Backtrack 5 to be released next Week and Xoom Backtrack 5 Coming Soon?

Pentesters rejoice, just one more week until Backtrack 5 will be released!

May 10th, 2011

According to the Backtrack Website:

BackTrack 5 will be based on Ubuntu Lucid (10.04 LTS), and will (finally) support both 32 bit and 64 bit architectures. We will be officially supporting KDE 4, Gnome and Fluxbox while providing users streamlined ISO downloads of each Desktop Environment (DE). Tool integration from our repositories will be seamless with all our supported DE’s, including the specific DE menu structure.

The full source code will be included also with this release, which is something new.

Also, the guys at Offensive Security have been working on getting Backtrack 5 running on a Motorola Xoom:

And it sounds like if they do not have an Android/ ARM hardware version of Backtrack 5 available on May 10th, it could be soon thereafter. Check out their blog post for more information and additional screenshots!

Pentesting with Programmable HID: Owned by a USB Keyboard

Most corporate (and government) IT experts know the danger of rogue USB drives. In 2008, one of the largest exploitations of the military was caused by a simple USB drive that was purposely infected with malware. Since then, turning off the “Autorun” feature has been a common mantra amongst security professionals to stop infected USB’s from running their automated payload. 

But, what if the system did not know that the device being plugged in was a USB flash drive? What if it thought it was a keyboard, or a mouse? What if it was in fact a keyboard, mouse or even an office toy? 

What if the device could run automated commands, like copying off all the data in certain directories, running an onboard malware program, or automatically taking you to a rogue site? What if the device could detect when you were sitting at the keyboard? When you turned on your office lights or even moved? 

Welcome to the world of Programmable HID (Human Interface Device) hacking. This new area of social engineering attacks is very deceiving and effective. Using a device that can be used as is, or inserted into a real keyboard, mouse or office toy, hackers are able to run a plethora of attacks against a machine. 

And because the system thinks it is a human interface device, anti-virus has little if no effect. Because it is programmable via the simple Arduino language (same technology used in robotics), the attack options are limited only by the imagination of the hacker. And as you will see, some of them have a pretty evil imagination. 

The video above is from Defcon 18. The exceptional presentation by Adrian Crenshaw (aka Irongeek) demonstrates his work with transforming the Teensy USB device into a pentesters dream. He shows the dangers and capabilities of USB HID hacking and how to defend against them. Adrian is extremely knowledgeable and his light, witty demeanor makes watching the video not only informative, but very enjoyable. 

Just don’t borrow a mouse from this guy!