Hello, Following Badusb, the code release (https://github.com/adamcaudill/Psychson) and other older stuff, I'm asking myself if it's not an opportunity to integrate more control on usb in tails as an example for other other distributions
Badusb is not fully new as many attacks show that USB was lacking security http://theinvisiblethings.blogspot.ca/2011/06/usb-security-challenges.html http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/ https://srlabs.de/badusb/ http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/ Some ways to control it better http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg01-usb-write-blocking-with-usbproxy-dominic-spill Lock USB when screensaver is active http://www.openwall.com/lists/oss-security/2014/08/08/30 echo "0" > /sys/module/usbcore/parameters/authorized_default either with logind or dbus-monitor No automount (already the case?) except for a defined whitelist that user can easily extend/import/export something to prevent rubber ducky http://www.usbrubberducky.com https://hakshop.myshopify.com/collections/usb-rubber-ducky By default, mount usb storage as ro,noexec,nodev,nosuid unless defined specific in whitelist. Possible with udev but depends on the rest of the environment, sometimes not playing will if udev, udisk, u* Those control should apply to all usb devices as not only storage can be used by malware For now, it only seems QuubeOS going in the direction of more control ( http://theinvisiblethings.blogspot.ca/2014/08/qubes-os-r2-rc2-debian-template-ssled.html ) Comments? Cheers, J
_______________________________________________ tails-support mailing list [email protected] https://mailman.boum.org/listinfo/tails-support To unsubscribe from this list, send an empty email to [email protected].
