[Noisebridge-discuss] usb 'dead drops' at noisebridge?

travis+ml-noisebridge at subspacefield.org travis+ml-noisebridge at subspacefield.org
Wed Nov 3 15:29:03 UTC 2010


On Sun, Oct 31, 2010 at 01:01:08PM -0700, Mitch Altman wrote:
> One (perhaps) interesting side-note: 
> I plugged a USB drive into a computer at a hotel in Brussels a few
  weeks ago.  The computer was running Ubuntu.  The next time I
  plugged the USB drive into my computer I noticed that the
  "autorun.inf" file was altered, and had some EXE file added to its
  root directory, ready to be executed.  Seems that people (if one
  could be so kind as to call them that) are writing software for
  Linux that is intended to install itself on USB drives that they
  assume will eventually be plugged into Windows machines.

That is interesting.

I've also seen systems that image the flash drive when you plug it in
and transfer it to a remote system for analysis, possibly to obtain
deleted files, which are often the most sensitive.

Reminds me of how certain people like to tear sensitive documents in
half before throwing them away, especially in the copy room trash can.
I'm sure dumpster divers thank you for marking those documents as
especially sensitive. ;-)

Oh yeah, I've heard that disabling autorun/autoplay in XP is kinda
tricky, and that it may require multiple registry settings to account
for the various situations.  Without source code, it's hard to be
sure.

Also interesting that most file systems were designed with the
assumption that the media was not made by an adversary, but USB
drives breaks that.

Also, the USB interface forms part of the attack surface:

http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc7.5
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.noisebridge.net/pipermail/noisebridge-discuss/attachments/20101103/30e9711e/attachment-0003.sig>


More information about the Noisebridge-discuss mailing list