Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

[Wolfgang S. Rupprecht]

"George N. White III"  writes:
> I assume the OP's intent was for the system to ignore devices newly
> connected when the screen is locked, so existing devices such as the
> keyboard used to unlock the screen remain available for use. Apple
> systems do something like this.  If you connect a USB storage device
> to a macOS box while the screen is locked, nothing happens. After the
> screen is unlocked, the device must be unplugged and plugged in again
> before it can be used. You can, however, connect a USB mouse or
> keyboard to a macOS system that is locked and use the new USB device
> to unlock the system.

Delaying the discovery seems superior in another way too.

Whitelisting certain classes of devices has another security problem.
If usb keyboards are whitelisted (as they probably will need to be if
the person uses a dock for their laptop) then someone could connect a
small computer that imitates a keyboard.  That phony usb keyboard can
hammer the victim computer with rapid-fire password guesses.  It makes
breaking the lockscreen a lot less painful than the alternative of
typing a large number of password guesses.

-wolfgang
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

[George N. White III]

On Tue, Nov 22, 2016 at 12:08 PM, Kevin Fenzi  wrote:

> On Tue, 22 Nov 2016 13:00:19 +0100
> Jeandet Alexis  wrote:
>
> > Le mardi 22 novembre 2016 à 10:43 +, jharb...@comcast.net a
> > écrit :
> > > I have opened a bug, 1396837, in the Red Hat Bugzilla.
> > > My suggestion is for all USB port to not enumerate any devices
> > > plugged in while the screen is locked, even if it is password
> > > protected.  I feel that the integrity of Linux has to be defended
> > > against this hybrid attack.
> > What about Yubikey and equivalents?
>
> You might want to take a look at the 'usbguard' package.
>
> I don't think everyone is likely to be happy to disable usb when
> screens are locked, as there's a number of cases of things people might
> want to keep going in that case.
>


I assume the OP's intent was for the system to ignore devices newly
connected
when the screen is locked, so existing devices such as the keyboard used to
unlock the screen remain available for use.   Apple systems do something
like this.
If you connect a USB storage device to a macOS box while the screen is
locked,
nothing happens.  After the  screen is unlocked, the device must be
unplugged
and plugged in again before it can be used.   You can, however, connect a
USB mouse or keyboard to a macOS system that is locked and use the new USB
device to unlock the system.


There is value to an approach that everyone can use with minimal
effort/disruption
even if it is only partly effective.



> However, if you use usbguard you can just allow those specific devices
> you want to have access.
>

Usbguard also supports policies of the form "only one keyboard can be
connected
to a system" and "storage devices can't also claim to be keyboards".



-- 
George N. White III 
Head of St. Margarets Bay, Nova Scotia
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

[Kevin Fenzi]

On Tue, 22 Nov 2016 13:00:19 +0100
Jeandet Alexis  wrote:

> Le mardi 22 novembre 2016 à 10:43 +, jharb...@comcast.net a
> écrit :
> > I have opened a bug, 1396837, in the Red Hat Bugzilla.
> > My suggestion is for all USB port to not enumerate any devices
> > plugged in while the screen is locked, even if it is password
> > protected.  I feel that the integrity of Linux has to be defended
> > against this hybrid attack.  
> What about Yubikey and equivalents?

You might want to take a look at the 'usbguard' package. 

I don't think everyone is likely to be happy to disable usb when
screens are locked, as there's a number of cases of things people might
want to keep going in that case.

However, if you use usbguard you can just allow those specific devices
you want to have access. 

kevin


pgpnrDIwozvhg.pgp
Description: OpenPGP digital signature
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

[Jeandet Alexis]

Le mardi 22 novembre 2016 à 10:43 +, jharb...@comcast.net a écrit :
> I have opened a bug, 1396837, in the Red Hat Bugzilla.
> My suggestion is for all USB port to not enumerate any devices
> plugged in while the screen is locked, even if it is password
> protected.  I feel that the integrity of Linux has to be defended
> against this hybrid attack.
What about Yubikey and equivalents?
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

[jharbold]

I have opened a bug, 1396837, in the Red Hat Bugzilla.
My suggestion is for all USB port to not enumerate any devices plugged in while 
the screen is locked, even if it is password protected.  I feel that the 
integrity of Linux has to be defended against this hybrid attack.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Meet PoisonTap, the $5 tool that ransacks password-protected computers

[Neal Becker]

http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

wonder if fedora/linux is vulnerable?
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org