A caution, in particular, about "dropshippers" who offer lowest price but have no inventory or track record

This caution recently appeared at Slashdot:

Dropshippers can get wholesale prices from the big sources, advertise things very cheap, collect your payment information, send it back to the big source and have the item shipped.
They never touch it, they never see it, they have no clue what it is they’re selling.

Slashdot cautions that people selling very cheap, with no track record, may also be cutting security corners.

And in other recent news, anything USB now can come with automounting malware — the fact that USB is inherently insecure on almost all computers was very quickly followed by people discovering that e-cigarette chargers and USB cables may come with malware ready to load onto your computer the first time you insert the USB device.
http://www.reddit.com/r/hacking/comments/2nzsfj/badusb_ecigarettes/

(I’ll be curious to see how long ago this selling of hacked cheap USB cables and stuff started — whether it’s a new problem for us customers and just the hardware people rushing the crap into production, or a long-term problem of stuff being sold that attacked your computer for months or years and just now becoming public.)

People selling stuff really cheap may be making their real profits elsewhere than the few pennies they get from you.

Also, people selling stuff really expensive may just be reselling stuff they got really cheap, of course.

Point is — watch out, out there.

I know a few things to watch out for:
— sites that send you your new password in plain text (and keep doing it each time you change it)
— sites using HTTP instead of HTTPS

What else do you think twice about, on a new web page offering cheap cheap cheap — do you look for a security policy?

(Me, mostly, I just register with a disposable email address and see if spam starts showing up to that address, an early detection system for crap artists.)

Buyer beware is always good advice. For most stuff, I’d rather pay an extra 10% to get something from a reputable seller, or a marketplace that provides good buyer protection. If the savings is more than that, I start to get suspicious.

That said, that ecig malware looks like a bunch of crap. Sure, it is theoretically possible and I’m sure we’ll be hearing more and more about USB security issues in the coming years, but that reddit thing isn’t credible. Just look at the original “report” on /r/talesfromtechsupport.

Is it the poster’s story? It isn’t clear, until you look at the OP’s follow-up comments, particularly this one:

So, something he heard somewhere once. Ok.

Anyway, let’s look at the rest…

The answer they were looking for? So, basically, they now had a plausible explanation, and so they accepted it as true. Good enough to close the ticket, maybe, good enough for a story. Not good enough to count as an in-the-wild sighting of a theoretical exploit.

I regard the story itself as a type of social-malware. It’s worth some consideration on its own.

It is, ostensibly, constructed to encourage “safe” behavior, but as such, I’d say it rates up there with telling pre-teens that kissing a boy will make a girl pregnant — impractical, and so oversimplified that as soon as people inevitably see through it, they will be dubious about any “adult” advice on the topic.

Then there are the narrative elements: A mystery, a persistent hero the intended audience can identify with, finding that their “superior’s” foolish actions have been the cause of the superior’s own undoing. Plus, the unseen villain is, basically, China, playing to people’s xenophobia and insecurity about their financial security in a global marketplace.

(Yeah, I’m lots of fun at parties.)

Certainly likely, and I have the same suspicion any time an IT department says they’re happy now, please don’t ask anything more about this.

From the descriptions of this USB security hole, for any given USB item, it does sound like if something hasn’t been weaponized yet, it probably will be.

The caution is — for anything we buy with USB — that this is a new thing to watch out for.

And how do we watch out for it? ….

Disable autorun globally.
It’s more an annoyance to me anyway.
I always saw it as a risk too.
No autorun = no way for the embedded malware to execute.

Also, and in particular, what to watch out for on new sales sites with no history or recommendations — the ones that you never heard of, that show up in Google when you search for a flashlight.

Those, often, are dropshippers — and may have real low prices, or may have issues. I’m just wondering what to watch for besides
— using https not http
— not sending passwords in plain text

What else can you look for to tell who’s going to become a reliable supplier?
Or what can you ask a new supplier to do to be a good reliable source?
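One way to turn the “https not http” check above into something repeatable, as an added example that is not from any post in this thread: score a shop’s login-page response for plain-HTTP service with no redirect, and, going a step beyond the thread, for a missing HSTS header and session cookies set without Secure/HttpOnly. The shop URLs and HTTP responses below are constructed samples, so it runs offline.

```python
# Added example (not from any poster): transport-security red flags for a new shop site.
# All sample responses are constructed; no network access is needed.

def parse_response(raw: str):
    """Return (status_code, headers); headers maps lowercase name -> list of values."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if not line.strip():                   # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def transport_findings(url: str, raw_response: str):
    """Return a list of human-readable findings; an empty list means no red flags."""
    status, headers = parse_response(raw_response)
    findings = []
    if url.lower().startswith("http://"):
        location = headers.get("location", [""])[0]
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("page served over plain HTTP with no redirect to HTTPS")
        return findings   # cookie/HSTS checks only make sense on the HTTPS response
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header (downgrade to HTTP is accepted)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure flag (also sent over plain HTTP)")
        if "httponly" not in flags:
            findings.append(f"cookie {name} lacks HttpOnly flag (readable by page scripts)")
    return findings

# Constructed responses standing in for two hypothetical shop login pages.
CHEAP_SHOP = ("http://cheap-flashlights.example/login",
              "HTTP/1.1 200 OK\r\nServer: Apache\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\n\r\n<html>")
CAREFUL_SHOP = ("https://shop.example/login",
                "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                "Set-Cookie: session=xyz; Secure; HttpOnly; Path=/\r\n\r\n<html>")

if __name__ == "__main__":
    for url, raw in (CHEAP_SHOP, CAREFUL_SHOP):
        print(url, "->", transport_findings(url, raw) or ["no red flags"])
```

Feed it the URL you typed and the raw headers you captured (for example from `curl -si`); a site that answers over HTTP without bouncing you to HTTPS fails the first check outright.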

Solarforce, supposed to be “Friends of BLF” and still they will not pay the money to clean up their sloppy security.

I, for one, have not and will not buy anything from them directly because of this.
There have to be repercussions for sloppy/cheap/amateur web sites with no safeguards.

It starts here, vote with your wallet!

Later,
Keith

My DCP enumerator boards (both versions) also double as USB wrappers… no juice jacking or syncing up with devices that could be a problem… just straight up 5 VDC charging power and no data transfer at all.

But yes…you never know what kind of security a vendor has, or doesn’t have…just ask the customers of Home Depot and Target about that

Actually not! Analysis of the Stuxnet virus revealed a 0-day exploit that used a corrupted .LNK file to auto-run a file and install malware. That exploit has since been used by a lot of evil-doers.

And a Snowden leak showed that the NSA has been using tricked-up USB cables for years. There are LOTS of USB devices/cables out there now that carry malware. Some of the trickier exploits actually re-write the firmware of some USB device, which will then re-infect any computer it is hooked to… and no anti-virus will find it.

And then there is malware that re-flashes the computer BIOS ROM. And supposedly some laptops made by Lenovo (and other Chinese makers) come with spyware built into their BIOS or even basic hardware chips:

http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL

> LOTS of USB devices/cables out there now that carry malware.

I predict a wave of sites hyping “Protected Secure USB Cable With Malware Filter, Discount, 80 percent off ….”

I had seen the LNK exploit, but I remembered that got patched fast.
Looks like we will be x-raying cables, opening devices, etc. to look for stuff that does not belong.
Maybe this will deter folks from buying cheap USB junk and plugging it in.

A little more info on Evil USB stuff:

Power supplies are probably safe, because they only connect to the power pins. If in doubt, one can check that. So USB chargers seem to be safe unless the thieves pay to add signal pins.

No, chargers are VERY likely to be sources of attack. Almost all chargers these days have connections to the data lines. They signal the charger how much current the device wants to use. There are. That is why “USB condom” devices exist… to block data from passing, but (the good ones) allow the charging current state to be passed.

There have been several charger based hacks spotted in the wild… airport/coffee shop charging stations are popular attack points.