Penetration Testing mailing list archives
RE: USB delivered attacks
From: "Brian Taylor" <drak3 () comcast net>
Date: Sat, 5 Jun 2004 14:21:48 -0400
-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]

<SNIP>

"This is old news though, security 101 kind of stuff. Just because a new toy comes out does not imply it should not play by the rules of the other toys in the chest. If this is found in an audit then the company that hired you has real policy issues for you to outline to them and they will then need to address."

I agree fully with Ron. We're now crossing into that infinite, inky pit known as "a hacker could...". It is sort of a déjà vu from the thread on the Incidents list. We have had good testing and results that actually gave some great answers.

USB keys and other (tiny) removable devices have given us a new pain from a security standpoint. But like anything else, it has to start with policy. BUT the process has to follow as well. In this example, I have seen policies that stated that booting from CD or floppy is not allowed on workstations or servers, yet their IT departments (who built servers or sent orders to vendors to configure them) had no process or subsequent audits about disabling these features from the BIOS during build time. They simply applied the stock image and were done with it.

However, if everything was done properly, you would simply add to your list of areas to check as technology changes. You aren't re-inventing the wheel every time something new comes out that is simply a variation on a theme (floppy-->zip drive-->CD-->USB key-->???). Lock down bootable devices when appropriate. Audit and update list of devices as technology/trends change or on an annual basis.

From a physical-access pen-testing standpoint, this is definitely one of those "DOH!" issues. Of course *we* think about things like that, but do your average clients? I would assume many of the pen-testers here also suggest policy to their clients. In that regard, this is definitely one for them to consider. Both in policy and audits to ensure that it is being done at the most crucial point--the introduction of a new resource on the network.

Sorry to bring policy in a pen-testing discussion, but I believe that there is some overlap. IMO, finding holes in technology, policy and process can yield the same results.

--BT