Don't Just Plug Random Crap Into Your Computer

from the just-don't dept

There’s been a lot of talk about how iPods and other portable devices pose a security risk to companies, as employees may store important company documents of them. Now there’s fear that such devices could upload malware and infect corporate systems. A team of security specialists recently demonstrated exactly how such an attack might work. First they collected a bunch of cheap USB drives, the type a company might give out for free as a promotion. After loading malware onto them, they simply scattered a bunch of them around the parking lot of a bank at 6:00 AM, when nobody was watching. As the employees got to work, they found the drives just sitting there, and one by one plugged them into their computers as they day went on. What’s funny is that the employees knew there was going to be a security test happening, and yet they still didn’t find it suspicious that several USB drives just happened to be in the parking lot when they got to work. It’s unfortunate, but it seems that the typical office employee just doesn’t understand or care about security. Recall the studies suggesting how easy it is to get employees to give up their passwords in exchange for a cheap gift. While that lesson may seem obvious, just wait for the fearmongering about USB drives, totally missing the point.


Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Don't Just Plug Random Crap Into Your Computer”

Subscribe: RSS Leave a comment
68 Comments
Wizard Prang (user link) says:

Re: Re: Externalities

I disagree.

Before our networks were locked down, some of my colleagues could not resist the temptation to install every cutesy thing that they saw… (Dolphins! Webshots! Free Spongebob Screensaver!) and could not understand why their machines were not working properly. The techs that repaired their machines told them again and again not to install that crap, but since they could not enforce the rules, the crap was soon back, often within a week.

The Techs changed tactics and started imaging their machines… and then when the users broke them it was a simple matter to restore… and all their recent documents (which they were SUPPOSED to store on the network), were gone. There was much weeping and wailing and gnashing of teeth, but the crapware installations soon stopped.

If they crap up their machines then they should have to bear part of the cost in some way. At one place I used to work, if you left your machine logged in someone would send a message to everyong in the office saying that you were buying the drinks on Friday at lunchtime. Everyone got caught… once. Then you learned to lock your screen

Whether it is security of policy, people start caring about this sort of thing when it costs them.

Wizard Prang (user link) says:

Re: Re: Externalities (Reformatted)

I disagree.

Before our networks were locked down, some of my colleagues could not resist the temptation to install every cutesy thing that they saw… (Dolphins! Webshots! Free Spongebob Screensaver!) and could not understand why their machines were not working properly.

The techs that repaired their machines told them again and again not to install that crap, but since they could not enforce the rules, the crap was soon back, often within a week.

The Techs changed tactics and started imaging their machines… and then when the users broke them it was a simple matter to restore… and all their recent documents (which they were SUPPOSED to store on the network), were gone. There was much weeping and wailing and gnashing of teeth, but the crapware installations soon stopped.

If they bugger up their machines then they should have to bear part of the cost in some way. At one place I used to work, if you left your machine logged in someone would send a message to everyong in the office saying that you were buying the drinks on Friday at lunchtime. Everyone got caught… once. Then you learned to lock your screen.

Whether it is security or policy, people start caring about this sort of thing when it costs them.

Christopher says:

Funny Videos Are A Much Greater Security Risk

Have you noticed that it is the office workers who have the largest collections of ‘funny videos’?

Hopefully you also thought about the capacity for many video formats to contain executable code or link to certain webpages.

Most videos are distributed as either MPEG variations (safe, I think) or Windows Media Video. Windows Media Video used to contain the capacity to run executable code (much like the Windows Metafile Exploit debacle recently) and still retain the capacity to link to pages, which most likely will open in internet explorer.

Linking to about: pages with html tags will dynamically create a web page based on the tags you specify… and local pages are not filtered, and can easily access the hard disk through massive holes in the so called ‘sandbox’ which microsoft tacks on to most of its products once the hype has died down and the crashing/virus infections have begun.

Therefore video distribution could pose a massive threat to computer networks. With video, a user wouldn’t notice the extra MB or so containing a virus/trojan/codec exploit.

Not a foolproof idea… just something to think about! πŸ˜‰

ElectricMayhem says:

Security

Reading this lot and then referring back to other threads on the same subject just demonstrates to me how little you guys out there think of your work etc. Who’s to blame….probably the bosses who treat you all like animals, pay you badly and abuse you…..so they only have themselves to blame but will they turn the mirror on themselves….doubt it….they’ll just blame you lot and bring in silly rules to try and bring you all to heel and in the process just piss you off even more……nice circle guys…..resign and work for yourself….I do and it’s great…..!! anyhow….I’m off for a couple of hours to sit in the park and sunbathe whilst i dream up my next money making stratagy…it’s a tough life but hey…..xxxx

Muff says:

No surprise here

I’m never surprised at all the Idiots in this world…No-one seems to have a grasp on just how important Computer Securtiy really is… :-

I’ve even seen people connect to the Internet BEFORE having any Security set in place on their computers…Needless to say within minute they were infected by Spyware & Viruses….As I’ve said over and over…Alway, always, always…Scan EVERYTHING BEFORE installing it on your computer, or even opening up a file…

Muff says:

No surprise here

I’m never surprised at all the Idiots in this world…No-one seems to have a grasp on just how important Computer Securtiy really is… :-

I’ve even seen people connect to the Internet BEFORE having any Security set in place on their computers…Needless to say within minute they were infected by Spyware & Viruses….As I’ve said over and over…Alway, always, always…Scan EVERYTHING BEFORE installing it on your computer, or even opening up a file…

Chris G says:

Re: No surprise here

>>>>>I’ve even seen people connect to the Internet BEFORE having any Security set in place on their computers…Needless to say within minute they were infected by Spyware & Viruses…

You don’t know what you’re talking about. Simply connecting to the Internet will not infect you with “spyware and viruses”.

Ochito says:

Re: Re: No surprise here

No, YOU don’t know what you’re talking about. Stick a Windows machine, any pre XP SP2 flavor directly on the Internet (not behind a NAT router), with the OS freshly installed, and leave it for an hour or two, then come back and run your mouth off. If your computer is even able to do that, I mean.

Simple Minded says:

Re: Re: No surprise here

Chris- if you really want to test your theory take your PC uninstall all anti-spyware / anti-virus software then plug it up to the internet and let it run idle for a day… I recommend you have a good backup of your data though.

Re: No surprise here by Chris G on Jun 9th, 2006 @ 5:31am

>>>>>I’ve even seen people connect to the Internet BEFORE having any Security set in place on their computers…Needless to say within minute they were infected by Spyware & Viruses…

You don’t know what you’re talking about. Simply connecting to the Internet will not infect you with “spyware and viruses”.

Some Guy says:

Re: Re: Re: No surprise here

I can’t believe than some people here are so ignorant that they don’t even understand the scope of their actions when connecting an unprotected pre-SP2 Windows XP computer directly to the Internet un-NAT’d or firewalled.

Why do you even bother installing patches if you can’t get malware installed by not doing anything? How moronic!

I have absolutely no patience for people who claim to understand network security and don’t.

Please refer to one example:

http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx

Do you know what buffer overrun means? Probably not, but hopefully you know how to Google it.

Do you know what allows remote code execution means?

Wow… you really need to get out of the IT field if you in fact are in it.

Muff says:

No surprise here

I’m never surprised at all the Idiots in this world…No-one seems to have a grasp on just how important Computer Securtiy really is… :-

I’ve even seen people connect to the Internet BEFORE having any Security set in place on their computers…Needless to say within minute they were infected by Spyware & Viruses….As I’ve said over and over…Alway, always, always…Scan EVERYTHING BEFORE installing it on your computer, or even opening up a file…

non-IT says:

Look in the mirror

A certian computer company who shall remain nameless [It has a 2 letter name πŸ™‚ ] was infected with a worm/virus after a head IT-Engineer brought his personal laptop in an logged onto the network.

To make it even funnier: Two employees brought in a copy of the ant-virus for IT to use. (after looking over it for validity, though these were trusted techs) IT informed them they were going to us their disk (IT’s) and not the Techs disk. An hour later one of the techs saw IT using the disk he brought in, exept IT had used a marker and re-labled it as an “IT anti-virus disk” or something similar.

flatloop (user link) says:

This isn't about computer security...

It’s about stupid people. People who don’t bother to know or find out what the consequences of their actions are. There are no security measures for stupid people, EOE won’t allow us to not hire them. If you don’t believe it’s stupid people, look at the degenerate responses above concerning anal sex.

Junyo (user link) says:

Wasn’t there a Techdirt article about cameraphone bans last week that pretty much said that companies shouldn’t worry because this sort of thing was inevitable? Now we’re told that companies can’t rely on their employees to have the common sense of a kumquat, yet any bans or restrictions fall into the category of “fearmongering”. So my suggestion is a policy of total freedom, let employees do whatever they want, run their (and your) livelihoods into the ground with blantant stupidity or malice, but with the caveat that any such error in judgement will result in a smack in the face with the flat of a shovel. You can’t eliminate stupidity, but you can make it painful.

dnorle says:

Re: no surprise here

I believe the original comment was referring to XP machines, pre SP2. Pre XP machines run fewer services out of the box and are not targetted by hackers because there are fewer connected to the Internet. That doesn’t mean they’re completly safe, but there is no debating the risk connecting an unpatched XP system to the Internet without some sort of firewall, these systems can and will be infected if left on the Internet long enough.

DMD says:

Re: no surprise here

Sorry to say, but phoenix is right. I have been a network engineer for many years and ochi-whatevers comments are just NOT true. His comments are based out of fear bred from a simple lack of knowledge. The “internet” does not infect your machine, stupidity does. I have thousands of machines that will attest to that and I guarantee you won’t find virii or malware on any of them. Try to be at least aware of the facts before displaying your ignorance.

Edward B. says:

Re: Re: no surprise here

Network engineer, eh? Thousands of machines, eh? So you’d probably NEVER let a freshly reinstalled XP (no SP or SP1) get connected to the internet without a firewall or AV — probably not even a way to do so on your network without reconfiguring. However, the point that the OPs were making is that many consumers do precisely that. They have a system problem, restore back to the original system disk, and end up with a vulnerable computer connecting to the internet with no protection at all. No firewall and AV + unpatched XP = quick virus infection by one of the varieties that actively scan. If the consumer surfs the internet while waiting for all those security patches to install, here comes the spyware/malware. Add that there are varieties of virii now that “cooperate” with spyware/adware by each reinstalling the other if it’s removed, and you have a nasty combo that a regular consumer is not able to handle. Of course YOU’ve never seen this problem because you know better, but even though you haven’t seen the problem doesn’t mean it doesn’t exist.

Oh, and BTW? If you have users on those thousands of machines, I wouldn’t guarantee that there is NO malware on ANY of them — just my experience in call centers… πŸ˜‰

Anonymous Coward says:

Re: Re: no surprise here

You are kidding me right? Do you actually believe everything that you read? These articles offer no real evidence or facts to support their accusations and theories.

“While most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet.”

Unfortunately, what you did not notice is that this sentence was purposely written to confuse. It should have said, while most break-in tries fail, an unprotected PC can get hijacked within minutes of accessign the Internet, after the user opens a web browser, an email, installs software, opens a file whether over a network share, on another partition or disk (or in other ways).

“Simply connecting to the Internet β€” and doing nothing else β€” exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously.”

Well OBVIOUSLY. No one that I have noticed has disputed this fact and it is indeed a fact. Do these attempts render any results or infect a cleanly installed machine where no software has been installed, no webpage has been accessed, or no email attachment has been opened? No. Nor do these websites ever come out and say so, they leave their sentences completely open to mean just about anything.

Do any of you know anything about TCP/IP? You should learn. TCP/IP is the equivelant to a shipwrecked sailor, armed with a machine gun loaded with unlimited flares firing in every possible direction as quick as possible advertising his prescence in all directions, 24 hours a day, 7 days a week. Does every single thing you see in a firewall log consitute as an ATTACK? NO. It does NOT.

screenshot says:

I’ve seen a freshly installed XP (original version) get infected by a worm while attempting to use Microsoft Update to load the current security fixes required to block that worm. Happened within 5 minutes. Had to aquire a disk with a newer XP to get a system that stayed clean.

Now that a few years have passed, that worm is no longer as common so I could avoid infection now. No telling when some other exploit will do the same thing with the current generation of PCs.

The hubris of phoenix and DMD will one day bite them.

Henry Troup says:

Re: Hazards of just connecting

…infected by a worm while attempting to use Microsoft Update to load the current security fixes required to block that worm

Me too.

The logs of my firewalls reflect constant port scanning. XP SP2 is somewhat hardened, a very good improvement over all previous Windows versions. But far too many services are still enabled by default, and far too little information is available on most of them. When (not if, when) the next exploit shows up in a default service, there will be another flurry.

SQL Slammer is still out there! One infected machine is all it takes. One old app package that installs an unpatched MSDE could leave you vulnerable.

Dork says:

Stupid employees

Well I have a simple solution for these wreckless employees.

For example: If all employees are required to follow a protocol to fill out their work hours, they should be required to practice safe computing.

Why are time cards accurate and closely observed? Because their paycheck is determined by such attention.

All that is needed is the threat that if certain security protocols are not followed, it will be reflected in their paychecks. The costs incurred to remedy their carelessness will paid by the employee.

Simple: they do the damage…they pay for it.

Would an employer keep an employee who breaks the front window just because they feel the need?

phoenix says:

no surprise here

He’s right about that. If you have users on them then I’d bet my last dollar that there is malware, spyware or viruses on them. Referring to earlier what I was saying is if you just put a freshly installed machine on the net and don’t browse around it won’t get infected, because the net itself can’t infect you. You have to visit a site or download something that installs it.

Anonymous Coward says:

The sheer lack of knowledge in these sorts of conversations astounds me. The *nix users always show their faces and they always claim a variant of Linux or BSD is superior, yet they will never understand in their lifetime that Linux or BSD is not anymore secure than another OS out there. There are just not billions of users attempting to be malicious towards those OSes, because you don’t attack a minority. Simple and indisputable fact.

shadowdeamon says:

Re: Re:

I mostly agree except that outside of the corporate world you’ll find somwhere in the 90 percentile of end users are running as an admin instead of a user. Most don’t even bother to create a password for login.

This is where the Linux desktop is superior. Of course, I could run as root, and I have seen some noobs misconfigure their systems using only a root account leaving themselves completely vulnerable. No system is idiot proof and just when we think we’re getting there, they build a better idiot. πŸ™‚

BTW – I’m a Linux noob myself, just installed my system in March.

Anonymous Coward says:

Oh and another thing to shun your little theory that these sources of yours are so grand. USAToday lists a table of data showing attacks from Sept 10 to Sept 25. XP SP1 shows 139,024 attacks and XP with ZoneAlarm shows 848.

Wow, you mean to tell me that ZoneAlarm prevents an attempt at an attack from ever even occuring! That is amazing! So by using ZoneAlarm I get attacked less! Wait, I thought ZoneAlarm was a firewall designed to block attacks not stop them entirely.

That is just sad. Who do they have writing these articles anyhow?

Anonymous Coward says:

no surprise here

>>> Do these attempts render any results or infect a cleanly installed machine where no software has been installed, no webpage has been accessed, or no email attachment has been opened?

Yes, they can.

I understand the point that you and Phoenix are trying to make, but the fact is that you are just plain wrong. While it’s true most malware gets installed unwitingly by users, other attack vectors are indeed possible.

A fresh install of XP *can* be compromised from the network, without any user even having logged in. The way this type of attack works is by exploiting bugs network services that are running on a cleanly installed system. Many worms have done exactly this, by exploiting holes in NetBIOS.

It’s the same type of attack generally used against *nix systems, and it doesn’t necessarily require any stupid action on the part of the user.

Anonymous Coward says:

To further what I have been saying, you also have to understand that attacks, attacks that lead to compromised systems, vulnerabilities and actual local user “caused” infections are entirely different occurences.

Also, understand the difference between an operating system that is “superior” and “more secure”. Linux is “more secure” because it is the minority. Users participating in malicious activity our out to gain something, whether it is money or to simply wreak havoc. The majority want to gain something. Now, would you make an attempt on 10,000 machines or 900,000,000 machines? By attacking 900,000,000 machines you would have a far better chance of gaining access.

Make no mistake, there are no amazing super-being programmers out there, all working together on a single operating system. Reality is no motion picture. Microsoft is not an evil corporation hiring programmers with a specific tailored lack of skill in specific areas to create an OS that is inferior. Those programmers at Microsoft are human beings just as those working on open source software, Linux, BSD and other operating systems.

I would like to know where Linux programmers are requiring super-genes that make them so much better?

Also, those running alternative opreating systems such as Linux or BSD are typically 99.999% of the time either gurus or corporations with data that requires security. Either one of these entities almost always take large steps to secure their systems. Why would you attempt to access systems which you know is most likely going to be secured when you can attack many systems whose users almost always have no concept of security – whose concept of security is installing software from any and every source on the Internet that claims to provide a working service for free.

If you were walking the street and someone you did not know approached you and proclaimed “Hi! I just wanted to introduce myself as a courtesy to you out of the goodness of my heart and offer my services to you free of charge. I noticed that your home has no security system! Just say “yes” and I will ente your home and guard you from any and all intruders. Again I will not charge you a dime, I will not ask you for your credit card number or any identifying information.

You say yes, and you return home robbed of everything you own. Except, computer users never know they are robbed. They don’t know their keystrokes have been logged, or data has been sent across the Internet with personal information. They don’t notice the information is gone, because it isn’t. It has only been copied. These actions take place invisibly. Except on the Internet millions do this everyday. Why? The simple fact is because of their lack of understanding.

As USAToday even said, 90% of systems connected to the Internet are running the Windows operating system. Whether this percentage is 100% correct I doubt highly, but it’s a good estimate. Therefore, there will be more attacks on systems running Windows just due to the fact that there Windows is operated on the majority of systems.

For example, if you have 10 Europeans visit a foreign country and 2 are infected with a virus. If you have 15,000 Americans visit that foreign country 3000 may be infected with a virus. Same percentage of infections, but significantly more people infected (20% infection rate).

Does this make Europeans more “immune”? Absolutely not.

Anonymous Coward says:

Re: *nix versus windows

I can’t decide if it’s amusing or sad to watch people argue about things they don’t really understand.

How does one ensure a networked host is secure? There are tons of things you could check, but perhaps the two biggest things might be:

1) Disable all network services except those which are absolutely necessary.

2) Audit running network services to ensure they are free of bugs and properly configured.

The main reason *nix is considered more secure has to do with the relative difficulty of performing these tasks on windows compared to *nix.

The focus in windows is on “ease of use” for the end user, and the end result of this focus is that important security related config data gets scattered all over the filesystem and registry. Often this data can only be read or modified with a GUI config applet, which makes automation of security audits difficult or impossible.

Microsoft also loves to create lots of undocumented features and APIs, which the administrator has no way of knowing about. These invariably end up being used to turn on or reconfigure some network service without the administrator’s knowledge or consent, potentially exposing the host. This sort of behavior would NEVER be tolerated by *nix customers, but we’ve grown to expect it from windows. Why? Because Microsoft claims they do these things to make the system more user friendly… again different focus.

Lastly, the networking code itself is far more mature in *nix, since it was there from the very inception. TCP/IP wasn’t supported in windows until decades later.

Sure, any *nix system can be vulnerable, but the point here is that the *nix administrator generally has an easier task than his windows counterpart if he/she is asked to confirm with some certainty that the system has been secured.

Roberto says:

USB Security

While this does pose a problem, there is a bigger question of security risks being posed by tech support. Why are these people having access to this much stuff, and why are there not being more measures taken to prevent this kind of thing? It all comes down to this statement: “Give a stupid person a shovel, and there will be crap everywhere.” And why is there not addequate virus, and malicious program prevention? It is gonna take a little more scripting, but it can be done. This question is just that, an inquery, but think about it: Don’t let stupid people have admin access. End of story.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop Β»

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...