Do: use flash drives. Don't: use the ones you find on the street
You read Engadget, so you're probably smarter than the next guy when it comes to tech -- unless you're reading Engadget in a room full of nerds or something. So it probably goes without saying that if you picked up a USB flash drive off the street, you wouldn't risk compromising your machine, network, or employer's network by just plugging it in willy-nilly, would you? Well, if only the rest of the world were as smart as you, friend; according to a recent Secure Network Technologies Inc. audit of a client credit union, 100% of the trojan-laden, password-collecting, network-compromising USB flash drives they planted outside the client's building were unwittingly plugged in and used, infecting their respective host machines. Should you go sounding alarms throughout your own company about the dangers of thumb drives? No, of course not, but it's probably safe to say end-user security begins with clamped-down operating systems and aware, diligent employees -- so what else is new?

[Thanks to everyone who sent this in]
Reader Comments (Page 1 of 2)
lolersticks @ Jun 10th 2006 4:14AM
Hold.
Down.
Shift.
Dammit, it's a one-step, three-word process. Learn it, love it, and be protected by it, people.
dhruv @ Jun 10th 2006 4:14AM
thats news ??? i hope that engadget readers are smart enough 2 figure that out
newayz thanx 4 the public interest issue. i will have 2 keep my eyes open though. how come i never find flash drives on street corners. oh yeah thats coz half of india doesnt even have computers. lol
0bliv!on @ Jun 10th 2006 4:37AM
curiosity (or greed?) killed da comp...
soopergooman @ Jun 10th 2006 4:40AM
I use an armada v300 for any sticks cards i find. It's basically collecting dust. then just reformat the mem devices. glad to see comments back.
Carsten Otto @ Jun 10th 2006 4:54AM
I guess this is a Windows-only problem?
Keith @ Jun 10th 2006 5:04AM
im assuming the virus is for windows... so if you put the flash drive into a mac and then formatted it with the mac file system then plugged it into a pc and formatted it fat 32 or ntfs would it then be safe for a pc???
DarkFader @ Jun 10th 2006 5:10AM
I don't doubt it's impossible but...
Not many are able to create a working hardware driver exploit. Not counting blue-screens or the ones requiring special software to trigger it.
threefingeredlord @ Jun 10th 2006 5:32AM
Meh, id just plug it in to my linux pc, or give it to someone i hate as a present. Im so kind...
Alex @ Jun 10th 2006 5:45AM
It's like finding a needle on the street and injecting yourself with it - you might get a disease, but then again you might not
PAStheLoD @ Jun 10th 2006 6:55AM
Use some kind of anti-virus solution, when xp asks what to do with the just plugged-in flash-stick, say go-to-hell and use total commander, to examine its content. maybe free pr0n, maybe badass viruses.
Christopher @ Jun 10th 2006 7:04AM
Maybe this is a recent thing (autorun on USB flash drives) that I haven't encountered...
When I *tried* to create autorun (an autorun.inf file that worked successfully on a CD) on a USB memory key about half a year ago, it wouldn't boot on ANY windows computer I tried. I believe that the USB keys in this test did not have autorun on them.
Holding down shift doesn't work half the time - (correct me if I'm wrong) try putting a Windows CD into your computer. It should autorun regardless of the shift key. Copying the autorun.inf file from the CD (or examining its contents) should provide information on how to autorun things anyway.
But autorun isn't the issue... the people physically *clicked* on the executable (knowingly) which was labelled Valentines day Specials... etc.
Also... you are late with this story... both Slashdot and Techdirt had it a couple of days in advance.
neosam @ Jun 10th 2006 7:59AM
Ha Ha, i have to admit that i was stupid enough to do that
actually, i found a usb flash drive in a classroom, in my college, just under my shoes
i pick it up, plug it into my laptop, found some pics and discover a moran with his gf half naked haha
that day, i had a really nice lecture! ;-)
dude @ Jun 10th 2006 8:28AM
I would, because I don't have to worry about viruses. Mac rules yay
ssleb @ Jun 10th 2006 8:33AM
Just take it to an internet cafe and see what's on.
Alex K. @ Jun 10th 2006 8:37AM
someone should make a small USB device that you can plug in USB flash drives into and just automatically wipe them. and that would be that.
Derrick @ Jun 10th 2006 10:02AM
Quick, tell me where I can pick one. I will plug it into my Ubuntu Linux and get a free flash drive. :)
Andymoorehouse @ Dec 31st 2007 7:18AM
Really?
a flash drive with Ubuntu? Im very surprised at that.
I got fed up with XP crashing on me and installed Ubuntu on my PC.
I found Ubuntu generally quite good, however when I plugged in my flash drive to my surprise I could;
Take my wife and kids out for the weekly shop, bring back the groceries unpack and stock the shelves.
I could also take the dog to the local park, throw him in the pond bring him home bathe him, dry him off, have my lunch then return to my PC and guess what?
I only had to wait another 10 minutes for Ubuntu to read the contents of my flash drive and display a message telling me that it was empty!
Flash drive and Ubuntu? Don’t make me laugh!!!!
Simon @ Jun 10th 2006 10:12AM
Any corp should have AV soft running that would just deny those files to be executed. So I think it's the fault of the lazy admins, not that of the curious employees.
Curiosity is what made us evolve. If you stop being curious you could just as well stop living at all.
RJR @ Jun 10th 2006 10:43AM
Very insightful comment about Macs, Leo. It was so witty, that I thought I would come up with one all by myself:
"leos are gay. they wouldn't exist had their parents' not decided to get it on that night."
It's just that easy to sound like a moron.
G Money @ Jun 10th 2006 10:46AM
i found a one gig shuffle, i picked it up and plugged it in as soon as i got home. :(
M @ Jun 10th 2006 10:57AM
The fact of the matter is - PCs are better because the majority of the world use them. If Macs were better wouldn't everyone have them then?
steve @ Jun 10th 2006 11:11AM
dont take me as a mac fan but....
macs would still be alive because they are better with graphics and other stuff than windows
that means that art schools and places that need that kind of stuff would use them
they are more expensive which dont make them as good for business comps or home comp (although some ppl have them)
well anyhow, the flash drive could contain a bomb that is ignited wen its powered by the usb port!
Dan F @ Jun 10th 2006 12:00PM
amazing, RJR is a genius! but anyway if I had found one of these I would probably plug it into a friends computer or a school one etc. or windows in safe mode i guess. anyways, i would first look at what files were in there then wipe it clean.
Eamon @ Jun 10th 2006 12:23PM
I actually found a 128mb flash drive on the footpath walking to school last week. I had no fear plugging it into my *linux* box when I came home! It was full of boring accounts and stuff...
fowler @ Jun 10th 2006 12:29PM
@M
yeah, good logic there, guy. now lets apply that same genius to cars and see how much it makes sense.
RJR @ Jun 10th 2006 12:38PM
Good point, M. I would venture to say that the majority of people who own mp3 players own ipods. Does that make them better?
My point didn't really have anything to do with Macs, it was the fact that Leo's comment didn't relate to the article. I could honestly care less about which is better between a mac or a pc because I use both of them for different things. My point was that a stupid and irrelevant comment deserves a stupid and irrelevant response.
P.S. I apologize to any test-tube leos out there.
Chris @ Jun 10th 2006 12:42PM
Honestly, I've Never Seen an Auto-Run Flash Drive
And if I did find one on the street (Not that i'm that lucky), I would Format it Instantly to erase anything like that that was either a) Harmful or b) would trace it to the owner ;)
- Chris :)
Matt @ Jun 10th 2006 12:42PM
How did they get people to run the program? Were these computers not patched for the WMF exploit or something?
Fabian @ Jun 10th 2006 1:00PM
Though this exploit most likely didn't even use autorun, the risk with USB-Devices is much larger.
The trouble is, that USB devices are able to use DMA (Direct Memory Access) and circumvent the OS. Though I'm not quite sure how this can be exploited when using "normal" memory-only devices, it is already being exploited with devices like the iPod.
There's software out there that you can use to make your iPod into a data collector. You just need to plug it into a computer to "recharge" and it automatically copies predefined stuff like username/password from the host to the iPod without the OS of the host knowing.
While you can monitor your own filesystem for access to sensitive files, a normal system will do the job without you ever noticing, and theoretically this applies to MacOS and Linux users as well.
Just check the usual suspects for more info. Bruce Schneier's blog is always worth a read, if you need a place to start.
Seroth @ Jun 10th 2006 1:01PM
I can honestly say that if I found a USB drive lying on the ground outside, I'd probably take it and use it on my PC.
Matt G @ Jun 10th 2006 1:29PM
Just plug the drive into a trusty Mac, and format it, before you plug it into a Windows machine. And yes, Macs can format as a Fat32 (Windows) partition as well as Macintosh.
Mac OS > All
And yeah, about the comment where windows is the majority, so that means i should totally buy a Ford and NOT a Mercedes-Benz? Hell no.
Dell + Windows = Ford Fiesta
-Trying to cut cost, mass produce, make cheap, and sell to masses
Apple = Mercedes Benz
-Quality control, built to high standards, innovative, top notch
funetik @ Jun 10th 2006 1:41PM
Sorry to burst your bubble, Matt G, but Mercedes' build quality is crap now: Crysler own them.
Lux Aeterna @ Jun 10th 2006 1:55PM
Are...Are you kidding me? Not only can you NOT spell CHRYSLER, you fail to realize that the company is now called Daimler-Chrysler, Daimler coming first, meaning Benz owns Chrysler, not the other way around. Wow, stupidity will never cease to amaze me...
Kevin M. @ Jun 10th 2006 2:16PM
"I would, because I don't have to worry about viruses. Mac rules yay"
Don't be so dumb. Macs *CAN* get viruses, just not as many. Making people believe the lie that "macs never get viruses" is downright DANGEROUS.
Cry Havoc @ Jun 10th 2006 2:31PM
Matt G, you must be joking.
Mac OS > All? What a laugh. Both net and free BSD will kick the Mac OS up and down the sidewalk in efficiency, power, and outright awesomeness. It's not even a close race. It doesn't have TEH SHINY APPLE LOGO in the background, but it is a beast of an operating system. And it's not even the best. LISP machines have been ahead of the pack for 20+ years. And they're still running nearly the same OS they used in the 80s.
I also enjoy your reference to Apple as a Mercedes Benz. You are aware that Benz is the car manufacturer with the lowest reliability ratings when price is taken into account, right (among mass-produced vehicles)? A Benz IS less reliable than most Fords. And costs three to twelve times as much. The Benz is a status symbol, a pointless declaration of wealth. The Ford is a tribute to practicality and something everyone can afford. I see much the same in Apple computers vs. PCs.
It should further be noted that while Apple computers are more expensive, they are NOT more powerful than PCs. Not even close in some respects. So actually, it's more of a comparison between a ~$45,000 Lotus Elise and a ~$150,000 Ferrari. And if you REALLY want to bash on Ford, the new Ford GT will absolutely annihilate any Ferrari outside of the limited-production Enzo, which costs about $600 thou more than the GT, to say nothing of what a GT will do to any Mercedes you see driving down the road. ;)
While Apple computers are paramount in design, IBM/Lenovo notebooks are still the industry standard for build quality. And they are in the same price range as many MacBooks.
CypherHackz @ Jun 10th 2006 2:35PM
Update antivirus and install good firewall and anti-spyware.
Virtual1 @ Jun 10th 2006 3:28PM
re: "hold shift down"
From reading the article I gather that this was NOT done with an autorun on the flash drive, but rather by a trojan picture. Put a dozen photos in a folder, plus one executable with a picture's icon and something like "funpic.jpg.exe" and watch them double click it. If it displays a picture as expected, they may not even realize they were just owned. End it in something else like ".sc" or ".vbs" and you'll pick up most of the remaining 5% or so that realize that ".exe" in the filename could be trouble.
Gathering passwords and scrollback history, keylogging, etc is trivial and an unprivileged operation that any trojan could do, and in many cases direct smtp access is allowed out through the firewall. (which at a bank it really shouldn't!) So as set up, this bank had a worthless defense against this variant of social engineering.
What to do: lock down all input methods on secure machines. Remove or disable the optical drive. (read "unplug the IDE cable") Delete system extensions for USB and firewire storage device access - no bank employee should ever need to plug in a storage device to a company computer short of swapping backup tapes. Do not give employees administrative access so they cannot install replacement USB drivers. No access to the internet OUT thru the firewall except for whitelisted locations - bank employees browsing the web are not only wasting company time but are opening a GIANT hole in the network's security in many ways.
If either or both of these sensible steps had been taken by the bank, this attack would have failed. Educate the employees too, so they don't take a flash drive home with them and jack into their windows box and then try to VPN into work or something while a keylogger is running.
Having said that, at a previous job I had a former bank exec as our IT manager. He was none too happy when I brought in my new flash drive, but he finally left me alone about it. Thinking back on things, he was probably correct in resisting my bringing in the flash drive at all. Though that company had quite a few other security issues they were not dealing with either. He seriously baulked at my bringing in my laptop until about the 3rd time my laptop was required to fix a problem we were having.
Leo @ Jun 10th 2006 3:38PM
RJR dont be an idiot. my comment on Mac addressed an earlier comment on how "macs rule". I apologize if my use of the word "gay" or the fact that i insulted mac computers bothered you, but grow up.
as for majority = superiority, being the genius you are, you go ahead and apply the analogy anywhere you want. the best selling car brand in the world is Toyota, and they arguably ARE indeed the best by quality standards and price. Best selling MP3 player in the world is the iPod, and when you take into account their music platform, hardware, price and industrial design, show me one that is better? (dont bother with the toshiba gigabeat, it needs time).
in the case of operating systems, windows IS the best in large part due to its ubiquity. anyone with a brain knows that in software that is a key determinant of competitive advantage. what can you do with a mac that you cant do with windows?? taking cost into account, and the fact that there is so much more freedom of choice in applications and the ability to create your own, mac has little on windows....(oh but they look "cute")
and then RJR retorts by reminding us all how virus prone windows is. i dont get viruses... intelligent computer users dont get viruses.
-the test tube moron named leo
Leo @ Jun 10th 2006 3:40PM
or maybe i should grow up ;-)
Joe @ Jun 10th 2006 3:45PM
Why does it seem like Apple users never have anything to offer in terms of comments except a blind devotion to Apple? To my understanding, this particular article is about USB flash drives, and the risks that people take by using one without knowing what is on it. And yet, like nearly every other computer-related blog post on the Internet, it has come down to a fight between the Apple users and PC users, with the Mac users talking about how much better/safer/more powerful Macs are than PCs, yet ignoring or brushing aside any comments that put Macs in a bad light, such as their lack of market share.
I'm not criticizing Macs. Not at all. I can appreciate their quality and interface, though I'm a PC user. However, I have one thing to ask all Mac users out there: if you're so proud of your Macs, then why does it always seem like you're insecure and must actively defend their reputation? If they were so magical, they would simply speak for themselves, wouldn't they?
Nick @ Jun 10th 2006 3:46PM
People still use autorun?
Virus issues aside, Autorun just bugs the shit out of me.
One of the first things I do when I install a computer is head over to the group policy editor (gpedit.msc) and do a system-wide disable of autorun.
Even then, I suppose it won't stop some people from double-clicking HappyVirus.jpg.exe in the thumbdrive directory.
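An added example, not part of the article or any reader's comment: a Python scanner for the two things discussed in the comments above, an `autorun.inf` that launches a program and picture-named executables such as `funpic.jpg.exe` or `HappyVirus.jpg.exe`. The extension lists and the sample volume are constructed for illustration.

```python
import os
import tempfile

# Constructed, non-exhaustive lists: extensions Windows runs on double-click,
# and "decoy" extensions that make a program look like a picture or document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".xls", ".txt", ".mp3"}
AUTORUN_KEYS = {"open", "shellexecute"}  # autorun.inf keys that launch a program

def masquerade_reason(filename):
    """Return why a file name looks like a disguised program, or None."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    stem, last = os.path.splitext(filename.lower().rstrip(". "))
    if last not in EXECUTABLE_EXTS:
        return None
    # Padding such as "pic.jpg      .exe" pushes the real extension out of view.
    inner = os.path.splitext(stem.rstrip())[1]
    return f"double extension {inner}{last}" if inner in DECOY_EXTS else None

def autorun_targets(text):
    """Return (key, value) pairs in autorun.inf text that would launch something."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in AUTORUN_KEYS or key.lower().endswith("\\command"):
                targets.append((key.lower(), value))
    return targets

def scan_volume(root):
    """Walk a mounted volume and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() == "autorun.inf":
                with open(full, encoding="latin-1") as fh:
                    findings += [(rel, f"autorun {k}={v}") for k, v in autorun_targets(fh.read())]
            elif masquerade_reason(name):
                findings.append((rel, masquerade_reason(name)))
    return sorted(findings)

def demo():
    """Build a constructed sample volume in a temp directory and scan it."""
    samples = {"autorun.inf": "[autorun]\nopen=setup.exe\nicon=drive.ico\n",
               "setup.exe": "", "photos/beach.jpg": "",
               "photos/funpic.jpg.exe": "", "photos/HappyVirus.jpg.exe": ""}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "photos"))
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(body)
        return scan_volume(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

An empty result only means no disguised names or autorun launch entries were found; it says nothing about whether the remaining files are safe to open.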
Mrco de Salvo @ Jun 10th 2006 3:52PM
Yes, the flashdrive can represent a security problem for a Company, but the question is: why do we use standard PCs and standard OSes in a Company? Probably we need the flexibility and multimedia input to share information. I think the solution can be to disable all input devices, but to focus the attention on a really smart security policy.
I remember the old antiviruses, slow and difficult to manage, and the modern antiviruses, with real-time scan and constant auto updates. Probably the way is to make Corporate OSes a little different from standard single-user OSes.
Marco
anon @ Jun 10th 2006 4:07PM
First, let me commend Secure Network Technologies for a clever and savvy way of exploiting humanity's weakness for curiosity --and free stuff-- when they found out the office was tipped off to their audit.
Second, comparing a Mac to a Mercedes Benz is a bad analogy. The average Mac machine is akin to a Maybach. It is the features in these cars that will be the standard features a decade from now. Microsoft, as always has to play catchup.
Lastly, the "Unix/Linux will kick OS X ass" argument is true. A Lamborghini is faster than a Maybach and a dump truck has more cargo space than a Maybach, but it doesn't make it a better, more enjoyable experience for the owner. Macs are for those that care about overall performance AND the ultimate user experience.
note: I'm well aware that Mercedes owns Maybach, but that doesn't change the facts.
fowler @ Jun 10th 2006 4:16PM
@Joe
How is it a bad thing that not everyone owns a Mac? I could really care less about market share, nor would I determine how good a computer or OS is based on how many people use or don't use it. It seems like a waste of breath to use that as an argument for a PC.
As far as OSX and Apple speaking for themselves, in the past year or two, they have. Which is why they are so wildly popular. There are always going to be fanboys who will stay loyal to whatever is they love and knock anything that's in direct or indirect competition.
I really think you need to reconsider what you wrote, cause there are a huge amount of holes in there.
willink @ Jun 10th 2006 4:21PM
Engadget is a great site, and the contributions from readers in the comment section make it even better -- except when they digress into a mac vs. pc flame war, or any other type of name calling. If this continues to happen, the comment function will be shut down again. That would be a shame.
Scott @ Jun 10th 2006 4:31PM
I never knew Wildly Popular and 5% Market Share were one and the same. Don't you have to have the Majority Market Share or even more than 10% to be "Wildly Popular"?
Leo @ Jun 10th 2006 4:40PM
fowler,
i agree, how good an OS "operates" is irrelevant of its market share. but today, there is more to a system than just how it runs. a lot of it has to do with its overall network. windows has thousands of more options when it comes to software. people aren’t building the type of software for small businesses (that they greatly depend on) on mac that they do for windows. while i cant hope to compete with anon's prowess in using analogies, i think the video game industry is a great example. the true test of a system is not the system itself (the xbox was much better than the ps2), its the games.
No more windows vs mac comments from me.
cheers willink, we should keep it clean....
Pete Avila @ Jun 10th 2006 5:51PM
Thanks to the Mac, I dont have to worry about stupid things like this!!! yay :D
Zo @ Jun 10th 2006 8:26PM
To Mac users that think that they are safe, I spent the good part of last week at the Software Security Summit in Baltimore, MD -- if you think you can't be bitten you are either foolish, stupid or naive -- one of the speakers showed an exploit using his own personal Mac -- don't feel so high and mighty. The only secure computer is the one that has no I/O ports or devices and never ever plugged into a network.
freakon @ Jun 10th 2006 9:11PM
the only reason macs dont get that many viruses is that only 5% of people use em. If more people used macs, then of course there would be more viruses for them.
And macs suck, they are all glued together, and they sell mice for 50$
"Wow it has 2 buttons!"