Be safer than NASA: Disable autorun

NASA confirmed this week that a computer on the International Space Station is infected with a virus. (See "Houston, we have a virus" at The Register.)

The malicious software is called W32.TGammima.AG, and technically it's a worm. The interesting point, other than how NASA could let this happen, is the way the worm spreads--on USB flash drives.

Randy Abrams, director of technical education at ESET, alerted me about this. Touching on both interesting points, he said:

To start with, no computer going into space should have autorun enabled. Simply disabling autorun would have almost certainly rendered the worm inert. Given that age of the worm, and its low risk ranking, it is probable that current (antivirus) software was not being used either.

(Credit: NASA)

Malicious software spread by USB flash drives and other removable media takes advantage of a questionable design decision by Microsoft. Windows is very happy to run a program automatically when a USB flash drive is inserted into a PC. How convenient, both for end users and for bad guys.

Abrams blogged about this back in December, and I wrote about it in March. In that posting, I described how to disable autorun for Windows XP and Windows 2000 and I just revised it to include Vista.

In his December blog, Abrams writes, "Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."

Don't be a victim, disable autorun (also known as autoplay) for all devices. It may be a bit inconvenient going forward, but to me, the added safety is well worthwhile.

See a summary of all my Defensive Computing postings.

[sfrob]

Or upgrade to Vista... autorun doesn't run by default in Vista, it pops up a dialog box with an option to run the specified program.

[ARTIFEXapparel]

Switch to Vista? That would most definitely bring the space station crashing around our heads. <br />Two months ago, the armed forces and most branches of the government issued statements saying they were going to avoid windows vista for the time being, as that operating system is obviously buggy, and in no way stable enough for use in high importance areas such as military use or the NASA program. I mean, if the staff at NASA is half as smart as they are supposed to be, then I am sure that they are not using it for ANYTHING! :)

[bassimplant]

What in the Universe was a Windows machine doing in space in the first place?!?!?!?!<br />That operating system was never designed to leave the face of the planet!<br /><br />The bloke that wrote that worm must be over the moon about the fact that his virus is floating around in space :o)<br /><br />Here's a tip... use a more stable OS for something you're sending into space. <br />That's just my opinion.

[CrashPad63]

What exactly is more stable than Vista? Most assuredly not OSx or Linux. They cant seem to get their own apps to work right let alone a whole world of varying apps. <br />Keep drinking that Koolaid, remeber sips not gulps.

[dasium]

"Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."<br /><br />There is a third type that has the sense not to run Windows, especially without current AV software!

[cuban_cigar]

Upgrade to vista? HAHAHAHAHHAHAA<br /><br />Picture the station break orbit and catch on fire as it enters the earths atmosphere, heading towards an unsuspecting city below.

[electromanvern]

Ok, Autorun has been around since XP launched (2001). So it takes these guys 7 years to say "I told you so". <br /><br />Then we have the typical band wagon anti-MS gang show up. I'm sure it doesn't matter that any antivirus at all would have caught this old (exactly 1 year old) W32. <br /><br />And, do you really think people that put something in their USB ports with unsure origins would be any better with Autorun disabled? Those same people would click the runme.exe program on a CD/USB device with the same result. <br /><br />And yes, Vista would have prompted. But as usual, the linux crowd has to chime and and bust on a good feature just because it comes from MS.<br /><br />And for dasium, I assume you are implying that linux users could never fall into the trap of running something virus laden. Well, autorun or not, even on linux if a user runs a program from a CD or flash drive of unknown origin, it could cause big problems. The fact that linux users tend to be a bit more tech savy might limit this from happening. But if you get your way and someday linux goes to the masses, you'll have to deal with the 'stupid' users too. <br /><br />Good luck

[AmericanMade]

Amen to that electromanvern. Everyone is so hot to jump on the anti-MS bandwagon it totally clouds their judgement. ANY system is vulnerable to a virus, plain and simple.<br /><br />For t26l, no self respecting scientist would run Windows? Just who the heck are you? Ah yes, another anti-MS grunt who is probably all high and mighty on themselves to think that anyone outside their circle isn't worthy. You really think that Windows isn't up to the task? I completely beg to differ. I also think Linux is up to the task, but, you, yourself, mentioned incompetence. Incompetence isn't only a Windows issue. It is a global issue that would allow any OS to have the potential to put lives at risk.<br /><br />So step off your high and mighty soap box and look outside your little world. You might see it's not all bright and shiney like you think it is.

[chash360]

While I agree that imcompetence is a problem, thats not a problem that can be 100% solved. There will always be stupid people. Which is why a responsible developer of a widely spread OS should distribute with stupid features turned off.<br /><br />I would say M$ is very much to blame, they were the first widely implement the autorun 'feature' and have it turned on by default. Again the same with OE, and its security features all turned of by default, so that when the incompotent user(90% of OE users are) gets a malicous e-mail it is immediately executed code, even upon previewing.<br /><br />As a longtime user of the Internet, long before www. existed, there were simple common sense protocols used on the Internet. <br /><br />Rule #1 You never, ever execute arbitrary code from a remote source period! That means you do not automatically run anything attached to an e-mail, you do not embed scripts or code to be executed, and you do not create client readers that will execute such code. The same goes for a web page. You do not embed code to be sent to the client to run, nor do you create a browser that will execute code or script upon viewing a web page.<br /><br />Rule #2 If you are not actively using (transferring or communicating over) the network with some application, and are not serving files or compute services, or providing remote logins, then your system should not have any open ports it is listening on, period!<br /><br />M$ violates all of these and more, and creates new ways to violate these ideas everyday. Every Windows system from WinNT on has open ports it is listening on even when you are not logged in. You cannot remove all of these unless you remove all network interfaces, and install the OS with no networking features installed. (which will give you a tremendous performance boost I might add)<br /><br />They know what they were doing, and the security risks involved, in implementing these stupid features, and they simply do not care. Such flaws and mistakes gives them and many others a chance to sell you more crap, to charge you for servicing your computer, etc. Know this to be true: Software has no moving parts, it does not wear out, if it were flawless, it would remain flawless, until your hardware fails. That fact does not sit well with planned product life cycles, and expected turn over rates, they want to sell you more stuff more often than that.<br /><br />Open Source is the future, be it Linux or something else. When software is created with the best intentions, without the motivation for profits, greed and market control, it will at least approach flawless, because it is created and reviewed by the competent, to be useful and reliable for its purpose.

[blsith]

Actually, autorun was a major new "feature" in windows 95. It was intended to make running programs from inserted CD's easier. XP will prompt you as well for most items plugged into your machine as well.<br /><br />Here's a trick - be careful what you stick into your machine. And keeping an up-to-date virus table is always advisable. I'm sorry, but disabling a feature that is widely used by the developers is not good security, it's called crippling. Yes, security is an issue, but it doesn't mean you should chop off all your functionality in spite of it. You just have to be educated, aware, and prepared. Too many folks blindly use devices without knowing much about them, and then get upset when they don't work right.<br /><br />Love the "More stable OS" cracks - I guess it's stable when you don't do anything with it...

[GuinessGuy]

"Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."<br /><br />I guess they think the readers all stupid. But then they are journalists, not too high on my smart scale.<br /><br />How about those of us that turned off autorun, on our own cause we were tired of seeing crap from CD's inserted just for music.<br /><br />Some bands have flash video crap that autoruns. Not to mention that some games require the CD to be present, and people smarter than journalists turn off autorun, to avoid the install program running everytime they switch games.<br /><br />you people managed to insult everyone with a brain. good job.

[mhinnewyork]

The quote about two types of readers is from Randy Abrams who works for ESET, the company behind NOD32. Mr. Abrams is not a journalist. And, I'm not one either. Some CNET bloggers work for CNET, others, such as myself, are independent contractors. I'm more of a computer nerd with a pencil, rather than a reporter covering a beat. This story was covered elsewhere on CNET where the focus was on the news aspect. My reason for writing this posting was to warn people to disable autorun, people who might not be aware of how it can be used to infect their computers. A nerd's angle rather than a reporters angle. <br />That said, from your comments you seem both socially and intellectually challenged, go read another blog. <br />Michael Horowitz

[t26l]

This is why NASA was scanned and hacked by Gary McKinnon. They buy computers, and run windows with all the defaults left intact. Its called 'incompetence'.<br /><br />No self respecting scientist runs Windows. Furthermore, NASA should be running NSA Linux at a minimum. It is completely irresponsible and unnecessary to run Microsoft windows on any NASA machine, and frankly, it just shows how careless they are about safety. What if that worm was designed to wipe all the machines on the space station? The lives of the astronauts there would be in danger; everything runs off of the computers. It is almost beyond belief. That scientists would trust their lives to Microsoft Windows is also beyond imagining; not only are they risking their lives, but they are risking the loss of their precious work, which could be destroyed by the ordinary functioning of that family of operating systems, never mind an attack from a worm or virus.<br /><br />Commercial operations like the ones that make TomTom GPS car navigation have the sense to base their devices on Linux; how is it that these otherwise intelligent people are using Windows....IN SPACE?<br /><br />Truly and completely shocking.

[kwabina]

"No self respecting scientist runs Windows."<br /><br />How many scientists do you know? I work in a research facility and I will let you know that there isn't a single person here willing to waste their time with Linux. Most scientists around here are more interested in actually collecting and using data to bother with anything BUT Windows. Every computer in this building primarily runs XP and all use MS Office no matter what the OS they are running. We have nearly zero downtime related to OS problems. Too many Linux and OSX fanboys don't live in the real world where actual windows users get REAL results in scientific research.<br /><br />Stop wasting your breath on things you don't actually know anything about.

[frasercrane]

to t26 and kwabina: you're both wrong. No scientist at a Federal government facility "runs" any software. Scientists work with the software the IT people set up the systems with. That software is usually obtained through competitive bidding. UNless NASA uses a whole lot of sole source software, it is highly likely the whole local facility or NASA entirely runs Windows, or Linux, or whatever OS--but no scientist has the option to run out and use his or her own chosen software. Twabina, you're either not a scientist or you don't work in a governmental facilit; so please don't waste your breath on things you think you know something about. .

[ZetaZeta_]

t26l: "No self respecting scientist runs Windows, etc. ..."<br /><br />I guarantee the main research machines, things that are keeping the ship running, etc. are running on some government-written unix system. I bet this worm virus popped up on a random recreational PC on the station. Look: They were using an infected thumb drive. This means they put an infected file on it, probably by unsafe browsing or from a different already-infected system (This isn't a "work" machine or at least the drive isn't being used for "work" as it's been in an infected system already). Since it's an old worm, an astronaut probably had some old pictures he wanted to look at of his family or something (who knows) and he plugged in his thumb drive to view them.<br /><br />Autorun itself ran CD installers way back in 1995 so I don't know what the hubbub is all about right now. It's 2008, you should have some on-access scan running or something. In fact, by sheer fact that there wasn't a scan running makes you wonder what the significance of the infected computer is, as well.<br /><br />On to the Anti-MS comments... I've never, *never* has a stability problem with Windows NT. Windows classic had loads of problems, but the way NT 5 and 6 run prevent "crashes" unless you've seriously messed with something in the system. You'll have incompatibility, but what OS doesn't? Lack of drivers are the hardware manufacturer's fault. A failure of a hard drive or the lack of detection of a flash drive is the drive manufacturer's fault. Saying Linux is more secure doesn't mean much, either. Fewer people use it, or rather, there are countless distributions. If someone who wants to inflict a lot of damage, they are going to go for Windows. Going after Linux is a waste of time. Is this a bad thing? Maybe not to widespread consumerism, but if a hacker tried to hack one system, say he knew what system NASA was using, Windows or not, he could probably try to inflict *some* damage. The problem here was that a worm virus meant to randomly ruin someone's day, using Windows, happened to affect someone in space, using Windows. The only problem with Windows is that it is used by everyone. However, it's greatest strength is the same thing, since it's most worth developer's time to develop software and hardware for that system.<br /><br />The hacker took advantage of a feature including in Windows. A small, almost insignificant feature. To bash Windows because of that is ridiculous. I'm sure some Linux distros *also* have a similar autorun feature. XP lets you turn it off, Vista has a prompt by default... Microsoft provided the means to fix this problem... Why are we so angry about it then?<br /><br />"Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."<br /><br />The first type are also the people who randomly turned off User Account Control in Vista because it was "annoying" ... probably because an article told them they could. People will go for convenience and save time above all else. A human will drive an hour, get popcorn, watch 30 minutes of trailers, and sit through a 3 hour movie, but then dash out of the theatre during the 5 minutes of credits, even if they *know* there is a small feature after the credits. If autorun is annoying, they'll turn it off, if it's helpful, they'll leave it on. If they're at risk for viruses, either way, they'll still say "meh, I won't run into any viruses, why spend time getting something that'll keep me secure."<br /><br />I'm all for Linux, or any unix system, but bashing Windows is stupid. The infection in this article is not the fault of the OS, but rather of the person who wrote the malicious software, the person who unknowingly put the software on his drive (meaning he was probably already using an infected system, so he wasn't running a virus sanner that could handle it, or is just plain foolish) and finally the fault of the guy who loaded the drive on the destination computer (he didn't have a scanner running, he didn't hold shift to disable autorun, something I've known about since 1996, etc.).<br /><br />Blech, i'm done.

[TomMariner]

Yes, we have to practice "defensive computing". But it is not like "defensive driving" where we guard against someone else who might also get hurt having a lapse of attention. This is like a criminal purposely driving around in an armored vehicle, ramming everything in sight!<br /><br />We should stop blaming the victim -- like NASA. It's like blaming me for building a house out of wood because an ansonist could set it afire. Instead of calling ourselves names for not dumbing down all of these amazing features that could have made our computing experience better, let's turn the anger toward those who steal our data or just maliciously damage.<br /><br />If we all get together we can get the attention needed to catch the individual criminal and identify nation-sponsored mischief. Since identity theft can do as much damage to your wallet as a mortar shell landing in your bedroom, isn't it time to start demanding that serious money is spent finding those who are perpetrating these acts of war?

[ComputerSecurityAbroad]

A more thorough solution (that also prevents a host of other security problems with USB attached storage) is to simply disable USB *storage* class devices altogether. <br />(Your mouse will still work, and you can always turn storage back on...)<br /><br />The NSA has an excellent trifold brochure that shows how to disable USB storage for Windows, Mac and Linux.<br /><a class="jive-link-external" href="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/factsheets/I731-002R-2007.pdf" target="_newWindow">http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/factsheets/I731-002R-2007.pdf</a>

[murbo]

rolfcopters hahahaha. almost dropped down from my chair! a nasa computer infected with a year old worm?!!! some nerve these nasa guys have, i couldnt even trust windows on my car pc because of the instability and insecurity, these guys sent it to space. LMAO<br /><br />at least get norton or mcafee or something HAAHHAAHAHAHAHA

[pj4614]

I used to be incompetent too. Definition - Windows User. Switched 18 months ago to Mac OS X and have experienced improvements in security, productivity and peace of mind. IT professionals would get to work on more important, fun and profitable tasks if they simply realized that the users aren't stupid but that their blind choice of Windows as the operating system is.

[Auntmabel]

Dude. Computers are computers. Hardware breaks (no matter how shiny and white it may be). OS's have exploits. If you truly believe that switching platforms has made you, in any way, "less incompetent", I assure you... you are very sadly mistaken. Not only are you incompetent, but you've proven yourself to be needy, insecure, and in desperate need of clinging to something that you believe will in some way "elevate" you above the masses. <br /><br />I'm happy for you. Now take your crutch, (it's a friggin computer, not a lifestyle!) and please... ****! There are millions of competent windows users out there that are perfectly happy. I'm not one of them. I use a mac. I have for years, and they break... all the time - for no apparent reason.

[rob___]

To the Linux kiddies who believe their OS is bullet proof: Question: What major Linux software company had their distro server hacked?? (See: <a class="jive-link-external" href="http://rcpmag.com/news/article.aspx?editorialsid=10144" target="_newWindow">http://rcpmag.com/news/article.aspx?editorialsid=10144</a>)<br /><br />To all who care: Please follow this link (<a class="jive-link-external" href="http://csrc.nist.gov/checklists/repository/vendor.html" target="_newWindow">http://csrc.nist.gov/checklists/repository/vendor.html</a>) find your checklist and secure your systems! Think of the checklists like a seatbelt in your car. If you don't use it the injuries are significantly higher, sympathy is nil, and liability probable.<br /><br /><br />BTW: I'm a Solaris/2K3/XP/Ubuntu/Fedora guy who believes in using the OS that works the best for the purpose at hand. That is driven by the applications I need to run (hence no OSx). So if the best app runs on Windows...... Or Fedora /Yellow Dog (Bell CE dev)

[murbo]

": Question: What major Linux software company had their distro server hacked??"<br />you are not really comparing a targeted attack with a random worm infecting a random computer.. are you?<br />no one says linux or os x or any other *nix is bulletproof, we are merely saying that it is better in terms of stability and security. there is a reason why a big big big majority of servers and mission critical computers are on *nix systems... and anything with more than 32 processors.<br /><br />and i am like you too, i use whatever OS is good for the job, for that reason i maintain a quad ppc with os x, a quad intel win xp 64, a p4 with ubuntu, a dual intel with vista 64 and os x each running different tasks

[electromanvern]

@murbo <br /><br />You attempt to point out a flaw in rob's comment by ignoring his stated point, which is that many in the Linux community, and observably the young 'Kiddies' are arrogant and naïve enough to think their systems are more secure than they actually are.<br /><br />Opensource Linux may be a great development model, but it does not guarantee a ?bullet proof? OS any more than a closed source product guarantees an insecure one. <br /><br />You also make the same mistake as many others by saying that the various flavors of *nix are better in terms of stability and security. Just stating that without any context is misleading, as security is a complex of technology and configuration, and suitability to task issues that must be kept in balance.

[ultimatetux]

M$ Windoze on a NASA spacecraft ! people please check www.kernel.org and grab yourself some kernel and a little of bash and I could write you a package manager if you can't afford a Debian or a RedHat and boom!!! no viruses anymore... can't believe that NASA is using such OS.<br /><br />Instead of giving them a lesson on disabling autorun, give them a lesson of how they make fools of themselves by using Windows.

[richardsequeira626]

Acutally people autorun or AutoPlay has existed long before @ the time of Windows 95, Belive me Mac are fare better of than a Windows PC or linux pc, Linux still has some unfinshed bussiness to do.<br />Windows does too!<br /><br />Mac OS X has eveyrthing we, even nice developer tool who need to develope programs in such fast time!

[ewelch]

No computer in any critical role should run Windows. Period.

[rob___]

"Mac OS X has eveyrthing we, even nice developer tool who need to develope programs in such fast time!"<br /><br />Does the complier on the Mac input horrible syntax / misspellings and still work? Maybe I should look at them.... :)

[DrTurkleton]

I love ppl that think Mac's are invincible just b/c the don't like MS, or maybe b/c they are trendy and you think that spending an extra grand makes you better. <br /><br />I know IT professionals, one of them works largely with Mac's and every one of them has to get reimaged b/c they all have viruses. They are far from the perfect, user friendly fortresses that you think they are.

[Techie_Jr]

Ha ha. Reading commentary from a bunch of techie geeks is such an enjoyable way to begin my day.

[johnnypopper]

One word people. Apple. The government could save millions on security software alone by switching all their computers to Mac OS X. But then again saving money isn't their forte and people would be out of a job if the money wasn't there to waste.

[Haralambos Mavromatidis]

Ahh... Apple huh... yup they are great on security... asking for administrator passwords when a portable device is brought into a shop for repair or the "really hard" hack to their pin lock on the iphones/ipod touch that was released in January but the devices are still vulnerable to: <a class="jive-link-external" href="http://www.iphoneatlas.com/2008/08/28/iphone-security-flaw-is-the-tip-of-the-iceberg/" target="_newWindow">http://www.iphoneatlas.com/2008/08/28/iphone-security-flaw-is-the-tip-of-the-iceberg/</a>

[outpostprime]

OSX has a butt load of holes in it. It's just not worth while to hack OSX. Just because it was based on UNIX doesn't mean its as secure as UNIX. UNIX and OSX are very different code wise. If OSX was actually based on the SCO and AT&#38;T Variants, you wouldn't own a mac computer. <br />Just to license their kernels costs millions. Go look up how much a copy of (REAL) Unix costs. I don't even want to try to count how many times SCO has sued their customers even after they paid the outrages amount of cash. <br />If you think Office 2007 Pro or photoshop CS3 is expensive.. You probably never seen how expensive SCO Unix is... FreeBSD is the closest to how Unix really is and is free but still isn't unix. Also if NASA needed a truly secure OS they would best look at AS/400's and their terminals. Nothing beats a godly secured and stable AS/400.