Horizons Unlimited - The HUBB


Ian Bradshaw 16 May 2007 19:41

WARNING: USB Flash Drive users beware
 
If you routinely plug a USB flash drive into PCs in internet cafes, or even PCs where at some time untrusted people may have temporarily had access (even possibly your friend's or your own home PC), then at some point it is likely that a copy of your files will be covertly taken without your permission.

USB Hacksaw is one example of freely available software that makes this very easy to do:

http://wiki.hak5.org/wiki//USB_Hacksaw:

This web page gives a free download of the USB Hacksaw software. It takes a few minutes to download and install this to a USB flash drive. The rogue flash drive is then plugged into the USB port of a PC and automatically installs the USB Hacksaw software within seconds, with no need for user input. Here is a description of what happens next:

"This hack is based on a modified version of USBDumper. Once installed on a target machine it will stay resident and wait for a USB flash drive to be inserted. Once a USB flash drive is inserted the hacksaw will download the contents of the drive to a temporary location using the modified USBDumper, then silently run the send.bat file located in the same directory, which will then archive the contents using RAR, establish an SSL SMTP connection to smtp.gmail.com using Stunnel and Blat, email the downloaded data to an email address, and remove the documents and archives."

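For anyone who administers the PCs in question, the chain quoted above (drive inserted, then RAR, Stunnel and Blat run in quick succession) is a detectable pattern. The following is an added example, not part of the original post and not Hak5's code; the event format, host names and executable file names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Tools named in the quoted description. The executable file names are an
# assumption; a renamed copy would need hash- or behaviour-based matching.
CHAIN = {"rar.exe", "stunnel.exe", "blat.exe"}
WINDOW = 300  # seconds after a drive insert in which the whole chain must run

# Constructed sample events (not real logs): t = seconds, kind = usb | proc.
EVENTS = [
    {"t": 100, "host": "cafe-pc1", "kind": "usb", "image": ""},
    {"t": 130, "host": "cafe-pc1", "kind": "proc", "image": r"C:\Temp\x\rar.exe"},
    {"t": 140, "host": "cafe-pc1", "kind": "proc", "image": r"C:\Temp\x\stunnel.exe"},
    {"t": 145, "host": "cafe-pc1", "kind": "proc", "image": r"C:\Temp\x\blat.exe"},
    # Benign: a user runs RAR by hand after plugging in a drive, nothing else.
    {"t": 200, "host": "cafe-pc2", "kind": "usb", "image": ""},
    {"t": 220, "host": "cafe-pc2", "kind": "proc", "image": r"C:\Program Files\WinRAR\Rar.exe"},
    # Benign at the default window: all three tools, but long after the insert.
    {"t": 300, "host": "cafe-pc3", "kind": "usb", "image": ""},
    {"t": 5000, "host": "cafe-pc3", "kind": "proc", "image": r"C:\tools\rar.exe"},
    {"t": 5010, "host": "cafe-pc3", "kind": "proc", "image": r"C:\tools\stunnel.exe"},
    {"t": 5020, "host": "cafe-pc3", "kind": "proc", "image": r"C:\tools\blat.exe"},
]

def basename(path):
    # Lower-cased file name of a Windows path (Windows names are case-insensitive).
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_chains(events, window=WINDOW):
    """Return sorted [(host, insert_time)] where every CHAIN tool ran within
    `window` seconds after a removable-drive insert on the same host."""
    inserts = defaultdict(list)  # host -> drive insert times
    procs = defaultdict(list)    # host -> (time, tool name) for CHAIN tools only
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "usb":
            inserts[e["host"]].append(e["t"])
        elif basename(e["image"]) in CHAIN:
            procs[e["host"]].append((e["t"], basename(e["image"])))
    hits = []
    for host, times in inserts.items():
        for t0 in times:
            seen = {name for t, name in procs[host] if t0 <= t <= t0 + window}
            if seen == CHAIN:
                hits.append((host, t0))
    return sorted(hits)

if __name__ == "__main__":
    print(find_chains(EVENTS))
```

Requiring all three tools inside a short window after an insert keeps a lone RAR run on cafe-pc2 from raising an alert.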
Rebaseonu 16 May 2007 23:29

Things like that were discussed a few days ago:

http://www.horizonsunlimited.com/hub...s-device-27022

While in Africa I now and then got some new .exe files (viruses) on my USB stick after visiting Internet cafes.

SwampFox 23 May 2007 17:25

OMGoodness, I am so glad you posted this, I keep all my bike payment info on my thumb drive, so I can prove when payments have been made, of course it links to my bank account too.

AHHhhh, I scared myself !

Gotta fix this, before I go on the road again.

I already knew about the key logger, so thanks to Ian Bradshaw.


beddhist 23 May 2007 18:07

Keep sensitive info on your USB stick and your laptop encrypted, using something like PGP. If you use a good passphrase the encryption is uncrackable and a data thief is left with useless files.

BruceP 23 May 2007 18:51

Quote:

Originally Posted by beddhist (Post 137339)
Keep sensitive info on your USB stick and your laptop encrypted, using something like PGP. If you use a good passphrase the encryption is uncrackable and a data thief is left with useless files.

No encryption is uncrackable.

Best to keep the data away from computers IMO, and I work with the things !

Now, if only internet cafes dropped MS and realised Solaris was a better solution :-)

beddhist 24 May 2007 15:52

Quote:

Originally Posted by BruceP (Post 137346)
No encryption is uncrackable.

Reading a bit about it, it is my understanding that with a secure passphrase all available computing power on the planet would take more than a lifetime to crack the algorithm. I don't care what happens to my data after I'm dead.

Quote:

Originally Posted by BruceP (Post 137346)
Best to keep the data away from computers IMO, and I work with the things !

Don't use computers, then? You will need to write it down in clear text on paper then...

All safety and security is relative.

MotoEdde 24 May 2007 20:54

You have two concerns with the USB stick...Upstream and Downstream.
Upstream deals with infecting other computers with your USB stick and that will compromise more information than exists on your stick.
Downstream deals with the information on your stick being emailed to a culprit.
To mitigate the Upstream risk, online solutions are available but aren't 100%. I won't recommend any specifically as I don't want my PM box filled with IT specific questions. But do your 5 minutes of research now and develop a plan before you run into a problem, and at a time convenient to you.

Downstream, same advice as upstream. These cafes, and other public places are vectors for such hacks/viruses/etc.

Hak5Darren 6 Jun 2007 19:13

Hey this is Darren from Hak5. I'm the author of the program in question. I found this site while checking our apache logs. Anyway as a fellow rider myself I figured I'd weigh in on this.

First off, the program was built as a proof of concept to show how vulnerable Windows computers are in their default configuration. We spent a great deal of time talking about how to protect yourself from such a hack in the episode that covered this program. Education is always the answer.

I highly recommend everyone with USB drives look into encryption. My personal favorite is a free and open source program called Truecrypt, from truecrypt.com. It's really easy to use and very secure. Google it and you'll find a ton of tutorials and testimonials.

Anyway I hope that clears things up.

Oh and for the record I ride a Honda Rebel, but will soon be moving up to the Shadow Spirit. 250cc just isn't enough, especially on those long hauls! :)

Rebaseonu 6 Jun 2007 22:30

Quote:

Originally Posted by Hak5Darren (Post 138795)
I highly recommend everyone with USB drives look into encryption. My personal favorite is a free and open source program called Truecrypt, from truecrypt.com. It's really easy to use and very secure.

Drive decryption requires password entry and that password can be captured by a key logger, unless it uses some kind of "password hardware" like a physical ID card or something. There is no security in public computers if you need to enter a password via keyboard.

Also, this Truecrypt software requires Windows 2000 or newer and *administrator privileges*, something that is not present in many public computers (internet cafes). Also I can't see how data from new decrypted virtual disk can't be copied by a bad program the same way as from ordinary volume if the decrypted volume appears in system as a logical disk the same way as any other disks.

Frank Warner 27 Jul 2007 00:49

What they'll get off my flash drive is a few Gb of photos ..


All times are GMT +1.