Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yet Another "People Plug In Strange USB Sticks" Story

Posted by CmdrTaco on from the gets-me-going dept.

Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

30 of 639 comments (clear)

  1. No... by Anonymous Coward · · Score: 3, Insightful

    The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.

  2. Windows by Kagetsuki · · Score: 4, Insightful

    AutoRun!

    But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

    1. Re:Windows by wvmarle · · Score: 3, Insightful

      It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.

      Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running into its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiousity, while still being protected from anything nasty that may be done.

      This could also be a solution to make autorun useful AND safe.

    2. Re:Windows by fuzzyfuzzyfungus · · Score: 5, Informative

      Unfortunately, while this does preclude the lowest form of hackers, the ones with firmware-level access can still do their thing...

      The most famous example are those fuckers at U3. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.

      They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.

  3. yet by arth1 · · Score: 5, Insightful

    The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.

    You can never make systems fully foolproof through technology, and Bruce of all people should know this.
    It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

  4. OS trust not really the issue. by kermyt · · Score: 3, Insightful

    You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.

  5. Re:Only one way to fix this by arth1 · · Score: 5, Insightful

    Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

    No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.

    Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.

  6. Makes sense to me actually by dyingtolive · · Score: 5, Funny

    Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...
  7. People are not idiots - just different motivation by ugen · · Score: 5, Insightful

    The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone elses problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)

    People are not idiots, they just have their own objectives that are not very well aligned with yours.

  8. not just autorun! by Anonymous Coward · · Score: 5, Interesting

    autorun is NOT the only problem.
    The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.

    1. Re:not just autorun! by DeadCatX2 · · Score: 4, Informative

      Not really.

      When you connect a USB device, Windows automatically polls information from the device, called descriptors. This is a process called enumeration. If Windows recognizes the device class (e.g. HID Keyboard), it will automatically install drivers without user intervention. So will Linux and Mac OS; it has to, otherwise when you plug in a keyboard or mouse it wouldn't work until you activated it, and how can you activate a keyboard or mouse without either one?

      I'm not sure it's even possible to stop this process. The best you can do is eavesdrop on the data using a USB Sniffer to see what the device is sending for its descriptors, but by the time the sniffer sees the data it's too late.

      What's worse is that you can craft special descriptors which can exploit the OS! This is how the PSJailbreak worked.

      The only solution I can think of is to use an embedded host to read the descriptors without attaching it to a computer.

      --
      :(){ :|:& };:
    2. Re:not just autorun! by Just+Some+Guy · · Score: 4, Insightful

      I'll see your "clever" and raise you a "completely terrifying". I'm ashamed that it never occurred to me that something in a USB flash drive form factor wouldn't be a flash drive. I just got done lecturing a coworker about SQL injection, but I would've been utterly vulnerable to a "USB injection" attack up until 5 minutes ago.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:not just autorun! by mmcuh · · Score: 4, Informative

      USB doesn't have a "one device per port" rule. You could plug in an evil USB stick, it could behave just like an ordinary storage device, and then, in the middle of the night (if the computer is still on) it could start up another device, say a "keyboard" which is preprogrammed to send you to a webpage with a known exploit or to run a program in a previously hidden directory that connects to an SSH server and gives whoever is listening at the other side shell access to your computer. This could also be hidden in an USB mouse, or a USB webcam, or absolutely anything USB.

      I think I'm getting some ideas for a DIY project...

    4. Re:not just autorun! by Jarik+C-Bol · · Score: 3, Informative

      no, it did what you said, it faked the uid to be a keyboard, then it, as a keyboard, said: 'windows key, arrow up, enter, ,enter' which then of course launched the default browser and visited a page. same device could in theory be programed to erase your HD from command line if you where logged in as admin and blinked as the device mounted.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  9. Re:Only one way to fix this by uncanny · · Score: 5, Insightful

    Wow, i found a USB stick once on a college campus, looked like a nice one so i plugged it into a computer to see if i could find who's it was so i could return it to them. I didn't realize that i deserved having my computer fried for trying to return something. Do you put mace in your wallet so that if you drop it and someone tries to return it that it sprays them in the face?

  10. Re:Only one way to fix this by cdtullio · · Score: 3, Funny

    The way to fix this problem, is to start dropping pistols with nipples attached to the end. That would thin the herd.

  11. Re:Only one way to fix this by Anonymous Coward · · Score: 3, Insightful

    Anyone who uses that as an excuse not to help someone with a flat should drop out of the human race entirely.

  12. Re:Dumb story by rudy_wayne · · Score: 4, Insightful

    Part 1
    http://www.youtube.com/watch?v=q6UIrdLAkFM
    Part2
    http://www.youtube.com/watch?v=osF6FS2KS_E

    Rule #1 -- If you're going to narrate a video, get a personality. Seriously, I had to turn it off after the first minute because it was so boring.

  13. Re:Only one way to fix this by tmosley · · Score: 3, Insightful

    The easiest way to do that is to stop and help someone with a flat.

    It's a ... conundrum.

  14. Re:Only one way to fix this by element-o.p. · · Score: 4, Insightful

    And despite attitudes like that, people still wonder why those Nazis in corporate IT do things like disallowing USB mass storage devices, filtering HTTP traffic through a proxy, etc.

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  15. No surprise people plug found sticks in work PCs.. by NeverNow · · Score: 3, Insightful

    ...why would their want to put their home systems at risk?

  16. Re:hrmmph.. by Shadow99_1 · · Score: 3, Informative

    Yes, it's always because IT 'trusts' the OS... It has nothing what-so-ever to do with management complaining in the 'your about to be fired!' fashion if they can't simply plugin x device at their whim... As an admin my job was to make things as secure as I couldn't, without pissing off the people writing my paycheck. Just as I have to leave the OS to automatically access USB devices, so to the OS must trust these devices because otherwise the people with the money get pissy.

    --
    we are all invisible unless we choose otherwise
  17. Re:No, that's a job for the police! by TheSpoom · · Score: 4, Insightful

    I really feel for your situation. That said, I'm still going to trust people. I trust people knowing that that trust could blow up in my face at any time; that's just a risk one takes. I will continue to trust people because without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  18. Re:I dunno... by djmurdoch · · Score: 5, Insightful

    Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.

    You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:

      - trust files that your colleague is giving you via USB
      - trust a USB stick distributed as a promotion
      - trust your own USB stick, if you've used it to give a presentation on someone else's computer.

    Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.

  19. Re:No, that's a job for the police! by b5bartender · · Score: 3, Insightful

    Obvious bullshit story is obvious.

  20. Re:No, that's a job for the police! by DrgnDancer · · Score: 4, Insightful

    You know what? Fuck that. I'm not going to let the fact that there are bad people out there make me live my life in fear. For every robber/rapist/murderer out there, there are probably between a hundred and a thousand people who just need a few minutes of your time to help with a flat tire. I'll take my chances. The world has *not* changed. You've allowed the media and a tragic event to convince you that the world has changed. There have always been bad people. There have always been good people. There have always been the vast majority of people who are just going to get along. I choose how I live my life, not some asshole who thinks a gun makes him powerful.

    Doesn't mean be stupid. If the news is reporting a "Flat tire robber", maybe you want to adjust your behavior for a while, but in general I'm going to help people who need help. I've lived my life that way for 37 years and I'm not changing it now. I've lived in downtown New Orleans. I spent a year in Iraq. The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  21. Re:Only one way to fix this by DrgnDancer · · Score: 4, Insightful

    Guns and sledgehammers don't reveal their owners as a strong potential consequence of use. Hitting something with a hammer isn't going to tell you whose hammer it is. Opening "resume.doc" on a USB stick is likely to net you not only a name, but an address, e-mail, and phone number.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  22. Re:not just autorun! (device to filter?) by linebackn · · Score: 4, Informative

    Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?

    I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other in to your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built in to motherboards.

    Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.

  23. Re:Only one way to fix this by sorak · · Score: 5, Funny

    Judging by the contents of my own key drives, there is almost never any user-identifiable information on these things. Any "I was just trying to see who's it was" argument is probably just cover for "I wanted a free key drive and didn't think to format it before I used it..."

    Judging by the content of my own key drives, most people watch too much porn.

  24. Re:No, that's a job for the police! by prockcore · · Score: 5, Insightful

    My sister had no idea there was a second man hiding in the back seat, and just wanted to be nice

    I love these stories that have details that, if the story were actually true, no one would actually know.