Yet Another "People Plug In Strange USB Sticks" Story
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.
>> The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
Couldn't it still be a little of both?
Every day you see me is the worst day of my life - Office Space
The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.
AutoRun!
But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.
The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.
You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.
Firewall too tough? Get localhost access today.
You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.
The problem isn't that people are idiots...
Seems to me this is exactly the problem.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
but also that the OS trusts random USB sticks.
I found a random USB stick in my car about 3 years ago; I still haven't plugged it in.
But that aside, if you found a candy bar laying on the street, would you eat it?
Possibly, but certainly not one floating in a pool.
So it's not people being stupid, but admins being stupid. Functionality is there.
... problem solved.
Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
Do you want to:
1) Infect your computer with another virus?
2) Look at the pictures and crap on the thing?
3) Just leave me the fuck alone, I've been using removable media all my life and I'm not going to stop now.
The only thing worse than sales people are security people. They are paranoid schizos that are given lower-responsibility IT jobs to fulfill corporate checkboxes.
I suspect some of these people do it simply because they want to figure out who the owner is so they can return it. Storage devices should be untrusted. This is an OS problem, not PEBKAM.
So, for the 60% who knowingly violated the government security rules, when do we get to see "The Department of Savings announced an unexpected windfall of 30 million due to involuntary termination of employment" article?
...than to stick strange devices into their ports.
But, then, to each his or her own I guess.
The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well-being of the corporate IT system or the corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
Am I the only one that finds a CD on the ground in a parking lot, inspects it, then pops it into my CD player to see what music is there? I think people plug in the found USB sticks out of curiosity. Maybe there is some good stuff there, maybe there is important data and they want to return it to the owner? I agree with those that blame Autorun for this being a problem. If it's just about browsing the files and directories it shouldn't be a big deal. Running strange executable files is pretty stupid, but just seeing what is there can be pretty compelling.
autorun is NOT the only problem.
The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.
Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.
Are they trying to be nice and return the stick to the owner? This is a case of being "too nice".
Is it plain curiosity?
Just chuck the thing in the electronics disposal bin.
Better answer, use Group Policy to turn off AutoRun.
But I still understand what you're getting at. It's like this.
Problem #1: People are idiots. Fix: There is none.
Problem #2: Admins and companies are lax with security policy. Fix: You let me know what it is after you overcome laziness, apathy and budgets.
So someone was like, I'm sick of all this nonsense, what can be done to actually fix this? Well, like was pointed out, the functionality is already there in most endpoint security solutions. Revert to Fix #2. This is not the OS's job, it's the people's job. I bet the poster is for the nanny state as well.
This is true. Employees shouldn't be able to harm the company or government computers, or expose sensitive company/government data.
Also, people who try to do that should be penalized. It doesn't have to be much, but you must raise awareness that such actions can do a lot of damage.
PlusFive Slashdot reader for Android. Can post comments.
Yes, but remember that most USB sticks are actually useful. Banning all USB sticks because somebody might pick up one that somebody else dropped in a parking lot is pretty stupid. Should we also ban all baggage from airplanes because somebody might pick up a strange bag in a parking lot and try to bring it on a plane?
dom
See how many of them then get the message... and how many of them shoot up on water.
YES, THEY ARE! As someone who worked as a security engineer, the biggest threat to the network wasn't an external threat; that is fairly easy to prevent if you know what you are doing and don't be cheap about it. It is however hard to prevent your employees from doing something dumb. Clicking on links in emails, connecting laptops to their home networks riddled with viruses, plugging in USBs that they don't know where they came from! I mean yes, you could lock down USB drives so that you can't read or write to them unless they are encrypted with BitLocker and have the key, but that will hinder productivity because BitLocker is a pain in the ass. I mean you don't know how many computers you can log on to simply by walking up to the desk and opening the drawer which has a sticky note with the password on it. PEOPLE ARE DUMB! They will do dumb things like this; it is inevitable. Your only option to try to stop it without hearing tons of bitching and adding a lot more overhead is to have all of your employees go through IT security classes involving passwords, USBs, emails, and how to use IT safely, but even then people will do something that will make you scratch your head at how.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
If someone found a random car part in the parking lot, then broke their car when they tried installing it, should we blame the car?
"The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
No, it's completely the user. Why shouldn't the OS trust what the user does who has physical access?
There is one answer that will always stop this kind of stupidity. Block up the ports with hot glue.
Liberty is not well sold for all the gold in the world.
Well it's not the OS's fault unless it's a Microsoft OS, then you can go ahead and blame Microsoft if you want.
This "automatic run" stuff is a crappy idea. Even MacOS doesn't do that. So yeah, it's kind of Microsoft's fault.
But people will always be stupid. They were stupid thousands of years ago, and they are stupid today. They will be stupid a thousand years from now.
You going to register all of those USBs, or pay for all those USBs you distribute to your employees?
I've made a comfortable living consoling the computers of owners that are stupid.
Autorun is bad..very bad!
Slashdot previously had an article discussing pointless research (which was an interesting and surprisingly two-sided story). But... this "study" would be an example of said (truly) pointless research.
As soon as they had the hypothesis that people would pick up these sticks and put them in their computer, the problem was exposed. Any real leadership would just have moved to solve this problem, rather than prove that it is indeed a problem. I would hope that the "security experts" at the DoHS would ponder that an outcome of 1% and an outcome of 99% would basically be the same problem, and studying the particular location on this spectrum should bear little relationship to the need to address the problem.
Where I work, all the USB ports are disabled. The most you can hope from plugging anything into them is a recharge. If you *really* need to use a USB stick, you get an encrypted one from in house and your local permissions are tweaked to allow just that model and not much else. Plus you get a very clear message that if a virus does get onto the system, you're in a world of trouble, possibly dismissal.
I want a list of atrocities done in your name - Recoil
Autorun is disabled (might not be out of the box... might need Windows Update patches). And you can disable it in any other Windows OS where it is enabled by default.... so the problem is the IT department is not properly securing their network with existing OS controls against USB sticks.
Just because it's tedious doesn't mean the admin doesn't have a responsibility to do it.
This is not a sig.
Don't Antivirus and other security software disable autorun on USB hardware? I know I have some program that does.
Bruce Schneier's response in a comment:
"Children are taught not to take candy from strangers. But adults are perfectly OK with using USB sticks from unknown sources..."
It's a stupid thing to teach children, too.
I don't think it's a stupid thing for either children or adults. Neither the OS nor the children should know what is in a candy or a USB stick.
Here is the registry key that I use when reinstalling Windows XP. Put the following in a text file with the extension .reg, right click and merge with my registry.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
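The registry trick above works by pointing Windows' INI-file mapping for Autorun.inf at a key that does not exist, so the file is never read; the Group Policy route mentioned elsewhere in the thread works by setting NoDriveTypeAutoRun, a bitmask of drive types AutoRun is disabled for. The following is an added example, not code from this thread, that ties the two together from the defender's side: it parses a found stick's autorun.inf (read-only, nothing is executed) to list what the file would launch, decodes the NoDriveTypeAutoRun bitmask, and reports whether the action would still fire on a removable drive under a given policy. The sample autorun.inf and the policy dictionaries are constructed; note that Windows XP/Vista/7 with the February 2011 AutoRun update (KB971029) already ignore autorun.inf on non-optical removable media, so the model reflects the unpatched behaviour the thread is arguing about.

```python
"""Offline triage of a found USB stick's autorun.inf against the host's
AutoRun policy. Added example, not code from the thread; the sample
autorun.inf and the policy dictionaries below are constructed."""
import configparser
from typing import Dict, List

# Bits of the NoDriveTypeAutoRun policy value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
# (a set bit disables AutoRun for that drive type; 0xFF disables all).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF

# Keys in autorun.inf that name something to execute, as opposed to
# cosmetic keys such as icon= or label=.
ACTION_KEYS = ("open", "shellexecute")

# Constructed autorun.inf typical of a "photos" stick carrying a dropper.
SAMPLE_INF = """\
[autorun]
label=Vacation Photos
icon=photos.exe,0
open=photos.exe /quiet
shell\\open\\command=photos.exe /quiet
shell\\explore\\command=photos.exe /quiet
UseAutoPlay=1
"""


def disabled_drive_types(no_drive_type_autorun: int) -> List[str]:
    """Decode NoDriveTypeAutoRun into the drive types AutoRun is off for."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items())
            if no_drive_type_autorun & bit]


def autorun_actions(inf_text: str) -> Dict[str, str]:
    """Return the executable actions declared in an autorun.inf.

    The file is only parsed, never executed; keys are lower-cased so
    'Open', 'OPEN' and 'open' compare equal, as Windows treats them.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    actions: Dict[str, str] = {}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in ACTION_KEYS or is_verb:
                actions[key] = value.strip()
    return actions


def assess(inf_text: str, policy: dict) -> dict:
    """Combine media content and host policy into a triage verdict.

    policy keys (names chosen for this example):
      NoDriveTypeAutoRun   int   the registry value, default 0x91
      autorun_inf_remapped bool  True if the IniFileMapping trick that
                                 points Autorun.inf at a non-existent
                                 key is in place
    """
    actions = autorun_actions(inf_text)
    blocked = disabled_drive_types(policy.get("NoDriveTypeAutoRun", 0x91))
    would_fire = (
        bool(actions)
        and "removable" not in blocked
        and not policy.get("autorun_inf_remapped", False)
    )
    return {
        "actions": actions,
        "autorun_disabled_for": blocked,
        "would_fire_on_removable": would_fire,
    }


if __name__ == "__main__":
    cases = (
        ("default 0x91", {"NoDriveTypeAutoRun": 0x91}),
        ("group policy 0xFF", {"NoDriveTypeAutoRun": DISABLE_ALL}),
        ("IniFileMapping trick", {"autorun_inf_remapped": True}),
    )
    print("actions:", autorun_actions(SAMPLE_INF))
    for label, pol in cases:
        print(label, "->", assess(SAMPLE_INF, pol)["would_fire_on_removable"])
```

The default value 0x91 leaves removable drives unprotected, which is why the thread's advice is to push 0xFF through Group Policy or to apply the IniFileMapping override on machines that cannot receive policy.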
Are you saying that "known" USB sticks are better? I find it far more likely that an attacker would infect a known USB stick of a targeted employee... or the USB stick would be mailed to them as "vendor bling". It would be relatively easy to get several dozen USB sticks with "Cisco" or "Microsoft" printed on them, mail them to random people with a note that says "thanks for using our products", and I'm sure 90%+ of them would get plugged straight in and considered "safe".
Even before USB-based storage was on the market, people were still infecting computers with their junk. Even supposedly 'isolated' computers that had the media drives removed, and with non-worms. The only common denominator was humans doing something that was against policy. So, no - it's not the specific technology; yes - the problem is people.
I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.
Turn off autorun for everything on all non-entertainment machines. It was originally put in so that entertainment CDs like Disney's The Lion King (remember those?) would autoplay.
There's almost no circumstance under which you'd want to autorun anything from a USB stick or any USB peripheral. Microsoft is negligent in setting their defaults to "on", and providing a "use AutoPlay for all media and devices" checkbox.
My G'Linux OS has been configured to require admin privileges to mount any new USB storage devices; I wonder if I could do this for other USB hardware, i.e. mice, media players, etc. This should be the standard config with a "[_] Don't ask me again." option, IMO. Especially since this arbitrary code execution exploit has been demonstrated.
USB stick autorun! http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/
Have gnu, will travel.
Computers have keyboards not a single switch labelled "0" and "1" for humans to control using binary.
Humans are curious. We need to use USB devices. It is not that hard to require confirmation before running any program from a flash drive. It is not that hard to sandbox everything and by default (deactivate-able) run a virus check on any new drives - flash, hard, DVD, CD, or what have you.
Build technology AROUND the human, don't try to change the human to fit the machine.
excitingthingstodo.blogspot.com
Can you believe people are such idiots that they'll eat food they've bought from people they don't even know?
Set up vending machines, inject fresh produce and meat, sneak poisoned packages onto the shelves. This might seem harsh, but it's the only way they'll learn that the world is out to get them.
Or, just maybe, we stop using insecure, badly-configured operating systems on machines we want to keep secure.
To check for colon cancer? There are now USB glucose meters that accept a test strip with a drop of blood, so why not one that accepts a stool sample?
At least three times in the past year I have found USB sticks on the walkway into my building at work.
Three times I have picked them up and immediately turned them over to the security desk.
Now, that does NOT preclude someone from security being an idiot...
Would that many of you really not look to see what is on the stick? Are you really that OCD? Ok, plugging it into your office computer on the company network is irresponsible. Doing so in any sort of sensitive government office is worse. But to not look at all? Really?
Surely the more security sensitive among you are also among the geekier. Right? Are you saying you don't have a spare computer around anywhere? You can't plug the stick into some old non-internet connected junk computer to see what is there? You aren't curious enough to do so? What could possibly happen? Corrupt a spare machine with some virus? So what? Ghost the thing beforehand if it's that big of a deal. I suppose there could possibly be something on it that will actually harm the hardware. Nobody writes that kind of lowlevel malware anymore though, not unless they are working for a government attacking another government's nuclear program anyway. Even if you did run into some old hardware eating virus, with all the outdated yet perfectly usable hardware lying around these days who cares?
Personally if I had that much of a security phobia I would have a junker sitting around just for this purpose. I'd have two identical hard drives and would just copy the good unexposed OS image back and forth each time I wanted to test something I didn't trust. Fortunately I don't have this phobia. I would just wait until I got home and stick it in my desktop which runs Linux.
Yes, I know that even Linux has security holes and yes, there have been viruses and other attacks on it. I also know that statistics are on my side; I am probably more likely to get run over by a bus where the driver was struck by lightning than to ever encounter a problem simply viewing files on a Linux machine. Also... no auto-run!
It's easy to blame Autorun for the problem. However, the only reason Autorun exists is because of idiot users. Try telling someone to insert a CD, navigate to the CD and launch setup.exe (or any other file). Better yet, try doing it over the phone. I guarantee you that a large percentage of the population can't do it. I know because I've experienced it with more people than I can count, including dentists, doctors and other "well educated" people.
People are idiots, and/or have their own objectives that are not very well aligned with yours.
There, fixed that for you.
I don't get it. What are those horrible things the operating system does when you plug in a USB memory? Mine shows me the files stored on it, at most.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
...Because they can.
Having done customer support at locations where we had dozens of operators using our workstations, and also code development on similar systems, I've been asked numerous times why I would build in error checking for seemingly obvious operator blunders. Why indeed... because they can, and it's your responsibility to design a system that is resilient enough to not crash and burn because they screwed the pooch.
People are at all levels of understanding when it comes to computers, and everyone who designs, builds, or maintains them makes a living on those users. Embrace them and stop whining.
Just another day in Paradise
If you work in a government agency where people could have important information saved on a flash drive, are you just supposed to destroy the drive for fear of it being infected?
As far as opening it at work, I might take some precautions when opening the files, but why would I open it on my home computer that has my personal information on it? It's not really the OS's fault; at a government agency a normal user's account should be very limited in how much access it has to network files and how much damage it can do. I don't want windows popping up with a bunch of "are you sure?" prompts every time I am working with a flash drive. Besides, the idiots will still just disregard the warning boxes and directly install the virus.
and at the same time he probably wouldn't want to harm his personal computer at home
You're overthinking this - they use the office computers because they find the USB sticks on the way to work.
Thus passes the glory of the world.
Firstly, before MS gets bashed (oh, they did deserve bashing for not stopping it earlier) - they've released the change that stops the auto run on USB.
Second, if an ORG or CO has not implemented that change, then the fault is moved by a layer from user to 'admin/sec' and they should get the brunt.
Thirdly, to a nominal degree, if users cannot use the computer and get on with their work, including to some degree plugging in a drive, then you have a totally broken system.
Lastly, companies and orgs who have normals running as admin have bigger problems than just USB devices.
Hint: You can watch my basic vids on not running as Admin on XP for a kick off if you really don't know much about it. A high percentage of people think it's not possible to run with limited rights, so I made the vids to try and help anyone interested.
Skip to part 2 for the actual methods.
Part 1
http://www.youtube.com/watch?v=q6UIrdLAkFM
Part2
http://www.youtube.com/watch?v=osF6FS2KS_E
We're all equal
How many people *REALLY* pick up a wallet or USB stick so they can find the owner and return it to them, and how many people *REALLY* pick it up because they're hoping there's something good inside that they can take (money, porn, etc.) People pretend to be honest but reality is much different.
...isn't with the user. The problem is with the Admin who allows USB devices in a government building and the security at the front door that doesn't confiscate them.
I8-D
Or upgrade past XP.
It's poor security practice, but if someone drops an expensive device, there's a natural inclination to find the owner and return it. From a security standpoint, that's a horrible decision, but viewed from a societal and human decency perspective, that's exactly the kind of behavior you want to encourage (as opposed to, say, finding a lost iPad and deciding to keep it). Checking a USB drive on a sensitive computer is a stupid decision, but most people don't know how- or where- to check this safely. That's something that needs to be addressed to balance good social practice with good security decisions.
For that matter, most of the users I find doing this think of viruses as flashy, destructive affairs; a common rationalization is that they plugged the device in and "didn't see anything happen". The concept of subtle dangers is relatively new, and wrecking someone's computer to make a point (as someone above suggested) would be very counterproductive.
This isn't anything new- CD-ROMS and floppy disks have served as malware vectors in their day. OS designers have no excuse to be surprised anymore.
The Register has an article claiming a security company used a mouse rigged to do something similar ... only it was installing malware.
Mind you, they said it was specifically using a windows exploit, but there's nothing to keep 'em from loading it up with exploits for multiple OSes ... dunno of the USB device can query for that sort of information or not.
Build it, and they will come^Hplain.
A friend of mine (head of IT at the company in question), dropped a dozen or so USB sticks off in his own parking lot as an exercise. Nothing nasty on them, nothing personal, just a bunch of false (honeypot-ish) stuff and a fake in-house email address. That false address got about ten emails from internal addresses offering to return the USB stick.
If your infrastructure is running Server 2008 and your clients are running Vista or higher, you can already prevent unauthorized devices from being installed via Device GUID. See here: http://msdn.microsoft.com/en-us/library/bb530324.aspx Of course, it's not completely bullet-proof, but it's definitely better than letting anything be installed on any workstation.
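The advertising stick described earlier in the thread (a "storage" device that enumerates as a keyboard and types into the Run dialog) and the Device Installation Restrictions linked just above are two sides of the same control: decide at attach time, from what the device claims to be rather than what is printed on it, whether it may be installed at all. The following is an added example, not code from this thread, from the linked MSDN page or from any USB-control product: a stand-alone policy evaluator in the spirit of interface-based rules, which rejects any device that presents both a mass-storage and a HID interface before any allow-list is consulted, allows only IT-issued storage models, and holds new keyboards until approved. It also renders the Windows-style hardware ID string that such allow/deny lists are keyed on. All vendor/product IDs, serials and devices are constructed.

```python
"""Attach-time policy for USB devices, keyed on the interfaces a device
claims rather than on the label on its case. Added example, not code
from this thread, from USBGuard or from Windows' Device Installation
Restrictions; all IDs and devices below are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Interface = Tuple[int, int, int]          # (class, subclass, protocol)

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_BOOT_KEYBOARD: Interface = (0x03, 0x01, 0x01)
# Mass storage, SCSI transparent command set, bulk-only transport:
# what an ordinary flash stick enumerates as.
MSC_BULK_ONLY: Interface = (0x08, 0x06, 0x50)


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: Tuple[Interface, ...]

    def hardware_id(self) -> str:
        """Windows-style hardware ID as used in DeviceInstall allow/deny lists."""
        return f"USB\\VID_{self.vendor_id:04X}&PID_{self.product_id:04X}"

    def classes(self) -> Set[int]:
        return {cls for cls, _, _ in self.interfaces}


@dataclass
class Policy:
    # (vendor, product) pairs IT hands out, e.g. the encrypted in-house model
    issued_models: Set[Tuple[int, int]]
    # serials of keyboards already approved at the desk
    approved_hid_serials: Set[str]


def evaluate(dev: UsbDevice, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'reject'.

    'reject' is final; 'block' means hold until someone approves it.
    Ordering matters: the combined-interface check runs before any
    allow-list, so a spoofed vendor/product ID cannot bypass it.
    """
    classes = dev.classes()
    if USB_CLASS_MASS_STORAGE in classes and USB_CLASS_HID in classes:
        return "reject", "storage device that also claims a HID interface"
    if USB_CLASS_MASS_STORAGE in classes:
        if (dev.vendor_id, dev.product_id) in policy.issued_models:
            return "allow", "issued storage model"
        return "block", "unlisted storage device"
    if HID_BOOT_KEYBOARD in dev.interfaces:
        if dev.serial in policy.approved_hid_serials:
            return "allow", "approved keyboard"
        return "block", "new keyboard needs approval before it may type"
    return "allow", "no storage or keyboard interface"


def triage(devices: List[UsbDevice], policy: Policy) -> List[Tuple[str, str, str]]:
    """Evaluate attached devices; returns (hardware_id, verdict, reason) rows."""
    return [(d.hardware_id(),) + evaluate(d, policy) for d in devices]


# Constructed devices: an issued stick, a stick found in the car park,
# a stick that spoofs the issued IDs but also enumerates as a keyboard,
# and the desk keyboard.
ISSUED_STICK = UsbDevice(0x1234, 0x0001, "IT-0042", (MSC_BULK_ONLY,))
FOUND_STICK = UsbDevice(0xABCD, 0x0101, "XYZ", (MSC_BULK_ONLY,))
KEYSTROKE_STICK = UsbDevice(0x1234, 0x0001, "IT-9999",
                            (MSC_BULK_ONLY, HID_BOOT_KEYBOARD))
DESK_KEYBOARD = UsbDevice(0x4444, 0x0002, "KB-7", (HID_BOOT_KEYBOARD,))

SITE_POLICY = Policy(issued_models={(0x1234, 0x0001)},
                     approved_hid_serials={"KB-7"})

if __name__ == "__main__":
    devices = [ISSUED_STICK, FOUND_STICK, KEYSTROKE_STICK, DESK_KEYBOARD]
    for row in triage(devices, SITE_POLICY):
        print(*row)
```

The KEYSTROKE_STICK case is the point of the ordering: it carries the same vendor/product ID as the issued model, so an allow-list alone would admit it, but the interface check rejects it first.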
I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.
Crappy opsec ends up making everything hard to do with the, usually unstated, goal of making the wrong actions harder than the right actions. That usually fails because it's super hard to figure out all of the possible wrong actions ahead of time, but users will always seek the easiest possible route.
When designing a security system you'll be 100x more successful if you cater to human nature instead of trying to fight it. In this example, people wanting to plug in USB sticks to see what's on them happens all the time, since USB sticks are the new floppy disk. So make it easy to do what they want in a safe way - give them a program to "view unknown USB drive" that disables autorun and takes any other necessary precautions, like temporarily running in a read-only virtual machine.
When information is power, privacy is freedom.
ANYTHING to make Windows "look bad" (and it wasn't a mistake he made, he was probably aware of it) - it's all so others who know less than say, you do, get "paranoid of Windows". These *NIX douchebags *think* they're "clever' but to myself, and doubtless yourself? They appear to be anything but clever. They seem more "desperate" than anything else because Linux is in last place, and MacOS X is right behind it, in terms of market share and mindshare/usage by users worldwide and by many orders of magnitude. Notice the bullshit +4 mod up too? Do you think they don't also cheat the moderation system as well so they appear on the front page of the site at article closing and your post gets buried? Here is an example of HOW they cheat the moderation system here (which is why slashdot won't post WHO modded whom up or down): http://developers.slashdot.org/comments.pl?sid=2278690&cid=36608082
Back when a 20MB USB stick was $75, I could see the reason to plug one in to try to find the owner. Now that 8GB+ sticks are conference freebies I don't see the point, especially when the majority are just used to transport Word documents to and from work for people who don't know how to use Dropbox. It's very unlikely that there is irreplaceable work on a random USB stick or that the owner will suffer financial hardship because of its loss.
Support SETI@home
... is email blast a resignation letter to everyone in the address book.
now we need to go OSS in diesel cars
but I put it in a linux box with no net connection. I also have my contact info on my usb stick that I use at work. I lose things a lot and have been very grateful when somebody emailed me and said they had my stick. Now the OS autorunning sticks is a terrible idea, that is blocked at my company by domain policy (on Windows workstations).
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Sure you might get virused... but then again that might be a flash drive full of office porn. Pictures from the receptionist's wild vacation at Hedonism with the boss... it's worth the risk!
If you find a wallet/purse outside of the building where you work odds are the wallet belongs to someone inside the building. So you open it up, to try and find some ID, so you can give it back to the owner. I can see the same sort of reason here. You found a USB stick, so you take it to your computer to open it up, try to find some documents, and see who the author is of the documents. Odds are, that's the owner of the USB stick and you can return their property to them.
Didn't Vista spam everyone with "are you sure?" messages every time they wanted to do anything? Adding validation prompts to operating systems will just annoy the users who are bound and determined to circumvent security.
Most newer operating systems have disabled autorun on removable media. Virus scanners can pick up a significant percentage of malware when you insert the drive. That catches a lot of it. Still, all you have to do is embed a new virus that hasn't been found by the scanning tools yet in a video of a cute kid or pictures of kittens. Half the people who insert the drive won't be able to resist the urge not only to look at it but to pass it on to the rest of the clucking hens in the office, who will put it in an email to all of their friends...
The root of the problem is that security for computers is often diametrically opposed to what makes them useful. Lock down the security too much and you can't get anything done. Open it up so it's useful and you have all sorts of vectors for attack. And, as was shown by this demonstration, the biggest vector for attack is the ID-ten-T interfacing with the computer in the first place.
It has long been known that anti-viruses are just the proof that the OS the anti-virus is running on is defective and broken beyond repair. In a correctly conceived OS (are there any? OS X doesn't seem immune and I'm not sure about Linux / FreeBSD / etc.) viruses SHOULD NOT be able to find their way through the system.
Same with 0-day exploits: on a correctly conceived OS users should not get their machines "admin'ed" / rooted by a 0-day drive-by "I just followed a link" exploit.
So, yes, the OS shouldn't stupidly trust USB stick but, quite frankly, there are a lot of other things to fix first in all these broken OSes.
An OS that tries to be user friendly is fine, but one that will execute arbitrary code found on a randomly offered device is broken. This may be desirable from a "more features is better" perspective, but this has gone too far. When will we know MS technology has gone too far? We've already seen the signs; we are just too stubborn to move on to a better feature set. Not a fatter one, a better one. Soon,
Well, I'm sorry but I'd prefer knowing the full contents of any candy before I put it in my USB port.
Grammar nazis are to this community what excrements are to gold.
Reminds me of the "Light Grenade" from Mom and Dad Save The World.
For those not familiar, it looks like a grenade, but it says "Pick Me Up" on the side. Whoever picks it up disappears, but the grenade remains for someone else to pick up. Diabolical exploitation of human stupidity! You could wipe out entire armies with one of these.
It is easy enough to turn off in Windows 7: Just type in "autoplay" in the START menu search bar and uncheck devices that you don't want to auto play. It is a little trickier in XP:
http://techbybucky.blogspot.com/2008/01/how-to-disable-usb-and-cd-autorun.html
I'd rather have a full bottle in front of me than a full frontal lobotomy.
The problem *is* that people are ignorant. I won't say idiots as I don't think that's right - most people are smart enough in their own domains, but completely ignorant in other areas (such as computer security).
I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.
Ergo, the solution to this kind of problem is to put a dummy machine near the entrance of your building with "Insert found USB sticks here!" written on it in big friendly letters. That'll let people satisfy their curiosity without endangering your organization.
It won't catch 100% of the idiots, but it will filter a lot of them.
Blasphemy is a human right. Blasphemophobia kills.
...why would they want to put their home systems at risk?
...but if you're going to look, you'd only be looking so that you might return the USB stick to its owner.... right ??
So find the cheapest, most obsolete computer you have. You don't want to short circuit your best computer.
Disconnect anything corruptible (hard-discs, USB drives, etc.) from the computer.
Disconnect any networks from your computer, you don't want any hacker software on the USB to bring the "men in black" knocking on your door.
Boot from a live CD.
If the USB drive works... you'd surely ONLY be interested in:
a) returning the drive to the owner
b) informing the police about evidence of illegal activities
It's not safe to stop for random strangers on the highway. That is a job for the police. My sister was robbed, raped, and then murdered by two men who were faking a flat tire. They did the same thing to a dozen other people before they got the wrong person and were shot by a passerby with a hunting rifle.
So when you see a car on the side, DON'T STOP, just CALL THE POLICE. They can deal with it.
My sister had no idea there was a second man hiding in the back seat, and just wanted to be nice. She paid for this mistake with her life. That's fact. Nobody can afford to be nice anymore. The world has changed. If you are nice, you will be taken advantage of by those who aren't. Be nice at your own risk.
Wanting to stay alive does not make me an evil person. People who are nice are killed. If you want to survive, you need to learn to TRUST NOBODY, EVER.
There we go. An adult that understands the world in which he lives.
Not creating inconvenience for the help desk is not priority #1 for 'people', including employees or operating system vendors. Whatever consequences exist beyond the frustration of some low-end computer fix-it monkey is a matter for law enforcement. There is no obligation to submit to interrogation by the fix-it monkeys, either.
That is the situation that prevails in most environments. There are some places that practice more rigor regarding security and acceptable use of equipment. In such an environment whatever consequences are suffered by the 'user' will be only a fraction of the consequences for the fix-it monkeys that failed to protect the equipment from errant USB devices in the first place.
Either way the angry 'tired' fix-it monkeys lose.
People have been sticking infected media into various slots and opening unsolicited attachments for 30 odd years now. Few have learned not to do this and many just tacitly refuse to accept that they have anything to learn. Very little has emerged in the way of policies that are broadly enforced. Why are the fix-it monkeys still expecting to see a change in behavior?
many of us would be out of a job. No, the right approach is to market items that address this need. USB condoms, holographically-marked trustworthy USB drives for IT departments to hand out, epoxy-on USB port adaptors that change the PC's USB port to a different connector and a range of keyboards, thumb drives and mice that use the non-standard connector.
come on people, stupidity --> profit.
Nullius in verba
My workstation has a big assed red banner when I log on saying "DO NOT STICK A USB IN ME YOU FUCKING MORON"*. So if this study was conducted at my site, or was malicious, I'd wager they'd have a few things to say to me.
"Just look at how people have reacted to this spring's exploits of web sites and services...they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use."
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
*Color is correct, but the wording might be paraphrased
Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.
According to KB 967715 it can be done in 2000/XP/2003 and newer via GPOs in the domain.
"A plan fiendishly clever in its intricacies"- Homer Simpson
That's all well and good, but this isn't a corporation. This is the government. These people are trained to protect the IT system. I mean, I don't know if the training is the same for other areas, but I know the Army trains civilians/contractors regularly in Information Assurance.
What can you do with something that looks a lot like a flash drive? Anything you can type into a computer. http://hak5.org/episodes/episode-709
People are conditioned to think that USB drives aren't dangerous because 99% of their experiences with them aren't dangerous. They are just harmless devices to store your files on.
When they see one on the ground, they will think that someone lost their files and they would like to see who it belongs to. It is stupid to expect people not to do this and the security should be designed around that. You don't go against human nature.
SSIA.
If the people deploying Windows in the organization knew what the hell they were doing, plugging in a USB key would do squat.
Joe (picks up stick in parking lot): Hmm, I could use an extra one of these. (tosses in desk drawer)
(next week)Sally: Hey Joe, I've got to bring some files to a meeting at the customer site. Got a spare stick?
Joe: Sure, Sally, use this one.
Now between them Joe and Sally have not only infected their own network, but also their customer's. No amount of user training provided to Sally and the customer would have been sufficient to stop this - only the OS is in a position to save the day here.
People are inherently unreliable - machines shouldn't be.
If you found a printed sheet of A4 paper you would probably read its contents in the hope of fabulous secrets or to satisfy your curiosity. Or maybe you were just motivated to return potentially valuable data to its owner. You would not expect a dragon to leap off the paper, embed itself in your brain, and make you cluck like a chicken.
No seriously. People still plug unknown cocks they've just found in a bar into themselves (and the other way around, but that simile doesn't work as well - all I'm trying to say is, this is a gender neutral metaphor). And the viruses you can get from that are way more dangerous than anything your computer can get.
That virus fried their centrifuges and delayed the Iran nuke a couple years.
...what would you do?
Until they do that, then yes, it is theoretically safe to return wallets. Cyber attackers have been dropping poisoned media for years, but people haven't learned.
Consider the scale of this problem, and then consider the percentage of people who may do this that do NOT read this here on /. or elsewhere, before calling people 'dumb' or 'stupid'. Not everyone prone to doing so will even learn of this study. If this issue really matters, companies will take steps to warn employees about sticking random USBs in their computers. Otherwise, it's just a matter of time before something very bad happens, and then there will be consequences. If there are consequences, then realization happens. Otherwise, this will keep happening.
The more you know, the more you have to say and the more you should listen.
question is, do you need usb sticks much at the company at all? and yes, why not? those few that need might get one that is company-locked. it's rather important to make sure nothing gets in AND nothing gets out. usb sticks are the easiest way to steal data from a company without any trace. same reason we don't have cd burners in our company's systems, except on demand.
I'm going to disagree with that.
Filthy, filthy copyrapists!
The most insidious attack vectors are more creative than just having some trojan autorun. For example, here is a mouse with an attack vector built in:
http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/
People looking to steal something don't say "Oh that poor old lady just forgot to close her door it would be unsportsmanlike to rob her" and then go crack into a bank vault. Instead they take that old lady for everything she has.
The polite, responsible thing to do would be to inform the vulnerable person about the problem. The issue here is that the computer security industry/community has been pointing these flaws out for over a decade and it hasn't made a single difference. No one is listening so some people are trying a different approach. No one listens when you say "Someone can hack your server and steal customer data." but they sure as hell get the point when someone steals the data.
I agree that what they did was illegal and wrong(ish) but I can also see why there are people getting frustrated when the powers-that-be don't listen until something bites them in the ass.
The moral of the story: It's OK to plug in a random USB stick into your computer if it is Halloween.
At night I drink myself to sleep and pretend I don't care that you're not here with me
Why don't we just put the blame where it should be. If you have a job then you have the responsibility to do it. That also includes keeping memory sticks and disks in your possession and safe from crooks. If you don't care enough to do your job you should quit or be fired. Stop blaming it on someone else!
...really is that people ARE idiots. Almost any real business has policy in place for what the user can and should do, just that most of them ignore/don't pay attention to them.
Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?
I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other into your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built into motherboards.
Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.
Buy some epoxy and use it on all USB ports.
Problem solved.
The problem is, who is to be trusted more..a random data stick, or the OS....
It's not that people fool around with random unknown data, but they entrust the os to take care of the consequences.
Again, not learning from the past...is itself a different story
I work in the tech support field, as an industrial electrician. Trust me, people really are idiots. On the other hand, "people" build the computers that government people use. Those people should be capable of either securing the system from unknown USB devices or educating the users about the risks. At the end of the day, someone has to take responsibility for security.
Would you 'plug' into a blowup doll you found on the street? What about a dildo? Not likely but I suspect people still do it. Let the users who find these peripherals be the judge of whether they expose their 'hardware' to these risks...
Actually, the problem is that people are idiots... all the way from the developer to the user level.
The behavior is quite logical, once you understand what the objective is. [snip] He may be interested to find out what's on the USB device [snip] Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem.
I don't think they put that much thought into it. I think they use a work computer because they happen to be at work (and they found the usb drive just before going into the office).
They are probably just thinking, "Hey, free usb drive. Any pr0n on it? Otherwise I'll delete the contents & use it myself."
No no no... That's what library computers are for.
I wouldn't say it hasn't made a difference. It's just that security is a never-ending job. It's not a problem that you "solve", any more than most other human problems. It's a problem that you have to continuously harp on, while trying to improve it from the technical side as well. And aside from infrequent anecdotes, I'm not aware of any studies indicating that throwing peoples information out in the clear is more effective than notifying companies.
What is clear, is that an info dump and/or public defacement is a hefty ego-stroke for the doer.
The worst thing that someone could put into a USB stick would be some C4 with a detonator wired across the 5V lines......
It's sort-of people, yes they're idiots. But the bigger problem is an OS that assumes that any random removable-media drive is safe and that it should automatically execute programs on it when it detects new media in it. Instead the OS should assume that removable-media drives are not safe and that programs on inserted media are not to be run without the user doing something special to make them run.
On my Linux systems the OS doesn't auto-run programs on removable media at all. And I have it set to normally mount removable-media drives as "no execute" so programs on them simply can't be run without the user first copying them elsewhere and then setting the execute bit, or alternatively remounting the media with execute permissions enabled. Either way they have to do something pretty deliberate, and your average idiot isn't going to clear that bar. Windows offers at least the "no AutoRun" option, and it's easy enough to set it (flipping that setting on a new Windows installation is almost reflex for me by now), the only thing Windows doesn't offer is a "no execute" option for mounted media (and I'm sure it has it, just not obviously exposed in the UI).
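A way to verify the "no execute" mounting this post describes, added here as an example and not code from the poster: the function parses /proc/self/mountinfo (field layout per proc(5)) and reports removable-media mounts under /media or /run/media that lack noexec, nosuid or nodev. The mountinfo text below is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: audit removable-media mounts for the noexec/nosuid/nodev
# options. mountinfo fields (see proc(5)):
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts
# so the mount point is field 5 and the per-mount options are field 6.

# Constructed sample: one stick mounted safely, one mounted with defaults,
# one with nosuid,noexec but no nodev.
SAMPLE_MOUNTINFO='36 35 8:1 / / rw,relatime - ext4 /dev/sda1 rw
98 36 8:17 / /media/alice/WORK rw,nosuid,nodev,noexec,relatime - vfat /dev/sdb1 rw
99 36 8:33 / /media/alice/FOUND-STICK rw,relatime - vfat /dev/sdc1 rw
100 36 8:49 / /run/media/bob/PHOTOS rw,nosuid,noexec,relatime - exfat /dev/sdd1 rw'

# Takes mountinfo text as $1. Prints one line per removable-media mount that
# is missing any of the three options; returns 0 if every such mount is
# hardened, 1 otherwise.
audit_removable_mounts() {
    printf '%s\n' "$1" | awk '
        $5 ~ "^/media/" || $5 ~ "^/run/media/" {
            n = split($6, opts, ",")
            have_noexec = have_nosuid = have_nodev = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") have_noexec = 1
                if (opts[i] == "nosuid") have_nosuid = 1
                if (opts[i] == "nodev")  have_nodev  = 1
            }
            missing = ""
            if (!have_noexec) missing = missing " noexec"
            if (!have_nosuid) missing = missing " nosuid"
            if (!have_nodev)  missing = missing " nodev"
            if (missing != "") { printf "%s: missing%s\n", $5, missing; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}
```

On a live system run `audit_removable_mounts "$(cat /proc/self/mountinfo)"`; the sample data exercises both the clean and the two unhardened cases.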
I'm not sure I understood what the OP was saying, but what I took from it was, there should be a way to lock down computers so that only USB sticks which have been approved can be plugged into company computers and autorun should be turned off.
I wouldn't mind having the option or ability to say only USB sticks with this code file can be used on this/these computers. In a company where USB sticks are/look all the same, I wouldn't mind not being able to plug in some of my co-workers' USB sticks and I would definitely like to be able to enforce the policy that all USB sticks are scanned or full formatted before use.
Yeah, the asshole with dubious morals. I'd rather deal with an honest idiot.
In a machine onto which you can quickly blast a fresh new os image, not plugged into the network... why not? Check it out, see what's on it. If it's dirty, 60 seconds in the microwave, then into the trash. If it's clean, free USB thumb drive!
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
stupid slashdot, need delete option!
You bring a valid point, but I think that the root of this problem is education: most people don't know that malicious software can spread from simply plugging in a USB key.
Perhaps more and better training from the company IT dept. would be helpful in educating these people. Ignorance isn't a valid defense, granted, but it's a reality that most IT depts. have to live with.
For non-techy types, there isn't an easy or obvious way to view/wipe the contents of a USB stick without first plugging it into your computer. Sandboxing and VMs are not Joe the Plumber-type applications. If Windows and Macs had a built-in USB sandbox feature that IT could turn on, it would make things much easier.
Or again, better education from the IT dept. asking users to bring them found USB drives for identification and if they can't find the owner, they can wipe it and give it back to the person who found it.
~Syberz
This is the battle of Evolution vs. Intelligent Design at its finest: Evolution clearly wins!
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.
Err. Let's try this again. My fault for not closing a quote tag correctly.
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
No, that was exactly my point, which went WHOOOSH over your head: Just because A is wrong doesn't mean that B can't be wrong too.
There's enough blame to go around - just because Lulzsec did something wrong doesn't mean that the companies and end-users didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.
Can you really call it legit if they are doing stuff that you the consumer didn't authorize?
They're always aiming at Windows users -- and I'm not talking about technical issues (this time).
BTW, unless otherwise stated, all my anonymous posts are personal opinions, unrelated to anyone else.
Won't do that, current ubuntu sucks.
This is a stupid article. Clearly under US Federal Annual Assessment training they tell you this should not be done. Secondly there are other mitigation factors on this: disable USB devices in the institution unless required, and IDS detects unauthorized USB (hmm, one that has a valid cert), sends alert to SOC and isolates, commence shutdown. There are technical ways to mitigate the risk and it all depends on how you manage the security. Geez Really Bruce Snizzer still around.
Stop the Windows Notification Service and it won't autorun anything anymore.
Heh, it didn't really go over my head so much as I worded my response improperly. Blame, as I apply the word, can only be assigned to a party that deliberately left themselves open. They've got to know better first. It remains to be seen if that is the case for all the targets we've been reading about.
Even my own statement has limits though. I don't care if my bank didn't know better; they have a responsibility above and beyond an ordinary business to keep my information and finances secure. Sony falls under this aegis. The Neverwinter Nights forum though? Not so much.
It seems to me that OSes should pop up a dialog when a USB device is plugged in, that displays what features the device is advertising, and allows you to OK each service you want accessible from that device on that OS, signing them so that you never get prompted for them again in the future. Should be extremely easy to add to any modern OS, as the OS already has to enumerate the features anyway. This would also mean that if your Android device got compromised and a special driver was installed that turned it into a stealth interface device when you plugged it into your PC, the PC would alert you that a new feature was detected, and did you want to enable it....
Except that this isn't a "safe way." As other people have pointed out, what looks like a USB thumbdrive may not in fact present itself to your system as a mass storage device. It can be an HID device and get automatically installed and take over your system; this works even in Linux. Tricking up such a device is not hard for somebody with some hardware chops. There is *NO SAFE WAY* to insert a malicious USB device into your system.
I'm sure you can just turn off autorun on the corporate build rather than going to all that trouble.
These are both problems. One is mostly fixable by relatively simple technology. The other is not really fixable, except by rather drastic means. Which problem do you suppose we should try to fix?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
It will also almost guarantee that the found harmless sticks will be harmful from now on.
Rethinking email
Unless that stick tells the OS it is a keyboard, of course.
Rethinking email
So find the cheapest, most obsolete computer you have. You don't want to short circuit your best computer.
Ok. got it.
Disconnect anything corruptible (hard-discs, USB drives, etc.) from the computer.
Well, I guess I can unplug the cassette player.
Disconnect any networks from your computer, you don't want any hacker software on the USB to bring the "men in black" knocking on your door.
No network plugs...
Boot from a live CD.
Where do you put a CD on a TRS-80?
Hardly hiding something. The whole idea of a U3 drive was that piece of software to put an application launcher that would run portable applications. That's like buying a bag of oranges and then complaining about all the fruit in the bag.
We need a read-only mounting of a stick that can run software. I'd use it to bring anti-virus software (et cetera) over to computers I want to repair. If I can update it with the latest anti-virus signature file on a good machine and then safely bring it over to the sick machine, I can run all kinds of portable software there. I'd also like to be able to boot from a stick — for the same purpose.
So we need a read-only button on the stick to guarantee the stick doesn't get infected from the sick computer. Does this exist?
I can do this with a CD or DVD, but a stick is more convenient.
I18N == Intergalacticization
Wouldn't it be possible to have an OS that could be set up to act like that?
Doesn't just disabling autorun for all devices (not just CD) under say XP work to prevent this? I am referring to:
GPEDIT.MSC->Local Computer Policy->Administrative Templates -> System -> Turn Off Autoplay
The last flash drive I bought from Transcend had some autorun software on it that was trying to sign me up for a lifetime warranty. My antivirus did notice the autorun and put a stop to it and then I just formatted the thing.
Interesting that no one has suggested that people plug in random USB drives because they assume it has been dropped and lost, and hope to be able to return the drive to the original owner by gleaning their identity from the data it contains. Certainly, the one time I did this, this is why I did it (and I was successfully able to return the drive to its rightful owner).
Still, I concur that there should be some way to examine the contents of a USB drive without allowing it to do anything on your computer. Perhaps some sort of "safe mode" you can turn on prior to insertion.
+1 !
I'm thinking of something like an OS that can be set up to ask the user if he wants to give access for a USB device to the interfaces it's trying to use.
Such a device would be possible, but fairly expensive, as it would need to act as a USB host. The USB spec was designed on the assumption that hosts would be full-featured PCs, so as much of the complexity as possible was pushed onto the host in order to reduce the burden on the devices.
The burden would be mitigated somewhat by the fact that it would only need to handle a single device (if you plug a USB hub into the adapter, you lose).
Also, the adapter would only work with "vanilla" USB mass storage devices. There are a fair number of "smart" USB drives which include custom Windows software for added "features". Those won't work unless you're planning on having the adapter run Windows.
It can be an HID device and get automatically installed and take over your system; this works even in Linux.
Big deal, a read-only VM with I/O virtualization will contain it.
Anyone know how to configure a USB port to accept only mass storage devices? (no autorun of course) Linux solution is enough for me (lol)
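One way to get the "mass storage only" behaviour this question asks for on Linux, and the per-interface approval the earlier post proposes, written as an added example rather than anything a poster supplied: the kernel exposes each USB device's interface descriptors (bInterfaceClass: 08 mass storage, 03 HID, 09 hub, per the USB class codes) and a writable `authorized` switch under /sys/bus/usb/devices, so a script can detach any device that advertises a non-storage interface, which is exactly the "stick that tells the OS it is a keyboard" case. The sysfs root is a parameter, and a constructed fake tree stands in for real hardware so the logic can be run without plugging anything in.

```shell
#!/bin/sh
# Added example: deauthorize USB devices that are not pure mass storage.
# Real layout: /sys/bus/usb/devices/<dev>/authorized (write 0 to detach) and
# /sys/bus/usb/devices/<dev>/<dev>:1.<n>/bInterfaceClass per interface.

# Verdict for one device directory: "allow" if every interface is mass storage
# (08), otherwise "deny:<classes>" listing the offending class codes.
usb_policy_decide() {
    devdir=$1; bad=""
    for iface in "$devdir"/*/; do
        [ -r "$iface/bInterfaceClass" ] || continue
        cls=$(cat "$iface/bInterfaceClass")
        case "$cls" in
            08) ;;                          # USB mass storage: permitted
            *)  bad="$bad $cls" ;;          # HID (03), CDC (02), anything else
        esac
    done
    if [ -z "$bad" ]; then printf 'allow\n'; else printf 'deny:%s\n' "${bad# }"; fi
}

# Apply the policy to every device under a sysfs root. Root hubs (usb*) and
# interface entries (containing ':') are skipped; denied devices get
# authorized=0. Prints "<dev> <verdict>" per device; returns the denied count.
usb_policy_apply() {
    root=$1; denied=0
    for dev in "$root"/*/; do
        name=$(basename "$dev")
        case "$name" in usb*|*:*) continue ;; esac
        [ -f "$dev/authorized" ] || continue
        v=$(usb_policy_decide "$dev")
        if [ "$v" != "allow" ]; then
            echo 0 > "$dev/authorized"
            denied=$((denied + 1))
        fi
        printf '%s %s\n' "$name" "$v"
    done
    return $denied
}

# Constructed fake sysfs tree (not real hardware): $1=root, $2=device name,
# remaining args = interface classes, one interface directory per class.
fake_usb_device() {
    froot=$1; fdev=$2; shift 2
    mkdir -p "$froot/$fdev"; echo 1 > "$froot/$fdev/authorized"; n=0
    for cls in "$@"; do
        mkdir -p "$froot/$fdev/$fdev:1.$n"
        echo "$cls" > "$froot/$fdev/$fdev:1.$n/bInterfaceClass"
        n=$((n + 1))
    done
}
make_fake_sysfs() {
    fake_usb_device "$1" 1-1 08        # plain stick
    fake_usb_device "$1" 1-2 08 03     # stick that also claims to be a keyboard
    fake_usb_device "$1" 1-3 02 08     # stick with an extra serial interface
}
```

Run as root against /sys/bus/usb/devices, ideally from a udev rule on device add so the check happens before any driver acts; the usbguard project is a maintained implementation of the same idea with a proper rule language.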
Not necessarily; it could be a filtering hub, watching all traffic that passes through it and dropping all packets from any device that identifies itself as any type other than mass storage. Think of it as a USB firewall.
BRB, off to file my patent.
My U3 drive had a portable version of skype on it that would ping their server even if there was no account configured. IT noticed it right away, and deactivated my LAN connection.
The helpdesk was waiting for my call as the manager of the PC end of the IT dept made his way across the plant to my desk.
Fortunately I did not install it, or have it configured with a login, or even know it was there, otherwise it would not have been pretty!
A NAS with USB support works quite well. It doesn't have drivers for random USB devices, and won't be running Windows-x86 anyway.
My ADSL modem/firewall (FritzBox) has similar functionality.
This is especially galling to me; I have a book out that I encourage folks to share, but it's only in PDF form. The only people who are going to open it are ignorant of the fact that it could contain a virus, even though it doesn't.
Why don't you release it in more formats, like .epub and other reader-friendly extensions? To my knowledge, they can't execute arbitrary code on their own like .pdf and .doc can. My e-book reader app (FBReader) on my phone can't handle PDF, and it's how I do most of my reading these days.
This is assuming that by "have a book out" you mean you authored or published a work.
For optimal comment enjoyment, take red pill now.
The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
Where I am employed, it is forbidden by law to bring USB sticks, USB HDDs, CDs/DVDs, etc. into the facility. Getting caught doing so is likely to cost you your job and your security clearance.
Hey at least the office system is properly backed up right? :)
I wouldn't say it hasn't made a difference. It's just that security is a never-ending job. It's not a problem that you "solve", any more than most other human problems. It's a problem that you have to continuously harp on, while trying to improve it from the technical side as well. And aside from infrequent anecdotes, I'm not aware of any studies indicating that throwing peoples information out in the clear is more effective than notifying companies.
Many of the flaws that were exploited were so basic, and have been known about for many years, that it's inconceivable that any serious thought was put into security. Yes, security a continuous process, but if you haven't even bothered to address the basics, then you are certainly to blame when someone takes advantage of that.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
+1
Something like a dummy barrier as seen in the anime "Ghost in the Shell"
Interestingly, I worked for a government department back in the mid-90s, and idly one day worked out how I'd go about untraceably diverting the multiple billions they oversaw to overseas accounts etc. Part of the anonymizing would have been to have the entire thing launch from an appropriately-named EXE on a floppy disk dropped casually in the waiting area or on one of their desks, and labeled "Social Work data". The office SWs at the time were notorious for having about the same computer-savvy as roadkill, so they'd be unlikely to make the connection between the disk and the month-later financial disaster. Particularly if the disk got overwritten with actual SW data in the process, and the worm erased itself retroactively from the first dozen computers it infected.
I see the idea of leaving a mislabeled item of media lying around where an unsuspecting administrative worker could introduce it to the corporate network hasn't lost any of its appeal. Social engineering strikes again.