[ale] Usb Autorun Attacks Against Linux At Shmoocon 2011
Ron Frazier
atllinuxenthinfo at c3energy.com
Sun Mar 13 23:58:48 EDT 2011
Hi Damon,
As Michael W said in his reply to my post, "Autorun == Evil in all
forms." (Glad you agree with me, Michael W.) I turned off autoplay /
autoexecute in Nautilus. Automount may still be engaged. There are a
number of scenarios where preventing this functionality may be useful.
Imagine you go to a meeting, or a class, and you get a memory stick from
someone which has something malicious on it (whether they know it or
not), or possibly you copy something that you wanted to your memory
stick. You put it in your computer because you think it's something
useful or good. Immediately, your computer is compromised and the
machine is no longer trustworthy. This happens all the time with Windows
machines, and it can happen to Linux too if there is enough incentive
for the Black Hats to create and spread malware. That incentive will
grow as the number of Linux desktop users grows. In a college computer
lab, a library, or even an office, memory sticks have become a huge new
vector to spread viruses, like the old floppy disks. Even worse, in some
ways, because you actually had to run a virus on a floppy disk, it
wouldn't do it for you. You definitely don't want someone to be able to
install a keylogger or trojan horse in a machine just by putting in a
memory stick and waiting for 30 seconds. It's quite possible that they
can do that without attracting attention whereas longer more in depth
attacks on the machine might arouse suspicion. It's also quite common
that they might have access to the USB ports but not physical access to
the rest of the computer. Once the computer is compromised, inserting a
non-infected memory stick will allow the virus to jump onto it and spread.
By the way, I heard on one of the Security Now podcasts that some
Library system (I don't remember the city) found a bunch of PHYSICAL
keylogger dongles attached to the keyboard ports. It doesn't matter what
OS or security measures you have, the only way to fix that is to find
them and remove them. There's no telling how long they'd been there or
who put them there. If it were me, (and it never would be), I'd design
the dongle to piggyback on the network port too so it could call home.
It's a good bet that many patrons have had their login credentials and
credit card numbers (if they entered them) stolen from those library
computers. Pretty scary.
Sincerely,
Ron
On 03/12/2011 11:47 PM, Damon L. Chesser wrote:
> On Fri, 2011-03-11 at 10:45 -0500, Ron Frazier wrote:
>
>> I just ran across this after Steve Gibson mentioned it. It's a video you guys might like to see. I haven't had time to see all of it yet.
>> It looks pretty good after a few minutes.
>>
>>
>> Usb Autorun Attacks Against Linux At Shmoocon 2011
>>
>> http://www.securitytube.net/video/1393
>>
>> Sincerely,
>>
>> Ron
>>
>>
> I don't get it. The most secure computer in the world is one that is in
> a safe or vault with no connections to the outside. There is an old
> axiom, one that explains why RHEL can be booted into single user mode
> without a password. If someone can touch your computer, you lost all
> security. So (speaking of servers) it has an automount, who cares?
> They are in the DC and they could just clone the drives and walk away.
>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
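As an added example (not code from Ron's post or anything on the ALE list), here is a small POSIX shell script that does the check the first paragraph above implies: it audits GNOME's removable-media settings, reporting any of the three switches (automount, automount-open, autorun-never) that is still in its stock state, applies the hardened values through gsettings when gsettings is available, and can write a udev rule that keeps USB block devices away from the desktop's automounter system-wide. Assumptions: the GNOME 3 org.gnome.desktop.media-handling gsettings schema (the GNOME 2 Nautilus of 2011 kept equivalent switches under gconf), udisks2's UDISKS_IGNORE udev property, and a rule file name that is just an illustration. The sample settings dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.  Audits (and, on a
# GNOME desktop, fixes) removable-media handling so that plugging in a USB
# stick neither mounts it nor launches anything from it.
# Assumptions: the org.gnome.desktop.media-handling gsettings schema and
# udisks2's UDISKS_IGNORE udev property; the rule file name is illustrative.

# Values a hardened desktop should have for the three media-handling switches.
HARDENED="automount=false
automount-open=false
autorun-never=true"

# Constructed sample of `gsettings list-recursively org.gnome.desktop.media-handling`
# output from a stock, un-hardened desktop.
SAMPLE_DUMP="org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling automount-open true
org.gnome.desktop.media-handling autorun-never false
org.gnome.desktop.media-handling autorun-x-content-ignore @as []"

# audit_media_handling: read "schema key value" lines on stdin, print every
# switch whose value differs from HARDENED, return 0 only if all are hardened.
audit_media_handling() {
    rc=0
    while read -r schema key val rest; do
        want=$(printf '%s\n' "$HARDENED" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$want" ]; then
            continue                 # not one of the three switches we care about
        fi
        if [ "$val" != "$want" ]; then
            printf 'INSECURE %s=%s (want %s)\n' "$key" "$val" "$want"
            rc=1
        fi
    done
    return $rc
}

# harden_media_handling: apply HARDENED for the current user via gsettings.
# Does nothing (and says so) when gsettings is not installed.
harden_media_handling() {
    if ! command -v gsettings >/dev/null 2>&1; then
        echo "gsettings not found; nothing changed"
        return 0
    fi
    printf '%s\n' "$HARDENED" | while IFS='=' read -r key val; do
        gsettings set org.gnome.desktop.media-handling "$key" "$val"
    done
}

# write_udev_rule FILE: system-wide belt and braces.  udisks2 ignores every
# USB-attached block device, so no desktop session can auto-mount it; root can
# still mount by hand.  Reload with `udevadm control --reload` afterwards.
write_udev_rule() {
    cat > "$1" <<'EOF'
# Hide USB block devices from udisks2 so the desktop never auto-mounts them.
ACTION=="add", SUBSYSTEMS=="usb", SUBSYSTEM=="block", ENV{UDISKS_IGNORE}="1"
EOF
}

# Demo on the constructed sample: prints three INSECURE lines, then the note.
printf '%s\n' "$SAMPLE_DUMP" | audit_media_handling || echo "desktop is not hardened"
# To apply on a real desktop:
#   gsettings list-recursively org.gnome.desktop.media-handling | audit_media_handling
#   harden_media_handling
#   write_udev_rule /etc/udev/rules.d/99-no-usb-automount.rules   # as root
```

Turning automount off is what actually closes the gap the post describes: with autorun disabled but automount still on, the stick is still mounted and its filesystem still parsed the moment it is inserted, so the udev rule is the part that matters most on a shared machine.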