Security Saturday!
Today I was reminded of the importance of physical security. We went out mountainbiking and a buddy of mine managed to slice half his ear on a tree in the first three minutes. I spent some time with him at the emergency treatment at the hospital (for which they now wanted you to call and make an appointment).
It reminded me that many digital security measures are actually feeble when confronted with physical attacks.
So today let us look at a very fun physical attack tool, the Rubber Ducky.
What the Quack?
Yeah, a rubber ducky ( https://shop.hak5.org/products/usb-rubber-ducky-deluxe ). The name has been chosen because of the involvement of a rubber ducky in the original development process (it has since been made an optional part instead). The rubber ducky is a USB device that presents itself to the computer as a keyboard, and it was originally made to quickly execute actions on multiple computers in succession. For example, if a system administrator needs to manually update 30 laptops, he would program the right key combination into the ducky, and then insert the ducky into every laptop one by one.
What happens is that the ducky can type at whatever speed the USB interface accepts input, which is many times faster than any human can type. This makes the entire process pretty efficient, since you only need to type the commands once (into the ducky). Executing them on the 30-something target laptops is a matter of milliseconds per computer, as far as the execution itself goes.
Now this tool can be used maliciously. Every computer trusts whoever is typing at its keyboard. However, nobody trusts the new guy when he spends minutes typing at the CEO's computer, trying desperately to add a new user account to later log in remotely to the CEO's computer.
But if the new guy just drops off some documents at the CEO's office, nobody would suspect that he also inserted a rubber ducky with a pre-tested and verified keyboard input that will also add a new account that can be used to later log into that same laptop remotely. To the ducky, this is a matter of milliseconds. To the new guy, it is less time looking like the suspicious new guy, and more time remoting into the CEO's laptop. Fun times for everyone!
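The defensive flip side of the "types faster than any human" property is that injected keystrokes are easy to tell apart from real typing if you look at their timing. The following is an added example, not part of the original post or of any Hak5 product: it takes a stream of (timestamp, key) events, as a keyboard hook or logger would hand them over, and flags runs of keystrokes that arrive faster than a person can plausibly type. All event data, the 20 ms threshold and the 8-key minimum run length are constructed assumptions for the illustration.

```python
# Added example (not from the post): spotting keystroke bursts that arrive
# faster than a human can type, the property the post describes for the
# rubber ducky. All event streams below are constructed for illustration.
from typing import List, Tuple

KeyEvent = Tuple[float, str]  # (timestamp in milliseconds, key label)


def make_events(keys: str, start_ms: float, interval_ms: float) -> List[KeyEvent]:
    """Build a constructed key-event stream with a fixed inter-key interval."""
    return [(start_ms + i * interval_ms, k) for i, k in enumerate(keys)]


# Constructed: a person typing at roughly 120 ms per key.
HUMAN_EVENTS = make_events("hello world", 0.0, 120.0)
# Constructed: an emulated keyboard delivering a line at about 4 ms per key.
INJECTED_EVENTS = make_events("echo injected", 5000.0, 4.0)
# Constructed: normal typing with an injected burst in the middle.
MIXED_EVENTS = (
    HUMAN_EVENTS
    + make_events("echo injected", 2000.0, 4.0)
    + make_events("bye", 9000.0, 150.0)
)


def find_bursts(events: List[KeyEvent], max_interval_ms: float = 20.0,
                min_keys: int = 8) -> List[Tuple[int, int]]:
    """Return (start_idx, end_idx) spans of at least `min_keys` consecutive
    keystrokes where each one arrived within `max_interval_ms` of the previous.

    A minimum run length is required because a human can produce two or three
    near-simultaneous keys (key rollover), but not a dozen in a row.
    """
    bursts: List[Tuple[int, int]] = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # The run continues while the next key follows quickly enough.
        continues = (i < len(events)
                     and events[i][0] - events[i - 1][0] <= max_interval_ms)
        if not continues:
            if i - run_start >= min_keys:
                bursts.append((run_start, i - 1))
            run_start = i
    return bursts


def typed_text(events: List[KeyEvent], burst: Tuple[int, int]) -> str:
    """Reconstruct what a flagged burst typed, for the incident record."""
    start, end = burst
    return "".join(key for _, key in events[start:end + 1])


def is_injected(events: List[KeyEvent]) -> bool:
    """True if the stream contains at least one machine-speed burst."""
    return bool(find_bursts(events))


if __name__ == "__main__":
    for name, stream in (("human", HUMAN_EVENTS),
                         ("injected", INJECTED_EVENTS),
                         ("mixed", MIXED_EVENTS)):
        for burst in find_bursts(stream):
            print(f"{name}: burst at keys {burst} typed {typed_text(stream, burst)!r}")
```

In practice the interesting knob is `max_interval_ms`: a keyboard emulator with no added delays sits well under 10 ms per key, while even very fast typists stay above 40 ms, so a 20 ms cutoff with an 8-key minimum run leaves a comfortable margin on both sides. The same timing check is also what makes a simple "throttle or block a new keyboard until it types at human speed" policy workable.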
Why do I tell you this?
No reason, I was just reminded that (especially the more academic) people tend to forget that the physical attack is timeless, ruthless, and sometimes even pretty elegant. It is not for nothing that we have such a majestic romanticized image of Ninjas, whose best weapon was their stealth.
Stay safe out there!
There is so much more to this one chapter, but it is so good already!
I had to cut it short because guests arrived, but this should get you started on your own study :)
@calvinrempel Thank you once again for the Theology Tuesday you did, I refer back to it in this one :)
@JamesDerian Congratulations on your marriage :)
Next time there might (almost certainly) not be a Theology Tuesday, so the official next one will be February 22nd! I have a marriage to attend. As the groom. Our home is still half a project.
Fun times!
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees; a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also about malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much but let's keep youtube links with risque thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" might someone ask. Yes, there is some music I choose not to listen on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "digital security". In essence we mean to say that the hardware and software we use stays safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol - see Proverbs and the letters to Timothy - although I did not use red wine. But hey, I am still on top of ...