I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the "band" and pontificate with no holds barred about the latest security threats, just like we did in the old days.

One of the questions asked of the panel by moderator Michael Fitzgerald (who did a kick-ass job) was, "What scares you the most these days?". My answer was the proliferation of inexpensive digital devices made in China that we plug into our computers. The malware problem is getting tricky to dodge. First you couldn't open email attachments you weren't expecting. Then you had to worry about surfing even trusted websites with JavaScript turned on, even with the latest patched browsers. Now you have to worry about plugging in the shiny new digital toy you got as a gift. Perhaps it's a digital picture frame, digital camera, music player or silly programmable gizmo. Welcome to the age of factory-installed malware, the age of devices coming Certified Pre-0wned.

The Associated Press writes:

Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.

We all know malware is starting to fly under the radar of blacklist-style detection: low-volume malware arrives faster than the AV labs can build signatures for it. The digital picture frame sold at Sam's Club was infected with previously unknown malware that stole passwords and turned off AV software.

An additional reported threat is that infected devices have been found infecting the flash memory cards inserted into them to upload photos. From SANS:

“Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recyclerrecycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus.”

We are back to the days of the floppy or "sneaker net" attack vector. Do you know who has touched your SD card or USB drive? Don't use it in public. Don't share it with multiple machines. Dan Geer told me he once tossed a USB drive into an audience with the slides for a presentation he just delivered on it. About 10 people passed it around and copied off the slides. It came back with a virus on it. And this was at a security conference.
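The SANS excerpt above describes the mechanism concretely: a hidden autorun.inf at the root of the removable drive pointing at a hidden autorun.exe beside it. As an added example (not code from the original post or from Veracode), the following Python script shows how a defender can triage a removable drive's root for exactly that pattern before the media is trusted: it parses the autorun.inf launch directives (`open=`, `shellexecute=`, `shell\open\command=`) and cross-checks each referenced program against the drive listing. The sample autorun.inf and the directory listing are constructed for the example; the listing is an assumed abstraction (name to hidden/executable flags) of what a real directory walk would produce.

```python
from dataclasses import dataclass, field

# Constructed sample input: an autorun.inf of the kind described in the SANS
# excerpt, plus a listing of the removable drive's root. Made-up for this
# example, not files recovered from the kiosk.
SAMPLE_AUTORUN_INF = """; example autorun.inf (constructed)
[autorun]
open=autorun.exe
shellexecute=autorun.exe
icon=autorun.exe,0
"""

# Assumed abstraction of a directory walk: entry name -> (is_hidden, is_executable)
SAMPLE_ROOT_LISTING = {
    "DCIM": (False, False),
    "autorun.inf": (True, False),
    "autorun.exe": (True, True),
}

# autorun.inf directives that cause a program to be launched on insertion
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


@dataclass
class AutorunFinding:
    directive: str          # which launch directive was present
    target: str             # program the directive points at
    target_present: bool    # program exists at the drive root
    target_hidden: bool     # program carries the hidden attribute
    reasons: list = field(default_factory=list)


def parse_autorun(text):
    """Minimal autorun.inf parser: returns {key: value} for the [autorun] section only.
    Keys are case-insensitive; ';' lines are comments; other sections are ignored."""
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def first_token(command):
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def assess_removable_root(autorun_text, listing):
    """Flag every autorun directive that would launch a program from this drive.
    `listing` maps root-entry name -> (is_hidden, is_executable)."""
    findings = []
    directives = parse_autorun(autorun_text)
    by_name = {name.lower(): attrs for name, attrs in listing.items()}
    for key in LAUNCH_KEYS:
        if key not in directives:
            continue
        # normalise ".\autorun.exe" and "\autorun.exe" to a bare root-relative name
        target = first_token(directives[key]).lstrip(".\\")
        attrs = by_name.get(target.lower())
        reasons = [f"'{key}=' directive launches a program from removable media"]
        hidden = False
        if attrs is None:
            reasons.append("referenced program not found at the drive root (check subfolders)")
        else:
            hidden, _executable = attrs
            if hidden:
                reasons.append("referenced program has the hidden attribute set")
        if target.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("target has an executable extension")
        findings.append(AutorunFinding(key, target, attrs is not None, hidden, reasons))
    return findings


def is_suspicious(findings):
    """True when any launch directive resolves to a hidden program on the drive."""
    return any(f.target_present and f.target_hidden for f in findings)


if __name__ == "__main__":
    results = assess_removable_root(SAMPLE_AUTORUN_INF, SAMPLE_ROOT_LISTING)
    for f in results:
        print(f"{f.directive}= -> {f.target}: " + "; ".join(f.reasons))
    print("SUSPICIOUS" if is_suspicious(results) else "no autorun launch found")
```

To use it against real media, read the root's autorun.inf (it is hidden, so list with hidden files shown) and build the listing from the file attributes; the script then reports why each directive is a concern rather than executing anything. The broader mitigation on Windows is to disable AutoRun for removable drives through the NoDriveTypeAutoRun policy, so that a planted autorun.inf is never honoured in the first place.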


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (7)

CG | March 17, 2008 7:02 pm

That's it, I'm powering down...forever...

very cool post Chris

John | March 18, 2008 7:41 am

How about having a policy that only allows the reading of data from such media if it was encrypted with the company key (and of course only allow writing encrypted data).

Only the ones allowed to read plain data would be able to get infected/attacked/backdoored whatever, and those people need to be more aware than others, like security officers...

Michael Fitzgerald | March 20, 2008 11:27 am


Thanks for this great, informative post. I was going to circle back with you on the source for pre-0wned picture frames. I was hoping it was hypothetical. Oh well...


Tyler Shields | March 21, 2008 11:10 am

Very scary stuff indeed. I recently posted on my blog about counterfeit routing hardware, namely Cisco gear, making its way around through resellers and auction sites. The government is rightly concerned. If our routing infrastructure is seeing issues similar to the ones that you mentioned, we are in deep trouble.


Apneet Jolly | March 21, 2008 11:18 am

This is one reason I wish USB drives with read/write switches were more common. It seems like they used to be everywhere, but are now nowhere to be found.

SourceBoston was great btw.

LonerVamp | March 21, 2008 3:45 pm

I'm surprised you consider this something that scares you the most. I mean, I could maybe worry just as much about getting bad beef in my own country, having a tracker in my Japanese-made car, or an embedded hardware keylogger in the keyboard made somewhere mysterious.

You have a point in saying malware is just touching everything and everyone way too much; network shares and passed-around devices pick up malware like fresh dung picks up flies. This might be more a problem with a porous OS or terrible detection/cleaning technologies. Or even perhaps poor risk management by people and companies to implement proper paranoia and prevention/detection measures to stem this tide.

Good post! :)

Ma petite parcelle d'Internet... | April 7, 2008 4:29 am

Source Boston 2008...

I once again have time to devote to these lines, and in particular to a quick write-up of the Source Boston conference which, as I told you earlier, was excellent. Contrary to what its name suggests, the conference did not take pla...
