Rogue Device Spotlight: Penetration Testing Teensy

RISK ASSESSMENT RATING: 5.33

Popularity: 4

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The Penetration Testing Teensy may be gaining a following, but it is still less popular than its “distant cousin” the Arduino microcontroller or the more polished Rubber Ducky.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The Pentest Teensy is an out-of-the-box solution for USB HID spoofing, and at $20 it costs little enough to experiment with. However, creating a program for the Teensy that meshes with the target is a less than trivial endeavor. This may be a problem for the more ambitious amateurs, but pre-built, automated tools like Dave Kennedy’s SET provide a set of easier attacks for those with less experience.

Impact: 6

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

A properly executed USB HID spoof can be extremely detrimental to an organization, as it can gain access to many systems and store information on the device itself. That being said, properly executing a USB HID spoof is no small matter. Without the proper configuration, or with some careful authentication on the target, attacks simply will fail at compromising anything, much less mission-critical access.

Penetration Testing Teensy

While they lack the processing power required to run an operating system or traditional security tools, the flexibility and exceptionally low cost of hobby microcontrollers such as the Arduino make them perfect for purpose-built rogue devices. With their small size and minimal energy requirements, these microcontrollers are extremely well suited for covert installations where other types of devices simply wouldn’t work. Hidden inside of an everyday object or computer peripheral and powered by nothing more than energy leeched off of their host device, a microcontroller can turn almost any object into a potential rogue device.

One of the most widely researched security applications of microcontrollers is USB Human Interface Device (HID) spoofing; the microcontroller poses as a standard USB keyboard and sends keystrokes as if they were typed in by a human operator. Currently, the most commonly used microcontroller for HID spoofing is Paul Stoffregen’s Teensy, as it officially supports mimicking USB keyboards. While some researchers have combined the Teensy with additional hardware to increase its functionality, most techniques will work with the device right out of the box, making it very easy to replicate.

Hardware Specifications (Teensy 2.0)

  • CPU: ATMEGA32U4 8 bit AVR @ 16MHz
  • RAM: 2.5K
  • ROM: 32K
  • I/O: 25 pins (12 analog, 7 PWM)
  • Comms: SPI, UART, I2C
  • Dimensions: 1.2 inches x 0.7 inches

Notable Features

While not as popular as the better-known Arduino microcontroller, the Teensy is quickly finding a following in the security field thanks to its robust support of the USB HID protocol. Spoofing a USB keyboard on the Arduino takes a combination of hardware, software, and arcane microcontroller knowledge; with the Teensy it is simply a matter of looking at the example source code included in the documentation. This out-of-the-box support for USB HID, combined with the Teensy’s diminutive physical size, makes it the logical choice for building into USB keyboards and mice.

Even though the stock Teensy is capable of spoofing a USB HID device and passing keystrokes to the computer’s operating system, additional hardware can be added to make more advanced attacks possible. With the addition of DIP switches, the Teensy can be configured in the field without needing to connect it to a computer. If an SD card is added, the Teensy gains a USB storage device which can be used to upload or download files to the host computer.

In the most basic terms, the Teensy is only able to send keystrokes blindly to the host operating system in the hope that they are working as expected. If the software or operating system on the host computer is different than what the Teensy was programmed for, the commands being sent may fail or have unexpected results. Without a very good idea of what the software environment is like on the target machine, the effectiveness of a USB HID attack is greatly limited.

Technically, USB HID spoofing attacks are no different than if the attacker themselves sat down at the computer and typed the commands in; however, the Teensy has the advantage of typing faster than any human can and typing without mistakes. It’s also much less suspicious to plug in a device the size of a USB flash drive and walk away than to be seen typing away at a computer.

Conclusion

At only $20, the Teensy is cheap enough that it doesn’t need to be recovered after use, making it ideal for permanently embedding into peripherals. With only a few extra pieces of hardware added, the Teensy can be made into a very formidable USB HID spoofing development platform, perfect for experimenting with more advanced attacks based on source code that has already been made available from existing research.

That said, the logistics of HID spoofing make it largely impractical as a general purpose tool. The programming on the Teensy must closely match the target operating system and software to be effective, and even then, the entire attack assumes that there is no authentication required.

While a successful USB HID attack can be tricky, the potential for damage is quite high. Complex attacks like installing backdoors or copying data off of the target machine can be done in seconds, potentially without the need to install any additional software.

The Security Market’s Biggest Challenge

CRN News

May 28, 2015

By Meghan Ottolini

The biggest challenge facing the security market today may not be outdated servers or public cloud — it just may be end users.

“The biggest problem[s] I see are users. So, you’ve got really, really complicated computer systems. It’s not [their] job to maintain a computer system,” said Alex Jordan, senior scientist at Waltham-Mass.-based Raytheon BBN.

“We need better tools, we need better strategies,” he said.

Rogue Device Spotlight: Rubber Ducky

RISK ASSESSMENT RATING: 6.00

Popularity: 6

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While maybe not well-known in non-security circles, the Rubber Ducky is an InfoSec favorite due to its low price, ease of use, and general quality. The tool is prevalent and accessible enough to qualify as a fairly popular rogue device.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

Between the pre-built nature of the device and the community forums that provide support and tips, the Rubber Ducky qualifies as one of our more n00b-friendly devices. However, this is still a device that doesn’t just plug and go; it does require some knowledge to use and deploy properly.

Impact: 6

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The Rubber Ducky, used by an expert in the right setting, can be extraordinarily detrimental – with data storage capabilities and a sleek outer appearance, it fits right into the standard office setting. More impressively, the tool and community allow even a fairly inexperienced user to cause a dent in an organization’s security. All of that ease of use and professional polish only gets the user as far as USB HID spoofing can get you – which can be very far in poorly segmented “tootsie pop” systems, or when executed on an administrator’s system; or not particularly far when faced with an appropriately secured computer or network.

Rubber Ducky

The techniques and hardware needed to perform USB HID spoofing attacks with hobby-grade microcontrollers have been fairly common knowledge since at least 2010, but the homebrew nature of most of these devices has kept their numbers relatively low. While it doesn’t take much technical knowledge to construct a functional USB HID spoofing device, putting together a polished and reliable tool that doesn’t look suspicious plugged into a computer is another matter entirely.

Seeing the need for a standardized and professional keystroke injection tool, the team at Hak5 came up with the Rubber Ducky: an easily scriptable USB HID spoofing dongle that is externally indistinguishable from a standard USB flash drive. Beyond the hardware itself, Hak5 has also created a community around developing and sharing scripts for the Rubber Ducky; greatly improving its adaptability and likelihood of success when compared to homebuilt devices.

Hardware Highlights:

  • CPU: AT32UC3B1256 32 Bit AVR @ 60MHz
  • I/O: Type A USB, JTAG
  • OS: Open Source, scripts written in Duckyscript
  • Storage: MicroSD
  • Supported OSes: Windows, Linux, Mac OS, Android, iOS

Notable Features:

The most obvious difference between the Rubber Ducky and homebrew solutions is its outward appearance; rather than being a collection of cobbled together circuit boards, the Rubber Ducky looks exactly like a USB flash drive. Plugging it into a computer and leaving it connected looks normal in nearly any setting. The ability to hide in plain sight is a huge advantage for a tool like this, and could easily mean the difference between success and failure for an attacker.

The Rubber Ducky is designed to stay hidden: through the use of composite firmware on the device, it’s possible for it to emulate a USB keyboard while at the same time making its MicroSD card available to the host operating system as a USB storage device. This helps keep the Rubber Ducky hidden: not only does it look like a flash drive, it actually works like one. Equally important, it gives the Rubber Ducky a place to store extracted files on and launch exploits from, opening up numerous possibilities beyond simple keystroke injection.
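The composite keyboard-plus-storage layout described above, like the plain keyboard spoofing described in the Teensy section, is declared by the device itself in its USB configuration descriptor, which is what a defender can inspect. The following is an added example (not Hak5, Pwnie Express or PJRC code) that parses a raw descriptor chain, such as the bytes Linux exposes under /sys/bus/usb/devices/<device>/descriptors, and flags a single device that claims both a boot-protocol keyboard and a mass-storage interface; the sample descriptors, including the vendor and product IDs, are constructed for the example.

```python
import struct

# USB-IF class codes: a boot-protocol keyboard is HID class 0x03, subclass 0x01,
# protocol 0x01; mass storage is class 0x08. Interface descriptors are type 0x04.
HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08
HID_BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x01, 0x01
INTERFACE_DESCRIPTOR = 0x04


def parse_interfaces(descriptors: bytes) -> list[tuple[int, int, int, int]]:
    """Walk a raw descriptor chain and return (number, class, subclass, protocol)
    per interface. Each descriptor starts with bLength/bDescriptorType, so other
    types (device, configuration, HID, endpoint) are skipped by their length."""
    interfaces, i = [], 0
    while i + 2 <= len(descriptors):
        length, dtype = descriptors[i], descriptors[i + 1]
        if length < 2 or i + length > len(descriptors):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == INTERFACE_DESCRIPTOR and length >= 9:
            number, _alt, _endpoints, cls, sub, proto = descriptors[i + 2:i + 8]
            interfaces.append((number, cls, sub, proto))
        i += length
    return interfaces


def classify(descriptors: bytes) -> str:
    """Summarise what one physical device claims to be. A keyboard that also
    exposes mass storage matches the composite layout described above and
    should be checked against the site's keyboard allowlist before it is trusted."""
    ifaces = parse_interfaces(descriptors)
    keyboard = any(c == HID_CLASS and s == HID_BOOT_SUBCLASS and p == KEYBOARD_PROTOCOL
                   for _, c, s, p in ifaces)
    storage = any(c == MASS_STORAGE_CLASS for _, c, _, _ in ifaces)
    if keyboard and storage:
        return "keyboard+storage"
    return "keyboard" if keyboard else "storage" if storage else "other"


# Constructed sample descriptors, not captured from real hardware; the device
# descriptor carries placeholder VID 0x1234 / PID 0x5678.
DEVICE_DESCRIPTOR = bytes.fromhex("120100020000004034127856000101020301")
KEYBOARD_IFACE = bytes.fromhex(
    "090400000103010100"  # interface 0: HID, boot subclass, keyboard protocol
    "092111010001224100"  # HID descriptor, report descriptor length 0x41
    "0705810308000a")     # interrupt IN endpoint 0x81, 8-byte reports, 10 ms
STORAGE_IFACE = bytes.fromhex(
    "090401000208065000"  # interface 1: mass storage, SCSI transparent, bulk-only
    "07058202400000"      # bulk IN endpoint 0x82
    "07050202400000")     # bulk OUT endpoint 0x02


def build_sample(*interface_blocks: bytes) -> bytes:
    """Device descriptor + configuration descriptor (matching wTotalLength and
    bNumInterfaces) + the given interface blocks, as sysfs would expose them."""
    body = b"".join(interface_blocks)
    config = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body),
                         len(interface_blocks), 1, 0, 0x80, 50)
    return DEVICE_DESCRIPTOR + config + body
```

On a live host the same `classify` call can be fed the contents of each `descriptors` file under `/sys/bus/usb/devices/` to audit what is currently plugged in.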

Programming the Rubber Ducky is made exceptionally easy through the use of “Duckyscript”: a simplistic scripting language not unlike Windows “Batch” files. With Duckyscript, the user only needs to know a handful of plain-English commands to program the hardware; a big improvement over the type of low-level programming necessary to inject keystrokes with a bare microcontroller. Not that any programming is actually required to use the Rubber Ducky: there’s a web-based “Duck Toolkit” which will let users generate a Duckyscript file based on their selected presets, and even a forum and Wiki dedicated to collecting community created scripts.

Conclusion

Compared to the microcontroller-based, homebrew keystroke injectors that came before it, the Hak5 Rubber Ducky is an exceptionally polished device. From the build quality to the software environment and community, the Rubber Ducky takes the best parts of the independent projects that came before it and turns them into a cohesive final product. The importance of a standardized hardware and software platform for keystroke injection experimentation and research can’t be overstated and, at under $50, Hak5 has made entry into the field very affordable.

But for all its advanced features and polish, the Rubber Ducky still can’t escape the reality of keystroke injection. Authentication on the target machine will stop the Rubber Ducky in its tracks, and even a single unexpected dialogue popping up can completely derail the attack. So while it may be a well designed and supported product, its real-world effectiveness is still very much up for debate.

12 Cybersecurity Startups in Boston

Beta Boston

May 15, 2015

By Kyle Alspach

Rapid7 just expanded into a larger office in Boston while Veracode and Bit9 are eyeing IPOs for coming years. But those aren’t the only cybersecurity firms in the Boston area with a big opportunity ahead. At the earlier stage, the area has a growing cluster of security companies looking to protect against increasingly sophisticated attackers.

Among them is Threat Stack, which just announced a $2.7 million new funding round.

Here are a dozen of the local cybersecurity companies we’re watching.

Name            Location      Focus
BitSight        Cambridge     cybersecurity ratings
CloudLock       Waltham       cloud data
Co3 Systems     Cambridge     security response management
Confer          Waltham       intelligence collection and sharing
Conjur          Cambridge     cloud security
Content Raven   Marlborough   secure document sharing
CounterTack     Waltham       cyber threat detection
Cybereason      Cambridge     tracking actions of possible attackers
ITADSecurity    Natick        tracking physical hard drives
Pwnie Express   Boston        penetration testing
Threat Stack    Cambridge     cloud security
WireOver        Cambridge     secure file sending

BYOD and Shadow IT – An Overview

BYOD is a reality for almost all organizations

With 74% of companies using or adopting BYOD policies, the future is here – whether IT and security departments like it or not. Organizational networks are now at the mercy of devices, both authorized and unauthorized, that are brought into the organization. Hardware prices are going down and with the expectation of constant connectivity, many employees consider it necessary to bring their “gear” with them to work. These devices can include everything from cellphones to tablets to computers, and they all present a real potential threat to your network security.

Some Organizations Have Tackled It…

There are three obvious solutions to tackling the issue of BYOD: accept unmitigated BYOD, regulate BYOD, or ban BYOD. Of those three, most would agree that the first option is simply not viable within most secure organizations. IT and security teams need to know what is actually on the network.

…Some Have Given Up

While it may be tempting to simply ban all outside devices, this is also not a viable option for most organizations. Many employees will circumvent the new policy in order to keep their connectivity to the outside world or more efficiently complete tasks. While there are some who would argue that Shadow IT is no longer the threat it once was, this increasingly applies to non-organizational software solutions, not to the physical hardware being brought into offices.

You’ve accepted that BYOD is going to happen – now what?

There is an art to tackling the realities of having a BYOD policy that enables employees to work as efficiently as possible without sacrificing the security of having complete control of all IT. This process is a combination of policy, technological solutions, and psychological understanding of the situation. With all of these solutions, however, visibility and validation are key. While having a robust BYOD policy might be great on paper, the reality is that employees can and will often bypass your policy, sometimes by accident and sometimes on purpose. Without a combination of visibility and open channels of communication, no BYOD policy by itself will be able to satisfy the IT needs of the company while keeping your sensitive networks secure.

Further Resources

We like to share resources on important security topics within Pwnie Express. Below are a few resources on the topics of BYOD and hardware Shadow IT:

BYOD

Dark Reading: The Good and Bad of BYOD

CIO Insight: 10 Best Practices for BYOD

devops.com: Dev and Ops Coming Together to Combat the Weakest Security Link – BYOD

CMO: Think Apple before your network becomes a lemon

Wired: Companies Weigh BYOD vs. COPE, but What Really Protects Data?

ZDNet: 74 percent using or adopting BYOD

NoJitter: IT Security Can Be So Inconvenient…

Shadow IT

Washington Post: Small business advice: What You need to know about Shadow IT

Tech Target: Shadow Technology: Four Ways to reduce its use, minimize its impact

CSO Unplugged: The Rise of Shadow IT – Should CIOs Take Umbrage?

Information Week: IoT and the Looming Mobile Tidal Wave

Institute of Information Management: A View from Behind the Curtain

Defeating BYOD Threats

MIT Enterprise Forum Cambridge

May 11, 2015

By Randall Cronk

Pwnie Express is a startup with a unique idea for how organizations should protect themselves against threats posed by people bringing their own unsecured devices to work. Rather than try to control these devices and their security settings, Pwnie Express has devised a simple but effective way to make these devices — and their security state — visible to management so further action can be taken if needed. Here CEO Paul Paget explains how it all works and how the idea evolved.
