New Windows and Mac OSes USB Thumb Drive Protection


SIRT IT Security Roundtable

Harvard Townsend

Chief Information Security Officer harv@ksu.edu

September 11, 2009

Agenda

Windows 7 and Mac OS X 10.6

Timeline for release

Security features

Application compatibility

Anti-virus solutions

Deployment strategy at K-State

Dealing with malware spread by USB flash drives

Q&A


Windows 7

Now available for purchase from SHI ~ $50

General availability to public Oct. 22, which is when it will start shipping on new computers

Designed to fix the Vista debacle; sort of a streamlined Vista under the hood

Faster boot/shutdown times

Some “improvements” to the UI, handling media, Windows Explorer, IE8, wireless networking (“the wireless networking interface isn't completely stupid anymore”), and setting up home networks


Windows 7

Security Features

Still has annoying pop-up security nags, but not as many as Vista because it’s easier to set the level of alert messages in User Account Control; that also makes it easier for a user to shut off alerts entirely

Same ol’ Windows Firewall and Windows Defender

Security settings all managed through “Action Center”

AutoRun disabled for USB drives (but not CDs/DVDs)

Improved encryption with BitLocker (easier to use, support for USB drives, but still only in Enterprise and Ultimate versions); we still recommend using PGP for encryption for key mgmt/recovery

Better support for biometric devices


Windows 7 Compatibility

Designed to run anything that runs in Vista, but don’t believe it – test everything and ask your software vendors

Hardware requirements virtually the same as Vista (unprecedented for a new Windows OS!)

Trend Micro OfficeScan

Version 8 NOT compatible

OfficeScan 10 has some issues

OfficeScan 10 sp1 supposed to have full Windows 7 support; in beta now

Should have no problem being available by October 22

PGP Whole Disk Encryption

August 12 from PGP: “There is no official statement on the compatibility of Windows 7 right now. There are still several levels of testing that need to occur before it is fully released. The next full release of PGP should support Windows 7, but there is no official statement as of yet.”

Windows 7 Strategy

Purchase now from SHI to test with ALL applications used by your department

Build Trend Micro OfficeScan 10 infrastructure (or use central TMOS server) and test OfficeScan 10

(there are other reasons besides Windows 7 to upgrade to v10)

No compelling security reason to upgrade from Vista, but there probably are performance, reliability, and usability reasons

Check hardware requirements for upgrade from XP

Beware of version 1 of anything, let alone an OS


Mac OS X 10.6

“Snow Leopard”

Released Aug. 28, shipping NOW on all new MacBooks

Available from K-State Union Computer Store for $29

Incremental upgrade to 10.5 (“Leopard”), hence not a new cat name!

Mostly performance/efficiency improvements

Faster startup/shutdown time, more efficient use of multiple-core Intel processors

UI tweaks, better 64-bit architecture support, Microsoft Exchange 2007 support

No support for PowerPC processor – it’s Intel-only from this point on


Snow Leopard

Security Features

Rudimentary antimalware feature added (enhanced “File Quarantine” that was part of OS X 10.4 and 10.5)

Pops up warning if attempt to install known malware

Only detects two categories of Trojans (RSPlug and iServices)

Signatures generated by Apple

Apple distributes the malware signatures through usual update services (which isn’t very frequent, so not responsive to new malware)

No clean-up services – tells you to drag it to the Trash

Not detected when executed from USB flash drive, DVD, Skype, and some other programs

See www.securityfocus.com/news/11559?ref=rss

Built-in support for Cisco VPN (not sure how well it will work at K-State)

Same ol’ (adequate) firewall

Shipped with vulnerable version of Adobe Flash – users should get update from Adobe (blogs.adobe.com/psirt/2009/09/flash_player_update_and_snow_l.html)

Also said to be fixed in Mac OS X 10.6.1 update released on Sept. 10.


Snow Leopard

Compatibility

Lists of incompatible software:

support.apple.com/kb/HT3258

snowleopard.wikidot.com/

wiki.brown.edu/confluence/pages/viewpage.action?pageId=53674011

PGP Whole Disk Encryption also incompatible

www.securityfocus.com/brief/1004?ref=rss

Statement from PGP support blog on August 27:

“While we are working diligently to complete the Snow Leopard compatible versions of the PGP Desktop products, we do not recommend you use the currently shipping versions on any system that has been upgraded to Snow Leopard. Please note that users wanting to migrate to Snow Leopard immediately must first decrypt all of their PGP WDE encrypted drives and uninstall their PGP Desktop application prior to upgrading to Snow Leopard. Failure to decrypt PGP WDE encrypted drives prior to installing Snow Leopard could result in data loss or other system issues.”


Snow Leopard

Compatibility

Symantec AV for Mac 10.2 incompatible

www.symantec.com/connect/forums/mac-osx-snow-leopard-installfailure

Sorta works if already installed on Mac OS X 10.5 and 10.6 is installed over the top; updates work and manual scans run, but “Auto-Protect” fails.

Will not install on a clean Mac OS X 10.6 install

Symantec has not offered any date for compatible release

Trend Micro Security for Mac 1.5 incompatible

Service pack 1 will support OS X 10.6 “end of October”

ClamXav an interim option?

Based on popular ClamAV open source code

Version 2.0.1 is compatible with OS X 10.6, but is a beta release: www.clamxav.com/

Needs to be tested, including compatibility with Bradford Campus Manager


Snow Leopard

Strategy

Purchase now for testing, both upgrade from 10.5 and clean install; test all applications used in your department

Delay departmental deployment until Trend Micro Security for Macs 1.5 sp1 is available and tested (late Oct, early Nov)

Any MacBook using PGP WDE must wait until PGP releases a compatible version, which we’ll get due to our support contract, or decrypt the laptop and uninstall PGP

Residence Halls are a different animal – when Bradford Campus Manager supports 10.6, we’ll evaluate AV options


Malware on USB flash drives

First experience in fall 2007 with PE_LUDER – wreaked havoc!

Seen it off and on ever since

Hit campus again in August as soon as students returned, spread rapidly throughout campus

Aug. 21: IT support reported it on USB flash drive after helping students in reshalls; OfficeScan did not detect it.


Malware on USB flash drives

Autorun.inf file:

[autorun]
shellexecute=Wscript.exe /e:vbs M.p.jpg

Malware file on the flash drive named M.p.jpg, which is a VBScript program, not a JPEG image; the /e:vbs switch tells Wscript.exe to run it with the VBScript engine regardless of the extension
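As an added example (not from the deck or from Trend Micro), the checker below parses an autorun.inf like the one above and lists the entries that would launch a program on insert. The sample files are constructed, and the script-host list and "disguise" extensions are my own heuristics, chosen to catch the Wscript.exe-plus-.jpg pattern described here.

```python
# Added example: flag autorun.inf entries that run code when the drive is inserted.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
EXEC_KEYS = {"open", "shellexecute"}          # keys Autorun acts on directly
DISGUISE_EXT = (".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc")

# Constructed samples: one modelled on the autorun.inf in the deck, one benign vendor file.
MALICIOUS_INF = "[autorun]\r\nshellexecute=Wscript.exe /e:vbs M.p.jpg\r\n"
BENIGN_INF = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Tools\r\n"

def parse_autorun(text):
    """Return {section: [(key, value), ...]} from INI-style autorun.inf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def findings(text):
    """List the reasons an autorun.inf deserves a closer look (empty list = nothing launches)."""
    out = []
    for key, value in parse_autorun(text).get("autorun", []):
        # open=, shellexecute= and shell\<verb>\command= all name a program to launch
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        out.append(f"{key}= launches a program on insert: {value}")
        tokens = value.split()
        program = tokens[0].lower().rsplit("\\", 1)[-1]
        if program in SCRIPT_HOSTS:
            out.append(f"{key}= invokes script host {program}")
        for arg in tokens[1:]:
            # a 'picture' handed to a script host is the M.p.jpg trick from the deck
            if arg.lower().endswith(DISGUISE_EXT):
                out.append(f"{key}= passes non-executable-looking file {arg} to {program}")
    return out

if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, findings(inf) or ["no launch entries"])
```

Run it against the root of a suspect drive's autorun.inf to decide whether the referenced file is worth submitting for analysis.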

I was admittedly slow in getting this submitted to Trend for analysis, but they had a solution within 2.5 hrs of submittal

Identified as VBS_AUTORUN.MAD

By the end of the day, the production pattern file was identifying it

92 instances detected/cleaned by OfficeScan since 8/27


Malware on USB flash drives

Next one reported on August 28; very similar with autorun.inf file that executes VBScript code

This time the malicious file was “(o_o).jpg”

This time it was submitted to Trend right away and they had a solution within 3 hrs

Identified as VBS_RUNAUTO.AM

155 instances detected/cleaned by OfficeScan since 8/28

Third round on September 3, more of the same

Since August 1, Trend Micro OfficeScan has detected/cleaned 275 instances of autorun-style malware, including 8 instances yesterday


What do we do about it?

New variants exploit limits of pattern-based anti-virus protection

OfficeScan 10 will help by distributing pattern files quicker, thereby limiting the spread

Submit new samples as soon as you discover them via the new “Malicious Software Reporting Tool”: SecureIT.k-state.edu/ReportMalware.html

Can be difficult to find original malicious file

Hackers hide the malicious files

It was a student’s USB flash drive and you’re not sure which one

Often only see the after-effect – a compromised computer

Can put a flash drive into an infected computer and see if new autorun.inf and malware files are added to it (be careful!)

Be wary of student USB flash drives!

External USB hard drives also vulnerable


What do we do about it?

Disable Autorun so files on infected USB drives are not automatically executed when you plug the flash drive into your computer

Side effect: In Windows Vista and older versions, it also disables automatic playing of a DVD movie or automatic software installation from a CD – it’s all or none with Autorun

Run Windows 7 since it disables Autorun on non-optical media by default (everything except CDs/DVDs, like USB flash drives)

Trend Micro OfficeScan 10 allows sysadmin to specify different actions for different media/devices


Autorun vs. Autoplay

Autorun enables media and devices to launch programs by use of commands listed in a file called autorun.inf, stored in the root directory of the medium.

Autoplay examines removable media and devices (like USB flash drives) and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content.

Autorun is the bigger risk of the two, but they are interrelated enough to be confusing, and both have the same end result – automatic execution of a program when you insert removable media.


Disabling Autorun

Method depends on version of Windows – either use group policy or edit the registry; can be complicated and is always risky to edit the registry manually.

Check with your IT support person!!

Security patches are required for most versions of Windows to properly handle the Autorun registry keys

Detailed instructions at support.microsoft.com/kb/967715/

Wikipedia entry is informative en.wikipedia.org/wiki/Autorun

TweakUI sets it on a per-user basis rather than for the entire computer (HKEY_CURRENT_USER registry keys rather than HKEY_LOCAL_MACHINE), and the local_machine setting trumps the per-user setting.

Use Windows Group Policy

Centrally managed with ADS, done by your sysadmin

Individually with Group Policy Editor


Group Policy Editor

Windows XP Pro, Windows 2000, Windows Server 2003 only:

1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.

2. Under Computer Configuration, expand Administrative Templates, and then click System.

3. In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: In Windows 2000, the policy setting is named Disable Autoplay.

4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.

5. Click OK to close the Turn off Autoplay Properties dialog box.

6. Restart the computer.


Group Policy Editor

Windows Vista and Server 2008:

1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or click Allow.

2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.

3. In the Details pane, double-click Turn off Autoplay.

4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.

5. Restart the computer.

Vista and Server 2008 have more granularity for defining actions with two additional registry keys:

Default behavior for AutoRun

Don't set the “Always do this…” checkbox


Registry Edit

For operating systems that do not include gpedit.msc:

Click Start, click Run, type regedit in the Open box, and then click OK.

Locate and then click the following entry in the registry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun

Right-click NoDriveTypeAutoRun , and then click Modify .

In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section.

Click OK , and then exit Registry Editor.

Restart the computer.


Easier Way to Edit the Registry

Open Notepad and copy/paste the following into a text file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Save the file as something.reg. (You have to be sure to change the "Save File as Type" to "All Files" before saving, or Windows will try to save it as a .txt even if you typed in .reg).

Locate the file you just saved and double-click the file to run it. You will receive a prompt asking if you want to add the data to the registry. Click yes to allow the modification.

Restart the computer

The above method nulls any request for autorun.inf and works on XP Home or Pro, as well as Windows Vista.

This is from antivirus.about.com/od/securitytips/ht/autorun.htm
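To tie the three registry settings on the last slides together (NoDriveTypeAutoRun under HKCU and HKLM, the IniFileMapping redirect above, and the rule that the local_machine value trumps the per-user one), here is an added Python example, not from the deck or from Microsoft, that reads an exported .reg file and reports which drive types would still honour autorun.inf. The sample export is constructed; the bit-to-drive-type table is the one documented in KB 967715.

```python
# Added example: work out the effective Autorun policy from a .reg export.
# Bit values of NoDriveTypeAutoRun and the drive type each one disables (KB 967715).
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown (reserved)"}
POLICY = r"\software\microsoft\windows\currentversion\policies\explorer"
MAPPING = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"

# Constructed export: a per-user 0xFF (what TweakUI would write) and a machine-wide 0x91.
SAMPLE_REG = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

def parse_reg(text):
    """Return {key path (lower-cased): {value name (lower-cased): raw data}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip()
    return keys

def effective_autorun(reg_text):
    """Report which drive types still honour autorun.inf once this .reg has been applied."""
    keys = parse_reg(reg_text)
    mapping = keys.get(MAPPING, {}).get("@", "")
    if "@sys:doesnotexist" in mapping.lower():   # the IniFileMapping trick blocks every drive type
        return {"source": "IniFileMapping", "disabled": list(DRIVE_BITS.values()), "enabled": []}
    # HKLM overrides HKCU, so the machine-wide policy is checked first.
    for hive in ("hkey_local_machine", "hkey_current_user"):
        data = keys.get(hive + POLICY, {}).get("nodrivetypeautorun", "")
        if data.startswith("dword:"):
            mask = int(data[6:], 16)
            disabled = [n for b, n in DRIVE_BITS.items() if mask & b]
            enabled = [n for b, n in DRIVE_BITS.items() if not mask & b]
            return {"source": hive.upper(), "disabled": disabled, "enabled": enabled}
    return {"source": None, "disabled": [], "enabled": list(DRIVE_BITS.values())}

if __name__ == "__main__":
    print(effective_autorun(SAMPLE_REG))
```

On the sample export the per-user 0xFF is ignored and the 0x91 machine value wins, so removable drives, fixed drives, CD-ROMs and RAM disks still run autorun.inf, which is exactly the TweakUI pitfall the deck warns about.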


What’s on your mind?
