[ale] Usb Autorun Attacks Against Linux At Shmoocon 2011

Ron Frazier atllinuxenthinfo at c3energy.com
Sun Mar 13 23:58:48 EDT 2011


Hi Damon,

As Michael W said in his reply to my post, "Autorun == Evil in all 
forms." (Glad you agree with me, Michael W.) I turned off autoplay / 
autoexecute in Nautilus. Automount may still be engaged. There are a 
number of scenarios where preventing this functionality may be useful. 
Imagine you go to a meeting, or a class, and you get a memory stick from 
someone which has something malicious on it (whether they know it or 
not), or possibly you copy something that you wanted to your memory 
stick. You put it in your computer because you think it's something 
useful or good. Immediately, your computer is compromised and the 
machine is no longer trustworthy. This happens all the time with Windows 
machines, and it can happen to Linux too if there is enough incentive 
for the Black Hats to create and spread malware. That incentive will 
grow as the number of Linux desktop users grows. In a college computer 
lab, a library, or even an office, memory sticks have become a huge new 
vector to spread viruses, like the old floppy disks. Even worse, in some 
ways, because you actually had to run a virus on a floppy disk; it 
wouldn't do it for you. You definitely don't want someone to be able to 
install a keylogger or trojan horse on a machine just by putting in a 
memory stick and waiting for 30 seconds. It's quite possible that they 
can do that without attracting attention, whereas longer, more in-depth 
attacks on the machine might arouse suspicion. It's also quite common 
that they might have access to the USB ports but not physical access to 
the rest of the computer. Once the computer is compromised, inserting a 
non-infected memory stick will allow the virus to jump onto it and spread.

By the way, I heard on one of the Security Now podcasts that some 
Library system (I don't remember the city.) found a bunch of PHYSICAL 
keylogger dongles attached to the keyboard ports. It doesn't matter what 
OS or security measures you have, the only way to fix that is to find 
them and remove them. There's no telling how long they'd been there or 
who put them there. If it were me (and it never would be), I'd design 
the dongle to piggyback on the network port too so it could call home. 
It's a good bet that many patrons have had their login credentials and 
credit card numbers (if they entered them) stolen from those library 
computers. Pretty scary.

Sincerely,

Ron

On 03/12/2011 11:47 PM, Damon L. Chesser wrote:
> On Fri, 2011-03-11 at 10:45 -0500, Ron Frazier wrote:
>    
>> I just ran across this after Steve Gibson mentioned it.  It's a video you guys might like to see.  I haven't had time to see all of it yet.
>> It looks pretty good after a few minutes.
>>
>>
>> Usb Autorun Attacks Against Linux At Shmoocon 2011
>>
>> http://www.securitytube.net/video/1393
>>
>> Sincerely,
>>
>> Ron
>>
>>      
> I don't get it.  The most secure computer in the world is one that is in
> a safe or vault with no connections to the outside.  There is an old
> axiom, one that explains why RHEL can be booted into single user mode
> without a password.  If someone can touch your computer, you lost all
> security.  So (speaking of servers) it has an automount, who cares?
> They are in the DC and they could just clone the drives and walk away.
>    

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
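
Added example, not part of Ron's mail or anything else in this ALE thread: a small POSIX shell audit for the GNOME removable-media settings behind the "autoplay / autoexecute in Nautilus" and "automount may still be engaged" points above. It assumes the GNOME 3 gsettings schema org.gnome.desktop.media-handling with the keys automount, automount-open and autorun-never (2011-era Nautilus kept the equivalent settings in gconf; only the dump command differs, the check is the same). The two sample dumps embedded in the script are constructed for illustration, not captured from a real machine. Run it with --live on a GNOME desktop to audit the real settings; harden_media_handling applies the safe values.

```shell
#!/bin/sh
# Added example (not from the original mail). Audits GNOME removable-media
# handling. ASSUMPTION: GNOME 3 schema org.gnome.desktop.media-handling with
# keys automount, automount-open, autorun-never (older Nautilus used gconf).

# Hardened target: no automount, no folder pop-up, never run autorun content.
WANT_automount=false
WANT_automount_open=false
WANT_autorun_never=true

# audit_media_handling TEXT
# TEXT is the output of: gsettings list-recursively org.gnome.desktop.media-handling
# Prints one line per mismatch or missing key; returns 0 only if fully hardened.
audit_media_handling() {
    _rc=0
    _seen=""
    while read -r _schema _key _value; do
        [ "$_schema" = "org.gnome.desktop.media-handling" ] || continue
        case "$_key" in
            automount)      _want=$WANT_automount ;;
            automount-open) _want=$WANT_automount_open ;;
            autorun-never)  _want=$WANT_autorun_never ;;
            *) continue ;;            # other keys are not part of this check
        esac
        _seen="$_seen $_key"
        if [ "$_value" != "$_want" ]; then
            printf 'WEAK: %s is %s, want %s\n' "$_key" "$_value" "$_want"
            _rc=1
        fi
    done <<EOF
$1
EOF
    # A key absent from the dump is a finding too: silence is not safety.
    for _k in automount automount-open autorun-never; do
        case " $_seen " in
            *" $_k "*) ;;
            *) printf 'MISSING: %s\n' "$_k"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Apply the hardened values on a live GNOME session (only if gsettings exists).
harden_media_handling() {
    command -v gsettings >/dev/null 2>&1 || { echo "gsettings not found" >&2; return 2; }
    gsettings set org.gnome.desktop.media-handling automount false
    gsettings set org.gnome.desktop.media-handling automount-open false
    gsettings set org.gnome.desktop.media-handling autorun-never true
}

# Constructed sample dumps (not real captures): a default-like desktop and a
# hardened one, in the "schema key value" layout gsettings list-recursively prints.
WEAK_SAMPLE='org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling automount-open true
org.gnome.desktop.media-handling autorun-never false
org.gnome.desktop.media-handling autorun-x-content-start-app @as []'
HARDENED_SAMPLE='org.gnome.desktop.media-handling automount false
org.gnome.desktop.media-handling automount-open false
org.gnome.desktop.media-handling autorun-never true'

if [ "${1:-}" = "--live" ]; then
    audit_media_handling "$(gsettings list-recursively org.gnome.desktop.media-handling)"
else
    echo "== constructed default-like dump"
    audit_media_handling "$WEAK_SAMPLE" || true
    echo "== constructed hardened dump"
    audit_media_handling "$HARDENED_SAMPLE" && echo "OK: hardened"
fi
```

The audit deliberately treats a missing key as a failure rather than a pass, because a dump from an older or differently configured desktop that lacks the key tells you nothing about whether automount is off. Note that turning off automount in Nautilus only stops the desktop from mounting and opening the stick; the kernel still enumerates the device and loads usb-storage, so this closes the autorun path Ron describes, not every USB attack surface.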
