'Trojan mouse' was just a hint -- almost any hardware device that can be plugged into a computer can compromise its security

Much of the computer security blogosphere was abuzz last week over Netragard’s clever hack of a client’s network using a specially modified Logitech USB mouse. The mouse contained firmware code that automatically launched when the socially engineered user plugged it into his or her computer. The attack code simply dialed home to let Netragard know it had been successful in penetrating the victim’s network. Victory and success!

Many readers were unaware that hardware, especially a mouse, could be used to deliver auto-launching exploit code. But for others, this doesn’t come as a surprise.

I developed my first USB virus nearly 7 years ago, when I was working for Foundstone. I figured out I could use hidden desktop.ini files to autolaunch any contained executable. It bypassed autorun- and Autoplay-blocking defense mechanisms. I had discovered that I could do this on a USB key, and my coworker at the time, Aaron Higbee, quickly moved my exploit to USB devices. In short order, we had built a digital-camera roaming worm as a demo. It was a sweet day for discovery, although we both blew off the real work we’d been hired to do. Luckily, Foundstone was supportive of our efforts and told us to focus on further USB exploits. Ultimately, I was incredibly surprised to see, even heading into this year, USB-infecting vectors remain a major threat (although Microsoft’s new default treatment of autorun and Autoplay has significantly diminished that risk).

IT security admins must understand that a computer can be compromised by almost any hardware device plugged into it.
Hardware is hardware: the instructions coded into it and its firmware take precedence over software. When we talk about trust boundaries in computer security, always remember that the hardware boundary must be discussed and defended. If I, as the attacker, can convince a victim to plug in some sort of hardware or if I plug it in myself, then it is, for all intents and purposes, game over. If I can plug something into your USB, DMA, FireWire, and now mouse port, I’ll likely succeed in carrying off a malicious action.

Heck, it might be game over if all the attacker does is remove existing hardware. Two years ago, disk encryption vendors were re-alerted to the fact that their software disk encryption programs could be circumvented by malicious hackers freezing the RAM and analyzing its stored contents on another computer. A different researcher proved he could retrieve encryption keys stored deep inside the world’s specialized Trusted Platform Module encryption chips.

This isn’t news. Thousands of people around the world have known this for a very long time. You shouldn’t be any more worried about it today than you’ve been over the past two decades, at least until these sorts of vectors start to become popularly exploited. Most bad actors don’t need physical access to your machine for exploitative actions. The fake antivirus programs and malicious email links are still working quite well and infecting tens of millions of users.

If you are worried that your assets are at higher risk of physical attack, let this column be your wake-up call and show it to management.

You can take steps to protect yourself. End-user education is always worth trying. Let your end-users know that anything they plug into their computer could launch malicious code. That free USB key at the conference show?
They shouldn’t plug it in, nor should they attach free mice, free keyboards, or whatever if they are at elevated risk of physical attack.

System configurators can disable unneeded ports in the system’s BIOS or within the controlling operating system. Disabling in the BIOS is better; that way, OS-boot-around attacks can’t succeed. Unfortunately, you can’t disable every port. Make sure all the normal antimalware and computer security defenses are enabled. You may not stop the initial compromise, but you might be able to detect or stop the subsequent actions.

And until better solutions are discovered, you will have to live with some amount of physical risk. The reality is that most of us are facing far more malicious risk from far less sophisticated attacks. Good computer security defense is about evaluating your current threats and knowing which ones to concentrate on.

This story, “Yes, even a mouse can infect your network,” was originally published at InfoWorld.com.
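
One way to act on the point that a plugged-in device can do more than its label suggests, as an added example that is not part of the original column: compare the functions a device reports at enumeration against what its type should need. The device records, role names and allowlist are hypothetical and the sample inventory is constructed; the class and protocol codes are the standard USB-IF values.

```python
# Standard USB-IF interface class codes and HID boot-protocol codes.
HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09
PROTO_KEYBOARD, PROTO_MOUSE = 0x01, 0x02
CLASS_NAMES = {0x01: "audio", 0x02: "communications", MASS_STORAGE: "mass storage",
               HUB: "hub", 0x0E: "video", 0xE0: "wireless controller"}

# Hypothetical allowlist: the functions each issued device type may expose.
ALLOWED = {
    "mouse": {"HID mouse"},
    "keyboard": {"HID keyboard", "HID other"},  # media keys often use a second HID interface
}

def describe(cls, proto):
    """Name the function an interface provides from its class/protocol codes."""
    if cls == HID:
        return {PROTO_KEYBOARD: "HID keyboard", PROTO_MOUSE: "HID mouse"}.get(proto, "HID other")
    return CLASS_NAMES.get(cls, f"class 0x{cls:02x}")

def unexpected_functions(device):
    """Return the functions a device exposes beyond what its role allows.

    An unknown role allows nothing, so every interface is reported.
    """
    allowed = ALLOWED.get(device["role"], set())
    found = []
    for cls, _subclass, proto in device["interfaces"]:
        name = describe(cls, proto)
        if name not in allowed and name not in found:
            found.append(name)
    return found

# Constructed sample inventory (not captured from real hardware).
# Each interface is (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).
SAMPLE_DEVICES = [
    {"product": "Office mouse", "role": "mouse", "interfaces": [(0x03, 0x01, 0x02)]},
    {"product": "Giveaway mouse", "role": "mouse",
     "interfaces": [(0x03, 0x01, 0x02), (0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]},
    {"product": "Desk keyboard", "role": "keyboard",
     "interfaces": [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00)]},
]

def audit(devices):
    """Map product name -> unexpected functions, only for devices that have any."""
    report = {d["product"]: unexpected_functions(d) for d in devices}
    return {product: extra for product, extra in report.items() if extra}

if __name__ == "__main__":
    for product, extra in audit(SAMPLE_DEVICES).items():
        print(f"REVIEW {product}: exposes {', '.join(extra)}")
```

Some legitimate peripherals expose extra interfaces, so a hit here is a prompt for review, not proof of tampering.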