1 / 23

New Windows and Mac OSes USB Thumb Drive Protection SIRT IT Security Roundtable

New Windows and Mac OSes USB Thumb Drive Protection SIRT IT Security Roundtable. Harvard Townsend Chief Information Security Officer harv@ksu.edu September 11, 2009. Agenda . Windows 7 and Mac OS X 10.6 Timeline for release Security features Application compatibility Anti-virus solutions

Antony
Download Presentation

New Windows and Mac OSes USB Thumb Drive Protection SIRT IT Security Roundtable

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Windows and Mac OSesUSB Thumb Drive ProtectionSIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer harv@ksu.edu September 11, 2009

  2. Agenda • Windows 7 and Mac OS X 10.6 • Timeline for release • Security features • Application compatibility • Anti-virus solutions • Deployment strategy at K-State • Dealing with malware spread by USB flash drives • Q&A

  3. Windows 7 • Now available for purchase from SHI ~ $50 • General availability to public Oct. 22, which is when it will start shipping on new computers • Designed to fix the Vista debacle; sort of a streamlined Vista under the hood • Faster boot/shutdown times • Some “improvements” to the UI, handling media, Windows Explorer, IE8, wireless networking (“the wireless networking interface isn't completely stupid anymore”), and setting up home networks

  4. Windows 7 Security Features • Still has annoying pop-up security nags, but not as many as Vista because it’s easier to set level of alert messages in User Account Control, but that also makes it easier for user to shut off alerts • Same ol’ Windows Firewall and Windows Defender • Security settings all managed through “Action Center” • AutoRun disabled for USB drives (but not CDs/DVDs) • Improved encryption with BitLocker (easier to use, support for USB drives, but still only in Enterprise and Ultimate versions); we still recommend using PGP for encryption for key mgmt/recovery • Better support for biometric devices

  5. Windows 7 Compatibility • Designed to run anything that runs in Vista, but don’t believe it – test everything and ask your software vendors • Hardware requirements virtually the same as Vista (unprecedented for a new Windows OS!) • Trend Micro OfficeScan • Version 8 NOT compatible • OfficeScan 10 has some issues • OfficeScan 10 sp1 supposed to have full Windows 7 support; in beta now • Should have no problem being available by October 22 • PGP Whole Disk Encryption • August 12 from PGP: “There is no official statement on the compatibility of Windows 7 right now.  There is still several levels of testing that need to occur before it is fully released.  The next full release of PGP should support Windows 7, but there is no official statement as of yet.”

  6. Windows 7 Strategy • Purchase now from SHI to test with ALL applications used by your department • Build Trend Micro OfficeScan 10 infrastructure (or use central TMOS server) and test OfficeScan 10 (are other reasons besides Windows 7 to upgrade to v10) • No compelling security reason to upgrade from Vista, but probably are performance, reliability, usability reasons • Check hardware requirements for upgrade from XP • Beware of version 1 of anything, let alone an OS

  7. Mac OS X 10.6“Snow Leopard” • Released Aug. 28, shipping NOW on all new MacBooks • Available from K-State Union Computer Store for $29 • Incremental upgrade to 10.5 (“Leopard”), hence not a new cat name! • Mostly performance/efficiency improvements • Faster startup/shutdown time, more efficient use of multiple-core Intel processors • UI tweaks, better 64-bit architecture support, Microsoft Exchange 2007 support • No support for PowerPC processor – it’s Intel-only from this point on

  8. Snow LeopardSecurity Features • Rudimentary anti-malware feature added (enhanced “File Quarantine” that was part of OS X 10.4 and 10.5) • Pops up warning if attempt to install known malware • Only detects two categories of Trojans (RSPlug and iServices) • Signatures generated by Apple • Apple distributes the malware signatures through usual update services (which isn’t very frequent, so not responsive to new malware) • No clean-up services – tells you to drag it to the Trash • Not detected when executed from USB flash drive, DVD, Skype, and some other programs • See www.securityfocus.com/news/11559?ref=rss • Built-in support for Cisco VPN (not sure how well it will work at K-State) • Same ol’ (adequate) firewall • Shipped with vulnerable version of Adobe Flash – users should get update from Adobe (blogs.adobe.com/psirt/2009/09/flash_player_update_and_snow_l.html)Also said to be fixed in Mac OS X 10.6.1 update released on Sept. 10.

  9. Snow LeopardCompatibility • Lists of incompatible sw: • support.apple.com/kb/HT3258 • snowleopard.wikidot.com/ • wiki.brown.edu/confluence/pages/viewpage.action?pageId=53674011 • PGP Whole Disk Encryption also incompatible • www.securityfocus.com/brief/1004?ref=rss • Statement from PGP support blog on August 27:“While we are working diligently to complete the Snow Leopard compatible versions of the PGP Desktop products, we do not recommend you use the currently shipping versions on any system that has been upgraded to Snow Leopard. Please note that users wanting to migrate to Snow Leopard immediately must first decrypt all of their PGP WDE encrypted drives and uninstall their PGP Desktop application prior to upgrading to Snow Leopard. Failure to decrypt PGP WDE encrypted drives prior to installing Snow Leopard could result in data loss or other system issues.”

  10. Snow LeopardCompatibility • Symantec AV for Mac 10.2 incompatible • www.symantec.com/connect/forums/mac-osx-snow-leopard-install-failure • Sorta works if already installed on Mac OS X10.5 and install 10.6 over the top; updates work, can do manual scan, but “Auto-Protect” fails. • Will not install on a clean Mac OS X 10.6 install • Symantec has not offered any date for compatible release • Trend Micro Security for Mac 1.5 incompatible • Service pack 1 will support OS X 10.6 “end of October” • ClamXav an interim option? • Based on popular ClamAV open source code • Version 2.0.1 is compatible with OS X 10.6, but is a beta release  • www.clamxav.com/ • Needs to be tested, including compatibility with Bradford Campus Manager

  11. Snow LeopardStrategy • Purchase now for testing, both upgrade from 10.5 and clean install; test all applications used in your department • Delay departmental deployment until Trend Micro Security for Macs 1.5 sp1 is available and tested (late Oct, early Nov) • Any MacBook used PGP WDE must wait until PGP releases compatible version, which we’ll get due to our support contract, or decrypt laptop and uninstall PGP • Residence Halls a different animal – when Bradford Campus Manager supports 10.6, we’ll evaluate AV options

  12. Malware on USB flash drives • First experience in fall 2007 with PE_LUDER – wreaked havoc! • Seen it off and on ever since • Hit campus again in August as soon as students returned, spread rapidly throughout campus • Aug. 21: IT support reported it on USB flash drive after helping students in reshalls; OfficeScan did not detect it.

  13. Malware on USB flash drives • Autorun.inf file:[autorun]shellexecute=Wscript.exe /e:vbs M.p.jpg • Malware file on the flash drive named M.p.jpg, which is a VBScript program not a jpeg image • I was admittedly slow in getting this submitted to Trend for analysis, but they had solution within 2.5 hrs of submittal • Identified as VBS_AUTORUN.MAD • By the end of the day, the production pattern file was identifying it • 92 instances detected/cleaned by OfficeScan since 8/27

  14. Malware on USB flash drives • Next one reported on August 28; very similar with autorun.inf file that executes VBScript code • This time the malicious file was “(o_o).jpg” • This time it was submitted to Trend right away and they had a solution within 3 hrs • Identified as VBS_RUNAUTO.AM • 155 instances detected/cleaned by OfficeScan since 8/28 • Third round on September 3, more of the same • Since August 1, Trend Micro OfficeScan has detected/cleaned 275 instances of autorun-style malware, including 8 instances yesterday

  15. What do we do about it? • New variants exploit limits of pattern-based anti-virus protection • OfficeScan 10 will help by distributing pattern files quicker, thereby limiting the spread • Submit new samples as soon as you discover them via new “Malicious Software Reporting Tool”:SecureIT.k-state.edu/ReportMalware.html • Can be difficult to find original malicious file • Hackers hide the malicious files • Was a student USB flash drive and you’re not sure which one • Often only see the after-effect – a compromised computer • Can put a flash drive into an infected computer and see if new autorun.inf and malware files are added to it (be careful!) • Be wary of student USB flash drives! • External USB hard drives also vulnerable

  16. What do we do about it? • Disable Autorunso files on infected USB drives are not automatically executed when you plug the flash drive into your computer • Side effect: In Windows Vista and older versions, it also disables automatic playing of a DVD movie or automatic software installation from a CD – it’s all or none with Autorun • Run Windows 7 since it disables Autorun on non-optical media by default (everything except CDs/DVDs, like USB flash drives) • Trend Micro OfficeScan 10 allows sysadmin to specify different actions for different media/devices

  17. Autorun vs. Autoplay • Autorunenables media and devices to launch programs by use of commands listed in a file called autorun.inf, stored in the root directory of the medium. • Autoplayexamines removablemedia and devices (like USBflash drives) and, based oncontent such as pictures, musicor video files, launches an appropriate application to playor display the content. • Autorunis the bigger risk of the two,but they are interrelated enough tobe confusing, and both have the same end result – automatic executionof a program when you insert removablemedia.

  18. Disabling Autorun • Method depends on version of Windows – either use group policy or edit the registry; can be complicated and is always risky to edit the registry manually. • Check with your IT support person!! • Are security patches required for most versions of Windows to properly handle Autorun registry keys • Detailed instructions at support.microsoft.com/kb/967715/ • Wikipedia entry is informative - en.wikipedia.org/wiki/Autorun • TweakUI sets it on a per-user basis rather than for entire computer (HKEY_CURRENT_USER registry keys rather than HKEY_LOCAL_MACHINE) and the local_machine setting trumps the per-user setting. • Use Windows Group Policy • Centrally managed with ADS, done by your sysadmin • Individually with Group Policy Editor

  19. Group Policy Editor Windows XP Pro, Windows 2000, Windows Server 2003 only: • Click Start, click Run, type Gpedit.msc in the Open box, and then click OK. • Under Computer Configuration, expand Administrative Templates, and then click System. • In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note In Windows 2000, the policy setting is named Disable Autoplay. • Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives. • Click OK to close the Turn off Autoplay Properties dialog box. • Restart the computer.

  20. Group Policy Editor Windows Vista and Server 2008: • Click Start, type Gpedit.msc in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or click Allow. • Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies. • In the Details pane, double-click Turn off Autoplay. • Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives. • Restart the computer. Have more granularity for defining actions with two additional registry keys: • Default behavior for AutoRun • Don't set the “Always do this…” checkbox

  21. Registry Edit For operating systems that do not include gpedit.msc: • Click Start, click Run, type regedit in the Open box, and then click OK. • Locate and then click the following entry in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun • Right-click NoDriveTypeAutoRun, and then click Modify. • In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section. • Click OK, and then exit Registry Editor. • Restart the computer.

  22. Easier Way to Edit the Registry • Open Notepad and copy/paste the following into a text file:REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] @="@SYS:DoesNotExist“ • Save the file as something.reg. (You have to be sure to change the "Save File as Type" to "All Files" before saving, or Windows will try to save it as a .txt even if you typed in .reg). • Locate the file you just saved and double-click the file to run it. You will receive a prompt asking if you want to add the data to the registry. Click yes to allow the modification. • Restart the computer • The above method nulls any request for autorun.inf and works on XP Home or Pro, as well as Windows Vista. This is from antivirus.about.com/od/securitytips/ht/autorun.htm

  23. What’s on your mind?

More Related