PaulDotCom mailing list archives
No subject
From: bogus () does not exist com ()
Date: Tue, 21 Oct 2008 15:14:41 -0000
Encryption (no matter what form) only protects the data during transit. Once authentication is successful then the data/drive will be the target.

With this said I believe device lockdown, policies around use of such devices, and disabling the auto-run feature is where one should concentrate. Once decryption occurs, files will be loaded in memory, etc. It does not hurt to have all other pieces of the defense puzzle in place (i.e. patching solution, etc.).

I did try the U3 Universal Customizer on Ironkey but it did not detect the device, so maybe it is not U3 (news to me).

From the Ironkey Virtual CD ROM Drive (verified it is read only and cannot be formatted in any traditional way):

[autorun]
open=IronKey.exe
Icon=WINDOWS\CD.ICO
label=IronKey Unlocker

Once auth'd, from the writable storage area:

[autorun]
label=IronKey Secure Files
icon=SECUR02B.ico (hmm)

Hope this helps

On Wed, Mar 18, 2009 at 12:52 AM, John <johnemiller at gmail.com> wrote:
> I would check to see where the autorun software is stored on the drive. If it truly is read-only, then you arrive at two possible scenarios. They might have a mass produced security hardware device that is not able to be updated. It becomes a sitting target. The only way around this is to call executable code from the read-write partition. This would make the drive vulnerable to overwriting the autorun application.
>
> This is a technique that is used by the Downadup worm. It writes itself into autorun.inf files on removable media and network shares. I also use the stock autorun.inf on U3 drives and replace the contents of LaunchU3.exe with a malicious agent. I've had antivirus catch suspicious autorun files, but I figure they will always accept a stock U3 drive.
>
> On Tue, 2009-03-17 at 23:29 -0400, Michael Salmon wrote:
> > I posted this comment/question on the PaulDotCom forum, but I'm wondering what you guys think. First, let me start by saying the PaulDotCom podcasts are awesome and Irongeek is a big influence on my interest in computer security (his videos are great!). Feels like I'm talking to movie stars, lol ...
> >
> > I hope I'm not beating a dead horse. I know U3 hacking has been around for years and so has the UniversalCustomizer tool. My company purchased back in 2007 the Kingston DTSP (DataTraveler Secure Privacy Edition) USB keys for their hardware encryption. Last year Kingston replaced the drives with DTVP (DataTraveler Vault Privacy Edition) and my manager asked me to find out if it was possible for a virus to install on the CD-Rom partition. I called Kingston to discuss the matter and ask other detailed questions about their product. I was a bit surprised when the engineer told me it uses U3 technology... I shouldn't have been, but because U3 didn't seem very secure to me I assumed they developed their own CD-Rom emulation software. I tested the UniversalCustomizer tool against the older DTSP drive first and it recognized it as a U3 drive and overwrote their CD-Rom partition; although the data on the key was gone and even with data recovery tools (I used PhotoRec) I couldn't retrieve anything, it really concerned me that a virus could overwrite the CD-Rom area and antivirus wouldn't be able to delete the infection. The tool failed to recognize the newer DTVP drive as a U3 enabled key, but that doesn't mean someone else won't figure out a way to overwrite it. Kingston didn't have an answer when I asked what kind of security is in place to protect against this (I'm still in talks with them, hopefully someone will give me an answer). So now I'm interested in Ironkey, but on a recent PaulDotCom episode it was said that it also uses U3 technology. I'm going to contact Ironkey soon, but I have very little trust in what vendors say; has anyone else researched this? Companies put a lot of faith in hardware encrypted keys and believe it's a secure medium, allowing their "secure drives" access through device blocking products. Kingston was confident that the CD-Rom partition is READ-ONLY, thus creating a false sense of security (at least for their DTSP). Sounds like a big security hole to me.
> >
> > Your comments are appreciated.

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
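Added example for this thread (not IronKey, Kingston or PaulDotCom code): a small Python audit of autorun.inf contents that separates files which only set a label and icon from files that would start a program through the documented Windows AutoRun launch keys (open=, shellexecute=, and shell\<verb>\command=). The first two inputs are the two IronKey listings quoted in the message above; the third is a constructed sample, not taken from any device, included so the shell\verb\command form is exercised. The function names and the split into "launch" versus "cosmetic" keys are this example's own.

```python
"""Classify autorun.inf files by whether they would launch code.

Added example for this thread; not IronKey, Kingston or PaulDotCom code.
Helper names (parse_autorun, launch_targets, classify, audit) are this
example's own.
"""

# Keys that make Windows AutoRun start a program directly.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lowercased (Windows treats them
    case-insensitively); comment lines (';' or '#') and blank lines are
    skipped, as is any text that appears before the first section header.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()  # tolerate a UTF-8 BOM
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or a line with no key
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return [(key, command)] for [autorun] entries that would run a program."""
    autorun = parse_autorun(text).get("autorun", {})
    targets = []
    for key, value in autorun.items():
        direct = key in LAUNCH_KEYS
        # shell\<verb>\command=... runs when that verb is chosen or defaulted
        verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if direct or verb_command:
            targets.append((key, value))
    return targets


def classify(text):
    """'launches-code' if any launch key is present, else 'cosmetic-only'."""
    return "launches-code" if launch_targets(text) else "cosmetic-only"


def audit(samples):
    """Map sample name -> (classification, launch targets) for a report."""
    return {name: (classify(body), launch_targets(body))
            for name, body in samples.items()}


# Listing from the IronKey read-only virtual CD-ROM drive, as quoted in the thread.
IRONKEY_CD = """[autorun]
open=IronKey.exe
Icon=WINDOWS\\CD.ICO
label=IronKey Unlocker
"""

# Listing from the IronKey writable storage area after unlocking, as quoted.
IRONKEY_DATA = """[autorun]
label=IronKey Secure Files
icon=SECUR02B.ico
"""

# Constructed sample (not from any device) using the shell\verb\command form.
CONSTRUCTED = """[autorun]
; constructed for this example
shellexecute=setup.exe
shell\\open\\command=setup.exe
shell=open
label=Removable Disk
"""


if __name__ == "__main__":
    report = audit({"ironkey-cd": IRONKEY_CD,
                    "ironkey-data": IRONKEY_DATA,
                    "constructed": CONSTRUCTED})
    for name, (verdict, targets) in report.items():
        print(f"{name:13} {verdict:14} {targets}")
```

Run against the two quoted listings, the CD-ROM file is reported as launching IronKey.exe while the writable-area file is cosmetic-only (label and icon), which matches the "(hmm)" in the message: the unlocker lives on the read-only partition, and nothing in the writable area's autorun.inf starts a program. The same check can be pointed at an autorun.inf copied off any removable volume when reviewing what a drive would do on a host that still has AutoRun enabled.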