Latch USB Monitor: New tool to monitor PNP devices with Latch

ElevenPaths, 11 December 2014

Latch USB Monitor is a tool that monitors Plug 'n Play (PNP) device changes in Windows. It lets the user track incoming devices and react according to a preconfigured Latch response. For instance, it can block USB ports so that a newly inserted USB memory stick is not recognized until it is authorized from the mobile device.

This means that Latch USB Monitor will ask the Latch servers what to do when a certain PNP device is detected on a Windows machine. The administrator therefore has a tool to react to plugged-in devices, and can modify the behavior and the scripts launched in any way, at any moment, just by sliding a bar on a mobile device.

How it works

Latch USB Monitor runs as a service and has a GUI to configure it. That means it keeps working and monitoring incoming devices even when no user is logged in. The service constantly watches for any device with the characteristics given by the user. When such a device appears, it queries the Latch servers and reacts in the way the user has configured.

It may also be used as an alerting system, with no action associated with an event. In that case, if a device is plugged into the machine, a blocking message is sent by Latch to the mobile device, but no action is taken.

Figure: Latch USB Monitor with some configured rules

How to install it

No special instructions. Just accept the license and choose the path. If, for the sake of security, you do not want the service to run as SYSTEM, you may change it to whatever account you wish, as long as it has privileges to run as a service and has network access.

A config file is created in XML format. This file contains sensitive information. Take care with its permissions, especially on shared computers.

Pairing with Latch

First of all, a Latch account has to be set up with a pairing token. Go to Latch management and add the App ID and secret. A timeout is specified here.
This means that if the computer is not connected to a network or, for any other reason, cannot get a response from Latch within the specified time limit (0 milliseconds by default, which corresponds to no timeout), the «no response» action is applied.

How to add and configure a device

Each monitored device may have these fields:

Device (optional): If your device is currently plugged in, you can choose it from this dropdown menu, where all attached devices are listed.

Description (optional): Giving a meaningful description of the device helps you better identify it in the main list.

Device Instance ID: The ID that uniquely identifies a device in a Windows machine. When an arriving Device Instance ID is detected, it goes through a matching system that can be used to discard or allow the rule. If the string set matches, the Latch query will be launched. The ID is treated as a string, so «Starts with», «Contains»… may be used to match.

Operation ID: The operation ID used in Latch.

Actions.Open (optional): If the Latch query responds with an «on», the process specified here will be launched, with the specified argument set (optional).

Actions.Closed (optional): If the Latch query responds with an «off», the process specified here will be launched, with the specified argument set (optional).

Actions.No response (optional): If the Latch query doesn't respond (because there's no connectivity, for instance, after the timeout declared in «Latch settings»), the process specified here will be launched, with the specified argument set (optional).

Figure: Device details with pendrive example

The tool is written in C# and may be freely downloaded from: https://elevenpaths.com/downloads/LatchUSBMonitor.zip. You may want to check out Latch Event Monitor, too. We encourage you to use it.
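
The decision flow described above (Device Instance ID match, Latch query with timeout, then Actions.Open / Actions.Closed / Actions.No response), modelled in Python as an added example. It is not the tool's own C# code; the `query` callback, the rule field names, the script name and the operation ID are assumptions. `fails_open` lists rules that react to «off» but launch nothing when Latch cannot be reached.

```python
import queue
import threading
from dataclasses import dataclass
from typing import Optional

MATCHERS = {  # the two modes named in the post; case-insensitivity is assumed
    "starts_with": lambda dev, pat: dev.upper().startswith(pat.upper()),
    "contains": lambda dev, pat: pat.upper() in dev.upper(),
}

@dataclass
class Rule:
    description: str
    mode: str                             # key into MATCHERS
    pattern: str                          # compared with the Device Instance ID
    operation_id: str
    on_open: Optional[str] = None         # Actions.Open
    on_closed: Optional[str] = None       # Actions.Closed
    on_no_response: Optional[str] = None  # Actions.No response

def ask_latch(query, operation_id, timeout_ms):
    """Return 'on'/'off', or None if no usable answer arrives. 0 ms = wait forever."""
    box = queue.Queue(maxsize=1)
    def worker():
        try:
            box.put(query(operation_id))
        except Exception:                 # e.g. no connectivity
            box.put(None)
    threading.Thread(target=worker, daemon=True).start()
    try:
        answer = box.get(timeout=timeout_ms / 1000 if timeout_ms else None)
    except queue.Empty:
        return None
    return answer if answer in ("on", "off") else None

def decide(device_id, rules, query, timeout_ms=0):
    """For each matching rule: (description, status, process to launch or None)."""
    results = []
    for r in rules:
        if MATCHERS[r.mode](device_id, r.pattern):
            status = ask_latch(query, r.operation_id, timeout_ms)
            action = {"on": r.on_open, "off": r.on_closed}.get(status, r.on_no_response)
            results.append((r.description, status or "no response", action))
    return results

def fails_open(rules):  # rules that act on «off» but do nothing with no response
    return [r.description for r in rules if r.on_closed and not r.on_no_response]

# Constructed sample rule; the script name and operation ID are placeholders.
RULES = [Rule("USB storage", "starts_with", "USBSTOR\\", "OPERATION_ID", on_closed="block_usb.cmd")]
```

Setting Actions.No response to the same process as Actions.Closed, together with a non-zero timeout, makes such a rule apply its blocking action when the machine is offline.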