PaulDotCom mailing list archives

No subject


From: bogus () does not exist com ()
Date: Tue, 21 Oct 2008 15:14:41 -0000

Encryption (no matter what form) only protects the data during transit. Once
authentication is successful then data/drive will be the target.

With this said I believe device lockdown, policies around use of such
devices, and disabling the auto-run feature is where one should concentrate.
Once decryption occurs, files will be loaded in memory, etc. Does not hurt to
have all other pieces of the defense puzzle in place (i.e. patching solution,
etc.)

I did try the U3 Universal Customizer on Ironkey but it did not detect the
device so maybe it is not U3 (news to me)

From ironkey Virtual CD ROM Drive (verified it is read only and cannot be
formatted in any traditional way)

[autorun]
open=IronKey.exe
Icon=WINDOWS\CD.ICO
label=IronKey Unlocker


Once Auth'd from writable storage area:

[autorun]
label=IronKey Secure Files
icon=SECUR02B.ico (hmm)



Hope this helps




On Wed, Mar 18, 2009 at 12:52 AM, John <johnemiller at gmail.com> wrote:

I would check to see where the autorun software is stored on the drive.
If it truly is read-only, then you arrive at two possible scenarios.
They might have a mass produced security hardware device that is not
able to be updated. It becomes a sitting target. The only way around
this is to call executable code from the read-write partition. This
would make the drive vulnerable to overwriting the autorun application.

This is a technique that is used by the Downadup worm. It writes itself
into autorun.inf files on removable media and network shares. I also use
the stock autorun.inf on U3 drives and replace the contents of
LaunchU3.exe with a malicious agent. I've had antivirus catch suspicious
autorun files, but I figure they will always accept a stock U3 drive.

On Tue, 2009-03-17 at 23:29 -0400, Michael Salmon wrote:
I posted this comment/question on the PaulDotCom forum, but I'm
wondering what you guys think.  First, let me start saying the
PaulDotCom podcasts are awesome and Irongeek is a big influence on my
interest in computer security (his videos are great!).  Feels like
I'm talking to movie stars, lol ...

I hope I'm not beating a dead horse.  I know U3 hacking has been
around for years and so has the UniversalCustomizer tool.  My company
purchased back in 2007 the Kingston DTSP (DataTraveler Secure Privacy
Edition) USB keys for their hardware encryption.  Last year Kingston
replaced the drives with DTVP (DataTraveler Vault Privacy Edition) and
my manager asked me to find out if it was possible for a virus to
install on the CD-Rom partition.  I called Kingston to discuss the
matter and ask other detailed questions about their product.  I was a
bit surprised when the engineer told me it uses U3 technology... I
shouldn't have been, but because U3 didn't seem very secure to me I
assumed they developed their own CD-Rom emulation software.  I tested
the UniversalCustomizer tool against the older DTSP driver first and
it recognized it as a U3 drive and overwrote their CD-Rom partition,
although the data on the key was gone and even with data recovery
tools (used PhotoRec) I couldn't retrieve anything, it really
concerned me that a virus could overwrite the CD-Rom area and
antivirus wouldn't be able to delete the infection.  The tool failed
to recognize the newer DTVP drive as a U3 enabled key, but that
doesn't mean someone else won't figure out a way to overwrite it.
Kingston didn't have an answer when I asked what kind of security is
in place to protect against this (I'm still in talks with them,
hopefully someone will give me an answer).  So now I'm interested in
Ironkey, but on a recent PaulDotCom episode it was said that also
uses U3 technology.  I'm going to contact Ironkey soon, but I have
very little trust in what vendors say, has anyone else researched
this?  Companies put a lot of faith on hardware encrypted keys and
believe it's a secure medium, allowing their "secure drives" access
through device blocking products.  Kingston was confident that CD-Rom
partition is READ-ONLY, thus creating a false sense of security (at
least for their DTSP).  Sounds like a big security hole to me.

Your comments are appreciated.



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
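An added example, not written by anyone on this thread: a small Python audit of the two autorun.inf files quoted above. It parses the [autorun] section the way Windows does (section and key names case-insensitive) and reports whether the file would launch a program when the volume mounts, which is the property the thread cares about (the Unlocker CD-ROM image launches IronKey.exe; the writable area's file only sets a label and icon). The sample strings are constructed from the quoted text.

```python
import configparser

# Constructed samples: the two autorun.inf files quoted in the thread above,
# with the quoted-printable "=3D" escapes decoded back to "=" and the
# poster's "(hmm)" aside dropped from the icon line.
IRONKEY_CDROM_AUTORUN = """[autorun]
open=IronKey.exe
Icon=WINDOWS\\CD.ICO
label=IronKey Unlocker
"""
IRONKEY_SECURE_AUTORUN = """[autorun]
label=IronKey Secure Files
icon=SECUR02B.ico
"""

# Directives that make Windows run a program from the volume; a file that
# carries only label= and icon= is cosmetic and starts nothing.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """[autorun] section as a dict of lower-cased keys ({} if absent); Windows
    matches section and key names case-insensitively, so normalise both."""
    # no interpolation ('%' in a path stays literal); strict=False allows duplicate keys
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:  # no section header, binary junk, etc.
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(name)}
    return {}

def launch_targets(text):
    """List (directive, program) pairs this autorun.inf would execute."""
    targets = []
    for key, value in parse_autorun(text).items():
        # open=/shellexecute= fire on mount; shell\<verb>\command= fires from the context menu
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def audit_autorun(text):
    """Summarise an autorun.inf: its label and whether it launches code."""
    targets = launch_targets(text)
    return {"label": parse_autorun(text).get("label", ""),
            "launches_code": bool(targets), "targets": targets}
```

Feeding audit_autorun(open(path).read()) the autorun.inf from each mounted removable volume gives an inventory of which ones launch code; disabling auto-run, as suggested above, removes the trigger regardless of what the file says.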
