Certain to at least maim an individual considering the proximity of their hand to the explosives. I've not seen any instance of this in any World Police countries, yet...
Dropping a few hundred of these in a city would spread a decent amount of terror. You'd only be able to do it once, the public would learn not to trust the USB drives they find.
H
Re: (Score:3, Funny)
Re: (Score:2)
WTF ?
60% of the people use those randomly found USB keys in their office computer, and if the icon was official looking, 90% of them installed the applications found on it... What a good trojan attack!
Re: (Score:3)
1) They picked up USB Sticks laying on the ground. I dunno about them, but my mommy always said I shouldn't do that. And she was right in this case!
2) They put this USB stick into their office computer INSTEAD OF informing their security department (ok, that is an assumption, if they did and their CSO said "go ahead", he's not only an idiot but he should be fired. Out of a howitzer).
3) They executed software on a foreign USB stick they found on the ground. Aside of the question why they had the privileges t
Re: (Score:2)
This is true. Employees shouldn't be able to harm the company or government computers, or expose sensitive company/government data.
Also, people who try to do that should be penalized. It doesn't have to be much, but you must raise awareness that such actions can do a lot of damage.
Re: (Score:2)
Re: (Score:2)
Just because it's tedious doesn't mean the admin doesn't have a responsibility to do it.
Re: (Score:3)
Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.
According to KB 967715 [microsoft.com] it can be done in 2000/XP/2003 and newer via GPO's in the domain.
Re:Dumb story (Score:5, Insightful)
Part 1
http://www.youtube.com/watch?v=q6UIrdLAkFM [youtube.com]
Part2
http://www.youtube.com/watch?v=osF6FS2KS_E [youtube.com]
Rule #1 -- If you're going to narrate a video, get a personality. Seriously, I had to turn it off after the first minute because it was so boring.
Re: (Score:3)
A lot of governments and corporations block Dropbox and the like as these services are hosted in the USA. Patriot act strikes again.