Security

Yet Another "People Plug In Strange USB Sticks" Story 639

Posted by CmdrTaco
from the gets-me-going dept.
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

  • >> The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks." Couldn't it still be a little of both?
    • You're right, the problem is that people (read: IT staff) trust an OS which trusts random USB sticks OR are too dumb to configure it correctly.
      • Re:hrmmph.. (Score:4, Informative)

        by Shadow99_1 (86250) <{theshadow99} {at} {gmail.com}> on Wednesday June 29, 2011 @12:38PM (#36612572)

        Yes, it's always because IT 'trusts' the OS... It has nothing what-so-ever to do with management complaining in the 'you're about to be fired!' fashion if they can't simply plug in x device at their whim... As an admin my job was to make things as secure as I could, without pissing off the people writing my paycheck. Just as I have to leave the OS to automatically access USB devices, so too the OS must trust these devices because otherwise the people with the money get pissy.

  • No... (Score:3, Insightful)

    by Anonymous Coward on Wednesday June 29, 2011 @11:30AM (#36611518)

    The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.

    • If you want a machine you can make perform in the manner you want it to, you have to have an OS that trusts you. It would irritate the hell out of me to be asked "Is this a device you trust?" every damned time I use one.
  • Windows (Score:5, Insightful)

    by Kagetsuki (1620613) on Wednesday June 29, 2011 @11:31AM (#36611526)

    AutoRun!

    But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

    • by gstoddart (321705)

      But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

      I couldn't agree with this more ... I've always hated the fact that Microsoft (in their on-going attempt to pander to drooling idiots) has set it up by default so that it will pretty much run anything that comes near it, without asking the user or any level of assumption th

    • not just autorun! (Score:5, Interesting)

      by Anonymous Coward on Wednesday June 29, 2011 @11:39AM (#36611656)

      autorun is NOT the only problem.
      The most insidious thing I have seen in this department is little USB sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On Windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.

      • by KhabaLox (1906148)

        That's pretty clever. Insidious, but clever.

      • by h4rr4r (612664)

        DO NOT PLUG IN UNKNOWN HARDWARE.

        A USB device can be anything, not just mass storage. Also, do not fucking log in as admin.

        • Re: (Score:3, Insightful)

          by cvtan (752695)
          If you go to the store and buy a new USB flash, isn't that still an unknown device? I have tried not being the admin on my home computer and it just doesn't work. Lots of things require admin status to install (my wife's TaxWise tax prep program for example). When I worked at Kodak they ended up giving many engineers and scientists admin privileges because we were constantly bugging IT about installing drivers for strange image processing hardware, National Instruments software, programming environments
          • by Dynedain (141758)

            Right click -> run as admin

            Then you don't need to always be admin when using your computer, but still get access to it as needed when installing things.

      • by linebackn (131821) on Wednesday June 29, 2011 @01:27PM (#36613222)

        Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?

        I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other in to your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built in to motherboards.

        Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.
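        A defender-side check for the question above (only accept a plain mass-storage drive, flag sticks that also enumerate as a keyboard or carry a fake CD-ROM like U3), as an added example that is not from this thread or from any product. The USB class codes are the real USB-IF values; the three sample devices are constructed, and the per-LUN device types stand in for what a SCSI INQUIRY would return.

```python
# Added example, not from the thread: a descriptor-level allowlist for a USB
# "drive". Accept a device only if every USB interface is plain bulk-only SCSI
# mass storage and every SCSI logical unit reports itself as a disk. Class codes
# are the real USB-IF values; the sample devices below are constructed.
from dataclasses import dataclass

CLASS_HID = 0x03            # keyboards and mice
CLASS_MASS_STORAGE = 0x08
SUBCLASS_SCSI = 0x06        # SCSI transparent command set
PROTO_BULK_ONLY = 0x50      # bulk-only transport
PDT_DISK = 0x00             # SCSI INQUIRY peripheral device type: direct access
PDT_CDROM = 0x05            # CD/DVD; what a U3-style "CD" partition reports

@dataclass
class Device:
    product: str
    interfaces: list   # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    lun_types: list    # INQUIRY peripheral device type per logical unit

def classify(dev):
    """Return (allowed, reasons); allowed is True only for a plain disk."""
    reasons = []
    if not dev.interfaces:
        reasons.append("device exposes no interfaces")
    for n, (cls, sub, proto) in enumerate(dev.interfaces):
        if cls == CLASS_HID:
            reasons.append(f"interface {n} is HID: it can inject keystrokes")
        elif cls != CLASS_MASS_STORAGE:
            reasons.append(f"interface {n} is class 0x{cls:02x}, not storage")
        elif (sub, proto) != (SUBCLASS_SCSI, PROTO_BULK_ONLY):
            reasons.append(f"interface {n} is storage but not SCSI bulk-only")
    if len(dev.interfaces) > 1 and not reasons:
        reasons.append("composite device with several storage interfaces")
    for n, pdt in enumerate(dev.lun_types):
        if pdt == PDT_CDROM:
            reasons.append(f"LUN {n} is an emulated CD-ROM (autorun target)")
        elif pdt != PDT_DISK:
            reasons.append(f"LUN {n} reports device type 0x{pdt:02x}, not a disk")
    return (not reasons, reasons)

# Constructed samples: a plain stick, a U3-style stick whose second LUN is a
# fake CD-ROM, and an "advertising" stick that also enumerates as a keyboard.
SAMPLES = {
    "plain": Device("Flash Disk", [(0x08, 0x06, 0x50)], [PDT_DISK]),
    "u3": Device("U3 Cruzer", [(0x08, 0x06, 0x50)], [PDT_DISK, PDT_CDROM]),
    "promo": Device("Promo Drive", [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)], [PDT_DISK]),
}

def audit(samples=SAMPLES):
    """Return {name: allowed}, printing one verdict line per device."""
    verdicts = {}
    for name, dev in samples.items():
        allowed, reasons = classify(dev)
        verdicts[name] = allowed
        print(f"{name:6} {'ALLOW' if allowed else 'BLOCK'} {'; '.join(reasons)}")
    return verdicts

if __name__ == "__main__":
    audit()
```

On a real host the interface tuples come from the configuration descriptor (lsusb -v or sysfs) and the LUN types from INQUIRY, so the check sees the U3 CD-ROM only once the storage driver has enumerated the LUNs.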

    • Re:Windows (Score:4, Insightful)

      by wvmarle (1070040) on Wednesday June 29, 2011 @11:41AM (#36611678)

      It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.

      Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running in its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiosity, while still being protected from anything nasty that may be done.

      This could also be a solution to make autorun useful AND safe.

    • AutoRun was removed from USB sticks in Windows XP and above.
      • by 0123456 (636235)

        AutoRun was removed from USB sticks in Windows XP and above.

        Does Windows still have '.' at the start of the DLL loading path by default? If so, eliminating autorun doesn't necessarily help that much; you click on 'Fluffy Kitty.jpg', Windows loads some image viewer which loads some JPEG-reading DLL, and instead of getting the real one it loads the trojan version from the USB stick.

      • by Culture20 (968837)
        Partially correct. A patch for Windows XP and above was recently released that finally disabled autorun as an important patch (so it would auto install if people have auto update enabled). If someone plugs an infected USB disk into an unpatched machine, it still works.
      • Re:Windows (Score:5, Informative)

        by fuzzyfuzzyfungus (1223518) on Wednesday June 29, 2011 @12:24PM (#36612354) Journal
        Unfortunately, while this does preclude the lowest form of hackers, the ones with firmware-level access can still do their thing...

        The most famous example is those fuckers at U3 [wikipedia.org]. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.

        They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.
  • yet (Score:5, Insightful)

    by arth1 (260657) on Wednesday June 29, 2011 @11:31AM (#36611528) Homepage Journal

    The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.

    You can never make systems fully foolproof through technology, and Bruce of all people should know this.
    It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

    • It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

      And nature has a several million year head start on engineers.

      Who do you think is going to win this game?

      • by KhabaLox (1906148)

        Well, if it were legal for engineers to incorporate electroshock feedback then we might have a fair contest.

    • by gstoddart (321705)

      You can never make systems fully foolproof through technology, and Bruce of all people should know this.
      It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

      But, surely government employees and contractors have been through some training that tells them to be careful with stuff like this. They get told to be careful and suspicious because they have sensitive data ... but when DHS throws a bunch of USB sticks into a parking lot, these same peo

  • by kermyt (99494) on Wednesday June 29, 2011 @11:31AM (#36611536) Homepage
    You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.
  • I dunno... (Score:2, Insightful)

    by mswhippingboy (754599)

    The problem isn't that people are idiots...

    Seems to me this is exactly the problem.

    • Re: (Score:2, Insightful)

      by creat3d (1489345)
      My thoughts exactly. The OS shouldn't have to realize if a USB stick is legit and belongs there... people should realize you don't pick up a stick in a parking lot and put it in your computer, which may or may not hold for-your-eyes-only information. It's like telling an adult they shouldn't pick up a syringe in a park and stick it in their arm.
      • Re:I dunno... (Score:5, Insightful)

        by djmurdoch (306849) on Wednesday June 29, 2011 @12:44PM (#36612658)

        Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.

        You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:

          - trust files that your colleague is giving you via USB
          - trust a USB stick distributed as a promotion
          - trust your own USB stick, if you've used it to give a presentation on someone else's computer.

        Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.

      • Joe (picks up stick in parking lot): Hmm, I could use an extra one of these. (tosses in desk drawer)
        (next week) Sally: Hey Joe, I've got to bring some files to a meeting at the customer site. Got a spare stick?
        Joe: Sure, Sally, use this one.

        Now between them Joe and Sally have not only infected their own network, but also their customer's. No amount of user training provided to Sally and the customer would have been sufficient to stop this - only the OS is in a position to save the day here.

        People are inher

      • "people should realize you don't pick up a stick in a parking lot and put it in your computer"... "It's like telling an adult they shouldn't pick up a syringe in a park and stick it in their arm."

        Well aside from the fact that I don't usually lose medical devices on the street... How about a more fitting analogy. You are in the parking lot and see a wallet that looks like it has fallen out of someone's pocket. Now do you open the wallet to see what's inside? Most people would probably say YES, for a multitude

    • no, problem is admins not having turned on the correct settings to make it impossible for users to be stupid. they will only do so once something big happens.
    • I'm sure you've never plugged in an unknown USB device, but for the other 99.9% of people, it will probably happen. That doesn't make them idiots.
  • by dyingtolive (1393037) <brad.arnett@NOspam.notforhire.org> on Wednesday June 29, 2011 @11:36AM (#36611612)
    Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!
    • by dingen (958134)
      That's exactly what I was thinking. I wouldn't insert some random device into my own laptop, but I wouldn't hesitate a second to plug it into a computer at work. The worst thing that could happen is IT gets me a new PC. Actually, that's the best case scenario.
  • by ugen (93902) on Wednesday June 29, 2011 @11:38AM (#36611644)

    The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)

    People are not idiots, they just have their own objectives that are not very well aligned with yours.

    • People are not idiots, they just have their own objectives that are not very well aligned with yours.

      I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.

      Crappy opsec ends up making everything hard to do with the, usually unstated, goal of making the wrong actions harder than the right actions. That usually fails because it's super hard to figure out all of the possible wrong actions ahead of time, but users will always seek the easiest possible route.

      When designing a security system yo

  • YES, THEY ARE! As someone who worked as a security engineer, the biggest threat to the network wasn't an external threat, that is fairly easy to prevent if you know what you are doing and don't be cheap about it. It is however hard to prevent your employees from doing something dumb. Clicking on links in emails, connecting laptops to their home networks riddled with viruses, plugging in USBs that they don't know where they came from! I mean yes, you could lock down USB drives so that you can read or write t
  • Well it's not the OS's fault unless it's a Microsoft OS, then you can go ahead and blame Microsoft if you want.

    This "automatic run" stuff is a crappy idea. Even MacOS doesn't do that. So yeah, it's kind of Microsoft's fault.

    But people will always be stupid. They were stupid thousands of years ago, and they are stupid today. They will be stupid a thousand years from now.

  • by LifesABeach (234436) on Wednesday June 29, 2011 @11:47AM (#36611770)
    I've made a comfortable living consoling the computers of owners that are stupid.
  • Autorun is bad..very bad!
  • Where I work, all the USB ports are disabled. The most you can hope from plugging anything into them is a recharge. If you *really* need to use a USB stick, you get an encrypted one from in house and your local permissions are tweaked to allow just that model and not much else. Plus you get a very clear message that if a virus does get onto the system, you're in a world of trouble, possibly dismissal.
  • Autorun is disabled (might not be out of the box... might need Windows Update patches). And you can disable it in any other Windows OS where it is enabled by default.... so the problem is the IT department is not properly securing their network with existing OS controls against USB sticks.
  • by rossdee (243626)

    Don't Antivirus and other security software disable autorun on USB hardware? I know I have some program that does.

  • by meerling (1487879) on Wednesday June 29, 2011 @11:53AM (#36611882)
    Even before USB based storage was on the market, people were still infecting computers with their junk. Even supposedly 'isolated' computers that had the media drives removed, and with non-worms. The only common denominator was humans doing something that was against policy. So, no - it's not the specific technology, yes - the problem is people.

    I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.
    • by dingen (958134)
      If people are constantly breaking policies, the problem is that the policies are incompatible with human behavior. You can't expect people not to check out a floppy disk / CD-ROM / USB drive / attachment / link / whatever, because people are curious. You cannot ignore that fact or try to make people into something they are not. When designing a work environment, you have to take human behavior into account, or it will be broken all the time and thus be utterly useless.
  • by WhiteDragon (4556) on Wednesday June 29, 2011 @12:12PM (#36612202) Homepage Journal

    but I put it in a Linux box with no net connection. I also have my contact info on my USB stick that I use at work. I lose things a lot and have been very grateful when somebody emailed me and said they had my stick. Now the OS autorunning sticks is a terrible idea, that is blocked at my company by domain policy (on Windows workstations).

  • by NeverNow (611234) on Wednesday June 29, 2011 @12:32PM (#36612472)
    ...why would they want to put their home systems at risk?
  • by brainzach (2032950) on Wednesday June 29, 2011 @12:46PM (#36612682)

    People are conditioned to think that USB drives aren't dangerous because 99% of their experiences with them aren't dangerous. They are just harmless devices to store your files on.

    When they see one on the ground, they will think that someone lost their files and they would like to see who it belongs to. It is stupid to expect people not to do this and the security should be designed around that. You don't go against human nature
