Don’t Plug Unknown USB Sticks Into Your Computer

There is a fundamental flaw in the firmware on USB sticks and a pair of hackers has made public the code for really bad malware that takes advantage of that flaw.

In August, at DefCon in Las Vegas, researcher Karsten Nohl demonstrated an attack called BadUSB which proved it is possible to corrupt any USB device with malicious, undetectable malware. Understanding the vast implications of this malware, Nohl did not release the code he used in the attack. Unfortunately, at DerbyCon last week in Kentucky, two other researchers, Adam Caudill and Brandon Wilson, presented an exploitation of USB firmware similar to Nohl's, and in this case Caudill and Wilson published their code, leaving everyone with a USB port at risk.

"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," Caudill said at DerbyCon. He went on to say, "This was largely inspired by the fact that [Nohl, et al] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."

While that stance may seem noble, many agree that the logic behind it is flawed. It is one thing to release findings that they've replicated Nohl's earlier work and provide the code used directly to the manufacturers to fix the problem; it's something entirely different to release it to the general public and thereby put it directly in the hands of cyber criminals, who you can bet are already working on ways to use it against unsuspecting victims.

Caudill went on to say in an interview with Wired, "You have to prove to the world that it's practical, that anyone can do it... That puts pressure on the manufacturers to fix the real issue."

Of course that perspective completely ignores the millions of USB sticks already in circulation that can be exploited. Nohl addressed this concern when stating he would not release his code, estimating that it would take 10 years or more to pull existing vulnerable devices out of circulation.

Nohl, Caudill and Wilson all reverse engineered the firmware of the USB microcontrollers, then reprogrammed that firmware in multiple ways. In one example they had the infected USB stick impersonate a keyboard to type keystrokes on the victim's machine.

"People look at these things and see them as nothing more than storage devices." - Adam Caudill

Deleting everything on a USB stick wouldn't remove the malware, as its code lives in the rewritable firmware that controls the basic functions of the USB device, not in the files you can see and delete.

So how do you keep your computer protected? Security experts have advised for some time to stop accepting USB sticks as gifts, or as a way of receiving company information, unless they come from a trusted source, as there has always been a risk that something malicious was installed on them beforehand.

Use only trusted USB devices on your computer.

I hate to say it, but it's a little like your baggage at the airport - did you purchase your USB device, has your USB device been with you at all times, has anyone else used your USB device?
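The keyboard impersonation described above is what a quick audit can look for: a device that presents a keyboard-class interface when you expected only storage. The following shell script is an added example, not code from the original post or from the researchers named in it. It reads the Linux sysfs layout under /sys/bus/usb/devices (each device directory holds idVendor and idProduct files, and one subdirectory per interface with a bInterfaceClass file; class 03 is HID, class 08 is mass storage) and reports any HID device whose vendor:product id is not on an allowlist. The sample tree and its ids are constructed for the example and are not real assignments.

```shell
# Added example, not code from the original post. Audits USB devices for a
# hidden keyboard (HID) interface, the "storage stick that types" case
# described above. On Linux, point it at /sys/bus/usb/devices; each device
# directory there (e.g. 1-1) holds idVendor and idProduct files and one
# subdirectory per interface (e.g. 1-1:1.0) with a bInterfaceClass file.
# Class 03 is HID (keyboards, mice), class 08 is mass storage.

# usage: audit_usb_hid SYSFS_ROOT "vid:pid vid:pid ..."
# Prints one line per HID device whose vid:pid is not on the allowlist.
audit_usb_hid() {
    root=$1
    allow=$2
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue     # not a device directory
        vid=$(cat "$dev/idVendor")
        pid=$(cat "$dev/idProduct")
        has_hid=0
        has_storage=0
        for iface in "$dev"/*:*; do
            [ -f "$iface/bInterfaceClass" ] || continue
            case $(cat "$iface/bInterfaceClass") in
                03) has_hid=1 ;;
                08) has_storage=1 ;;
            esac
        done
        [ "$has_hid" -eq 1 ] || continue       # no keyboard-class interface
        case " $allow " in
            *" $vid:$pid "*) continue ;;       # a keyboard we expect to see
        esac
        name=$(basename "$dev")
        if [ "$has_storage" -eq 1 ]; then
            echo "SUSPECT $name $vid:$pid storage+hid"
        else
            echo "UNKNOWN-HID $name $vid:$pid"
        fi
    done
}

# Builds a constructed sysfs-style tree for trying the audit offline.
# Vendor/product ids are placeholders, not real assignments.
make_sample_tree() {
    t=$1
    mkdir -p "$t/1-1/1-1:1.0" "$t/1-1/1-1:1.1" \
             "$t/1-2/1-2:1.0" "$t/1-3/1-3:1.0"
    echo 1111 > "$t/1-1/idVendor"; echo 0001 > "$t/1-1/idProduct"   # stick that also types
    echo 08 > "$t/1-1/1-1:1.0/bInterfaceClass"
    echo 03 > "$t/1-1/1-1:1.1/bInterfaceClass"
    echo 2222 > "$t/1-2/idVendor"; echo 0002 > "$t/1-2/idProduct"   # the allowlisted keyboard
    echo 03 > "$t/1-2/1-2:1.0/bInterfaceClass"
    echo 3333 > "$t/1-3/idVendor"; echo 0003 > "$t/1-3/idProduct"   # unexpected keyboard
    echo 03 > "$t/1-3/1-3:1.0/bInterfaceClass"
}

# Stand-alone run against the constructed tree; on a real Linux host use
#   audit_usb_hid /sys/bus/usb/devices "2222:0002"
sample=$(mktemp -d)
make_sample_tree "$sample"
audit_usb_hid "$sample" "2222:0002"
rm -rf "$sample"
```

The allowlist is the point: a keyboard you bought and have had with you all along goes on it, anything else that claims to be a keyboard gets looked at before it is trusted. Tools such as USBGuard apply the same idea on Linux as an enforced policy rather than an after-the-fact report.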



Can You Guess Which US Retailer Hired A Former Virus Spreading Teen As IT Security?

I will start by saying that some technical mischief as a teenager (or later) does not automatically make a prospective employee undesirable. More often than not it makes them more desirable, because you know they've been willing to dig in and get their hands dirty. Whether that means they took the family computer apart and it took them a few extra days to put it back together the first time, tested whether that ATM password they found online would actually grant access, or took it as an assignment when their college professor said the college's network was 100% secure and were later expelled for proving that incorrect, these are the people who enjoy the ins and outs of IT and are willing to dive in where others take a step back and ask for help or simply choose not to venture.

That being said, an employer also needs to be able to understand the difference between those whose interests inadvertently went too far and those who were intentionally malicious or destructive.

Now let's look at the case of the Home Depot breach, where cyber criminals used malware to steal about 56 million customer details including credit card numbers. Home Depot's former Senior Architect for IT Security, Ricky Joe Mitchell, as reported by Ars Technica, has a past centered on the destructive side, not the curious one.

Everyone in technology on the Internet has used a handle. Ask your current IT guy; he may immediately tell you because it's something harmless or funny like Scooby or Coolio, or he may blush and be hesitant to tell you because it's something a little more risqué like Rasta or Killa. If he looks at you like you're crazy, it may be time to look for another IT professional, one who's gotten their hands a little dirty using a handle to cause a little mischief. Coincidentally, I know IT professionals who sported each of those handles; they are all excellent at the different IT positions they hold today, truly an asset to the companies they work for. I would hire any one of them in a heartbeat.

Back to Ricky Joe Mitchell, whose handle is RickDogg. On his 1996 personal website Mitchell provided a description of himself with the title "The story of RICKDOGG". An excerpt of that story:

"Anyway, I love to write and distribute Viruses.  They intrigue me.  I have taught myself how to program in assembly, c-- and pascal. I also love to fix computers as well. I am considered smart in school although I am very lazy. I do not like the shit they try to teach me so I get bored and try to liven things up a bit."

Apparently livening things up included planting viruses in his high school's computer system. Mitchell was suspended for three days for planting "108 computer viruses from floppy diskettes to disk space allocated and assigned to another student on the Capital High School computer system," per a memo to the Kanawha County School Board members, now part of court documents. Mitchell went further, publishing "derogatory statements about the teachers and made threats to students he believed reported the virus," per the Charleston Gazette, causing him to be expelled from Capital High School.

RickDogg didn't just hack in to poke around or change a grade; he uploaded viruses, an act that is always destructive. Right there, as an employer, I'd encourage anyone to walk away. Do people change? Absolutely. Is that a risk worth taking with your company data and infrastructure? No, in my opinion.

Years went by, and if anything questionable occurred in the interim it is not currently known. Then RickDogg found out he was going to be terminated from EnerVest Operating in June 2012. Here is the reason that, when it comes to your network security, terminations should be fast and efficient. Upon learning of his impending termination Mitchell "remotely accessed EnerVest's computer systems and reset the company's network servers to factory settings. As a result of his intentional conduct, EnerVest was unable to fully communicate or conduct business operations for approximately 30 days. In addition, data that the company thought had been backed up could not be retrieved," as stated in a Department of Justice press release after his conviction.

The indictment itself goes on to offer more details on the accusations, "...Mitchell did knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, cause damage without authorization, to a protected computer. That is...Mitchell accessed without authorization the protected computer and deleted backup information, transmitted a command to disable the data replication process designed to transmit backup data to the Houston, Texas location, deleted all of the Company's phone system accounts and extensions, deleted all accounting data, and deleted all information validation for the Houston, Texas location among other acts.  ...The acts of defendant Ricky Joe Mitchell caused damage...which resulted in a loss to the Company substantially in excess of $1,000,000."

You'd think the story of RickDogg would end here, with his January 2014 conviction and April 2014 sentencing to 4 years in federal prison, but it doesn't, because after his June 2012 firing he took a position with Home Depot, where in March 2013 he was promoted to a position in Home Depot's IT security.

This month Home Depot disclosed a security breach which puts at risk "approximately 56 million unique payment cards". The malware is "believed to have been present between April and September 2014." A breach of 56 million credit cards takes the title of largest breach from Target, where 40 million credit cards were exposed.

Is Home Depot's breach related in any way to Ricky Joe Mitchell? To date I've seen no comment from Home Depot or the Justice Department on this coincidence, but I'd hazard a guess that RickDogg's time at Home Depot is being scrutinized very closely, and if anything is found we'll all know about it soon enough.


Not A Good Week To Own A Mac

On the heels of the ShellShock (aka Bash) disclosure, which lists Mac OS X among the vulnerable operating systems, comes word that hackers are using Reddit to connect Macs to a botnet.

First, what is a botnet? A botnet is a collection of programs interconnected via the Internet, communicating with other similar programs in order to perform tasks. When the program is installed on numerous computers, those programs depend on instructions from the command and control server they are connected to for the tasks to be performed. They can be joined together by the command and control server to create a spam bot, where machines are brought together to send unwanted or malicious emails, or, as another example, a botnet can be used in a DDoS (distributed denial of service) attack, often against a government body or corporation.

Cyber criminals have developed malware, dubbed Mac.BackDoor.iWorm, written in C++ and Lua, that opens a backdoor into Mac OS X machines. When the malware is launched it saves its configuration in a separate file and attempts to read the /Library directory, then uses system queries to determine the home directory of the Mac OS X account under which it is running; it then writes the data needed for it to continue to operate into this file. Next, Mac.BackDoor.iWorm opens a port on the computer, sends a request to a remote site for a list of control servers, connects to the remote servers and then waits for instructions.


Reddit comes into play because Mac.BackDoor.iWorm uses Reddit's search service to return results listing botnet C&C servers and ports, published by the cyber criminals in comments posted to the minecraftserverlists subreddit under the account vtnhiaovyd. The malware, now a bot, picks a random server from the list to connect to. When the bot successfully connects to the server, it sends information about the open port on the machine it has infected as well as a unique ID for that machine that was created as part of the configuration when it installed.

Now that machine waits for instructions from the command and control server. As of the latest reports there is no evidence that these bots have received any instructions. Information obtained by Doctor Web researchers showed 17,658 computers had been infected by the malware and were part of the botnet as of September 26, 2014; a week later there are no available statistics for additional infected Macs. Of those infected, over a quarter are in the US.
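Because the bot fetches its server list through Reddit searches for the minecraftserverlists posts, outbound web logs are one place the infection shows up. The following shell script is an added example, not code from the original post or from Doctor Web's analysis: it tallies, per client, requests that touch those lookup URLs. The log layout and the exact URL patterns are assumptions made for this example (adjust them to what your proxy actually records), and the log lines and addresses are constructed.

```shell
# Added example, not code from the original post or Doctor Web's analysis.
# Triage for the C&C lookup described above. Reads "timestamp client method
# url status" lines on stdin (an assumed proxy log layout) and prints
# "client hits" for each client that touched the Reddit lookup URLs.
# The URL patterns are assumptions for this example.
iworm_lookup_hits() {
    while read -r ts client method url status; do
        case $url in
            *reddit.com/search*minecraftserverlists*|*reddit.com/r/minecraftserverlists*|*reddit.com/user/vtnhiaovyd*)
                echo "$client" ;;
        esac
    done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed proxy log lines; addresses are private-range placeholders.
sample_proxy_log() {
    cat <<'EOF'
2014-09-26T10:01:02Z 10.0.0.15 GET http://www.reddit.com/r/funny/ 200
2014-09-26T10:01:09Z 10.0.0.22 GET http://www.reddit.com/search?q=minecraftserverlists 200
2014-09-26T10:02:33Z 10.0.0.22 GET http://www.reddit.com/r/minecraftserverlists/comments/ 200
2014-09-26T10:03:00Z 10.0.0.15 GET http://example.com/ 200
2014-09-26T10:04:41Z 10.0.0.31 GET http://www.reddit.com/user/vtnhiaovyd/ 200
EOF
}

# Stand-alone run over the constructed lines; in practice feed it your
# proxy log, e.g.  iworm_lookup_hits < proxy.log
sample_proxy_log | iworm_lookup_hits
```

A hit is a triage signal, not proof: someone browsing that subreddit from a normal browser matches too. Before treating a machine as infected, pair the hit with the other symptom the post describes, the unexpected listening port (on the Mac, `lsof -i -P -n` lists listening sockets and the process that owns each).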

For anyone who continues to believe that Macs are safe and unaffected by viruses and malware, let this week be a wake-up call. Previously Macs have been a less frequent target not because of their security but because of their smaller market share. The more Macs on the market, the more cyber criminals will target them.


What is ShellShock aka Bash & Are You Vulnerable?

You've likely been hearing a lot about ShellShock aka Bash, but what exactly is it and should you be worried?

First, if you are running a Microsoft environment, then you likely have nothing to worry about. The Bash code injection vulnerability is found primarily on UNIX, Linux and Mac OS X.

Now on to what ShellShock is. ShellShock is the name given to a bug found in the Bash (Bourne Again Shell) command-line interpreter, also known as a shell. The Bash shell is widely used as the default command-line interpreter on many operating systems including most flavors of Linux, many flavors of Unix, and Apple's OS X. Bash can be installed on Windows and Android, but on those two systems it is not installed or used by default.

Who needs to be concerned? All users of Bash are vulnerable; however, for the vulnerability to be exploited your computer needs to be connected to the Internet, and certain software is also required to provide attackers a route through to reach Bash.

Who is most vulnerable? Those running Internet servers, such as website hosting servers, are the most vulnerable and the most likely to be targeted in attacks. Home users, say with an Apple machine running Mac OS, are unlikely to be targeted but could become victims of circumstance by using untrusted networks, or if the Internet servers that home user trusts and uses become compromised, causing a trickle-down effect to home users. As a Mac user you would also have to have enabled certain services on your Mac to make you vulnerable.

What does this vulnerability do? The Bash shell bug allows an attacker to gain command line access: full access to the computer or server as if they were the legitimate operator. So anything you can do with your computer, the attacker can now do too.

How widespread could the effects of ShellShock become? When the Bash shell bug was first discovered there were hundreds of thousands of servers connected to the Internet vulnerable to this exploit. How many of these servers have now been compromised is not known. The bug itself has existed in the Bash shell code for over two decades; it is possible that some have previously discovered the bug and kept it to themselves, or attackers may have been using it for malicious attacks for some time before this public disclosure.

(There is debate in the tech community as to whether this is a "bug" or a "feature", as Bash was originally created long before Apache httpd and other forms of external access existed... but that's a whole different topic.)

Now that the bug has been made public, every attacker is working hard to compromise computers before the patches are put in place; with hundreds of thousands of targets it's a race against time between exploitation and getting the patches installed.

What do you do now? Apply your system's patch or patches. Red Hat has set up a very helpful site to help diagnose and determine your vulnerability. If you are running Mac OS X, Apple has released a security patch; however, this patch is not available via Software Update, so you have to install the patch manually. See below for more information.

From Apple - OS X bash Update 1.0 may be obtained from the following webpages:

To check that bash has been updated:

  • Open Terminal
  • Execute this command: bash --version
  • The version after applying this update will be:

OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)  
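The version check above can be scripted, and it is worth pairing with a functional test, because Linux distributions often backport the fix without raising the version number that bash --version reports. The following shell script is an added example, not code from the original post or from Apple: bash_version_at_least compares the first line of bash --version against a minimum such as the 3.2.53 the patched OS X builds report, and shellshock_probe runs the functional test that Red Hat's diagnostic page publishes, starting a child bash with an environment variable that holds a function definition followed by an extra command and reporting whether that extra command ran. The banner lines used as sample input are constructed from the versions listed above.

```shell
# Added example, not code from the original post or from Apple.
# Two checks for the Bash bug: a version comparison (a hint only on Linux,
# where fixes are often backported) and the functional probe that Red Hat's
# diagnostic page publishes.

# usage: bash_version_at_least "VERSION_LINE" MIN
# exit 0 when VERSION_LINE reports a bash of at least MIN, 1 when it is
# older, 2 when the line is not a bash banner. Call it inside if/|| so that
# a shell running with set -e does not abort on the non-zero result.
bash_version_at_least() {
    line=$1
    min=$2
    # "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)" -> 3.2.53
    have=$(printf '%s\n' "$line" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$have" ]; then return 2; fi
    oldifs=$IFS
    IFS=.
    set -- $have
    hmaj=${1:-0}; hmin=${2:-0}; hpat=${3:-0}
    set -- $min
    mmaj=${1:-0}; mmin=${2:-0}; mpat=${3:-0}
    IFS=$oldifs
    if [ "$hmaj" -gt "$mmaj" ]; then return 0; fi
    if [ "$hmaj" -lt "$mmaj" ]; then return 1; fi
    if [ "$hmin" -gt "$mmin" ]; then return 0; fi
    if [ "$hmin" -lt "$mmin" ]; then return 1; fi
    if [ "$hpat" -ge "$mpat" ]; then return 0; fi
    return 1
}

# Prints "patched", "vulnerable" or "no-bash". The child bash is given an
# environment variable whose value is an (empty) function definition with a
# command appended; an unpatched bash runs that appended command while
# importing the function, a patched one treats the value as plain text.
shellshock_probe() {
    if ! command -v bash >/dev/null 2>&1; then echo no-bash; return 0; fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Stand-alone run on the current machine.
if command -v bash >/dev/null 2>&1; then
    if bash_version_at_least "$(bash --version | head -n 1)" 3.2.53; then
        echo "bash version is at least 3.2.53"
    else
        echo "bash version is below 3.2.53 (or the banner was not recognised)"
    fi
fi
echo "functional probe: $(shellshock_probe)"
```

On OS X the two checks should agree once the update is installed; on a Linux server trust the probe over the version number, and re-run it after patching, since the bug was fixed in more than one round of updates.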
