Interesting that this topic has come up. I believe this was being
discussed some time ago (maybe a month or two). I have two of the
I-Stick USB thumb drives. Each one holds a gig of info and can be used
in a form that is about an inch long and as thick as a stick of gum.
(They also make it through airport metal detectors I found out on my
last flight to Denver. Point being - they are hard to detect, visually
or with machine.)
As a PoC for physical security, I had written an autorun and a batch
file that would show users just how nasty USB thumb drives could be.
Used in conjuction with hiderun32.exe (runs programs with the GUI
hidden), it proved to be a very good tool. In any system that
recognizes autorun, all one had to do is plug in the stick. The OS did
the rest. I had made the batch file to adapt to different operating
systems (Win9x compared to XP). It would do some quick PoC stuff (copy
files from the My Documents folder, do some recon on the system with
ipconfig, net *, etc, then run notepad to show PC control).
At the current time, I'm still looking for a reliable, cost effective
solution to control USB access. I haven't given it much dedicated
research however. I'll be watching this convo. =)
--
Peace. ~G
On Fri, 19 Nov 2004 23:14:43 -0000, Gray, Steve <sgray@wakefield.gov.uk> wrote:
Hi,
This is something we are very interested in at the moment. I have found some
software, from a firm called Generix, that looks as though it will control
the use but it is difficult to get managers to pay for it. They seem to
understand risks from floppy disks and CD's, but not from USB devices. Any
practical policy guidelines to limit risks would be welcome.
Steve Gray
Wakefield MDC
--------------------------
Sent from my BlackBerry Wireless Handheld
