USB risks (continued)

To: Harlan Carvey <keydet89@xxxxxxxxx>
Subject: USB risks (continued)
From: Gadi Evron <ge@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Jun 2004 18:09:20 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040618135209.10752.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040618135209.10752.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 0.6 (Windows/20040502)

I'm emailing this to bugtraq as well. A discussion there might producemore interesting results than "MS sucks" on FD. This is rather importantand has grown in importance over the last couple of years. There were afew discussions on the subject, but nothing to help formulate a plan onhow to defend against it.


Here goes...

 This issue has been discused in pentest list. Take

a look at:

>>http://archives.neohapsis.com/archives/sf/pentest/2004-05/0136.html

I don't think the issue is that it's been discussed,
more that it hasn't been really resolved/addressed.

I already replied to Harlan off-list, but I figured I might as wellreply about some of this here as well.

First off, it has been discussed rather fully on pen-test and thearchives would make a good resource.

Auto-run certainly isn't a new issue and a factor in every hardening ofa Windows system for a while now. It was a big "thing" 2 years ago.

It should be tested further, but the risk of the USB as a mechanism forstealing information and/or introducing a Trojan horse/gaining access toa PC is what we need to be concerned about.

Regular usage of a USB drive makes the cleaning crew potentially therichest sort on earth.


What I believe issues that would have to be addressed in the future, are:

[Please keep in mind that USB performs as a hub/client model and thatthe main driver for USB devices is built into Windows, unlike what Ioriginally thought before looking further into this]


1. Better systems to track/deny usage of USB drives (all-together or of
   particular types, negatively or positively). Several systems
   already exist, from removing USB/gluing the plug to programs
   that sit on a Domain.
2. Buffer Overflow:
   I personally find the USB driver to be rather unstable, although
   others disagree. A buffer overflow in the driver can be catastrophic
   and _perhaps_ even effect very strong crypto-systems. Maybe systems
   like eToken, although I haven't looked into it, so i can't say.
3. SDK's:
   Many SDK's exist for developing USB drivers. If a backdoor is put
   into even just one of them...
   There is a huge market for USB coders. Any kiddie interested?

On the organizational level, it should be addressed in a matter ofpolicy, and enforced by different monitoring systems.

This issue isn't singular to USB, but it highlights the problem rathernicely.

Some future trends might be wireless control of remote systems via USB,going to a PC with a PDA and choosing what to get.change, or simplycopying automatically using the USB autorun capability (there was a POCon the pen-test discussion).

These are all valid threats, but the main threat of copying data to aUSB drive covertly and disappearing is what scares me currently. Also,what stops a person from copying work-related material to a digitalcamera memory stick?


Nothing if not your policy and enforcement+monitoring of it.

Other than the pen-test discussion there was a discussion here a fewmonths ago on domain USB monitor services, and a USB device (oncewireless, once for copying data automatically) showed on these TV shows:

Threat Matrix and Jake 2.0.

The reason I think this should be discussed further is because I trulybelieve in the risk. It is "out there", known and there is even a POC..but no real discussion on organizational counter-measures and defensivestrategies.


Here is Harlan's post:

>> This is an interesting topic of discussion.  Like one
>> poster, I first saw this in the most recent issue of
>> 2600.  I began looking into it, and almost immediately
>> came up with this particular MS KB article:
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214

>> As you can see, KB136214 states pretty clearly that
>> *be default*, autorun.inf file processing is NOT
>> enabled for USB-connected thumb drives.  I haven't
>> tested it myself, but another poster has stated that
>> while items in the "open=" line may not be launched,
>> the "icon=" line seems to be processed.

>> I read Gadi's comments:
>> http://catless.ncl.ac.uk/go/risks/23/41/4

>> I had some questions for Gadi, and fired off an email
>> but have yet to hear back.

>> While I do agree wholeheartedly that USB-connected
>> devices are definitely an issue within a network
>> infrastructure, it's not yet clear to me that the pose
>> the threats that have been presented.

        Gadi Evron.

--
Email: ge@xxxxxxxxxxxxx  Work: gadie@xxxxxxxxxxx Backup: ge@xxxxxxxxxxx
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06

GPG key for encrypted email:http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc

ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450

Follow-Ups:
- Re: USB risks (continued)
  - From: RSnake

Prev by Date: Re: Unprivilegued settings for FreeBSD kernel variables
Next by Date: TSL-2004-0036 - kerberos
Previous by thread: Internet Scanner 7 Restriction Bypass Vulnerability
Next by thread: Re: USB risks (continued)
Index(es):
- Date
- Thread