Friday, 9 June 2006

USB drives and potential danger

Since the laptop program, some schools have moved on to abandon the laptop and instead ask students to carry a much cheaper and lighter USB drive. Students can use the public desktop computers (or a laptop with wireless access) on campus. By plugging the USB drive into the provided computers, students can save their work and bring it home.

Slashdot has an article on Social Engineering Using USB Drives:

Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors.

and in the comments:

Imagine you are walking into work early, and find an open folder on the floor, with some papers strewn around and a CD or DVD in with it. Imagine the paper is an application to put on a SIGGRAPH demonstration, and on the CD is a WINDOWS directory, a LINUX directory, a BSD directory and a SOLARIS directory and each directory has a file named SIGGRAPH_presentation.exe or there is a SIGGRAPH_presentation.jar, (eliminating the need for multiple OS versions), with a README about how to execute it. You figure, "What the heck - I love cool graphics."

Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them.


Students are curious; at the very least, we should keep them curious so that they can learn. This kind of social engineering works very easily on students.

Disabling autostart for USB drives IS NOT the solution. As noted, the user's own action will trigger the virus/trojan.

Making the USB drive non-executable does not help either. Students can just copy the executable files to the hard disk and then execute them! Making the hard disk not readable is also NOT a solution. Students may need to test out their programs!

Any ideas on how to solve this problem?
