[unisog] Pen testers after my own heart...

Jordan Wiens numatrix at ufl.edu
Mon Jun 12 19:00:46 GMT 2006

David McBride wrote:
> Paul Asadoorian wrote:
>> I am curious as to what their recommendations were for this particular test,
>> "Tell employees not to put things in their computer" or "fill the USB ports
>> with epoxy". Not so practical....
> Turn off Autorun via a domain group policy?
> At least part of the problem here is not that the users are deliberately 
> running untrusted code found on a discarded USB key, but rather that 
> their shell is doing it for them!
> Cheers,
> David

Actually, that's not true.  USB keys don't autorun.  Give it a try some 
time.  I put a lot of work into it a while back and I'm pretty sure it 
can't be done.  I even got a special USB key with a partition that 
identified itself as a CDROM drive to try to get autorun working, but 
never even got that to work.

There has been some discussion about using the auto-loading driver 
aspect of USB (USB devices can provide their own drivers) to load code 
via a USB device, but it would take some custom hardware and not cheap 
disposable USB keys you're willing to lose like the ones in this article.

That said, disabling autorun isn't a bad idea.  It just has nothing to 
do with this particular threat.  In fact, if my memory of the paper is 
good, it specifically mentioned that they had hidden their trojan as if 
it were an image.  So they got users to click through some images on the 
key, and one of the "images" was the malware.

So user education and epoxy seem to be the only two solutions that I can 
think of.  I'll give you one guess as to which method I'd actually 
trust.  ;-)

Jordan Wiens, CISSP
UF Security Engineer
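The threat in this thread is not autorun but a user opening an executable that was dropped on a key under an image name. The following is an added example, not code from the unisog thread or from any of its posters: a small scanner a desktop or incident-response team could run over a mounted volume or a user's download folder to flag files whose extension claims an image while the bytes begin with a Windows PE header, and files that hide an executable extension behind an image extension. The sample files it builds in a temporary directory are constructed for the demonstration; the file names and the `classify`/`scan` helpers are this example's own, not anything from the thread.

```python
"""Flag files that masquerade as images on a removable volume.

Added example, not part of the unisog thread. Checks two patterns:
  * image extension (.jpg/.png/.gif) whose contents start with a PE header ("MZ")
  * an executable extension hidden behind an image extension ("photo.jpg.exe")
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Leading bytes (magic numbers) for the file types the scanner understands.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe",  # Windows executable / DLL
}

IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sniff(data: bytes) -> str:
    """Identify a file type from its first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(path: Path) -> list[str]:
    """Return the reasons this file looks like a masquerading executable (empty if clean)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""

    # "vacation.jpg.exe": executable extension behind an image extension.
    if last in EXECUTABLE_EXTENSIONS and any(s in IMAGE_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("double extension hides executable")

    # "vacation.jpg" whose bytes are actually a PE file (or some other non-image type).
    with path.open("rb") as f:
        head = f.read(16)
    kind = sniff(head)
    if last in IMAGE_EXTENSIONS:
        if kind == "pe":
            reasons.append("image extension but PE content")
        elif kind not in ("unknown", IMAGE_EXTENSIONS[last]):
            reasons.append(f"extension says {IMAGE_EXTENSIONS[last]} but content is {kind}")
    return reasons


def scan(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk a directory tree and map each suspicious file (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_demo_volume(directory: str | os.PathLike) -> None:
    """Write constructed sample files imitating the contents of a dropped key."""
    d = Path(directory)
    (d / "vacation1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # real JPEG header
    (d / "vacation2.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # real PNG header
    (d / "vacation3.jpg").write_bytes(b"MZ" + b"\x90" * 62)                 # PE bytes, image name
    (d / "vacation4.jpg.exe").write_bytes(b"MZ" + b"\x90" * 62)             # double extension


def demo() -> dict[str, list[str]]:
    """Build the constructed volume in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_volume(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against a mounted key or a download directory with `scan("E:\\")`. The content check is what matters: Explorer's default of hiding known extensions makes `vacation4.jpg.exe` display as `vacation4.jpg`, and a file named `vacation3.jpg` opens in an image viewer rather than executing, so the header check catches the case that a user following the "click through the images" story would not notice.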
