|Persian title of the article:||The Danger of USB Drives|
|English title of the article:||The Danger of USB Drives|
|Related fields:||Computer engineering, information security, computer systems architecture, and computer hardware|
|Translation quality||The translation quality of this article is average|
|Publication||IEEE|
Excerpt from the Persian translation of the article:
Our Experiment: An Overview
Are USB Drives Still a Threat?
Excerpt from the English article:
Our Experiment: An Overview
To measure whether users will connect drives they find on the ground, we conducted a large-scale experiment in which we dropped nearly 300 flash drives around the University of Illinois at Urbana-Champaign campus.[2] In the attack, we replaced expected files on the drive with HTML files that contained an embedded image hosted on a central server, allowing us to track when the drive was connected without automatically executing any code. We found that users picked up 98 percent of the drives, and 45 percent of the drives were connected to a computer. Furthermore, the attack was expeditious, with the first drive being connected within six minutes from when it was dropped.
Contrary to popular belief, the appearance of a drive didn’t increase the likelihood that someone would connect it to their computer. Instead, users connected all types of drives unless there were other means of locating the owner—indicating that many participants were altruistically motivated. However, although users initially connected the drive with altruistic intentions, nearly half were overcome with curiosity, first opening intriguing files—such as vacation photos—before trying to find the drive’s owner.
To better understand users’ motivations, we offered participants the option to complete a short survey when they connected the drive. Most stated that they connected the drive to locate its owner or out of curiosity, although a handful also admitted that they had planned to keep the drive. The students and staff who connected the drives weren’t computer illiterate and weren’t significantly different from their peers. When prompted, 68 percent of the participants stated that they took no precautions when connecting the drive. For those who did, 16 percent scanned the drive with their antivirus software and 8 percent believed that their OS or security software would protect them.
In the end, all but a handful of the participants who took precautions did so ineffectively, and the majority took no precautions at all.
We submitted and received approval from the University of Illinois Institutional Review Board and met with key stakeholders (IT, legal, and public safety departments) while developing the experiment. We didn’t automatically execute any code on participants’ systems, and we were only able to collect data if participants double-clicked files on the flash drives. Participants were debriefed and provided with an opportunity to withdraw.
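The tracking method described above works because opening an HTML file is enough to make the browser fetch the embedded image. The following is an added example, not code from the article or its authors: a triage scan that lists which HTML files on a found drive would contact a remote host when opened. The host name, file names and sample page are constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser fetch a resource as soon as the page renders.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "link": "href", "object": "data", "video": "poster"}

def _host(url):
    """Host part of a URL; empty for relative paths and unparsable values."""
    try:
        return urlparse(url.strip()).netloc
    except ValueError:
        return ""

class _RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        for name, value in attrs:
            # http://host/..., https://host/... and //host/... all name another machine.
            if name == wanted and value and _host(value):
                self.hits.append((tag, _host(value)))

def remote_references(html_text):
    """Return (tag, host) for every element that would contact a remote host on open."""
    finder = _RemoteRefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Map each .htm/.html file under root (a mounted drive or image) to its remote references."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = remote_references(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample page: one local image and one remotely hosted 1x1 image.
SAMPLE = """<html><body><h1>Vacation photos</h1>
<img src="photos/beach.jpg">
<img src="http://collector.example.test/open.gif?drive=017" width="1" height="1">
<link rel="stylesheet" href="style.css"></body></html>"""
```

Run `scan_tree` against a read-only mount on an isolated analysis machine; it reads the files as text and never renders them, so no request is made.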
Are USB Drives Still a Threat?
Microsoft Windows no longer automatically executes arbitrary code when a USB drive is connected,[3] which defeats many traditional USB-based attacks.[4,5] However, connecting a USB drive still poses significant risk. There are three broad categories of effective USB attacks: social engineering, spoofing, and zero-day.
The simplest type of attack is social engineering, in which the drive doesn’t execute any code on connection but instead tricks the end user into opening a file on the USB drive. The files on the drive can contain a Trojan horse or can simply be HTML content that attempts to phish for credentials. These are the easiest type of attack drives to create for two reasons: an attacker can use store-bought drives, and the attack doesn’t rely on finding OS vulnerabilities. However, they’re also the least reliable and most conspicuous because they rely on the end user to open files without becoming suspicious. Unfortunately, as we describe below, many users will open the files on a drive without any prompting.
A more complex attack disguises a different type of USB device as a flash drive. While USB drives can no longer automatically execute code, USB human interface devices (HIDs)—such as keyboards and mice—don’t require user confirmation. This means that if a USB device identifies itself as a keyboard, it can immediately inject malicious keystrokes that compromise the machine. This attack is more difficult to deploy than a simple social engineering one, because it requires configuring a low-level device to emulate an HID, physically disguising the device as a USB drive, and handling OS variations. However, this has been made considerably easier by the recent availability of Arduino-based microcontrollers that facilitate low-level development. Figure 1 shows a disguised Teensy microcontroller that will open a reverse shell in Windows and Mac OS by “typing” out the requisite BASH or PowerShell commands in the background.
Off-the-shelf devices of this type are also available, although they cost significantly more than store-bought USB drives. The bar is still higher than a social engineering attack but can be accomplished easily by a determined hacker.[6]
The most complex type of USB-based attack is one in which the USB device exploits a known vulnerability in the host OS or hardware. Such “zero-day” attacks are difficult to find and expensive to purchase, and frequently require time-consuming implementation, which makes them unlikely to be used in most settings. However, if an attacker can acquire a zero-day, such an attack is incredibly difficult to protect against: OS policies can be bypassed, and there’s little protection that administrators can take beyond disabling USB ports altogether.
Each of the three attacks has its set of advantages and disadvantages. Social engineering attacks are trivial to implement but rely on user curiosity. On the other extreme, zero-day attacks are difficult to acquire but nearly impossible to centrally protect against. HID spoofing devices achieve a reasonable compromise: they can be built using readily available materials and don’t require user interaction after the device has been plugged in.
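The spoofing case above can be checked at the descriptor level, because a device that looks like a flash drive still has to declare a HID interface to the host. The following is an added example, not code from the article: it parses a raw USB configuration descriptor and holds any device that declares a HID interface unless it is on an allowlist. The descriptor bytes, the VID:PID values and the `assess` policy are constructed for illustration.

```python
HID, MASS_STORAGE = 0x03, 0x08      # bInterfaceClass codes from the USB class list
DT_INTERFACE = 0x04                 # bDescriptorType of an interface descriptor

def interfaces(config_blob):
    """Walk a raw configuration descriptor; return (class, subclass, protocol) per interface."""
    found, i = [], 0
    while i < len(config_blob):
        remaining = len(config_blob) - i
        length = config_blob[i]
        if remaining < 2 or length < 2 or length > remaining:
            raise ValueError(f"malformed descriptor at offset {i}")
        if config_blob[i + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config_blob[i + 5:i + 8]))
        i += length
    return found

def assess(vid_pid, config_blob, approved_hid):
    """Decide what to do with a newly enumerated device before it can deliver input."""
    classes = {cls for cls, _sub, _proto in interfaces(config_blob)}
    if HID in classes:
        # The protocol byte only marks boot keyboards; a non-boot HID interface can
        # still be a keyboard, so the whole class is gated on the allowlist.
        # VID:PID is self-reported: the allowlist narrows exposure, it does not prove identity.
        return "allow: approved HID" if vid_pid in approved_hid else "hold: unapproved HID"
    if classes == {MASS_STORAGE}:
        return "allow: mass storage only"
    return "hold: unrecognised interface set"

# Constructed descriptors. First: an ordinary flash drive (class 08, SCSI, bulk-only).
FLASH_DRIVE = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"
    " 09 04 00 00 02 08 06 50 00"
    " 07 05 81 02 00 02 00"
    " 07 05 02 02 00 02 00")
# Second: a device in a flash-drive shell that enumerates as a boot keyboard (class 03).
DISGUISED = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32"
    " 09 04 00 00 01 03 01 01 00"
    " 09 21 11 01 00 01 22 3f 00"
    " 07 05 81 03 08 00 0a")
APPROVED_HID = {(0x1111, 0x2222)}   # constructed VID:PID of an issued keyboard
```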