
http://www.edgeblog.net/2006/defending-against-u3-switchblade/

October 12, 2006
Defending against U3 & Switchblade
Filed under: Security — bill @ 10:22 pm

U3 is a fun new technology for USB flash devices. U3 flash drives contain a partition that emulates a CD-ROM drive, where U3-enabled applications are installed. Because of the CD emulation, these devices auto-play on most XP, 2000 and 2003 computers as soon as the drive is inserted. The talented folks over at hak5.org have created several projects, including Switchblade and its younger cousin Hacksaw, which exploit this technology for hacking/pen testing.

U3 reinforces the old security axiom, “if I can touch it, I own it.” Using auto-play with exploit code is nothing new. CDs can be used in this manner. What is new is the ability to run this on a writeable device. As the hak5 guys have proven, this is a deadly combo. Plug your USB drive in, wait for it to suck off password hashes or key files, install a back-door, and be gone. This works even if the screen is locked. One more reason why at some companies, the janitor is the richest guy in the place.

As pen testers, U3 is just one more tool to make our lives easier. As security managers, developing a defense in depth against U3 is difficult. Here are a few suggestions to make it easier. Most of these are just good general security practices, but U3 increases their importance:

1. Assign the least amount of privileges possible to your users. Programs run with U3 execute with the privileges of the logged-on user. Unless, of course, the hacker includes a privilege escalation exploit on the drive.
2. Keep systems patched. This reduces the number of exploits that can be used against you.
3. Never leave systems logged in with admin access. Locking the screen does not protect against auto-play. Admins should always log out when done.
4. Disable auto-play. (Instructions below)
5. Restrict USB devices. Several vendors offer solutions to disable USB ports, or restrict them to authorized devices.
* GFI EndPoint Security
* ControlGuard Endpoint Access Manager
* SafeEnd Protector
* Device Lock
* SecureWave Sanctuary
* DeviceWall
* TriGeo USB-Defender

There are multiple ways to disable auto-run. The best way is to use group policy. Go to Computer Configuration > Administrative Templates > System and find the “Turn off Autoplay” option. This option makes a registry entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. You can also create this key manually. For stand-alone PCs, the TweakUI PowerToy from Microsoft can also be used. TweakUI offers a disable autoplay option under the “My Computer” section.
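The registry value that the “Turn off Autoplay” policy writes under that Explorer key is NoDriveTypeAutoRun, a bitmask with one bit per drive class as reported by the Win32 GetDriveType() call. The point that matters for U3 is that the drive shows up as a CD-ROM, so a setting that only covers removable drives leaves the U3 partition alone. The script below is an added example, not code from the original post or from hak5; it assumes an elevated PowerShell session on a Windows host and audits the current value, flags whether both the removable and CD-ROM bits are set, and offers a function that writes 0xFF (the value the “All drives” choice of the policy writes):

```powershell
# Added example: audit and enforce the NoDriveTypeAutoRun policy value.
# Assumes an elevated PowerShell session on Windows. The key path is the one
# the post names; the value name and bit layout are the documented Windows ones.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Each bit disables AutoRun for one GetDriveType() class (DRIVE_UNKNOWN=0 -> 0x01,
# DRIVE_NO_ROOT_DIR=1 -> 0x02, ... DRIVE_RAMDISK=6 -> 0x40; 0x80 is reserved).
$DriveBits = [ordered]@{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04   # how the OS normally classifies a USB flash drive
    Fixed     = 0x08
    Remote    = 0x10
    CDRom     = 0x20   # the emulated U3 partition lands in this class
    RamDisk   = 0x40
    Reserved  = 0x80
}

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null if the policy value is absent.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutoRunBlocked {
    param([int]$Value)
    # A U3 device is defeated only if BOTH the removable and the CD-ROM bit are set.
    $needed = $DriveBits.Removable -bor $DriveBits.CDRom
    return (($Value -band $needed) -eq $needed)
}

function Show-AutoRunPolicy {
    $value = Get-AutoRunPolicy
    if ($null -eq $value) {
        Write-Host "$ValueName is not set under $PolicyKey (Windows defaults apply)"
        return
    }
    Write-Host ("{0} = 0x{1:X2}" -f $ValueName, $value)
    foreach ($name in $DriveBits.Keys) {
        $state = if ($value -band $DriveBits[$name]) { 'disabled' } else { 'ENABLED' }
        Write-Host ("  {0,-10} autorun {1}" -f $name, $state)
    }
    if (Test-AutoRunBlocked $value) {
        Write-Host "OK: autorun is off for removable and CD-ROM (U3) drives"
    } else {
        Write-Warning "autorun is still allowed on a drive class a U3 device can present"
    }
}

function Set-AutoRunOff {
    # 0xFF disables AutoRun for every drive class; same value the GPO writes for "All drives".
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0xFF -Type DWord
}

# Audit only by default; call Set-AutoRunOff explicitly to enforce.
Show-AutoRunPolicy
```

Running the script only reports; call Set-AutoRunOff yourself to apply the change, then run Show-AutoRunPolicy again to confirm. Two caveats: the User Configuration side of the same policy writes an identical value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, so audit that hive too on shared machines, and Explorer reads the value at logon, so a manual registry edit takes effect only after the user logs off and on again.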

The last tool in your arsenal is training. Teach your users not to bring in USB devices from home, or to plug in flash drives they find or are sent in the mail. This seems like common sense, but several security testers have shown that users will pick up drives off the ground and plug them into their PCs to see what is on them. The most famous example of this is the test Steve Stasiukonis wrote about in the Dark Reading blog: 20 flash drives dropped on the ground outside a bank yielded 15 compromised systems. Flash drives work better for this type of test than CDs, because users perceive them as valuable since they are re-writable. A good security education program would prevent this.

If you have other ideas for protecting against flash drives and U3, we’d love to hear about them.

-Bill

3 Comments »

1.
Bill said,

October 23, 2006 @ 11:50 am

Nice piece!
2.
edgeblog » 10 New Immutable Laws of IT Security said,

October 23, 2006 @ 4:25 pm

[...] An unsupervised janitor is the richest guy in your company - See rule 4. As I’ve discussed before, a USB key with U3 and a PC with AutoPlay is all it takes to get passwords, install software, and generally 0wn a PC. Couple that with your administrator’s terminals and you have a recipe for disaster. Would you really trust your janitor to do the right thing if I offered him $1,000 to plug a USB drive into a PC for 10 minutes and then bring it back to me? Physical security extends beyond the data center to include every system that has privileged access. How secure are your admin’s home PCs? Your CIO’s? [...]
3.
dante said,

March 4, 2007 @ 6:56 am

Hello Bill, I had a question about your Switchblade article. I am not sure Switchblade can run if the screen is password protected. I have tried on two laptops, and it only works when the screen is not locked. If I have missed something, please let me know… Thanks for your time.

©2006 William L. Dougherty • Design based on Corporate Pro by Mystical Twilight ·
