back to article Between you, me and that dodgy-looking USB: A little bit of paranoia never hurt anyone

Arriving at a recent conference organised by one of the government's many regulatory bodies, I received my obligatory lanyard – and something else, credit-card-shaped, emblazoned with the branding for event. "What's this?" I asked. "Oh, that's a USB key." I presume the conference organisers mistook my wild-eyed stare of …

  1. Real Ale is Best

    It'll only get worse

    Once USB-C (3.1) sticks become more common, security threats will only increase.

    As you can route PCI over USB-C, goodness knows the sorts of attacks that could then be carried out.

    1. IceC0ld Bronze badge

      Re: It'll only get worse

      one more, and I'll stop - PROMISE :o)

      TITSUP

      This Is The Safe USB Present .................................

    2. DuncanLarge Bronze badge

      Re: It'll only get worse

      "As you can route PCI over USB-C"

      Oh f*ck

  2. Doctor Syntax Silver badge

    You're dealing with marketroids & PR.

    These are the folk who will keep sending out emails which exactly emulate phishing emails to customers and would-be customers. Emails, even, warning their customers of the dangers of phishing. They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.

    Given half a chance they'll hoard customer details contrary to GDPR until they earn their employers multi-million quid fines.

    They'll make every effort to force ads onto people who make abundantly clear by using ad blockers that ads are unwelcome and hence hugely counter-productive.

    They lobbied Bambi's govt to make exceptions for existing customers to let them bypass TPS and make those calls despite use of TPS should send the same message as ad-blockers.

    They're the biggest single risk to their employers in terms of pissing off potential and existing customers and in attracting GDPR fines.

    You're never going to talk sense into them.

    1. oiseau
      Stop

      Hello:

      You're dealing with marketroids & PR.

      Indeed ...

      But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...

      I'm sure you get the idea.

      To all these shitheads it's all about the money (moolah, dough, wonga, bread, etc.) and only about the money and up to a point in makes sense: if they do not get the results expected from them, they are out of a job.

      None of these minions serving the upper echelons give a monkey's toss about what their actions mean or their consequences.

      So they just do as they are told, instead of putting spokes in the wheel, like I was once told I should and was then promptly sacked.

      Business ethics? Corporate responsability and accountability?

      Yes, they've surely heard of all that at some time or another but these have long ago become abstract values.

      Cheers,

      O.

      1. Loyal Commenter Silver badge

        But these utterly despicable abortions of nature respond to a boss, who in turn responds to management, who in turn responds to upper management, who in turn responds to the board who in turn ...

        ...more often than not come from a background in marketing and PR.

        There's your problem, right there, and it's cultural, not technical or political in nature.

    2. Anonymous Coward
      Anonymous Coward

      You're dealing with marketroids & PR.

      I've spoken to them about this - they are NOT going to give away USB sticks at the next conference, instead they will email everyone the information ... I believe it will be called README.XLS

      Happy Now?

      You really think anything will change?

      1. Snowy
        Facepalm

        No the information should be in the email, an attachment is also a no-no!

      2. John Smith 19 Gold badge
        Unhappy

        Easier when such items were passive things that needed the intelligence in a reader

        IE a DVD or badge with an optical code.

        As Edward Snowden should have taught everyone you can pack a lot of hardware in a USB stick.

        Should be just some storage.

        Could be.......

    3. Anonymous Coward
      Anonymous Coward

      Meanwhile, at our $BIGCORP...

      1. E-mail received about warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.

      2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

      You couldn't make it up, etc...

      1. imanidiot Silver badge

        @AC

        Promptly and "in good faith" report the email as attempted phishing to your corporate GDPR/data security officer. Have your coworkers do the same. Someone will get a/the message when the poor guy goes ballistic.

        1. Gene Cash Silver badge

          Re: @AC

          > report the email as attempted phishing

          Yup. This. I see stupid stuff happen all the time, and people just facepalm without telling anyone that can do anything about it.

          The amount of "WAIT. WHAT?!" faces and "well that stops now!" I've gotten when I've asked "do you know about [stupid thing]?"

        2. stevebp

          Re: @AC

          There was a saying in a bank I once worked in that, "if you want to get the monkey off your back, call in Audit or Infosec". Unsurprisingly, it works very effectively.

      2. Captain Scarlet Silver badge
        Coat

        Delete the email and when asked why you didn't fill in the "anonymous" survey forward them to the first point and arrange retraining for them.

      3. Antron Argaiv Silver badge
        Facepalm

        My company was recently acquired.

        I was given a new email address and a new web-based email account <my_name>@BIGCORP.COM

        The *very first* email in my new inbox, was titled "Mandatory Security Training!" and came with a link, which I stupidly clicked and entered my newly provided credentials, only to be informed that this had been a phishing email from their "IT security team" and that I had failed.

        So, like a good boy, I went to change my password.

        "Password cannot be changed because you have had this one for less than 7 days"

        1. Anonymous Coward
          Anonymous Coward

          click on the "I forgot my password" link instead?

        2. billdehaan

          Had a new co-worker with something similar. When he clicked the "Mandatory Training" email, and was reprimanded for clicking on a spammy link. A spammy internal link, but still, he should have forwarded it to the internal security "check link for validity" service, which no one was using.

          It turned out he actually had. Being a new employee, he'd followed the policy verbatim.

          It turned out that the suspicious link account that you were supposed to forward links to had its' spam filter cranked up to maximum sensitivity. In other words, the suspicious link checker account blocked all incoming links that were suspicious from being seen by the team that was supposed to check them. Which of course explained why "no one used it". People in fact had been using it for months, but all their emails had been deleted before being read.

          Management then asked why no one noticed or commented on the fact that IT had not responded to their submissions. "We're so used to being ignored that it didn't seem worth mentioning" was the answer, much to the shock of executives.

      4. Version 1.0 Silver badge
        Unhappy

        $HOSPITALS often outsource their purchasing and payment systems these days, I just rip my hair out when they email us PAYMENT.HTML and PO#76293.HTML documents ... if you deal with China then you're used to getting New_Order.XLS files too, and of course when my customers need to send a picture of something it's always PICTURE.DOC ... these are real, not fake - they come in every week.

      5. MacroRodent Silver badge
        Facepalm

        re surveys

        > 2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

        Wonder if you work in the same $BIGCORP as me. Happens here all the time...

      6. Anonymous Coward
        Anonymous Coward

        1. E-mail received about warning about phishing attempts from external e-mail addresses targeting people by their name and encouraging them to click on a link. Do not click on the link, do not enter account details such as username or password, report as spam.

        2. Followed by an e-mail sent from an external company to me about an anonymous employee survey, participation is very strongly encouraged, and please click here.

        You must be at IBM...

      7. Anonymous Coward
        Anonymous Coward

        pay no attention to the hack behind the link...

        At $WORK we get the corporate (IT "InfoSec") -sponsored phishing attempts too, with dire warnings of how many employees still fall prey, and then inevitably followed by even more security theatre measures which do more harm than good.

        Status quo, right? Everybody has this now, and "InfoSec" departments push their agenda with scare tactics and bogeymen more than ever.

        And yet, they don't seem to be able to manage the obvious common sense things. E.g. $WORK uses a common SaaS IT ticket tracking system -- you've heard of them, they're awful. But the real point is that they're awful outside of $COMPANY's borders and control, meaning that any corporate intellectual property in an IT ticket is on the internet.

        Same with some of the doc/publishing suites (Engineering product plans in o365 Sharepoint, anyone?) and even source code in some cases.

        So yes, don't click those scary phishing email links from "InfoSec", but do share the company jewels with the cloud.

      8. billdehaan
        WTF?

        And in the same email, too

        Several years ago, our IT send out one of their OMG world-is-ending ALL CAPS blanket emails to the company.

        To summarize, it said:

        "A new malware attack is being spread through malformed URLs in email links. Our firewall is currently not configured to protect against these types of attacks, and we are currently waiting for a fix from the vendor. In the meantime, employees are not, under any circumstances whatsoever to click on any external links. Disciplinary action will be taken against those who fail to comply with this mandate.

        You are required to confirm that you have read, and understood this new mandate. You must sign the electronic form at www.externalcorp.com/signatures.asp no later than Friday. Failure to comply will result in disciplinary action, including termination".

        Yes, employees were required to click an external link in order to promise not to click on internal links. With both actions being grounds for dismissal.

      9. HWwiz

        We employ an external company to actually email our employees with HoneyTrap emails.

        IF they click on links in that email, then they have to go on a security awareness course.

    4. Terry 6 Silver badge
      FAIL

      God yes. Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account. In effect training the public to open an unsafe link and type in their security details. Why's there no hands up in despair icon?

      1. Doctor Syntax Silver badge

        "Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account."

        Me for some time now. I reported a number of these to their phishing report helpline. I eventually emailed that or some similar address than in the continued absence of any reply I'd discontinue the email address set up specifically for said bank. No reply so I gave them the chop. They don't seem to have noticed their emails bouncing.

      2. Anonymous Coward
        Anonymous Coward

        Who hasn't had an email from their banks with a "click here" rectangle for customers to log in and learn about some new trick with their account.

        I haven't seen such from Kiwibank. Westpac - some of their emails have been known to be virtually indistinguishable from known phishing attacks.

        And one bank in NZ displays 3rd party advertising (or used to), AFTER your log-in. With won't say which Bank that is, but that they're a Bank in New Zealand. A couple of characters should be able to figure that out...

    5. Anonymous Coward
      Anonymous Coward

      Ugh don't remind me. It isn't just PR and marketroid people.

      Once upon a time, at a big corporate firm I worked at, we had the "report this email as phishing" button, which we were to use if a suspicious email shows up.

      anyway, one day, I started getting emails from the "IT Security department", asking me to click on a link with their updated security policy on it.

      Thing is:

      - The email headers did not match the domain in the "to" field, nor did it match the name of the sender.

      - The email headers showed not the company domain, but some generic sounding one I had never heard of, and the company search engine did not return any results for the domain

      - The email was generically written, not even my name in it

      - The URL that I was to click on was on yet another third party domain, which was a complete unintelligible alphabet soup of a domain, with long strings of what looked like random characters, ending in ".doc"

      Knowing about doc macros, exploits, etc.. there was no way I was going to click on the link while on the corporate windows box, and the entire thing smelled like a phishing email (and who better to impersonate than the IT security staff, a lot of people would listen to them just because they are the "IT security" people).

      so I promptly clicked the "report phishing" email, and was on my way. I did this repeatedly over the course of two weeks, until my manager called me into his office.

      Apparently the head of the IT security team was livid with rage because their important IT security policy was being flagged as a phishing email (apparently if someone flags an email as "phishing", all the other people get a "this might a phishing email" header on the email, so they don't click on it, because it can be grounds for termination of you knowingly infect the company).

      Apparently the random letters are a tracking ID for my account, so they know that (a) I am the one reporting the email, and (b) I haven't read the document yet.

      All my points about how it looks like a phishing email were accepted by my manager, then immediately overruled.

      I was told that the email is safe, and that I should stop reporting it as phishing, and more to the point that I should click on the link to view the policy.

      So I did what I was told, and the first page of the IT policy was about the risks of phishing emails, and what to look out for (which was almost the exact same criteria I reported the email for), without a hint of blasted irony from the "IT security" team.

      So now, I have to assume that no matter how dodgy an email (or its attachments) look, I have to trust it if it says "IT security team" on it. Talk about blowing a gaping hole in a companies security policy. Seeing as all future emails I have since received from the security team are still looking like a phishing email, I can see my complaints fell on deaf ears, and there were no repercussions for them.

      My point is, we have a long long way to go before "best practices" can be considered in security. Companies still don't get it, if even their security teams are not able to make an email seem legitimate. Instead you get in trouble for "showing up" the security team.

      I feel that they are only doing this "IT policy" and phishing email training to "tick a box" on their cybersecurity checklist. They don't actually care about security or preventing phishing. It is a "cover your ass" ploy from legal, nothing more.

      As long as attitude like that is prevalent in companies, nothing will get better, and it may well get worse. You can't expect the PR and marketroids to be any better when the culture they work in encourages such behavior.

      1. Doctor Syntax Silver badge

        "So I did what I was told"

        It depends on what you were told. If I was told to report emails with phishing characteristics I'd have continued to do it. What's more, back in the day, they'd have known I'd have continued to do just that.

      2. hmv

        "listen to them just because they are the "IT security" people"

        ROFL

    6. Anonymous Coward
      Anonymous Coward

      They'll keep doing that until you prise their keyboards from their (hopefully) cold, dead hands.

      You should NEVER, under any circumstances, kill a marketing or PR droid and then take their keyboards from them.

      It is far better, and far FAR more enjoyable, to take their keyboards from them while they're living and then apply said keyboard in an appropriate manner until both cease to function! (unless it's a really good keyboard, in which case find something else for said application).

  3. Semtex451 Silver badge
    Holmes

    Was this article crafted to be sent to our 'superiors'?

    Only I'm not sure it was intended for your typical El Reg reader

  4. Spanners Silver badge
    Holmes

    Did you accept the USB?

    Perhaps it was a test, a bit like the fake phishing emails.

    1. A.P. Veening

      Re: Did you accept the USB?

      Accepting the USB isn't a problem, plugging it in your computer is. Unfortunately, USB sticks are just a bit light to properly work as paper weight.

      1. Adrian 4 Silver badge

        Re: Did you accept the USB?

        Would make for a nice point in a talk about security : get answers to the following questions and then comment on the results :

        1. Did you accept a free USB stick at the entrance ?

        2. Are you going to put it in your device ?

        3. Are you going to give it to another employee, or to a family member ?

        4. Did you accept a free coffee ?

        5. Did you accept a free brownie (cake, not human) ?

        6. Did you pick up a brownie you saw on the floor and eat it ?

        7. Did you accept and read the glossy literature ?

        8. Did you accept the cute air freshener to hang in your car ?

        9. Did you accept the promotional item modelled on a presidential seal ?

        We're accustomed to dealing with most of these threat models. Mostly without errors, but occasionally we screw up.

        1. Martin Gregorie Silver badge

          Re: Did you accept the USB?

          Acceptable answers to:

          1. Did you accept a free USB stick at the entrance ?

          2. Are you going to put it in your device ?

          are

          (a) No

          (b) Yes, and I'm going to reformat it before I mount it or give it to anybody.

          Anything else shows insufficient paranoia. But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.

          1. FrogsAndChips Bronze badge

            Re: Did you accept the USB?

            Reformatting won't protect you against malware at the firmware or chip level.

            1. the_rob

              Re: Did you accept the USB?

              > Reformatting won't protect you against malware at the firmware or chip level

              I'm just going to jump in with a shameless plug for a pet project of mine - an open-source USB hardware firewall.

              https://github.com/robertfisk/USG/wiki

              It allows only known-good USB commands to pass, thus blocking BadUSB type attacks. (The filesystem may still be infected but a reformat will take care of that.) It is designed exactly for the scenario of someone handing you an untrusted USB stick and expecting you to plug it into your system.

              The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.

              1. Anonymous Coward
                Anonymous Coward

                Re: Did you accept the USB?

                The firewall runs at USB-1 speed for now, but a little bird says check back in a month or two if you need more speed.

                The project looks great, and as someone who has had to work with untrusted USB's many times (cheap (thus disposable) laptop running Linux, later a Pi-like device), the device project looks great and is has replaced one of my presents-to-self for early next year :)

                One question... Would your device manage and shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?

                1. the_rob

                  Re: Did you accept the USB?

                  > Would your device manage and shielding against USB killers (ie those things that dump a hefty chunk of volts into the data lines)?

                  The firewall will provide some protection against USB killers, simply because the voltage spike has to pass through 2 ESD clamps and 2 microprocessors before reaching your computer. So the firewall will be destroyed, but your computer may be saved.

            2. Doctor Syntax Silver badge

              Re: Did you accept the USB?

              "Reformatting won't protect you against malware at the firmware or chip level."

              Especially when you can't reformat it because you didn't accept it.

            3. Anonymous Coward
              Anonymous Coward

              Re: Did you accept the USB?

              Formating won't protect you from the USBKiller. Perfect security device, though, permanently disables the port. https://arstechnica.com/gadgets/2016/12/usb-killer-fries-devices/

          2. Loyal Commenter Silver badge

            Re: Did you accept the USB?

            But of course (b) requires that you know how to reformat it and that you are running an OS that gives you the option of reformatting a USB device before its filing system is accessed.

            That's little use if it presents itself to the USB bus as something other than a file system, for example as an input device.

            1. LateAgain

              Re: Did you accept the USB?

              Better yet a network device, with drivers you know are in Windows. Become the default route and do what you want.

        2. Real Ale is Best

          Re: Did you accept the USB?

          Have a look at this hack.

          Even QR codes are dangerous.

          1. Mage Silver badge
            Alert

            Re: Even QR codes are dangerous.

            Ages ago I was tempted to put replacement QR codes at all the labels in Tesco veggie section. I noticed recently they are gone.

            You mean especially QR codes are dangerous?

            I managed to find an app that reads them (and other barcodes) and only decodes & displays, with an option to save it or create a Firefox tab. Most phones seem to open the browser directly.

            I despise people using obfuscated short codes (invented for Twitter and no longer needed there?). 1: The short code provider knows your IP, the time, your browser, OS and previous web site. 2: You have no idea what it will load.

        3. Version 1.0 Silver badge
          Joke

          Re: Did you accept the USB?

          5. Did you accept a free brownie (cake, not human) ? My answer, "Yes, I ate a Brownie"

      2. Anonymous Coward
        Anonymous Coward

        Re: Did you accept the USB?

        Go and test it at your local library.

      3. Sureo

        Re: Did you accept the USB?

        "plugging it in your computer is"

        Find someone else's computer to plug it in to, preferably one of theirs.

    2. LDS Silver badge

      Re: Did you accept the USB?

      Why not? Use it as a training exercise for a forensic examination...

  5. Duncan Macdonald Silver badge

    A paranoid mount option ?

    What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device. If the device presents as having storage then a full virus scan would be executed on the storage and the results displayed. The files (if any) on the device would not be accessible until after the virus scan and the user acceptance of the scan result.

    To allow for the possibility of a USB bricker device, all data and power lines should be protected by zener diodes (clamp data to +5.5v/-0.6v and power to +(maximum charging voltage +1 volt)/-0.6v)

    1. A.P. Veening

      Re: A paranoid mount option ?

      I am missing the zap-option, applying a higher than survivable voltage to the USB if it turns out to be unsafe. It will require some rewiring in the computer to make such an action safe for the computer itself though.

      My question to you: Are you paranoid enough?

      1. Version 1.0 Silver badge

        Re: A paranoid mount option ?

        El Reg covered this a few years back : -

        https://www.theregister.co.uk/2015/10/14/sneaky_220v_usb_fries_laptops/

      2. Doctor Syntax Silver badge

        Re: A paranoid mount option ?

        "It will require some rewiring in the computer to make such an action safe for the computer itself though."

        Or just an old USB connector wired to mains. Via an RCB of course. And videoed for YouTube.

    2. chivo243 Silver badge
      Coat

      Re: A paranoid mount option ?

      @Duncan Macdonald

      That's where the old crap laptop with wifi disabled comes in handy.

      1. Doctor Syntax Silver badge

        Re: A paranoid mount option ?

        "That's where the old crap laptop with wifi disabled comes in handy."

        Raspberry Pi. The most you have to discard is an SD Card and that's only if you think it might propagate something nasty through that.

    3. Pascal Monett Silver badge

      Re: A paranoid mount option ?

      Would be a nice option but for one thing : you have to be sure that said mount option cannot be tunneled through or otherwise worked around by the USB device. If done right it should be efficient enough to contain most malware, but a determined review by those damn blackhats could well uncover an unprotected exhaust port . . .

      Personally, I'd prefer a device external to the PC. Some brick-sized thing or block, with a USB slot and a small flat screen that would, upon being turned on, simply list the files on the key, including hidden files if there are any. That way I could see if there is only the one file, or a host of other files, and decide what I want to risk : plug it in my PC and analyze it, or just trash the key entirely ?

      A reformat option would be good as well.

      Maybe someone could dream that up with a Raspberry Pi ?

      1. Natalie Gritpants Jr
        Boffin

        Re: A paranoid mount option ?

        It's called a linux PC.

        1. Down in the weeds

          Re: It's called a linux PC.

          This is too simplistic and generalised; not all Linux are equal. All Linux are reconfigurable, even to the extent that some Linux do not include USB kernel modules (the paranoid option). For those that do, a careful crafting of rules in 'udevs' is necessary to create the appropriate behaviours*. Further, given deeply meaningful knowledge of the Registry, even Windoze can be configured to mount the volume of a USB storage device in a 'sandbox' and not assume that any executable in the contents of the sandbox should be executed without inviting the external (responsible?) human to so approve.

          *So, what to do about USB devices that are *not* storage devices? A faker USB device that is to all intents a 'keyboard' that squirts "go to attacker's hell-hole web site now" in the direction of your web browser at USB wire speed?

          1. dbtx Bronze badge

            Re: go to attacker's hell-hole

            Totally a thing. Some TNT (turner network television) promo device looked exactly like a flash drive, so I decided to find out how big and if it was writeable. (this was years ago, a slightly more innocent time!) It merely pushed out keystrokes for the Windows key and their address for the particular show and enter. So I popped it open... it was just a little SOIC and a USB plug on what could have been 1 layer from a 4-layer "real" PCB, judging by how thin it was. Then I briefly hated them for being cheap and lazy even though I knew it was fairly clever and I had still fallen for it.

            Good thing it was all just about TV. That was a WinXP box, after all...

            1. dbtx Bronze badge
              Facepalm

              Eh, I derped it up slightly. Actually I meant it sent Win+R combo and typed into the Run dialog.

        2. owlstead

          Re: A paranoid mount option ?

          Yes, that's a good idea; give the HID-input emulating device a better command line experience. Sigh.

        3. doublelayer

          Re: A paranoid mount option ?

          We could make that run on a raspberry pi rather easily. If we don't let the standard interface run, it doesn't have any automatic handling for USB disks. Then we block acceptance of other USB devices at the device level. Our display would have to be mounted on the GPIO system, but a cursory check of the pi hat manufacturers shows several options that can do display, touch input, and power from the GPIO. We'd first check what interface(s) the USB device says it provides, and assuming it's only storage, we can grab details about the filesystem and the files on it. We should probably do a quick scan for suspicious stuff, especially windows executables and shell/batch/powershell scripts. This wouldn't help against a USB device that intends on physically destroying a machine, but I don't know whether someone is really likely to start handing those out, and at least only our USB tester would be vaporized. This isn't completely foolproof (for example, you could have an innocent-appearing storage disk that only mounts the malicious stuff after ten minutes) but it'd be pretty good against the typical threats. Should we build it?

      2. Adrian 4 Silver badge

        Re: A paranoid mount option ?

        I know Windows has a poor reputation for introducing security holes in the OS, but isn't automatic device scanning on insertion a common feature of both MS and third-party virus scanners ?

        If hardware 'safety checkers' became common and there was a significant effort to distribute malware-laden memory devices, we would quickly have an arms race : consider a device that detects a format operation and adds a malware file after the first n files have been written to the device and it is re-inserted.

        1. Charles 9 Silver badge

          Re: A paranoid mount option ?

          And what will that do against the likes of BadUSB which work at the chip level, below the OS and therefore OS-independent as well? Remember, state-level malware is already at the chip level as well, and it can only trickle down from there.

      3. DuncanLarge Bronze badge

        Re: A paranoid mount option ?

        "Maybe someone could dream that up with a Raspberry Pi ?"

        I was just thinking of doing this with an Arduino. No need for the RPi's power.

        My solution was to create a device about the size and length of an adults thumb that allows you to plug a USB A device into it. It would then tell you how that device was presenting itself to the host. You would be able to see that a flash drive is presenting as a flash drive and as a HID device at the same time.

        If it is a USB keyboard I was going to have this device try to capture any keystrokes. You can use it to test a real keyboard or see what a flash drive is trying to type into your shell if it appears as a keyboard.

        I was also thinking of having an option to wipe out the partition table of the flash drive so to reformat it you need not plug it into a computer at first, putting that machine at risk should it do something silly and generate thumbnails for images on the drive when you accidentally open it instead of right clicking ;)

        It could also let you confirm that other USB devices seem to be working, so you can check that second hand PS4 controller seems to be trying to connect and has an unbroken cable.

        Using a RPi would allow you to do many more things such as check the files on the drive etc.

        Thinking about it, an RPi zero would fit the form factor I'm thinking of.

    4. A Non e-mouse Silver badge

      Re: A paranoid mount option ?

      The problem is that some of these attacks are happening within the driver layers of the operating system. A paranoid "Read-only" filesystem mount is too late.

      1. DropBear Silver badge

        Re: A paranoid mount option ?

        "The problem is that some of these attacks are happening within the driver layers"

        Not if you are booting from ROM each time something is inserted, and have no persistent storage or any connectivity whatsoever, only a screen. Granted, that description doesn't exactly fit any current hardware all that well (even a Live CD is only a partial match), but it's not like it couldn't be done...

        1. Maty

          Re: A paranoid mount option ?

          There is a secure device into which you can insert a dodgy USB stick.

          It's called a rubbish bin.

          1. Steve Davies 3 Silver badge

            Re: A paranoid mount option ?

            The rubbish bin is far too good.

            The best place is as a present to the PHB who made your life hell when you leave the job. If they... well, you know the rest.

    5. Chairman of the Bored Silver badge

      USB bricker?

      I presume the concept involves a USB device that attempts to brick a host.

      Most ports are indeed defended by TVSes. But volume and board area are low and cost is definitely a consideration. What you find is decent ESD performance and low/moderate hardness against conducted EMC threats.

      See: https://www.st.com/en/protection-devices/usb-port-protection.html?querycriteria=productId=SC1489 for a typical approach.

      Any reasonable EE student with with DC/DC converter design experience can build you a thumb device that will overmatch the protection. What I dont know is whether you just destroy a USB bridge IC and bring down part of the USB bus, or can cause more extensive damage.

      1. Duncan Macdonald Silver badge

        Re: USB bricker?

        That is why I was saying zener diodes - a typical USB bricker sends a high voltage negative pulse down the data lines. Because of the small space in a typical USB key the actual energy is unlikely to exceed one joule per pulse. For a negative pulse a protective zener diode will be forward biased and will easily clamp the voltage to under one volt without being strained. (A discrete zener diode is a lot less fragile than a sub 1 micrometer transistor in an integrated circuit.)

        (For a positive pulse a 5.5v zener will clamp the spike voltage to under 6v which is still low enough to protect the ICs.)

        1. Chairman of the Bored Silver badge

          Re: USB bricker?

          @Duncan Macdonald, you're quite right and rather devious. Combine your reverse bias concept with a small old-school xenon strobe circuit and I will buy you a pint. And keep you the hell away from my 'puter, of course.

        2. Mage Silver badge

          Re: zener will clamp the spike voltage

          I could easily destroy 1.3W Zener with a "USB stick". Zener protection on it's own isn't good enough. You need "crowbar" circuit and fuse.

      2. Gene Cash Silver badge

        Re: USB bricker?

        Yes, it does depend on the device:

        http://arstechnica.com/gadgets/2016/12/usb-killer-fries-devices/

      3. Wim Ton
        Mushroom

        Re: USB bricker?

        Stick the suspicious device in a cheap hub. Frying a 10£ hub is preferred to frying a motherboard.

    6. jmch Silver badge
      Facepalm

      Re: A paranoid mount option ?

      "A paranoid mount option ?"

      That shouldn't be the 'paranoid mount option' behaviour, it should be the default behaviour !!

    7. Peter2 Silver badge

      Re: A paranoid mount option ?

      What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device.

      Already exists.

      Disable autorun and put a Software Restriction Policy GPO in to not execute any executable code outside of authorized locations (eg, %program files%, %servershare%) unless you are an admin.

      Hence, local users can't execute files that haven't been put in an authorized location, and can't put them in an authorized location themselves. This provides quite a lot of protection; since %temp% is blocked as a authorised location and outlook puts files there when it runs then while the users can open documents sent to them (.doc(x), .xls(x), .pdf) then executable content (.exe, .vbs, .etc) will not run. They literally then can't run trojans attached to emails if they try. They can't run executables from USB sticks either.

      Then lock down office from downloading content from the internet that's not in the document and block unsigned macros from running and... how can users damage their computers? They can't. This is all available for zero cost with group policy out of the box.

    8. Anonymous Coward
      1. Doctor Syntax Silver badge

        Re: A paranoid mount option ?

        From https://www.circl.lu/projects/CIRCLean/: "The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer."

        Last time I looked all my Pis were computers.

        But a good idea even if the explanation wobbles.

    9. Mage Silver badge

      Re: protected by zener diodes

      You'd need a fuse too. 1: Easy to overload zeners. 2: Easy to destroy other things on the power rail. An amazing amount of pulsed power & destructive voltage can be stored by using high voltage capacitors.

  6. Chairman of the Bored Silver badge

    My superiors?

    I find one wanker - a senior executive - texting away on a personal iFone at the start of a sensitive briefing. Phones are not even allowed in the entire building, let alone in a brief. So I quietly and politely ask if I can take the phone to the front desk for him.

    Slightly embarassed, my Dear Leader gives me the phone and I secure it.

    Upon my return I find him banging away on a BlackBerry, and there is another BlackBerry as backup. Oh, FFS!

    A couple of days later some swinging dick working for Dear Leader attempts to slap my wrist for embarassing Dear Leader.

    With leadership like this what difference does it make what sort of USB stick is left in the executive head? Parking lot? Tossed through open window of BMW parked in the "executive reserved" space?

    1. Anonymous Coward
      Anonymous Coward

      Re: My superiors?

      I trust said SD lost his fingers? Quite a lot of the time I do visit somewhere where phones/cameads/personal devices are not allowed in the building (secure shields lockers before security). An immediate sacking offence to be found with such - quite possibly criminal.

      1. Chairman of the Bored Silver badge

        Re: My superiors?

        @AC, I totally agree with you this should be an actionable offence. We have the lockers, signs, a polite but firm receptionist and so forth. There is no excuse to have a device in the room...

        ...but it all depends on who you are: in the service we called this "different spanks for different ranks." Sucked then, sucks now.

        I have no doubt that I or any other working stiff could get sacked for bringing a phone in ... but execs get a free pass. And this REALLY pisses off the workforce. Technical types crave consistency, and this includes consistency in policy and its application. Stuff like this can grow a little seed of discontent into a full-blown insider threat problem... why do we insist on tempting fate?

        And this is not just in IT policy - my team was rocked recently when we lost a good man because his accesses were yanked. He and the wife were separated. He started seeing a new gal and got popped for moral turpitude. I won't claim that my guy's decision making process was sound, but what burns is the manager who sacked him had a well-known affair going on with his admin... including some navel exploration and offshore drilling done on company time. WTF, over?

    2. Khaptain Silver badge

      Re: My superiors?

      Couldn't agree more.

      We had a lock down policy which stopped the usage of any usb device, guess who were the first to request that their PCs were excluded from the policy. Oh yes Dear Leaders you are the probably more responsible than any else on the company for security issues.......and lets not forget marketing, who cry all day about not having the right to do X or Y, then they cry to the leaders who ask for an exemption also for the marketing department....it never ends...... and Finance are never far behind because of the upcoming audit with PWC etc

    3. Flocke Kroes Silver badge

      Re: My superiors?

      Scribble out a quick note:

      I, Swinging Dick take full personal legal and financial responsibility for deleted, corrupted or encrypted data including resulting loss of business, reputation and fines for distribution of personal data caused by use of an unsecured phone on company property.

      Ask him to sign it and watch how quickly he remembers that he is late for a meeting.

      1. Charles 9 Silver badge

        Re: My superiors?

        And if he counters, "Who hired this clown?"

        1. Flocke Kroes Silver badge

          Re: "Who hired this clown?"

          Answer honestly. See who still has a job in the evening. If it isn't you, get a job somewhere that values your skills. Everyone will be happier.

      2. Wellyboot Silver badge

        Re: My superiors?

        @Flocke >>>I, Swinging Dick take full personal legal and financial responsibility for deleted, corrupted or encrypted data including resulting loss of business, reputation and fines for distribution of personal data caused by use of an unsecured phone on company property.<<<

        Adding -- and in contravention of company/site security policy ref.xxx -- can't hurt, lawyers love that bit :)

    4. Doctor Syntax Silver badge

      Re: My superiors?

      "A couple of days later some swinging dick working for Dear Leader attempts to slap my wrist for embarassing Dear Leader."

      I trust you pointed out that the only person to embarrass Dear Leader was Dear Leader.

      1. Chairman of the Bored Silver badge

        Re: My superiors?

        @Dr Syntax,

        I didn't discuss anything with SD because the assistant in question is purely a yes man. His only job qualifications are that he is swingin' and looks good in a suit. Every firm's got them.

        I just filed it under "ignore"

  7. Chairman of the Bored Silver badge

    Fun Def Con talk on on USB impersonation

    Please look up Dr. Phil Polstra's talk "One Device to Pwn Them All"; DefCon 23.

    Video link, if you don't mind being tracked, hacked, and perhaps sacked:

    https://www.youtube.com/watch?v=F9cYW7oPNw4

  8. JohnG Silver badge

    In my experience, senior management in many organisations want to have the security box ticked but they often don't want the expense and hassle of actually implementing very much of any security policy. They do like to have security people who can be held responsible for any security issues that arise.

    1. Doctor Syntax Silver badge

      "They do like to have security people who can be held responsible for any security issues that arise."

      OTOH security needs to start from the top. You can delegate the work but not the responsibility.

  9. DropBear Silver badge

    Easy-peasy...

    how to tell the difference between commercial interest and national interest;

    Oh, that's trivial... Is it going for your wallet or insisting to offer you something for free? Former. Is it going for your vote or trying to scare you? Latter.

    between marketing hype and political propaganda;

    Same as above.

    between authentic relationship...

    You need not worry about those, you don't have any.

    ...and clever manipulation.

    There isn't any of that around either. Blunt in-your-face manipulation is just so much more effective...

  10. Adrian 4 Silver badge

    paranoia

    Do you also reject free coffee, cakes and random ornaments ?

    Yes, you might do if you're afraid someone might poison or bug you, and quite right too.

    But in general, we trust people based on their reputation. The conference organiser's reputation will be that they might nag you to sell their conferences, but they probably won't try to drug, bug or infect you with malware. Because they have some integrity, and don't want to be demonised.

    Why is the branded USB drive any different ? You probably shouldn't accept it from someone who comes up to you in the street. Same goes for the other things I suggested - if someone in the street offers you cookies you make a judgement based on your experience and prejudices about whether to take them.

    The USB stick isn't any different. There is a possibility of accidental or intentional malware. You can choose to trust it or not according to your usual threat model. It doesn't make the marketroids stupid for offering it, nor does it make you stupid for accepting it.

    1. NickyD
      Stop

      Re: paranoia

      "Why is the branded USB drive any different ?"

      Because you don't really know who made it and how? You may trust your contacts, but do you know how many layers of procurement and supply they went through to source these cheap 'gifts'?

      Risk vs benefit - no real benefit vs a tiny (but > 0) risk of possibly severe consequences.

      1. Adrian 4 Silver badge

        Re: paranoia

        True, you don't know who made it. Same goes for shop-bought comestibles, though the threat model is less severe (less likely that there's someone intentionally putting rohypnol in grocery-store milk, but by no means impossible).

        You might though, expect a responsible marketroid to buy such devices from a reputable source and perhaps even scan a sample of them before handing them out. Likewise, you wouldn't expect them to give you tea, coffee and biscuits by skipdiving at the local supermarket.

        I still say 'be reasonable' - the process for trusting USB sticks is only similar to the processes we already use for other gifts and promotional articles.

        If there is a warning to take away, it's that promoters should bear in mind that USB sticks are in the same category as other items with a mild threat. Source them responsibly, but don't necessarily give them up. Punters like these things.

        (declaration : no, I'm not a vendor of promotional USB sticks. I do occasionally get given them and I'm happy to accept them, though I wouldn't miss them as they're usually a bit small in capacity).

        1. Doctor Syntax Silver badge

          Re: paranoia - Danger: oxymoron alert.

          a responsible marketroid

      2. Kevin Johnston Silver badge

        Re: paranoia

        Don't recall which ones but there were conferences/trade shows where the free USB sticks turned out to be far less than suggested. They were 'adjusted' to report as a much higher capacity than they really were.

        Free gifts are often worth every penny

    2. DropBear Silver badge

      Re: paranoia

      Not so. I would trust nobody's "reputation" to vouch for the pristine state of a tchotchke they are offering me, no matter who they are. The knowledge that someone from PR in their organisation hired a conference organizer outfit who outsourced the trinket procurement to a bauble personalization joint shipping the cheapest mass-produced stuff directly from Alibaba fills me with very much zero confidence that anyone interested along the chain did not add a little something to the whole batch. I DID buy local-retail-store-sold photo frames that came malware-laden straight from the factory you know.

    3. Charles 9 Silver badge

      Re: paranoia

      I'm old enough to remember the poisoned Tylenol scandal. And I think they managed to do it DESPITE tamper resistance.

      1. Anonymous Coward
        Anonymous Coward

        Re: paranoia

        > I'm old enough to remember the poisoned Tylenol scandal. And I think they managed to do it DESPITE tamper resistance.

        Actually no, the Tylenol incident did kickstart the tamperproof packaging on almost everything edible, not just prescription medicine. At that time you could take an over-the-counter medicine bottle off the shelf, pop the top off, put it back on, and no-one was the wiser. Not even a plastic band around the cap. Yup. People trusted lots more back then.

        I did a paper on that incident in college to satisfy "do a paper on something security related" and the instructor didn't specify "computer security" so he was impressed how I did make it related.

        1. doublelayer

          Re: paranoia

          If you allow this to go as far as it can, you end up not able to use anything. Every time you buy something with a USB connector on it, it might have been compromised. Every time you are given something, that might be compromised too. The computer you bought might have malware preinstalled. The parts you were going to use to build yourself a computer because you can't trust the manufacturers might have malware on them.

          In the case of the conference, I think it's fair to assume that the drive is probably safe. Don't just assume that it is--test it first--but it is not the high-risk situation like when drives are found unattended. If you always use "what is possible" as your question for trust, you will end up at a dead end. Instead, ask "what is feasible" and "what is likely", and take whatever precautions are available for those infeasible and unlikely things that nonetheless are possible.

    4. Anonymous Coward
      Anonymous Coward

      Re: paranoia

      Rigghhhhhtt.

      Who the F do you trust - many moons ago had a customer who called us in a rip roaring panic attack. Trusted supplier of half his product line had sent a dvd of updates to their service software and it just happened to contain a virus inserted at the dvd production site. Talk about a cockup involving an entire nation of distributors and a multi-billion dollar business exposed.

    5. Doctor Syntax Silver badge

      Re: paranoia

      "The conference organiser's reputation will be that they might nag you to sell their conferences, but they probably won't try to drug, bug or infect you with malware."

      Succeeding without trying is an option. Just how much cost do you think they're prepared to take on board to source promotional tat?

  11. Lee D Silver badge

    First action upon starting at my current workplace:

    A blanket ban on all USB sticks and any mass storage devices, and any "unauthorised" USB devices in general.

    You want that, it has to come through IT who will scan it, and copy it to normal storage for you. If it leaves site at any point, it has to be scanned again. No exceptions. Not even for the big bosses. USB is just disabled and alerts us when it's attempted.

    That's held for 4 years, and I'm regularly able to demonstrate why it's in place (with speakers, presentations and visitors all the time, there's ALWAYS something on a stick, and more often than not I have to refuse them access).

    Number of virus infections: 1. Contained to a single PC. Introduced from a dodgy download, which the user persisted in attempting to run despite it being a file-inside-a-file-inside-a-file from a personal webmail from a spam from someone they didn't know, etc. etc. etc.

    (Second action on starting at my current workplace: Stop all the password expiry nonsense as per all modern password guidelines.)

    Honestly, you have ZERO NEED to use USB sticks, or even devices. The hindrance is literally "Hi John, nice to meet you, can I just take that stick from you to give to IT, they'll put it on the system for you and give it back, cool, let's go get a coffee and get you set up, eh?". You're just introducing the potential for everything from keyboard loggers, wireless access that bypasses your network security (or even shares out the local network to the Internet!), etc. etc. to anyone.

    You need a piece of software that lets you block categories of USB drivers (e.g. mass-storage, etc.) and also whitelist authorised devices. Even then, there's potential for serious compromise (e.g. nothing to stop a USB keylogger looking like an authorised keyboard by offering fake USB PIDs).

    1. wyatt

      I'd be happy to not use USB storage devices when I go to a customers site, unfortunately most of them block and won't allow an alternative method of obtaining logs or retrieving software updates.

      It'd be more convenient to have access to Office365/One drive or similar, save me then putting the USB device back into my laptop having been on their network.

    2. Charles 9 Silver badge

      "A blanket ban on all USB sticks and any mass storage devices, and any "unauthorised" USB devices in general."

      And how do you stop this being countermanded by someone over your head?

      1. Lee D Silver badge

        Easy it's called "I can implement that change, but it'll cost you one IT Manager and a lawsuit about trying to get rid of them for providing adequate data and system security with a reasonable, demonstrably-effective, proven and already-in-place system".

        Also, that in any proper workplace, such people DO NOT have access to the IT system whatsoever (physically or electronically), in any way, to implement such a change behind your back - even if they got IBM/Microsoft themselves to come in and try to do it.

        Hint: The triggering of any one tripwire which suggests intrusion - whether by my own employees (IT department), other employees, outside entities, management, or any of their consultants - will result in the correct response in the case of such potential compromise. A full system shutdown until the situation can be determined.

        Other hint: Every workplace I work at is made aware of a simple rule. If I ever discover that the master password lists / backup devices are accessed by anyone other than authorised personnel in the reasonable execution of their jobs (and I will know), I walk.

        You really need to read GDPR. Unless your boss has a reason to have the domain administrator's password/access (hint: They don't, unless that boss is the domain administrator), then it's illegal for them to have it. They can *request* it. They can *instruct* me to hand it over. And I guarantee that it'll cost them one IT Manager and a lawsuit unless it was absolutely required (e.g. I'm in a coma in hospital somewhere).

        P.S. The best way to stop such things is to say "Sure, I'll do that. But it's against my advice. Just sign here to tell me that you understand that and accept the consequences". I've actually used that. It's incredibly effective. No, my boss does not have any IT rights beyond that of any other member of staff working in such a position (e.g. he has a PC with office, rights to the documents he requires, but can't even rebuild his own machine or log into a server).

        1. Charles 9 Silver badge

          Unless you can prove it's totally lawyer-proof, C-suites can probably just counter they can lawyer their way out of nigh anything.

          1. Gene Cash Silver badge

            It just needs to be reasonably lawyer-proof so that it would lead to at least a long expensive court case.

            This is mostly deterrence, although you do need the nuclear weapons to back it up and the willingness to use them.

            1. Charles 9 Silver badge

              "It just needs to be reasonably lawyer-proof so that it would lead to at least a long expensive court case."

              No, it has to be Pyrrhic, as in it costs more to lawyer their way out of it than to pay the penalties for losing. Then the shareholders will get involved.

          2. Doctor Syntax Silver badge

            "Unless you can prove it's totally lawyer-proof, C-suites can probably just counter they can lawyer their way out of nigh anything."

            Some of us work in jurisdictions with better employee rights protection. There'd also be a risk of flagging themselves up to the ICO in which case it'd most likely be settled very quietly out of court.

            There's also the fact that some of us work/have worked for businesses that take security very seriously and there it really does start at the top.

            1. Charles 9 Silver badge

              "There's also the fact that some of us work/have worked for businesses that take security very seriously and there it really does start at the top."

              Applicable word being SOME, not MOST. You're the exception; most places the execs have the ability to override and use their legal teams to find whatever excuse they need to make it above-board. Isn't that why there hasn't been any REALLY crippling judgments against big companies?

              1. Doctor Syntax Silver badge

                "You're the exception"

                Actually I have the luxury of not working for anyone these days.

                But you may be right in that before I retired my last client had the word "Security" as the first word in the company name and meant it so that helped. Directors would have Richter 8 shouting matches in the open office but not about security. At one time they hired a company to try ringing various members of staff - and freelancers - to try to pry out company information and found we were effective at rebuffing them. Prior to that I worked for a large company that had a major, in PR terms at least, security egg-on-face incident and after that they went on a not entirely security theatre kick so at that time at least they became quite security minded. I don't suppose it lasted when their feet were no longer held to the fire.

                When security requirement are imposed externally, and the likes of GDPR can do that, it becomes in the top team's interest to take is seriously.

                1. Charles 9 Silver badge

                  "When security requirement are imposed externally, and the likes of GDPR can do that, it becomes in the top team's interest to take is seriously."

                  Is it? Or is it just a case of the lawyers finding a way out of it? I've yet to see anything really lawyer-proof.

        2. Anonymous Coward Silver badge

          @Lee D

          Sounds like you've got a great setup there. Any jobs going? I'd love to work in a place where the IT department can actually implement their policies.

        3. Anonymous Coward
          Anonymous Coward

          Uh huh...

          "You really need to read GDPR. Unless your boss has a reason to have the domain administrator's password/access (hint: They don't, unless that boss is the domain administrator), then it's illegal for them to have it."

          Do tell, where in the GDPR does it say that? (or even mention passwords?)

          1. toxicdragon

            Re: Uh huh...

            "Do tell, where in the GDPR does it say that? (or even mention passwords?)"

            "Even though passwords are not specifically mentioned, Regulation (EU) 2016/679 does stipulate that “a high level of protection of personal data” is required. GDPR also requires safeguards to be implemented that prevent the abuse, unlawful access, or transfer of personal data."

            https://www.netsec.news/gdpr-password-policy/

            1. Anonymous Coward
              Anonymous Coward

              Re: Uh huh...

              Of course, a high level of protection is necessary. That doesn't mean that your boss having admin privileges means that the organisation is "acting illegally" as asserted above.

  12. Mage Silver badge
    Black Helicopters

    Mount?

    Problem is basic design of USB, particularly HID which can inject scripts without storage mount.

    Also stupidity of JTAG over USB management modes on some motherboards. ONLY use a JTAG header.

    Also there are other non-storage USB modes that might be used as attack vectors.

  13. 45RPM Silver badge

    I don’t accept free USB sticks anymore, although I have sometimes wondered whether I might be safe with one from a reputable vendor (HPE, Microsoft and so forth) - although the reputable vendors don’t seem to hand them out anymore.

    Even with fresh, sealed in box, USB sticks I plug them into a non-network connected Raspberry Pi which automatically repartitions and formats any drive plugged into its USB port. If it’s an obvious bit of malware, this will wipe it. If its one of those electrocution gizmos, I don’t care (it’s a Raspberry Pi! Nice n cheap!) Of course, there are more insidious ways of compromising USB devices - but I haven’t yet thought of a way of getting around those. All thoughts welcome!

    1. Adrian 4 Silver badge

      You could reformat them with a secure file system (I assume such things exist) that would cryptographically sign updates so that the files could not be modified without using the appropriate private keys.

      This would protect you from USB sticks that modify their contents after you have written them.

      1. Charles 9 Silver badge

        But that doesn't do anything about the likes of BadUSB which work at the controller level AND can be tamper-proof in itself. Something like that could potentially detect a non-standard filesystem and ruin your day that way.

        1. Adrian 4 Silver badge

          They work at the controller level by impersonating an unexpected controller. They still don't inject driver-level code into the OS.

          Yes, if you plug a USB stick into a port and no files are displayed but the stick secretly opens a command shell and types commands into it, it won't help. That's certainly something the OS writers should address.

          1. Charles 9 Silver badge

            I thought they monkeyed with the controller directly, making it OS-independent. Thus why they say if you think your controller's been hit by BadUSB, you can never trust it again, OS be damned.

    2. owlstead

      You cannot trust your Raspberry Pi fully either. In the end you should ask yourself what there is to be gained by the seller, and at what effort, and to what price. If it is white-label, they won't be hurt by bad press. But the larger manufacturers and distributors have a lot to lose. Sometimes the free market does provide some protection.

      In the end you should not act paranoid either. But, to be honest, with computers it is hard to tell where you should draw the proverbial line.

  14. Anonymous Coward
    Anonymous Coward

    Infosec for all!

    My last few roles which included networking for the NHS always had our most tech savvy staff overruled by a director who knew nothing

    I remember one uncomfortable fight about USB sticks. We only got them barred by hitting the Patient Data Not Allowed Off site paranoia button.

    But most people will do what they want, try it, and not think twice about logging it as a fault.

    It's a shame IT is seen as an expense as training EVERYONE on basic Infosec principles, and throw in GPDR as well, might help.

    It's baffling IT is such an internal part of any organisation yet if you let them the other depts would walk all over them.

  15. CharliePsycho
    Black Helicopters

    Beware the RED USB drive

    When you work on a secure site the networks are of course air-gapped. So the only form of data transfer for normal PC's* is the RED usb stick... Which has to be signed for and audited in and out.

    If you saw a red USB that was not in someones possession, you were not to touch it, you were to ring security immediately who would send armed ninja to appropriately dispose of the USB... and the person who had not looked after it. Security used to leave them on the floor in hallways as a honey-trap for the unwary.

    It's not called sneaker-net for nothing!

    *Secure Magneto Optical drives (EMP proof) were available for those who could use them!

    1. Anonymous Coward
      Anonymous Coward

      Re: Beware the RED USB drive

      Really cool work environment there...

      1. Charles 9 Silver badge

        Re: Beware the RED USB drive

        ...except for the possibility whoever DID leave the device could ALSO order the ninjas around.

    2. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    I've actually worked at a security related company where you got a miniature USB stick as "present" during the family days. Probably meant to get you trained in accepting gifts such as that. They also sported encrypted USB sticks where you needed to install a program (McAfee shit) to decrypt it. The only problem: none of my peers wanted to click the executable ('d Oh), if I was even inclined to ask them. I would actually be embarrassed and slightly awed by the trust put in me if they would click the executable. Fortunately the computers in the office did not accept just any USB stick (but a stick mimicking a input device could still do the trick for most of those security solutions).

    The security officer nicely wore the lanyard with the company logo on it. It fitted nicely with the access card from which the company name was deliberately missing. Of course the USB stick also had the logo, in case somebody finding the stick on the street would not have another look at the contents.

    You cannot make things like that up (which could not be said from the passwords they used).

  17. davenewman

    Business cards

    There was a time when people would hand over mini-CDs as business cards.

  18. martinusher Silver badge

    USB memory sticks should be harmless.....

    ....but for a certain software firm deciding that you just had to automatically run applications based on a file extension "to improve the user experience". Obviously because they had this 'feature' everyone else had to copy it to remain competitive.

    This could be a useful illustration of just how screwed up what passes for computing has become these days. Simple, straightforward, solutions to problems get lost, users buy into complexity and suddenly its all voodoo, smoke and mirrors because we can't collectively turn around and say "This crap just isn't working properly, it needs fixing".

    1. Gene Cash Silver badge

      Re: USB memory sticks should be harmless.....

      ... except for the fact that USB allows a memory device to do ALL THE non-memory-device THINGS. This isn't just a Microsoft thing, it's a basic design challenge.

  19. mildy bemused

    Me, paranoid?

    No, just well informed.

  20. Barry Rueger Silver badge

    Waste of time.

    I remember my first virus, off of a floppy disc, setting off klaxons and flashing red warnings from Central Point Anti-virus.

    For many years I reported such things to wherever they came from, and went to considerable lengths to point out security problems. I was the poster-boy for proactive user behaviour.

    Ultimately I stopped bothering when it became clear that the majority of companies and institutions just don't care, and especially don't want customers wasting their time on such things.

    I guess there was just one too many times when the offending party replied with "Don't bother your little head with it dear."

    There a few companies that treat these things seriously, and I'll bend over backwards to help them, but in most cases I've simply given up.

  21. mrchuckles

    There's no such thing as too paranoid at the moment.

  22. Ken Mitchell

    Not Paranoid enough

    On the balance of "Paranoid?" and "Not Paranoid Enough", I'm generally going to come down on the side of "Not paranoid enough".

  23. StuntMisanthrope Bronze badge

    Gambit, thats my favorite, misdirection.

    The only thing that cannot be bought is consideration, took me forever to learn that one. #whendidthathappen

  24. bobajob12 Bronze badge

    USB is a godsend, but

    We should take a lesson from people who deal with drug users: harm reduction not behavior elimination.

    Most people will be exposed to malware on a stick, but unlikely to be exposed to chip-level attacks. And they are never, ever going to stop plugging things they find into their computer.

    So, what actions does a user need to take -- a real user, not a Reg reader, mind-- to protect themselves from nasties on the stick when they plug it in? This kind of stuff is too much.

    1. Charles 9 Silver badge

      Re: USB is a godsend, but

      You bet your career on that?

    2. Doctor Syntax Silver badge

      Re: USB is a godsend, but

      "So, what actions does a user need to take to protect themselves from nasties on the stick when they plug it in? "

      Epoxy in USB connector.

      1. Charles 9 Silver badge

        Re: USB is a godsend, but

        So how do you transfer things too complex for a human to enter into an airgapped device? Stuxnet got through Sneakernet because you had to have SOME way to program the machines.

        1. Doctor Syntax Silver badge

          Re: USB is a godsend, but

          "So how do you transfer things too complex for a human to enter into an airgapped device?"

          In the context of my reply about epoxy - which I assume is what you're questioning - the immediate reply is learn to read a statement of requirements which in this case was "So, what actions does a user need to take -- a real user, not a Reg reader, mind-- to protect themselves from nasties on the stick when they plug it in?" No mention of Stuxnet there.

          The moral you need to take from my reply is that it's a trade-off. If you want to be secure there are things you shouldn't do, sticking random USB devices into a PC is one of them. Self-discipline would be better but if physically preventing yourself or those around you from doing things is the only way of doing that, take the physical route.

          As a free-standing question, however, it deserves an answer and the answer, as with so many things in IT is that you have to analyse each situation as you meet it. If you have to make provision for data from random USB devices or the like for a single air-gapped machine a good starting point might be another air-gapped triage machine. You should be prepared to write that one off on that in the event of the sort of nasties you've mentioned elsewhere and, as several of us have said, a Raspberry Pi is cheap enough to make that painless; you can do it out of petty cash. For an air-gapped network LeeD's approach is the way to go. For a stand-alone machine your triage device could have the further level of protection of burning the data onto a write-once optical drive.

          In different circumstances there are other options. For instance in the situation I mentioned elsewhere in the thread the main security concern was confidential information in the production side of the business leaking and there they had a factory network separate from the production network. Data incoming to that from customer sources was carefully routed and checked; e.g. incoming XML data was checked against an agreed schema - any file consisting of anything other than a conforming document was dumped.

          To reiterate, you analyse the particular requirements and devise a solution that fits. If you need further help my rates are exceedingly immoderate these days.

  25. Anonymous Coward
    Anonymous Coward

    Free credit card shaped USB sticks

    Not only insecure by nature, but great for opening some door locks!

  26. Winkypop Silver badge
    Thumb Down

    Free or found USB drive? No thanks

    But then plenty of people still use social media, etc. and spaff all manner of PI over the web.

  27. Anonymous Coward
    Anonymous Coward

    Name and Shame

    Yes PAYPAL, every fucking month you send me an email saying “review your PayPal activity” and “click here to login”. It’s bloody genuine too, not that I’ve ever clicked the link to test the theory.

    1. Doctor Syntax Silver badge

      Re: Name and Shame

      And while we're calling PayPal out let's not forget they pass on your email address to vendors. That's an email address that's one half of your log-in credentials/ Very likely an email address that you set up for PayPal so you can identify genuine messages from them.

  28. GrapeBunch Bronze badge
    FAIL

    Too smart for our breeches.

    What's the obsession with vulnerability and sticks? A kind of TITSUSB of the 21st?

    My own obsession is mandatory (electricity) smart meters. They provide a vector for devilry that will cost lives, destroy buildings. Only the existence of lower-hanging fruit will delay the conflagration.

  29. Stevie Silver badge

    Bah!

    Dead simps, this one. Fire up the trusty Raspberry Pi, plug in and stand ready with the trusty lump hammer if teh warez gain the upper hand.

  30. spold Bronze badge

    Malware removal

    Malware can effectively be removed from any freebie USB device by placing it in the office microwave for 30 seconds.

    The same works with company phone SIM cards when you change jobs - I found 20 seconds to be sufficient actually. You should always follow company policy and use the office microwave and not your own that has not been inspected by the security group.

  31. Obesrver1
    Alien

    eAnarchy

    Not even Internet Anarchy, just Anarchy really ! Slowly & not so slowly being introduced into the system.

    Chaos is the disruption to systems by the "unknown", But Anarchy is the disruption to systems by the "known".

    It will fall, the system.

    Now anarchy is to destroy the existing system so one can introduce another, in time, if one actually thought that far ahead, rather than just to pull down this government. What then is the new system that eAnarchy will introduce?

    Better watch out !

    1. Charles 9 Silver badge

      Re: eAnarchy

      It usually isn't pretty. Eventually, someone amasses enough power to push everyone aside and take over. Like you said, usually isn't pretty.

  32. unbearable

    I have had similar ideas forced upon me by other means than a usb card. A little paranoia can go a long way, How much is too much? We may yet find out.

  33. Potemkine! Silver badge

    During a travel in China, my boss was offered a wireless keyboard... I asked him not to use it ^^

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019