Removable media: We all have them, maybe a few of them in different sizes. They’re invaluable for various administration tasks. Trying to get network drivers onto that new machine you’re re-installing? How about bringing one with you when you have to patch a few machines that aren’t on the domain? Or loading Knoppix LiveCD onto one for resetting administrator passwords? We love flash drives, but we also know they can be perfect vectors for malicious users. As with many types of technology, the more popular they become, the more lucrative it becomes to write virus code that targets them.

I have personally run across several viruses that will try to copy themselves onto any drive attached to the infected machine. This means that if you plug your flash drive into an infected machine, a virus can easily copy itself onto the drive and then propagate itself to every computer you use thereafter. You may say to yourself, “Well, this will never happen to me, I’m a lot safer with the machines I use with my personal flash drives.” I was once in that group and I completely understand the logic, but one experience changed my entire outlook on flash drives and Microsoft AutoRun.

A family friend came to me one day and asked me to find out what was wrong with his laptop. It didn’t take me very long to figure out that it was heavily infected with many viruses, so I went to work cleaning them off. I obviously did not want this machine on my home network (or connected to any network, for that matter), so I copied a malware removal program to a handy flash drive, attached it to the infected laptop, and started cleaning. Shortly thereafter, I decided I needed to use a different application for a specific virus found on the infected laptop. You know where this is going. I moved the flash drive back over to my personal computer, and before I knew it Microsoft’s AutoRun opened my flash drive for me and executed the virus that had moved itself to my computer. Bam. Two infected machines.

Maybe AutoRun is to blame for this particular incident, but I feel that the popularity and sheer number of flash drives in use present a high likelihood of this same thing happening to other folks. The easy fix here is to turn off AutoRun and the companion feature AutoPlay on every machine that you can. Had I done this on my home computer, I could’ve simply reformatted the flash drive before Windows tried to run anything found on the flash drive.

Here is a link to the Microsoft KB article on how to disable AutoRun in Windows via local security policy or domain policy, if you’re a domain administrator. Please think of the flash drives, and do this to all computers you administer.
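
AutoRun takes its instructions from an autorun.inf file in the root of the drive. As an added example (not part of the original post), the Python below lists the commands that file would launch, reading it as plain text so that nothing on the drive is executed; the function names and the sample file contents are constructed for illustration.

```python
import re
from pathlib import Path

# Keys in the [autorun] section that name a command to launch.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping other lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(text):
    """List (key, command) pairs that AutoRun would execute or offer to run."""
    return [(k, v) for k, v in parse_autorun(text).items() if LAUNCH_KEYS.match(k)]

def inspect_drive(root):
    """Read autorun.inf from a mounted drive without running anything on it."""
    for entry in Path(root).iterdir():
        if entry.name.lower() == "autorun.inf" and entry.is_file():
            data = entry.read_bytes()
            # The file may be UTF-16 (with BOM) or a legacy 8-bit code page.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            return launch_targets(data.decode(enc, errors="replace"))
    return []

# Constructed sample file contents (not taken from a real drive).
SAMPLE = """\
; constructed comment line
[AutoRun]
open=tools\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=tools\\setup.exe
shell\\explore\\Command = tools\\setup.exe /e
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    print(launch_targets(SAMPLE))
```

An empty result from inspect_drive means the drive carries no autorun.inf launch entries; it says nothing about the other files on the drive.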
Viruses don’t present the only problem for flash drives, as the small devices can be easily lost. They can slip out of your pocket when you’re pulling your keys out, or they can be left on a desk after you pack up your bags and head home for the day. It then becomes very easy for someone to grab your flash drive, connect it to their machine, and read any unencrypted data on the drive. I have found a few flash drives on the CU campus and, with the desire to return them to their rightful owners, put them into a machine (that now has AutoRun disabled) to find information on their owners. This has netted mixed results, but in one case an instructor had put his class grades into a spreadsheet and kept it on the unencrypted device. I was able to find the owner (as it happened to be a class that I was taking) and give the drive back to him, but not without first reprimanding him about storing my grades on removable media and then leaving it lying around campus.

If you would like the portability and convenience of using a flash drive for storing sensitive documents, then please check out TrueCrypt and encrypted volumes. While it may not be secure enough for some people, in my opinion it does provide enough security for the average user. If this isn’t enough security for you, then you probably shouldn’t be storing your data on a flash drive in the first place!
As illustrated above, whether out of pure curiosity or because of the Good Samaritan in you, it’s common for people to take found flash drives and plug them into their computer to find out what’s on them. While most company policies would prohibit employees from doing this, it’s still common in the corporate world. I remember reading an account about a company using USB drives for a social engineering experiment. Keeping in mind that this was all sanctioned by the target company’s management, the company wrote a Trojan that would gather passwords and logins and also computer information and then email that information back to a specific machine. The company then put this Trojan onto 20 flash drives and “lost” them in various places around the business. Thanks to AutoRun and employee curiosity, “15 were found by employees, and all had been plugged into company computers.” (Reference: Here) They were able to get usernames and passwords for company machines without emailing the employees directly, phishing, or using any other notable virus transmission vector.
In summary, we all need protection when it comes to these handy little devices. Encrypt your flash drives if you want to store sensitive data on them, and turn off AutoRun on all machines you use them on. You can save yourself the potential of embarrassment, wasted time and money, and a compromised machine just by taking the proper precautions with AutoRun and encryption.

