
USB key attacks

Posted May 20, 2010 13:44 UTC (Thu) by Cato (subscriber, #7643)
Parent article: Google Chrome and master passwords

At least on Windows, the threat of an unencrypted password store is much greater due to AutoPlay - when a USB key is inserted, a script on that drive is executed which can do anything (e.g. grab any unencrypted password stores, or install a keylogger to capture keystrokes). This could happen invisibly when a colleague is asking you to put a file on their key.

Not sure if this threat exists in Linux given Nautilus and similar file managers, but if the attacker can get you to open a file on the USB key (perhaps an innocuous-looking symbolic link to an executable shell script?) that could have the same effect.

The use of a silently unencrypted password store in Chrome on Linux is horrible - something like LastPass (http://lastpass.com) would be much safer, though still vulnerable to keyloggers of course. (Windows keyloggers are quite sophisticated these days - the Zeus trojan captures a screenshot near the mouse pointer each time a key is typed, to bypass virtual on-screen keyboards as a defence.)



Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds