How To Make A USB Stick Safe?

Suppose I am at a trade show and some Nice Person is handing out free
USB sticks.

How do I make one of these things "Safe" ?

i.e. how to format it and remove whatever nastyware it might be
carrying.

Off-the-shelf antivirus apps?

Something Linux?

??
--  
Pete Cresswell

Re: How To Make A USB Stick Safe?

wrote:


    You can't. The malware might be an NSA-designed firmware
exploit, which is triggered by plugging the drive in. I believe these
exploits have been sold to the underworld, so it's possible you could
catch it anywhere.


    Linux. Check it does not have any hidden partitions with
cfdisk, then make a filesystem on it. Any filesystem, even ext2. You
can always re-format later in Windows.

    Won't catch zero-day exploits

    Make sure you don't have autorun enabled for any drive on your
PC (not even CD and DVD drives).
    []'s
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: How To Make A USB Stick Safe?

Per Shadow:

But that would not address the firmware issue, right?
--  
Pete Cresswell

Re: How To Make A USB Stick Safe?

wrote:


    No, neither formatting nor partitioning will eliminate the
firmware-malware.  From what I understand, it's a rootkit, like a
separate OS, but in the hardware ROM, not in the storage part of the
drive, but then I'm not a malware expert. I just capture the nasty
things.
    Ask one of the resident experts if a firmware hack will affect
Linux, or if the ones in the wild are Windows-only.
    []'s
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: How To Make A USB Stick Safe?



None of the ones I've read about affect linux systems. For example,
http://www.wired.com/2015/02/nsa-firmware-hacking/

Note the firmware creates nls_933w.dll, and presumably does something
to have windows systems autoload the dll on boot.

That won't work with linux systems. It doesn't mean that a firmware
hack couldn't be written to target linux systems, just that no known
in the wild hacks have done so.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: How To Make A USB Stick Safe?



Assuming normal malware, not a firmware hack, in Linux:
Open any terminal application (konsole, gnome-terminal, etc.).
Plug in the USB stick.
Check the final 10 or 15 lines of the output from the command "dmesg",
to determine which drive has been assigned to the usb stick.

For example, when I plug in a usb stick, dmesg shows ...
[259569.195480] usb-storage 3-4:1.0: USB Mass Storage device detected
[259569.195576] scsi18 : usb-storage 3-4:1.0
[259570.285773] scsi 18:0:0:0: Direct-Access              USB DISK 2.0     PMAP PQ: 0 ANSI: 4
[259571.878000] sd 18:0:0:0: [sde] 15124992 512-byte logical blocks: (7.74 GB/7.21 GiB)
[259571.878623] sd 18:0:0:0: [sde] Write Protect is off
[259571.878626] sd 18:0:0:0: [sde] Mode Sense: 23 00 00 00
[259571.879248] sd 18:0:0:0: [sde] No Caching mode page found
[259571.879250] sd 18:0:0:0: [sde] Assuming drive cache: write through
[259571.882375] sd 18:0:0:0: [sde] No Caching mode page found
[259571.882377] sd 18:0:0:0: [sde] Assuming drive cache: write through
[259571.902776]  sde: sde1
[259571.907504] sd 18:0:0:0: [sde] No Caching mode page found
[259571.907507] sd 18:0:0:0: [sde] Assuming drive cache: write through
[259571.907510] sd 18:0:0:0: [sde] Attached SCSI removable disk

In this case, sde is the device assigned to the usb stick.

Switch to the superuser (aka root user) with the command "su -". Enter
the root password. On most live linux systems, the root user does not
have a password, so just press enter when it asks for the password.

To erase the drive, run the command ...
dd if=/dev/zero of=/dev/sde bs=1M count=2

This will completely erase the mbr, including the partition table.
The data will still be on the drive, but is no longer accessible
without sector level i/o, and will be overwritten, when new partitions
and data are written.

You can then use any partitioning software, such as gparted, sfdisk,
cfdisk, etc., to create a partition table, and partition(s).

Use the exit command to undo the effects of the "su -" command.

Use the exit command, again, to close the terminal application.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
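The dmesg-then-dd procedure in the post above, as an added example that is not code from the thread: the steps are split into small shell functions that can be rehearsed on a scratch file before a real /dev/sdX is touched, with a mount check so dd is never aimed at the system disk. It assumes POSIX sh with GNU dd/sed/head/tr and Linux's /proc/mounts; the dmesg excerpt and the /dev/sde name are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Real use, as root, after reading dmesg:
#   dev=/dev/$(dmesg | usb_dev_from_dmesg)
#   refuse_if_mounted "$dev" && wipe_head "$dev" 2 && head_is_zero "$dev" 2
# Assumes POSIX sh, GNU dd/sed/head/tr and /proc/mounts (Linux).

# Constructed dmesg excerpt, shaped like the lines quoted in the post.
SAMPLE_DMESG='[259571.878000] sd 18:0:0:0: [sde] 15124992 512-byte logical blocks: (7.74 GB/7.21 GiB)
[259571.902776]  sde: sde1
[259571.907510] sd 18:0:0:0: [sde] Attached SCSI removable disk'

# usb_dev_from_dmesg: read dmesg text on stdin and print the name (sdX) of the
# last block device the kernel reported as an attached SCSI removable disk.
usb_dev_from_dmesg() {
    sed -n 's/.*\[\(sd[a-z]*\)] Attached SCSI removable disk.*/\1/p' | tail -n 1
}

# refuse_if_mounted: fail if the device or any of its partitions (/dev/sde,
# /dev/sde1, ...) appears in /proc/mounts, so dd is never pointed at a disk
# the running system is using. Pass the full /dev path.
refuse_if_mounted() {
    if grep -q "^$1" /proc/mounts 2>/dev/null; then
        echo "refusing: $1 (or a partition of it) is mounted" >&2
        return 1
    fi
    return 0
}

# wipe_head: zero the first N MiB (default 2) of the target, which covers the
# MBR and the partition table. dd's output operand is of=; conv=notrunc only
# matters when rehearsing on a regular file (a block device is never truncated).
wipe_head() {
    dd if=/dev/zero of="$1" bs=1M count="${2:-2}" conv=notrunc 2>/dev/null
}

# head_is_zero: succeed if the first N MiB (default 2) of the target are all
# zero bytes, i.e. the wipe covered the whole region it was meant to. Bytes
# past that region are untouched, which is the "data is still on the drive"
# caveat from the post.
head_is_zero() {
    n=$(head -c $((${2:-2} * 1048576)) "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$n" -eq 0 ]
}
```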
