Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:15 PM
George V. Hulme
George V. Hulme

USB & Firewall System Attacks Surface: Disable Your External Media Ports

It appears as though, more than ever before, if you lose physical sight, and especially control, of your notebook, your data could be hosed. This is even more so now that tools that attack disk-based crypto are surfacing at an alarming rate.

It appears as though, more than ever before, if you lose physical sight, and especially control, of your notebook, your data could be hosed. This is even more so now that tools that attack disk-based crypto are surfacing at an alarming rate.It hasn't been too long since we covered the so-called "cold boot" attacks outlined by several security researchers. The paper, available here, details how encryption keys can be snatched from RAM.

A couple of days ago a researcher released a tool, msramdmp, which is available here, and details how to grab data from RAM.

Today, Kelly Jackson Higgins details, on our sister site, DarkReading, in this story, about additional tools coming to the fore that make it possible for attackers to use Firewire drives to commandeer locked Windows systems.

From the story:

"That Firewire port is, as designed, literally there to let you plug things into your laptop memory banks," says Thomas Ptacek, principal with Matasano Security. "When you think of Firewire, you really should just think of a cable coming directly out of your system's DRAM banks. That's basically all Firewire is."

Ptacek says this tool raises the bar in physical hacking. "People think about physical hacking as something you have to do with a screwdriver and 20 minutes, under cover of darkness. Attacks like Adam's can be done in the time it takes you to pick up a sheet of paper off the office printer," he says.

In the story, Ptacek advises users that the best defense is to disable their Firewire ports. That may be good advice for enterprises with lots of sensitive data on notebooks. It's probably not practical for anyone doing video editing, or managing large graphic files. And while it's not a perfect solution, it's better than nothing. So it's probably a good time for larger enterprises to evaluate whether or not external ports should be disabled, especially for execs and others carrying sensitive information.

The best defense, obviously, is not to lose sight of notebooks. It's also probably time to start calling full disk encryption vendors and ask how they're mitigating the risk to these attacks.

But I wouldn't expect much, as Thomas Claburn reminds us, in this story, of one of Microsoft's 10 Immutable Laws of Security:

"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-04
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by...
PUBLISHED: 2020-12-03
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
PUBLISHED: 2020-12-03
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
PUBLISHED: 2020-12-03
An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.