You may have heard that it’s not exactly safe to stick strange USB sticks into your laptop or desktop computer. This advice is oft-repeated but also oft-ignored. A 2011 test run by the Department of Homeland Security showed that 60 percent of people who picked up random thumb drives or computer disks they surreptitiously dropped in government building and private contractor parking lots plugged the devices into office computers. If the thumb drive or CD case had an official logo, that figure jumped to 90 percent.
But there’s reason for some caution. USB drives can fry your computer. The USB Rubber Ducky tool could perform a scripted attack on your computer. And running random files on that sketchy jump drive you picked up in the parking lot could lead to doom, especially if you’re working at an industry commonly targeted for corporate espionage, or are targeted for another reason.
But what about the rest of us? Plugging in random USB drives handed to you by nice people at conferences is probably safe, right? “Any untrusted media should be approached with caution. However, malicious thumb drives are generally uncommon and typically used in targeted attacks,” said Zachary Julian, Senior Security Analyst at global security consulting firm Bishop Fox. “The most common attack vector via thumb drive will be a malicious program on the disk that tricks the user into executing it. When browsing untrusted media, any program or document on the drive should be treated carefully, as it may contain malicious code,” he adds.
Though he’s quick to point out that this threat is extremely unlikely for most people, “a targeted attacker could conceivably craft an exploit that would allow them to execute code without the victim opening any file, such as an exploit affecting the thumbnail-rendering library in Windows or Linux,” he says. One example is a file name using a right-to-left ASCII control character. “It is invisible to the user, but indicates to the operating system that the text following it should be displayed right-to-left. This can be used to trick a user into opening a malicious program. For instance, imagine a malicious file called gpj.malware.exe. If we insert the right-to-left ASCII control character at the beginning of this filename it becomes exe.erawlam.jpg, which could trick a user into thinking it is a .jpg image. It will actually run as an .exe file on the victim’s machine.”
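As an added example (not from the article or from Bishop Fox), here is a small Python check that walks the file names on a mounted drive and reports which ones contain Unicode bidirectional controls such as U+202E RIGHT-TO-LEFT OVERRIDE, the character behind the trick Julian describes, and which would run as a program no matter how the name looks. It reads names only and never opens a file; the executable-extension list and the sample names are constructed for the example.

```python
import os
import sys
import unicodedata

# Unicode bidirectional control characters that can change how a name is displayed.
# The "right-to-left" trick described above uses U+202E, RIGHT-TO-LEFT OVERRIDE.
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", RLO,
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}

# Extensions Windows runs directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}


def strip_controls(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def apparent_name(name):
    """Approximate what a file browser shows: everything after the first RLO is
    drawn reversed and the control characters themselves are invisible.
    Simplified model; it does not implement the full Unicode bidi algorithm."""
    before, rlo, after = name.partition(RLO)
    return strip_controls(before + (after[::-1] if rlo else after))


def analyze(name):
    """Compare the stored name with what the user would see and flag disagreement."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = apparent_name(name)
    real_ext = os.path.splitext(strip_controls(name))[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "stored": name,
        "shown": shown,
        "bidi_controls": controls,
        "real_ext": real_ext,
        "executable": executable,
        # Disguised: the OS will run it, but the displayed extension says otherwise.
        "disguised": executable and shown_ext != real_ext,
        "suspicious": bool(controls) or executable,
    }


def scan(directory):
    """Analyze every file name under `directory` (names only; nothing is opened)."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        hits.extend({**analyze(f), "path": os.path.join(root, f)} for f in files)
    return [h for h in hits if h["suspicious"]]


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f'{hit["path"]!r} shown as {hit["shown"]!r}; real extension '
              f'{hit["real_ext"]}; controls {hit["bidi_controls"]}')
```

Run it as `python check_names.py /media/usb` from a live CD or other isolated system; a name that is flagged as disguised is exactly the gpj.malware.exe case from the quote above.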
Is this likely, or isn’t it? Well, it all depends on your threat model and whether someone would realistically invest a lot of time and/or money to try to compromise your machine. So you’ve got a potentially suspect USB drive, but really want to see what’s on it. What steps should you take? The best defense, says Julian, “is to avoid inserting untrusted media into your computer altogether.” Surely you can buy your own USB drive instead of using the one you found or got for free, right?
But if somebody’s sent or given you a jump drive with files on it instead of emailing them to you or using Dropbox, you could still find yourself in a situation where you’ve got a potentially suspect drive and don’t know what to do with it. Here’s what Julian recommends, depending on your level of suspicion.
First, perform a virus scan on untrusted files. You can upload the file on VirusTotal, but Malwr might be a better solution since VirusTotal shares the data with security researchers, and Malwr will not share it unless you allow it to (or unless it’s legally required to by law enforcement). Also, “Malwr.com can provide a more detailed technical analysis of uploaded files,” says Julian. Another option is to upload and view the file on an online editor like Google Drive. However, you’d be sharing the information with Google, of course.
“If the file cannot be shared with a third party, download a sandboxing program — like Sandboxie — and use it to open any programs or documents,” says Julian, but with one caveat: “Keep in mind that sandboxing programs will prevent malicious programs from writing to disk permanently, but may not prevent them from reading sensitive data.” (If you’re not on a Windows machine, you’ll have to use a Mac alternative to Sandboxie.)
Another option if you’d prefer not to share data with any third party: you can run a local virus scan or use a Linux live CD. “Live CDs run entirely within memory, offering a strong defense against malware writing to or reading from the hard disk. Malicious software is typically crafted to attack Windows, so using a Linux live CD will prevent most malware from executing at all. Linux live CDs provide a high level of protection against malware and are relatively easy to create, making them a great option for viewing untrusted media that accommodates most threat models,” says Julian. A Linux live CD is also an effective defense against most USB Rubber Ducky attacks.
You’ll want to use a virtual machine (as discussed in this excellent article by technologist Micah Lee, With Virtual Machines, Getting Hacked Doesn’t Have To Be That Bad), or even kick it up a notch: “the highest levels of sensitivity require a compartmentalized machine to view a thumb drive’s contents — e.g., a computer with no sensitive or identifying data on it, no network connection, using a Linux live CD with the hard drive physically disconnected,” says Julian.
Want to learn more about the specifics on how to do any of these things in an upcoming post? Leave your thoughts and questions in the comments, or contact me directly. I’ll cover the most requested topics over the next few months.
This article was written by Yael Grauer from Forbes and was legally licensed through the NewsCred publisher network.