111 Comments
- dnthomps, on 10/12/2007, -1/+91 "Even if I saw a setup.exe file on it, i'd probably run it"
You are a great part of the reason the Anti-Virus companies do so well.
- thegreatsam, on 10/12/2007, -2/+65 I wouldn't run it on my Office PC. I would run it on my cube-neighbor's Office PC.
- mirek, on 10/12/2007, -4/+64 Honestly, if I found or received a free USB drive, I wouldn't hesitate to plug it into my PC to see what was on it. Even if I saw a setup.exe file on it, i'd probably run it to see what it did (provided it wasn't 3KB). This is a great idea.... digg..
- elnerdo, on 10/12/2007, -16/+69 Oh man! You're so cool! I wish I was that cool!
- Dracos, on 10/12/2007, -1/+43 Most people don't know what file types are or what executable means. Coincidentally, Windows hides file extensions by default. So a file named "britney_spears_nude.jpg.exe" shows as "britney_spears_nude.jpg" in Windows explorer.
Double-click, bang: virus triggered, security compromised. Heard over the cubicle wall: "This picture doesn't work!"
- drwatson, on 10/12/2007, -2/+44 "Evil will always triumph over good... because good is dumb."
- wwwdeveloper, on 10/12/2007, -5/+45 This doesn't sound neat at all! Why would these "security experts" who are conducting the audit use a trojan to EMAIL SENSITIVE INFORMATION? If I hired auditors and they wrote a trojan that would e-mail my company's usernames, passwords, and other sensitive information, I would be more pissed at the auditors than the ignorant employees! Am I wrong for thinking this?? Why would anyone purposely shoot all of this sensitive information over e-mail?
This author sounds like a hoax or a joke to me. I couldn't see any security expert purposely shooting a client's sensitive information all over the Internet!
- FiveFiftyOne, on 10/12/2007, -3/+38 "I found a random CD lying around, pooped it in my school comp, and voila!"
Best. Typo. Ever.
- officerdoofy, on 10/12/2007, -4/+38 I bet you're just saying that after reading the article.
- aphexcoil, on 10/12/2007, -1/+33 "Watcha got there?"
"I don't know, some USB thingie I found in the parking lot."
"I found one, too!"
"Wanna plug it in?"
"Yeah!"
"Let's go plug it in and see what's on it!"
** 2 weeks later **
CNN.COM
BREAKING STORY: 450,000 CREDIT PROFILES COMPROMISED AT BANK OF XXXXXX.
- mirek, on 10/12/2007, -2/+33 I wouldn't run it on my office PC, however curiosity would get me, and I'd probably run it on my offline laptop. Who knows it could be the new virtual girl installation. ;)
- Al3x, on 10/12/2007, -3/+33 To do this, create a file called "autorun.inf" in the root of the USB drive. Open the "autorun.inf" file in notepad and put something like this:
[AutoRun]
open=LaunchVirus.exe
icon=HarmlessLookingIcon.ico
Right click the file and check the box that says "hidden" for good measure. Unplug, replug, and boom, "LaunchVirus.exe" is executed...on most machines anyway (it can be disabled...somebody already commented on how to disable).
- Winters, on 10/12/2007, -3/+29 This sounds really neat, though I would like a few more technical details. Was something being auto loaded or were they relying on users to run an exe file? From the article it sounds like they ran an exe.
"I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software."
Either way, pretty interesting. Predictable, but interesting.
- inactive, on 10/12/2007, -4/+28 Yeah, that is a real good thought. But then how many workers have even heard of Knoppix? Better yet, how many workers even care about what may happen to their company's computer?
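Added example, not part of any comment in this thread: a triage script for a found drive mounted on an analysis machine. It reports the two things described above, an autorun.inf that names a program to launch and executables named with a decoy double extension. The function names and extension lists are assumptions chosen for the example, and the sample volume is constructed from the file names quoted in the comments.

```python
import configparser
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}  # run on double-click
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf"}      # look harmless
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program to start


def autorun_findings(root):
    """Return (key, target) launch directives from autorun.inf in the volume root."""
    findings = []
    for entry in Path(root).iterdir():
        if not (entry.is_file() and entry.name.lower() == "autorun.inf"):
            continue
        parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
        try:
            parser.read_string(entry.read_text(errors="replace"))
        except configparser.Error:
            # Malformed file: report it rather than silently skipping it.
            findings.append(("unparseable", entry.name))
            continue
        for section in parser.sections():
            if section.lower() == "autorun":
                findings += [(k, parser.get(section, k))
                             for k in LAUNCH_KEYS if parser.has_option(section, k)]
    return findings


def double_extension_files(root):
    """Return (relative path, name shown when extensions are hidden) for decoy-named executables."""
    hits = []
    for path in Path(root).rglob("*"):
        suffixes = [s.lower() for s in path.suffixes]
        if (path.is_file() and len(suffixes) >= 2
                and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS):
            shown = path.name[:-len(path.suffix)]
            hits.append((path.relative_to(root).as_posix(), shown))
    return sorted(hits)


def build_sample_volume():
    """Constructed sample: a temp directory standing in for a mounted USB drive (empty files)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "AUTORUN.INF").write_text("[AutoRun]\nopen=LaunchVirus.exe\nicon=HarmlessLookingIcon.ico\n")
    (root / "photos").mkdir()
    for name in ("photos/holiday.jpg", "photos/britney_spears_nude.jpg.exe", "passwords.txt.exe"):
        (root / name).touch()
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    for finding in autorun_findings(volume) + double_extension_files(volume):
        print(finding)
```

Because the script walks the directory tree directly, the "hidden" attribute and Explorer's hide-extensions setting have no effect on what it reports.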
- Scatropolis, on 10/12/2007, -5/+23 "If you're going to have risky behaviors, at least use a little protection."
They taught us that about once a year in Jr. High and High School.
- interiot, on 10/12/2007, -0/+17 VMware or Xen3.0 or something.. If you're going to have risky behaviors, at least use a little protection.
- ZaNkY, on 10/12/2007, -1/+17 This has to be the most ingenious Social Engineering hack I've ever read about. Pretty sweet, but in a way quite sad.
As much as all the people above me say they WOULDN'T plug it in on their comps, I'm sure most would still do it if it really happened to them, at work or home. Hell, that's what I did today! I found a random CD lying around, pooped it in my school comp, and voila! I found some random middle school language teacher's teaching lessons and private todo's list (even testing info!). What if there was some secret autorun? :-/
As for running the EXE, shame on them, but again, I would expect half the people here to at least think about it, if not try it.
Now I don't see why there can't be some auto exec script on the USB drive. As soon as you plug in the USB drive windows starts polling the device for driver info. An assembly hacker could easily write something in that would exploit......
Then again, I'm sure there is free software that will do just that. How many USB drives install (temp) some custom menu in the taskbar?? I've seen more than one that do that as soon as you plug it in.
All in all, nice read, makes you think, Next time I pick up a USB drive what shall I do?
- hater2win, on 10/12/2007, -2/+18 I would have also liked some more technical details, as well as employee and company reaction. Still a good read though.
- madeingermany, on 10/12/2007, -0/+14 @xXShadowstormXx:
Since the Trojan was custom made, I don't think your Avast would have caught it.
Heuristic Scanners aren't that good....
- inactive, on 10/12/2007, -1/+15 Having never used a USB drive I was wondering the same thing. I suppose nice labels on CDs or DVDs would work too.
- the413bandit, on 10/12/2007, -0/+14 we've done this where I work a long time ago and have been doing this for a while to test our security. This goes back to the early days of computers where viruses were only spread on floppy disk, then came the internet and the microsoft operating system, and now everybody gets viruses. This also works w/ floppy disks, CD's, and even more tempting than a free thumbdrive is a free MP3 player. People will plug anything into their computer.
heck, to keep my data safe from my thumbdrive, i made a file called "passwords.txt.exe" on a default installation of windows it would hide the .exe, so i wrote a little program in visual basic, changed the executable file's icon to the same icon as notepad, if some random moron finds my thumbdrive and they decide to look through my passwords, my executable will ping my server (so i can find the jerk who stole my thumbdrive) and the next thing it does is it overwrites everything on the thumbdrive so that hopefully they weren't smart enough to make a backup copy before they decided to read my passwords. even if they were, any data that is remotely sensitive is well encrypted anyway.
Also, I'm not paranoid to the point of disabling USB storage devices on my computer (because i use them all the time) but I have disabled autorun on my computer.
- xXShadowstormXx, on 10/12/2007, -2/+14 I'd never open a .exe file like this @ the Office. Not even @ home unless I knew what it was for -- even then I'd scan it via Avast just to make sure.
- Mesach, on 10/12/2007, -0/+11 Or you could just open regedit and browse to this key:
HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Change the "Start" value to one of the following:
Switch this value to 4, and USB storage devices are disabled.
Switch this value to 3, and USB storage devices are enabled.
Or you could do it through group policies so that people in the IT department can log in and have access but everyone else cannot.
- rishubhav, on 10/12/2007, -21/+31 I would boot knoppix and THEN open the usb drive.
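Added example, not part of any comment in this thread: one way to audit the UsbStor "Start" setting described above across several machines, by parsing text saved from `reg query` on each host. The host names, the captured output and the exemption list (standing in for the IT-department exception) are constructed for the example.

```python
import re

# Start values as given in the comment above: 3 = USB storage enabled, 4 = disabled.
START_MEANING = {3: "enabled", 4: "disabled"}
START_RE = re.compile(r"^\s*Start\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE)

# Constructed sample: text saved per host from
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\UsbStor /v Start
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor"
SAMPLE_CAPTURES = {
    "teller-01": f"\n{KEY}\n    Start    REG_DWORD    0x4\n",
    "teller-02": f"\n{KEY}\n    Start    REG_DWORD    0x3\n",
    "it-admin-01": f"\n{KEY}\n    Start    REG_DWORD    0x3\n",
    "kiosk-07": "ERROR: The system was unable to find the specified registry key or value.\n",
}


def usb_storage_state(reg_query_output):
    """Classify one host from its captured `reg query` text."""
    match = START_RE.search(reg_query_output)
    if match is None:
        return "unknown"  # key or value missing, or the query failed
    # Any value other than 3 or 4 is reported instead of being guessed at.
    return START_MEANING.get(int(match.group(1), 16), "unexpected")


def audit(captures, exempt=()):
    """Return (host, state) for every non-exempt host where USB storage is not disabled."""
    report = []
    for host, text in captures.items():
        state = usb_storage_state(text)
        if host not in exempt and state != "disabled":
            report.append((host, state))
    return sorted(report)


if __name__ == "__main__":
    for host, state in audit(SAMPLE_CAPTURES, exempt={"it-admin-01"}):
        print(f"{host}: USB storage {state}")
```

Hosts whose state comes back "unknown" are listed alongside the enabled ones, since a failed query is not evidence that the setting is in place.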
- t3hX, on 10/12/2007, -10/+20 Digg me down, but I'd use a Mac, or Linux machine. Too dangerous for Windows.
- luma, on 10/12/2007, -0/+9 I've done a similar stunt (as a security audit), but using CD-ROMs. The trick? Burn a generic blank CD with your desired executable on it (in this case, a VNC server mildly modified to avoid symantec SAV), and label it "2006 Salary Reviews". Place it in the men's room, and wait 15 minutes.
- boff, on 10/12/2007, -0/+9 Public Machine (library, Kinkos) FTW?
- cphuntington97, on 10/12/2007, -0/+9 Note Autorun.inf files are not supported under Microsoft Windows XP for drives that return DRIVE_REMOVABLE from GetDriveType.
from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/autorun/autoplay_works.asp
but I don't know how secure that is, and obviously it's XP only.
- inactive, on 10/12/2007, -0/+8 Using people's greed to compromise security; social engineering to the max!
- ModernTenshi, on 10/12/2007, -6/+14 What, you mean people don't carry a Knoppix CD with them, or any other Live CD distros? Man, when classes are in session, I always have the latest version of Knoppix in my laptop bag. Never know when you might need it.
- Otto, on 10/12/2007, -0/+8 Sorry, but autorun.inf *does* work on some USB drives. Works on iPods too. You have to use an undocumented bit of text in the inf file to make it not do the normal scan and ask the user for the action, but yes, by default, XP will indeed look at autorun.inf files on removable drives. It just treats them slightly differently.
- xAXISx, on 10/12/2007, -0/+7 Good idea, but that would mean you have to have suspicion of the drive in the first place. Even if people knew what knoppix is, they probably wouldn't suspect anything bad.
- alcimedes, on 10/12/2007, -0/+7 So what happens if someone has decent firewall software installed that limits outgoing traffic? I wish there were a few more details as to how this started mailing info out, unless it compromised their own e-mail program. Wouldn't semi decent security software warn the user they're about to run an application, and if the user doesn't have admin access stop them?
- thegreatsam, on 10/12/2007, -0/+7 "So what happens if someone has decent firewall software installed that limits outgoing traffic?"
Which most small to medium companies don't have....They usually rely on blocking crap from the outside world, never understanding that their greatest threats are on the trusted side of the fence.
- nwily, on 10/12/2007, -0/+7 I once saw a speech given by a security expert where he referred to the "Hot porn" attack. He said it was the most effective attack on any given network. The basic premise is you make a bunch of CDs with an autorun that executes some trojan. Then you label them all "Hot Porn" or something far more lewd. All that's left to do is leave them in bathrooms, elevators, whatever. Besides scaring the living ***** out of me, that made me want to see hard data on the % of those CDs that call home. He also mentioned you can do the PG version by labeling all the CDs "Confidential" or "Authorized Personnel Only" or something along those lines.
- Universal, on 10/12/2007, -0/+7 That's a good way to track a USB drive, if you lost it...on accident......of course ;)
- d3dm, on 10/12/2007, -0/+7 If you could get it to autorun, just gut a mouse, keyboard, webcam etc. and install this drive inside the USB device and leave it lying around.
Few people would think that they could ever get a virus by plugging a mouse into their USB port. They'd plug it in, roll it around and determine it was dead, then toss it. The damage would be done by that point.
Even funnier would be to leave the thing in the hall with a "broken plug" label on it, then watch Nerdly Nerdstrom take it home, wire a new cable end on it thinking he's used his electronics genius to make something out of someone's trash. Heh-heh-heh.
- samdu, on 10/12/2007, -3/+9 Sounds like a neat idea, but personally, I don't want the people at my bank (credit union) inserting USB drives from unknown sources into their office computers. Something about having my personal banking information scattered to the digital winds doesn't sit well with me.
- inigomntoya, on 10/12/2007, -0/+6 I would find USB drives on my college campus all the time. Most of the people that were going to school there had put a text file at the root with the owner info on it. So, I would go to a lab computer and plug the thing in. My first reaction was always to try and get it back to the original owner (which I think was the employees' first reaction as well - not "Sweet a free USB drive! Hope it has pr0n on it!").
Also, if the credit union was this paranoid about security with USB drives - why didn't they disable the ability to use them? We do that in the computer labs of the private school I work at now. It keeps the students in check and keeps our calls down.
- n_md, on 10/12/2007, -0/+6 I once made a CD labeled "PORN" with an autorun to wipe a bunch of files and left it at school. :(
- schwack, on 10/12/2007, -0/+6 While this is a great read and diggable, I would point out that most layfolk don't even have a concept of USB drives and their potential role in the workplace network. Like the article points out between the lines: The masses like new toys, and are more than willing to connect them to their boxes without reservation. This is one of the reasons why AOL has such an enormous user base. People who are not computer literate, simply put, just follow the carrot or click what they shouldn't unknowingly. There is significant disconnect between geeks and PC / net n00bs. It's one of the many factors that fuels the technology industry economically. IT security will continue to be a problem for longer than my lifetime; In this realm, whatever someone bulletproofs- a craftier, smarter person will undo.
- UnclePunk, on 10/12/2007, -0/+5 "So a file named 'britney_spears_nude.jpg.exe' shows as 'britney_spears_nude.jpg' in Windows explorer."
Enough with the jibber jabber, where can I get that file? ...and is it before or AFTER the kid?
- madeingermany, on 10/12/2007, -0/+5 Most employers don't want you to run any linux distro of your choice at work (I know mine doesn't).
And by the way: The people that would think of using a live CD or VMWare or whatever are not the problem, because they would also consider that they are being played....
- mattb5, on 10/12/2007, -0/+5 At the company I used to work for a few years ago they had the PC's locked down pretty well. CD drives removed, no Internet/e-mail access, etc. Even removed ***** solitaire, the bastards! (Actually, at first they just removed the shortcut. Duh! Then when I made new desktop shortcuts for some of my friends, the next thing I know they actually managed to remove it entirely from the image they were using. Not necessarily an easy task as it usually keeps reinstalling itself even after being deleted.)
Then one day this wannabe geek loaded up a bunch of crap on his PC via a USB drive. Weird *****, some stuff in Arabic. Really creeped out I.T. when they found it. Next thing I know I had some stuff that I wanted to back up from the drive on my PC and I had just gotten a cheap USB drive and figured I'd try that since it had worked so well for the wannabe. I plugged it in and the computer shut itself down. No warning. No error message. Just began the shutdown procedure. Color me impressed! That's security.
- oepapel, on 10/12/2007, -0/+4 "So what happens if someone has decent firewall software installed that limits outgoing traffic?"
I don't know a single company that filters out SMTP or HTTP ports. Employees need to go to web sites and check their mail. Even if they turn off SMTP and filter all outgoing emails, a virus can still post a message via HTTP to a web based email client like hotmail. Even if the company has a proxy server set up, hotmail traffic will get through.
- realnebby, on 10/12/2007, -0/+4 I'm not surprised it worked if it is indeed a true story. The piece I find hard to believe is that a credit union would hire a pen test team that would use email to send username/passwords back to them. A pen test team should never do anything that puts the client's data in more jeopardy than it is already. As email is sent through the internet in clear text that is what they are doing.
- The_Decryptor, on 10/12/2007, -0/+3 "XP will indeed look at autorun.inf files on removable drives."
I use autorun.inf to give my thumbdrives custom icons, every single system i have plugged the drives into has run it and shown the icon (friends, school systems that have been locked down, etc.)
- thefinger, on 10/12/2007, -2/+5 I'd wait until I got home. But I suppose the employees were too curious and impatient for that.
- squarehappy, on 10/12/2007, -0/+3 @the413bandit: If you actually read the article, it states that they planted several dummy image files on the drive alongside an executable. The employees ran the executable whilst browsing the images. It doesn't state how the file was presented, but there would be no need for these dummy files to exist if the trojan auto-ran, other than to make the drive appear innocuous, which would be pointless for the purposes of this experiment.
They should've had an auto-run trojan just to phone home and let them know if the user had plugged the drive in, and a separate executable for the employees to run themselves so they could see who's ignorant enough to just plug in the usb drive, and who's so clueless that they would run an unknown executable on a bank computer.
- phlogiston99, on 10/12/2007, -1/+4 That's the best idea so far. [autorun] that's the way it's done. Otherwise the whole idea is priceless, I would have never thought of that. But now, yes, my mind has been seeded.
Companies are sloooooowly rolling out media access (read: blocking) solutions. But really, this is nothing new. PC had floppy drives forever.