| 1. |
Solve : USB security risk is going up.? |
|
Answer» The USB security risk is going up. All right, this is not a scandalous headline about something that happened just yesterday. But it is a trend that has been increasing this past year and may soon affect a computer near you. Please bear in mind that anything that plugs into your USB port is a USB device. And capable of harming your computer experience. At the end of this rant I have some recent news stories that have appeared in the media. And besides these, there is a little column in the new issue of Computerworld that basically says the same thing.

Here's what you need to remember. Application-specific integrated circuits (ASIC) are becoming very very small. Like smaller than your fingernail on your little finger. Some of these devices can now be mass-produced for just a few dollars. I mean less than three dollars in reasonable quantities. Anybody who makes any kind of USB gadget that sticks into your USB port COULD incorporate one of these in the device and take advantage of Windows auto play function to start this thing up. And don't tell me your computer doesn't do it. If you want one, I'll mail one that goes into your USB port and you won't be able to stop it from coming up and doing something you didn't expect. Unless, of course, you have a hammer and smash the thing before it finishes its job.

Now here are the citations I promised.

Quote USB devices are handy ways to transport information -- and trouble, according to a recent survey of more than 10,000 small businesses. Panda Security, which conducted the research, estimates a whopping 25 percent of malware today is developed to disseminate through the use of USB devices.

Quote A reported ban by the U.S. Army on USB devices underscores the growing prevalence of USB-based malware. Researchers at Symantec say they have observed an increase in USB security threats going back at least a year.

Some of this info also can be found on the Symantec web site.
Just Google Symantec Swiss Army Knife. After you get off the floor, please leave a comment.

First, this is hardly news at all. Although to be fair you didn't put it in the news section.

Autorun, as I'm sure you are aware, was originally designed without any concept of security. You may think "well, golly gee, that's stupid". But considering in 1994 WORM drives were several thousand dollars and CD-ROM, a read-only, unchangeable format, was the only type of removable disk it was aimed at, any such "security" would have been extraneous. They couldn't have possibly seen the advent of USB drives (which I might add require special drivers in win98SE and don't autoplay anyway, making it sort of moot). Of course now you can make CD-R's that have auto-run's that can automatically pass along malware to a win98 or whatever machine since they were designed before writable CD's were even close to being affordable.

Quote The USB problem isn't an autorun problem at all. It's a problem of trust. There could be any sort of specially crafted file on that USB device that some program is going to scan, and get the idea that it should automatically parse its contents simply because of its name. Without an autorun.inf, of course, nothing happens at all.

When you plug in a USB drive, if it has a valid autorun.inf, you get a dialog on XP, Vista, and 7. For example, let's say this is the autorun.inf:

Code:
[AutoRun]
OPEN=C:\windows\system32\cmd.exe
ACTION=PAWNZ0R YOUR MACHINE
LABEL=Pawnz0r'd drive

The Windows XP, Vista, and Windows 7 Autoplay dialogs that result are shown below. I couldn't get windows 2000 to even recognize the USB drives and I'm too lazy to fix it... I think that OS more or less treats it like Windows 98, but I don't remember.

Windows XP:

Windows Vista:

Actually, as a matter of fact, this was generally what would appear with Conficker infected flash drives; of course instead of being direct and saying "PAWNZ0R your machine" it was actually something like this: .
An analysis of Conficker's Autorun.inf can be found here; Basically, it's not a USB security issue at all; nothing is being done automatically. Clearly, there are two options there that are the same; the first runs the conficker infector, the second really opens the drive for display. The latter does not result in an infection at all; of course if you unplug and replug it in again or plug it into another machine it will still show the same prompt and eventually unless somebody starts to inquire as to why there are two of the same item there they might run the first one and infect themselves, which of course makes the worm resident which proceeds to infect any writable drives with the same infection information, and so forth.

The key here is that despite your allegations to the contrary nothing is being done automatically, except of course for the display of the autorun prompt that was created entirely to address the growing concerns over how control can be simply handed off to a program via autorun.inf without user interaction. (Also, I might point out that irregardless of all this holding down shift while inserting a removable device or DVD or CD disables autorun entirely.)

Despite my note to the contrary above, there is no windows 7 autorun prompt. There is no special configuration here; I just checked, I have all the autoplay options enabled. Turns out that autorun.inf does not work in windows 7 anymore. From what I can tell, it does read the disk though, judging from running process monitor while plugging the device containing the aforementioned "pawnz0r" autorun.inf:

So, it does look at the drive, read the autorun.inf, and then, it does nothing.
I imagine that autorun-enabled programs can hook the autoplay routines in some way here (much as win95 could start CD player when you inserted an audio CD automatically, I think there was an exploit that fooled win95 into running something else using specially crafted data tracks on mixed-mode data/audio disc, but I'm not sure); important to note is that nothing is executed. cmd.exe never appears; no errors are displayed, the autorun.inf is, for all practical purposes, ignored. It would appear that while some legacy bit of code is still reading it, rather than trust the device to say how to "autoplay" it, instead Win7 goes around asking if the various installed autoplay handlers recognize the device. Of course, since autoplay and autorun are completely different, autorun has essentially been obsoleted.

Before Windows executes anything specified in autorun.inf, it prompts you. It requires user interaction. It becomes a question of trust by the user and not one of an inherent security flaw in the OS.

Thank you BC. On this laptop I have XP pro running. I plug in a USB device and it starts a program. Even while I am doing something. But this program is not malicious, but it is intrusive and wants my attention. But there is no polite prompt asking if I want to run this program. It does have an auto run file. How do I turn off the auto run? Now other USB devices I have bring up a polite thing that asks what I want to do. Not this thing. It runs anyway. And I can not remove the program from the device. It is not really a USB flash drive, but it has some behaviors like a flash drive. As I mentioned earlier, these devices can have an ASIC instead of pure flash memory. There is no easy way to know what it has in it. I can not format or erase the thing, just remove some files in certain directories. BTW, it came from China.

Quote from: Geek-9pm on December 09, 2010, 01:07:09 AM
Thank you BC.

Those aren't handled by either autorun or autoplay.
Sounds like it's managed by a piece of software that is installed. Saying you have a "USB device" is rather vague. You don't mention what kind of device it is, just that it uses a different kind of memory, it's hard to know what is on it, and you can't format or erase it. You could very well be talking about a Mac OS System 7 boot disk for all I know, excepting the bit about it being a USB device.

Also, many U3 smart enabled devices are different. It uses some sort of device-level protocol or something, I don't know: http://en.wikipedia.org/wiki/U3

Could somebody craft a device that has this "U3 Smart" technology intended to be malicious? Of course. Just as somebody could infiltrate a hard drive company and insert malicious data into the boot sector or something. Whether it's economically feasible is another, and the country of origin is largely irrelevant.

Apparently it is the device you mentioned. I didn't know that Microsoft had done that. The thing I have is called a photo-frame. The display area is just 1.5 inch diagonal. It is for your key-chain. Holds 50 tiny JPG photos. Used by proud Grandparents to show pix of the new child. Does a slide show or one at a time. It costs about $10 and up retail in some places here in the USA. Here is a picture of my photo frame with my grand child. http://geek9pm.com/jpg/grad-child.jpg |
|
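An added example, not part of the thread or any poster's code: a small Python auditor for the autorun.inf format discussed above. It flags keys that launch a program and an ACTION label that imitates Windows' own AutoPlay entry, the duplicate-entry trick described for Conficker-infected drives. The lure phrase list and the second sample file are assumptions constructed for illustration.

```python
import re

# [autorun] keys that hand control to a program once the user accepts the prompt.
EXEC_KEYS = {"open", "shellexecute"}
# Assumed phrases that imitate the built-in AutoPlay "open folder" entry.
LURE_PHRASES = ("open folder to view files", "open folder")

def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit_autorun(text):
    """Return a list of (severity, message) findings for one autorun.inf."""
    findings = []
    entries = parse_autorun(text).get("autorun", {})
    for key, value in entries.items():
        # shell\<verb>\command adds a context-menu verb that runs a program.
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            findings.append(("high", f"{key} runs: {value}"))
    action = entries.get("action", "")
    if action and any(p in action.lower() for p in LURE_PHRASES):
        findings.append(("high", "action text imitates a built-in AutoPlay entry"))
    elif action:
        findings.append(("info", f"custom AutoPlay entry: {action}"))
    return findings

# The file quoted in the thread, followed by a constructed look-alike variant.
THREAD_SAMPLE = ("[AutoRun]\nOPEN=C:\\windows\\system32\\cmd.exe\n"
                 "ACTION=PAWNZ0R YOUR MACHINE\nLABEL=Pawnz0r'd drive\n")
LOOKALIKE_SAMPLE = ("[autorun]\n; constructed sample, not from a real drive\n"
                    "shellexecute=setup.exe\naction=Open folder to view files\n")

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("lookalike", LOOKALIKE_SAMPLE)):
        for severity, message in audit_autorun(sample):
            print(f"{name}: [{severity}] {message}")
```

Run it against the autorun.inf read from a removable drive before opening the drive in Explorer; a drive that carries only label= or icon= entries produces no findings.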