The perils of USB

USB has been great.  Connect anything to your system, it’s usually auto recognized, so it fits that useful category of “stuff that just works.”

Now Wired has pointed out that from a security standpoint, USB has some serious, fundamental flaws. In other words, you may be completely and utterly screwed.

It’s not just malware may be lurking on USB memory devices, perhaps even installed at the factory.  A couple of clever lads have figured out how to reprogram the flash that controls just about any USB device.   Which is pretty much like giving them the keys to the Kingdom.  Here are some of the scary highlights from the article.

“Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”

I’m waiting for the standalone device that reads and reflashes USB firmware to hit the IT market at an obscene profit margin.

Wait! It gets worse.

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

So the new mantra is don’t let your keys or any USB device out of your sight.



Hackers target Apple products

One of the costs of success is being a target.

Apple users are used to making fun of the security holes in Windows products.  The Apple OS has its own security holes, but it was such a small section of the market, they were not worth hacking.

That is changing as Apple’s market share grows. This includes the iPhone, which has the security lite browser Safari loaded by default (I’m not holding my breath for Firefox on the iPhone).

The word from DefCon is that Apple devices are now being targeted more and more hackers.

Welcome to the real word Apple users.

Friends don’t let friends…

This is the basic Internet security tip I give everyone. Don’t load Outlook & don’t run Internet Explorer unless you have to.

Friends don’t let friends run Outlook.

Think about it. The vast majority of email based virii (viruses or however you want to spell it) take advantage of the huge security holes in Outlook.

It’s not even that good an email client. Really, you are better off with Mozilla’s Thunderbird.

As a groupware scheduling program, it is actually pretty good.  That doesn’t make up for its general, and I’m going to use a technical term here, suckage as an email program.  If you are using Outlook for your personal email, just don’t. Use a web based solution, like Yahoo mail or Google Gmail.  You can even use a client program like T-Bird in IMAP mode with Gmail for free.

I’ve run a couple of small corporate IT departments, which included supporting their Exchange servers and Outlook clients, so I know of what I speak.

For small companies, especially non-profits, going with Google Apps makes a lot more sense.  Outsourcing your email means at least one less bit of server hardware you have to maintain on top of any software related costs.  Even if you are running Linux for your mail server, there is an associated cost for the geek to maintain it, on top of the hardware costs.

Take a look at Worcester State College for a good example of how outsourcing a basic function like email frees up not just money, but the talent of the IT department to help their clients.

Not using Microsoft IE browser is another simple way to improve your basic Internet security.  Web based security attacks focus on IE because it is the default browser for a large majority of computers in use.

Switching to a third party browser, such as Firefox, will not only improve your security, it will also improve your overall browsing experince by using a better designed product.