
Malicious Code Spreading Through USB Flash Drive Devices

DADSGETNDOWN
Offline
Last seen: 2 years 1 month ago
Joined: 2008-02-27 03:27
Malicious Code Spreading Through USB Flash Drive Devices

I'm sure we already know about this, maybe.
But I got a newsletter from US-CERT,
the United States Computer Emergency Readiness Team.
And I don't know, maybe this is a heads up for some,
maybe some coder/programmer would find a way to prevent this,
whatever.
I just thought it was interesting, and noticed if you scroll down that
you will see (Mozilla has released Firefox 2.0.0.18, Firefox 3.0.4, and SeaMonkey 1.1.13 to address multiple vulnerabilities.).
This place releases something new every day.

http://www.us-cert.gov/current/index.html#malicious_code_spreading_throu...

Zach Thibeau
Offline
Last seen: 2 years 4 months ago
Developer
Joined: 2006-05-26 12:08
This really should be taken

This really should be taken up with Mozilla, and anyway they probably already know of this and are more than likely making a patch for it.

your friendly neighbourhood moderator Zach Thibeau

rab040ma
Offline
Last seen: 7 months 3 weeks ago
Joined: 2007-08-27 13:35
Symantec is currently

Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. (article dated 19 Nov 2008)

https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&thread.id=220

http://blog.wired.com/defense/2008/11/military-usb-ba.html

http://www.eweek.com/c/a/Security/Symantec-Sees-Rise-in-USBBased-Malware-as-Reports-of-US-Army-Ban-Surface/

MC

Kikinaak
Offline
Last seen: 6 years 4 months ago
Joined: 2008-08-03 09:11
Old news, and the oldest security hole.

Chalk this 'new' attack vector up to ye olde human stupidity. What would you do if you found a USB drive just lying around? Yup, curiosity just killed your comp. I saw an article that a security auditor scattered a few thumbdrives with trojans around a bank, in the restroom, the smoke room, etc... and pretty soon the lemming employees found 'em, and while they were entertaining their curiosity with the pics and music he put on the drives, the trojans were feeding him passwords.

Low risk too. Someone sees you: whoops, didn't know I dropped that, thanks, I got important stuff on there. Trouble is, now that it's getting press it's gonna make all of us who carry drives on a keychain look like a security risk. Libraries, cafes, all the places that used to not even blink are going to be banning them.

crux
Offline
Last seen: 4 years 3 months ago
Joined: 2008-06-13 18:10
I think an exploit could put the code on a USB stick.

Then a person wouldn't even know that his stick was a problem.

Be careful...

wraithdu
Offline
Last seen: 11 years 8 months ago
Developer
Joined: 2007-06-27 20:22
USB drives do not autorun any

USB drives do not autorun any programs on any OS, unlike the CDROM autorun.inf. So there's always an element of human stupidity here. Granted, there are some neat tricks like making an autoplay menu entry look like the entry to "Browse content", but it really launches your trojan.
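An added example, not part of this thread and not code from any product mentioned in it: a small Python checker for the autorun.inf trick wraithdu describes, where the AutoPlay entry is dressed up to look like Explorer's own "Open folder to view files" entry. It parses the INI-style file and reports the tell-tale combinations (a launch key plus a browse-like action text, a borrowed shell32 icon, or an overridden default shell verb). Both sample files are constructed here; `payload.exe` is a placeholder name.

```python
# Parse an autorun.inf (INI syntax, case-insensitive keys) and flag the
# "looks like Browse but launches a program" pattern. Detection only.

# Constructed sample: a typical benign CD-style autorun.inf (icon and label only).
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Product CD
"""

# Constructed sample of the look-alike trick: launches payload.exe (placeholder),
# but the AutoPlay text and folder icon mimic Explorer's browse entry.
SAMPLE_SUSPICIOUS = r"""[autorun]
open=payload.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=payload.exe
shell=open
"""

LAUNCH_KEYS = ("open", "shellexecute")
BROWSE_LOOKALIKES = ("open folder", "browse", "view files", "explore")


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}; keys lowercased as Windows treats them.
    Hand-rolled rather than configparser so '%SystemRoot%' and 'shell\\open\\command'
    keys are taken literally instead of triggering interpolation errors."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    # Any of these keys makes AutoPlay/AutoRun start a program rather than show a folder.
    launches = [k for k in autorun
                if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]
    if launches:
        findings.append(f"launches a program via {', '.join(sorted(launches))}")
    action = autorun.get("action", "").lower()
    if launches and any(p in action for p in BROWSE_LOOKALIKES):
        findings.append(f"action text mimics Explorer's browse entry: {autorun['action']!r}")
    icon = autorun.get("icon", "").lower()
    if launches and ("shell32.dll" in icon or "explorer.exe" in icon):
        findings.append("icon borrowed from a system binary to look like a folder")
    if launches and "shell" in autorun:
        findings.append(f"default shell verb overridden: shell={autorun['shell']}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, "->", assess_autorun(sample) or "no findings")
```

Run it against the root of a freshly mounted drive before double-clicking anything in AutoPlay; the point is that an `open=`/`shellexecute=` line is never needed for a drive you merely want to browse, so its presence next to a "browse"-style caption is the signal.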

Kikinaak
Offline
Last seen: 6 years 4 months ago
Joined: 2008-08-03 09:11
Two scenarios...

First, anything that can write to the stick could infect existing apps with viral code, then it's only a matter of time until the user goes to use their stuff on a host machine.

Second, U3 and others like it use a partition that looks like a CD-ROM to the computer specifically so they can use autorun. Makes it more idiot-friendly. Also makes it more exploit-friendly.

But my main concern is public perception. Once John Q gets it in his head that these devices could in some way be a threat, public use of portable apps will be doomed. What is technically possible or not means nothing to those who think they know everything about a device because they saw it live at 6.
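An added example, not part of this thread or of the PortableApps project: a Python hash manifest for the first scenario above, where a host machine silently modifies the apps already on the stick. You build the manifest on a machine you trust, keep a copy off the stick, and compare after the drive has been plugged into an untrusted host; modified, missing and newly added files are reported. The directory layout and file contents in `demo()` are constructed stand-ins, and `manifest.sha256.json` is an assumed file name.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumed name, excluded from hashing if kept on the stick


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def verify_manifest(root, manifest):
    """Compare the stick's current state with a previously built manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: a stick with one portable app is baselined, then a host
    appends bytes to the binary, drops an autorun.inf and deletes a file."""
    with tempfile.TemporaryDirectory() as stick:
        root = Path(stick)
        app = root / "PortableApps" / "DemoAppPortable"
        app.mkdir(parents=True)
        (app / "DemoAppPortable.exe").write_bytes(b"MZ" + bytes(64))  # stand-in for a binary
        (app / "help.html").write_text("<html>help</html>")
        manifest = build_manifest(root)  # taken on the trusted machine

        # What scenario one describes, simulated: the host tampers with the stick.
        with open(app / "DemoAppPortable.exe", "ab") as f:
            f.write(b"\x90" * 16)
        (root / "autorun.inf").write_text("[autorun]\nopen=unexpected.exe\n")
        (app / "help.html").unlink()

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only as trustworthy as where it lives: a copy stored on the stick itself can be rewritten by the same malware that modifies the binaries, so keep the reference copy at home (or sign it) and treat any "modified" entry for an executable as a reason to re-image the drive rather than just delete the file.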

Bruce Pascoe
Offline
Last seen: 13 years 1 month ago
Joined: 2006-01-15 16:14
...

U3 autorun doesn't work anymore either on Vista, because it won't automatically launch CDs either. Which means that under Vista, there's no difference between a U3 drive and a drive with an autorun.inf on its main partition, except for a useless extra drive letter. Kind of explains why U3 is going out of favor, doesn't it? :)

crux
Offline
Last seen: 4 years 3 months ago
Joined: 2008-06-13 18:10
That's why they are publicizing it.

Portability does not fit into their scheme of having control over end users.

Really, does anybody else feel like the computer industry is being purposely driven away from end user independence?

Bruce Pascoe
Offline
Last seen: 13 years 1 month ago
Joined: 2006-01-15 16:14
First question

Who are "they"? You make it sound like it's some sort of conspiracy or something. :/

Kikinaak
Offline
Last seen: 6 years 4 months ago
Joined: 2008-08-03 09:11
Valid point, and an angle I

Valid point, and an angle I had not considered. I feel less worthy of the tinfoil beret now.

From a governmental/law enforcement perspective, this could be quite the thorn in the arse. Proxies, onion routing, and encryption are already a headache when it comes to finding out "who's doing what?" The whole "leave no trace" philosophy of PA, while based in noble and polite reasons, nicely tacks on "from where?"

Especially when you consider it can be run from something the size of a microSD chip, something ridiculously easy to conceal and which could be wrapped in a wad of toilet paper and flushed. What evidence?

OK, setting big brother back on the shelf for a moment, I can also see techs and anyone looking out for network security not liking this, because it allows not just running your own software with its own settings regardless of what's on the machine (browser locked down? no problem, I got my own on my keychain) but also booting an entirely separate OS. From there you have total access and no logs. And no traces or clues on the local drives to help techs figure out WTF hit the machine.

I guess what it comes down to is...
Anything that empowers someone in any way has potential for abuse.
Anything that empowers someone in any way is guaranteed to piss someone else off.

Bruce Pascoe
Offline
Last seen: 13 years 1 month ago
Joined: 2006-01-15 16:14
Any admin who locks down

Any admin who locks down browsing at the workstation level is an idiot. For logging, anything that goes over the Internet should be logged and/or blocked by the proxy server/firewall, not the computer doing the browsing. And there are plenty of ways to log other stuff (keyloggers, etc.).

And preventing people from booting their own OS is just as easy--just disable all boot devices except the local hard drive from CMOS, then lock the BIOS with a password.

DADSGETNDOWN
Offline
Last seen: 2 years 1 month ago
Joined: 2008-02-27 03:27
Not so sure

About PortableApps being doomed, BUT if that were to be true, then it would HAVE to include external (portable) hard drives, card readers, cameras and a million other things too.

ottosykora
Offline
Last seen: 2 days 13 hours ago
Joined: 2007-10-11 17:48
yes this is complex

One of my friends works in the IT department of a big hospital.
Now he has been given the order to lock out all dangerous USB devices, but allow those that are not dangerous, on all workstations.
Such an order seems almost impossible to fulfill; he and his team of 6 people have been working on it for nearly a year now and still have no final solution.

OK, the easy way is just to get rid of all USB: remove the drivers, etc. But the mouse hangs on that, so that's not possible. So how do you finally find out what the dangerous category is?
As more and more gadgets appear on the market every day that are plugged into USB just to get power from it, this is a difficult situation. Who says that the USB coffee warmer does not also connect the data wires, and not only the 5V power? And what does it report itself as?

Otto Sykora
Basel, Switzerland

Jimbo
Offline
Last seen: 5 years 3 weeks ago
Joined: 2007-12-17 05:43
There are ways

Tell your friend to take a look at DeviceLock from http://www.devicelock.com/

It does basically what he wants / needs. You can lock out devices by class or even by serial number, on a user-class basis, so you could, for example, bar all USB storage devices except for specific ones carried by the support staff, or unless the user logged in is an administrator, etc.

It isn't free, but it isn't that expensive, either. We're looking at deploying it here where I work.
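An added example serving both Otto's question ("what does it report itself as?") and Jimbo's description of class- and serial-based device control; it is not part of this thread and is not DeviceLock's code or configuration format. The Python below evaluates a default-deny policy against what a USB device actually claims when it enumerates: its interface class codes plus a Windows-style instance ID (`USB\VID_xxxx&PID_xxxx\<serial>`). HID and hubs are open to everyone, mass storage only to listed groups or listed serials, and anything vendor-specific or unclassifiable is refused. Vendor/product IDs, serials, group names and the policy layout are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# USB interface class codes from the USB-IF class code list.
HID, MASS_STORAGE, HUB, VENDOR_SPECIFIC = 0x03, 0x08, 0x09, 0xFF

# Windows-style device instance ID: USB\VID_xxxx&PID_xxxx\<serial or generated id>
ID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)


@dataclass(frozen=True)
class Device:
    instance_id: str
    interfaces: tuple  # interface class codes the device reports when it enumerates


# Assumed policy shape (constructed; not DeviceLock's configuration).
POLICY = {
    "classes_for_everyone": {HID, HUB},                        # keyboards, mice, hubs
    "storage_groups": {"Domain Admins", "Support"},            # roles allowed any mass storage
    "storage_serials": {("1234", "5678", "SN-SUPPORT-001")},   # specific sticks (vid, pid, serial)
}


def parse_instance_id(instance_id):
    """Return (vid, pid, serial). serial is None when Windows generated the id
    because the device has no iSerialNumber; generated ids contain '&'."""
    m = ID_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a USB device instance id: {instance_id!r}")
    vid, pid, tail = m.group(1).upper(), m.group(2).upper(), m.group(3)
    return vid, pid, (None if "&" in tail else tail)


def evaluate(device, groups, policy=POLICY):
    """Decide allow/deny for a device plugged in by a user who belongs to `groups`.
    Default deny: anything the rules do not explicitly recognise is refused."""
    vid, pid, serial = parse_instance_id(device.instance_id)
    classes = set(device.interfaces)
    if not classes:
        return "deny", "no interfaces reported; cannot classify"
    if VENDOR_SPECIFIC in classes:
        return "deny", "vendor-specific interface; capability unknown"
    if MASS_STORAGE in classes:  # checked before HID so a composite device counts as storage
        if serial and (vid, pid, serial) in policy["storage_serials"]:
            return "allow", f"storage device on serial allowlist ({serial})"
        if groups & policy["storage_groups"]:
            return "allow", "storage permitted for this user's group"
        return "deny", "mass storage not permitted for this user"
    if classes <= policy["classes_for_everyone"]:
        return "allow", "only HID/hub interfaces"
    return "deny", f"unhandled interface classes {sorted(classes)}"


def run_samples():
    """Constructed enumeration records, not captured from a real machine."""
    samples = [
        (Device(r"USB\VID_1234&PID_0001\5&2a1b3c4d&0&2", (HID,)), {"staff"}),            # mouse, no serial
        (Device(r"USB\VID_1234&PID_5678\SN-SUPPORT-001", (MASS_STORAGE,)), {"staff"}),   # allowlisted stick
        (Device(r"USB\VID_1234&PID_5678\SN-OTHER-042", (MASS_STORAGE,)), {"staff"}),     # same model, other serial
        (Device(r"USB\VID_1234&PID_5678\SN-OTHER-042", (MASS_STORAGE,)), {"Support"}),   # same stick, support user
        (Device(r"USB\VID_1234&PID_9999\6&0f1e2d3c&0&1", (VENDOR_SPECIFIC,)), {"staff"}),  # "coffee warmer" that enumerates
    ]
    return [evaluate(dev, groups) for dev, groups in samples]


if __name__ == "__main__":
    for decision, reason in run_samples():
        print(decision, "-", reason)
```

Two things the policy makes visible. A gadget that really is power-only never enumerates, so it never reaches the rules at all; one that does wire up the data lines shows up here with whatever class it claims, which is exactly what the "what does it report itself as?" question is about. And a device without an iSerialNumber (generated instance ID) cannot be pinned by serial, only by class, vendor and product, so a serial allowlist like Jimbo's works only for drives that actually carry a unique serial.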
