Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Security Windows Communications Microsoft Network OS X Operating Systems Privacy Software The Internet Apple

Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com) 82

An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
This discussion has been archived. No new comments can be posted.

Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials

Comments Filter:
  • USB whitelisting (Score:5, Insightful)

    by Anonymous Coward on Wednesday September 07, 2016 @07:37PM (#52844545)

    This is why ALL of my USB devices are white listed on my computers.

    There is no reason to allow rogue/unidentified hardware to be connected to a computer.

    • by Anonymous Coward

      Care to explain how?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Through udev rules on Linux and group policy under Windows.

      • by Anonymous Coward

        Windows wise it'd be something like

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
        ;Prevent installation of devices not described by other policy settings
        "DenyUnspecified"=dword:00000001
        ;Allow installation of devices that match any of these device IDs
        "AllowDeviceIDs"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
        ;xbox one controller
        "1"="HID\\VID_045E&PID_02FF&IG_00"
        "2"="USB\\

    • by Anonymous Coward on Wednesday September 07, 2016 @07:48PM (#52844605)

      White listed... Here you go with your white superiority again. Always trying to keep the black man down

      • by Anonymous Coward

        They're not. They have their own, it's called a blacklist.

  • It runs special software? Impressive.
  • How can I protect my computer against that?
    • by Anonymous Coward

      Set your computer on fire.

    • I put super glue on all my ports to prevent that.
    • by Tuidjy ( 321055 )

      In windows, set the group policy so that USB devices are not automatically installed. Of course, you could also simply disable your USB hubs, but that may reduce the functionality of your PC beyond what you'd consider acceptable.

    • How can I protect my computer against that?

      The best way is to not allow people to plug usb devices into your computer. Physical access trumps all.

    • by Anonymous Coward
    • Another alternative is to use proper cryptography between your machine and the necessary server.

      I'm not that used to Windows and Active Domain, so I can't comment much.

      The Unix equivalent would be to setup LDAPS for the credential validation instead of plain LDAP, with properly signed certificate.
      The rogue credential server running inside the USB would fail the certificate validation and the worsktation will refuse to use it.

      • by Anonymous Coward

        I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.
        So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

        • I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue. So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

          This made my day. Thanks for the laugh.

        • I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.

          Unix: depends on configuration.
          (goes from straight "everybody trust everyone else" like NIS and NFS servers, all the way up to Kerberos - everything is authentified over an encrypted link)
          (and the home variant: use SSH + keys for everything)

          Windows:
          I've read some very appalling description of how it works.
          No or not enough encryption.

          So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

          Accroding to the summary, the key redirects to different (attacker-controlled) name server and Active Domain server (either running inside the USB adapter, or running elsewhere

      • Another alternative is to use proper cryptography between your machine and the necessary server.

        The alternative is using authentication algorithms that don't suck. If Microsoft used a PAKE none of this would be possible. It's almost as if they are trying to get everyone hacked.

        The Unix equivalent would be to setup LDAPS for the credential validation instead of plain LDAP, with properly signed certificate. The rogue credential server running inside the USB would fail the certificate validation and the worsktation will refuse to use it.

        LDAP is used for backend authentication of incoming authentication and authorization requests. A client connecting to another UNIX server is not connecting to LDAP it is connecting to that server using whatever authentication mechanism is offered by the protocol associated with the connection.

        Regardless sending credentials in

  • by complete loony ( 663508 ) <Jeremy.Lakeman@nOSpaM.gmail.com> on Wednesday September 07, 2016 @08:03PM (#52844687)
    Exactly what kind of credentials?
  • This is essentially the Rubber Ducky dongle that's been used in Mr Robot. Esmail and his tech consultants doesn't invent stuff like that, so this must have been available for a while.

  • by jellomizer ( 103300 ) on Wednesday September 07, 2016 @08:07PM (#52844705)

    You can plug in a hardware device into a computer and it may communicate with it. Just as long it tells the computer the correct response timely you can process the data sent to it in any way possible.
    What may be just as easy is a pass threw sub connector where you plug your keyboard into one end. It will send keyboard data to the PC just fine. But log it and connect to a wireless network and send the data to different spots.
    You can run all the system checks and not realizing they keyboard extension cable is the actual hack.

    • This is one criticism I've had of USB. Under the guise of being user friendly, OS programmers have made the OS automatically do all sorts of stupid and insecure things when you plug something into the USB port. CD/DVD drives used to have the same problem (automatically running an executable off the disc) until it became such a common vector for malware that Microsoft finally disabled the autorun feature by default.

      When you plug in a USB device, you should get a pop-up asking if you want to access it in
  • The evil maid strikes again. Seriously this is a non issue. Unless they let absolutely everyone into the server room at your workplace.
    • Nah, you just leave a bunch of them lying around in a public area. Eventually someone's going to pick one up and plug it in.
  • This kind of attack could run on any USB device with a modified firmware (e.g. memory stick). If you don't want to hack an existing USB device, then for a few bucks you can make your own. It also doesn't have to interfere the original functionality of the USB device, so if you aren't paying attention, the device could perform it's task undetected.

  • I can see this being super useful (for the perpetrators I mean) in scenarios where pcs are left either locked (session running, yet needs pass) or even before logging any account. Windows time to desktop from a login screen is so fast it looks like every service, such as the PnP one is already up and accepting software installation. Does anyone have deeper knowledge if such a thing might happen? As in: has anyone ever tested plugging a PnP device whilst a Win pc is locked, then found ways to check it DID in
  • Seriously sick of trying to deal with customers who forgot their own damn passwords. This would be a godsend!

  • Now with convenient red LED to let you know when password stolen! Time to upgrade my Ethernet USB password stealers!
  • Comment removed based on user account deletion

Avoid strange women and temporary variables.

Working...