Comments
USB Hardware Easily Subverted, Researchers Claim
Ashu001,
User Rank: Ninja
7/31/2014 | 4:52:57 PM
Why are there no USB Firewalls yet?
I was reading the Blogpost and Wondering to myself.

Why are there no USB Firewalls yet?

Seems to be a matter of Cost primarily.

The other issue is that if they can hit the BIOS with their attacks, absolutely anything is possible.

And Hardware Level attacks are much more difficult to erase than just pure Software Hacks.

Lot of Trouble, Looking forward to this Black Hat Presentation.

Regards

Ashish.
Thomas Claburn,
User Rank: Author
7/31/2014 | 5:14:51 PM
Re: Why are there no USB Firewalls yet?
I wonder what percentage of people insert thumb drives they find somewhere? Just leaving compromised USB sticks in hotels and in bars is probably a very efficient way to create a botnet.
Bhori,
User Rank: Ninja
7/31/2014 | 6:29:08 PM
Re: Why are there no USB Firewalls yet?
Amazed that still the USB culture prevails in many organizations where numerous flash drives from Employees, Customers, Vendors and even the visitors and trainees find their way into company PCs. From the article, it seems that currently the only way to cover this risk is to restrict thumb drive use. I wonder how culture can be changed quickly and are there any secure alternatives available.
David F. Carr,
User Rank: Author
7/31/2014 | 6:38:48 PM
USBs and the military / intelligence world
The Department of Defense tried imposing an absolute ban on USB removable storage a few years ago but eventually wound up allowing exceptions selectively. USBs were apparently a factor in the Edward Snowden leak scandal as well. One challenge: USB has become the standard interface for connecting all sorts of gadgets to a PC, including keyboard and mouse. Maintaining an absolute ban might make a lot of sense -- except that it's impossible to maintain.
Bhori,
User Rank: Ninja
7/31/2014 | 6:39:42 PM
Re: Why are there no USB Firewalls yet?

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.  


Seems that security and cost will be added following some high profile breach. But, still that would be the security added at USB owner's end rather than the device which will run it.

pcharles09,
User Rank: Ninja
7/31/2014 | 7:57:19 PM
Re: Why are there no USB Firewalls yet?
@Thomas C,

It's more common than you think. I've heard of hackers spraying USB sticks in corporate parking lots. Guess what happens within a day or two: Curious employees plug them in to either see what's on them OR format them to use for themselves. Either way, the botnet gets stronger.
Jeff Jerome,
User Rank: Ninja
7/31/2014 | 10:10:29 PM
Re: USBs and the military / intelligence world
It is hard to imagine that the government would put sanctions on USB thumb drives but that would also need to translate to other USB devices. It seems almost impossible to "Ban" this type of device, they are everywhere. However as a security precaution, we may all want to reconsider how we use them and consider technology that would scan that device prior to allowing it to download anything to your computer. But if we step back that can also translate to other products as well and other I/O devices. Theoretically you could gain access to a computer via a coded message on a microphone or even IR through a camera, that is attached via a USB cable too. Lots of theories so little time, unless we cluster.
CitizenT128,
User Rank: Apprentice
7/31/2014 | 10:30:21 PM
NOT new!
This is as old as USB itself.  It's just a fact of life.  As long as you control what's plugged into your PC (or any other USB host device), it's not a problem.  I have known about this "threat" for over a decade, and for me- it's a non-issue.  USB devices have to be recognized by the device they're plugged into.  Generic things, like keyboards and mice and mass storage have default drivers (and any device- be it a USB stick, a mouse or just what looks like a plain cable, can be identified by a PC as any of those if the person who programmed it decided to have it be so).  Otherwise your PC is going to ask you to install a driver (which could be the actual malware).  Just pay attention.

If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild.  There's no way that Anti-Virus software can keep up with all of that.  The vast majority of those are thrown together with malware kits that don't require any real programming skills.  So those are just variations of existing (and detectable) malware, but there are a few unique pieces of code that are made by very skilled, even gifted programmers.  Some are from governments and other organizations and are very selective in what they target, and what they do once they infect a system.  Those are not a threat to me and you (unless you're a criminal, a terrorist, or someone has an interest in you and your activities and associates).  But some are from criminals, ID thieves targeting you and me and anyone with a bank account, a credit card, or a decent credit score.

Just be careful what you do, what websites you visit- no porn or gambling sites- which are more likely to give you a problem than not.  Don't put USB devices or media (like CDs and DVDs) into your machine unless you know where they're from and where they've been.  Don't open Email unless you know who sent it, and why (and try not to be fooled by spoofed messages).  Turn off your preview pane, so Emails don't get opened without you intentionally acting to open them.  (Yes, just opening or previewing an Email can infect you. So can opening a web page, even unintentionally or very briefly.)  And look at your bank and credit card activity every day or at least a few times a week.  Never pick up a USB stick or an SD card that isn't yours.  If you practice behavior that your Mom would approve, you are less likely to be a victim.

The people who want to hurt you are counting on being able to remain anonymous.  If you stick with who and what you know, behave like an upright citizen, and run some good security software you will probably be okay.  And Linux will not protect you from something pretending to be a keyboard or a mass storage device.
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:57:31 PM
Re: NOT new!
@CitizenT128: "If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild."

Yikes, thanks. Your mission is accomplished.

Your advice is completely sound and about the best that any of us can hope for in trying to avoid hackers who are way ahead of most home and business and even enterprise-scale efforts. Research I've seen generally indicated that plain old human error on the part of well-meaning employees is as big a danger to enterprise systems as anything else.

Yet most companies do very little to educate their employees about safe practices when it comes to using hardware and software (and clicking on those links!).

 
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:59:40 PM
Re: Why are there no USB Firewalls yet?
@Thomas: most people I know who work outside of tech wouldn't think twice about sticking a USB they found into their computer, especially if it was one handed out as, say, a promotional item somewhere. Education is sorely lacking on this topic.