Human Interface Device Attacks

Try as you might to keep malicious code off your network, one way of bypassing a lot of security measures is for an attacker to gain physical access to a device.  One interesting way an attacker may try to compromise a system is to insert a pre-programmed USB stick that is read as a HID (Human Interface Device - like a keyboard).  It's not actually a keyboard though.  It looks like a thumb-drive, but it's programmed to enter a pre-set string of keyboard commands.  In about 9 or 10 simple lines of code, it can act just like a human typing on a keyboard who is opening up a program, writing a script, saving it, and running it.  The executable that is created can then do whatever the code was designed to cause.  In this example (this is a bit old but still very relevant), the code creates a reverse shell that reaches out to another computer that has been set up elsewhere to receive the connection.  All that needed to happen to get the hacker into the box was about 20 seconds of unattended access to a workstation.
 

 
Most antivirus software will not protect you against this kind of an attack (Webroot will though, and more about that below).  All of the actions this device causes look like they came from a user.  You even get the UAC prompt, and it clicks "Yes" on it.  Some variants of this attack might not even need to compile an executable.  With sufficient command line functions, it could be possible to gain access to a system without running a new executable.  Or it could potentially take advantage of remote access capabilities already installed on the system.
 
So what protects against this kind of attack?
 
There are, of course, the more obvious things.  Don't leave your computer unattended and logged in.  Don't plug in devices from strangers.  And keep the PC itself away from potential threats.  That means if it's a POS device, lock it in a cabinet and don't expose the USB ports.  Or, at least lock down the USB ports with physical USB port locks.
 
But what do you do if you have devices you can't lock the ports on?  What do you do if you have a policy that allows your employees to take a device home?  What if you are expected to allow your workers to use foreign USB devices? 
 
For antivirus software, age heuristics (like those found in Webroot SecureAnywhere Business Endpoint Protection) can be handy if it's an attack that utilizes creation of an executable file.  If it's a brand new, unique file that's never been seen before, as would likely be the case in kind of attack, setting the age heuristics to a high setting would flag such a file as a threat by default just by virtue of being new and unseen.  That's one way to go about it.
 
Another way to go about it is to prevent outbound connections on your network to sites and IP addresses that are not on a whitelist.  This is a great way to shield yourself against this type of attack.  Webroot Web Security Service has a feature like this in which you can configure it to allow internet access only to a pre-defined list of connections that you control.  So while you retain unfettered access to company-related websites and any other sites you see fit, you don't allow access to unfamiliar sites/addresses.  That means if this attack launches on one of your workstations, whether it's the kind that builds an executable or not, the attempt to reach out to the receiving computer fails.  The file runs, but it can't actually do anything to let a hacker into your box.  Plus, you get alerted that your box attempted to reach out to a foreign IP address, allowing you to follow up on what happened.
 
The best approach is a dual-layered one that utilizes both an antivirus solution to detect executable threats and a web security system to prevent unwanted outbound connections.  Webroot offers both solutions.  If you're rightly concerned about this type of attack, and your existing protection can't do what Webroot can do, grab a free trial of Webroot SecureAnywhere Business Endpoint Protection and Webroot Web Security Service and see what Webroot can do for you.