Read only USB stick trick
The sad demise of readily available, cheap USB sticks with a switch to flip the device to be read only has caused some problems when dealing with suspicious machines, especial when I’m off duty and I hear the dreaded words “Oow, you’re in IT – could you have a look at my computer quickly?”
Back in the good old days, I could pick them up at nearly all my favourite shops and the vendors gave them away by the bucket load, but alas, they seem to have all but disappeared.
CD/DVD or Blu-ray disks are great, but lugging around a harden CD case really does clash with some of my outfits and doesn’t always send out the right message, particularly at: romantic diners, standing at a checkouts or trying to order drinks at a bar. This is where a small USB key, fitting neatly in to a pocket, helps me blend in with the rest of humanly almost seamlessly. Almost.
The standard read/write USB keys fall prey to being infected and compromised the very second they are insert in to a machine, which, as we know is a bad thing.
Stuck with this dilemma, I stumbled upon a neat solution – Secure Digital (SD) Memory Cards.
SD Memory cards have a small lock switch on them, making them read only; they can reach up to a whooping 32GB, are only slightly more expensive than similar size USB drives and are common place (I can find them in the petrol stations, corner stores and on aeroplanes). Now add in a small SD reader, around the size of a normal USB drive, and this is perfect for incident response on an untrusted system in a pinch or when a full response kit isn’t viable.
With the size of SD memory cards, it means I can have my favourite recovery [1], incident handling and fun at -someone else’s - party [2] boot images each on their own SD card, hidden in a wallet, jacket lapel or hat band for ease of use. Producing them, seeming out of thin air, to fix a broken or infected machine amazes and astounds plus get brownie points at unexpected moments in life.
Another option for the uncluttered, nattily dressed Incident-Handler-around-town’s toolkit.
As always, if you have any better suggestions, insights or tips please feel free to comment.
[1] BartPE - http://www.nu2.nu/pebuilder/
[2] Backtrack - http://www.backtrack-linux.org/downloads/
Chris Mohan --- Internet Storm Center Handler on Duty
Adobe Flash Player update, RSA further notification and Play.com breach
Adobe Flash Player update addresses a critical security issue (CVE-2011-0609):
http://www.adobe.com/support/security/bulletins/apsb11-05.html
RSA have released a further list of recommendations to their customers of security best practices via email. No further information on the actual breach.
And finally, the www.play.com, a large on-line retailer, has had a security breach. Some customer names and email addresses may have been compromised from a 3rd part company that handles part of their marketing. Emails notification have been sent out to existing customers.
Thank you to those readers for writing in with these updates.
Chris Mohan --- Internet Storm Center Handler on Duty
Comments