Penetration testing via USB keys

There have been a number of articles written about the security experts who, during a recent penetration test, randomly dropped USB flash drives loaded with a trojan set to autorun around the target facility. I like Bruce Schneier’s write-up and story links on this, so I will reference it. First, Schneier has this:

Recently I’ve been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called “iPod Sneakiness” (unfortunately, not on line). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files.

So if you aren’t reading 2600 Magazine to keep up with the security underground, you’re in the dark. Get to reading it. I’ve found it to contain loads of worthless stuff, but the letters section and at least a few articles per issue are usually worth the cost of the magazine. And if any of you want to get me a lifetime subscription to 2600, I’d be more than happy to accept it…
Next, he links to the story about the USB drives used for the penetration test.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

After this, it’s just a matter of waiting. And as noted in the penetration testing story, it didn’t take long. I have to admit, I probably would have gotten taken by this attack as well, and I’ve spent years working with computer security. It’s not that I wouldn’t be suspicious of the USB drives. My problem is, I didn’t know USB drives could be set to auto-run just like CD drives can. In fact, it’s the default behavior in Windows!

AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what’s on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the “Shift” key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for “disable autorun”) or you can download and use Microsoft’s TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting “Take no action” for each kind of disk that’s listed. Unfortunately, disabling AutoPlay for CDs won’t always disable AutoPlay for USB devices, so the registry hack is the safest course of action.
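The “registry hack” Schneier refers to is the Explorer policy value NoDriveTypeAutoRun, a bitmask in which each set bit disables AutoRun for one drive type (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, 0x40 RAM disk; 0xFF covers everything). The PowerShell below is an added example, not from the original post or from Schneier: it audits the current mask per drive type and sets it to 0xFF if anything is still enabled. It assumes an elevated PowerShell prompt on a machine that honors this policy.

```powershell
# Added example: audit and enforce the NoDriveTypeAutoRun policy so that
# inserting a USB stick or CD never launches its autorun.inf. Run elevated.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # every bit set: AutoRun disabled for all drive types

# Meaning of the individual bits in the NoDriveTypeAutoRun mask.
$DriveBits = [ordered]@{
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (internal hard disks)'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
}

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when no policy is set at all
    # (in which case Windows falls back to its permissive default).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy([int]$Mask) {
    # One line per drive type: is AutoRun blocked for it or not?
    foreach ($bit in $DriveBits.Keys) {
        $state = if ($Mask -band $bit) { 'disabled' } else { 'ENABLED' }
        '{0,-32} AutoRun {1}' -f $DriveBits[$bit], $state
    }
}

function Disable-AutoRunEverywhere {
    # Create the Policies\Explorer key if absent, then write the full mask.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $AllDrives -Type DWord
}

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    'No NoDriveTypeAutoRun policy set; the Windows default applies.'
} else {
    Show-AutoRunPolicy $current
}

if ($current -ne $AllDrives) {
    Disable-AutoRunEverywhere
    'Set NoDriveTypeAutoRun to 0xFF; log off or restart Explorer for it to take effect.'
}
```

Explorer reads this value at logon, so re-run the audit after logging back on to confirm every drive type reports “disabled”.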

Bruce winds up with this comment that seems obvious to everyone interested in protecting computers except the folks at Microsoft:

In the 1990s, the Macintosh operating system had this feature, which was removed after a virus made use of it in 1998. Microsoft needs to remove this feature as well.

[tags]Security testing, USB drives, Autorun, Network security, Bruce Schneier[/tags]

Stephen Hawking to write a kid’s book?

(via boingboing)

Well, that’s what it looks like. Hawking will be working with his daughter to write a kids’ book to explain theoretical physics in a style kids can understand.

Physicist Stephen Hawking and his daughter are to write a science book for children which will be “a bit like Harry Potter”, but without the magic.

[tags]Stephen Hawking, Kid’s book[/tags]

Sony says PS3 is a computer, not a console

In a further attempt to alienate customers, maintain an absurdly high price, and give Micro$oft a better lead in the next-gen console battle, Sony, through President and CEO Ken Kutaragi, has announced that the PlayStation 3 is a computer, not a console.

Kutaragi pointedly commented of the next-gen console, which is due to launch this November at dual price points of $499 and $599 in North America: “We don’t say it’s a game console (*laugh*) – PlayStation 3 is clearly a computer, unlike the PlayStations [released] so far.”

This, Sony says, leaves open the possibility of upgrades or additional configurations in the future.

. . . “I think it’s okay to release a [extended PS3] configuration every year”. It’s clear from the comments that Sony is indicating that it will be possible to upgrade hard drives and perhaps even other components easily.

The Sony CEO gave another example in the interview: “As PS3 is a computer… it also wants to evolve. We’ll want to upgrade the HDD size very soon – if new standards appear on the PC, we will want to support them. We may want the [Blu-ray] drive to [have a writable version upgrade].” He then tempered his comments: “Well, BD may not develop like that, though.” But extensibility is what Sony is stressing that you get for the price of a PS3, nonetheless.

I think Bill has the whole PS3 situation covered best of all the sites I follow. That last link in particular has some pretty good discussion on the fiasco.

[tags]PS3, Playstation 3, Sony suicide[/tags]

Dungeons and Dragons online getting solo options?

(via Slashdot games)

It looks like DDO is trying to increase its numbers. Honestly, this one change might be enough to get me to try it. I’m all for teaming when playing online, given the option, but sometimes I just don’t have the time to dedicate to building and staying with a team. This change alone could open up DDO to people like me who don’t mind teaming, but don’t always have the time.

“Turbine has also adjusted the experience requirements for leveling up. The change heavily favors new players, cutting the necessary experience points to get to level two by half. However, the requirements for levels four and up will only be decreased by 10,000 points.”

And with this game not doing well, it’s even fairly affordable to hit EBGames/Gamestop or similar to pick up a copy. Hmmmm.

[tags]DDO, Dungeons and Dragons online, MMORPG[/tags]

Industrial strength dance pad (think DDR here)

(via Hack-A-Day)

Invent Geek has posted a really high quality (and quite honestly, good looking) dance pad. It is built for the XBox version of DDR, but with an XBox to USB adapter, it should work on a PC. From the information available so far, build time looks to be just half an hour or so. The big downside to this is the $250-$1000 cost (not really sure why such a large range, though). I have a decent non-metal dance pad for my DDR gaming, but I’m seriously considering trying to build one of these. Of course, my wife doesn’t know that yet.

With the introduction of the dancing gaming systems here in the states there has been huge growth within the community. The problem that anyone who is truly interested in the fitness gaming revolution will face at some time is the gross difference between the home console and arcade dance pad quality. Even the super high end home use dance pads that cost 500+ are not considered a long term or heavy use choice. So I set out to create a dance deck at an affordable price range that would even trump the arcade quality units. This is just the “prototype” and we will be putting up a full article with detailed instructions and even a full part list and plans for the final version that we are in the process of writing up now.

[tags]DDR, dance pad, gaming[/tags]

Nintendo DS MMORPG

While perusing my RSS feed from DSFanBoy, I found this little gem about the upcoming (to US shores, at least) MMORPG Maplestory for the DS. Naturally, my interest was sufficiently aroused to try to find out a bit more about it. This led me to the Wikipedia entry on the game.

As in any typical MMORPG, gameplay centers around venturing into dungeons and combating monsters in real time. However, MapleStory’s 2-D side-scrolling viewpoint more closely resembles a platformer than the typical 3-D or top-down view of other games. Though the 2-D graphics don’t give the player a more realistic feeling, it is an important part of MapleStory, for the 2-D effect helps the game have larger levels. MapleStory characters fight monsters through a series of attacks and skills. Along with combat, jumping is an integral part of the game.

. . .

New players are sent to Maple Island, a floating island specifically designed to be beginner-friendly. Unlike a collection of other MMORPGs, players in MapleStory can not choose a character class or job when they create the character. Rather, every character starts with the job Beginner until they meet the requirements to complete the first job advancement.

When a player creates a new character, he or she is able to spread 25 ability points amongst four different statistics: STR, DEX, INT, and LUK (Strength, Dexterity, Intelligence, and Luck, respectively). Players can not manually choose where these points will be placed, as the distribution is randomly generated by a dice roll, to which an infinite number of rolls are possible. The minimum possible point level scored when the dice is rolled in a statistic is four and the maximum is twelve.

Aside from the 2-D scroller thing, it sounds like a typical MMO. I will have to try it out, though, whenever I can get my hands on it. Ever since I got hooked on City of Heroes (July 2004, BTW), I’ve tried to keep up with MMO news. And since this one plays on my portable of choice (I still want a PSP, but I can’t afford one right now), I’ll probably buy it and try it.

[tags]Nintendo DS, MMORPG[/tags]