[unisog] Pen testers after my own heart...

Cosmin Stejerean cstejerean at gmail.com
Tue Jun 13 16:32:43 GMT 2006


I would propose to block execution of all executables from removable
devices for all users. Users should not need to install software from
CDs and in the rare event that they need to bring executables to work
they can copy them to the PC first and run them from there.

Not sure how easy this is to do in Windows (if there are some built-in
settings or software available) but something to do this can be easily
written with some system hooks. I think that would mitigate the
problem altogether without blocking users from using USB storage
devices. I feel that in a university environment USB storage devices
come in very handy.

Regards,

Cosmin Stejerean

On 6/13/06, Dave Ellingsberg <dave.ellingsberg at csu.mnscu.edu> wrote:
> usb 1-1: new full speed USB device using uhci_hcd and address 6
> usb 1-1: configuration #1 chosen from 1 choice
> scsi7 : SCSI emulation for USB Mass Storage devices
> usb-storage: device found at 6
> usb-storage: waiting for device to settle before scanning
>   Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
>   Type:   Direct-Access                      ANSI SCSI revision: 02
> SCSI device sdb: 990865 512-byte hdwr sectors (507 MB)
> sdb: Write Protect is off
> sdb: Mode Sense: 03 00 00 00
> sdb: assuming drive cache: write through
> SCSI device sdb: 990865 512-byte hdwr sectors (507 MB)
> sdb: Write Protect is off
> sdb: Mode Sense: 03 00 00 00
> sdb: assuming drive cache: write through
>  sdb: sdb1
> sd 7:0:0:0: Attached scsi removable disk sdb
> sd 7:0:0:0: Attached scsi generic sg1 type 0
>   Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
>   Type:   CD-ROM                             ANSI SCSI revision: 02
> sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
> sr 7:0:0:1: Attached scsi CD-ROM sr0
> sr 7:0:0:1: Attached scsi generic sg2 type 5
> usb-storage: device scan complete
>
> See http://cse.msstate.edu/~rwm8/hackingU3/ for more info.
>
> As you see, this reports to be two devices, a USB and CD-ROM.
>
> foot.
>
>
> >>>chris at eng.gla.ac.uk 06/13 6:19 am >>>
> On Mon, 12 Jun 2006, Jordan Wiens wrote:
>
> | http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
> | -----
> | Q: What must I do to trigger Autorun on my USB storage device?
> | The Autorun capabilities are restricted to CD-ROM drives and fixed disk
>
> ...which suggests a variation on the attack - simply burn a load of
> autorun CDs and leave them around!
>
> (cheaper than memory sticks too)
>
> As for globally disabling USB, I think we'd have a riot on our hands.
> In our University environment, education is the way to go.
>
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
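The kernel log quoted in this thread shows one USB stick registering both a removable disk and a CD-ROM, and the CD-ROM is the device class the quoted Microsoft FAQ says Autorun applies to. As an added example (not part of the original messages), this Python sketch flags that pattern in logs of the same format; the sample lines are constructed from the thread's log, the second device (scsi8) is hypothetical, and newer kernels word these messages differently.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread; scsi8 is hypothetical.
SAMPLE_LOG = """\
scsi7 : SCSI emulation for USB Mass Storage devices
  Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
  Type:   Direct-Access                      ANSI SCSI revision: 02
sd 7:0:0:0: Attached scsi removable disk sdb
sd 7:0:0:0: Attached scsi generic sg1 type 0
  Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
  Type:   CD-ROM                             ANSI SCSI revision: 02
sr 7:0:0:1: Attached scsi CD-ROM sr0
scsi8 : SCSI emulation for USB Mass Storage devices
  Vendor: Example   Model: Plain Flash   Rev: 1.00
  Type:   Direct-Access                      ANSI SCSI revision: 02
sd 8:0:0:0: Attached scsi removable disk sdc
"""

USB_HOST = re.compile(r"^scsi(\d+) : SCSI emulation for USB Mass Storage devices")
INQUIRY = re.compile(r"^\s*Vendor:\s*(.*?)\s+Model:\s*(.*?)\s+Rev:")
ATTACHED = re.compile(
    r"^(sd|sr) (\d+):\d+:\d+:(\d+): Attached scsi (removable disk|CD-ROM) (\w+)")

def find_composite_usb_storage(log_text):
    """Return USB mass-storage SCSI hosts exposing both a disk and a CD-ROM LUN.

    Result: {host: {"model": str, "luns": {lun: (kind, device_node)}}}
    """
    usb_hosts = set()
    devices = defaultdict(lambda: {"model": None, "luns": {}})
    last_model = None
    for raw in log_text.splitlines():
        line = re.sub(r"^> ?", "", raw)  # tolerate e-mail quoting of the log
        if m := USB_HOST.match(line):
            usb_hosts.add(int(m.group(1)))
        elif m := INQUIRY.match(line):
            last_model = f"{m.group(1)} {m.group(2)}"
        elif m := ATTACHED.match(line):
            host, lun = int(m.group(2)), int(m.group(3))
            if host in usb_hosts:  # ignore internal SATA/SCSI controllers
                kind = "cdrom" if m.group(1) == "sr" else "disk"
                devices[host]["model"] = last_model
                devices[host]["luns"][lun] = (kind, m.group(5))
    # A plain flash drive has only disk LUNs; flag hosts that also emulate a CD-ROM.
    return {h: d for h, d in devices.items()
            if {kind for kind, _ in d["luns"].values()} == {"disk", "cdrom"}}

if __name__ == "__main__":
    for host, info in find_composite_usb_storage(SAMPLE_LOG).items():
        print(f"scsi{host}: {info['model']} exposes {info['luns']}")
```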

