http://www.gcn.com/print/26_18/44704-1.html By William Jackson Cybereye GCN Home 07/23/07 issue Senforce Technologies announced last month a new version of its Endpoint Security Suite that includes encryption and controls for removable storage devices such as USB thumb drives. Its no secret that these small, fast, high-capacity drives can be risks, but Senforce has come up with a new trick to drum up a market for the suite. Shortly before the product announcement, I received in the mail a bright new USB drive from Senforce. Being a sucker for free stuff, I eagerly examined the drive and even read the material. I learned Senforce had thoughtfully loaded the device with malware. Once the thumbdrive is inserted into your computers USB port, the following harmless, yet very insightful experiment will begin, I was advised: * The program on the thumb drive will execute once your operating system recognizes the device. * The program will immediately identify and download the contents of your My Documents folder to the thumb drive. * You will not receive any notification or warning that your documents have been identified and downloaded. Nothing to worry about, I was assured. No harm will be caused to your data or your computer. But, I was warned, it will be your responsibility to monitor or destroy the thumbdrive once it is in your possession. Thanks a lot, guys. The publicity scheme is to raise awareness of a trick called thumbsucking, a cute name coined by Senforce to describe the process of using a U3-enabled device which can carry your software and data to trick a computer into downloading data. A U3 drive does this by mapping to two-letter drives when inserted into a computer, one of the drives masquerading as a CD drive. When the computer sees this CD it uses the AutoRun feature to launch the US3 LaunchPad on the thumb drive. If the thumb drive happens to have a thumbsucking tool loaded on it and Senforce includes detailed instructions for creating your own tool data is automatically and secretly downloaded to the devices second drive. There is no word yet if this technique is actually being used in the wild, but depending on the size of the Senforce mailing list, I doubt that it will be long before it is. I was sorely tempted by their offer. The device is an unbreakable 2G titanium drive with a handy lanyard. An accompanying letter egged me on by saying, With the included drive, you are now capable of thumbsucking any of your unsuspecting colleagues! Naturally we dont suggest it. Wink, wink. And if I had no playful or malicious inclinations, I should feel free after testing to erase the script, and just use the drive as you would any other. No, thanks. I just dont feel like taking the risk. At least not on my computer. And certainly not on a friends computer. How do I know that the experiment is harmless or what else is going on in the background? How do I know it will let me erase the script? I suppose I have Senforces word for it, and it doubtless is an honorable company. After all, they were honest enough to tell me about the software in the first place. Maybe I'm being too sensitive about this, but it just seems wrong for a security company to ship out hardware loaded with malicious code. Even to entirely respectable persons like me. Still, it could be an effective tool for creating a demand for an anti-thumbsucking tool, and I have to admit that Im a little curious. So, take a look at the picture at the top of this column, and if you see someone who looks like that sidling up to your computer with a thumbdrive in his hand _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 24 2007 - 22:42:11 PDT