Thursday, October 30, 2008

Beware the key

USB keys are prevalent. They are used heavily by many incident response teams and first responders. They're less fragile than CD's, faster and offer greater storage.

They are also weapons of destruction and can become fast victims of compromised systems. It's been estimated that 10% of malware has the ability to infect removable media devices. Recall if you will that old is new. When you respond in an incident, you'll want to take some precautions if you use USB devices.

1) Make sure your devices are wiped and formatted after each case. If your device infected, your device becomes a weapon.

2) Create a directory named Autorun.inf in the root of your devices. This offers some protection against autorun malware.


To protect your Windows workstations if you haven't already, do the following things.

Copy and paste this in to a .reg file and merge it.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


Follow the instructions here:
http://support.microsoft.com/kb/953252

1 comments:

Andre said...

Talking about USB Devices, some time ago I on eBay purchased 256MB ‘Pretec’ brand USB flash drive for $75 Australian Dollars which was incredibly cheap at the time. This little thing has a very nice feature that you can hardly find on modern 16GB and 32GB monsters. It is a little write protect switch. I have several incident response tools stored on this drive and I always write protect the device when performing a live forensic, so at least my USB drive does not get infected :-)