(Credit: U.S. Navy)
The U.S. Department of Defense ban on USB thumb drives instated nearly a year ago will eventually be partially lifted to allow authorized people to use official flash drives for mission-critical functions, according to a top military official.
"In the future, we expect that a government-owned and procured USB flash media, that is uniquely and electronically identifiable for use in support of mission-essential functions on DoD networks, will be permitted for use by authorized individuals," Robert Carey, chief information officer for the Department of the Navy, wrote in his blog recently.
"We are working on upgraded antivirus and malware detection, alert and eradication capabilities, as well as implementation of controls to deny network access to unauthorized USB flash media and revised operating procedures for scanning and cleaning flash media," he wrote. "The bottom line is, the days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone."
Thumb drives, CDs, and other removable storage devices were banned last November after military computers became infected with a worm that was partially spread by thumb drives.
The thumb drive ban has been inconvenient for military personnel who used them for carrying tech manuals, medical records of wounded troops, mission plans, and other types of important information, according to DefenseNews.
In the wake of the Conficker worm spreading via removable storage devices among other methods, Microsoft said on Tuesday it is making a change to the way Windows 7 handles USB drives.
As a result of the change, most USB drives will not be able to automatically launch a program using a Windows feature known as AutoRun, Microsoft said in a post on its Security Research & Defense Blog.
So, if an infected USB drive is inserted into a machine, the AutoRun task will not be displayed, Microsoft said.
Fixed removable media, such as CDs and DVDs, will still be able to use AutoRun. Also, some specialized "smart" USB flash drives, such as those containing U3 software, will still be able to appear as DVD drives, effectively allowing them to also use AutoRun, Microsoft cautioned.
The change will show up in the release candidate version of Windows 7 that is being released to developers this week and publicly on May 5.
Microsoft said it is planning on making the change available on Windows Vista and Windows XP, as well.
In February, Microsoft released an update for Windows AutoRun that allows people to selectively disable the AutoRun functionality for drives on a system or network to provide more security. The update addressed an issue that prevented the NoDriveTypeAutoRun registry key from functioning as expected. Disabling AutoRun functionality can help prevent the execution of arbitrary code when a removable storage device is used.
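As an added illustration (not code from the article or from Microsoft's post), the NoDriveTypeAutoRun value mentioned above is a bitmask of drive types, and this Python example decodes it and reports which types may still AutoRun. The registry path, bit meanings and function names are assumptions based on Microsoft's public documentation of the setting, and the sample values are constructed.

```python
# Added example, not from the article. Bit meanings follow Microsoft's
# documented NoDriveTypeAutoRun bitmask; the sample values are constructed.
REMOVABLE, NETWORK, OPTICAL = 0x04, 0x10, 0x20
DRIVE_BITS = {0x01: "unknown", REMOVABLE: "removable", 0x08: "fixed",
              NETWORK: "network", OPTICAL: "cd-rom", 0x40: "ramdisk",
              0x80: "unknown-reserved"}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def read_policy():
    """Read the machine-wide value on Windows; None if it is not set."""
    import winreg  # Windows only, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return value
    except FileNotFoundError:
        return None


def disabled_types(value):
    """Drive types for which this bitmask turns AutoRun off."""
    return [name for bit, name in DRIVE_BITS.items() if value & bit]


def audit(value):
    """Return findings for one NoDriveTypeAutoRun value (None = not set)."""
    if value is None:
        return ["NoDriveTypeAutoRun is not set"]
    findings = []
    if not value & REMOVABLE:
        findings.append("AutoRun enabled for removable drives (USB flash)")
    if not value & OPTICAL:
        # Drives that present themselves as CD/DVD (e.g. U3) fall under this bit.
        findings.append("AutoRun enabled for CD/DVD-type drives")
    if not value & NETWORK:
        findings.append("AutoRun enabled for network drives")
    return findings


if __name__ == "__main__":
    for sample in (0x91, 0x95, 0xFF, None):  # constructed sample values
        label = "unset" if sample is None else hex(sample)
        print(label, disabled_types(sample or 0), audit(sample) or ["ok"])
```

On a Windows host, `audit(read_policy())` applies the same check to the live machine-wide setting.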
The AutoRun functionality has been blamed for malware that has infected USB thumb drives, leading to a temporary ban on their use at the U.S. Defense Department, and digital photo frames, among other storage types.
Microsoft detailed additional security features in Windows 7 during the RSA security conference last week.
Before the change, the malware is leveraging AutoRun (box in red) to confuse the user.
(Credit: Microsoft)
After the change, AutoRun will no longer automatically launch when most USB drives are attached, so the AutoPlay options are safe.
(Credit: Microsoft)
USB thumb drives are convenient, popular and often free--and they're spreading viruses like sailors on shore leave.
The US-CERT (Computer Emergency Response Team) issued a warning on Thursday that malicious code is increasingly propagating via USB flash drive devices.
Meanwhile, the U.S. Department of Defense has temporarily banned the use of thumb drives, CDs, and other removable storage devices because of the spread of the Agent.bzt virus, a variant of the SillyFDC worm, according to Wired.
We've seen this before with portable external storage devices. Floppy disks were the culprit in the early 1990s, followed by CDs. The fact that USB thumb drives are being used by so many people makes them an attractive target for virus writers.
"The bad guys are intentionally developing new flavors of malware designed to propagate through USB devices," said Gunter Ollmann, chief security strategist for IBM's ISS security division. "They are today's floppy drives."
(Credit: CNET News/James Martin)
But USB drives are even handier. Their small size makes them easy to slip into a pocket or carry on a lanyard around your neck. A common swag item in the tech industry, they also are mainstream consumer storage devices. They literally litter my desk drawers.
There are a couple of ways USB thumb drives can be used to spread viruses and other malicious software.
IT professionals surveyed worldwide said they think their own employees pose a more serious security threat than outsiders, and often it's because of personal use of corporate assets, according to the third and final report based on a 2008 survey (PDF) commissioned by Cisco Systems and released Wednesday.
Other findings include: One in five Brazilian IT professionals said they think their employees are less diligent around protecting corporate data. And in China and in India, IT professionals are most concerned with data thefts through the use of USB devices including thumb drives and iPods in the workplace.
A Cisco survey found that of employees who have lost company-issued devices or have had them stolen, one in four employees have done so more than once within the past year.
(Credit: Cisco)
According to the survey, IT professionals said about 10 percent of their employees are losing corporate devices like laptops and USB drives with valuable data more than once a year.
"There's either a negligent behavior or careless recklessness in which they handle data maybe because they didn't realize it was there or maybe there's an education gap," Fred Kost, director of security solutions for Cisco, told CNET News in an interview. "The storage capacity of some of these devices and the types of access they have access to is becoming a critical issue for companies."
The report also cited the growing risks of portable hard drives as opposed to lost or stolen laptops. One in three IT professionals said USB drives (including iPods) were their top concern, more so than e-mail (23 percent), lost devices (19 percent), and verbal communications with outsiders (8 percent).
Surprisingly, 1 in 10 end users in the Cisco survey admitted stealing data or devices and then selling them for profit, or knowing of co-workers who have done so.
Yet there are also nonmalicious reasons to explain how corporate data gets leaked into the wild.
"If you think about the device leaving the enterprise, going into their home environment, the personal environment, maybe letting their children use it; that puts the corporate data at risk," said Kost. He said data leakage could occur when the kids are using the device to surf some Web 2.0 application. "And what about the end of life, when they go to give the device up on one of the e-waste recycling days? There's another chance for somebody to get that corporate data."
Kost repeatedly mentioned the increasingly blurred lines between business use and personal use and how some of that is OK. But long-term personal use of a corporate asset could become a problem.
"Say they have their iTunes library on the device they use for work, now they have to give up their work device, and they have to figure out what to do." In the study, less than 10 percent of the employees did keep their work devices. Of those who did, 60 percent said it was because there were personal files on the device. "It's not malicious," Kost said, "it may just be the only computer in the household."
The Cisco study was conducted in late July through early August by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
The first report on cultural attitudes toward security was released in October.
Of those who kept a work device, Cisco found that 60 percent did so for personal needs.
(Credit: Cisco)
IBM was set to unveil on Wednesday a prototype USB device designed to protect people doing online banking from having their data stolen or compromised.
The device, which looks like a memory stick with an integrated display, creates a secure channel to a bank's online transaction server. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe.
The user can log on and validate transactions using the device's display and a smart card can be inserted into the device, providing an added layer of security to protect transmissions from man-in-the-middle interceptions, IBM said.
The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC.
Developed at IBM's Zurich Research Lab, pilot devices are ready for bank trials. They do not require changes in the bank server software or the client software and they run on all major client operating systems.
IBM Research's Zone Trusted Information Channel is a USB device that makes online banking safer.
(Credit: IBM Research)
Not everyone is rocking to the new iTunes 8 released Tuesday. An informal poll on ZDNet suggests that a problem with the latest edition of the Apple media player is affecting some, but not all, users of the software on Microsoft's Windows Vista. (You can download iTunes 8 for Windows from CNET Download.com.)
Users on an Apple forum reported seeing the so-called blue screen of death (BSOD) on their desktops running Windows Vista with iTunes 8 installed. The BSOD problem occurs shortly after connecting their iPods and iPhones.
A second, more subtle effect is that their CD/DVD drives "disappear."
ZDNet's Ed Bott offers a look at the upgrades or changes in iTunes 8.
Removing other USB devices, such as Webcams and printers, appears to resolve the problem, for the moment. Users on the forum speculate that there is an incompatibility between Apple and USB products from Logitech and HP, as well as disc-burning software from Roxio.
We will update this post with further details, as they unfold.
Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.
Contractor PA Consulting alerted the Home Office to the loss last Monday evening--and by midday Tuesday, the contractor confirmed "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cache of sensitive information.
According to a Home Office statement, the missing USB stick contains:
- Data relating to all prisoners in England and Wales, including names, birth dates, and, in some cases, expected prison release data of about 84,000 individuals
- Data relating to prolific and other priority offenders, including the names and birth dates of approximately 10,000 individuals
- Drug Interventions Programme data, with offenders' initials
"We have been made aware of a security breach at the offices of an external contractor involving the loss of personal information about offenders in England and Wales," a Home Office statement said. "A full investigation is being conducted. Police and the Information Commissioner have been informed."
It added: "The data was held in a secure format on the contractor's site. It was downloaded onto a memory stick for processing purposes, which has since been lost. The transfer of data on this assignment to the external contractor has been suspended."
Following the breach, a member of PA Consulting staff has been suspended, a Home Office representative said.
The company was appointed by the Home Office in June 2007 to provide application support for tracking prolific and priority offenders through the criminal justice system.
Asked whether the Home Office will be terminating PA Consulting's contract in light of the security breach, the representative told Silicon.com, "We are investigating the external contractor's contractual obligations."
The Home Office refused to comment on whether security measures should have been in place to prevent unencrypted data being transferred onto a USB stick. The representative also refused to clarify exactly what security requirements the Home Office has for external contractors who handle sensitive data.
PA Consulting--which was selected in 2004 to also work with the Home Office on the design, feasibility, and business and procurement elements of the government's ID card program--said in a statement, "We are collaborating closely with the Home Office on this matter. We have no further comment to make at this time."
This is not the first time sensitive data held by the government has gone missing.
Just last month, it emerged that the details of 45,000 people, including criminal records and banking and court information, have been lost or compromised in the past year by the Ministry of Justice. And last year, two CDs containing the confidential personal details of 25 million child benefit recipients were lost by HM Revenue & Customs.
"It is deeply worrying that after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost," David Smith, deputy commissioner for U.K. data protection watchdog the Information Commissioner's Office, said in a statement. "The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability, if it is not handled properly and reinforces the need for data protection to be taken seriously at all levels. It is vital that sensitive information such as prisoner records is held securely at all times."
Smith added: "The Home Office has informed us that an internal investigation is being carried out into the data security arrangements between the Home Office and its contractor, PA Consulting. We expect the Home Office to provide us at the Information Commissioner's Office with a copy of the report and its findings. We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information."
Natasha Lomas of Silicon.com reported from London.