Educause Security Discussion mailing list archives
Re: USB Storage Devices
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 3 Dec 2008 11:14:08 -0800
USB drives institute a number of security challenges but most of those have been around for a while so I'm not sure what might have changed recently to cause the CERT warning and DoD edict against USB drives.

From an integrity standpoint, the biggest concern is the potential for a hacker to fill a USB drive with malware and then somehow get an unsuspecting employee to plug the drive into their system. There have been a few social engineering experiments showing the effectiveness of this attack. Here is one such anecdote from 2006:

http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803634

The development of the U3 USB drives made this much easier as the autorun functionality allowed attackers to automate and hide the malware infection:

http://en.wikipedia.org/wiki/U3

One of my former co-workers had rigged up a U3 with a pretty nasty trojan that would do something very similar to what the whitehats did in the article mentioned above. However, even "normal" USB drives can be rigged up to infect systems which they are plugged into:

http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/

Like I said, I don't think that any of these concerns are very new and there are a number of things procedurally and technically that you can try to do to protect yourself:

1) Tell employees not to plug random devices into their workstations or run unauthorized software. This should apply to USB drives, CD-ROMS, and software on the Internet.

2) Ensure users do not have administrator or local administrator privileges on their workstations to limit the damage of any malware that is run (and have even stricter requirements/guidelines for those who have administrator privileges).

3) Disable auto-run on your workstations or better yet disable the USB ports/CD-ROM entirely if that is an option (which it usually isn't, but if you have PS/2 mouse/keyboard and no USB devices, might as well turn off the USB ports).

4) Ensure that you have anti-virus software that will automatically scan any connected devices before the user is allowed to access the files on the device.

Actually now that I've written this and done a little googling, CERT had their own recommendations so you shouldn't bother listening to me:

From: http://www.us-cert.gov/current/

US-CERT encourages users to do the following to help mitigate the risks:

* Install antivirus software and keep the virus signatures up to date.
* Do not connect an unknown or untrusted USB drive to your computer.
* Disable AutoRun or AutoPlay features for removable media.
* Review the Using Caution with USB Drives Cyber Security Tip for more information on protecting your USB flash drive.
* Review The Dangers of Windows AutoRun Vulnerability Analysis Blog entry for more information regarding AutoRun.

Also see:

http://www.us-cert.gov/cas/tips/ST08-001.html
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

From a data security/data loss prevention standpoint, USB drives open up a different set of challenges and you may want to consider implementing policies to address those challenges as well, but I think that is a much different type of concern.

-Adam

Douglas Gale wrote:

CERT recently issued a warning about malicious code propagating via USB flash drive devices and the Defense Department suspended "usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware."

Have any campuses experienced problems or developed any policies or procedures regarding the use of USB storage devices?

Doug Gale

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis