Autorun is VERY bad
Tony Pursell
ajp at princeswalk.fsnet.co.uk
Mon Feb 7 22:48:56 UTC 2011
On Mon, 2011-02-07 at 13:35 -0600, Cybe R. Wizard wrote:
> On Mon, 07 Feb 2011 10:21:42 -0800
> kellyremo <kellyremo at zoho.com> wrote:
>
> >
> > How to disable autorun? Are there any hidden autorun features on a
> > standard Ubuntu install??
> > http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-video.aspx
> >
> Here's the telling sentence from that site:
>
> "I'll explain how attackers can abuse these features to gain access to
> a live system by using a USB flash drive."
>
> What it tells us is that whoever is doing the 'hacking' of the system is
> sitting in front of the system. If that is so then all bets are off.
> The only real protection from someone with physical access to the
> system is encryption of the hard drive(s).
> If you are concerned with someone having physical access to your box,
> encrypt the drive during installation. If no one /has/ physical
> access, the USB attack won't work.
Except for a few headless, lights out installations it is unlikely that
'no one' /has/ physical access. There is always the possibility that
the sole user gets duped into plugging in a USB stick. You could even
get a batch of supposedly blank new USB stick sold in some cheap shop.
Call me paranoid, but in considering security issues you always have to
consider all possibilities then do your risk analysis on each.
>
> The speaker also stated that autorun for USB is disabled by default in
> Ubuntu. Where is the problem, again?
>
> It is a non-news item.
>
> Cybe R. Wizard
> --
> When Windows are opened the bugs come in.
> Winduhs
>
More information about the ubuntu-users
mailing list