[unisog] Pen testers after my own heart...
numatrix at ufl.edu
Mon Jun 12 19:00:46 GMT 2006
David McBride wrote:
> Paul Asadoorian wrote:
>> I am curious as to what their recommendations were for this particular test,
>> "Tell employees not to put things in their computer" or "fill the USB ports
>> with epoxy". Not so practical....
> Turn off Autorun via a domain group policy?
> At least part of the problem here is not that the users are deliberately
> running untrusted code found on a discarded USB key, but rather that
> their shell is doing it for them!
Actually, that's not true. USB keys don't autorun. Give it a try some
time. I put a lot of work into it a while back and I'm pretty sure it
can't be done. I even got a special USB key with a partition that
identified itself as a CDROM drive to try to get autorun working, but
never even got that to work.
There has been some discussion about using the auto-loading driver
aspect of USB (USB devices can provide their own drivers) to load code
via a USB device, but it would take some custom hardware and not cheap
disposable USB keys you're willing to lose like the ones in this article.
That said, disabling autorun isn't a bad idea. It just has nothing to
do with this particular threat. In fact, if my memory of the paper is
good, it specifically mentioned that they had hidden their trojan as if
it were an image. So they got users to click through some images on the
key, and one of the "images" was the malware.
So user education and epoxy seem to be the only two solutions that I can
think of. I'll give you one guess as to which method I'd actually
Jordan Wiens, CISSP
UF Security Engineer
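The one technical mitigation raised in the thread is turning off Autorun through a domain group policy. The script below is an added example, not code from the list or its posters: it reads the NoDriveTypeAutoRun policy value that the "Turn off Autoplay" group policy writes under the Policies\Explorer key (a value of 0xFF disables Autorun on every drive type) and reports, per drive-type bit, whether Autorun is still enabled on the machine it runs on. The registry paths and drive-type bit values are Microsoft's documented ones; the helper name and output wording are my own.

```powershell
# Added example (not from the original thread): audit the Autorun policy that a
# domain GPO ("Turn off Autoplay") applies, so an admin can verify the setting
# actually reached a workstation. Does not change anything.
function Get-AutorunPolicyState {
    # Policy can be applied per-machine (HKLM) or per-user (HKCU); check both.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    # Documented drive-type bits of NoDriveTypeAutoRun; a set bit disables Autorun
    # for that drive type. 0xFF covers all of them.
    $bits = [ordered]@{ Removable = 0x04; Fixed = 0x08; Network = 0x10; CDROM = 0x20; RamDisk = 0x40 }

    foreach ($p in $paths) {
        $item  = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }

        if ($null -eq $value) {
            [pscustomobject]@{ Scope = $p; Value = 'not set'; DriveType = '(all)'; Autorun = 'policy absent' }
            continue
        }
        foreach ($name in $bits.Keys) {
            [pscustomobject]@{
                Scope     = $p
                Value     = ('0x{0:X2}' -f $value)
                DriveType = $name
                Autorun   = if ($value -band $bits[$name]) { 'disabled' } else { 'ENABLED' }
            }
        }
    }
}

# Usage: run on a domain-joined workstation after a gpupdate to confirm the policy landed.
Get-AutorunPolicyState | Format-Table -AutoSize
```

Note that this only verifies the Autorun angle; as the post above points out, the USB-key attack in the article relied on users opening a disguised file themselves, which no Autorun setting prevents.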