U3 Technology on Flash Drives

  • U3 Technology on Flash Drives

    I have been reading a little bit about a new thing out there called U3 and am wondering if anyone has it or heard of it and what you think.

  • #2
    Re: U3 Technology on Flash Drives

    The U3 drives basically have a portion of the disk that acts like a CD rom when inserted. An autorun file launches whatever app you have on the device to start, which is usually the 'launcher' app that runs down by your clock.

    I will say that on some, it's possible to change that 'cd' portion for autorun to execute whatever code you wish (malicious or not).

    Comment
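The post above describes the mechanism: the emulated CD-ROM volume carries an autorun.inf, and Windows runs whatever that file names. The following is an added example, not code from this thread or from any U3 vendor: a small POSIX sh/awk triage helper that reports what an autorun.inf would launch, so an administrator can compare it against the vendor launcher before a drive is trusted. The sample autorun.inf it builds is constructed for the example, and "launcher.exe" is a placeholder name, not a real U3 file.

```shell
#!/bin/sh
# Added example (not from the thread): report the program an autorun.inf
# would start, for inspection of the U3 CD-ROM volume on a Linux host.
# Handles CRLF line endings, mixed-case keys and ';' comment lines.

# Print the value of the first open= or shellexecute= key inside the
# [autorun] section. Prints nothing and returns 1 if there is none.
autorun_launch_target() {
    awk '
        { sub(/\r$/, "") }                       # strip CR from CRLF endings
        /^[ \t]*;/ { next }                      # comment line
        /^[ \t]*\[/ {                            # section header
            s = tolower($0); gsub(/[][ \t]/, "", s)
            in_autorun = (s == "autorun"); next
        }
        in_autorun && match(tolower($0), /^[ \t]*(open|shellexecute)[ \t]*=/) {
            v = substr($0, RLENGTH + 1)          # everything after the "="
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Compare the launch target's file name (directory and arguments dropped,
# case-insensitive) against the launcher the administrator expects.
# Returns 0 on a match, 1 when it differs or no launch key exists.
autorun_matches_expected() {
    target=$(autorun_launch_target "$1") || return 1
    name=${target%%[ ]*}                         # drop command-line arguments
    name=${name##*[\\/]}                         # drop any directory part
    [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample autorun.inf (CRLF endings), not copied from any device.
make_sample_autorun() {
    printf '[autorun]\r\nicon=icon.ico\r\nOPEN = launcher.exe /autostart\r\naction=Start U3\r\n' > "$1"
}

# Usage: ./autorun-triage.sh /media/cdrom/autorun.inf expected-launcher.exe
if [ $# -eq 2 ]; then
    if autorun_matches_expected "$1" "$2"; then
        echo "autorun target matches $2"
    else
        echo "autorun target differs: $(autorun_launch_target "$1")"
        exit 1
    fi
fi
```

Run against the mounted CD-ROM volume's autorun.inf with the launcher name the vendor documents; a non-zero exit means the file would start something other than that launcher and the drive deserves a closer look before it is plugged into a Windows host.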


    • #3
      Re: U3 Technology on Flash Drives

      The USB Switchblade takes advantage of the U3 capability.
      "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

      Comment


      • #4
        Re: U3 Technology on Flash Drives

        Originally posted by panadero:
        I will say that on some, it's possible to change that 'cd' portion for autorun to execute whatever code you wish (malicious or not).
        this is very true, and very annoying. one thing that has exasperated me when it comes to hardening the win32 boxen which i oversee has to do with the fact that microsoft keeps coming up with new and ever-more-ridiculous ways to trigger shell events on hardware insertion. ask renderman to tell the story of the vendor table at shmoocon who had a lot of USB goodness laying around and the hilarity which ensued.

        WinXP's "i see you have inserted a disk... would you like to perform any of the following inane functions" question can be disabled by killing a system service that might as well be named "helper tool for idiots who can't figure out their digital cameras and MP3 players" but the U3 tools trigger good-old auto-play events, which have grown harder to prevent with each new generation of windows.

        another thing is the fact that it seems the windows disk manager goes out of its way to see that U3 code volumes remain hidden and untouchable on such flash drives. many vendors (like SanDisk) have a utility that will remove this hidden partition and turn the device into a proper thumb drive... of course this utility is part of the U3 control package and only accessible (for the novice user) by allowing the execution of said software.

        since i'm in the mood now, i have another really good rant about technology nowadays... coming soon to a forum thread near you.
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor

        Comment


        • #5
          Re: U3 Technology on Flash Drives

          Originally posted by Deviant Ollam:
          WinXP's "i see you have inserted a disk... would you like to perform any of the following inane functions" question can be disabled by killing a system service that might as well be named "helper tool for idiots who can't figure out their digital cameras and MP3 players"
          While I will usually disable the service, it is extremely convenient for the shell to open the folder in a new window when I insert a disk. After all, that is the behavior I want 99% of the time and it isn't exactly single click in most environments.

          Originally posted by Deviant Ollam:
          but the U3 tools trigger good-old auto-play events, which have grown harder to prevent with each new generation of windows.
          Really? I thought the same-old techniques for disabling Autoplay worked in Vista.

          I do think it's amusing that people started disabling Autorun on USB sticks for security reasons (it might even be the default now), so U3 devices pretend to be something they are not to get around that limitation. Thanks, guys. Maybe you can also disable any software firewalls that are running so that your programs don't bug me about accessing the network.

          Comment


          • #6
            Re: U3 Technology on Flash Drives

            Originally posted by Deviant Ollam:
            this is very true, and very annoying. one thing that has exasperated me when it comes to hardening the win32 boxen which i oversee has to do with the fact that microsoft keeps coming up with new and ever-more-ridiculous ways to trigger shell events on hardware insertion. ask renderman to tell the story of the vendor table at shmoocon who had a lot of USB goodness laying around and the hilarity which ensued.

            WinXP's "i see you have inserted a disk... would you like to perform any of the following inane functions" question can be disabled by killing a system service that might as well be named "helper tool for idiots who can't figure out their digital cameras and MP3 players" but the U3 tools trigger good-old auto-play events, which have grown harder to prevent with each new generation of windows.

            another thing is the fact that it seems the windows disk manager goes out of its way to see that U3 code volumes remain hidden and untouchable on such flash drives. many vendors (like SanDisk) have a utility that will remove this hidden partition and turn the device into a proper thumb drive... of course this utility is part of the U3 control package and only accessible (for the novice user) by allowing the execution of said software.

            since i'm in the mood now, i have another really good rant about technology nowadays... coming soon to a forum thread near you.
            Well, I guess I'm going to annoy you more, sorry, but it's just sooooo cool; ahh, not annoying you, the cool stuff, just to be clear :)

            Encrypt your entire USB File System and Leave No Trace On Systems You Use It On.


            Kudos to Mike from Techno Forensics. I'm pretty sure he doesn't want me using his last name so I won't.
            But thanks, Mike.

            Fedora Core 5 Encrypted Root Booting on a USB Stick

            - Boot into a FC5 session to be used as the source for the encrypted image
            - Create the partition that will house the root partition (fdisk)
            - Randomize the contents of the new partition:
                dd if=/dev/urandom of=/dev/{target root device}
            - Encrypt the new partition with a passphrase using dm-crypt (not LUKS):
                cryptsetup create -y --verify-passphrase {name} /dev/{target root device}
            - Create a new file system on the mapped device:
                mkfs.ext3 /dev/mapper/{name}
            - Create a mount point and mount the new encrypted device:
                mkdir /mnt/encroot
                mount /dev/mapper/{name} /mnt/encroot
            - Copy the existing root partition to the new one:
                cp -ax / /mnt/encroot
            - Create an entry in /etc/crypttab on the new root partition for the new encrypted device:
                vi /mnt/encroot/etc/crypttab
              and add the entry:
                {name} /dev/{target root device} cipher=aes
            - Edit the fstab in the new root so it knows where to find the mapped root:
                vi /mnt/encroot/etc/fstab
              and change the "LABEL=/..." line to:
                /dev/mapper/{name} / ext3 defaults 1 1

            ** Now it gets fun **

            - The initrd that gets installed with Fedora Core needs to be edited.
            - Run mkinitrd to load all the necessary modules into the initrd. ehci-hcd, usb-storage, scsi_mod and sd_mod are needed to make USB booting work; aes, dm-mod and dm-crypt are needed for the encryption:
                mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod --preload=aes --preload=dm-mod --preload=dm-crypt /boot/{initrdname}.img {kernel-no}
            - NOTE: to get the kernel number run uname -a; it should be something like "2.6.15-1.2054_FC5"
            - Now we have an initial initrd that contains all the modules we need. However, it still has to be extended to query the user for their passphrase and decrypt the root before loading, so the init script inside initrd*.img has to be edited.
            - Explode the initrd*.img to a temporary location (with Fedora Core it is a gzipped cpio archive):
                cd /wherever
                mkdir initrd
                cd initrd
                gzip -cd /boot/{initrdname}.img | cpio -i
            - Edit the init script and add the step that runs cryptsetup on the root partition and captures the passphrase:
                vi init
              and add the line
                /sbin/cryptsetup create {name} /dev/{target root device} < /dev/console > /dev/console
              above the line
                mkrootdev /dev/root
            - Copy cryptsetup into the initrd's bin directory:
                cp /sbin/cryptsetup /wherever/initrd/bin/
            - Now wrap the initrd back up onto the boot partition:
                cd /wherever/initrd
                find . | cpio -o -c | gzip -9 > /boot/{initrdname}.img
            - Finally, edit the grub boot loader to point it at the new initrd image:
                vi /boot/grub/grub.conf
              and add the following lines under the boot choices:
                title Fedora Core Encrypted ({kernel-no})
                rootnoverify (hd0,0)
                kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet
                initrd (hd0,0)/boot/{initrdname}.img
            - That's it.
            - NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.

            TODO:
            - Make Root Partition Read Only


            To simply install Fedora Core on a USB drive:

            - Check your BIOS to ensure your computer can boot off a USB device
            - Ensure that your USB drive has an MBR on it. If it doesn't (which is likely), download and run the "HP USB Disk Storage Format Tool" (search for it on Google; its home keeps changing). This will install an MBR on the USB drive.
            - Remove your internal hard drive. If it is inserted, the installer won't ask to load the USB drivers.
            - Install Fedora Core using the 'linux expert' command line boot option
            - When it asks to load additional drivers, select the "usb-storage" driver
            - Install to the USB drive: /dev/sda
            - Make sure that grub is installed to the boot sector of the USB drive
            - When the installation reboots to the installed media, leave the CD in and select "rescue"
            - Skip the stage that asks to find your existing linux image
            - Go to the command line
            - Mount the / partition (/dev/sda2) on /mnt/system (or whatever mount point it gives you) and the /boot partition (/dev/sda1) on /mnt/system/boot
            - Use chroot to change the root to /mnt/system (or wherever you mounted your drives) and cd to /boot
            - The initrd that gets installed with Fedora Core needs to be edited. Run mkinitrd to load all the necessary modules into the initrd:
                mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod /boot/{initrdname}.img {kernel-no}
            - NOTE: to get the kernel number run uname -a; it should be something like "2.6.15-1.2054_FC5"
            - Finally, edit the grub boot loader to point it at the new initrd image:
                vi /boot/grub/grub.conf
              and add the following lines under the boot choices:
                title Fedora Core USB ({kernel-no})
                rootnoverify (hd0,0)
                kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/sda2 rhgb quiet
                initrd (hd0,0)/boot/{initrdname}.img
            - NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.


            Sources:

            - https://www.linuxforums.org/forum/li...isk-drive.html, "How to set up a Fedora Core 4 on a USB disk drive", ROXOFF, 20 Dec 2005
            - www.linuxjounal.com/article/7743, "Encrypt Your Root Filesystem", Mike Petullo, 01 Dec 2004
            - lukeross.name/blog/10, "Fedora: encrypted root partition", Luke Ross, 20 Feb 2006
            Last edited by xor; August 22, 2007, 22:13.
            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

            Comment
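The fiddly step in the procedure above is editing the init script inside the unpacked initrd, and the post's own NOTE says it has to be repeated after every kernel upgrade. The following is an added example, not code from this thread, from Mike or from Fedora: a POSIX sh script that performs that edit idempotently, refuses to touch an init script that lacks the "mkrootdev /dev/root" anchor, sanity-checks the unpacked tree before it is repacked, and wraps the thread's gzip/cpio commands so the whole rebuild is one invocation. The mapping name "cryptroot" and the device "/dev/sda2" in the usage line are assumptions standing in for the thread's {name} and {target root device}; the full rebuild needs root and the thread's prerequisites and only runs when asked for explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): automate the "edit init inside the
# initrd" step of the encrypted-root procedure so it can be re-run safely
# after each kernel upgrade. Placeholders: NAME = the thread's {name},
# DEV = the thread's /dev/{target root device}, IMG = /boot/{initrdname}.img.

# Insert the cryptsetup passphrase-prompt line above "mkrootdev /dev/root".
# Idempotent: a second run leaves an already-patched script untouched.
# Returns 1 and changes nothing if the anchor line is missing, i.e. the
# initrd is not laid out the way the thread describes.
patch_init() {                                   # patch_init INIT NAME DEV
    init="$1"; name="$2"; dev="$3"
    line="/sbin/cryptsetup create $name $dev < /dev/console > /dev/console"
    if grep -qF "$line" "$init"; then
        return 0                                 # already patched
    fi
    grep -q '^[[:space:]]*mkrootdev /dev/root' "$init" || return 1
    awk -v ins="$line" '
        !done && /^[[:space:]]*mkrootdev \/dev\/root/ { print ins; done = 1 }
        { print }
    ' "$init" > "$init.tmp" && mv "$init.tmp" "$init"
}

# Sanity-check an unpacked tree before repacking: cryptsetup must be in
# bin/ and init must carry the prompt line for this NAME and DEV.
check_initrd_tree() {                            # check_initrd_tree DIR NAME DEV
    [ -x "$1/bin/cryptsetup" ] || return 1
    grep -qF "/sbin/cryptsetup create $2 $3 < /dev/console" "$1/init"
}

# The thread's unpack step (IMG must be an absolute path).
unpack_initrd() {                                # unpack_initrd IMG DIR
    mkdir -p "$2" && ( cd "$2" && gzip -cd "$1" | cpio -i )
}

# The thread's repack step: find . | cpio -o -c | gzip -9 > IMG
repack_initrd() {                                # repack_initrd DIR IMG
    ( cd "$1" && find . | cpio -o -c ) | gzip -9 > "$2"
}

# Full rebuild: unpack, patch, copy cryptsetup, verify, repack.
# Requires root; the work directory is always cleaned up.
rebuild_initrd() {                               # rebuild_initrd IMG NAME DEV
    work=$(mktemp -d) || return 1
    unpack_initrd "$1" "$work" \
        && patch_init "$work/init" "$2" "$3" \
        && cp /sbin/cryptsetup "$work/bin/" \
        && check_initrd_tree "$work" "$2" "$3" \
        && repack_initrd "$work" "$1"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage (assumed names): ./initrd-patch.sh --rebuild /boot/initrd-enc.img cryptroot /dev/sda2
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_initrd "$2" "$3" "$4"
fi
```

Because patch_init checks for the anchor and for an existing prompt line, running the rebuild after a kernel upgrade either inserts the line once or leaves a correct image alone, and check_initrd_tree catches the case where the copy of cryptsetup was forgotten before the image is written over the one grub boots from.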


            • #7
              Re: U3 Technology on Flash Drives

              More Tidbits of Hacker Wisdom from Mike:

              Notes on prepping the USB drive for Telework:

              Run Bastille to harden the OS:
              - www.bastille-linux.org
              - follow the instructions for Fedora Core/RHEL
              - this will bring the OS up to the recommendations of both SANS and the Center for Internet Security

              Strip the services:
              - Bastille doesn't go far enough
              - run system-config-services and stop all the unnecessary services (at all run levels)

              Installing the Cisco VPN:
              - there is no installation binary for Fedora Core
              - make sure the kernel-headers are installed for your version of the kernel:
                  uname -a (to get the kernel number)
                  yum install kernel-headers-{kernel-no.}
              - once it's installed, create a profile; profiles are in /etc/opt/vpnclient
              - then, to make it accessible by non-root accounts:
                  chmod 4111 /opt/cisco-vpnclient/bin/cvpnd
              - to connect: vpnclient connect {profilename}
              - to disconnect: vpnclient disconnect

              Rdesktop:
              - install rdesktop:
                  yum install rdesktop
              - to run it in full screen with a color depth of "millions":
                  rdesktop -f -a 24 {term server hostname}

              Trimming the OS:
              - edit /etc/inittab to delete the "mingetty" lines to remove the tty consoles
              - delete man pages
              - others!!!

              Change the splash screen:
              - /usr/share/gdm/themes/FedoraBubbles
              - edit *.png
              - /usr/share/pixmaps/*.png

              xor
              Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

              Comment
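The "chmod 4111 .../cvpnd" step above deliberately adds a setuid-root binary to an image that the rest of the post is busy trimming down; on a hardened drive every set-id file should be a decision like that one, not an accident. The following is an added example, not code from this thread, from Mike or from Bastille: a POSIX sh audit that lists setuid/setgid files under a tree and reports any that are not on an allowlist. The directory layout and allowlist it is tested against are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit set-id files on the trimmed
# USB image. Run it against the mounted root (or "/" on the booted stick)
# with an allowlist of the set-id files you intend to keep.

# List setuid/setgid regular files under DIR, one path per line, sorted.
# Symlinks are skipped (-type f); -perm -4000/-2000 are POSIX find tests.
list_setid() {                                   # list_setid DIR
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Report set-id files under DIR whose path relative to DIR is not listed
# in ALLOWFILE (one relative path per line; lines starting with '#' are
# comments). Returns 0 when nothing unexpected is found, 1 otherwise.
audit_setid() {                                  # audit_setid DIR ALLOWFILE
    tmp=$(mktemp) || return 1
    list_setid "$1" > "$tmp"
    unexpected=0
    while IFS= read -r f; do
        rel=${f#"$1"/}                           # strip the DIR prefix
        if ! grep -v '^#' "$2" | grep -qxF -- "$rel"; then
            echo "unexpected set-id file: $rel"
            unexpected=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $unexpected
}

# Usage: ./setid-audit.sh /mnt/encroot /mnt/encroot/etc/setid.allow
if [ $# -eq 2 ]; then
    audit_setid "$1" "$2" && echo "no unexpected set-id files under $1"
fi
```

Keeping the allowlist in version control next to the build notes turns the post's "others!!!" into something checkable: a re-run after installing the VPN client or trimming packages shows exactly which privileged binaries appeared or disappeared.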
