Vaping, USB’s and your electronic security

I read an article in Wired several months ago about the security of USB and why it’s fundamentally flawed.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

‘In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.’
In there it also mentioned about other USB devices such as keyboards, mice and peripherals that have some kind of firmware (or can be modified to include said firmware) that are also susceptible to infecting with malware.
8a0f_usb_rocket_launcherI’ve seen people plug in some weird crap to their computers for the sake of either holiday decorations, or to play around (aka missile launcher from ThinkGeek ) or to charge their devices (tablet, reader, phone, hand warmer, coffee warmer, speaker, etc).  Some of the things I’ve seen plugged in are ‘decorations’ that someone found on one of those el-cheapo type web sites that offer bundles of things for like $10.00.  They’re made in China somewhere and you really have to wonder what exactly is happening when you’re plugging something like that in to your computer.  I mean come on, you do your banking on your computer, shopping, keep pictures and personal records (possibly even tax documents) there.  Do you really know what’s happening?
That includes using a USB hub.  Do you really honestly trust that USB dancing monkey hub that you got off of an online web site?
Either way, now you’ve got to worry about plugging in your new battery to charge it if you’re going to vape.  For those of you that don’t know, Vaping is using electronic ciggarettes.  It’s called vaping because the liquid is vaporized by the internal parts of the device, then inhaled.
The thing that got me starting to think about this again (not like I’m not always thinking about stuff like this) is this article over on about Vaping and USB/Computer security:

ecig-590x330While the health effects of vaping are currently a mystery, it seems the hobby might now have another negative side-effect. Reddit user Jrockilla posted a story to the often hilarious Tales From Tech Support subreddit about a security breach at an undisclosed large corporation. Reportedly, an execute had malware on his computer, the source of which could not be ascertained.

Rechargeable e-cigarettes usually come with a little USB charger — unscrew the battery (the shaft of the e-cig) from the e-liquid cartridge (the filter area of a traditional cigarette), screw it into the port on the charger, and plug the USB dongle into a power supply or USB port on a computer.

Head on over to Wired and to read the full stories

WIRED: Why the Security of USB is Fundamentally Broken Vaping Can Now Lead to Computer Virus

And if you want to pick up one of those Missile Launchers head over to ThinkGeek.

Some personal thoughts on the whole USB thing?

18mk506qxcz38jpgYes, this is going to make it extremely difficult for some businesses and be a royal pain for every day users.  Disable all USB ports for removable storage.  I can tell you now that you’re probably going to get a raft of crap from your kids. In the long run though, USB storage is starting to calm down a little bit and the cloud is becoming more popular.

There are many ways to do this either through a third party software, via a security policy through GPO or even taking care of it on the local system.  If you’ve only got a few boxes to do, I’d say do it locally, but if you’ve got more than 5 or so machines, go ahead and create a package and send it out to your devices remotely.

A few other ways are:

  • Treat your USB port like you would your daughter, don’t let anyone put their dongle in it.
  • Don’t trust foreign USB devices
  • If you let someone use your USB device, assume it’s not infected and get rid of it.
  • Don’t ‘lend’ your USB devices out.
  • Make sure you’re protecting your computer with some sort of anti virus software and/or security suite.

That’s pretty much about it.

Now back to your regularly scheduled day.

~ by Normanomicon on November 26, 2014.

%d bloggers like this: