Attacking The USB Vector
Attacking the USB Vector
Brandon Greene
Quick Scope
● Information given with an emphasis on Windows 7
● Presentation will focus on USB attacks and countermeasures
● Presentation will cover countermeasures tailored to USB defense, rather than all potential defenses
Basic USB Process
● Device connected
● Address designation
● Descriptors read
● Configurations established
● Device is ready for use
USB Attacks
● USB Toolkit
● HID USB Devices
USB Toolkits (USB Attacks)
● Easy To Use
● Modular
● Versatile
● Not Always Easily Detectable
USB Toolkits (USB Attacks cont.)
● Hacksaw
– Easy to set up
– Modular
– Most successful versions rely on U3 technology
● Katana
– Offers bootable OS
HID Devices (USB Attacks)
● Abuse the trust relationship between human and machine
● Devices that rely on input device emulation
● Allows keyboard input at rates faster than a human can type
● Attacks generally work on anything with a USB port that accepts keyboard input
HID Devices (USB Attacks)
● USB Rubber Ducky
– Open Source
– Configurable
– Offers opportunity to alter firmware to modify device functionality
– Anything that can be done from a keyboard can be emulated by this device
Attack Device Demo
Notable USB Malware
● Stuxnet
– Propagates mainly via USB
– Avoids network traffic
– Updates and acts via C&C
– Infects intelligently
– Made to infect SCADA and Windows systems using zero-day exploits (at least 4)
– Modified behavior based on AV vendors
Countermeasures
● Security Policy
● Personnel
● Physical
● Firmware
● Software
● System Policy
● Host/Network Specific
Security Policy (Countermeasure)
● Who is allowed where
● Where USB devices are allowed/disallowed
● Specifications on what USB devices may be used
● Company provided USB drives
Personnel (Countermeasure)
● EDUCATION!!!
– Don't use dropped USB drives. TURN THEM IN!
– Don't use admin account when unnecessary
– If you're not using your computer, lock it!
– Use a password
– Educate why ALL of these things are important!
Physical (Countermeasure)
● Critical machines should be in a locked and monitored environment
● Personnel to ensure device tampering doesn't happen
● USB Port Locks
● Chassis Lock
Firmware (Countermeasure)
● Password Firmware Access
● Lower USB on the Boot Order
● Disable USB If It Is Not Needed
● Chassis Intrusion Detection
Software (Countermeasure)
● AV
– Password-protect the AV where possible
● USB port scan software
System Policy (Countermeasure)
● Disable Autorun for all
● Enforce UAC
● Whitelisting/Blacklisting
● Autorun.inf parsing
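As an added example (not from the talk), a small Python audit of the directives in an autorun.inf, the kind of check the "Autorun.inf parsing" countermeasure refers to. The sample file is constructed, and the lenient parsing rules approximate Windows behaviour rather than reimplement it.

```python
"""Audit an autorun.inf for directives that would launch code (added example)."""

# Directives that cause code to run when Autorun/AutoPlay honours the file.
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample, not a real malware file: a cosmetic label and icon
# alongside directives that would launch setup.exe silently.
SAMPLE_INF = (
    ";constructed sample autorun.inf\n"
    "[AutoRun]\n"
    "label=Company Backup\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "open=setup.exe /s\n"
    "shell\\explore\\command=setup.exe /s\n"
    "shell=explore\n"
)


def parse_autorun(text: str) -> dict:
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Parsing is deliberately lenient (an approximation of how Windows reads
    the file): anything before [autorun] is skipped, lines without '=' are
    ignored, and keys compare case-insensitively.
    """
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def audit_autorun(text: str) -> list:
    """Return a finding string for every directive that would run code."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS:
            findings.append(f"{key} launches: {value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command adds a context-menu verb that runs a command.
            findings.append(f"{key} launches: {value}")
        elif key == "shell":
            # shell=<verb> makes that verb the default double-click action.
            findings.append(f"shell makes '{value}' the default verb")
    return findings
```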
Host/Network Specific (Countermeasures)
● Network AV
● Firewalls
● HIDS/HIPS
Ecology-based Countermeasures
● Military and Government Computers
● Enterprise Based Computers
● Public Computers
● Personal Computers
After Thoughts
● Security of Whitelisting: how secure is it?
● AV vs. Custom Malware
● Countermeasure effectiveness vs. convenience
● USB Banning vs. restricting
● How to spread this knowledge to those who don't know it is needed?
● Is it possible to stop an attack, even with these countermeasures in an espionage-prone environment?
Why Should You Care?