Let the bad guys spend their money and spin their wheels.

As hackers get smarter, so must we. A locked screen no longer secures a PC, but there are still simple measures to secure it.

Don’t leave your unattended workstation logged in, especially overnight, even if you lock the screen.

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it is no longer good enough, researchers have found recently. There is new evidence that attackers can use some USB-to-Ethernet adapters to steal credentials from locked Windows computers.

Industry experts found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks. These attacks can be pulled off with cheap devices, like the Hak5 LAN Turtle, which costs $50.

The USB device can be configured to masquerade as a USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This is not difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state, and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

This particular vulnerability is only exposed when a PC is using a wireless connection.

Additionally, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server.

Once an attacker controls a target computer’s network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. The hacker essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer’s network traffic.

According to experts, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 15 seconds.

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user’s plaintext password.
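A detection to go with the description above, as an added example that is not part of the original article: it flags a network adapter that Windows recognizes while the workstation is locked, by pairing Security log events 4800/4801 (workstation locked/unlocked) with 6416 (new external device recognized). The event records are constructed and use a simplified, hypothetical dictionary layout; Windows only logs these events when the "Other Logon/Logoff Events" and "PNP Activity" audit subcategories are enabled.

```python
from datetime import datetime

LOCK, UNLOCK, NEW_DEVICE = 4800, 4801, 6416  # Windows Security log event IDs
NET_CLASS = "net"                            # device setup class of network adapters

# Constructed sample events (not from a real host), reduced to the fields used here.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T17:58:10", "id": 6416, "class": "Net", "device": "Dock Ethernet Adapter"},
    {"time": "2024-05-01T18:02:00", "id": 4800},
    {"time": "2024-05-01T23:41:07", "id": 6416, "class": "Net", "device": "USB Ethernet Adapter"},
    {"time": "2024-05-01T23:41:30", "id": 6416, "class": "Keyboard", "device": "HID Keyboard Device"},
    {"time": "2024-05-02T08:15:44", "id": 4801},
    {"time": "2024-05-02T09:00:12", "id": 6416, "class": "Net", "device": "USB GbE Adapter"},
]


def adapters_added_while_locked(events):
    """Return one alert per network adapter recognized between a lock and the next unlock."""
    alerts = []
    locked_since = None  # timestamp of the lock event while the session is locked
    # Sort by time so the lock/unlock state is tracked correctly on unordered exports.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["id"] == LOCK:
            locked_since = ev["time"]
        elif ev["id"] == UNLOCK:
            locked_since = None
        elif (ev["id"] == NEW_DEVICE and locked_since is not None
              and ev.get("class", "").lower() == NET_CLASS):
            alerts.append({
                "time": ev["time"],
                "device": ev["device"],
                "locked_since": locked_since,
            })
    return alerts


if __name__ == "__main__":
    for a in adapters_added_while_locked(SAMPLE_EVENTS):
        print(f"ALERT {a['time']}: network adapter '{a['device']}' "
              f"added while locked (since {a['locked_since']})")
```

Adapters plugged in before the lock or after the unlock, and non-network devices added during the lock, are not reported.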

Was all that pretty high-tech, involved, and even confusing? This is a high-stakes business. Investments in research and development of hacking schemes and equipment pay off. Money and time are invested and risks are taken to illegally obtain personal credentials and passwords. That should be their loss, not yours! Fortunately, despite all they have put into this clever trick, preventing this vector from stealing your personal information won’t cost you a penny or even cost you much time. You are aware, and that is the first step.

  • When you leave your computer unattended, log out. SAFE
  • Stay hard-wired, not wireless, when conducting work or using personal credentials. SAFE
  • Secure the physical environment of your workstation. SAFE

Let the bad guys spend their money and spin their wheels. As long as you are aware and prepared, they lose, not you.