[Tfug] Thumb drive sizes

Bexley Hall bexley401 at yahoo.com
Mon Dec 3 22:55:36 MST 2012


Hi Kramer,

On 12/3/2012 7:36 PM, Kramer Lee wrote:
> Isn't SneakerNet how Stuxnet was "carried"?

Dunno.

> If there is a worm on the originating machine, it might put itself on
> the thumb drive, and when it is in the secondary machine it might
> infect that one.  Or maybe it is fine in the originating machine but
> during the plug in time in the second machine it picks up a virus on
> the "to" machine, then it infects the original machine when plugged
> back into that one.

The only way for any sort of "infection" to propagate is if it
can cause code -- that *it* controls -- to be executed.  This
can be done by (in Windows land) something like an "autorun.exe"
on the drive *deliberately* being invoked by the (fool's!)
poorly configured OS.  Or, a macro invoked in a "document"
that supports macros.  Or, an HTML image that tickles an
exploit in a particular web browser.  Or, ...

I.e., if all you do is, effectively:
   mount <USB_device> /<mount_point>
   ls /<mount_point>
   umount /<mount_point>
then there's nothing to be fearful of.  (unless your ls(1)
has a bug that can be exploited by a "carefully crafted
file name")

Moral of story is to NOT let anything happen automagically on
your system unless you know, for a fact, that all of those
mechanisms are "safe"/reliable.  I.e., don't allow any
<specific_file_type> to be opened automatically "just by
clicking on it" (since you are likely to -- intentionally or
accidentally -- click on it, sooner or later) unless you know
for a fact that the application associated with the file
extension is "reliable".

E.g., I immediately name foreign executables to remind me that
they shouldn't be executed (mv foo.exe foo.xex) -- or, adjust
their permissions to prevent the OS from allowing them to be
executed.  (similarly, make sure "." is never in my $PATH)

> There was a saying in the days of floppy disks "Practice safe
> computing, always wear a write protect tab."  The last flash drive I
> had with a little write protect switch is a 4 GB.  At least if the
> data only went one way you could have your known uninfected machine
> write to it and then flip the switch and transfer files to the
> destination machine, and if there isn't a way to write to the flash
> drive with its switch set to protected, you are safe.
>
> The floppy could have a write protect tab, but that still depends on
> the floppy protection circuitry working as it should, and you could
> modify a floppy to write on a write protected floppy disk.  There are
> ways to get around just about any protection scheme, especially if
> those doing it are well financed.

On controllers where write-protection is an advisory role (i.e., not
enforced in hardware), the software can deliberately (or "buggily")
ignore the write protect switch.

> I don't know if the flash drive manufacturers put in a back door so
> they can write to a flash drive with its switch set to write protect.
> They could.  I haven't seen a switch on a flash drive lately.  I
> haven't seen a jumper for write protection on a flash BIOS much lately
> either, and that is easy to write over the net.

Most motherboards that I have encountered have a "write enable" switch
(jumper).  However, in the name of increased user friendliness,
the jumper can be left in the "enabled" position to facilitate
BIOS upgrades ("visit our web site.  Click on 'Update My BIOS'.
Wait until the dancing bear stops and smiles before powering
off your computer...")

> Did your computer ever spontaneously reboot while other ones stayed on
> just fine?  One of mine actually got reflashed and the only reason I
> know about it is that it was the only one of 3 computers that were on
> that rebooted, and it was a poor job so there was no network
> communications after it happened.  It ran fine again after I reflashed
> the BIOS.  I think I had visited a BIOS site just before this, I was
> fooled by the site name and thought it was a real ECS motherboard
> site.  It was a drive by BIOS reflash.  If it worked I wouldn't know,
> but after that I reflash BIOSes somewhat regularly and reinstall.

See above.

And, if you don't have total control of the software on a particular
machine (i.e., the case with damn near ALL "closed" software), then
any "protections" that the software *claims* to be giving you are
dubious.  E.g., software running on your machine (with sufficient
privilege) can disable any rules you may have installed in the
firewall service *on* that machine; contact a remote server;
download <some_file>; install it; execute it; and remove all
traces of it -- without your knowledge.  And, this action can be
initiated from *outside* or *inside* your firewall -- depending on
how it is crafted.

Moral of story, don't rely on closed software for security.

[I have (ab)used "nominal" traffic as a clandestine channel to
communicate with remote devices *through* firewalls -- since most
firewalls have pretty coarse controls and it's relatively easy to
slip nondescript traffic to/from a device that is *expected* to
talk to the outside world for some limited functionality.  Even if
you logged *all* of that traffic, how do you know what is "unusual"
for this device??]

*Real* moral of story:  cut the cord!  :>
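An added example (not from the original message or its author), written as POSIX sh: it checks a PATH string for "." or an empty component, and "defangs" the executables in a directory by renaming *.exe to *.xex and clearing the execute bits, as the message describes. The function names and the directory argument are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post.
# path_has_dot: return 0 if the PATH-style string in $1 contains "." or an
#   empty component (a leading, trailing or doubled colon), both of which the
#   shell resolves to the current directory.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# defang_dir: rename every *.exe directly under directory $1 to *.xex and
#   clear its execute bits, so neither a click nor "./foo.exe" will run it.
#   Prints the number of files defanged.
defang_dir() {
    _n=0
    for _f in "$1"/*.exe; do
        [ -e "$_f" ] || continue          # no match: the literal glob remains
        _new="${_f%.exe}.xex"
        mv -- "$_f" "$_new"
        chmod a-x -- "$_new"
        _n=$((_n + 1))
    done
    echo "$_n"
}

# Stand-alone use: audit the caller's own PATH.
if path_has_dot "$PATH"; then
    echo "warning: PATH contains the current directory" >&2
else
    echo "PATH looks fine"
fi
```

To defang a freshly mounted drive, call `defang_dir /<mount_point>` after the mount and before anything else touches it.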