Thursday, January 27, 2022

BadUSB, or There and Back Again

In that often misunderstood time between mullets and the switch to laptops without normal USB ports (I am looking at you, Apple), a traditional part of an on-premises pentesting was to grab all those USB drives you got from those many conferences you attended, wipe them to remove the informercials, white papers, and and other cruft, put a little script that would be called when the drive was automounted in a Windows or Mac (primarily Windows because it was easier), and then drop them on the parking lot of the company you are doing your engagement on.

The script was pretty simple: when run it would collect the IP, some computer info, and username. And then it would send that info to a collecting site (cannot call it C&C because it is not doing that much work), which would then parse all the info in a nice spreadsheet which you would then bring to your meeting with your customer as the list of users that may need some security retraining. After all, if a pentester can do that, so can a malicious attacker (are there non-malicious attackers?). It is a nice way to deploy a virus, or a program to help the attacker to get a foothold in the system.

Those were simpler times.

Talks were given and dongles were created to avert such an attack because, well, it was easier to buy them than asking IT department to push a group policy to disable automount. Or telling users not to mount any USB device they find on their computers.

But, we are talking about BadUSB! Yes, and it was first mentioned in 2014. The short version is that thanks to the typical development methodologies similar to those used in IoT development, namely get a product out there as quickly and cheaply as possiblw with complete disregard to supply chain security or security testing in general, a lot of USB devices are built on controllers which can be reprogrammed in the field. And reprogrammed they are, this time carrying malicious payloads like programs to spy on the user or get a foothold on the system.

Sounds familiar? I think so. Adding your code to the USB device's hardware to it is but an evolution of the principle of having code in a USB drive that is run when it automounts.

Fast forward almost a decade and we begin the year with the FBI sending warnings about this new attack vector called BadUSB that groups like FIN7 created to deploy ransomware even though they have been doing that for many years now.

There is no one-size-fits-all technical solution for BadUSB, not that have stopped vendors peddling software to address it. We will go over detailed a plan of action to minimize the effectiveness in a future article, but it sufices to say the old adage of "select your partners and wear protection" still applies. Also, end users are one of the most important lines of defense in the security domain. Work with them, empower them to understand and make the call; it can work if you do it right. Make the presentation enjoyable and memorable. I mean, if I could make that work at a medical institution to the point our box of found USB drives had to be replaced with a bucket, so can you.

Monday, January 17, 2022

Proper tab isolation in Firefox (a request for support)

There are a few things I seek on a web browser:

  • Platform independent. While most of my work is done in Linux, I like to have the same experience in OSX, Windows, and even (somewhat) smart phones. This is also important when i recommend a browser to someone.
  • not spying on me. Problem is, most of them do, but that is a topic for another article.
  • Good privacy and security settings.

I am not particularly religious about browsers; I have used Firefox, Chrome, Safari, That Microsoft One, Brave, Opera, and a few others I can't remember the name (short of the screen capture and the crowdcity link, I am trying to type this in one sitting). I think each of them have good and bad features. Let me talk about my favourite feature in Safari; to do so I need a screen capture:

It shows the browser in incognito/secure/secret/sneaky/something mode (pick your term, collect them all). It has 3 tabs right now. The 2nd and the 3rd tabs are connected to two distinct gmail accounts: one with a ton of emails (someone needs to do some cleaning) and one which is not as popular as the first. The third one was me helping someone create a gmail account but I decided to take the screenshot before going any further. Note there are possible 3 gmail sessions using 3 different accounts in 3 different tabs in the same browser. Take your time to process that.

I will wait.

FYI, I normally would use that with slack: at time I have 5 to 6 open slack sessions -- maybe work, vendor, project I am working on (like the conference mentioned in an earlier article), and so on -- using different accounts. Or two different AWS accounts (think developer and test user). And all of that in the same browser at the same time. And they are all happy.

Now, I use Firefox a lot because it is portable and it (and its derived browsers) can be rather privacy-conscious:

There are many features it has, but this kind of tab separation it does not. They have something called containers which (1) only work in normal (not incognito mode) and (2) do not offer the feature Safari does. So this leads into...

And now my shameless request

The Mozilla people has a website where you can ask for features. People post them and they get voted on by viewers like you, thank you. Guess what I requested? Right you are: tabs that are fully isolated so you can run the same program logged in as different users without conflict. If you want to help make this happen, do create an account and vote for it. The link to my request is

Container tabs should work in private/incognito mode


20220212 Update

They are canning the site with where you submitted ideas and requests for Mozilla:

It is being replaced with a new one, but the old stuff is not being transfered. So, thanks for everyone who voted even though it no longer counts.

Saturday, January 8, 2022

Thoughts on taking the CISSP exam

There are a lot of sites, articles, and videos with lots of useful and helpful information on how to prepare for the CISSP exam, including why you should (or not) consider getting this certification to begin with.

This is not one of them.

Everyone has a study strategy -- watching videos, reading books, taking a live/online class -- so I will not comment on that. What I did after is where I want to focus on, namely taking practice exams. Short version is learn from my mistakes. Long version is that there are

  • Known knowns: what you already know from your experience and previous study.
  • Known unknowns: what you know that may be in the exam but you have never studied or dealt with. For many, that would be binary math and cryptography.
  • Unknown unknowns: what may be in the exam and you have no idea it even exists to begin with.

What you know, you know so no need to spend much time on that besides refreshing. What you know you do not know, you can study/practice/figure some way to learn. But, if you do not know that you do not know something that may be in the exam, it will bite you. You need to convert the unknown unknowns into known unknowns so you can work with them. To find them, focus on those practice tests at least for the last two weeks before the exam. You are using these exams to probe were you need to work on. Examine the results and explanations associated with the questions you did get wrong. In my case, they could be grouped as:

  1. Rushing to read and missing a keyword. Read the entire question and all the answers. I know that sometimes the question starts with 5 sentences of story time before getting to the point, but take your time to read it all. Then read it again to identify the key points in both question and answers. Slow is fast, fast is slow. But, there is too slow; don't be James May.
  2. Choosing an answer, second guessing, and then finding out the original answer was right. This is specially true for those questions you are not really 100% sure of the answer, and was how I missed most of the practice questions by far. Train and trust your gut.
  3. Not eliminating the answers you know for sure are not right. As mentioned above, you will face questions that you are not sure of the right answer for some reason, like some encryption detail, but you may be able to deduce it. To do that, remember a Sherlock Holmes quote, "once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." First thing you need to do then is get rid of all the answers that could not possibly be true. Sometimes that will leave you with two answers, which means you have increased your chances of getting the right answer from 1 in 4 to 1 in 2 (it might be even better depening on how you want to calculate it).
    NOTE: this may not work with questions you need to select 4+ answers from a list. In one of the practice questions I took, it turned out I needed to select all of them. I read the explanation, try to understand the thought process, and then add to my study notes.
  4. Trying to solve it as an engineer instead of as manager. This is reference to the famous "think as a manager" quote associated with this exam. Technical me may want to write my own solution while managerial me would refer to policy, buy a tool, or contract someone. If both technical and managerial questions are listed, pick the later for this exam.
  5. (last but not least) you may be missing some knowledge. When I find those, I look at the explanation, add what I think will help me to my notes, and then check for futher info (in a book or online).

Full Disclosure: Items 1-4 were where I needed to work on.