Naked Security

“Remind me again, why are plaintext passwords bad?” 60 Second Security

Here's our weekly "wry but spry" video - your security news fix in just 1 minute. Enjoy...

1 Comment

Okay, suppose Sophos Labs finds a USB key. How would they examine it?

Here’s how I would start:
1) Take a machine freshly loaded with an OS and anti-malware software. No Flash or Java installed. No network connected. No Acrobat or Acrobat Reader. Chrome installed for the PDF viewer.
2) Make sure Autorun is disabled.
3) Insert the key and scan it.
4) Using the Word Viewer (not MS-Word), view the .DOC/.DOCX files. Same approach with .PPT/.PPTX and .XLS/.XLSX files.
5) Snoop the .MSI files with a hex viewer, then delete them.
6) Open the PDFs with the Chrome PDF viewer.
7) Open the JPGs/JPEGs/GIFs/PNGs with ??. IrfanView? MS Picture and Fax Viewer?
8) Open all the TXT files with Notepad.
9) For all executables (.EXE/.COM/.JS/.JAVA/.BAT/etc.) look them up on a search engine using a different, _connected_ computer. Don’t move the stick, just make a list of the names with paper and pencil and re-type them.
10) Wipe the test computer’s drive(s) and re-install the OS/AV/Chrome for the next stick.

What would Sophos do differently?
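
An added example, not part of the comment above and not Sophos's own procedure: a read-only inventory for steps 4 to 9 of the comment. It groups the files on the stick by the viewer the comment names and checks each file's leading bytes against its extension, so an executable renamed to .jpg lands on the look-up-only list instead of in a viewer. The group names, the signature table and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Viewer per extension, following steps 4-9 of the comment (group names are assumptions).
HANDLING = {
    "word-viewer": {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx"},
    "hex-viewer": {".msi"},
    "chrome-pdf": {".pdf"},
    "image-viewer": {".jpg", ".jpeg", ".gif", ".png"},
    "notepad": {".txt"},
    "lookup-only": {".exe", ".com", ".js", ".java", ".bat"},
}
OLE, ZIP = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04"
# Well-known leading bytes for the extensions that have a fixed signature.
MAGIC = {
    ".pdf": [b"%PDF"], ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".exe": [b"MZ"],
    ".docx": [ZIP], ".pptx": [ZIP], ".xlsx": [ZIP],
    ".doc": [OLE], ".ppt": [OLE], ".xls": [OLE], ".msi": [OLE],
}

def triage(root):
    """Return (relative path, handling, header_ok) per file; reads 8 bytes, opens nothing in a viewer."""
    rows = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        ext = path.suffix.lower()
        handling = next((h for h, exts in HANDLING.items() if ext in exts), "unlisted")
        with open(path, "rb") as fh:
            head = fh.read(8)
        expected = MAGIC.get(ext)
        header_ok = None if expected is None else any(head.startswith(m) for m in expected)
        # An executable (MZ) header under a document/image extension never goes to a viewer.
        if head.startswith(b"MZ") and handling != "lookup-only":
            handling, header_ok = "lookup-only", False
        rows.append((path.relative_to(root).as_posix(), handling, header_ok))
    return rows

def build_sample(root):
    """Write constructed sample files (made up for this example, not from a real stick)."""
    samples = {"report.pdf": b"%PDF-1.4\n", "notes.txt": b"hello\n", "setup.exe": b"MZ\x90\x00",
               "budget.xlsx": ZIP, "holiday.jpg": b"MZ\x90\x00renamed"}
    for name, data in samples.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as stick:
        build_sample(stick)
        for row in triage(stick):
            print(row)
```

A `header_ok` of `None` means the extension has no fixed signature to compare against (for example .txt), not that the file is clean.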
