Full Disclosure mailing list archives

Re: Re: USB risks (continued)


From: Harlan Carvey <keydet89 () yahoo com>
Date: Sat, 19 Jun 2004 04:29:25 -0700 (PDT)

I agree, the use of USB-connected devices is nothing
new.  They make a very unobtrusive delivery system, as
well as a great way to load vast amounts of data into
an extremely small space to get information out of an
organization.

But you know something, that's not really the point. 
Yes, this is an old concern.  It goes right up there
w/ digital camera-enabled cell phones and a variety of
other security risks.  

I've been after one thing from the
beginning...information.  Evil Wrangler said that
information should be free, but when I asked him some
questions, all I got back was, "what...never heard of
hacking??"

In his 2600 article, EW stated that he plugged a USB
device into a friend's computer, and the autorun.inf
file was automatically parsed and commands within the
"open=" line of that file were automatically run.

According to documentation at MS, by default, this
should not be possible.  The NoDriveTypeAutorun key
within the Registry allows CDs to run the autorun.inf
file, but not removable drive types, such as floppies
and USB thumb drives.

I have asked for specifics such as manufacturer and
model number of the device used, specific information
regarding drivers loaded, etc.  After all, EW says
that "information should be free", but I certainly
don't see him freeing any information.  If anyone has
any information that can be used in repeatable
experiments, I'd appreciate hearing from you.

Thanks,

Harlan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
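
Added example, not part of the original post: a small auditor for the NoDriveTypeAutoRun bitmask mentioned in the message, for checking whether a host would permit Autorun on removable drives. It assumes the value is exported as a `dword` in a `.reg` file; the sample export and its mask values are constructed for illustration, and the function names are hypothetical.

```python
import re

# NoDriveTypeAutoRun is a bitmask; a SET bit disables Autorun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "cdrom",
              0x40: "ramdisk", 0x80: "reserved"}
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample export (not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Example\Unrelated]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"""

def parse_reg_export(text):
    """Return {hive: mask} for values found under the Policies\\Explorer key only."""
    found, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if key:  # entering a new key; track it only if it is the policy key
            hive = key.group(1) if key.group(2).lower() == POLICY_KEY else None
            continue
        val = re.fullmatch(r'"NoDriveTypeAutoRun"=dword:([0-9a-f]{1,8})', line, re.I)
        if val and hive:
            found[hive] = int(val.group(1), 16) & 0xFF  # only the low byte is used
    return found

def effective_mask(found):
    """HKLM takes precedence over HKCU when both are set; None if neither is."""
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        if hive in found:
            return found[hive]
    return None

def autorun_allowed(mask):
    """Drive types whose bit is clear, i.e. not disabled by the mask."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)

if __name__ == "__main__":
    mask = effective_mask(parse_reg_export(SAMPLE_REG))
    print(f"effective mask 0x{mask:02X}, Autorun allowed for: {autorun_allowed(mask)}")
    if "removable" in autorun_allowed(mask):
        print("FINDING: removable drives are not excluded from Autorun")
```

A value stored as `hex:` (REG_BINARY) rather than `dword:` is not matched by this parser and would need to be handled separately.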

