Author Topic: Cyberattacks using USB hardware as a vector

mtnbkr

Cyberattacks using USB hardware as a vector
« on: March 08, 2010, 04:02:37 PM »
A while back, I made a comment about not being so quick to jump on every attractive gadget that came by because they might be nothing more than malware with attractive packaging.  Here's another example of that:

http://www.computerworld.com.au/article/338752/energizer_bunny_software_infects_pcs/

True, the virus came via the software portion, but it was still part of an otherwise attractive and commercial toy.  It wasn't an infected email or download, but a shrink-wrapped product from a brick and mortar store...

Chris

Marnoot

Re: Cyberattacks using USB hardware as a vector
« Reply #1 on: March 08, 2010, 04:09:53 PM »
It's certainly always a possibility. That's why I took precautions when I first tried out my cheap Chinese video camera; never know what you might get.

mtnbkr

Re: Cyberattacks using USB hardware as a vector
« Reply #2 on: March 08, 2010, 04:10:15 PM »
Read in the Slashdot Comments:


Quote
Another commenter notes that the language code of the trojan is Chinese.

I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state who is known to employ hackers.

Chris

mtnbkr

Re: Cyberattacks using USB hardware as a vector
« Reply #3 on: March 08, 2010, 04:12:41 PM »
Another comment worth considering:

Quote
Some time back, when USB chargers started to appear at airports, I warned that this might happen. A public charging port is such an attractive attack vector.

Of course, the real problem is Windows's "autorun". It was a truly awful idea to have Windows run any executable that appears on any removable device or medium. That went in (in Windows 95, I think) when CDs were only manufactured by major vendors, before home CD writers or USB storage devices. So it probably seemed "safe" at the time.

Chris

RevDisk

Re: Cyberattacks using USB hardware as a vector
« Reply #4 on: March 08, 2010, 04:55:36 PM »

Yea, that's been a trick for quite some time.  Salt the area around a business with thumb drives with something special for autorun. 

Best way to test something is a clean Windows virtual image.  Makes it ridiculously easy to noodle out what the malware is trying to accomplish.
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

Nick1911

Re: Cyberattacks using USB hardware as a vector
« Reply #5 on: March 08, 2010, 05:27:31 PM »
Quote
Yea, that's been a trick for quite some time.  Salt the area around a business with thumb drives with something special for autorun.

Mmm.. road apples.

Been there, done that.  :angel:

RevDisk

Re: Cyberattacks using USB hardware as a vector
« Reply #6 on: March 08, 2010, 06:01:54 PM »

My favorite was when a pen test crew tried that.  Someone *cough* collected up all of the flash drives, formatted them in a sterile Linux VM, and when the pen test company asked for them back...  "What flash drives...?"

 =D

Nick1911

Re: Cyberattacks using USB hardware as a vector
« Reply #7 on: March 08, 2010, 06:04:32 PM »
Quote
My favorite was when a pen test crew tried that.  Someone *cough* collected up all of the flash drives, formatted them in a sterile Linux VM, and when the pen test company asked for them back...  "What flash drives...?"

 =D

That would be why I used CD-R's.

With "HIST141 Final exam, Ver 2" written on it.

 :angel:

Leatherneck

Re: Cyberattacks using USB hardware as a vector
« Reply #8 on: March 09, 2010, 11:44:57 AM »
For about the last year there's been a complete ban on USB devices throughout DoD. Just last month Stratcom partially lifted the ban for USGOV-owned flash devices. Huge pain when work involves presentations or briefing at other than home base.

TC
RT Refugee

Phantom Warrior

Re: Cyberattacks using USB hardware as a vector
« Reply #9 on: March 09, 2010, 05:12:52 PM »
Quote
For about the last year there's been a complete ban on USB devices throughout DoD. Just last month Stratcom partially lifted the ban for USGOV-owned flash devices. Huge pain when work involves presentations or briefing at other than home base.

TC

<DOIM>Just burn it to a CD!</DOIM>
(Or whoever the proponent for that policy was...)

Brad Johnson

Re: Cyberattacks using USB hardware as a vector
« Reply #10 on: March 09, 2010, 05:42:07 PM »
10gb presentation copied to a flash drive, 10 minutes.  10gb presentation burned to Blu-Ray, half hour.  Then you must have a machine with a BR drive to run the presentation.  I doubt that everyone is sporting a BR-ready machine just yet, especially in the .gov or .mil.

It's not hard to have a 10gb presentation when dealing with corporate level (or upper-echelon.gov level) settings.  A bunch of large image files, couple of video clips, sound files, etc, and you can hit that number pretty quick.

Brad
« Last Edit: March 09, 2010, 05:50:30 PM by Brad Johnson »
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB