Without somehow exploiting a flaw in the controller itself, DMA-style attacks via USB are not possible (at this time).
# ? Nov 21, 2016 21:54 |
OSI bean dip posted: Without somehow exploiting a flaw in the controller itself, DMA-style attacks via USB are not possible (at this time).

Was it firewire that had the native impossible to fix DMA issue, or was that something people were afraid of with the new Thunderbolt stuff?
|
# ? Nov 21, 2016 22:35 |
|
Methylethylaldehyde posted: Was it firewire that had the native impossible to fix DMA issue, or was that something people were afraid of with the new Thunderbolt stuff?

Wasn't Firewire, I'm pretty sure. Didn't VT-d block it entirely?
|
# ? Nov 21, 2016 22:40 |
|
eSATA, Firewire, ExpressCard, SCSI, and Thunderbolt to name a few have DMA capabilities and as a result can be a risk.
|
# ? Nov 21, 2016 23:27 |
|
Why are you epoxying the USB ports? Can't you just take a screwdriver to them?
|
# ? Nov 22, 2016 06:31 |
|
Cup Runneth Over posted: Why are you epoxying the USB ports? Can't you just take a screwdriver to them?

Epoxying is less likely to cause a short circuit.
|
# ? Nov 22, 2016 07:37 |
|
Fair enough. It's less of a permanent solution than rendering the port inoperable, though.
|
# ? Nov 22, 2016 07:47 |
|
Cup Runneth Over posted: Fair enough. It's less of a permanent solution than rendering the port inoperable, though.

If I'm epoxying a port I'm pretty sure it's because I wanted a permanent solution in the first place.
|
# ? Nov 22, 2016 07:54 |
|
This is probably a stupid question but... How do you plug in a keyboard and mouse if you epoxy all the USB ports?
|
# ? Nov 22, 2016 10:01 |
|
Kassad posted: This is probably a stupid question but... How do you plug in a keyboard and mouse if you epoxy all the USB ports?

Super glue them in place, or it's a laptop.
|
# ? Nov 22, 2016 14:20 |
|
Methylethylaldehyde posted: Was it firewire that had the native impossible to fix DMA issue, or was that something people were afraid of with the new Thunderbolt stuff?

Yes, and the first implementations for Thunderbolt had the same issue, which wasn't corrected until Thunderbolt 2, but there are still backwards-compatibility modes that are likely on by default to support legacy Thunderbolt devices that can't handle whatever kind of handshaking they added in.
|
# ? Nov 22, 2016 15:38 |
|
Kassad posted: This is probably a stupid question but... How do you plug in a keyboard and mouse if you epoxy all the USB ports?

PS/2 is an option. Probably.
|
# ? Nov 22, 2016 18:12 |
|
Kassad posted: This is probably a stupid question but... How do you plug in a keyboard and mouse if you epoxy all the USB ports?

It's better to use a software solution than glue the ports shut imo.
|
# ? Nov 22, 2016 18:16 |
|
CLAM DOWN posted: It's better to use a software solution than glue the ports shut imo.

The problem with a software solution is that it doesn't stop devices from interacting with the controller. That, and software solutions are temporary in a sense, whereas glue or the like is generally not. Physically restricting USB ports is of course an extreme solution, and I would only advocate it in situations where it is warranted.
|
# ? Nov 22, 2016 18:20 |
|
Can't you forbid Windows from installing new drivers without administrator approval? There should be no reason you'd have drivers for an ethernet-over-USB device installed on a desktop in most work places.
|
# ? Nov 22, 2016 18:29 |
|
OSI bean dip posted: The problem with a software solution is that they don't stop devices from interacting with the controller. That and software solutions are temporary in a sense whereas glue or likewise is generally not.

Fair, but a software solution is far more flexible and powerful, because you can customize what you allow and what you don't on which system. However, you're absolutely right, and only a physical block like glue would stop that.
|
# ? Nov 22, 2016 18:41 |
|
CLAM DOWN posted: Fair, but a software solution is far more flexible and powerful, because you can customize what you allow and what you don't on which system. However you're absolutely right, and only a physical block like glue would stop that.

My confidence in any USB security is usually summed up well by this video from 1997: https://www.youtube.com/watch?v=Wpj1SgQQ984
|
# ? Nov 22, 2016 18:53 |
|
CLAM DOWN posted:Fair, but a software solution is far more flexible and powerful, because you can customize what you allow and what you don't on which system. However you're absolutely right, and only a physical block like glue would stop that.
|
# ? Nov 22, 2016 19:00 |
|
CLAM DOWN posted: Fair, but a software solution is far more flexible and powerful, because you can customize what you allow and what you don't on which system. However you're absolutely right, and only a physical block like glue would stop that.

Software can be hacked; a cut trace or cement is a lot harder to hack.
|
# ? Nov 22, 2016 19:01 |
|
Wiggly Wayne DDS posted: a software solution is another point of failure in your security model, do it properly or not at all

ratbert90 posted: Software can be hacked, a cut trace or cement is a lot harder hack.

If you glue USB ports shut, how will you use a mouse/keyboard? PS/2 isn't the answer anymore, it's 2016. If you leave 2 ports for those, what's to stop an attacker from unplugging them and using the ports? A proper approach is multifaceted.

e: not to mention there are a range of USB devices that are useful in a work environment, and maybe your company even designs and builds hardware that uses USB. Simply gluing the ports shut is a limited, narrow, and destructive solution; like I said, you need to take a multifaceted approach.

CLAM DOWN fucked around with this message at 19:08 on Nov 22, 2016 |
# ? Nov 22, 2016 19:04 |
|
well no poo poo you tailor the solution based on the business needs, but don't say a software solution is more flexible and powerful when it's lax and vulnerable
|
# ? Nov 22, 2016 19:11 |
|
Just lock the computer in a case with some vent holes. Problem solved.
|
# ? Nov 22, 2016 19:12 |
|
Wiggly Wayne DDS posted: well no poo poo you tailor the solution based on the business needs, but don't say a software solution is more flexible and powerful when it's lax and vulnerable

Ok fine, the term "powerful" needs more meaning than that, but 100% it's more flexible; gluing a port shut is about as inflexible as you can get...

e: actually gently caress that, a software solution absolutely can be "powerful". You're being wrong by immediately dismissing any software option as "lax and vulnerable". I'm curious what products you've actually tried and used in production.

CLAM DOWN fucked around with this message at 19:16 on Nov 22, 2016 |
# ? Nov 22, 2016 19:12 |
|
Remove the USB ports with a soldering iron and solder in the keyboard and mouse. After that, epoxy the spot where you soldered the keyboard and mouse in and hope that they never need to be replaced.
|
# ? Nov 22, 2016 19:14 |
|
if you're at the stage where gluing the port is an option then you may want inflexibility in your security model, you're also locking the keyboard/mouse into the port with the machine in a sealed unit
|
# ? Nov 22, 2016 19:15 |
|
Doesn't PoisonTap exploit poor HTTP(S) implementation more than anything else? Or is the main concern here that you have hashes you can work against on your own time?
|
# ? Nov 22, 2016 19:24 |
|
CLAM DOWN posted: Ok fine, the term "powerful" needs more meaning than that, but 100% it's more flexible, gluing a port shut is about as inflexible as you can get...

here is Sophos' device control: https://community.sophos.com/kb/en-us/64174

quote: Device Exemptions

then there's the other kind of 'endpoint protector', meet CoSoSys' Endpoint Protector:

quote: The extended use of portable devices has not only increased the efficiency and mobility of our daily work tasks but, at the same time, has posed another significant threat to companies' data security. USB devices and other portable devices, although small and at first glance harmless, are one of the top causes of security incidents, with millions of dollars in losses for the business. The need for controlling the use of devices in corporate environments has nowadays become a must in order to keep up with the latest security challenges.

https://www.kb.cert.org/vuls/id/591667

quote: CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent account vulnerability

https://www.sec-consult.com/fxdata/..._v10_wo_poc.txt

quote: Vulnerability overview/description:

Wiggly Wayne DDS fucked around with this message at 19:37 on Nov 22, 2016 |
# ? Nov 22, 2016 19:33 |
|
Wiggly Wayne DDS posted: endpoint protection software

Yup, I'm fully aware of all that. Have you used either Check Point port protection, or Bit9 Parity/CarbonBlack USB device features?
|
# ? Nov 22, 2016 19:35 |
|
CLAM DOWN posted: If you glue USB ports shut, how will you use a mouse/keyboard?

Are you serious? You glue them in? Or even better, use wireless and glue the wireless dongle in.
|
# ? Nov 22, 2016 19:35 |
|
Can't you just cut the keyboard cable and get access to the USB traces electrically?
|
# ? Nov 22, 2016 19:37 |
|
ratbert90 posted: Are you serious? You glue them in? Or even better, use wireless and glue the wireless dongle in.

I can't tell if you're trolling me or not.
|
# ? Nov 22, 2016 19:42 |
|
CLAM DOWN posted: Yup, I'm fully aware of all that.

CLAM DOWN posted: e: actually gently caress that, a software solution absolutely can be "powerful", you're being wrong by immediately dismissing any software option as "lax and vulnerable", I'm curious what products you've actually tried and used in production

quote: Have you used either Check Point port protection, or Bit9 Parity/CarbonBlack USB device features?

Subjunctive posted: Can't you just cut the keyboard cable and get access to the USB traces electrically?
|
# ? Nov 22, 2016 19:42 |
|
Subjunctive posted: Can't you just cut the keyboard cable and get access to the USB traces electrically?

Run the keyboard cable through conduit, fill conduit with epoxy. Then open the keyboard and seal the thing with epoxy. Or just throw the computer into this contraption which will solve everything:

It is made in the UK so it might break after a few tries.
|
# ? Nov 22, 2016 19:41 |
|
Wiggly Wayne DDS posted: i'm dismissing them categorically unless evidence is presented that they aren't opening more holes than they are closing.

I highly recommend not dismissing things that you have never used or tried and don't know anything about. Keeping an open mind is very beneficial.
|
# ? Nov 22, 2016 19:46 |
|
CLAM DOWN posted:I highly recommend not dismissing things that you have never used or tried and don't know anything about. Keeping an open mind is very beneficial.
|
# ? Nov 22, 2016 19:52 |
|
Wiggly Wayne DDS posted: okay the rest is fine about that software being deployed in an enterprise environment but this is just adorable. what did you not like about my security analysis on software endpoint protection suites that made you just shutdown?

Is there a reason you're being so hostile? I'm not interested in engaging with someone who is acting like an angry child.
|
# ? Nov 22, 2016 19:54 |
|
i'm just amused that you're against not trusting security software, and will only listen to people who've deployed specific variants of the same snakeoil
|
# ? Nov 22, 2016 19:57 |
|
Wiggly Wayne DDS posted: i'm just amused that you're against not trusting security software, and will only listen to people who've deployed specific variants of the same snakeoil

I never said either of those things. I simply asked a question. You're putting words in my mouth and making assumptions, and doing so in an unnecessarily hostile and unproductive way. You haven't been open to any kind of real discussion since the start, so have a good one.
|
# ? Nov 22, 2016 19:59 |
|
Just implement WUSB, exposed port problem solved.
|
# ? Nov 22, 2016 20:01 |
I think what he's trying to get at is that you cannot rely on a software solution to protect USB, as USB in itself is flawed. I am not really joking when I say that the best method is to remove the ability for those ports to function, as it is in itself the only solution that is surefire short of shredding the computer altogether. Blocking physical access to a machine is really the only option for preventing harmful USB devices from being used, preventing cold boot-style attacks, or preventing DMA access. Applying a software solution, regardless of how open-minded you are about it, is only a band-aid at best, and if you're whitelisting specific devices, it doesn't do much to help you. How do you stop this device if it emulates a keyboard?
|
# ? Nov 22, 2016 20:02 |
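An added example, not from the thread, of the Windows-side control asked about earlier (blocking an ethernet-over-USB driver from ever installing on a desktop) and of the gap the last post points to: a Device Installation Restrictions policy written to the registry with PowerShell. Assumed: it runs elevated, and the value names match the policy as it ships in the Windows versions I know, so check them against your ADMX before deploying.

```powershell
# Added example (not the thread's own content): device-installation restrictions
# mirroring the "Device Installation Restrictions" Group Policy, written directly
# to the policy hive. Assumptions: run as administrator; value names as in the
# DeviceInstallation ADMX. Deny rules take precedence over allow rules.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path $base -Force | Out-Null

# Classes we never want installed on a desktop, whatever bus they arrive on.
$denyClasses = @(
    '{4d36e972-e325-11ce-bfc1-08002be10318}'  # Net: USB NICs, i.e. PoisonTap-style adapters
    '{4d36e967-e325-11ce-bfc1-08002be10318}'  # DiskDrive: USB mass storage
    '{eec5ad98-8080-4c18-9b3e-4a42d8b9e1f9}'  # WPD: phones and cameras exposed as MTP
)
# Classes that stay usable. Everything not listed is refused by DenyUnspecified.
$allowClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}'  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'  # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'  # HIDClass: USB keyboards/mice enumerate here
    '{36fc9e60-c465-11cf-8056-444553540000}'  # USB: host controllers and hubs
)

function Set-ClassList([string]$Name, [string[]]$Guids) {
    # Each list is a DWORD switch on the Restrictions key plus a subkey of the
    # same name holding the class GUIDs as REG_SZ values named 1, 2, 3, ...
    New-ItemProperty -Path $base -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $sub = Join-Path $base $Name
    New-Item -Path $sub -Force | Out-Null
    for ($i = 0; $i -lt $Guids.Count; $i++) {
        New-ItemProperty -Path $sub -Name ($i + 1) -PropertyType String -Value $Guids[$i] -Force | Out-Null
    }
}

Set-ClassList 'DenyDeviceClasses'  $denyClasses
Set-ClassList 'AllowDeviceClasses' $allowClasses

# Also apply the deny list to matching devices installed before the policy existed;
# without this, an adapter that was already enumerated keeps its driver.
New-ItemProperty -Path $base -Name 'DenyDeviceClassesRetroactive' -PropertyType DWord -Value 1 -Force | Out-Null
# Refuse any class not described above, while letting administrators override.
New-ItemProperty -Path $base -Name 'DenyUnspecified'   -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $base -Name 'AllowAdminInstall' -PropertyType DWord -Value 1 -Force | Out-Null

# The limit the last post describes: a device that enumerates as a keyboard
# matches the Keyboard/HIDClass allow list and installs like any other keyboard.
# Class- or ID-based allow lists gate driver installation, not what the
# controller will talk to, so they complement physical controls rather than
# replace them.
```

Deploying this through Group Policy rather than direct registry writes gives the same result with central management and audit of changes.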