Attack: USB could be the death of me

By Victor R. Garza, Contributor
01 Aug 2005 | SearchSecurity.com


LAS VEGAS -- Seemingly innocuous devices pose a considerable security threat to your company's crown jewels, according to researchers who identified two new bugs in the Microsoft Windows XP Universal Serial Bus [USB] driver.

SPI Dynamics security engineers David Dewey and Darrin Barrall, speaking at last week's Black Hat security conference, discussed two USB driver bugs that could easily lead to a daunting security compromise. In "Plug and Root, the USB Key to the Kingdom," they showed how easy it is to transform a common USB storage device into what is essentially a hardware-based Trojan.

While physical proximity to a machine could lead to easy compromise, Dewey said physical compromise is usually risky and visible. A USB-based Trojan, however, can allow for full data compromise with less than 10 seconds of physical access. In one example cited, a retail point-of-sale terminal has a USB port on the monitor: an attacker can discreetly plug in the USB device, wait 10 seconds while a monitoring program downloads, and then leave the scene. After a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal, for "two, 10-second attacks that no one ever saw."

Another example cited is to simply put out a fishbowl of free USB devices that look like thumb-drive freebies at a conference, or typical "marketing swag," as a way to effectively distribute a rootkit that sends information back to the malicious attacker. Dewey stated "someone walks by, picks this up and they root themselves" -- alluding to having the device "phone home" and transport information after a USB device is inserted into a victim's PC.

A third example is a SneakerNet worm, where an unknowingly infected individual moves unauthorized 'Paris Hilton' images via a thumb drive circulated amongst co-workers.

Dewey stated these were only a few of many simple ways a malicious individual could leverage USB devices to his benefit with the "Walk-Up-and-Own" attack vector.

While this type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices, Dewey showed how to make a USB device look non-removable via in-system programming typically used to update USB device firmware. Dewey suggests countering USB-based attacks by disabling Windows XP AutoRun functionality.
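As an added illustration of the AutoRun countermeasure above (not code from the article or the presenters): Windows controls AutoRun per drive type through the Explorer policy value NoDriveTypeAutoRun, in which each set bit disables AutoRun for one drive type. The script below decodes a mask and reports which drive types the policy leaves unblocked; the function names are illustrative and the sample masks are constructed inputs.

```python
# Added example: audit the Windows Explorer policy value NoDriveTypeAutoRun.
# Each SET bit disables AutoRun for one drive type; 0xFF disables it for all.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def unblocked_types(mask):
    """Drive types for which this mask does NOT disable AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit(mask):
    """Summarise one policy value; compliant only if every type is blocked."""
    open_types = unblocked_types(mask)
    return {"mask": f"0x{mask & 0xFF:02X}", "unblocked": open_types,
            "compliant": not open_types}


def read_policy_mask():
    """Read the machine-wide value on Windows; None if unset or not Windows."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
    except (ImportError, OSError):
        return None
    # The value may be stored as REG_DWORD (int) or REG_BINARY (bytes).
    return value if isinstance(value, int) else int.from_bytes(value[:4], "little")


# Constructed sample masks (not taken from the article).
SAMPLES = {"network+unknown only": 0x91, "removable also blocked": 0x95,
           "all types blocked": 0xFF}

if __name__ == "__main__":
    live = read_policy_mask()
    if live is not None:
        SAMPLES["this machine (HKLM)"] = live
    for label, mask in SAMPLES.items():
        print(label, audit(mask))
```

A mask that blocks removable drives but leaves the fixed bit (0x08) clear, such as 0x95, does not cover a USB device that presents itself as non-removable, which is the case the article describes; 0xFF blocks every drive type.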

Subsequently, Darrin Barrall presented the hardware "Meta-USB" device, which the team constructed as a tool to attack an OS kernel. The so-called Meta-USB device can emulate other USB devices whose device drivers are typically written with, and assumed to be trusted by, the operating system.

While the Meta-USB device is constructed so it can look like any USB device supported by the Windows operating system, Dewey stated these issues are not specific to Windows. "We'll be able to target some Windows specific drivers that are by default installed, [on Windows] 2000 and later, and we will target those. This same device that we have, however, is USB 2.0 compliant and can be tested against Linux, OS X, whatever you want."

An anonymous source close to the issue said that what was shown was only the tip of the iceberg and that a device like the Meta-USB could be used to "own the box" with much more ease than the presenters described.

Victor R. Garza is a technology/security consultant and lecturer at the Naval Postgraduate School in Monterey, Calif.
