Michael Horowitz

Defending against malicious CDs and USB flash drives

July 03, 2011 8:17 PM EDT

Not long ago the Department of Homeland Security repeated a test that has been written about before. According to Bloomberg, they dropped CDs and USB thumb drives in parking lots. As you might expect, people working in the buildings that populate those parking lots picked up the devices and inserted them into their computers.

The news here, according to Bloomberg and people they interviewed, is the actions of the employees. Not to me. I see the story being the failure of the IT departments to educate employees about how dangerous this is. And, how Windows computers can be defended against this sort of thing. Neither is rocket science. 

One supposed expert that Bloomberg consulted called the employees "idiots". This is ridiculous. These people worked for either the US government or private contractors with, no doubt, dedicated IT staff. Bankers don't blame computer nerds when loans aren't repaid, yet computer techies blame civilians when the stuff they are responsible for fails.

The first time I read about a test like this, the USB flash drives exploited the autorun feature in Windows. The Bloomberg story didn't go into this, but it bears repeating: autorun in Windows can be totally, perfectly, 100% defended against. Too few people are aware of this. The defense is a simple modification of the registry, and it works on all versions of Windows. I wrote about it, here, back in January 2009 (The best way to disable Autorun for protection from infected USB flash drives).
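The post does not spell out the registry change. The script below is an added example, not code from the original post; it applies the two widely documented autorun mitigations (the IniFileMapping override for Autorun.inf recommended in US-CERT alert TA09-020A, and the NoDriveTypeAutoRun policy value) and then reads them back to verify. It is an assumption that this is the same technique the author's 2009 post described.

```powershell
# Added example (not from the original post): disable Windows autorun via the registry.
# Assumption: these are the settings the author's 2009 post refers to. Run from an
# elevated PowerShell prompt.

# 1) Redirect every Autorun.inf lookup to a registry key that is never created, so
#    Explorer never honours an Autorun.inf, whatever the per-drive-type policy says.
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
# 2) Belt and braces: the policy value that turns AutoRun off for all drive types (0xFF).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-Autorun {
    if (-not (Test-Path $iniMap)) { New-Item -Path $iniMap -Force | Out-Null }
    # The key's (default) value; the @SYS: prefix tells the INI mapper to look in the
    # registry, and 'DoesNotExist' is a key name that is deliberately left undefined.
    Set-ItemProperty -Path $iniMap -Name '(default)' -Value '@SYS:DoesNotExist'

    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunDisabled {
    # Returns $true only when both settings are present with the expected values.
    $map = (Get-ItemProperty -Path $iniMap -ErrorAction SilentlyContinue).'(default)'
    $pol = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($map -eq '@SYS:DoesNotExist') -and ($pol -eq 0xFF)
}

Disable-Autorun
if (Test-AutorunDisabled) { 'Autorun disabled; sign out or reboot so Explorer picks up the change.' }
else { 'Verification failed; re-run from an elevated PowerShell prompt.' }
```

The same two settings can be pushed to a fleet of machines through Group Policy or a logon script, which is the IT-department fix the post argues was missing.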

In a follow-up to the Bloomberg story, Lifehacker suggested opening suspect hardware in a virtual machine. There are better, simpler options. 

The safest approach is to use Linux, as so little malware targets it.

Windows users are best served with a copy of Linux on a USB flash drive. Just yesterday I ran Mint version 10 off a USB flash drive to delete files in the Windows recycle bin, files that Windows itself would not display, but were there nonetheless.

Many Linux distributions can also run off a bootable CD, but CDs are slow and some computers don't have optical drives.

Another option is to install Linux under Windows (Ubuntu can do this using Wubi). Then, much like Apple's Boot Camp, you can choose to run Linux or Windows when the computer is powered on.

Sticking solely with Windows, Sandboxie can offer excellent malware protection, even using the free edition. A case can be made that Sandboxie protection is better than that offered by anti-malware software.

In dealing with malicious CDs and thumb drives, run Windows Explorer in a sandbox configured to discard all changes. Close Windows Explorer, and any changes made to the system by malicious software on the hardware device get backed out.

As a plus, Sandboxie can offer ongoing protection from many types of malware, including spear phishing. 

Virtual machines are a valid Defensive Computing approach, but they take much more work than booting to Linux or running inside a sandbox. And, with a virtual machine running Windows, there is still a chance of malware leakage either through file sharing or a bug in the virtual machine software. 

While some government employees may be idiots, that's beside the point. The real issue is that computer techies, at times, blame others for their failings. If a USB flash drive in a parking lot breaches security, it's not the fault of the non-techie that picked it up.