Just When You Thought — Why Now?

Just When You Thought

It was safe to turn on your computer …

The BBC reports: Attack code for ‘unpatchable’ USB flaw released.

The reason the flaw is considered ‘unpatchable’ is that it is part of the USB standard. The standard has to be changed so manufacturers know what they can do to fix it, and then the firmware for every USB device needs to be updated with the change. Of course that assumes that the firmware can be updated. OTOH, if it can’t be updated you are probably safe, as there is no way of injecting the malware.

____________________

Another extra crispy squirrel for the cats this morning. Heard the boom at about 10AM as the squirrel shorted the transformer that delivers power to three houses, including my Mother’s. They cross from the yard across the street to the trees on this side by running along the electric lines which are insulated. It is the wires from the transformer that are bare.

9 comments

1 Badtux { 10.07.14 at 12:52 am }

Inserting a virus into a USB device is an issue only if you accept USB devices from external sources and plug them into your computer. And if you do that, you’re an idiot anyhow.

I analyzed this and discovered that there’s no problem with the USB protocol, there is a problem with operating systems and BIOS’s that simply accept that something plugged in is a HID device without requiring any kind of validation from the user. If OS’s would simply do the simple things that are done for Bluetooth devices, such as requiring you to type some keys on a keyboard before enabling a keyboard HID device, there would be no problem.

Note that no — zero — changes are needed to the USB protocols to change this. None. It can be completely 100% handled on the OS side. It’s just more sensational to claim that it’s an “unpatchable” problem. No, it isn’t.

In the meantime, don’t put any USB keyfobs into your computer when you don’t know where they’ve been… unfortunately current BIOS’s simply accept HID devices without question, even bogus ones like those created by the overwritten USB keyfob firmware in question.

– Badtux the Security Penguin

2 Kryten42 { 10.07.14 at 9:24 am }

I agree with badtux. 🙂

Nobody plugs anything into my systems without me. Bitdefender requires a password to allow Win to enable a newly connected device, then scans for malware if allowed. No problems here. 🙂

For my UEFI BIOS, I disable all USB legacy support, and use a ‘Trusted Computing’ device (which is not USB) to enable the system to boot. So even if someone tried to boot my system while I wasn’t here, they wouldn’t get far as my key is always with me. Before the TCG EFI protocol, you could password protect the BIOS, but that was a joke as the pwd was usually known or easily bypassed. Newer UEFI BIOS have strengthened this considerably. They also have 2 PWD’s for the BIOS, Admin (unlimited) and User (limited). *shrug* Better than they were, and generally better than nothing. 🙂

Oh, and my data & NAS HDD’s are all SED. 🙂 They cost twice as much, but for me, worth it.

Security is such fun! 😉 😀

3 Badtux { 10.07.14 at 11:46 am }

Kryten, even UEFI BIOS’s will usually pass through a keyboard or mouse as a “generic” device prior to booting the OS, which is the problem here — the USB keyfob that is the heart of this attack claims to be a flash device on its outside, but its firmware allows it to present itself as a keyboard and mouse device too, which means that once you mount it with your OS, it can at some point seize control of your keyboard and mouse to run a virus in sectors that were hidden from the initial virus scan.

So there’s two issues here: 1) The attack relies on you not having to type a password in order to obtain superuser permissions. It’ll work on Windows 7. It won’t work if your desktop OS is Windows 2008R2. Guess which one I’m running on my PC? 2) The attack relies on you not having run-time virus protection operating. The antivirus that I’m using checks all blocks of code loaded into memory for viruses before it’ll run them, so even if you think you’re loading something innocuous that already passed virus check off of the USB keyfob, and it in fact turns out to be infected with a virus, the antivirus will (hopefully) detect that it’s a virus and keep it from running.

In other words, this is an attack vector, but not an especially powerful one, and one that’s easy to defeat with fairly simple strategies. I’m much more worried about drive-by browser hijackings, to tell you the truth. I browse the Internet a lot more often than I plug unknown USB devices into my system, and most web sites today are so useless if you don’t enable Javascript that you have to hope and pray that the spaghetti code that is a typical browser’s Javascript interpreter has no holes in it.

But if you listen to the “security researchers” OMG the world is ending! OMG! Sheesh. Trying to drum up business for their security consulting firm, are they? Ya think?

– Badtux “the sky is NOT falling” Penguin
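
As an added example (not code from the post or from any commenter), here is the check the two Badtux comments above argue for, done in Python: walk the configuration descriptor a newly plugged-in device presents, hold any new keyboard or mouse for user confirmation, and quarantine a "flash drive" that also advertises a keyboard or mouse interface. The descriptor bytes are constructed for the example, not captured from a real device.

```python
import struct

USB_DT_CONFIG, USB_DT_INTERFACE, USB_DT_ENDPOINT, USB_DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE, HID_SUBCLASS_BOOT = 0x03, 0x08, 0x01
HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 0x01, 0x02

def parse_interfaces(config):
    """Return (class, subclass, protocol) for each interface descriptor in a
    configuration descriptor; other descriptor types are skipped by bLength."""
    found, offset = [], 0
    while offset + 2 <= len(config):
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == USB_DT_INTERFACE and length >= 9:
            found.append(tuple(config[offset + 5:offset + 8]))  # class, subclass, protocol
        offset += length
    return found

def decide(config):
    """Authorization policy for a freshly enumerated device."""
    ifaces = parse_interfaces(config)
    input_dev = any(c == CLASS_HID and s == HID_SUBCLASS_BOOT and
                    p in (HID_PROTO_KEYBOARD, HID_PROTO_MOUSE) for c, s, p in ifaces)
    storage = any(c == CLASS_MASS_STORAGE for c, _, _ in ifaces)
    if input_dev and storage:
        return "quarantine"  # a "flash drive" that can also type: hold it for review
    if input_dev:
        return "ask"  # new keyboard/mouse: confirm it on an already-trusted input device
    return "allow"

# Descriptor builders for the constructed samples below (not dumps of real devices).
def _iface(num, cls, sub, proto, n_ep):
    return struct.pack("<BBBBBBBBB", 9, USB_DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _ep(addr, attrs):
    return struct.pack("<BBBBHB", 7, USB_DT_ENDPOINT, addr, attrs, 64, 0)

def _config(n_ifaces, *descs):
    body = b"".join(descs)
    return struct.pack("<BBHBBBBB", 9, USB_DT_CONFIG, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

HID_DESC = struct.pack("<BBHBBBH", 9, USB_DT_HID, 0x0111, 0, 1, 0x22, 63)
STORAGE = (_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2), _ep(0x81, 0x02), _ep(0x02, 0x02))
KEYBOARD = (_iface(1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD, 1), HID_DESC, _ep(0x83, 0x03))
PLAIN_STICK = _config(1, *STORAGE)           # an ordinary flash drive
BAD_STICK = _config(2, *STORAGE, *KEYBOARD)  # a flash drive whose firmware also claims a keyboard
PLAIN_KEYBOARD = _config(1, *KEYBOARD)
```

On Linux the decision maps onto the per-device `authorized` attribute under /sys/bus/usb/devices/, which a udev rule can clear before the HID driver binds, so the prompt happens before the device can type anything.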

4 Bryan { 10.07.14 at 3:39 pm }

Actually, I was trying to figure out how this would cause me any problems because I’m the only person who uses my machines, and the really important machine is never connected to a network of any kind. I do hand transfers, [‘sneaker net’ as it used to be called] and it only involves data or source code, not executables, on CD/DVD.

I do use flash drives, my camera, and my phone connected through the USB port, and all of them to upload or download, but I control the process. Their example of taking data with a phone is something I’ve done multiple times when I change phones to avoid re-entering my contacts. Snowden didn’t need malware to grab what he wanted from NSA, he used flash drives as they were intended to be used.

I posted this for your reactions, because I didn’t really see the major problem, and was looking for more input on it.

The ‘Net is a hell of a lot more likely as a source of problems than USB, as I get reminded by ESET every day when it flashes a warning about a blocked address coming up in the ad space on sites I visit daily. Ads are the common vector these days.

5 Kryten42 { 10.07.14 at 10:21 pm }

Oh sure badtux. But not when you have a TPM (usually based on the Infineon TPM modules, such as ASUS use on some of their Motherboards). I don’t use TPM for anything other than booting (I definitely don’t follow M$ TPM spec’s!)

Jeff Wilcox has a good discussion going relating to TPM & Linux by way of example:
Installing an Infineon TPM in the Gigabyte GA-77X-UP5 TH motherboard

OT: Hey Bryan… speaking of HP (another thread. Didn’t want to make two posts!) 😉

Confirmed: HP is splitting into two separate companies

About time! Way past actually! This was proposed in the late 90’s. When Carly FUBAR became CEO, she killed the idea totally. *shrug*

6 Bryan { 10.07.14 at 10:58 pm }

Carly made the problem worse buying DEC. HP should have dumped the no profit PC business and concentrated on printers that actually worked and sold. They went super-cheap on the hardware side, and still couldn’t make money. They will dump all the debt on the hardware side and probably kill it in bankruptcy.

7 Badtux { 10.08.14 at 11:09 am }

Carly bought Compaq, which had bought DEC. Which made no sense at all, because Compaq’s product line totally overlapped with HP’s product line with the exception of the DEC product line, and DEC hadn’t been able to make a go of it as a going concern with that product line so clearly that wasn’t a profitable business to be in.

HP’s PC business has actually been making a profit lately. Thing is, it’s a consumer-products profit — around 5%, or slightly above inflation — rather than the exorbitant Apple-level profits that tech investors demand for premium goods of around 20%. The printing business, which is being made part of the PC business, has better returns, but of course mostly from ink, and it’s still a consumer-products profit rather than a premium tech-products profit. HP’s bigger business-level printers actually are fairly good quality today; the printers at the end of iCarly’s realm had collapsed in quality, but her successors rebuilt the business. The entry level printers are of course junk, but so are everybody else’s. The big multi-function inkjet printer on my printer cabinet to the right is an HP 8600, it is a workhorse, it scans, copies, and prints just fine. Its predecessor, the 8500, was junk. Neither one was Apple-priced, and neither one made Apple-level profits for HP, but not everybody has to be Apple.

Well, unless you’re a Wall Street tech investor who wants every company you invest in to be Apple. Thing is, there’s a market for computers and printers that actual real people can afford. HP was filling that market. With junk, admittedly, but they were still actually making (modest) profits in that market. I suppose it does make sense that the company selling HP Lefthand clustered iSCSI servers and high end managed infrastructure switches maybe doesn’t need to be the same company that makes the laptops issued to workers, they are very different businesses and the Lefthand gear makes them a lot more profit per sale. Also gets far, far, far fewer sales.

So yeah, HP minus consumer products is going to be more profit per sale, which is what the investors are looking for. But it’s also going to be far fewer sales… and each sale is going to be fiercely contested by Dell, EMC, Netapp, Cisco, and other industry giants, all of which have their own competitors in that product space, and the R&D needed to stay current in that market space is enormously expensive even if you’re largely selling products created by startups you bought, those startup products need follow-ons and those follow-ons don’t create themselves. It really makes no business sense at all in the long run, but investors want big profits *now*, not modest profits over the long run. It’s the same short-term thinking that destroyed too many other American companies. SIGH.

8 Steve Bates { 10.08.14 at 9:38 pm }

I am so glad I turned down the position Compaq offered me when it was independent. My reason was not deep: 30 or 40 miles one way is too far to commute every morning in Houston traffic. But saying no spared me all the subsequent unpleasantness of acquisitions of and by Compaq.

9 Bryan { 10.08.14 at 11:55 pm }

The print media is being destroyed by Wall Street in much the same way. The profit margins of many companies are small, but they make up for it in volume. Grocery stores make around 5% overall, but they make it every year.

Yeah, 20% would be great, but making a profit is success to everyone but the get rich quick boys. I wish my money market account was making 5%, like it was not that long ago. Today “long term” is a year at most as far as the gamblers on Wall Street are concerned, and as long as executive compensation is tied to stock price there is no change in that thinking on the horizon.