ComputerWorld - Defensive Computing: Defending against malicious CDs and USB flash drives
July 3, 2011
by Michael Horowitz

Not long ago the Department of Homeland Security repeated a test that has been written about before. According to Bloomberg, they dropped CDs and USB thumb drives in parking lots. As you might expect, people working in the buildings that populate those parking lots picked up the devices and inserted them into their computers.

The news here, according to Bloomberg and people they interviewed, is the actions of the employees. Not to me. I see the story being the failure of the IT departments to educate employees about how dangerous this is. And, how Windows computers can be defended against this sort of thing. Neither is rocket science.

One supposed expert that Bloomberg consulted called the employees "idiots". This is ridiculous. These people worked for either the US government or private contractors with, no doubt, dedicated IT staff. Bankers don't blame computer nerds when loans aren't repaid, yet computer techies blame civilians when the stuff they are responsible for fails.

The first time I read about a test like this, the USB flash drives exploited the autorun feature in Windows. The Bloomberg story didn't go into this, but it bears repeating: autorun in Windows can be totally, perfectly, 100% defended against. Too few people are aware of this. The defense is a simple modification of the registry, and it works on all versions of Windows. I wrote about it back in January 2009 ("The best way to disable Autorun for protection from infected USB flash drives").
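A read-only check for this kind of registry defense, as an added example that is not from the original article. The page does not name the registry change, so the two settings audited here (the `NoDriveTypeAutoRun` policy value and the `IniFileMapping\Autorun.inf` redirect) and the function name `Test-AutorunHardening` are assumptions based on commonly documented Windows Autorun controls.

```powershell
# Added example: audit two commonly documented registry controls for Autorun.
# Which of them the article's author means is an assumption; the page names neither.
# The function only reads the registry; it changes nothing.

function Test-AutorunHardening {
    [CmdletBinding()]
    param()

    # Control 1: the NoDriveTypeAutoRun policy value.
    # Each bit disables Autorun for one drive type; 0xFF covers all of them.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -LiteralPath $policyPath -Name 'NoDriveTypeAutoRun' `
                               -ErrorAction SilentlyContinue
    $policyValue = $null
    $policyShown = '<not set>'
    if ($policy) {
        $policyValue = [int]$policy.NoDriveTypeAutoRun
        $policyShown = '0x{0:X2}' -f $policyValue
    }

    # Control 2: the IniFileMapping redirect for Autorun.inf.
    # When the key's default value is "@SYS:DoesNotExist", Windows looks up
    # autorun.inf settings in a registry location that does not exist, so the
    # file on the inserted media is never consulted.
    $mapPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $mapValue = $null
    if (Test-Path -LiteralPath $mapPath) {
        $mapValue = (Get-Item -LiteralPath $mapPath).GetValue('')
    }
    $mapShown = '<not set>'
    if ($mapValue) { $mapShown = [string]$mapValue }

    [pscustomobject]@{
        Control  = 'NoDriveTypeAutoRun (HKLM policy)'
        Current  = $policyShown
        Hardened = ($policyValue -eq 0xFF)
    }
    [pscustomobject]@{
        Control  = 'IniFileMapping\Autorun.inf default value'
        Current  = $mapShown
        Hardened = ($mapValue -eq '@SYS:DoesNotExist')
    }
}

# Print one row per control for the local machine.
Test-AutorunHardening | Format-Table -AutoSize
```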

In a follow-up to the Bloomberg story, Lifehacker suggested opening suspect hardware in a virtual machine. There are better, simpler options.
