Slashdot Mirror


Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)

An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.


  1. USB whitelisting by Anonymous Coward · · Score: 5, Insightful

    This is why ALL of my USB devices are white listed on my computers.

    There is no reason to allow rogue/unidentified hardware to be connected to a computer.

    1. Re: USB whitelisting by Anonymous Coward · · Score: 1

      Care to explain how?

    2. Re: USB whitelisting by Anonymous Coward · · Score: 4, Funny

      White listed... Here you go with your white superiority again. Always trying to keep the black man down

    3. Re: USB whitelisting by Anonymous Coward · · Score: 2, Informative

      Through udev rules on Linux and group policy under Windows.

    4. Re: USB whitelisting by Anonymous Coward · · Score: 1

      They're not. They have their own, it's called a blacklist.

    5. Re: USB whitelisting by Anonymous Coward · · Score: 1

      Windows wise it'd be something like

      REGEDIT4
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
      ;Prevent installation of devices not described by other policy settings
      "DenyUnspecified"=dword:00000001
      ;Allow installation of devices that match any of these device IDs
      "AllowDeviceIDs"=dword:00000001
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
      ;xbox one controller
      "1"="HID\\VID_045E&PID_02FF&IG_00"
      "2"="USB\\VID_045E&PID_02FF&IG_00"

    6. Re: USB whitelisting by Anonymous Coward · · Score: 1

      not to nitpick...but "reverse racism" is just racism.

  2. Nice! by 110010001000 · · Score: 1

    It runs special software? Impressive.

  3. How to protect? by JcMorin · · Score: 1

    How can I protect my computer against that?

    1. Re: How to protect? by Anonymous Coward · · Score: 1

      Set your computer on fire.

    2. Re:How to protect? by 110010001000 · · Score: 1

      I put super glue on all my ports to prevent that.

    3. Re: How to protect? by 110010001000 · · Score: 1

      But I never visit Poland.

    4. Re:How to protect? by Tuidjy · · Score: 1

      In Windows, set the group policy so that USB devices are not automatically installed. Of course, you could also simply disable your USB hubs, but that may reduce the functionality of your PC beyond what you'd consider acceptable.

      --
      No good deed goes unpunished...
    5. Re:How to protect? by chispito · · Score: 2

      How can I protect my computer against that?

      The best way is to not allow people to plug usb devices into your computer. Physical access trumps all.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    6. Re: How to protect? by viperidaenz · · Score: 2

      acetone also dissolves ABS, polycarbonate, polystyrene and other similar types of plastic. Better hope the USB port isn't made of those.
      It's not too good for polyethylene either.

  4. Squints suspiciously... by complete+loony · · Score: 2

    Exactly what kind of credentials?

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re: Squints suspiciously... by Rosyna · · Score: 5, Informative

      Bad article is bad. It initiates a man-in-the-middle attack for network requests.

      On Windows, this gets NTLM for a pass-the-hash attack if a network share is mounted or set to automatically connect.

  5. Rubby Ducky by Dracos · · Score: 1

    This is essentially the Rubber Ducky dongle that's been used in Mr Robot. Esmail and his tech consultants don't invent stuff like that, so this must have been available for a while.

    1. Re:Rubby Ducky by Burz · · Score: 3, Informative

      This is one reason why Qubes keeps USB controllers cordoned off in a separate unprivileged VM.

      Users have no idea about the many drivers and services that any ol' USB device can run on a system, not to mention the varying quality and vulnerabilities therein.

    2. Re:Rubby Ducky by tnyquist83 · · Score: 2

      Not a Rubber Ducky, but a LAN Turtle built by the same people. While a Rubber Ducky is a microcontroller in a USB case that poses as a HID, the LAN Turtle is a SoC running OpenWrt crammed into a USB-Ethernet case.

    3. Re:Rubby Ducky by SQLGuru · · Score: 3, Informative

      Hak5.org (blocked from work, so no direct link) sells the Rubber Ducky and the Turtle (the actual device used in the attack). Rob (aka Mubix -- the guy documenting the hack) does a fair bit with Darren Kitchen, the main guy behind Hak5.

      Also, Darren and Shannon (the co-hosts of Hak5) consulted on Mr. Robot.

      https://www.youtube.com/watch?...

    4. Re:Rubby Ducky by Burz · · Score: 1

      Sorry about the bad link. The correct one is https://www.qubes-os.org/

  6. Umm yea. by jellomizer · · Score: 2

    You can plug a hardware device into a computer and it may communicate with it. Just as long as it tells the computer the correct response in a timely manner, you can process the data sent to it in any way possible.
    What may be just as easy is a pass-through USB connector where you plug your keyboard into one end. It will send keyboard data to the PC just fine. But log it and connect to a wireless network and send the data to different spots.
    You can run all the system checks and not realize the keyboard extension cable is the actual hack.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Umm yea. by Solandri · · Score: 1

      This is one criticism I've had of USB. Under the guise of being user friendly, OS programmers have made the OS automatically do all sorts of stupid and insecure things when you plug something into the USB port. CD/DVD drives used to have the same problem (automatically running an executable off the disc) until it became such a common vector for malware that Microsoft finally disabled the autorun feature by default.

      When you plug in a USB device, you should get a pop-up asking if you want to access it in read-only mode or read/write mode, and whether it should be active (can auto-install stuff and mess with the system) or passive (can't change anything about your system - you will have to select/install the drivers yourself). You can have a "let the OS manage this automatically" option for the computer illiterate, but it should not be the default, and should throw up a big warning about malware vulnerability and decreased security with that option.

  7. Be afraid by Dunbal · · Score: 1

    The evil maid strikes again. Seriously this is a non issue. Unless they let absolutely everyone into the server room at your workplace.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Be afraid by h33t+l4x0r · · Score: 2

      Nah, you just leave a bunch of them lying around in a public area. Eventually someone's going to pick one up and plug it in.

  8. Re:errr by AvitarX · · Score: 2

    Does that get you passwords, or anything, with encrypted home/user directory and a strong password?

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  9. doesn't have to be an adapter by Gravis+Zero · · Score: 1

    This kind of attack could run on any USB device with a modified firmware (e.g. memory stick). If you don't want to hack an existing USB device, then for a few bucks you can make your own. It also doesn't have to interfere with the original functionality of the USB device, so if you aren't paying attention, the device could perform its task undetected.

    --
    Anons need not reply. Questions end with a question mark.
  10. Re: Bullshit - Neither OS X or Windows work that w by Anonymous Coward · · Score: 1

    says the person who has one of these things that does work

  11. Re:errr by 110010001000 · · Score: 2

    No, but this doesn't either. It just gets you the credential tokens, not the password itself.

  12. Re:Why is autorun still a thing? by viperidaenz · · Score: 2

    I don't believe this runs arbitrary code on the computer, the only code that runs is the built-in usb-ethernet drivers.

    The OS installs the adapter and sends DHCP requests through it. It responds with extra config options in the DHCP response telling it the URL to the web proxy configuration file. The OS then sends an authentication request to the configured web proxy. This is the credentials that get stolen. Windows will send out an NTLMv2 hashed password you then need to crack.
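
The DHCP step described in the comment above can be checked from the defender's side. This is an added example, not part of the original thread: it parses a DHCP reply and flags one that arrives from an unlisted server, carries option 252 (the option commonly used to deliver the WPAD URL), or names one host as DHCP server, gateway, DNS and WPAD host at once. The function names, the trusted-server list and the sample packet are constructed for illustration; all addresses are documentation ranges.

```python
import ipaddress
import struct
from urllib.parse import urlsplit

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 3, 6, 53, 54, 252


def parse_dhcp_options(packet):
    """Return {option code: raw value} from a BOOTP/DHCP message (the UDP payload)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = End
        if packet[i] == 0:                        # 0 = Pad, no length byte
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        opts[code] = opts.get(code, b"") + packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4_list(raw):
    """Decode an option value holding one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[n:n + 4])) for n in range(0, len(raw) - 3, 4)]


def assess_reply(packet, trusted_servers):
    """Return findings for a DHCPOFFER/DHCPACK; an empty list means nothing flagged."""
    opts = parse_dhcp_options(packet)
    if packet[0] != 2 or opts.get(OPT_MSG_TYPE) not in (b"\x02", b"\x05"):
        return []                                 # not a server reply we assess
    findings = []
    server = (ipv4_list(opts.get(OPT_SERVER_ID, b"")) or [None])[0]
    if server not in trusted_servers:
        findings.append(f"DHCP reply from unlisted server {server}")
    wpad_host = None
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")
        wpad_host = urlsplit(url).hostname
        findings.append(f"option 252 sets proxy auto-config URL {url}")
    if (server and server == wpad_host
            and server in ipv4_list(opts.get(OPT_ROUTER, b""))
            and server in ipv4_list(opts.get(OPT_DNS, b""))):
        findings.append(f"{server} is DHCP server, gateway, DNS and WPAD host at once")
    return findings


def build_sample_ack(server, router, dns, wpad_url=None):
    """Constructed DHCPACK for the demo; all addresses are documentation ranges."""
    pack_ip = lambda a: ipaddress.IPv4Address(a).packed
    msg = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), pack_ip("198.51.100.50"), pack_ip(server), bytes(4),
                      bytes.fromhex("020000000001"), b"", b"") + MAGIC_COOKIE
    options = [(OPT_MSG_TYPE, b"\x05"), (OPT_SERVER_ID, pack_ip(server)),
               (OPT_ROUTER, pack_ip(router)), (OPT_DNS, pack_ip(dns))]
    if wpad_url:
        options.append((OPT_WPAD, wpad_url.encode("ascii")))
    return msg + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


if __name__ == "__main__":
    rogue = build_sample_ack("198.51.100.1", "198.51.100.1", "198.51.100.1",
                             "http://198.51.100.1/wpad.dat")
    for line in assess_reply(rogue, trusted_servers={"192.0.2.10"}):
        print("ALERT:", line)
```

A router that is legitimately DHCP server, gateway and DNS in one box is not flagged by the last rule unless it also hands out a WPAD URL pointing at itself.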

  13. Re:Why is autorun still a thing? by joe_frisch · · Score: 1

    I really don't see why Windows can't ask before installing ANYTHING from USB. Clicking "OK" is not that big a deal relative to the effort of plugging in a USB device.

  14. I wonder if it works without a logged session by cloud.pt · · Score: 1

    I can see this being super useful (for the perpetrators I mean) in scenarios where PCs are left either locked (session running, yet needs pass) or even before logging into any account. Windows time to desktop from a login screen is so fast it looks like every service, such as the PnP one, is already up and accepting software installation. Does anyone have deeper knowledge if such a thing might happen? As in: has anyone ever tested plugging in a PnP device whilst a Win PC is locked, then found ways to check it DID install (maybe even that it ran whatever form of "autorun")?

    1. Re:I wonder if it works without a logged session by cloud.pt · · Score: 1

      All of this without actually logging in or unlocking the logged account of course...

  15. How can I get one? by LoTonah · · Score: 2

    Seriously sick of trying to deal with customers who forgot their own damn passwords. This would be a godsend!

  16. Re:Why is autorun still a thing? by MBGMorden · · Score: 1

    Because realistically most people are pretty dumb when it comes to using a computer. Autorun is a thing because otherwise more than half of computer users would never be able to launch a program.

    That's why we have consistent UI's getting thrown out of the window and now most app developers are basically going with the approach of "throw everything randomly up in their face and hopefully they'll see a button that does what they want". Makes it easier for the average idiot to stumble upon what they want - makes it a lot harder for someone to navigate a program expecting it to work like most other programs do.

    I had kinda thought all this would improve as the older generation faded away and most younger people literally grew up using computers, but truthfully the younger generation is no better. They're no longer AFRAID of using a computer/phone/whatever, but they're certainly not any BETTER at it.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  17. Re:Bullshit - Neither OS X or Windows work that wa by WaffleMonster · · Score: 2

    Windows doesn't provide the USB dongle with a password at any point, as implied by the article. It 'auto-installs' signed drivers already on the PC or if configured, downloads them from the internet ... SIGNED DRIVERS ... SIGNED BY MICROSOFT. Not just any random driver on the USB device.

    Windows does not do 'auto-run'

    OS X doesn't do anything implied in this article either. If it doesn't have a driver for your USB device already, it just doesn't work, with the exception of printers there isn't a magic way that it reads drivers from the USB device or random internet sites.

    This story is simply bullshit.

    Yea TFA is worthless and does not disclose anything of relevance. This isn't about USB or device drivers. It is about getting Windows to automatically do stupid crap over a network like trying to login to something. The IE Advanced option for example "Enabled Integrated Windows Authentication" is I believe enabled by default in at least Windows 7.

    If you can get a browser or some internal service to attempt login by initial DHCP/WPAD/whatever you can make short work of the authentication attempt to derive most passwords because Microsoft insists on using completely worthless CHAP based authentication protocols (e.g. Kerberos, MSCHAPv2) which subject users to at the very least offline dictionary simply for trying to logon... and by default it tries automatically... which is just awesome.

  18. Now with convenient red LED! by cormandy · · Score: 1

    Now with convenient red LED to let you know when password stolen! Time to upgrade my Ethernet USB password stealers!

  19. News at eleven.. by CptLoRes · · Score: 1

    Breaking news! Physical access to computers, makes them more susceptible to security exploits.

  20. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 3, Interesting

    or the device just sends an error response and then Windows sends out an NTLMv1 hash - and you don't NEED to crack it.

  21. Start using SSL by DrYak · · Score: 1

    Another alternative is to use proper cryptography between your machine and the necessary server.

    I'm not that used to Windows and Active Domain, so I can't comment much.

    The Unix equivalent would be to set up LDAPS for the credential validation instead of plain LDAP, with a properly signed certificate.
    The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Start using SSL by Anonymous Coward · · Score: 1

      I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.
      So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

    2. Re:Start using SSL by WaffleMonster · · Score: 1

      Another alternative is to use proper cryptography between your machine and the necessary server.

      The alternative is using authentication algorithms that don't suck. If Microsoft used a PAKE none of this would be possible. It's almost as if they are trying to get everyone hacked.

      The Unix equivalent would be to set up LDAPS for the credential validation instead of plain LDAP, with a properly signed certificate. The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.

      LDAP is used for backend authentication of incoming authentication and authorization requests. A client connecting to another UNIX server is not connecting to LDAP it is connecting to that server using whatever authentication mechanism is offered by the protocol associated with the connection.

      Regardless sending credentials in the clear over a wire whether that wire is "encrypted" or not is an unnecessary completely avoidable risk.

      Depending on organizations to properly deploy PKI is a fool's errand.

    3. Re:Start using SSL by WaffleMonster · · Score: 1

      I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue. So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

      This made my day. Thanks for the laugh.

  22. Re:Bullshit - Neither OS X or Windows work that wa by v1 · · Score: 1

    how is this any different than say, a modified router? Or a computer acting as a gateway? Is this device just intercepting unencrypted network traffic? Like any point on the internet can?

    That would be no more earth-shattering than hearing that someone found a way to read my postal mail.

    If you want privacy, you should be using end-to-end network encryption of some sort. Be it VPN, pgp email, ssh, etc. If you're sending in the clear and trusting every member of a huge network of random actors between you and your destination, you're stupid. Once it leaves your computer, it's fair game. It doesn't matter if it's getting sucked up at one of the NSA's big facilities, your ISP, the public kiosk's router, or a random ethernet adapter you found laying on the ground.

    --
    I work for the Department of Redundancy Department.
  23. Re:Bullshit - Neither OS X or Windows work that wa by Anonymous Coward · · Score: 1

    This is simply bullshit.

    Yeah, exactly like you 'working at a carrier'.

  24. Re:Bullshit - Neither OS X or Windows work that wa by guruevi · · Score: 1

    Windows will actually happily and by default send the credentials in clear text over wireless if you're using 802.1x without a Windows approved RADIUS server. The article and the summary are dumb because no USB device gets credentials by plugging it in. This is probably a network attack and could be done anywhere on a network.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  25. Re:Why is autorun still a thing? by cjjjer · · Score: 1

    That could be made optional, confirmation still only needed the first time.

    If we have learned anything from malware, people will just say yes to that regardless even if the device is known or unknown to be trusted. Users are funny that way.

  26. Re:Bullshit - Neither OS X or Windows work that wa by SQLGuru · · Score: 4, Informative

    The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.

    The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).

  27. Re:Bullshit - Neither OS X or Windows work that wa by WaffleMonster · · Score: 1

    If you're sending in the clear and trusting every member of a huge network of random actors between you and your destination, you're stupid.

    This is exactly what Microsoft is enabling today in 2016 with "integrated authentication".... Apparently a sufficient number of people have not taken the opportunity to tell them how stupid they are.

    There are some small caveats but none of them matter. The passwords aren't sent in the clear but might as well be given the ease of deriving them from challenge material.

  28. Re:Bullshit - Neither OS X or Windows work that wa by Anonymous Coward · · Score: 1

    It's bitztream, the autism-hating Slashdot troll!

  29. Not sniffing by DrYak · · Score: 1

    I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.

    Unix: depends on configuration.
    (goes from straight "everybody trust everyone else" like NIS and NFS servers, all the way up to Kerberos - everything is authenticated over an encrypted link)
    (and the home variant: use SSH + keys for everything)

    Windows:
    I've read some very appalling description of how it works.
    No or not enough encryption.

    So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

    According to the summary, the key redirects to a different (attacker-controlled) name server and Active Domain server (either running inside the USB adapter, or running elsewhere on the network with the key doing redirection of connections)
    Without proper cryptographic authentication in place, the attacked workstation will blindly trust these servers.

    Most typical installations of Unix services run encryption (e.g.: SSH for remote access, LDAPS for authentication/log-in, even DNSsec is possible for names) or can be authenticated (NFS supports Kerberos). Such a different server will fail the cryptographic authentication and will be rejected.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]