Security Conference Gifts are Viruses

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
55,532
Thank you for coming today, we appreciate you being here, please accept this free virus as a sign of our gratitude. If nothing else this sound serve as a warning to never access a strange USB flash drive with a computer that you even remotely care about.


The Criminal Investigation Bureau has admitted that it handed out 54 malware-infested thumb drives to the public at a data security expo hosted by the Presidential Office from Dec. 11 to Dec. 15 last year.

An employee at the company used the affected computer to transfer an operating system to the drives and test their storage capacity, transmitting the malware to 54 units, the bureau said.
 
How has this never been done before? Seriously this would be a brilliant idea just to help drive home the point. Obviously in this situation it wasn't intentional but think of this: You show up for a security conference, get handed a free usb drive as a grab-bag freebie, you plug it into your laptop, and bam, you get a page-hijack that is basically a web page that says "hey stupid, don't ever put usb's you don't trust into a computer you ever care about!".
 
Oh no, I like the "virus" one. Think about it. How many people would consider picking it up and walking away with it? :)

I do have to laugh at the irony of it.
 
Oh no, I like the "virus" one. Think about it. How many people would consider picking it up and walking away with it? :)

I do have to laugh at the irony of it.

Well... I would... :D I'd pop it into a non-networked expendable machine that I could blow away the OS on, format it, and then I have a free USB device that says Virus on it. :p

I wouldn't actually take it if it wasn't mine... I'm usually on the receiving end of that one...
 
Physical trojan horses are still a thing.

People can't fucking learn from history so they are doomed to repeat it.
 
How has this never been done before? Seriously this would be a brilliant idea just to help drive home the point. Obviously in this situation it wasn't intentional but think of this: You show up for a security conference, get handed a free usb drive as a grab-bag freebie, you plug it into your laptop, and bam, you get a page-hijack that is basically a web page that says "hey stupid, don't ever put usb's you don't trust into a computer you ever care about!".
That’s what I was thinking. Honestly I had to reread the post to realize they didn’t do this intentionally.

It would be a great publicity stunt, and important lesson to some.


The funny thing is having worked at Nukes, the typical policy is that we aren’t allowed to plug ANYTHING into a PC that hasn’t already been checked out and approved by their cyber security team. Anything meaning, anything down to the 3.5mm Aux.
 
how much of this is intentional so they have a backdoor again after all the leaks caused backdoors to start getting fixed. there were memos like "hey we should distribute this app so people create a trojan for us..."
 
how much of this is intentional so they have a backdoor again after all the leaks caused backdoors to start getting fixed. there were memos like "hey we should distribute this app so people create a trojan for us..."

"on accident" :D
 
Really surprised that this hasn't been posted yet.

990457e5a99ac7af36872e27170eaf47-full.jpg
 
In the 90's I purchased some CAD software on a 3.5 floppy disk that had a sticker on it. "Hermetically Sealed"
 
Hmm, a better virus to take home than what could occur with some of what is being discussed in the Buy anything with crypto thread...
 
I will say this. If you attend SHOT Show, CES, Defcon, Blackhat, pharmaceutical, aerospace, defense, rapid prototyping, or any other trade show that shares an industry with the PRC...You are a target. Especially if you are a vendor. I've been in situations personally where co-workers have left the conference to grab their laptops out of their room and keep them on their person due to the behavior being exhibited by some of the attendees.
 
I will say this. If you attend SHOT Show, CES, Defcon, Blackhat, pharmaceutical, aerospace, defense, rapid prototyping, or any other trade show that shares an industry with the PRC...You are a target. Especially if you are a vendor. I've been in situations personally where co-workers have left the conference to grab their laptops out of their room and keep them on their person due to the behavior being exhibited by some of the attendees.

I exhibited at ITSEC in Orlando this past November- if you walk around, there are like 20-30 suited security guards, who mostly stair at their phones or tell you that you can't get back in if you go out those doors. Then I read through the agreement for exhibitors when they tell you, "We will not protect any of your shit".... I get that they can't be on the hook if ninja's break in and steal Boeing's new Rocketpack but come on...I'm paying this facility a hundred dollars a square foot and some of that is going to these yahoos who won't do anything at all to protect my stuff. Call me paranoid but I packed up everything I couldn't afford to lose into my Pelican 1690 and took it home every single night of the trade show.
 
wow.. and they didnt even have to go to the effort of throwing a bunch around on the ground

nice
 
I exhibited at ITSEC in Orlando this past November- if you walk around, there are like 20-30 suited security guards, who mostly stair at their phones or tell you that you can't get back in if you go out those doors. Then I read through the agreement for exhibitors when they tell you, "We will not protect any of your shit".... I get that they can't be on the hook if ninja's break in and steal Boeing's new Rocketpack but come on...I'm paying this facility a hundred dollars a square foot and some of that is going to these yahoos who won't do anything at all to protect my stuff. Call me paranoid but I packed up everything I couldn't afford to lose into my Pelican 1690 and took it home every single night of the trade show.

Yup. My experiences exactly. Don't even get me started on the honey pots hanging out in the hotel lobbies and bars after hours. "Yeah lady...You're way to hot to be interested in what I do or say.... How much is the PRC paying you?"
 
I assume the 'dirty' thumb drives are a distraction from the fact all the phones are getting owned.
 
I assume the 'dirty' thumb drives are a distraction from the fact all the phones are getting owned.

And that's when the attack comes, not from the thumb drive you never used, but from the phone you always had.
 
Physical trojan horses are still a thing.

People can't fucking learn from history so they are doomed to repeat it.

Should they have to ? I mean I have never understood the whole deal with USB based malware.

I have these really simple questions.

What is the point of even having USB drives which are designed to move data physically between computers if we cant trust them at all anyway?
How is it possible that after 20 years of using these things the OS and antivirus do not have solid protections by default in place to stop these devices from auto play, or whatever the heck is allowing them to infect machines.

I mean seriously but then again I view pretty much all the products we use in this manner. People like to say things like don't browse bad web sites. UMM why on earth is an internet browser even open to these attacks. There should be a clear point where anything that could harm your computer or install anything on it requires elevated privileges. And at no point should anything ever pop up or prompt you automatically to install anything when you are surfing the web unless you specifically click a link to do so.

Security buffs are always trying to blame their clients for the failures of the software and hardware they use. They hired you because they don't know what they are doing don't be a moron and push the blame off on to them. Make it secure. That is the point of security if the clients could handle it all we wouldn't need security.
 
  • Like
Reactions: WhoMe
like this
Should they have to ? I mean I have never understood the whole deal with USB based malware.

I have these really simple questions.

What is the point of even having USB drives which are designed to move data physically between computers if we cant trust them at all anyway?
How is it possible that after 20 years of using these things the OS and antivirus do not have solid protections by default in place to stop these devices from auto play, or whatever the heck is allowing them to infect machines.

I mean seriously but then again I view pretty much all the products we use in this manner. People like to say things like don't browse bad web sites. UMM why on earth is an internet browser even open to these attacks. There should be a clear point where anything that could harm your computer or install anything on it requires elevated privileges. And at no point should anything ever pop up or prompt you automatically to install anything when you are surfing the web unless you specifically click a link to do so.

Security buffs are always trying to blame their clients for the failures of the software and hardware they use. They hired you because they don't know what they are doing don't be a moron and push the blame off on to them. Make it secure. That is the point of security if the clients could handle it all we wouldn't need security.


There's only so much you can do to prevent normal people from doing batshit insane stuff.

https://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/

SOCIAL ENGINEERING WILL ALWAYS BE THE WEAKEST LINK!!
 
So I don't know what the point of your link is, once again I reiterate that the mere fact you plug a usb drive in should not be a security risk no matter where it comes from. A properly secure OS should be able to handle plugging any USB drive in laden with thousands of malware and only the act of running a program and elevating privileges should be a security risk.
 
Back
Top