Tag Archives: security awareness

Danger of USB Devices

There has been lots of news recently regarding a flaw in USB devices that could lead to an unwanted attack. USB stands for Universal Serial Bus and is often associated with thumb drives used to store data. There are many other uses for USB devices, such as your mouse and keyboard. There are even monitors that connect via USB.

Each USB device has a microchip holding firmware that tells the device how to behave. In addition, USB devices are separated into classes; for example, Human Interface Devices (HID) for keyboards and mice, and mass storage devices such as thumb drives. The computer looks at this classification to decide how to handle the device.

From a visual perspective, it is not possible to tell how a USB device will be treated, because that information lives in the firmware on the device. A good example we have used for years is the Teensy device, or the Rubber Ducky. This device looks like a regular thumb drive, but when plugged in it acts as a HID (a keyboard).

The concern here is that in an enterprise there are often controls that block mass storage devices from loading on end user computers. There are multiple reasons to block these devices. First, the company is trying to stop a malicious user from stealing a bunch of data using a tiny thumb drive. Remember the movie “The Recruit”, where they stole info using a thumb drive? Another reason these devices are blocked is that they could contain malicious software (malware). Block the device, block the malware.

The problem we often see with these controls is that it is difficult to block human interface devices, because we need a keyboard and a mouse. The idea of the Rubber Ducky is that you, the attacker, can program a sequence of keystrokes onto the device, and when it is plugged in it will execute those keystrokes. This technique allows attackers to bypass many controls and possibly gain unauthorized access to the system.

One can disassemble a Rubber Ducky and see the SD card, which shows it is not a real thumb drive. The issue with this recent news is that a regular thumb drive's firmware could be reprogrammed to act as a HID without your knowledge. We haven't seen many details of how to pull this off remotely; however, we should be cautious any time we plug a device into our system.
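Since you cannot tell from the outside what class a device will claim, the defender's view has to come from what the operating system actually enumerates. The following is an added example, not code from the original post: it reads log lines written in the style of Linux kernel USB enumeration messages (the lines below are constructed, not real captures), joins the HID driver's VID:PID report to the device that announced it, and flags a keyboard interface that is not on an allowlist of issued keyboards, or a device that presents both mass storage and a keyboard at once. The allowlist and the vendor/product IDs are assumptions made for the example.

```python
import re

# Constructed sample lines in the style of Linux kernel USB enumeration
# messages (they are not real captures from any system).
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.10
usb 1-1: Product: USB Keyboard
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-2: Product: Cruzer Blade
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
usb 1-3: Product: Flash Disk
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:DEAD:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-3/input1
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for keyboards the
# organisation has issued; anything else that enumerates as a keyboard is suspect.
ALLOWED_KEYBOARDS = {("046d", "c31c")}

NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
HID_DEV = re.compile(r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ (\w+) \[")


def parse_devices(log_text):
    """Build {bus_path: {vid, pid, product, classes}} from the log lines."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            path, vid, pid = m.groups()
            devices[path] = {"vid": vid, "pid": pid, "product": "", "classes": set()}
            continue
        m = PRODUCT.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
            continue
        m = STORAGE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["classes"].add("mass-storage")
            continue
        m = HID_DEV.match(line)
        if m:
            # hid-generic reports VID:PID rather than the bus path, so join on those.
            vid, pid, kind = m.group(1).lower(), m.group(2).lower(), m.group(3).lower()
            for dev in devices.values():
                if dev["vid"] == vid and dev["pid"] == pid:
                    dev["classes"].add("hid-" + kind)
    return devices


def analyze(log_text, allowed_keyboards):
    """Return a list of (bus_path, reason) findings worth an alert."""
    findings = []
    for path, dev in parse_devices(log_text).items():
        ident = (dev["vid"], dev["pid"])
        is_keyboard = "hid-keyboard" in dev["classes"]
        if is_keyboard and ident not in allowed_keyboards:
            findings.append((path, "keyboard interface from unapproved device %s:%s (%s)"
                             % (dev["vid"], dev["pid"], dev["product"])))
        if is_keyboard and "mass-storage" in dev["classes"]:
            findings.append((path, "device presents both mass storage and a keyboard"))
    return findings


if __name__ == "__main__":
    for path, reason in analyze(SAMPLE_LOG, ALLOWED_KEYBOARDS):
        print("ALERT usb %s: %s" % (path, reason))
```

The join on VID:PID is the important design choice: a device that advertises itself as "Flash Disk" but enumerates a keyboard interface is exactly the case the post describes, and only the enumeration record, not the label on the plastic, reveals it.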

I will not stop using USB devices anytime soon. Diligence and user awareness are important here.

eBay Password Breach

eBay announced today that usernames, encrypted passwords, phone numbers, email addresses, physical addresses and dates of birth were stolen during a recent breach. The key here is encrypted passwords, which hopefully means strong security. That is just an assumption, though. It is not uncommon by any stretch to see a large company suffer a breach that includes user credentials. We often overlook the idea that credentials are actually very valuable. We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics: the keys that protect all of that other data.

eBay believes that no other data (financial, etc.) was accessed during the breach. This is the good news. The bad news is that we now need to change our passwords again. Look on the bright side: if we used fingerprints for access, we would only change our password a few thousand times before we had to start using toes. There are a lot of different passwords we can come up with. I know it is obvious, but if you haven’t stopped reading this post to go change your eBay password, stop for a moment and go do that.

Managing our passwords can be difficult, and as end users we may often feel helpless: not only do we have no control over how a company or service stores our passwords, we have no insight into how they do it. Some people have previously suggested that a site advertise how it protects passwords. It is an interesting idea. The question is: does it make you more or less of a target? There are a lot of factors that go into that determination.

If you advertise that you use bcrypt with 10,000 iterations, is that good or bad? Will the bad guys turn around and look for an easier score, or will they accept the challenge? Now advertise that you are storing passwords using MD5 with no salt. The difference between the two is like seeing a wireless network with and without a password. Of course, the other problem is whether the description provided would mean anything to the average user. My mom, even my wife, wouldn’t have any idea what MD5 or bcrypt meant or which one may be more secure. It is server side, so do users care? I am not really sure. I don’t think advertising the details would really help the problem; it might just satisfy those techies that want to debate whether the company was following best practices.
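To make the MD5-versus-bcrypt difference concrete from the defender's side, here is an added example that is not part of the original post. It stores the same password for two constructed users under both schemes and shows what a stolen table gives away: unsalted MD5 makes shared passwords visible at a glance and lets one precomputed table cover every user, while a per-user salt plus an iterated hash does neither. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` with the 10,000 iterations the post quotes stands in for it (that substitution, the storage string format and the sample users are assumptions of this example).

```python
import hashlib
import hmac
import os

# Constructed user records: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
ITERATIONS = 10_000  # the iteration count quoted in the post


def md5_unsalted(password):
    """The weak scheme: one unsalted MD5 digest per password, so equal
    passwords always produce equal digests across every user and every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted(password, salt=None):
    """The stronger scheme: a random per-user salt plus an iterated hash.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (an assumption of this
    example); the property shown, per-user salt and a tunable work factor,
    is the same. The stored string carries everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_salted(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def compare_schemes(users):
    """Show what a stolen credential table reveals under each scheme."""
    md5_table = {u: md5_unsalted(p) for u, p in users.items()}
    salted_table = {u: store_salted(p) for u, p in users.items()}
    return {
        # duplicate digests in the table expose users who share a password
        "md5_reveals_shared_password": len(set(md5_table.values())) < len(md5_table),
        "salted_reveals_shared_password": len(set(salted_table.values())) < len(salted_table),
        "salted_verifies": all(verify_salted(salted_table[u], p) for u, p in users.items()),
        "salted_rejects_wrong": not verify_salted(salted_table["alice"], "wrong"),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(USERS).items():
        print("%s: %s" % (key, value))
```

The unsalted table is also the one a precomputed (rainbow) table answers directly, which is why "MD5 with no salt" is the open wireless network in the post's comparison; the salt forces each user's hash to be attacked separately, and the iteration count sets how expensive each guess is.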

Spread the word when you see that a site has been breached. Let your friends and co-workers know so they too can take the appropriate steps to protect themselves. We can’t fix a company’s vulnerabilities, but we can all respond accordingly to calm the wave of destruction.