22 January 2009

Podslurping

I learned a new word today: Podslurping.

I've been having fun with StatCounter seeing how many people have been hitting this blog since the Conficker worm made people take the whole business of securing their networks against memory stick worms seriously. (The answer is: about 15000 in the last 7 days.)

One of the sites which referenced my original post was this one at the Postdam Institute for Climate Impact Research in Germany. It notes that with Autorun.inf disabled, Podslurping is made harder.

So what is Podslurping? Well, at its simplest, it consists of plugging a USB storage device (of which an iPod is just one example) into somebody's PC and copying lots of data from its disk, or the network to which the PC is connected. That hardly seems worth giving a name to, but the clever part comes if you automate it. You can write an Autorun.inf file which will start the copy to the USB device as soon as you plug it in, without any need to access the keyboard. All it needs is a reasonable copy program and a few lines of a .BAT file.

So now you literally only need three seconds unsupervised access to the PC on two occasions (one to plug the device in, one to unplug it half an hour later) and you can steal all of the data from it, without having to log in or risk detection by hanging around in the office, leaving a command prompt window open on the screen, etc. If the PC has USB ports on the rear, you don't even have to walk round to the side of the desk where your victim sits; in fact you could probably drop your phone and slip the USB device in while the user is sitting there.

So if you have issues with people potentially stealing data, disabling Autorun might be a useful extra precaution to take.

15 January 2009

Conficker

This rather unfortunately-titled virus - ask anyone who speaks both French and German ;-) - seems to be "flavour of the month" at the moment.

There is a nice, readable summary of how this virus spreads here.

On our network, we installed the MS08-067 patch to every PC as soon as it became available, and we have Autorun disabled (of course).

That just leaves the problem of the worm, once it's on your LAN, spreading by logging in to the other PCs. I presume from the description that it does the equivalent of
  NET USE \\{pc}\ADMIN$ /USER:{pc}\Administrator {password}
for some set of passwords selected from a dictionary.

Well, as luck would have it, all of our PCs have unique, computer-generated(*) passwords on the local Administrator account. This was a decision we took 12 years ago when we first installed Windows NT 4.0. It was done so that if necessary we could keep any troublesome users from having Administrator privileges (we had decided that by default, Domain Users would be in the Administrators group, after discovering that this was necessary to install a patch for Office, and not being in the Administrators group didn't prevent them accidentally breaking NT anyway). In 12 years we've only had to do this once (and the guy was let go a couple of months later), and we've always wondered if it was really a sensible thing to do, since managing all those 8- or 9-letter random words is quite a bit of work. It looks like we may have found a good reason after all...


(*) Since you ask: we used SET PASSWORD /GENERATE on VAX/VMS.