Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device.This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break in to an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.

Conclusion

I bet you think twice about leaving your laptop unattended. Remember to…

  • RUN YOUR OPERATING SYSTEM UPDATES!!!!!
  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything

 

Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack dyn.com, a provider of name services. The domain name service (DNS) is the network protocol that converts something memorable (like http://www.amazon.com) into the IP address you browser needs (54.239.26.128) in order to connect to the remote server hosting the web page you want to visit. dyn.com is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including twitter and spotify use dyn.com services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at dyn.com, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.

July 2016 updates from Apple

Apple has recently released updates to many of its products. These updates address problems that are believed to be remotely exploitable, so it’s time to run updates on your Macs, iPhones, iPads, and everything else with an Apple logo. Here are the security bulletins for OS X and iOS, but there are also updates for iTunes, Safari, Apple watch, and others.