USB HID Attacks

So, all the hackers are running around saying "hardware is the new software." Better than that, they are proving it to be true. I saw a post this summer about the "Rubber Ducky" attack the folks over at Hak5 are working on. If you aren't familiar with the Rubber Ducky, check out episode 709. The potential for these attacks is amazing. Let's pause and think about HID.

HID stands for Human Interface Device, which is a fancy way of saying PC input devices; for this discussion that means keyboards and mice. These days, what happens when you plug in a USB mouse or keyboard? It works. No authentication, no authorization, and at best minimal auditing in some environments. So what if the device you plugged in wasn't a keyboard or mouse at all but was simply reporting itself as one? For the 1337 folks reading this, I get that you understand the potential; for the non-nerds, I just inserted a device that mimics your keyboard and types whatever it was programmed to type. Now I can hear the naysayers already: "We have autorun turned off." "We run with least-user privileges." etc. Let me respond to that with: it doesn't matter. Nothing is being auto-run, so there is nothing for autorun to block; the device is just typing, exactly as you would. The keystrokes land in whatever session is active and run with that user's privileges, so least privilege limits what the payload can do once it has been typed (a standard user still doesn't get an admin shell), but it does nothing to stop the typing itself. Irongeek, Adrian Crenshaw, gave a great talk this year at Defcon. Check out his website, and this page specifically. He named his attack Programmable HID USB Keystroke Dongle: PHUKD. I apologize for the language but that name sums it up quite well. Here's an excerpt from Irongeek:

So, why would a pen-tester want one?

1. Likely types faster than you can, without errors. This is important when physical access time to the target system is limited. 
2. Works even if U3 autorun is turned off. 
3. Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB keystroke dongle, and the box is popped as Dave Kennedy likes to say.
5. The HID can also be set to go off on a timer when you know a target will be logged in, or by sensor when certain conditions are met. 
6. You could embed a hub and a flash drive in your package so that you have storage and the programmable USB HID all in one nice neat package.
7. Embed your device in a USB toy or peripheral (lots of spare room in a printer or dancing USB penguin) and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
8. After your Trojan USB device is in place, program it to "wake up", mount onboard storage, run a program that fakes an error to cover what it is doing (fake BSOD for example), do its thing, then stop (leaving the target to think "it's just one of those things").

Awesome dude! Now you are asking, "how do I defend against this?" There are device-control products that stop an unrecognized device from being activated, but they only act on devices that weren't previously installed: a device that was approved once is trusted the next time, and a dongle that reports the same vendor and product IDs as an approved keyboard looks identical at enumeration time. Lots of these offerings are also commercial tools which only work on Windows and are not cheap. Speaking of Windows, don't go thinking you are safe if you use some other operating system. This style of attack will work on any platform that recognizes USB HID, and every modern operating system does, so every one of them is a potential victim.

I expect to see some defenses start popping up soon. Until then, you had better start deciding how to defend against this, and keep in mind that telling your employees "Don't use USB devices on your work computer" doesn't actually prevent them from doing it. You need that policy in place, but you must have a technical control backing it up and enforcing it. You also can't just go enforcing without the policy, so make sure you have both of them ready to deploy at the same time. If you are in a Windows environment and you want some control, check these out:
Check Point Pointsec
Lumension Device Control
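As an added example that is not from the original post, Hak5 or Irongeek, here is the shape of a technical control for the non-Windows side of the problem: a USB HID allowlist enforced through the kernel's per-device `authorized` attribute under /sys/bus/usb/devices. Any device that exposes a HID interface (bInterfaceClass 03) and whose vendor:product pair is not on the list is switched off, no matter what it calls itself. The sysfs tree the script walks is a constructed stand-in built in a temp directory so the example runs offline, and the vendor/product IDs and product strings in it are made up for the example.

```python
import tempfile
from pathlib import Path

HID_CLASS = "03"  # bInterfaceClass 0x03 = Human Interface Device (keyboards, mice)


def read_attr(path, default=""):
    """Read one sysfs-style attribute file, tolerating its absence."""
    try:
        return Path(path).read_text().strip()
    except FileNotFoundError:
        return default


def usb_devices(sysfs_root):
    """Yield (name, vid, pid, product, interface_classes) for every USB device
    under sysfs_root. Interface entries are named like 1-1:1.0, sit under their
    parent device and carry bInterfaceClass but no idVendor."""
    root = Path(sysfs_root)
    for dev in sorted(root.iterdir()):
        if not (dev / "idVendor").exists():
            continue
        classes = {read_attr(intf / "bInterfaceClass")
                   for intf in dev.glob(dev.name + ":*")}
        yield (dev.name, read_attr(dev / "idVendor"),
               read_attr(dev / "idProduct"), read_attr(dev / "product"), classes)


def enforce_hid_allowlist(sysfs_root, allowlist):
    """Deauthorize every device that exposes a HID interface and whose
    vendor:product pair is not on the allowlist. Writing "0" to a device's
    `authorized` attribute makes the kernel unconfigure it and unbind its
    drivers. Returns (allowed, blocked) lists of device names."""
    allowed, blocked = [], []
    for name, vid, pid, product, classes in usb_devices(sysfs_root):
        if HID_CLASS not in classes:
            continue  # storage, hubs, etc. are a different policy's problem
        if f"{vid}:{pid}" in allowlist:
            allowed.append(name)
        else:
            (Path(sysfs_root) / name / "authorized").write_text("0")
            blocked.append(name)
    return allowed, blocked


def build_fake_sysfs():
    """Constructed stand-in for /sys/bus/usb/devices so the example runs
    offline. Device IDs and product strings are made up for the example."""
    root = Path(tempfile.mkdtemp())

    def add(name, vid, pid, product, classes):
        dev = root / name
        dev.mkdir()
        (dev / "idVendor").write_text(vid + "\n")
        (dev / "idProduct").write_text(pid + "\n")
        (dev / "product").write_text(product + "\n")
        (dev / "authorized").write_text("1\n")  # kernel default: authorized
        for i, cls in enumerate(classes):
            intf = dev / f"{name}:1.{i}"
            intf.mkdir()
            (intf / "bInterfaceClass").write_text(cls + "\n")

    add("1-1", "046d", "c31c", "Corporate keyboard", ["03"])
    add("1-2", "0781", "5567", "Thumb drive", ["08"])                   # mass storage only
    add("1-3", "16c0", "27db", "Innocent-looking toy", ["03", "08"])    # claims a keyboard, unknown
    return root


if __name__ == "__main__":
    root = build_fake_sysfs()
    allowed, blocked = enforce_hid_allowlist(root, allowlist={"046d:c31c"})
    print("allowed:", allowed)  # ['1-1']
    print("blocked:", blocked)  # ['1-3']
    print("1-3 authorized =", read_attr(root / "1-3" / "authorized"))  # 0
```

Pointed at the real /sys/bus/usb/devices as root it does the same thing. The caveat that matters: this runs after the kernel has already configured the device, so a dongle that starts typing the instant it enumerates is racing you and can win. The robust form flips the host controller's `authorized_default` to 0 so new devices arrive disabled and only allowlisted ones get turned on, and even then a device that clones an approved keyboard's IDs walks straight through, which is why the control backs the policy up but does not replace it.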


New Operating System

I am now running BackTrack 4 R1 and enjoying the improvements that have been made to the base functionality. I still don't think I would recommend it as a primary OS for just playing with a computer, but I do like having it readily available without using a VM or a separate partition. It still isn't easy to get things like a screensaver working, but it can be done. The underlying OS is Ubuntu 8.10 and it's running the 2.6.34 kernel. It definitely isn't as slick as Ubuntu 10.04, but it's not supposed to be. Once I get some other things working I will post some "how-to" videos for those of you who might want them.

"Why Vulnerability Research Matters"

Please read this article. I cannot believe, that's a lie, we are still having this discussion. Do people really think that if there was no sponsored or white hat vulnerability research that there would be no black hat hacking? Without getting too political this seems like gun control all over again.


Smartphones and their cameras.

Isn't it handy to have that Palm/BlackBerry/iPhone/Android or whatever device that lets you automatically upload pictures to Facebook, Twitter, or anywhere public? I think these devices are pretty awesome and definitely help keep us all connected. Did you also know that your device is probably telling everyone exactly where you took your pictures? These phones embed a metadata structure called Exchangeable image file format, or Exif, in every photo they take. If you want to get particularly nerdy, you can read this link to understand more about that format. For those of you who just want a non-technical description, this is information about your image that is stored "within" the picture file: the camera make and model, when the shot was taken and, if the phone's location tagging is on, the GPS coordinates of where it was taken. For example, here's a picture of my brother and me at my sister's wedding:
This picture was taken with my Android-powered Nexus One. Examining the Exif data reveals the following:

 [Make            ] = "google"
 [Model           ] = "Nexus One"

 [GPSLatitudeRef  ] = "N"
 [GPSLatitude     ] = 39 deg 37' 0.000"
 [GPSLongitudeRef ] = "W"
 [GPSLongitude    ] = 106 deg 5' 0.000"
 [GPSAltitudeRef  ] = Above Sea Level
 [GPSDateStamp    ] = "2010:02:20"

This shows the type of device, the location and the date. To disable this "feature", check your phone's camera settings for a location or geotagging option; if you don't see one, you may have to disable GPS entirely while taking pictures. Two caveats: turning the setting off does nothing for the pictures you have already taken, which still carry their coordinates, and whether the tags survive an upload depends on the service, since some strip Exif on the way in and others pass it through untouched, so strip it yourself before posting anything you care about. If you need more information, look up your device, write to the manufacturer, and/or read this
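Added example, not the author's code: a small Exif reader written against the structure the dump above comes from (a TIFF header inside the JPEG APP1 segment, IFD0 holding Make and Model, and a GPS sub-IFD reached through tag 0x8825), together with the matching strip routine. No image from the post is available, so build_sample_jpeg constructs a minimal JPEG carrying the same fields as the dump; the byte layout is real Exif, the photo is not.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL
GPS_IFD, MAKE, MODEL = 0x8825, 0x010F, 0x0110
LAT_REF, LAT, LON_REF, LON, ALT_REF, DATE = 0x1, 0x2, 0x3, 0x4, 0x5, 0x1D


def segments(jpeg):
    """Yield (marker, start, end) for each marker segment that precedes the
    scan data; the last item is the remainder (SOS onward) with marker None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length
    yield None, pos, len(jpeg)


def find_exif(jpeg):
    """Return the TIFF blob inside the Exif APP1 segment, or None."""
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return jpeg[start + 10:end]
    return None


def strip_exif(jpeg):
    """Copy the JPEG without any Exif APP1 segment; image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
    return bytes(out)


def read_ifd(tiff, offset, end):
    """Parse one IFD into {tag: value}. Values of 4 bytes or less sit inline
    in the entry; larger ones live at a TIFF-relative offset."""
    out = {}
    for i in range(struct.unpack_from(end + "H", tiff, offset)[0]):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, entry)
        size = TYPE_SIZE[typ] * n
        pos = entry + 8 if size <= 4 else struct.unpack_from(end + "I", tiff, entry + 8)[0]
        raw = tiff[pos:pos + size]
        if typ == 2:
            out[tag] = raw.rstrip(b"\0").decode("ascii")
        elif typ == 5:
            out[tag] = [struct.unpack_from(end + "II", raw, 8 * j) for j in range(n)]
        else:
            vals = list(struct.unpack_from(end + {1: "B", 3: "H", 4: "I"}[typ] * n, raw))
            out[tag] = vals if n > 1 else vals[0]
    return out


def dms_to_decimal(dms, ref):
    """Three rationals (deg, min, sec) plus a hemisphere letter -> signed degrees."""
    d, m, s = (num / den for num, den in dms)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_location(jpeg):
    """Make/model/lat/lon/date from the GPS sub-IFD, or None if no Exif at all."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    end = {b"MM": ">", b"II": "<"}[tiff[:2]]   # byte order flag in the TIFF header
    ifd0 = read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
    info = {"make": ifd0.get(MAKE), "model": ifd0.get(MODEL), "lat": None, "lon": None, "date": None}
    if GPS_IFD in ifd0:
        gps = read_ifd(tiff, ifd0[GPS_IFD], end)
        if LAT in gps and LON in gps:
            info["lat"] = dms_to_decimal(gps[LAT], gps.get(LAT_REF, "N"))
            info["lon"] = dms_to_decimal(gps[LON], gps.get(LON_REF, "E"))
        info["date"] = gps.get(DATE)
    return info


def _ifd(entries, base):
    """Encode [(tag, type, payload, count)] as a big-endian IFD placed at TIFF
    offset `base`, with out-of-line values appended after the entry table."""
    table, extra = b"", b""
    data_start = base + 2 + 12 * len(entries) + 4
    for tag, typ, payload, n in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack(">I", data_start + len(extra))
            extra += payload + (b"\0" if len(payload) % 2 else b"")  # word-align
        table += struct.pack(">HHI", tag, typ, n) + value
    return struct.pack(">H", len(entries)) + table + b"\0\0\0\0" + extra


def build_sample_jpeg():
    """Constructed JPEG (SOI, Exif APP1, EOI, no image data) with the dump's fields."""
    rat = lambda *pairs: b"".join(struct.pack(">II", n, d) for n, d in pairs)
    gps = [(LAT_REF, 2, b"N\0", 2), (LAT, 5, rat((39, 1), (37, 1), (0, 1)), 3),
           (LON_REF, 2, b"W\0", 2), (LON, 5, rat((106, 1), (5, 1), (0, 1)), 3),
           (ALT_REF, 1, b"\0", 1), (DATE, 2, b"2010:02:20\0", 11)]
    ifd0 = lambda gps_off: [(MAKE, 2, b"google\0", 7), (MODEL, 2, b"Nexus One\0", 10),
                            (GPS_IFD, 4, struct.pack(">I", gps_off), 1)]
    ifd0_len = len(_ifd(ifd0(0), 8))                     # pointer value doesn't change the size
    tiff = b"MM\0\x2a" + struct.pack(">I", 8) + _ifd(ifd0(8 + ifd0_len), 8) + _ifd(gps, 8 + ifd0_len)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(extract_location(sample))              # lat 39.6167, lon -106.0833, date 2010:02:20
    print(extract_location(strip_exif(sample)))  # None
```

Point extract_location at a real phone photo (`open(path, "rb").read()`) and you get the same dictionary; strip_exif is what you want to run before anything leaves the phone, since it drops the whole APP1 segment rather than trying to blank individual GPS tags.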


Cool Product Updates

Guidance Software has partnered with Lofty Perch and released an updated version of EnCase aimed at the critical infrastructure world. I am interested in checking this out, since updating the forensic software is only part of the battle: the SCADA, PLC and other embedded devices still have to track, audit and store their data accurately for the forensics to be worth anything.

Metasploit and Rapid7 have been churning out massive functionality: VxWorks exploits, PHP Meterpreter, and much more. Metasploit has been growing by leaps and bounds since the Rapid7 acquisition. I would love to get hold of Nexpose and try some of this stuff out. If anyone has experience with these software packages, I would love to hear about it.