Don't Just Plug Random Crap Into Your Computer
from the just-don't dept
There's been a lot of talk about how iPods and other portable devices pose a security risk to companies, since employees may store important company documents on them. Now there's fear that such devices could also carry malware into corporate systems. A team of security specialists recently demonstrated exactly how such an attack might work. First they collected a bunch of cheap USB drives, the type a company might give out for free as a promotion. After loading malware onto them, they simply scattered the drives around the parking lot of a bank at 6:00 AM, when nobody was watching. As the employees arrived at work they found the drives just sitting there, and one by one plugged them into their computers as the day went on. What's funny is that the employees knew a security test was going to happen, and yet they still didn't find it suspicious that several USB drives just happened to be lying in the parking lot when they got to work. It's unfortunate, but it seems the typical office employee just doesn't understand or care about security. Recall the studies suggesting how easy it is to get employees to give up their passwords in exchange for a cheap gift. While that lesson may seem obvious, just wait for the fearmongering about USB drives, totally missing the point.
Reader Comments
Externalities
Externalities (Reformatted)
Before our networks were locked down, some of my colleagues could not resist the temptation to install every cutesy thing that they saw... (Dolphins! Webshots! Free Spongebob Screensaver!) and could not understand why their machines were not working properly.
The techs that repaired their machines told them again and again not to install that crap, but since they could not enforce the rules, the crap was soon back, often within a week.
The Techs changed tactics and started imaging their machines... and then when the users broke them it was a simple matter to restore... and all their recent documents (which they were SUPPOSED to store on the network), were gone. There was much weeping and wailing and gnashing of teeth, but the crapware installations soon stopped.
If they bugger up their machines then they should have to bear part of the cost in some way. At one place I used to work, if you left your machine logged in someone would send a message to everyone in the office saying that you were buying the drinks on Friday at lunchtime. Everyone got caught... once. Then you learned to lock your screen.
Whether it is security or policy, people start caring about this sort of thing when it costs them.
USB?
Damn!
Slashdot had the exact same story a lot earlier.
Funny Videos Are A Much Greater Security Risk
Hopefully you also thought about the capacity for many video formats to contain executable code or link to certain webpages.
Most videos are distributed as either MPEG variations (safe, I think) or Windows Media Video. Windows Media Video used to contain the capacity to run executable code (much like the Windows Metafile Exploit debacle recently) and still retain the capacity to link to pages, which most likely will open in internet explorer.
Linking to about: pages with html tags will dynamically create a web page based on the tags you specify... and local pages are not filtered, and can easily access the hard disk through massive holes in the so-called 'sandbox' which Microsoft tacks on to most of its products once the hype has died down and the crashing/virus infections have begun.
Therefore video distribution could pose a massive threat to computer networks. With video, a user wouldn't notice the extra MB or so containing a virus/trojan/codec exploit.
Not a foolproof idea... just something to think about! ;-)
Re: Re: ha!
Unsafe USB practices...
Insertion
Lifetime supply of windy farts
Secure Hole
Security
Re: Security
No surprise here
I've even seen people connect to the Internet BEFORE having any security set in place on their computers... Needless to say, within minutes they were infected by spyware and viruses... As I've said over and over: always, always, always scan EVERYTHING BEFORE installing it on your computer, or even opening a file...
Re: No surprise here
You don't know what you're talking about. Simply connecting to the Internet will not infect you with "spyware and viruses".
Re: Re: No surprise here
Re: Re: Re: No surprise here
Re: Re: No surprise here
Re: Re: Re: No surprise here
Why do you even bother installing patches if you can't get malware installed by not doing anything? How moronic!
I have absolutely no patience for people who claim to understand network security and don't.
Please refer to one example:
http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Do you know what buffer overrun means? Probably not, but hopefully you know how to Google it.
Do you know what allows remote code execution means?
Wow... you really need to get out of the IT field if you in fact are in it.
Look in the mirror
To make it even funnier: two employees brought in a copy of the anti-virus for IT to use (after looking it over for validity, though these were trusted techs). IT informed them they were going to use their own (IT's) disk and not the techs' disk. An hour later one of the techs saw IT using the disk he brought in, except IT had used a marker and re-labelled it as an "IT anti-virus disk" or something similar.
Security Issues
This isn't about computer security...
Hey FLATLOOP
Here is the solution
http://www.sonarware.com
Software that will restrict these devices for all people, except people you want to have access.
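The comment above points at a commercial product. As an added example (not from the Techdirt post, the product linked, or any commenter), the script below shows the same "deny everyone except the people you choose" idea on a Linux host using only udev: every USB device that exposes a mass-storage interface is de-authorized by default, and only devices on an allowlist, matched on vendor ID, product ID and serial number together, are re-authorized. The serial is mandatory because a vendor/product pair is trivially cloned onto a drive from the parking lot. Assumptions, labelled as such in the code: the rules-file name, the `ENV{ID_USB_INTERFACES}=="*:08*"` match for USB interface class 08 (mass storage) being populated by the time this file is processed, the kernel's per-device `authorized` sysfs attribute, and every device ID and serial, which are constructed values.

```python
"""Default-deny udev policy for USB mass storage with an explicit allowlist.

Added example; not code from the Techdirt post or from any product mentioned there.
Assumed environment: Linux with udev, rules installed as
/etc/udev/rules.d/70-usb-storage-allowlist.rules (name is an assumption), and
ENV{ID_USB_INTERFACES} already set by the usb_id builtin when this file runs.
"""
import re
from typing import Iterable, List, NamedTuple

HEX4 = re.compile(r"^[0-9a-f]{4}$")                 # idVendor / idProduct as sysfs prints them
SERIAL_OK = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")  # what we accept in iSerial (no quotes, no backslash)


class AllowedDevice(NamedTuple):
    vendor: str    # idVendor, lowercase hex, as shown by lsusb
    product: str   # idProduct
    serial: str    # iSerial; mandatory, because VID:PID alone is trivially cloned
    owner: str     # audit trail only, never written into a rule match


def validate(dev: AllowedDevice) -> None:
    """Reject anything that is not a clean sysfs-style value. Because the regexes
    exclude quotes and backslashes, validated values can be embedded in a rule verbatim."""
    if not (HEX4.match(dev.vendor) and HEX4.match(dev.product)):
        raise ValueError(f"{dev.owner}: vendor/product must be 4 lowercase hex digits")
    if not SERIAL_OK.match(dev.serial):
        raise ValueError(f"{dev.owner}: serial {dev.serial!r} is empty or has unsafe characters")


# Assumption: ID_USB_INTERFACES looks like ":080650:" and class 08 is mass storage.
DENY_RULE = ('ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
             'ENV{ID_USB_INTERFACES}=="*:08*", ATTR{authorized}="0"')


def allow_rule(dev: AllowedDevice) -> str:
    """One re-authorization rule; all three identifiers must match."""
    validate(dev)
    return ('ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
            f'ATTR{{idVendor}}=="{dev.vendor}", ATTR{{idProduct}}=="{dev.product}", '
            f'ATTR{{serial}}=="{dev.serial}", ATTR{{authorized}}="1"')


def build_rules(allowed: Iterable[AllowedDevice]) -> List[str]:
    """Deny rule first, then one allow rule per device; udev applies ATTR writes in order."""
    seen = set()
    lines = [
        "# Generated: default-deny USB mass storage (interface class 08), explicit allowlist.",
        "# Order matters: the deny rule must precede the allow rules.",
        DENY_RULE,
    ]
    for dev in allowed:
        key = (dev.vendor, dev.product, dev.serial)
        if key in seen:
            raise ValueError(f"duplicate allowlist entry {key}")
        seen.add(key)
        lines.append(f"# {dev.owner}")
        lines.append(allow_rule(dev))
    return lines


# Constructed sample allowlist: fictitious serials, not real inventory.
SAMPLE_ALLOWLIST = [
    AllowedDevice("0781", "5583", "4C530001230101010101", "IT imaging key"),
    AllowedDevice("0951", "1666", "E0D55EA5C0B1", "finance export, J. Doe"),
]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_ALLOWLIST)))
```

Write the output to the rules file, run `udevadm control --reload`, and before trusting it confirm with `udevadm info` on a plugged-in drive that `ID_USB_INTERFACES` is already set when a 70-numbered file is evaluated; if it is not on your distribution, move the match to a later file or match `ATTR{bInterfaceClass}=="08"` on the interface instead. Keyboards and mice are untouched because they never carry class 08, so the policy blocks the free promotional drive without locking anyone out of their desk.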
Re: no surprise here
Re: Re: no surprise here
http://www.zdnet.com.au/news/security/0,2000061744,39200021,00.htm
http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm
http://www.stillsecure.com/docs/StillSecure_DenverPost_Honeypot.pdf
http://www.microsoft.com/athome/security/viruses/fwbenefits.mspx
Re: no surprise here
Re: Re: no surprise here
Re: Re: no surprise here
Re: Re: Re: no surprise here
Oh, and BTW? If you have users on those thousands of machines, I wouldn't guarantee that there is NO malware on ANY of them -- just my experience in call centers... ;-)
Re: Re: no surprise here
Re: Re: Re: no surprise here
"While most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet."
Unfortunately, what you did not notice is that this sentence was purposely written to confuse. It should have said: while most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet, after the user opens a web browser, an email, installs software, opens a file whether over a network share, on another partition or disk (or in other ways).
"Simply connecting to the Internet — and doing nothing else — exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously."
Well OBVIOUSLY. No one that I have noticed has disputed this fact and it is indeed a fact. Do these attempts render any results or infect a cleanly installed machine where no software has been installed, no webpage has been accessed, or no email attachment has been opened? No. Nor do these websites ever come out and say so, they leave their sentences completely open to mean just about anything.
Do any of you know anything about TCP/IP? You should learn. TCP/IP is the equivalent of a shipwrecked sailor, armed with a machine gun loaded with unlimited flares, firing in every possible direction as quickly as possible, advertising his presence in all directions, 24 hours a day, 7 days a week. Does every single thing you see in a firewall log constitute an ATTACK? NO. It does NOT.
Re: no surprise here
Re: no surprise here
Now that a few years have passed, that worm is no longer as common so I could avoid infection now. No telling when some other exploit will do the same thing with the current generation of PCs.
The hubris of phoenix and DMD will one day bite them.
Hazards of just connecting
Me too.
The logs of my firewalls reflect constant port scanning. XP SP2 is somewhat hardened, a very good improvement over all previous Windows versions. But far too many services are still enabled by default, and far too little information is available on most of them. When (not if, when) the next exploit shows up in a default service, there will be another flurry.
SQL Slammer is still out there! One infected machine is all it takes. One old app package that installs an unpatched MSDE could leave you vulnerable.
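Two comments above make the same practical point from opposite sides: one that not every line in a firewall log is an attack, the other that the logs show constant port scanning and that SQL Slammer is still circulating. The added example below (my code, not from the Techdirt post or any commenter) is the triage a practitioner runs to tell those apart: it parses iptables/UFW-style kernel log lines, groups the blocked packets by source, and classifies each source as background noise, a port scan (many destination ports from one source), a port sweep (one port across many hosts, the shape a worm produces), or a Slammer-signature packet. The log lines are constructed on RFC 5737 test addresses; the thresholds are assumptions to tune; and the Slammer match assumes the worm's single 376-byte UDP datagram to port 1434, which shows up as an IP total length of 404 in the first LEN= field.

```python
"""Firewall log triage: separate background probes from scans, sweeps and Slammer.

Added example, not from the Techdirt post. Log format is the iptables/UFW kernel
LOG target; every address and line below is constructed, not real traffic.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

SAMPLE_LOG = """\
Jan 10 06:01:03 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=445 WINDOW=64240
Jan 10 06:01:04 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=139 WINDOW=64240
Jan 10 06:01:04 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=135 WINDOW=64240
Jan 10 06:01:05 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51237 DPT=1433 WINDOW=64240
Jan 10 06:01:05 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51238 DPT=3389 WINDOW=64240
Jan 10 06:01:06 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51239 DPT=22 WINDOW=64240
Jan 10 06:02:11 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=404 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Jan 10 06:02:11 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=404 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Jan 10 06:02:12 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=404 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Jan 10 06:02:30 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4132 DPT=445 WINDOW=16384
Jan 10 06:02:30 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=4133 DPT=445 WINDOW=16384
Jan 10 06:02:31 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.12 LEN=48 PROTO=TCP SPT=4134 DPT=445 WINDOW=16384
Jan 10 06:03:40 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40022 DPT=80 WINDOW=29200
Jan 10 06:05:12 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# First LEN= is the IP total length; DPT= is absent for ICMP, hence optional.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) LEN=(?P<len>\d+) "
                     r"PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")


class Event(NamedTuple):
    src: str
    dst: str
    ip_len: int
    proto: str
    dpt: Optional[int]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a LOG-target line; ignore, do not guess
        dpt = int(m["dpt"]) if m["dpt"] else None
        events.append(Event(m["src"], m["dst"], int(m["len"]), m["proto"], dpt))
    return events


SCAN_PORTS = 5      # assumed threshold: distinct ports from one source
SWEEP_HOSTS = 3     # assumed threshold: distinct hosts on one port from one source
SLAMMER = ("UDP", 1434, 404)   # assumption: 376-byte UDP payload + 8 UDP + 20 IP = 404


def triage(events: List[Event]) -> Dict[str, str]:
    """Verdict per source. Specific signatures win over statistical shapes."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        ports = {e.dpt for e in evs}
        hosts = {e.dst for e in evs}
        if any((e.proto, e.dpt, e.ip_len) == SLAMMER for e in evs):
            verdicts[src] = "slammer-signature"
        elif len(ports) >= SCAN_PORTS:
            verdicts[src] = "port-scan"
        elif len(hosts) >= SWEEP_HOSTS and len(ports) == 1:
            verdicts[src] = "port-sweep"
        else:
            verdicts[src] = "background"   # the flare-gun noise the comment describes
    return verdicts


def summarize(verdicts: Dict[str, str]) -> Dict[str, int]:
    return dict(Counter(verdicts.values()))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    v = triage(parse_log(text))
    for src, verdict in sorted(v.items(), key=lambda kv: kv[1]):
        print(f"{verdict:18} {src}")
    print(summarize(v))
```

On the constructed sample, two of five sources are background noise and would be wasted effort to chase; the sweep and the Slammer packets are the ones worth an alert, and the Slammer hit in particular says an unpatched MSDE or SQL Server is still alive somewhere upstream, which is exactly the "one old app package" case the second comment warns about.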
A.) You never want to be without a firewall, no matter what OS you're running.
B.) An unpatched Windows system, no matter what version, will not last as long as a Linux/Solaris/BSD/etc machine when hooked up to the internet.
xp viri
mydoom
sasser
blaster/lovesan
funlove
gaobot.
could be a long list if I had the time. Too many of my clients run asr and think they're done. gotta go fix em
Re: the facts
Stupid employees
For example: If all employees are required to follow a protocol to fill out their work hours, they should be required to practice safe computing.
Why are time cards accurate and closely observed? Because their paycheck is determined by such attention.
All that is needed is the threat that if certain security protocols are not followed, it will be reflected in their paychecks. The costs incurred to remedy their carelessness will be paid by the employee.
Simple: they do the damage...they pay for it.
Would an employer keep an employee who breaks the front window just because they feel the need?
Re: Re: no surprise here
Re:
This is where the Linux desktop is superior. Of course, I could run as root, and I have seen some noobs misconfigure their systems using only a root account leaving themselves completely vulnerable. No system is idiot proof and just when we think we're getting there, they build a better idiot. :)
BTW - I'm a Linux noob myself, just installed my system in March.
It's true, why attack an OS group so small that you probably won't even make the local eight o'clock news.
Wow, you mean to tell me that ZoneAlarm prevents an attempt at an attack from ever even occurring! That is amazing! So by using ZoneAlarm I get attacked less! Wait, I thought ZoneAlarm was a firewall designed to block attacks, not stop them entirely.
That is just sad. Who do they have writing these articles anyhow?
It got taken down as the worst offenders were in management.
Just out of the blue, what's your favourite scanner?
Re: no surprise here
Yes, they can.
I understand the point that you and Phoenix are trying to make, but the fact is that you are just plain wrong. While it's true most malware gets installed unwittingly by users, other attack vectors are indeed possible.
A fresh install of XP *can* be compromised from the network, without any user even having logged in. The way this type of attack works is by exploiting bugs in network services that are running on a cleanly installed system. Many worms have done exactly this, by exploiting holes in NetBIOS.
It's the same type of attack generally used against *nix systems, and it doesn't necessarily require any stupid action on the part of the user.
Also, understand the difference between an operating system that is "superior" and "more secure". Linux is "more secure" because it is the minority. Users participating in malicious activity are out to gain something, whether it is money or to simply wreak havoc. The majority want to gain something. Now, would you make an attempt on 10,000 machines or 900,000,000 machines? By attacking 900,000,000 machines you would have a far better chance of gaining access.
Make no mistake, there are no amazing super-being programmers out there, all working together on a single operating system. Reality is no motion picture. Microsoft is not an evil corporation hiring programmers with a specific tailored lack of skill in specific areas to create an OS that is inferior. Those programmers at Microsoft are human beings just as those working on open source software, Linux, BSD and other operating systems.
I would like to know where Linux programmers are requiring super-genes that make them so much better?
Also, those running alternative operating systems such as Linux or BSD are typically 99.999% of the time either gurus or corporations with data that requires security. Either one of these entities almost always takes large steps to secure their systems. Why would you attempt to access systems which you know are most likely going to be secured when you can attack many systems whose users almost always have no concept of security - whose concept of security is installing software from any and every source on the Internet that claims to provide a working service for free.
If you were walking the street and someone you did not know approached you and proclaimed "Hi! I just wanted to introduce myself as a courtesy to you out of the goodness of my heart and offer my services to you free of charge. I noticed that your home has no security system! Just say "yes" and I will enter your home and guard you from any and all intruders. Again I will not charge you a dime, I will not ask you for your credit card number or any identifying information."
You say yes, and you return home robbed of everything you own. Except, computer users never know they are robbed. They don't know their keystrokes have been logged, or data has been sent across the Internet with personal information. They don't notice the information is gone, because it isn't. It has only been copied. These actions take place invisibly. Except on the Internet millions do this everyday. Why? The simple fact is because of their lack of understanding.
As USAToday even said, 90% of systems connected to the Internet are running the Windows operating system. Whether this percentage is 100% correct I doubt highly, but it's a good estimate. Therefore, there will be more attacks on systems running Windows just due to the fact that Windows is operated on the majority of systems.
For example, if you have 10 Europeans visit a foreign country and 2 are infected with a virus. If you have 15,000 Americans visit that foreign country 3000 may be infected with a virus. Same percentage of infections, but significantly more people infected (20% infection rate).
Does this make Europeans more "immune"? Absolutely not.
Re: *nix versus windows
How does one ensure a networked host is secure? There are tons of things you could check, but perhaps the two biggest things might be:
1) Disable all network services except those which are absolutely necessary.
2) Audit running network services to ensure they are free of bugs and properly configured.
The main reason *nix is considered more secure has to do with the relative difficulty of performing these tasks on windows compared to *nix.
The focus in windows is on "ease of use" for the end user, and the end result of this focus is that important security related config data gets scattered all over the filesystem and registry. Often this data can only be read or modified with a GUI config applet, which makes automation of security audits difficult or impossible.
Microsoft also loves to create lots of undocumented features and APIs, which the administrator has no way of knowing about. These invariably end up being used to turn on or reconfigure some network service without the administrator's knowledge or consent, potentially exposing the host. This sort of behavior would NEVER be tolerated by *nix customers, but we've grown to expect it from windows. Why? Because Microsoft claims they do these things to make the system more user friendly... again different focus.
Lastly, the networking code itself is far more mature in *nix, since it was there from the very inception. TCP/IP wasn't supported in windows until decades later.
Sure, any *nix system can be vulnerable, but the point here is that the *nix administrator generally has an easier task than his windows counterpart if he/she is asked to confirm with some certainty that the system has been secured.
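The comment above lists the two checks that matter on any networked host (disable every service you do not need, then audit what is actually listening), and an earlier reply makes the point that a fresh install can be owned through a listening service before anyone logs in. The added example below (my code, not from the Techdirt post or any commenter) is the second check done on Linux without shelling out to `ss` or `netstat`: it reads `/proc/net/tcp`, decodes the hex address fields, keeps only sockets in LISTEN state, and reports anything not on an assumed allowlist, splitting the findings into services reachable from the network and services bound only to loopback. The `/proc/net/tcp` excerpt is constructed, the allowlist is an assumed policy, and the address decoding assumes a little-endian host (x86, ARM), which is how the sample was written.

```python
"""Audit listening TCP sockets against an allowlist by reading /proc/net/tcp.

Added example, not from the Techdirt post. The sample below is a constructed
/proc/net/tcp excerpt (sshd, httpd and smbd on all interfaces, a database on
loopback, one ESTABLISHED connection); the allowlist is an assumed policy.
"""
import os
import socket
import struct
from typing import List, NamedTuple, Set, Tuple

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20044 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20110 1 0000000000000000 100 0 0 10 0
   3: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 20987 1 0000000000000000 100 0 0 10 0
   5: 0A00020F:0016 C633640A:D3A1 01 00000000:00000000 02:000A1B2C 00000000     0        0 0 3 0000000000000000 20 4 30 10 -1
"""

LISTEN_STATE = "0A"   # TCP_LISTEN in the kernel's state enum, printed in hex


class Listener(NamedTuple):
    ip: str
    port: int
    uid: int     # owning uid; 0 means a root-owned socket, the worst case if the daemon is buggy
    inode: int   # socket inode; grep for socket:[inode] under /proc/*/fd to find the process


def decode_addr(field: str) -> Tuple[str, int]:
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4 address
    as one 32-bit word in host byte order, so on little-endian hosts it reads reversed.
    Assumption: little-endian host; use '=I' instead of '<I' for the native order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text: str) -> List[Listener]:
    """All LISTEN-state IPv4 sockets in /proc/net/tcp format, in file order."""
    out = []
    for line in proc_text.splitlines()[1:]:   # skip the column header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(f[1])
        out.append(Listener(ip, port, int(f[7]), int(f[9])))
    return out


def audit(listeners: List[Listener], allowed_ports: Set[int]) -> Tuple[List[Listener], List[Listener]]:
    """Return (unexpected and network-reachable, unexpected but loopback-only).
    A loopback-only listener is not reachable by the worms the thread discusses,
    but it still deserves a look: local privilege escalation uses exactly those."""
    exposed, loopback = [], []
    for l in listeners:
        if l.port in allowed_ports:
            continue
        (loopback if l.ip.startswith("127.") else exposed).append(l)
    return exposed, loopback


ALLOWED_PORTS = {22, 80}   # assumed policy: only ssh and http are supposed to listen

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    exposed, loopback = audit(listening_sockets(text), ALLOWED_PORTS)
    for l in exposed:
        print(f"UNEXPECTED    {l.ip}:{l.port}  uid={l.uid}  inode={l.inode}")
    for l in loopback:
        print(f"loopback-only {l.ip}:{l.port}  uid={l.uid}  (lower risk, still review)")
```

On the sample this flags 445 and 139 (SMB/NetBIOS, root-owned, bound to every interface) as the findings that matter and 3306 on loopback as a lower-priority note, which is the list a *nix administrator hands back when asked to confirm the host is locked down. The same parsing applies to `/proc/net/tcp6` with a 32-hex-digit address field, and to `/proc/net/udp`, where there is no LISTEN state and every bound socket counts.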
USB Security