Attacking The USB Vector

•

0 likes•1,012 views

The following presentation explores the ability to attack the USB vector using USB toolkits and HID devices. The presentation also looks at what is necessary to defend against these attacks

Technology

Quick Scope
● Information given with an emphasis on Windows 7
● Presentation will focus on USB attacks and
countermeasures
● Presentation will cover countermeasures tailored to USB
defense, rather than all potential defenses

Basic USB Process
● Device connected
● Address designation
● Descriptors read
● Configurations established
● Device is ready for use

USB Attacks
● USB Toolkit
● HID USB Devices

USB Toolkits (USB Attacks)
● Easy To Use
● Modular
● Versatile
● Not Always Easily Detectable

USB Toolkits (USB Attacks cont.)
● Hacksaw
– Easy to set up
– Modular
– Most successful versions rely on U3 technology
● Katana
– Offers bootable OS

HID Devices (USB Attacks)
● Abuse the trust relationship between human and
machine
● Devices that rely on input device emulation
● Allows keyboard input at faster rates than humans
● Attacks generally work on anything with a USB port that
takes in input

HID Devices (USB Attacks)
● USB Rubber Ducky
– Open Source
– Configurable
– Offers opportunity to alter firmware to modify device
functionality
– Anything that can be done from a keyboard, can be
emulated by this device

Notable USB Malware
● Stuxnet
– Propagates mainly via USB
– Avoids network traffic
– Updates and acts via C&C
– Infects intelligently
– Made to infect SCADA and Windows systems using
zero day exploits (at least 4)
– Modified behavior based on AV vendors

Countermeasures
● Security Policy
● Personnel
● Physical
● Firmware
● Software
● System Policy
● Host/Network Specific

Security Policy (Countermeasure)
● Who is allowed where
● Where USB devices are allowed/disallowed
● Specifications on what USB devices may be used
● Company provided USB drives

Personnel (Countermeasure)
● EDUCATION!!!
– Don't use dropped USB drives. TURN THEM IN!
– Don't use admin account when unnecessary
– If you're not using your computer, lock it!
– Use a password
– Educate why ALL of these things are important!

Physical (Countermeasure)
● Critical machines should
be in a locked and
monitored environment
● Personnel to ensure
device tampering doesn't
happen
● USB Port Locks
● Chassis Lock

Firmware (Countermeasure)
● Password Firmware
Access
● Lower USB on the Boot
Order

Firmware (Countermeasure)
● Disable USB If It Is Not
Needed

Firmware (Countermeasure)
● Chassis Intrusion
Detection

Software (Countermeasure)
● AV
– Password the AV where possible
● USB port scan software

Policy (Countermeasure)
● Disable Autorun for all
● Enforce UAC
● Whitelisting/Blacklisting
● Autorun.inf parsing

Host/Network Specific
(Countermeasures)
● Network AV
● Firewalls
● HIDS/HIPS

Ecology based Countermeasures
● Military and Government Computers
● Enterprise Based Computers
● Public Computers
● Personal Computers

After Thoughts
● Security of Whitelisting: how secure is it?
● AV vs. Custom Malware
● Countermeasure effectiveness vs. convenience
● USB Banning vs. restricting
● How to spread this knowledge to those who don't know it
is needed?
● Is it possible to stop an attack, even with these
countermeasures in an espionage-prone environment?

Similar to Attacking The USB Vector

Hacking and Forensics on the Go - 44CON 2012

44CON

wanna be h4ck3r !

Eslam El Husseiny

Embedded Linux Systems Basics

Max Henery

This presentation talks about OWASP Mobile Risk M2 i.e. Insecure Data Storage. The agenda of the presentation is to understand the Data Storage and effect of insecure data storage. Then it also had demo's of known insecure data storage flaws. Methods to identify this flaw and various precautions that a developer should take to prevent this flaw. The presentation was done as part of null/OWASP/G4H Monthly Meet

Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014

Anant Shrivastava

Microcontrollers as an emerging attack platform: Offense and Defense. Presentation was given at Philadelphia Region Electronic Crimes Task Force. Presentation is intended to provide an overview of the new and emerging technologies that can be used to circumvent traditional anti-virus and malware detection software. Discussed techniques can also be used as a method for covert data exfiltration.

Microcontroller mayhem - ECTF & USSS 2011

warezjoe

Fear and Loathing on your Desk: BadUSB, and what you should do about it Presented at Kiwicon 9, 10-11 December 2015, Wellington New Zealand. For over 15 years USB has been the universal computing peripheral interface. In simpler times the host computer and the USB device trusted each other, and so USB implementations historically placed little emphasis on security issues. But what if malicious firmware were loaded into a USB device? How can you protect yourself from BadUSB? This talk will review public implementations of BadUSB, and (the distinct lack of) available defensive techniques. A hardware gadget will then be presented to make most of your problems...disappear.

BadUSB, and what you should do about it

robertfisk

Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution. During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet. All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...

CODE BLUE

The Deck by Phil Polstra GrrCON2012

Philip Polstra

CISSP Week 14

jemtallon

ELC_NA-2015-AFT_for_CI-Igor.Stoppa

Igor Stoppa

Endpoint Security Shifting Paradigms 5

tafinley

Introduction to Firmware

Caroline Murphy

Day1 ubuntu boot camp

Darlene Parker

Lecture 7 - Security

Alexandru Radovici

Infrastructure Security

UTD Computer Security Group

Usb Control

tafinley

Cloud Security with LibVMI

Tamas K Lengyel

Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July. Watch the webinar here - https://youtu.be/BQWcUjzxJE0 Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources

OWASP Delhi

Getting started with hacking android & i os apps tools, techniques and re...

n|u - The Open Security Community

Web application security and why you should review yours, is a whole stack look skydive without a parachute, let's try not to die as we explore what is an attack surface, Arcronym hell, Vulnerability naming, Detection or provention is there a place for both or none, emerging oss technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or as often happens the backup video.

Ple18 web-security-david-busby

David Busby, CISSP

Similar to Attacking The USB Vector (20)

Hacking and Forensics on the Go - 44CON 2012

wanna be h4ck3r !

Embedded Linux Systems Basics

Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014

Microcontroller mayhem - ECTF & USSS 2011

BadUSB, and what you should do about it

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...

The Deck by Phil Polstra GrrCON2012

CISSP Week 14

ELC_NA-2015-AFT_for_CI-Igor.Stoppa

Endpoint Security Shifting Paradigms 5

Introduction to Firmware

Day1 ubuntu boot camp

Lecture 7 - Security

Infrastructure Security

Usb Control

Cloud Security with LibVMI

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources

Getting started with hacking android & i os apps tools, techniques and re...

Ple18 web-security-david-busby

Recently uploaded

Join me in this session where I'll share our journey of building a fully serverless application that flawlessly managed check-ins for an event with a staggering 80 thousand registrations. We'll dive into three key strategies that made this possible. Firstly, by harnessing DynamoDB global tables, we ensured global service availability and data replication across regions, boosting performance and disaster recovery. Next, we'll explore how we seamlessly integrated real-time updates into the app using Appsync subscriptions, making the experience dynamic and engaging for users. Finally, I'll discuss how provisioned concurrency not only improved performance but also kept costs in check, highlighting the cost-effectiveness of serverless architectures. Through these strategies and the inherent scalability of serverless technology, our application effortlessly handled massive user loads without manual intervention. This session is a real world example to the power and efficiency of modern cloud-based solutions in enabling seamless scalability and robust performance with Serverless

How we scaled to 80K users by doing nothing!.pdf

Srushith Repakula

The Metaverse: Are We There Yet?

Mark Billinghurst

Oauth 2.0 Introduction and Flows with MuleSoft

shyamraj55

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Julian Hyde

Speed Wins: From Kafka to APIs in Minutes

confluent

Intro in Product Management - Коротко про професію продакт менеджера

Mark Opanasiuk

Webinar Recording: https://www.panagenda.com/webinars/easier-faster-and-more-powerful-notes-document-properties-reimagined/ Have you ever felt frustrated by the small properties dialog in Notes? Had to create an agent or button to quickly change a field? Searched endlessly for the field you wanted to compare each time you selected a new document? Wished you could just make the damned thing bigger? Luckily, there is a solution – and you probably already have it installed! With the free panagenda Document Properties (Pro) you get the properties dialog you always needed. Big, resizable, full-text searchable. View multiple documents at once or compare them with a diff viewer. Modify any field, and finally have an easy way to handle profile documents for all users. Join HCL Lifetime Ambassador Julian Robichaux to discover how Document Properties can simplify your work and assist you daily when using Domino applications – in the client or the designer. You will never look back! Key takeaways from this session - What Document Properties is, which editions there are, and how you can find it in Notes and Domino Designer - How you can search for and edit any field, compare documents, or CSV export all data - How to find, edit, and even delete profile documents - Which configuration settings are available to customize feature

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

panagenda

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

FIDO Alliance

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

ScyllaDB

Microsoft CSP Briefing Pre-Engagement - Questionnaire

Exakis Nelite

PLAI - Acceleration Program for Generative A.I. Startups

Stefano

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

FIDO Alliance

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

FIDO Alliance

Are you wondering why everyone is talking about the Flutterwave scandal? You’re not alone! It’s been in the news a lot. We’re going to tell you all about the Flutterwave Scandal in a way that’s easy to get. Keep reading, because we’re going to share the whole story with you. The company Flutterwave is headquartered in San Francisco, California, United States. In 2016, Iyinoluwa Aboyeji, Olugbenga Agboola, and Adeleke Adekoya established Flutterwave. It offers a payment infrastructure to international merchants and payment service providers throughout Africa. The company operates in various African countries including Nigeria, Kenya, Uganda, Ghana, South Africa, and others. They focus on digital payments, helping businesses accept and process payments on various channels like the web, mobile, ATM, and POS. Recently, they’ve been in the news due to allegations of misconduct within the company, which has affected their reputation and value. Flutterwave is an essential player in the African fintech landscape, aiming to drive growth for banks and businesses through digital payment solutions. The Flutterwave scandal involves allegations of misconduct and inappropriate behaviour towards female employees by the company’s co-founder and CEO, Olugbenga Agboola. Reports have surfaced from both current and former employees about bullying, intimidation, and sexual harassment at work. The allegations of inappropriate behaviour towards female employees at Flutterwave, specifically involving the CEO Olugbenga Agboola, were brought to public attention in April 2022.This was when Clara Wanjiku Odero, an ex-employee and current CEO of Credrails, published a Medium post and a series of tweets on April 4, 2022, accusing Flutterwave and Agboola of bullying. These allegations were part of a broader range of misconduct claims that surfaced around the same time The reasons behind the scandal are rooted in accusations of unethical behavior within the company. The allegations suggest a workplace culture that allowed for misconduct and failed to protect employees from harassment and intimidation. Specifically, the Flutterwave scandal refers to the series of events where the CEO was accused of engaging in improper conduct with female colleagues. This led to a broader investigation into the company’s practices and raised serious concerns about the fintech’s corporate governance. The scandal had significant repercussions, including a drop in the company’s stock price and a loss of trust among customers and partners. The trust that customers and investors had in Flutterwave was greatly damaged. People started to doubt the company’s integrity and whether their money and personal information were safe. Market Impact The scandal shook the entire fintech market. Flutterwave’s competitors saw this as an opportunity and started to attract customers who were leaving Flutterwave.

Breaking Down the Flutterwave Scandal What You Need to Know.pdf

UK Journal

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

FIDO Alliance

Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf

FIDO Alliance

This talk offers actionable insights at an executive level for enhancing productivity and refining your portfolio management approach to propel your organization to greater heights. Key Points Covered: 1. Experience Transformation: - The core challenge remains consistent across organizations: converting budget into user-centric designs. - Strategies for deploying design resources effectively in both startups and large enterprises. 2. Strategic Frameworks: - Introduction to the "Ziggurat of Impact" model, detailing layers from basic system interactions to comprehensive customer experiences. - Practical insights on creating frameworks that scale with organizational complexity. 3. Organizational Impact: - Real-world examples of navigating design in large settings, focusing on the synthesis of consumer products and customer experiences. - Emphasis on the importance of designing systems that directly influence customer interactions. 4. Design Execution: - Detailed walkthrough of organizational layers affecting design execution, from touchpoints and customer activities to shared capabilities. - How to ensure design influences both the micro and macro aspects of customer interactions. 5. Measurement and Adaptation: - Techniques for measuring the impact of design decisions and adapting strategies based on data-driven insights. - The critical role of continuous improvement and feedback in refining customer experiences.

Structuring Teams and Portfolios for Success

UXDXConf

What's New in Teams Calling, Meetings and Devices April 2024

Stephanie Beckett

When you think of a highly secure meeting environment, do you instantly think 'Microsoft Teams'!? Or do you think about some unknown application, troublesome UI and daunting login process...? If you think the latter - let's change that! In this session Femke will show you how using Teams Premium features can create secure, but also good looking meetings! PRETTY. Make sure your company's brand is represented before, during and after the meeting with Customization policies in place. SECURE. Lets utilize Meeting templates and Sensitivity Labels to protect your meeting and data to prevent sensitive information from being leaked. After this session, you will have a clear understanding of the capabilities of Teams Premium features and how to set up the perfect meeting that suits your organizational requirements!

ECS 2024 Teams Premium - Pretty Secure

Femke de Vroome

Recently uploaded (20)

How we scaled to 80K users by doing nothing!.pdf

The Metaverse: Are We There Yet?

Oauth 2.0 Introduction and Flows with MuleSoft

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Speed Wins: From Kafka to APIs in Minutes

Intro in Product Management - Коротко про професію продакт менеджера

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Optimizing NoSQL Performance Through Observability

Microsoft CSP Briefing Pre-Engagement - Questionnaire

PLAI - Acceleration Program for Generative A.I. Startups

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

Breaking Down the Flutterwave Scandal What You Need to Know.pdf

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf

Structuring Teams and Portfolios for Success

What's New in Teams Calling, Meetings and Devices April 2024

ECS 2024 Teams Premium - Pretty Secure

Attacking The USB Vector

1. Attacking the USB Vector Brandon Greene

2. Quick Scope ● Information given with an emphasis on Windows 7 ● Presentation will focus on USB attacks and countermeasures ● Presentation will cover countermeasures tailored to USB defense, rather than all potential defenses

3. Basic USB Process ● Device connected ● Address designation ● Descriptors read ● Configurations established ● Device is ready for use

4. USB Attacks ● USB Toolkit ● HID USB Devices

5. USB Toolkits (USB Attacks) ● Easy To Use ● Modular ● Versatile ● Not Always Easily Detectable

6. USB Toolkits (USB Attacks cont.) ● Hacksaw – Easy to set up – Modular – Most successful versions rely on U3 technology ● Katana – Offers bootable OS

7. HID Devices (USB Attacks) ● Abuse the trust relationship between human and machine ● Devices that rely on input device emulation ● Allows keyboard input at faster rates than humans ● Attacks generally work on anything with a USB port that takes in input

8. HID Devices (USB Attacks) ● USB Rubber Ducky – Open Source – Configurable – Offers opportunity to alter firmware to modify device functionality – Anything that can be done from a keyboard, can be emulated by this device

9. Attack Device Demo

10. Notable USB Malware ● Stuxnet – Propagates mainly via USB – Avoids network traffic – Updates and acts via C&C – Infects intelligently – Made to infect SCADA and Windows systems using zero day exploits (at least 4) – Modified behavior based on AV vendors

11. Countermeasures ● Security Policy ● Personnel ● Physical ● Firmware ● Software ● System Policy ● Host/Network Specific

12. Security Policy (Countermeasure) ● Who is allowed where ● Where USB devices are allowed/disallowed ● Specifications on what USB devices may be used ● Company provided USB drives

13. Personnel (Countermeasure) ● EDUCATION!!! – Don't use dropped USB drives. TURN THEM IN! – Don't use admin account when unnecessary – If you're not using your computer, lock it! – Use a password – Educate why ALL of these things are important!

14. Physical (Countermeasure) ● Critical machines should be in a locked and monitored environment ● Personnel to ensure device tampering doesn't happen ● USB Port Locks ● Chassis Lock

15. Firmware (Countermeasure) ● Password Firmware Access ● Lower USB on the Boot Order

16. Firmware (Countermeasure) ● Disable USB If It Is Not Needed

17. Firmware (Countermeasure) ● Chassis Intrusion Detection

18. Software (Countermeasure) ● AV – Password the AV where possible ● USB port scan software

19. Policy (Countermeasure) ● Disable Autorun for all ● Enforce UAC ● Whitelisting/Blacklisting ● Autorun.inf parsing

20. Host/Network Specific (Countermeasures) ● Network AV ● Firewalls ● HIDS/HIPS

21. Ecology based Countermeasures ● Military and Government Computers ● Enterprise Based Computers ● Public Computers ● Personal Computers

22. After Thoughts ● Security of Whitelisting: how secure is it? ● AV vs. Custom Malware ● Countermeasure effectiveness vs. convenience ● USB Banning vs. restricting ● How to spread this knowledge to those who don't know it is needed? ● Is it possible to stop an attack, even with these countermeasures in an espionage-prone environment?

23. Why Should You Care?

Attacking The USB Vector

Recommended

Recommended

More Related Content

Similar to Attacking The USB Vector

Similar to Attacking The USB Vector (20)

Recently uploaded

Recently uploaded (20)

Attacking The USB Vector