U3 Technology was RE: strange new virus
user name
2006-12-15 17:10:14
Right -- I should have stated that in my earlier message: the "autorun" capabilities of U3 thumb drives function because the hardware is specifically designed to provide that (and other) functionality. The device specifically presents itself as a media device that supports autorun (like a CD or DVD drive would) upon insertion.

A "standard" thumb drive would not invoke autorun unless you have software on the system to do that (it's out there). Unfortunately, you can find many references in posts and blogs around the net where people talk about putting autorun on a thumb drive and rootkit'ing people's boxes at banks, insurance agencies, etc., but it's bunk. I've even seen detailed explanations of how to encrypt drive contents on "any old thumb drive" and use autorun to immediately execute code, but they dance right over the fact that you have to go out of your way to autorun a thumb drive.

The most important thing is the last point you made about least privilege. Even if someone went out of HIS way (There, Shinder -- that better??? ;) to autorun a USB drive (or if it was U3), the user would still have to be an administrator to do anything.

Again, in Vista, even with autorun-supported media insertion, it asks if you want to run autorun by default. If you want to (depending on what the autorun does), UAC requires you to then enter the admin password to execute code or such. If you've turned off UAC, nothing would happen unless you were an admin. And in this day and age, no one should ever be running an interactive session as admin, unless you're a Scot in Bermuda (inside joke ;)

t


On 12/15/06 5:40 AM, "Henry Troup" <HenryTwatchfire.com> spoketh to all:

> Ah, the Bruce Schneier blog comments have the very valuable comment:
> 
>    The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.
> 
> So U3 is a different hardware spec, and U3 function can't be copied to non-U3 media. That's good. But the remarks about custom USB hardware there make me want to reach for the ol' glue gun! Of course, the real problem is still failure to adhere to least privilege.
> 
> Thanks for the link, Bill.
> 
> Henry Troup
> Watchfire Corporation
> henrytwatchfire.com
> 
> 
> -----Original Message-----
> From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
> On Behalf Of Bill Call
> Subject: RE: strange new virus
> 
> I wouldn't be so sure about that.  Check out:
> 
> http://www.schneier.com/blog/archives/2006/06/hacking_compute.html
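The two INQUIRY fields the quoted Schneier comment describes (peripheral device type in byte 0, the Removable Media Bit in byte 1) can be read straight out of a standard INQUIRY response, which is how a host decides whether a LUN looks like a CD/DVD drive or like a plain disk. The following is an added example, not code posted by anyone in this thread; the INQUIRY responses it parses are constructed fixtures with made-up vendor/product strings rather than captures from a real U3 stick, and the byte offsets follow the SPC standard INQUIRY data layout (device type in byte 0 bits 4:0, RMB in byte 1 bit 7, ADDITIONAL LENGTH in byte 4, vendor/product/revision in bytes 8-35).

```python
"""Parse the fixed 36-byte part of a SCSI standard INQUIRY response (SPC)
and report the fields discussed in the thread: peripheral device type
(byte 0, bits 4:0) and the Removable Media Bit, RMB (byte 1, bit 7).

Added example; the fixtures below are constructed, not captured from a device.
"""
from dataclasses import dataclass

# Peripheral device type codes from SPC that matter for this discussion.
DEVICE_TYPES = {
    0x00: "direct-access block device (disk)",
    0x05: "CD/DVD device",
    0x0E: "simplified direct-access device",
}


@dataclass(frozen=True)
class InquiryInfo:
    qualifier: int
    device_type: int
    removable: bool
    vendor: str
    product: str
    revision: str

    @property
    def device_type_name(self) -> str:
        return DEVICE_TYPES.get(self.device_type, f"type 0x{self.device_type:02x}")

    @property
    def looks_like_optical_media(self) -> bool:
        """True when the LUN presents itself the way a CD/DVD drive does,
        i.e. device type 0x05 with RMB set; this is the shape the thread
        says a U3 stick's autorun partition relies on."""
        return self.device_type == 0x05 and self.removable


def parse_inquiry(data: bytes) -> InquiryInfo:
    """Decode standard INQUIRY data; reject buffers too short to be trusted."""
    if len(data) < 36:
        raise ValueError(f"standard INQUIRY data is at least 36 bytes, got {len(data)}")
    additional_length = data[4]
    # Byte 4 says how many bytes follow it; a buffer shorter than that is truncated.
    if len(data) < 5 + additional_length:
        raise ValueError("ADDITIONAL LENGTH exceeds buffer")
    return InquiryInfo(
        qualifier=data[0] >> 5,
        device_type=data[0] & 0x1F,
        removable=bool(data[1] & 0x80),
        vendor=data[8:16].decode("ascii", "replace").rstrip(),
        product=data[16:32].decode("ascii", "replace").rstrip(),
        revision=data[32:36].decode("ascii", "replace").rstrip(),
    )


def build_inquiry(device_type: int, removable: bool, vendor: str,
                  product: str, revision: str = "1.00") -> bytes:
    """Build a 36-byte standard INQUIRY response to use as a test fixture."""
    header = bytes([
        device_type & 0x1F,           # peripheral qualifier 0, device type
        0x80 if removable else 0x00,  # RMB is bit 7 of byte 1
        0x04,                         # VERSION: SPC-2
        0x02,                         # RESPONSE DATA FORMAT 2
        31,                           # ADDITIONAL LENGTH: 36 - 5
        0x00, 0x00, 0x00,
    ])
    ids = vendor.ljust(8)[:8] + product.ljust(16)[:16] + revision.ljust(4)[:4]
    return header + ids.encode("ascii")


# Constructed fixtures (made-up strings, not real device data): the CD-ROM-type
# LUN a U3-style stick exposes, an ordinary flash disk, and a fixed disk.
U3_STYLE_CDROM_LUN = build_inquiry(0x05, True, "SAMPLE", "AUTORUN CDROM")
PLAIN_THUMB_DRIVE = build_inquiry(0x00, True, "SAMPLE", "FLASH DISK")
FIXED_DISK = build_inquiry(0x00, False, "SAMPLE", "SATA DISK")


def describe(data: bytes) -> str:
    info = parse_inquiry(data)
    rmb = "RMB=1 (removable)" if info.removable else "RMB=0 (not removable)"
    verdict = "presents as CD/DVD media" if info.looks_like_optical_media else "presents as a disk"
    return f"{info.vendor} {info.product}: {info.device_type_name}, {rmb}; {verdict}"


if __name__ == "__main__":
    for lun in (U3_STYLE_CDROM_LUN, PLAIN_THUMB_DRIVE, FIXED_DISK):
        print(describe(lun))
```

The point the parser makes concrete: a plain thumb drive and the data LUN of a U3 stick both answer with device type 0x00 and RMB=1, so the RMB alone does not distinguish them; what sets U3 apart is the additional LUN that answers with device type 0x05, which is what the "looks like a CD or DVD drive" remark in the thread refers to. On a real system the same bytes come back from an INQUIRY issued through the OS's pass-through interface (sg on Linux, IOCTL_SCSI_PASS_THROUGH on Windows); nothing here issues one.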


