[HN Gopher] Usbkill - anti-forensic tool to halt computer when n...
       ___________________________________________________________________
        
       Usbkill - anti-forensic tool to halt computer when new USB device
       is connected
        
       Author : berkas1
       Score  : 327 points
       Date   : 2020-08-06 09:39 UTC (13 hours ago)
        
        
       | brian_herman wrote:
       | I thought this was https://usbkill.com/ I think maybe this would
       | be more effective in anti-forensic because it actually destroys
       | the computer?
        
         | csunbird wrote:
         | Gets the work done, somehow.
        
       | numlock86 wrote:
       | Obligatory $5 wrench comment: https://xkcd.com/538/
       | 
       | Something like this is probably good when you - as a person - are
       | not around when your hardware gets extracted from your place. But
       | then again, why would it be running openly and unattended in the
       | first place?
        
         | ex_amazon_sde wrote:
         | Can we please stop endlessly repeating this? Life is much more
         | complex than that.
         | 
         | A small laptop, a phone or a tablet can be stolen from you
         | while powered on and unlocked by a simple thief that has no
         | intention, nor ability, to capture and torture you.
         | 
         | The thief could then quickly hand the device to other people
         | that flash it and sell it in a different country. But first
         | they might extract any valuable data.
        
           | numlock86 wrote:
           | > Life is much more complex than that.
           | 
           | > [...] a simple thief that has no intention, nor ability, to
           | capture and torture you
           | 
           | By your comment I assume you live in a developed country
           | and/or are not within a regularly oppressed minority, which
           | of course, is a nice privilege. Sadly not everyone is that
           | lucky and torture over something simple as $1 online
           | transactions is pretty real.
        
             | Nasrudith wrote:
              | That isn't privilege but a matter of the threat model to
              | protect against - stop with the irrelevant pseudomoralist
              | privilege shaming shit.
             | 
              | If they wanted protection against that they would
              | recommend a gun or several mercenary bodyguards. Which
             | would require money and connections. But the topic isn't
             | "How to quickly kill or incapacitate three or more men with
             | only your barehands while having legal cover".
        
         | dividedbyzero wrote:
         | In many places, law enforcement will pressure but not torture
         | you to provide decryption keys, maybe imprison you for a while,
         | fine you, ...
         | 
          | But that may be preferable to them knowing about all those
         | highly illegal nuclear doomsday space arms technology knowledge
         | deals you've brokered, or that collection of child porn, or
         | those detailed assassination plans, or whatever. Maybe the
         | authorities suspect something, maybe a SWAT team will snatch
         | your laptop, but if all evidence is in there and encrypted, you
         | may get off with a lot less than otherwise.
        
           | kwhitefoot wrote:
           | In the UK you might well be in prison for five years for
           | refusing to hand over the keys.
           | 
           | https://www.schneier.com/blog/archives/2007/10/uk_police_can.
           | ..
           | 
           | Not sure what the situation is now.
        
             | DanBC wrote:
             | Section 49 to force key disclosure should only happen if:
             | 
             | + The person being given the notice has the key
             | 
             | + Investigators need the key to prevent or detect crime
             | 
             | + Disclosure is proportionate
             | 
             | + They can't get the encrypted material by other means
             | 
              | Not complying with this is a criminal offence. The maximum
             | sentence is 2 years, unless it's a case involving child
             | sexual exploitation or national security where the maximum
             | sentence is 5 years.
             | 
             | There is a code of practice for use of these powers here:
             | https://www.gov.uk/government/publications/code-of-
             | practice-...
             | 
             | I think that properly regulated key disclosure powers are
             | important. I'm not sure we're (the UK) are getting it right
             | with RIPA. I'd want to see stronger audit and oversight of
             | the S49 notices, and better advice given to people who are
             | served S49 notices.
             | 
             | For example: I have no idea how many people are served S49
             | notices, and I don't really know how to find out. I don't
             | know how many people have been imprisoned for not
             | disclosing keys; I don't know what sentences they've been
             | given; and I'm not clear on how to find that out. I feel
             | that it should be easier for citizens to have clear data
             | about these really intrusive powers.
             | 
             | EDIT: I just found this page, and it seems like it's small
             | numbers of people. But still, it's a bit worrying. https://
             | wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
        
               | Jaruzel wrote:
               | > _Investigators need the key to prevent or detect crime_
               | 
               | That's a bit scary. 'Detect crime' could be pure
                | speculation on the police's part.
               | 
               | "We think you've done something bad, let us see the
               | contents of your phone. No we don't have any evidence
               | already as we're detecting the crime right now."
        
               | DanBC wrote:
               | I'm not sure that would be proportionate.
               | 
               | It's not great, but it's better than before where this
               | kind of crime detection had much less regulation.
        
               | tupac_speedrap wrote:
               | Get out spook.
        
             | worewood wrote:
             | Hidden operating system is the way to go. Usbkill turns the
             | machine off, when asked you supply the public password.
        
               | londons_explore wrote:
               | Investigators will say "you sent this email to your dad
               | at 09:29 on Tuesday, yet it wasn't sent from your phone
               | or laptop according to device logs. You either have
               | another device you haven't given us, or you haven't
               | decrypted the right partition".
        
               | ta17711771 wrote:
               | You sent shit to your dad from the wrong
               | machine/partition.
        
               | R0b0t1 wrote:
               | "Prove it."
        
               | Nasrudith wrote:
                | Bootdrives with no cache are the perfect answer to this
                | through a lawyer. "USB boot drive. There are no logs kept
               | to it. I'm not hiding anything, it is just good sense to
               | use a computer which doesn't persist any state limiting
               | any malware to session only in the very worst case."
        
           | tyingq wrote:
           | Veracrypt has a hidden volume feature where you give up a
           | distress key, and a hopefully plausible second volume is
           | decrypted instead of the real one.
        
           | giomasce wrote:
           | Also, you can decide to reveal your secret after having
           | discussed the matter with a lawyer.
        
         | berkas1 wrote:
          | This (link) is actually referred to as Rubber-hose
          | cryptanalysis -> https://en.wikipedia.org/wiki/Rubber-
          | hose_cryptanalysis
        
       | gamblor956 wrote:
        | Destroying evidence is considered a crime on its own. Use
       | something like this at your own legal risk, since it's usually
       | far easier to prove obstruction than it is to prove the
       | underlying crimes that were being investigated.
        
       | captainmuon wrote:
       | Interesting project, I'm sure this is useful for people at risk.
       | 
       | Somewhat related, I'm wondering about the physical security of
       | computers. There is an attack where they open your PC, take out
       | the ram, and freeze it immediately so the bits don't decay and
       | they can extract your encryption keys.
       | 
        | All BIOSes have an option for chassis intrusion detection, but
       | I've never seen a case that has the necessary cable. Has anybody
       | here set up a chassis intrusion kill switch that erases the
       | RAM/shuts down the PC etc. if the case is opened improperly? Can
       | you buy anything like this on the market?
        
         | alfiedotwtf wrote:
          | Back in the BBS days, there were textfiles describing how to
         | wire your beige box to either turn on strong magnets or ignite
         | termite if a case was detected.
         | 
         | ... I don't know of anyone actually implementing this though :)
        
           | geerlingguy wrote:
           | I would imagine that's thermite and not termite ;)
           | 
           | If the latter, the server would probably be okay, and it
           | would take a very long time for the termites to damage the
           | surrounding room enough to be a security deterrent.
        
             | DoofusOfDeath wrote:
             | Probably just a debugging technique.
        
               | hinkley wrote:
               | Well, it certainly complicates debugging.
        
               | Teknoman117 wrote:
               | or a _bugging_ technique?
        
             | kibwen wrote:
             | Nah, it's termite. You're trying to destroy your logs,
             | right?
        
           | Fjolsvith wrote:
           | This was a plot device used in the TV series _Mr. Robot_
           | Season 2, Episode 3, about 27 minutes in.
        
           | Nasrudith wrote:
           | I think in most cases the thermite trap would probably get
           | you into more trouble for ATF violations and not even help by
           | adding destruction of evidence and whatever they imagined was
           | on the drive unless you had some authority like security
            | clearance and classified documents or some sort of legal
           | pretext to justify uses of such flammable boobytraps.
        
           | codezero wrote:
           | It's funny when I think back, I was a teen in the 90s and did
           | plenty of questionable stuff online and w/ local BBS scene
           | (Kevin Mitnick was busted in Raleigh and many rumors existed
           | about his presence in the BBS scene, obviously fantasy
           | though!).
           | 
           | Nobody I know who got arrested ever managed to destroy
           | anything. When I think about it, we all assumed the cops
           | would storm in when we were in the act of doing something
           | bad, probably like in the movies lol, when in practice, they
           | tend to pick you up when you are really off guard, duh.
           | 
           | Very few people had automatic protections because like, our
           | parents would probably get mad if we burned down the house :)
           | 
           | When it came to me, the FBI did knock on my front door, and I
           | managed to dd if=/dev/random of=/dev/hda
           | 
           | I lost my entire BBS, all the custom code and ANSI I had for
           | it, among other ancient treasures that I'd probably still
           | have with my napster mp3s :)
           | 
           | Of course they didn't come for me, there had been a flasher
           | in the neighborhood on halloween...
        
             | jandrese wrote:
             | The FBI was investigating a flasher?
        
               | codezero wrote:
               | I could be remembering incorrectly, but it may have been
               | reoccurring or not even really the FBI, but state police
               | or something and my parents said it was the FBI.
               | 
               | I only saw people in suits with a black car outside
               | knocking on the door, also this was like 30 years ago so
               | don't twist my arm :)
        
           | luckylion wrote:
           | Some ideas have been tested, there was an entertaining talk a
           | few years back at DefCon:
           | https://www.youtube.com/watch?v=-bpX8YvNg6Y
        
         | [deleted]
        
         | asimpletune wrote:
         | Touch Bar MBP's are protected against this right?
        
         | [deleted]
        
         | osivertsson wrote:
         | I doubt there is a need to open the case for a sophisticated
         | attacker. If there is even the slightest opening for air you
         | can run camera optics and freeze spray tubes to RAM I would
         | imagine.
        
           | NovemberWhiskey wrote:
           | This is why security-sensitive devices are often encapsulated
           | and potted in epoxy or similar.
        
         | seanhunter wrote:
         | Here's details of this attack for people who want more details
         | https://citp.princeton.edu/our-work/memory/
         | 
         | If memory serves correctly they achieved the best results by
         | using a can of compressed air to freeze the ram in place before
         | removal.
         | 
         | //Small edit to wording
        
           | close04 wrote:
           | Many of the measures that provide effective physical security
           | also make a device really unsuited for personal usage. Look
           | at HSMs for an example of this. And even they rely on being
           | stored in a physically secure room and protected from theft.
           | 
           | It's a matter of being more determined than your attacker.
           | Imagine a device that will irretrievably brick itself if
           | tilted more than a certain angle, if left unpowered for more
           | than a certain time, etc. and that has to be under constant
           | guard. This seems almost incompatible with any kind of
           | personal use. And some measures may only work in one
           | instance, with the attacker planning for them the second time
           | they have an operation.
           | 
           | Many attackers also don't have the same restrictions the
            | police have. In the Ulbricht case the police may have been
           | forced to use a device that copies the data with no human
           | intervention just to preserve the chain of evidence and not
           | have suspicions that the agent operating the laptop altered
           | it while installing additional software. An attacker
           | operating in the grey/dark area might just immobilize the
           | user, snip the wrist cable, and then retrieve the necessary
           | data either directly at the console or by siphoning it via
           | the network. Or the police may just start video recording in
           | great detail every step from the moment an agent touched the
           | laptop until the data was exfiltrated to remove suspicions of
           | tampering.
           | 
           | But such a tool would be of great effect against an
           | undetermined, unsophisticated attacker committing a crime of
           | opportunity.
        
             | zzz61831 wrote:
             | Personal computers have an advantage here: it is acceptable
             | for them not to work when they are not directly used by
             | someone. It means they can be stored in safes when not used
             | and have all the encryption keys securely erased when not
             | used. For example, a screen locker could stop all the
             | processes and erase all the keys from registers and memory
             | assuming both disk and memory encryption. And the locker
             | itself could be triggered by some proximity sensor, RFID,
             | camera, whatever, not just input inactivity timeout.
        
               | close04 wrote:
               | Storing your personal computer in a safe when not using
               | it is probably the very definition of "almost
               | incompatible with any kind of personal use". And at this
               | point you just move the weak link from the device to the
               | safe's lock. HSM-like physical security is good for
                | making the device tamper proof and ensuring that no data
               | can be retrieved under any circumstances other than the
               | one accepted "regular use" way.
               | 
               | Putting a regular device in a safe leaves it exposed to
               | someone unlocking the safe and compromising the device by
               | implanting a keylogger inside or even by putting a
               | replacement identical device there and waiting for the
               | user to type the boot password.
               | 
               | As for methods of emergency clearing sensitive data from
               | memory while in operation, whatever method is employed
               | will work once. The next time the attacker is ready for
               | that particular method. For example the police might just
               | have to completely immobilize the suspect (and their
               | hands) and keep the laptop in the vicinity while the
               | "dead man's switch" is bypassed.
        
             | hinkley wrote:
             | > And even they rely on being stored in a physically secure
             | room and protected from theft.
             | 
             | Not exactly. You don't want someone sneaking in and
             | misappropriating the HSM to authorize something bad. And if
             | you set the system up for unattended recovery from a power
             | failure, then in all likelihood someone walking off with
             | the server the HSM is in can use those keys indefinitely.
             | But there are options.
             | 
             | Some HSMs have self-destruct mechanisms that attempt to
             | prevent physical access to the private key (ie by lapping
             | the chip). Some vendors (nCipher, IIRC) have a smart card
             | (a second HSM) that is required to authorize certain
             | activities, like signing, or key recovery. In fact they had
             | a byzantine generals solution that either had the key or a
             | password for the key split between n cards. In the latter
             | case you needed one of the original HSMs in order to clone
             | the key, so a movie plot where you kidnap the entire team
             | at a conference doesn't work. During initial setup the cert
             | would be generated on the first HSM and copied to the
             | others, having never seen daylight.
             | 
             | That system was quite difficult to explain to users, and I
              | had to document it just so _I_ wouldn't get confused and
             | trigger a reset of the evaluation hardware (at which point
             | all of our test artifacts have to be rebuilt).
             | 
             | It might be more complicated to start WWIII than to protect
             | a signing certificate, but only just.
        
               | close04 wrote:
               | > Not exactly. You don't want someone sneaking in and
               | misappropriating the HSM to authorize something bad.
               | 
               | I think we're talking about exactly the same thing :).
               | That's what I meant by "even they rely on being stored in
               | a physically secure room and protected from theft".
               | Despite all the hardening that is applied to the device,
               | it must always be kept secure and supervised. As an
               | example, this is what Safenet considers the intended
               | installation environment should be [0].
               | 
               | This can't be effectively applied to a personal computer.
               | 
               | [0] http://cloudhsm-safenet-docs-5.3.s3-website-us-
               | east-1.amazon...
        
           | claudiawerner wrote:
           | Does anyone have pointers as to whether this is even possible
           | with DDR4 on modern machines?
        
             | aaron695 wrote:
             | I think the real question is has it ever been used in the
             | wild on any DDR?
             | 
             | "In recent years, however, it has become increasingly
             | challenging to execute cold boot attacks or perform
             | physical memory forensics due to the introduction of DRAM
             | memory scramblers. Modern processors with DDR3 and DDR4
             | DRAM scramble data by XOR'ing it with a pseudorandom number
             | before writing it to DRAM [5], [6]. These scramblers were
             | initially introduced to mitigate the effects excessive
             | current fluctuations on bus lines by ensuring bits on the
             | memory bus transition nearly 50% of the time"
             | 
             | DDR4 is also yes in the lab -
             | 
             | https://web.eecs.umich.edu/~misiker/resources/HPCA17-coldbo
             | o...
        
         | Asmod4n wrote:
         | Chenbro makes cases with intrusion detection, bought one nearly
         | 20 years ago and they still make similar ones:
         | http://www.chenbro.com/en-global/products/TowerServerChassis...
        
         | macNchz wrote:
         | I have a Lenovo M93P Tiny which came with a chassis intrusion
         | switch installed. It seems you can have it block
         | startup/require a password when the case is opened and notify
         | some central admin. I don't know what happens if you open the
         | case while it's running, though.
         | 
         | I'm not sure if it's something they offer on current models, or
         | to individuals at all (I bought it used from a corporate IT
         | asset liquidator so it was likely originally purchased as part
         | of a bulk deal). Regardless it makes a great little Linux box!
        
           | R0b0t1 wrote:
           | That feature is fairly common but practically quite useless
           | and easy to circumvent if you can find the model information.
           | Even with PCI-DSS enclosure compliance you can get in if you
           | can take power tools to it. The assumption is power tools
           | would be too obvious to use in a typical installation.
        
           | destory-everyth wrote:
            | Work at a big bank, we won't procure laptops without this
            | and yes we will know when you have opened it and you won't be
            | able to boot it, I think something happens with bitlocker
            | also but not sure.
        
         | umvi wrote:
         | > Interesting project, I'm sure this is useful for people at
         | risk.
         | 
         | Could you expound on what this means? In the USA/UK, people
         | most "at risk" of police kicking down the door seizing their
         | laptops/computers while they are still running are child
         | pornographers.
         | 
         | Perhaps this can be used "for good" under oppressive regimes
         | (i.e. if you are a dissenting journalist) but then I think you
         | won't get a fair trial anyway and having a kill switch just
         | means more prison.
        
           | captainmuon wrote:
           | I know a shocking amount of innocent people who have been
            | target of surveillance and criminal investigations or who even
            | had their homes raided - in Western European countries.
           | Thankfully the courts are still working as they should, and
           | all but one were fully acquitted.
           | 
           | It can happen if you are a political activist in any fashion.
           | Nothing violent, just speaking out for rent control and
           | against gentrification can get you in trouble. Or hanging
           | around with the wrong people.
           | 
           | When it happens, you want to leave them as little rope as
           | possible to hang you with. As I said, the courts still are
           | honest and they won't make up evidence, but they will take
           | everything they can find to make a case - and to learn about
           | your structures and networks while they are at it.
           | 
           | You are right, that in real oppressive regimes all bets are
           | off. If they want to get you, they won't stop at their own
           | laws. But even then, these techniques are useful against
           | industrial espionage. If you are doing business in certain
           | countries, the "evil maid" is quite real...
        
           | toxik wrote:
           | This is a somewhat pessimistic outlook on humanity, first off
           | I would say that those who are most commonly at risk are
           | those with trade secrets. Patented tech and investment intel
           | for example.
           | 
           | As for the dissenters, I'm sure they would appreciate their
           | co-conspirators remain secret.
        
             | umvi wrote:
             | > This is a somewhat pessimistic outlook on humanity, first
             | off I would say that those who are most commonly at risk
             | are those with trade secrets. Patented tech and investment
             | intel for example.
             | 
             | Can you provide any evidence at all of police or "thugs"
             | (or anyone, really) kicking down doors to get at trade
             | secrets being a common problem? Because there are countless
             | news articles of police raids seizing computers to stop
             | child porn[0].
             | 
             | I speculate any tool billed as "anti-forensic" will be used
             | for immoral purposes more commonly than moral purposes.
             | 
             | [0] https://en.wikipedia.org/wiki/Jared_Fogle#Child_pornogr
             | aphy_...
        
               | Teknoman117 wrote:
               | It is an _absolute certainty_ that any tool to improve
               | privacy and security is going to be used by malicious
               | actors.
               | 
               | That does not mean it should be banned. Knives are used
               | for many things from cutting food and opening boxes to
               | killing people. Nitrate based fertilizers can be used for
               | vastly improving crop yields but can also be used for
               | bombs. Encryption can be used to protect your sensitive
               | personal data from criminals and prying eyes, but can
               | also be used by the criminals themselves to hide their
               | activities.
               | 
               | No state (even if it was the most ethically illuminated
               | utopia) has the power to protect every person in every
               | place at every time. Banning defensive tools is asinine
               | as rarely does it mean that a criminal won't use them
               | against you.
        
               | toxik wrote:
               | The threat model in corporate espionage is absolutely one
               | of theft of property. It's a lot easier to steal
               | somebody's laptop than to hack it.
        
               | Nasrudith wrote:
               | That is a dangerously naive viewpoint - trusting that the
               | only instances are the ones they proudly brag about? When
               | they have been caught not even allocating all of the
               | funds for Child Pornography prevention they have been
               | allocated while using "the children" as an excuse to
               | undermine cryptography?
               | 
               | It is doubly foolish to believe that the police are the
               | only users of forensic software when there is credit card
                | theft and multimillion dollar ransomware rings out there.
               | Robbing a bank by force or by heist is foregone jail but
               | snatching a laptop from a banker? Far more petty in risk
               | and disguised as mere property theft as opposed to the
               | data theft.
        
           | pjc50 wrote:
           | _Suspected_ child pornographers. There was some concern that
           | the door kicking had gone too far on too little evidence once
           | it reached Cliff Richard.
        
         | _kbh_ wrote:
          | Memory encryption technologies such as AMD's Secure Encrypted
          | Memory (SME) would be your best bet to combat this, along with
         | other anti-evil maid protections.
         | 
         | https://en.wikichip.org/wiki/x86/sme#Overview
         | https://www.qubes-os.org/doc/anti-evil-maid/
        
           | captainmuon wrote:
           | There are also things like TRESOR [1] which keep all
           | encryption keys inside the CPU. I'm not sure what the current
           | state of the art is.
           | 
           | There are so many possible evil maid attacks that I think it
            | would be useful to add a physical layer, just in case.
           | 
           | [1] https://en.wikipedia.org/wiki/TRESOR
        
         | fortran77 wrote:
         | Agreed; but this USBKill is a good protection for ordinary city
         | police, or even a grab-and-run crime at a coffeeshop (with a
         | usb key attached to your wrist with a cord).
        
       | [deleted]
        
       | jokoon wrote:
        | I don't understand. Is USB just always insecure because of
       | hardware?
        
         | raziel2p wrote:
         | Yes, but that's unrelated. The idea here is that if a USB
         | device is connected to your machine, it's an indicator that
         | your machine is compromised. Mouse jigglers that stop your lock
         | screen from activating are very common when confiscating
         | machines: https://www.cru-
         | inc.com/products/wiebetech/mouse_jiggler_mj-...
         | 
         | And of course, depending on the OS, it's possible to craft a
         | USB stick that copies files to a remote server as soon as it's
         | plugged in.
        
           | netsec_burn wrote:
           | An alternative approach may be to check idVendor and
           | idProduct (lsusb) to see if either matches a mouse jiggler
           | supplier or product.
        
             | jki275 wrote:
             | Those can be easily spoofed. I don't know if current mouse
             | jigglers in use have a specific Id or not, but there's no
             | reason they would have to have a recognizable Id.
        
             | DarkWiiPlayer wrote:
              | Not sure if a blacklist approach is the most reasonable
             | solution when you're in a situation that you have to worry
             | about these things in the first place.
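
Pulling together netsec_burn's idVendor/idProduct idea and the two replies (IDs are spoofable; a blocklist is the wrong shape), here is an added allowlist-based monitor in Python. It is example code written for this thread, not the usbkill project's own: it parses `lsusb` output, treats any new non-allowlisted device or any vanished device as the trigger, and leaves the response pluggable; the sample snapshots and the `dead:beef` jiggler entry are constructed.

```python
"""Allowlist-based USB hot-plug monitor in the spirit of usbkill (example
code, not the project's own).  It polls `lsusb`, keys each device on
(bus, device number, idVendor:idProduct) and treats any new device whose ID
is not allowlisted, or any vanished device, as the trigger.  IDs can be
spoofed, so the allowlist only suppresses re-plugs of your own peripherals.
"""
import re
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# One line of `lsusb` output, e.g.
# "Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver"
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    desc: str

    @property
    def vidpid(self) -> str:
        return f"{self.vid}:{self.pid}".lower()

    @property
    def key(self) -> Tuple[str, str, str]:
        # Device numbers are reassigned on every hot-plug, so this triple
        # tells "same keyboard re-plugged" apart from "untouched since boot".
        return (self.bus, self.dev, self.vidpid)


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Parse `lsusb` output; lines that do not match the format are ignored."""
    matches = (LSUSB_LINE.match(line.strip()) for line in text.splitlines())
    return [UsbDevice(*m.groups()) for m in matches if m]


def detect_changes(baseline_text: str, current_text: str,
                   allowlist: FrozenSet[str] = frozenset(),
                   strict_removal: bool = True) -> List[UsbDevice]:
    """Return the devices that should trigger the response:
    additions whose idVendor:idProduct is not allowlisted always do; with
    strict_removal, a device that disappeared does too (a wrist-tethered
    key being yanked away with the laptop is exactly that case)."""
    before = {d.key: d for d in parse_lsusb(baseline_text)}
    after = {d.key: d for d in parse_lsusb(current_text)}
    added = [after[k] for k in sorted(after.keys() - before.keys())]
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    offending = [d for d in added if d.vidpid not in allowlist]
    if strict_removal:
        offending.extend(removed)
    return offending


def lsusb_output() -> str:
    """Run the real `lsusb` (Linux, usbutils)."""
    return subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout


def log_and_stop(devices: List[UsbDevice]) -> None:
    """Default response: report and exit.  usbkill halts the machine instead;
    substitute a poweroff command here if that is the intended reaction."""
    for d in devices:
        print(f"USB change: bus {d.bus} dev {d.dev} {d.vidpid} {d.desc}", file=sys.stderr)
    sys.exit(1)


def monitor(allowlist: FrozenSet[str] = frozenset(), interval: float = 0.25,
            respond: Callable[[List[UsbDevice]], None] = log_and_stop) -> None:
    baseline = lsusb_output()  # whatever is present at start is trusted
    while True:
        time.sleep(interval)
        offending = detect_changes(baseline, lsusb_output(), allowlist)
        if offending:
            respond(offending)


# Constructed sample `lsusb` snapshots for an offline demonstration.
BASELINE = ("Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
            "Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120\n")
KEYBOARD_REPLUGGED = ("Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
                      "Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120\n")
NEW_DEVICE = BASELINE + "Bus 001 Device 005: ID dead:beef Constructed Co. Mouse jiggler\n"
ALLOWLIST = frozenset({"046d:c31c"})  # the owner's own keyboard

if __name__ == "__main__":
    print([d.desc for d in detect_changes(BASELINE, NEW_DEVICE, ALLOWLIST)])
    monitor(ALLOWLIST)
```

With `strict_removal=True` even an allowlisted keyboard being re-plugged trips the monitor, because the old (bus, device, id) entry vanishes; relax it only if your threat model tolerates that.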
        
           | sasaf5 wrote:
           | Once I have seen a coworker improvising one of these by
           | placing a second (optical) mouse on top of a mechanical
           | wristwatch.
        
             | vinay427 wrote:
             | Hmm, this is actually rather nifty, although one issue I
             | see is it will only last a few days at most. I don't know
             | how long people who confiscate laptops normally need to run
             | mouse jigglers.
        
           | daffy wrote:
           | > depending on the OS, it's possible to craft a USB stick
           | that copies files to a remote server as soon as it's plugged
           | in.
           | 
           | Is this possible with Linux?
        
             | michaelt wrote:
             | You can get a 'USB rubber ducky' [1] which emulates both a
             | USB memory stick and a USB keyboard, allowing you to script
             | keystrokes for the keyboard [2]
             | 
             | So it can do anything a newly plugged in keyboard can do.
             | Which, if the user is already logged in, makes grabbing the
             | user's files easy.
             | 
             | [1] https://shop.hak5.org/collections/usb-rubber-
             | ducky/products/... [2] https://github.com/hak5darren/USB-
             | Rubber-Ducky/wiki/Payloads
        
               | daffy wrote:
               | This will only work, I suppose, if the attacker knows
               | beforehand a keychord that will focus a terminal.
        
               | DarkWiiPlayer wrote:
               | on most desktop linux distros: <windows>terminal<enter>
               | is enough
        
               | jonathanstrange wrote:
               | Hehehe...on my machine that selects "Emacs (Terminal)".
               | Good luck with those key combos...
        
             | kryptiskt wrote:
             | Yes, the device can present itself as both a keyboard and
             | storage device and send the copy commands via keystrokes.
        
             | unionpivo wrote:
              | Yes. Mouse jigglers pretend to be regular mice and keyboards.
        
          | maeln wrote:
              | Yes and no. The idea is to emulate a keyboard and mouse.
              | You then use OS shortcuts to, for example, start a terminal
              | and type commands in it. So it can work with Linux but,
              | because of the diversity of distributions, DEs, etc., it is
              | more difficult to be sure of the shortcuts that you can
              | use, whereas on Windows or Mac, they will usually always be
              | the same (for example, Windows+R on Windows to launch a
              | launcher, and then type cmd.exe).
        
       | pfundstein wrote:
       | In a similar vein, there's antijiggler[1] which only locks the PC
       | when a new device is connected.
       | 
       | [1] http://www.codefromthe70s.org/antijiggler.aspx
        
       | raziel2p wrote:
       | Seems like a lot of code for what should be, on Linux anyway, a
       | simple udev rule?
       | 
        | echo 'SUBSYSTEM=="usb", RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb-changed.rules
        | 
        | Then just put whatever you want to be run in /root/usb-
        | changed.sh.
        
         | darkwater wrote:
         | I think you would at least add an allowlist of safe (i.e. owned
         | by you) USB ids you don't want to shut your pc/laptop down if
         | connected
        
           | kawsper wrote:
            | Your script can have the allowlist so you don't have to
            | fiddle with udev every time you introduce or retire USB
            | devices.
        
             | darkwater wrote:
             | But then it's not a oneliner anymore, and the original
             | project starts to make sense.
        
               | loa_in_ wrote:
                | It doesn't warrant making a product that replaces a
                | dedicated feature of the system. To whitelist in usbkill
                | you have to do more than one line too.
        
       | zelon88 wrote:
       | I really like this concept.
       | 
       | That's why I've made similar projects. One to detect when USB
       | storage devices get attached to domain workstations, and email
       | the administrator with device and user info.....
       | https://github.com/zelon88/Workstation_USB_Monitor
       | 
       | And one which detects USB HID devices, confirms them, and
       | notifies the administrator.....
       | https://github.com/zelon88/Rubber_Ducky_Defender
        
       | 0xdeadb00f wrote:
        | A hotplugd script can be used to mimic this on OpenBSD.
        
       | blue52 wrote:
       | Amazing work of art, bravo.
        
       | el_oni wrote:
       | I attended a talk by GSK and there was part of the talk about
       | security. They don't allow usb devices to be plugged into their
       | analysis computers. But every year they get an intern that tries
       | to charge their phone from the PC USB.
       | 
        | Something like this, that doesn't halt the computer but shows a
        | warning on screen and logs information, would perhaps be a
        | solution to their problem. Although in the case of industrial
        | espionage maybe locking the system would be worth it...
        
         | lozf wrote:
          | At a former gig for a post-production facility we used CoSoSys
          | EndpointProtector to restrict USB access to workstations. Works
          | as described in your second paragraph (logs and warning); admin
          | can then allow approved devices remotely if necessary.
        
           | SV_BubbleTime wrote:
           | I worked for a car mfg that had that on all their laptops. It
           | was annoying and I'm 99% certain no one ever checked up on
           | the alerts and instead was just logging in case there was an
           | issue later.
        
       | Benmcdonald__ wrote:
        | How does this work for USB Type-C? When I plug in my power cable
        | will my computer shut down?
        
         | deadbunny wrote:
         | It lists the ability to whitelist devices in the article.
        
         | AnotherGoodName wrote:
         | And does it work for things that look exactly like USBC but are
         | actually Thunderbolt? (with all its direct memory access via
         | DMA and all of that nastiness).
         | 
         | See the Apple combo USBC/Thunderbolt ports.
        
       | waldfee wrote:
        | If you are paranoid about something like this happening, just use
        | https://www.qubes-os.org/. All USB devices are jailed in a non-
        | networked VM by default.
       | 
       | In general, if what you do warrants that level of paranoia, qubes
       | will help you massively.
       | 
       | Micah Lee held a great overview talk at HOPE 2018:
       | https://www.youtube.com/watch?v=f4U8YbXKwog
        
         | kawsper wrote:
         | How does that work with input devices like keyboard and mouse?
        
           | waldfee wrote:
            | Generally it is advised to use PS/2 input (like most laptops'
            | integrated keyboards and touchpads).
            | 
            | Details on using USB keyboard and mouse here:
            | https://www.qubes-os.org/doc/usb-qubes/
        
         | czechdeveloper wrote:
         | I don't think it solves same problem.
        
           | waldfee wrote:
            | It does not solve the same problem, correct. It's still a
            | great tool if your threat model warrants it.
        
             | gjs278 wrote:
              | Great, but it has nothing to do with disabling a physical
              | server.
        
             | portpecos wrote:
             | Can you give an example of a threat model that would
             | warrant it?
        
               | smogcutter wrote:
               | You're a journalist. Source gives you a usb drive full of
               | documents. Source is in reality hostile/compromised, so
               | is the usb drive.
        
       | bra4you wrote:
       | I saw this solved with a USB stick on a keychain and the computer
       | shuts down when the stick is removed. Does anybody still have the
       | link?
       | 
       | Ah. Found it:
       | https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...
        
       | sn_master wrote:
       | "immediately terminates the connection"
       | 
        | Reminds me of some old firewalls that would actively poll active
        | connections, and when one is made that violates their rules,
        | "immediately" terminate it. Oftentimes, an attacker can embed a
        | lot in just a single URL in the query string (stolen passwords
        | etc.) that would be done in < 5ms, faster than the firewall can
        | act (if not even faster than the polling interval itself),
        | especially if there are plenty of rules and active connections
        | and/or the machine is slow (e.g. playing games).
       | 
       | That's like choosing to not have a door on your house, because
       | you know you can run fast and shoot the thief when they enter.
       | 
        | Maybe it's not as bad for hardware due to the inherent latencies
        | involved, but I am always skeptical about things that use polling
        | vs sitting in the middle at the kernel before a USB connection is
        | allowed to happen to the OS in the first place.
       | 
       | The default (aka the one that nobody will change) connection-
       | polling interval for this thing is 250ms, which doesn't seem too
       | small for me for many conceivable attack scenarios.
       | 
       | For Mac, it runs this:
       | 
       | os.system("killall Finder ; killall loginwindow ; halt -q")
       | 
       | This won't prevent windows from reopening after a reboot.
       | 
        | A possible exploit for this could be the USB pretending to be a
        | keyboard, opening an exploit website or an app with malicious
        | argument values; then you immediately shut down the Mac, reboot
        | manually and boom, the website/app opens up and the machine gets
        | owned anyway post-reboot!
       | 
       | Also, lack of Windows support is upsetting, considering there
       | isn't much code change required to do so.
       | 
        | The "melt" feature is one I really like, and I respect the thought
        | they put into making it.
        
         | bausano_michael wrote:
         | I think it's aimed at scenarios in which the attacker is not
         | aware of this utility running. Otherwise they could just kill
         | it before inserting the USB.
        
           | sn_master wrote:
            | Well, for attack vectors like Mouse Jiggler (I have one, very
            | cheap on Amazon) or polymorphic USB devices, it would work if
            | the attacker is unaware of the utility's existence. For
            | polymorphics specifically, I checked the code, and it does
            | indeed validate the IDs of the devices, not just their count.
           | 
           | For others, even if the attacker is unaware of the utility,
           | those shortcomings are still serious enough (e.g. rapid
           | keyboard typing).
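The udev subthread above (a RUN+= script that carries its own allowlist, so the rule file never changes) and sn_master's observation that usbkill validates device IDs rather than just their count come down to the same check. The following is an added example, not usbkill's own code and not from any commenter: it keys every decision on the vendor:product identity of each device, works either as one step of an lsusb polling loop or as the program behind a udev rule such as `SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/root/usb-changed.py /root/usb-allowlist"`, and shows why a count-only check misses a device swap. Assumptions, labelled in the code: the lsusb line format in the constructed sample, and that udev exports `ACTION`, `DEVTYPE`, `ID_VENDOR_ID` and `ID_MODEL_ID` (the latter two populated by udev's usb_id builtin) to RUN+= programs. All device IDs in the sample data are constructed except the Linux Foundation root hub ID.

```python
"""Decide whether a USB bus change is an expected one, keyed on device
identity (vendor:product) rather than on device count.

Added example for this thread, not usbkill's own code. It can be driven
either by polling `lsusb` (as usbkill does) or from a udev RUN+= hook.
Assumptions: the lsusb line format shown in the constructed sample below,
and that udev exports ACTION, DEVTYPE, ID_VENDOR_ID and ID_MODEL_ID to the
RUN+= program (the ID_* keys come from the usb_id builtin).
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    devnum: int   # changes on every replug, so a replug shows as remove + add
    ident: str    # "vvvv:pppp", lowercase hex, as lsusb prints it


def parse_lsusb(text: str) -> Set[UsbDevice]:
    """Parse lines like 'Bus 001 Device 003: ID 046d:c52b Logitech ...'."""
    devices = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "Bus" or parts[4] != "ID":
            continue  # not an lsusb device line
        devices.add(UsbDevice(int(parts[1]), int(parts[3].rstrip(":")),
                              parts[5].lower()))
    return devices


def load_allowlist(text: str) -> Set[str]:
    """One vendor:product per line; '#' starts a comment."""
    entries = (ln.split("#", 1)[0].strip().lower() for ln in text.splitlines())
    return {e for e in entries if e}


def classify(baseline: Set[UsbDevice], current: Set[UsbDevice],
             allowlist: Set[str]) -> Tuple[str, str]:
    """Return ("halt", reason) or ("ok", "") for one polling step.

    Compares identities, not counts: swapping an allowed device for a
    different one leaves the count unchanged but is still reported. Any
    removal is reported too, which is what the wrist-cord trick relies on.
    """
    added = current - baseline
    removed = baseline - current
    offending = sorted(d.ident for d in added if d.ident not in allowlist)
    if offending:
        return "halt", "new device(s) not in allowlist: " + ", ".join(offending)
    if removed:
        return "halt", "device(s) removed: " + ", ".join(sorted(d.ident for d in removed))
    return "ok", ""


def udev_hook(environ: Dict[str, str], allowlist: Set[str]) -> Tuple[str, str]:
    """Same decision for a single udev event, read from the hook's environment.

    Interface events (DEVTYPE=usb_interface) are ignored; the usb_device
    event for the same plug-in already covers them. ID_* may be empty on
    remove events, which is fine: every removal halts regardless.
    """
    if environ.get("DEVTYPE", "usb_device") != "usb_device":
        return "ok", ""
    action = environ.get("ACTION", "")
    ident = "{}:{}".format(environ.get("ID_VENDOR_ID", ""),
                           environ.get("ID_MODEL_ID", "")).lower()
    if action == "add" and ident not in allowlist:
        return "halt", "udev add of " + ident
    if action == "remove":
        return "halt", "udev remove of " + ident
    return "ok", ""


# Constructed sample data. 1d6b:0002 is the real Linux Foundation root hub
# ID; 0001:0002 (receiver) and dead:beef (jiggler) are made up for the example.
ALLOWLIST = """\
1d6b:0002   # root hub
0001:0002   # my wireless receiver (constructed ID)
"""
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 0001:0002 Example receiver (constructed)
"""
NEW_DEVICE = BASELINE + "Bus 001 Device 004: ID dead:beef Example jiggler (constructed)\n"
# Same device count as BASELINE, but the receiver has been swapped out.
SWAPPED = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID dead:beef Example jiggler (constructed)
"""

if __name__ == "__main__":
    # udev RUN+= mode: argv[1] is the allowlist file; pass --arm to really halt.
    import os
    allow = load_allowlist(open(sys.argv[1]).read()) if len(sys.argv) > 1 else set()
    verdict, why = udev_hook(os.environ, allow)
    print(verdict, why)
    if verdict == "halt" and "--arm" in sys.argv:
        subprocess.run(["systemctl", "poweroff"])  # substitute your own response here
```

Two practical notes on the udev path: RUN+= programs run as root with a short timeout and must not block, so hand anything slow (syncing, wiping, `systemctl poweroff`) to a detached process or a systemd unit rather than doing it inline; and `udevadm test /sys/bus/usb/devices/<dev>` shows exactly which ACTION and ID_* values the hook will see before you arm it.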
        
       | raxxorrax wrote:
       | > In case the police or other thugs come busting in
       | 
       | I like this wording.
       | 
       | Disclaimer: Not a comment on current political happenings.
       | 
        | But seriously, the use case of disallowing USB sticks on devices
        | is unnecessarily hard to configure. Just an option to disallow
        | certain device classes would be appreciated.
        
         | daraps wrote:
         | I just disable all hotplugging support in my OS. Anything
         | plugged into the machine must be manually mounted, enabled,
         | etc. This works really great for me as it's rare that anything
         | is attached to this machine other than the charger.
        
         | InsomniacL wrote:
          | How would you authenticate the USB stick that is allowed
          | though? Without some sort of authentication mechanism an
          | attacker could clone the device id of an allowed device. Better
          | than nothing though! :)
        
           | the8472 wrote:
            | There's the USB Authentication Protocol where devices
            | identify themselves through digital signatures. But I don't
            | know whether each device has a unique ID or it's one cert for
            | the whole production series.
        
         | mschuster91 wrote:
         | > But seriously, the use case of disallowing USB sticks on
         | devices is unnecessary hard to configure.
         | 
         | This will not help against hardware that exploits bugs in the
         | USB stack of the operating system.
         | 
         | Assuming the threat model is police or secret service seizing
         | one's server, it is feasible that the attackers also have
         | knowledge of the running OS (IIRC one can distinguish between
         | Windows, Linux and xBSD by simply looking at TCP fingerprints)
         | and thus can use a targeted exploit.
        
         | agumonkey wrote:
          | typical social pattern:
          | 
          |   - nothing
          |   - hard work to make something easy to use
          |   - hard work to make something easy to control
          |   - control
        
         | microcolonel wrote:
         | This is fairly straightforward with udev, a couple lines of
         | config should be sufficient.
        
           | pnutjam wrote:
            | Any directions?
        
             | bartvk wrote:
             | This guide is pretty good:
             | http://reactivated.net/writing_udev_rules.html
             | 
             | Some ten-odd years ago, I wrote how to create udev rules to
             | execute a command after connecting a particular USB device:
             | 
             | https://www.vankuik.nl/2008-12-19_Linux_USB_device_handling
        
       | lizardmancan wrote:
        | Not as easy, but more fun to ruin the USB device.
        | 
        | If they use mouse wiggling, the screensaver could use other
        | triggers/patterns to keep the box on. Say, 1 google search per 15
        | min minimum. Randomly moving the mouse seems a good reason to
        | shut down.
        
       | nialv7 wrote:
       | What's stopping the forensic people from just spoofing the USB
       | device IDs?
        
         | deadbunny wrote:
         | How do they get the IDs?
        
           | nialv7 wrote:
           | They could just look around and see what USB devices you own.
           | USB vendor/product IDs are not secret.
        
         | topspin wrote:
         | Nothing. And that's not the problem this program is intended to
         | solve.
        
           | nialv7 wrote:
           | It is. The program tries to prevent use of unauthorized USB
           | devices, yet it uses the easily spoofed USB device IDs to
           | authenticate them.
        
             | topspin wrote:
             | It isn't. The problem this program solves is thwarting a
             | naive attempt to alter the state of the USB bus. The design
             | assumes the attacker is not aware of the consequences of
             | adding or removing devices and has no reason to employ
             | spoofed devices or any other Ever Greater Adversary
             | Regression techniques you can imagine.
        
             | [deleted]
        
       | codethief wrote:
       | From going through the discussion I'm getting the impression that
       | the only feasible attack vector provided by USB is by emulating a
       | keyboard like a USB Rubber Ducky. Is this really the case?
       | 
       | For instance, if my laptop is locked (with a proper[0][1] lock
       | screen like xscreensaver) and that lock screen is capturing all
       | keyboard input and magic SysRq keys[2] are disabled, too, is
       | there really no way an attacker could use a USB device to hack my
       | laptop?
       | 
        | Similarly, if my laptop is _not_ locked but comes with unusual
        | key bindings (maybe even a different keyboard layout), what are
        | the chances of me getting hacked with a USB device? (Let's
        | assume that the attacker manages to secretly plug in said USB
        | device but doesn't want to access my unlocked laptop directly -
        | maybe because we're in an open office and people are watching.)
       | 
       | My impression had always been that USB devices are dangerous
       | beyond simple keyboard emulation but I might be wrong.
       | 
       | [0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/
       | 
       | [1] https://www.jwz.org/xscreensaver/toolkits.html
       | 
       | [2] https://en.wikipedia.org/wiki/Magic_SysRq_key
        
         | boring_twenties wrote:
         | > [0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/
         | 
         | Sorry for the digression, but WTF is this guy doing? Looks like
         | he redirects all requests that have HN as the referrer to a
         | picture of a testicle. Copy-pasting the link (i.e., dropping
         | the referrer) seems to work, though.
        
         | busterarm wrote:
         | Besides keyloggers, another reason people want this is because
         | law enforcement has USB keepalive devices that will simulate
         | mouse movement/keypresses to keep your computer from going to
         | sleep.
         | 
         | They do this to make sure your computer stays on and your RAM
         | doesn't get powered off, which will allow them to read any
         | decrypted data in memory whether or not your data is encrypted
         | on disk.
         | 
         | When they raid you, they come with massive UPS devices that
         | they plug your computers into to give them as long a window as
         | possible to get your data.
        
           | isatty wrote:
           | How will they replug my single PSU workstation to their UPS'?
        
             | jefftk wrote:
             | Use insulated tools and a steady hand to cut into the power
             | cord and splice in the UPS. The UPS is configured to match
             | phase with the power that's already in the cord.
        
               | bsdz wrote:
               | .. or get a HotPlug https://www.cru-
               | inc.com/products/wiebetech/hotplug_field_kit...
               | 
               | Just discovered this now myself. The same company sells
               | mouse jigglers.
        
               | busterarm wrote:
               | Which is why if you want to defend against the easy
               | versions of these and make people have to do work, only
               | plug your desktop PCs into standalone outputs not on a
               | surge protector.
               | 
               | Yes, it won't defend against cord cutting.
               | 
               | Edit: A more interesting defense I think would be to
               | modify a surge protector for this specifically to defeat
               | HotPlug. Only put your computer on a specific outlet and
               | wire it so that if any other outlets complete circuit to
               | kill power to the whole thing.
        
               | jefftk wrote:
                | HotPlug is one of the turnkey versions of this, yes.
        
       | Ericson2314 wrote:
       | And now, we've come full circle to plug-and-stop-playing.
        
       | reallymental wrote:
       | "Tip: Additionally, you may use a cord to attach a USB key to
       | your wrist. Then insert the key into your computer and start
       | usbkill."
       | 
       | This line particularly caught my eye. I wonder what's the
       | percentage of people (I'm presuming people working in security or
       | those who are trying to avoid detection) go to this extreme?
       | 
        | Is it even extreme?
        
         | berkas1 wrote:
         | I don't think that wrist-key is an extreme (never seen it
         | actually, but I still think this solution is a cautious one).
         | 
         | For me an extreme measure would be to modify my motherboard in
         | a way that I could connect RAM to my wrist and tear it away
         | when necessary.
        
           | nkrisc wrote:
            | Now that would be interesting: have your RAM strapped to your
            | wrist and connected to your mobo by a breakaway cable.
            | 
            | Bonus points if they cut it when they tackle you because they
            | thought it was a deadman switch, like mentioned in the link.
        
         | baq wrote:
          | Not a security expert, but a commonly heard phrase is 'depends
          | on your threat model' :)
        
         | moritonal wrote:
         | "To prevent Ulbricht from encrypting or deleting files on the
         | laptop he was using to run the site as he was arrested, two
         | agents pretended to be quarreling lovers. When they had
         | sufficiently distracted him, according to Joshuah Bearman of
         | Wired, a third agent grabbed the laptop while Ulbricht was
         | distracted by the apparent lovers' fight and handed it to agent
         | Thomas Kiernan. Kiernan then inserted a flash drive in one of
         | the laptop's USB ports, with software that copied key files."
         | 
         | https://en.wikipedia.org/wiki/Ross_Ulbricht
        
           | daffy wrote:
           | > Kiernan then inserted a flash drive in one of the laptop's
           | USB ports, with software that copied key files.
           | 
           | How exactly does this work? Is there a sort of software that
           | runs automatically when you insert the stick, or did he have
           | to click on it?
        
             | sumtechguy wrote:
              | You can present yourself as a standard file system or some
              | device you know has a known exploit in the driver on the
              | other side. Then on the USB 'drive' side you have a full-
              | out ARM CPU. It can issue commands too as it is connected
              | to the serial bus. Many USB drives already have a small
              | embedded CPU in them.
        
               | R0b0t1 wrote:
               | >Many USB drives already have small embedded CPU in them.
               | 
               | For most common hardware this is just an 8051 variant
               | that sets up the USB and DMA peripherals. It's easy
               | enough to get something more powerful, but I am doubtful
               | you'd want to reuse consumer hardware.
        
               | sumtechguy wrote:
                | The 8051 is a decently capable CPU (it is the CPU at the
                | heart of the Furby toy). At one point they built whole
                | computer ecosystems around it. Remember the point here is
                | to take over the computer, not have a full-out modern OS.
                | The USB manufacturers use them because they work well on
                | low power and are decently cheap and small. Now most USB
                | sticks do not do much more than what you say. But that
                | would not stop someone who is making one of these things
                | from reflashing the firmware in it. The use case here is
                | different than what most people would use it for.
                | Sometimes you will see an older ARM design too.
        
             | klyrs wrote:
             | Speculation: It's possible to produce keyboard and mouse
             | inputs, and also present as a storage device -- autorun
             | isn't even necessary (though spurious inputs would be quite
             | visible to somebody using the computer and something like a
             | mirrored mouse, custom keyboard layout / shortcuts could
             | foil this)
        
               | daffy wrote:
               | That would only work on a known operating system and
               | window manager with known keyboard shortcuts, unless a
               | terminal is already focused.
        
               | InitialLastName wrote:
               | One of Atmel's USB-capable microcontrollers had a HID
               | Keyboard example program that when you pressed a button
               | (on a Windows host) would start Notepad (via the run
               | command) and type "Hello, I'm an Atmel SAMXXXX".
               | 
               | Great bit of example code, but opens a world of
               | possibilities for what you could do with, say, a HID +
               | Mass Storage composite device.
        
               | janekm wrote:
               | In theory, you could fingerprint the host OS first and
               | then run the appropriate commands (of course more tricky
               | with more custom Linux setups, does CTRL+ALT+Fn still
               | work to get to a text console?):
               | https://www.cise.ufl.edu/~butler/pubs/sadfe11.pdf
        
               | daffy wrote:
               | Yeah, I was thinking of custom window-manager setups. You
               | can usually get a tty console by ctrl-meta-f1 etc., but
               | that wouldn't help, since you'd have to enter a password.
               | I suppose an advanced version could try different
               | combinations and test each by entering a command that
               | would be detected by the stick.
        
               | Jaruzel wrote:
               | On Windows, it's just 'Win+R 'CMD' [Enter]' and you have
               | a terminal/console. Presumably, if the agents were
               | monitoring the perp properly, they would know what OS
               | they would be targeting.
               | 
               | I type the above SO often every day, it should be on my
               | gravestone. :D
        
             | TedDoesntTalk wrote:
             | On Windows, autorun.inf. This technique has been around
             | since at least the 90s when CD-ROM drives were introduced
             | to PCs... it is how a newly inserted CD (and later usb
             | disk) can automatically execute software on insertion:
             | 
             | https://www.instructables.com/id/Autorun-anything-off-of-
             | a-u...
        
               | pfundstein wrote:
               | Autorun has been disabled by default for a long time
               | (with good reason). And it has never worked with USB
               | drives, only ones which emulated a CD drive such as U3
               | USB drives.
        
               | noisem4ker wrote:
                | Autorun attempts result in a prompt since Vista.
               | 
               | Apparently, autorun from USB volumes was enabled for XP
               | SP2:
               | 
               | https://support.microsoft.com/en-us/help/967715/how-to-
               | disab...
               | 
               | >Before Windows XP SP2, AutoPlay was disabled by default
               | on removable drives, such as the floppy disk drive (but
               | not the CD drive), and on network drives. Starting with
               | Windows XP SP2, AutoPlay is enabled for removable drives.
               | This includes ZIP drives and some USB mass storage
               | devices.
        
               | anonymfus wrote:
               | Autorun and AutoPlay are different things. AutoPlay is
               | what asks you if you want to open media in File Explorer
               | or some other application.
        
               | derefr wrote:
               | I've always been surprised that autorun wasn't re-enabled
               | when app stores / code signing was introduced. If
               | Microsoft or Apple is willing to sign an installer saying
               | that it's something safe to install, isn't that proof
               | enough to let it run when you insert the USB key it's on?
               | 
                | I know this isn't really very relevant for the specific
                | combination of _installers_ and _physical media_ any
                | more, since it's rare for anyone to be _trying_ to
                | install something off a CD/DVD/USB these days (other
                | than a new OS, of course.)
                | 
                | But I could see the use case for physical media doing
                | something _other_ than running an installer (e.g. DRMed
                | disks launching the equivalent of a FUSE server to mount
                | the "rest" of the disk); or for non-physical media (e.g.
                | macOS DMG disk images) being able to autorun their
                | embedded installer. Either way, the code signing that the
                | platforms are _already doing_ would be enough to make
                | these safe, no?
        
               | toast0 wrote:
               | Windows code signing does not include a step where
               | Microsoft inspects the code. The developer gets a
               | certificate from a commercial CA and signs the code. If
               | the certificate is an EV certificate, that's basically
               | it. If it's a regular certificate, Windows does a
               | callback to Microsoft that seems to just be a popularity
               | check --- if the certificate has been used a lot, then
               | the prompts go away.
               | 
               | At best, Windows code signing lets you know who signed it
               | and that that person was able to pay a CA some money, not
               | that it's safe to run.
        
               | derefr wrote:
                | Regular developer code-signing, yes. But I'm talking
                | about the code-signing that's done _by Microsoft_ (rather
                | than by your own Microsoft-signed cert) on the Microsoft
                | Store backend; or the code-signing that's manually done
                | _by Microsoft_ when a third party submits a driver
                | package to them for inclusion as a Windows update.
        
               | fortran77 wrote:
               | Microsoft limited autorun about two decades ago, and
               | finally got rid of it completely in 2011.
               | 
               | https://www.theregister.com/2011/02/08/microsoft_windows_
               | aut...
               | 
                | You should try Windows 10! It's very good. At least give
                | it a whirl so you can have accurate facts about what it
                | does, and not spread FUD about it.
        
             | pfundstein wrote:
             | Maybe rubber-ducky style keyboard emulation?
        
         | emiliobumachar wrote:
          | How about a bluetooth dongle in your pocket? Less visible, and
          | unless the hostiles know about it, they will separate you
          | from the computer.
         | 
         | A phone could work. An apparent car key would be better. Best
         | would be a piece of clothing, like a belt.
        
           | paledot wrote:
           | That would work great for half an hour, until your Bluetooth
           | connection drops for no reason, the dongle pairs with your
           | car or phone instead, decides it's a headset now, or one of
           | the hundred other things that inevitably go wrong with
           | Bluetooth.
        
             | sumtechguy wrote:
              | Hehe, do not think like an engineer in this case. Think
              | like someone who only has to get it right once but can try
              | 100 times. So even if you have a flaky connection, just so
              | long as it works that 'one time', you are good.
        
           | nullc wrote:
           | There are bluetooth low energy key fobs that work for this.
        
       | atum47 wrote:
        | I made a video about disabling the USB to prevent rubber ducky
        | attacks a long time ago.
        | 
        | Never thought about shutting down the computer.
       | 
       | https://youtu.be/RtRsBTGZUgc
        
       | M5x7wI3CmbEem10 wrote:
        | Does encryption offer any benefit if you're using a cloud syncing
        | solution?
        
       ___________________________________________________________________
       (page generated 2020-08-06 23:00 UTC)