22 January 2009

Podslurping

I learned a new word today: Podslurping.

I've been having fun with StatCounter seeing how many people have been hitting this blog since the Conficker worm made people take the whole business of securing their networks against memory stick worms seriously. (The answer is: about 15000 in the last 7 days.)

One of the sites which referenced my original post was this one at the Potsdam Institute for Climate Impact Research in Germany. It notes that with Autorun.inf disabled, Podslurping is made harder.

So what is Podslurping? Well, at its simplest, it consists of plugging a USB storage device (of which an iPod is just one example) into somebody's PC and copying lots of data from its disk, or the network to which the PC is connected. That hardly seems worth giving a name to, but the clever part comes if you automate it. You can write an Autorun.inf file which will start the copy to the USB device as soon as you plug it in, without any need to access the keyboard. All it needs is a reasonable copy program and a few lines of a .BAT file.

So now you literally only need three seconds' unsupervised access to the PC on two occasions (one to plug the device in, one to unplug it half an hour later) and you can steal all of the data from it, without having to log in or risk detection by hanging around in the office, leaving a command prompt window open on the screen, etc. If the PC has USB ports on the rear, you don't even have to walk round to the side of the desk where your victim sits; in fact you could probably drop your phone and slip the USB device in while the user is sitting there.

So if you have issues with people potentially stealing data, disabling Autorun might be a useful extra precaution to take.
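
For anyone auditing memory sticks before they get near a PC, here is an added example (not part of the original post) that parses the text of an Autorun.inf file and lists the entries that would launch a program on insertion. The function names and sample files are constructed for illustration; the keys checked (`open`, `shellexecute`, `shell\<verb>\command`) are the launch entries of the standard Windows Autorun.inf format.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command

def find_autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section of an Autorun.inf."""
    findings, in_autorun = [], False
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a leading BOM
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive; only [autorun] matters here.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
            findings.append((key, value))
    return findings

def audit_volume_files(files):
    """files: {path: text} for Autorun.inf files found on removable volumes.
    Returns only the paths that contain at least one launch entry."""
    return {path: hits for path, text in files.items()
            if (hits := find_autorun_commands(text))}

# Constructed sample inputs (not taken from any real device).
SAMPLES = {
    "E:\\Autorun.inf": "; constructed\n[AutoRun]\nicon=drive.ico\n"
                       "OPEN = tool.exe /quiet\nshell\\open\\command=tool.exe\n",
    "F:\\Autorun.inf": "[autorun]\nlabel=Holiday photos\nicon=cam.ico\n",
    "G:\\Autorun.inf": "[Content]\nopen=ignored.exe\n",
}

if __name__ == "__main__":
    for path, hits in audit_volume_files(SAMPLES).items():
        for key, cmd in hits:
            print(f"{path}: {key} -> {cmd}")
```

A stick whose Autorun.inf only sets a label or icon (like the constructed F: sample) is not reported; only files with a launch entry are.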

2 comments:

  1. Hi,

    Thanks for the 2 Disable and Reenable Autorun scripts.

    I have not been able to get either to work. I run Win XP Home. I double-clicked on the Disable Autorun script and received the "open with what application" option menu.

    How do I use it?

    thanks

    Greg

  2. Greg, please read the original blog post again. You have to make sure that the file has a .REG extension. Maybe your text editor is giving you a different extension. Otherwise, check this link which has a downloadable version in a ZIP file: http://www.articlesbase.com/security-articles/recovering-from-the-downadup-conficker-virus-767475.html

    PS: If you want to reply, please do it under the original "Memory Stick Worms" blog post. This post is about a different subject.