The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Meet PoisonTap, the $5 tool that ransacks password-protected computers | Ars Technica

Posted by jpluimers on 2016/11/23

Too bad Ars Technica redirects https to http while preaching that everyone should use https.

Anyway: OS device driver install and network configuration should probably be less automatic than it is now.

All the more reason to go fully https (hello LetsEncrypt, goodbye Embarcadero).

A video showing how it works is below.

The clever device emulates a USB Ethernet adapter (which virtually every operating system has default drivers for), then fakes being 1.0.0.1 and hands out the DHCP address 1.0.0.10 with a netmask of 128.0.0.1, thereby routing almost all network traffic over it.

It makes a tiny piece of the internet unreachable (like 1.0.0.1 itself, in Brisbane, Australia).

More details on how it works at [WayBack] Samy Kamkar: PoisonTap – exploiting locked computers over USB.

Let's not leave this out:

Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

  • Use HTTPS exclusively, at the very least for authentication and authenticated content
    • Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
  • Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
  • When loading remote JavaScript resources, use the Subresource Integrity script tag attribute
  • Use HSTS to prevent HTTPS downgrade attacks

Desktop Security

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB ports is also effective, though also impractical
  • Locking your computer has no effect, as the network and USB stacks operate while the machine is locked. However, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues, as your browser will no longer make requests, even if woken up
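To turn the server-side list above into something checkable, here is an added example (my own, not from Samy Kamkar's PoisonTap page or code) that audits a raw HTTP response for the HTTP-to-HTTPS redirect, HSTS and Secure-cookie items; SRI lives in the HTML rather than the headers, so it is not covered. The responses and the one-year HSTS threshold are constructed assumptions.

```python
from email.parser import Parser

# Constructed sample responses (status line + headers); not captured from any real site.
HTTP_NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_WEAK = ("HTTP/1.1 200 OK\r\n"
              "Set-Cookie: session=abc123; Path=/\r\n\r\n")
HTTPS_HARDENED = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

ONE_YEAR = 31536000  # HSTS max-age floor used here (assumption: tune to your policy)


def parse_response(raw: str):
    """Split a raw response into (status code, parsed header Message)."""
    status_line, _, header_block = raw.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block)


def audit(raw: str, over_https: bool) -> list:
    """Return findings for one response; an empty list means every check passed."""
    status, headers = parse_response(raw)
    findings = []
    if not over_https:
        # A plain-HTTP response must only redirect to the HTTPS origin, never serve content.
        location = headers.get("Location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("http-not-redirected-to-https")
        return findings
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing-hsts")
    else:
        directives = dict(d.strip().lower().partition("=")[::2] for d in hsts.split(";"))
        if int(directives.get("max-age", "0") or 0) < ONE_YEAR:
            findings.append("hsts-max-age-too-short")
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:  # without Secure the cookie leaks on the first HTTP request
            findings.append(f"cookie-without-secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-without-httponly:{name}")
    return findings


if __name__ == "__main__":
    for label, raw, tls in [("http", HTTP_NO_REDIRECT, False), ("http", HTTP_REDIRECT, False),
                            ("https", HTTPS_WEAK, True), ("https", HTTPS_HARDENED, True)]:
        print(label, audit(raw, tls) or "ok")
```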

–jeroen

via Joe C. Hecht – Google+
