Gallery

USB drives (me to distraction)

Posted on 21 Sep 2005 at 17:33

Steve Cassidy demonstrates the variety of threats posed by the increasingly popular USB flash drive

This is fairly understandable if you consider that this utility has been developed as part of a wider systems-management helper platform, but unfortunately for me it leaves a lot of holes in terms of likely scenarios. I agree that it's common practice to assume your user population can be readily divided up into saints and sinners, and that's what security groups are for, but in the case of USB flash drive 'threats' I don't think it's sensible to expect even the saints to keep up their good reputation. I've copied files to a USB flash drive and had it back in my pocket in well under a minute on a properly configured machine, which is a short enough time to be inside the screen-locking or account logout period for most people's configurations.

A similar feature set can be found in DeviceWall from Centennial Software at www.devicewall.co.uk. Like LANguard, this is one of those centrally managed, distributed-client, policy-driven utilities, but in this case the feature mix is a little larger in scale. DeviceWall knows about different classes of removable storage, acknowledging that a BlackBerry is a different thing from an iPod, and that both are not the same as aUSB flash drive. The same XP group-driven assignments of rights is at the heart of what you can do with the system: pick a class of devices, attach a list of groups to it and then assign each group an appropriate level of access.

Again, this doesn't quite go as far as to audit the content of those removable drives that are permitted to a person when they log in: for that level of security, it seems you need DeviceLock from www.protect-me.com. This bridges the gap between the need to track the users and the need to track the devices they might use and, critically, it includes the feature of logging what's been plugged in, using the concept of a USB device whitelist. Each drive has an ID string associated with it, allowing you to declare known trusted devices on a per-machine or per-domain basis. There's even support for barring the whole class of USB plug-in devices altogether, which makes it possible to secure machines in kiosk applications against roving felons with USB keyboards, for example.

I have no doubt that a growing arms race will develop between these products and the more - let's be charitable and say 'individual' - utility writers. It can't take long, for example, before someone works out how to clone a whitelisted USB flash drive ID, or to take advantage of the fact that a drive that's been hidden from the user by a security policy is still, at some level, present to the machine's operating system. And I don't want to think about potential for trojans that lock the content of your handy USB flash drive and won't unlock it until you pay some money to a dodgy website. It does seem like only a matter of time before these little keyring baubles become an even mixture of blessing and curse.

Hot-swap blues

Buying and operating servers appears to be a tough, intelligent, hard-boiled sort of world. There's a lot of engineering machismo expressed in all those tall racks and the hefty warning messages on any large 'enterprise' class box about how many people it will need to lift the thing. We also see lots of engineering effort being expended in particular directions; it's actually quite hard nowadays to find a non-rack-mount specification, for example. Also, many rack-mounted servers have additional features to help with the presumed life cycle of a box in a server room where space is tight, the air is ice cold and circulating rapidly, and the emphasis is on continuous uptime with very little option to announce maintenance co-operatively.