Educause Security Discussion mailing list archives

Re: USB Storage Devices


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 3 Dec 2008 11:14:08 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

USB drives institute a number of security challenges but most of those
have been around for a while so I'm not sure what might have changed
recently to cause the CERT warning and DoD edict against USB drives.

From an integrity standpoint, the biggest concern is the potential for a
hacker to fill a USB drive with malware and then somehow get an
unsuspecting employee to plug the drive into their system.  There have
been a few social engineering experiments showing the effectiveness of
this attack.  Here is one such anecdote from 2006:

http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803634

The development of the U3 USB drives made this much easier as the
autorun functionality allowed attackers to automate and hide the malware
infection:

http://en.wikipedia.org/wiki/U3

One of my former co-workers had rigged up a U3 with a pretty nasty
trojan that would do something very similar to what the whitehats did in
the article mentioned above.

However, even "normal" USB drives can be rigged up to infect systems
which they are plugged into:

http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/

Like I said, I don't think that any of these concerns are very new and
there are a number of things procedurally and technically that you can
try to do to protect yourself:

1)  Tell employees not to plug random devices into their workstations or
run unauthorized software.  This should apply to USB drives, CD-ROMs,
and software on the Internet.

2)  Ensure users do not have administrator or local administrator
privileges on their workstations to limit the damage of any malware that
is run (and have even stricter requirements/guidelines for those who
have administrator privileges).

3)  Disable auto-run on your workstations or better yet disable the USB
ports/CD-ROM entirely if that is an option (which it usually isn't, but
if you have PS/2 mouse/keyboard and no USB devices, might as well turn
off the USB ports).

4)  Ensure that you have anti-virus software that will automatically
scan any connected devices before the user is allowed to access the
files on the device.

Actually now that I've written this and done a little googling, CERT had
their own recommendations so you shouldn't bother listening to me:

From:

http://www.us-cert.gov/current/

US-CERT encourages users to do the following to help mitigate the risks:

    * Install antivirus software and keep the virus signatures up to date.
    * Do not connect an unknown or untrusted USB drive to your computer.
    * Disable AutoRun or AutoPlay features for removable media.
    * Review the Using Caution with USB Drives Cyber Security Tip for
more information on protecting your USB flash drive.
    * Review The Dangers of Windows AutoRun Vulnerability Analysis Blog
entry for more information regarding AutoRun.

Also see:

http://www.us-cert.gov/cas/tips/ST08-001.html

http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

From a data security/data loss prevention standpoint, USB drives open up
a different set of challenges and you may want to consider implementing
policies to address those challenges as well, but I think that is a much
different type of concern.

-Adam

Douglas Gale wrote:
CERT recently issued a warning about malicious code propagating via USB flash drive devices and the Defense
Department suspended "usage of all USB storage media until the USB devices are properly scanned and determined to be
free of malware."

Have any campuses experienced problems or developed any policies or procedures regarding the use of USB storage 
devices?

Doug Gale



--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk22oAACgkQT0QSLt7kiaADOgCgk+JU5vNyy3J9si49H7GCvvDP
uIQAoL1r8RUaKIz+LXGdWrs14lmFrQDA
=eeNo
-----END PGP SIGNATURE-----
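Steps 3) and 4) of the list above (disable AutoRun, and where possible the USB storage path itself) map onto two well-known Windows registry settings. The following PowerShell script is an added example, not code from the original post or from CERT: it audits a workstation for both settings and, when run elevated, enforces them. The registry value names are the Microsoft-documented ones (NoDriveTypeAutoRun = 0xFF under the Explorer policy key, KB967715; USBSTOR Start = 4 to disable the USB mass-storage driver, KB823732); the function names and the shape of the returned object are this example's own choices.

```powershell
# Added example (not from the original post). Audits and optionally enforces
# two registry-based mitigations for removable media:
#   1. Disable AutoRun for every drive type (NoDriveTypeAutoRun = 0xFF,
#      Microsoft KB967715).
#   2. Block the USB mass-storage driver (USBSTOR Start = 4, KB823732) on
#      hosts that genuinely need no USB storage.
# Function names and the output object layout are assumptions of this example.
# Auditing needs no elevation; enforcing must run from an elevated prompt.

$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing,
    # so a fresh machine with no policy key still audits cleanly.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-RemovableMediaHardening {
    # One object per host, so results can be collected with Invoke-Command
    # across a fleet and piped to Export-Csv or compared over time.
    $autorun = Get-RegistryDword -Path $AutoRunKey -Name 'NoDriveTypeAutoRun'
    $usbstor = Get-RegistryDword -Path $UsbStorKey -Name 'Start'
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NoDriveTypeAutoRun = $autorun
        AutoRunDisabled    = ($autorun -eq 0xFF)
        UsbStorStart       = $usbstor
        UsbStorageBlocked  = ($usbstor -eq 4)
    }
}

function Set-RemovableMediaHardening {
    param(
        # Only set this on machines that need no USB storage at all.
        [switch]$DisableUsbStorage
    )
    # The Policies\Explorer key may not exist yet; -Force creates the path.
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    if ($DisableUsbStorage) {
        # Start = 4 marks the USBSTOR service as disabled: newly attached
        # USB storage devices get no driver and therefore no drive letter.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
    Test-RemovableMediaHardening
}

# Audit only:
Test-RemovableMediaHardening | Format-Table -AutoSize
# Enforce AutoRun off, leave USB storage usable:
#   Set-RemovableMediaHardening
# Enforce both (PS/2 keyboard/mouse hosts, kiosks, etc.):
#   Set-RemovableMediaHardening -DisableUsbStorage
```

Two caveats when using this: Windows XP and Server 2003 honour NoDriveTypeAutoRun correctly only once the KB967715 update is installed, so the audit result on an unpatched XP box overstates the protection; and disabling USBSTOR stops the storage driver only, it does not block keyboards, mice or other USB device classes, so it addresses the malware-on-a-drive risk discussed here rather than every USB threat.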
