Penetration testing via USB keys

A number of articles have been written about the security experts who, during a recent penetration test, randomly dropped USB flash drives carrying a trojan set to autorun around the target facility. I like Bruce Schneier’s write-up and story links on this, so I will reference it. First, Schneier has this:

Recently I’ve been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called “iPod Sneakiness” (unfortunately, not on line). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files.

So if you aren’t reading 2600 Magazine to keep up with the security underground, you’re in the dark. Get to reading it. I’ve found it to contain loads of worthless stuff, but the letters section and at least a few articles per issue are usually worth the cost of the magazine. And if any of you want to get me a lifetime subscription to 2600, I’d be more than happy to accept it…

Next, he links to the story about the USB drives used for the penetration test.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

After this, it’s just a matter of waiting. And as noted in the penetration testing story, it didn’t take long. I have to admit, I probably would have gotten taken by this attack as well, and I’ve spent years working with computer security. It’s not that I wouldn’t be suspicious of the USB drives. My problem is, I didn’t know USB drives could be set to auto-run just like CD drives can. In fact, it’s the default behavior in Windows!

AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what’s on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the “Shift” key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for “disable autorun”) or you can download and use Microsoft’s TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting “Take no action” for each kind of disk that’s listed. Unfortunately, disabling AutoPlay for CDs won’t always disable AutoPlay for USB devices, so the registry hack is the safest course of action.
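The registry change mentioned above, as an added example that is not part of the original post or of Schneier's text: a PowerShell script that reports which drive types are still allowed to AutoRun and, when asked, disables AutoRun for all of them. It assumes the standard `NoDriveTypeAutoRun` policy value, which the post does not name; the `-Enforce` switch and the function names are invented for this example.

```powershell
# Added example (not from the original post). A set bit in NoDriveTypeAutoRun
# DISABLES AutoRun for that drive type; 0xFF disables it for all of them.
param([switch]$Enforce)   # -Enforce is a switch name invented for this example

$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' }
    @{ Bit = 0x04; Name = 'Removable (USB flash drives)' }
    @{ Bit = 0x08; Name = 'Fixed disk' }
    @{ Bit = 0x10; Name = 'Network' }
    @{ Bit = 0x20; Name = 'CD-ROM' }
    @{ Bit = 0x40; Name = 'RAM disk' }
)

function Get-AutoRunAllowedTypes([int]$Mask) {
    # Drive types whose bit is clear are still allowed to AutoRun.
    $DriveTypeBits | Where-Object { -not ($Mask -band $_.Bit) } |
        ForEach-Object { $_.Name }
}

function Read-AutoRunMask([string]$Key) {
    $prop = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    $raw = $prop.$ValueName
    # Usually REG_DWORD, sometimes REG_BINARY; the mask fits in the first byte.
    if ($raw -is [byte[]]) { return [int]$raw[0] }
    return [int]$raw
}

foreach ($hive in 'HKLM', 'HKCU') {
    $key  = "${hive}:\$PolicyPath"
    $mask = Read-AutoRunMask $key
    if ($null -eq $mask) {
        '{0}: {1} not set, the Windows default applies' -f $key, $ValueName
        continue
    }
    $allowed = @(Get-AutoRunAllowedTypes $mask)
    $status  = if ($allowed.Count) { 'AutoRun still allowed for: ' + ($allowed -join ', ') }
               else { 'AutoRun disabled for all drive types' }
    '{0}: {1} = 0x{2:X2} -> {3}' -f $key, $ValueName, $mask, $status
}

if ($Enforce) {
    # Machine-wide setting; requires an elevated (administrator) session.
    $key = "HKLM:\$PolicyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ValueName -Value 0xFF -Type DWord
}
```

Run it without arguments to audit a machine; the setting takes effect for a user after the next logon or Explorer restart.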

Bruce winds up with this comment that seems obvious to everyone interested in protecting computers except the folks at Microsoft:

In the 1990s, the Macintosh operating system had this feature, which was removed after a virus made use of it in 1998. Microsoft needs to remove this feature as well.
