I agree, the use of USB-connected devices is nothing new. They make a very unobtrusive delivery system, as well as a great way to load vast amounts of data into an extremely small space to get information out of an organization.
But you know something, that's not really the point. Yes, this is an old concern. It goes right up there w/ digital camera-enabled cell phones and variety of other security risks. I've been after one thing from the beginning...information. Evil Wrangler said that information should be free, but when I asked him some questions, all I got back was, "what...never heard of hacking??" In his 2600 article, EW stated that he plugged a USB device into a friend's computer, and the autorun.inf file was automatically parsed and commands within the "open=" line of that file were automatically run. According to documentation at MS, by default, this should not be possible. The NoDriveTypeAutorun key within the Registry allows CDs to run the autorun.inf file, but not removeable drive types, such as floppies and USB thumb drives. I have asked for specifics such as manufacturer and model number of the device used, specific information regarding drivers loaded, etc. After all, EW says that "information should be free", but I certainly don't see him freeing any information. If anyone has any information that can be used in repeatable experiments, I'd appreciate hearing from you. Thanks, Harlan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
