Attacking The USB Vector
Brandon Greene
Quick Scope
● Information given with an emphasis on Windows 7
● Presentation will focus on USB attacks and countermeasures
● Presentation will cover countermeasures tailored to USB defense, rather than all potential defenses
Basic USB Process
● Device connected
● Address designation
● Descriptors read
● Configurations established
● Device is ready for use
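The "descriptors read" step above is where a host learns what a device claims to be. The following Python parser is an added example, not code from the presentation: it decodes the 18-byte device descriptor and walks the configuration descriptor chain, then reports whether any interface asks the host to treat it as a keyboard. The descriptor bytes and the vendor/product IDs (0x1234/0x5678) are constructed placeholders, not captured from a real device.

```python
import struct

# Descriptor type codes from chapter 9 of the USB 2.0 specification.
DT_DEVICE = 0x01
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05

# Interface class/subclass/protocol that make the host bind a keyboard driver.
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01


def parse_device_descriptor(data):
    """Decode the 18-byte device descriptor, the first thing a host reads
    after assigning an address. Returns the fields a policy engine cares about."""
    if len(data) < 18 or data[0] < 18 or data[1] != DT_DEVICE:
        raise ValueError("not a device descriptor")
    f = struct.unpack_from("<BBHBBBBHHHBBBB", data, 0)
    return {
        "bcdUSB": f[2],
        "bDeviceClass": f[3],
        "bMaxPacketSize0": f[6],
        "idVendor": f[7],
        "idProduct": f[8],
        "bcdDevice": f[9],
        "bNumConfigurations": f[13],
    }


def walk_descriptors(data):
    """Yield (descriptor_type, raw_bytes) for each descriptor in a configuration
    transfer; interface, HID and endpoint descriptors follow the configuration
    descriptor back to back, each prefixed by its own length byte."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated descriptor header at offset %d" % offset)
        length, dtype = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("malformed descriptor at offset %d" % offset)
        yield dtype, data[offset:offset + length]
        offset += length


def interfaces(config_data):
    """Return (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for
    every interface descriptor in the configuration, in declaration order."""
    found = []
    for dtype, raw in walk_descriptors(config_data):
        if dtype == DT_INTERFACE and len(raw) >= 9:
            found.append((raw[5], raw[6], raw[7]))
    return found


def presents_keyboard(config_data):
    """True when any interface is a HID boot keyboard: whatever the device
    looks like physically, the host will accept keystrokes from it."""
    return any(triple == (HID_CLASS, HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL)
               for triple in interfaces(config_data))


# Constructed sample descriptors (placeholder vendor/product IDs, not a real device).
DEVICE_DESC = bytes([
    0x12, 0x01,          # bLength, bDescriptorType (DEVICE)
    0x00, 0x02,          # bcdUSB 2.00
    0x00, 0x00, 0x00,    # class/subclass/protocol defined per interface
    0x40,                # bMaxPacketSize0
    0x34, 0x12,          # idVendor 0x1234 (placeholder)
    0x78, 0x56,          # idProduct 0x5678 (placeholder)
    0x00, 0x01,          # bcdDevice 1.00
    0x01, 0x02, 0x03,    # string descriptor indexes
    0x01,                # bNumConfigurations
])

STORAGE_ONLY_CONFIG = bytes([
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   # configuration, 32 bytes total
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,   # interface 0: mass storage
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,               # bulk IN endpoint
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,               # bulk OUT endpoint
])

# Same storage interface plus a second interface claiming to be a keyboard.
COMPOSITE_CONFIG = bytes([
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,   # configuration, 57 bytes total
]) + STORAGE_ONLY_CONFIG[9:] + bytes([
    0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,   # interface 1: HID boot keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,   # HID descriptor
    0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0A,               # interrupt IN endpoint
])

if __name__ == "__main__":
    dev = parse_device_descriptor(DEVICE_DESC)
    print("VID:PID %04x:%04x" % (dev["idVendor"], dev["idProduct"]))
    for name, cfg in (("storage only", STORAGE_ONLY_CONFIG), ("composite", COMPOSITE_CONFIG)):
        print(name, interfaces(cfg), "keyboard:", presents_keyboard(cfg))
```

The point for a defender is that the keyboard interface is announced during enumeration, before a single keystroke arrives, so a host can decide at this step whether a newly attached "storage" device should also be allowed to type.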
USB Attacks
● USB Toolkit
● HID USB Devices
USB Toolkits (USB Attacks)
● Easy To Use
● Modular
● Versatile
● Not Always Easily Detectable
USB Toolkits (USB Attacks cont.)
● Hacksaw
– Easy to set up
– Modular
– Most successful versions rely on U3 technology
● Katana
– Offers bootable OS
HID Devices (USB Attacks)
● Abuse the trust relationship between human and machine
● Devices that rely on input device emulation
● Allows keyboard input at faster rates than humans
● Attacks generally work on anything with a USB port that accepts input
HID Devices (USB Attacks)
● USB Rubber Ducky
– Open Source
– Configurable
– Offers opportunity to alter firmware to modify device functionality
– Anything that can be done from a keyboard can be emulated by this device
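The two HID slides above rest on one observation: an emulated keyboard types faster and more evenly than a person. The following Python detector is an added example, not from the presentation or from any product: it splits a stream of key-down timestamps into bursts and flags a burst whose median inter-key gap and jitter are below human range. The timestamps are constructed samples, and the thresholds (20 keys, 30 ms median, 5 ms jitter) are illustrative assumptions to be tuned per environment.

```python
from statistics import median

# Constructed inter-key gaps (seconds) for a person typing quickly: fast but
# uneven. Not a recording.
HUMAN_GAPS = [0.13, 0.11, 0.17, 0.10, 0.18, 0.12, 0.16, 0.09, 0.21, 0.14, 0.12, 0.19,
              0.11, 0.15, 0.13, 0.17, 0.10, 0.22, 0.12, 0.14, 0.16, 0.11, 0.13, 0.18]
# Constructed gaps for a scripted device: a fixed 12 ms between keys, no variation.
INJECTED_GAPS = [0.012] * 39


def timestamps_from_gaps(gaps, start=0.0):
    """Turn a list of inter-key gaps into absolute key-down times."""
    times, t = [start], start
    for g in gaps:
        t += g
        times.append(t)
    return times


def inter_key_intervals(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def looks_injected(timestamps, min_keys=20, max_median_gap=0.030, max_jitter=0.005):
    """Classify one burst of keystrokes.

    A burst is flagged when it is long enough to judge (min_keys), keys arrive
    faster than people type (median gap at or under max_median_gap) and the
    spacing is nearly constant (spread of gaps at or under max_jitter).
    Returns (flagged, median_gap, jitter); the numbers are None when the burst
    is too short to classify.
    """
    if len(timestamps) < min_keys:
        return False, None, None
    gaps = inter_key_intervals(timestamps)
    med = median(gaps)
    jitter = max(gaps) - min(gaps)
    return (med <= max_median_gap and jitter <= max_jitter), med, jitter


def split_bursts(timestamps, idle_gap=1.0):
    """Split a stream of key-down times into bursts separated by at least
    idle_gap seconds, so each burst is classified on its own."""
    bursts, current = [], []
    for t in timestamps:
        if current and t - current[-1] >= idle_gap:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    # A person types, pauses, then a device starts injecting ten seconds later.
    stream = timestamps_from_gaps(HUMAN_GAPS) + timestamps_from_gaps(INJECTED_GAPS, start=10.0)
    for burst in split_bursts(stream):
        flagged, med, jitter = looks_injected(burst)
        print("%d keys, median gap %s, jitter %s -> %s"
              % (len(burst), med, jitter, "INJECTED" if flagged else "ok"))
```

Rate-based detection is only a backstop: a device can be scripted to type slowly, so the primary control is still deciding at enumeration time whether a new keyboard may be attached at all.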
Attack Device Demo
Notable USB Malware
● Stuxnet
– Propagates mainly via USB
– Avoids network traffic
– Updates and acts via C&C
– Infects intelligently
– Made to infect SCADA and Windows systems using zero-day exploits (at least 4)
– Modified behavior based on AV vendors
Countermeasures
● Security Policy
● Personnel
● Physical
● Firmware
● Software
● System Policy
● Host/Network Specific
Security Policy (Countermeasure)
● Who is allowed where
● Where USB devices are allowed/disallowed
● Specifications on what USB devices may be used
● Company provided USB drives
Personnel (Countermeasure)
● EDUCATION!!!
– Don't use dropped USB drives. TURN THEM IN!
– Don't use admin account when unnecessary
– If you're not using your computer, lock it!
– Use a password
– Educate why ALL of these things are important!
Physical (Countermeasure)
● Critical machines should be in a locked and monitored environment
● Personnel to ensure device tampering doesn't happen
● USB Port Locks
● Chassis Lock
Firmware (Countermeasure)
● Password-protect firmware access
● Move USB lower in the boot order
Firmware (Countermeasure)
● Disable USB If It Is Not Needed
Firmware (Countermeasure)
● Chassis Intrusion Detection
Software (Countermeasure)
● AV
– Password the AV where possible
● USB port scan software
Policy (Countermeasure)
● Disable Autorun for all
● Enforce UAC
● Whitelisting/Blacklisting
● Autorun.inf parsing
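Three of the policy bullets above (disable Autorun for all, whitelisting, Autorun.inf parsing) can be checked mechanically. The Python below is an added example, not from the presentation: it interprets the NoDriveTypeAutoRun bitmask (one bit per drive type, 0xFF disabling every type), reads an autorun.inf and reports the keys that would launch something on insertion, and performs a default-deny allow-list check on a Windows device instance ID. The autorun.inf contents, the device ID and the allow-list entry are constructed samples with placeholder VID/PID values.

```python
import re

# NoDriveTypeAutoRun (HKLM or HKCU ...\Policies\Explorer): bit (1 << drive_type)
# disables AutoRun/AutoPlay for that GetDriveType() category; 0xFF covers all.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}
DISABLE_ALL = 0xFF


def autorun_disabled_for(no_drive_type_autorun, drive_type):
    """True when the policy value disables AutoRun for the given drive type."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


def parse_autorun_inf(text):
    """Minimal INI reader for autorun.inf. Section and key names are
    case-insensitive on Windows, so both are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Reasons an autorun.inf would fail a policy review (empty list = clean)."""
    auto = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key in ("open", "shellexecute"):
        if key in auto:
            findings.append("%s= would run a program on insertion: %s" % (key, auto[key]))
    if "open folder" in auto.get("action", "").lower():
        findings.append("action= text mimics the built-in 'open folder' AutoPlay entry")
    return findings


# Windows device instance IDs for USB devices start with USB\VID_xxxx&PID_xxxx.
DEVICE_ID_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def device_allowed(device_instance_id, allow_list):
    """Allow-list check on the vendor/product pair of a device instance ID.
    Anything that does not parse as a USB ID is denied (default deny)."""
    m = DEVICE_ID_RE.match(device_instance_id)
    if not m:
        return False
    return (m.group(1).upper(), m.group(2).upper()) in allow_list


# Constructed samples (not from a real device).
SUSPICIOUS_AUTORUN = """\
[AutoRun]
open=setup.exe
icon=drive.ico
action=Open folder to view files
shellexecute=setup.exe
label=Removable Disk
"""
BENIGN_AUTORUN = """\
[autorun]
icon=company.ico
label=Company Drive
"""
ALLOW_LIST = {("1234", "5678")}          # placeholder company-issued drive model
SAMPLE_DEVICE_ID = r"USB\VID_1234&PID_5678\SERIAL0001"

if __name__ == "__main__":
    for name, value in (("all disabled", DISABLE_ALL), ("removable still on", 0x91)):
        print(name, "removable:", autorun_disabled_for(value, "removable"))
    print("suspicious:", autorun_findings(SUSPICIOUS_AUTORUN))
    print("benign:", autorun_findings(BENIGN_AUTORUN))
    print("allowed:", device_allowed(SAMPLE_DEVICE_ID, ALLOW_LIST))
```

The allow-list here keys on VID/PID only, which is what Windows device installation restrictions can match; it does not stop a device that spoofs an approved ID, so it is a policy control rather than an authentication of the hardware.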
Host/Network Specific (Countermeasures)
● Network AV
● Firewalls
● HIDS/HIPS
Ecology-based Countermeasures
● Military and Government Computers
● Enterprise Based Computers
● Public Computers
● Personal Computers
After Thoughts
● Security of Whitelisting: how secure is it?
● AV vs. Custom Malware
● Countermeasure effectiveness vs. convenience
● USB Banning vs. restricting
● How to spread this knowledge to those who don't know it is needed?
● Is it possible to stop an attack, even with these countermeasures in an espionage-prone environment?
Why Should You Care?