Removable media devices are now seen as the biggest security threat to corporate security, and yet 80 per cent of firms don't have safeguards in place. That's according to a new study from Centennial Software which claims that four out of five firms have failed to implement effective measures to protect against the threat that …
about time too!!
I work for a Mac Only company, and when I joined I realised how easy it was to literally take all our client data to then possibly pass it on to competitors etc. We found a "hack" that could enable us to disable USB and Firewire ports.
It's already proving useful as a disgruntled member of staff tried it and came to me saying that he could copy stuff to his USB flash drive.
Not too big a problem
This shouldn't be a problem -- just recompile your kernel without USB storage device support. This isn't as hard as it sounds, all you have to do is change the line in your .config file reading
so it now reads
# CONFIG_USB_STORAGE is not set
or, of course, you can use make menuconfig and turn off USB mass storage device support.
There probably is even a patch you can apply to your kernel to make USB mass storage devices behave as read-only devices. (There certainly is support in the SCSI layer for read-only devices -- remember CD-ROMs?) This will prevent anyone from using USB storage devices for abstracting company secrets.
If you want something a little bit less drastic, then you can just add "user,ro,noexec" to the "options" (fourth) field on the line in /etc/fstab which refers to the external USB drive (usually /dev/sda1, but may well be /dev/sdb1 if you have a SATA hard disk). This will allow non-root users to mount the device (you don't allow ordinary users to be root, do you? And you made sure they can't use sudo? Good); but make it read-only and non-executable. (You'll also need "noauto" if you want the machine to be able to boot up without slowing down if no USB stick be plugged in; but you knew that, of course.)
Or, of course, whatever the Windows equivalent is.
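An added example, not part of the comment above or of any tool it names: a small Python audit that resolves the fstab options the way mount(8) documents them ("user" implies noexec unless a later "exec" overrides it) and classifies the CONFIG_USB_STORAGE line of a kernel .config. The device names, mount points and sample file contents are constructed assumptions.

```python
# Constructed sample inputs (not taken from the thread).
SAMPLE_FSTAB = """\
# device   mountpoint type  options                dump pass
/dev/hda1  /          ext3  defaults               1 1
/dev/sda1  /mnt/usb   vfat  user,noauto            0 0
/dev/sdb1  /mnt/usb2  vfat  user,ro,noexec,noauto  0 0
/dev/sdc1  /mnt/usb3  vfat  ro,user,exec           0 0
"""
SAMPLE_KCONFIG = "CONFIG_USB=y\nCONFIG_USB_STORAGE=m\n"

# How each option changes the state we care about, per mount(8).
EFFECTS = {
    "defaults": {"ro": False, "noexec": False, "noauto": False},
    "rw": {"ro": False}, "ro": {"ro": True},
    "exec": {"noexec": False}, "noexec": {"noexec": True},
    "user": {"noexec": True}, "users": {"noexec": True},
    "auto": {"noauto": False}, "noauto": {"noauto": True},
}

def effective(options):
    """Resolve a comma-separated fstab option string, left to right."""
    state = {"ro": False, "noexec": False, "noauto": False}
    for opt in options.split(","):
        state.update(EFFECTS.get(opt, {}))
    return state

def audit_fstab(text, devices):
    """Return {device: [problems]} for the named removable devices."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) < 4:
            continue
        if fields[0] in devices:
            state = effective(fields[3])  # fourth field holds the options
            report[fields[0]] = [f"not {k}" for k in ("ro", "noexec", "noauto")
                                 if not state[k]]
    return report

def usb_storage_state(kconfig):
    """Classify CONFIG_USB_STORAGE in the text of a kernel .config."""
    for line in kconfig.splitlines():
        if line.strip() == "# CONFIG_USB_STORAGE is not set":
            return "disabled"
        if line.startswith("CONFIG_USB_STORAGE="):
            value = line.split("=", 1)[1].strip()
            return {"y": "built-in", "m": "module"}.get(value, "unknown")
    return "absent"

if __name__ == "__main__":
    print(audit_fstab(SAMPLE_FSTAB, {"/dev/sda1", "/dev/sdb1", "/dev/sdc1"}))
    print(usb_storage_state(SAMPLE_KCONFIG))
```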
the Windows equivalent is
Araldite in the USB sockets!
Given a DOS boot disk with the right configuration can access NTFS and both USB and Firewire, the only real solution is hardware mutilation, or the less extreme araldite option.
computer services are a bigger security risk
Since being upgraded to XP last year, write access on the USB ports has been disabled, however, it merely takes a 5 minute call (ignoring the 30 mins on hold obviously) to the monkeys in the frontline computer support for them to enable it for you. It's even easier to talk them into giving you full admin access but that's a different security issue.
Because the dregs of society are generally employed in ours with a 15min training course, before being given full control over the whole corporate network's user access rights, they don't really understand enough to know that a usb drive is not the only way to move files between machines :)
How to disable USB memory devices on 2K and XP
I wrote this months ago in response to an earlier scare:
Yes, this is available as a group policy setting on XP Pro SP2 and Vista, but not on earlier versions or on XP Home.
And after you've read that, consider removing the floppy drives and CD burners from work machines as well. There are easy ways to deploy updates without needing them, and you can then audit as much or as little traffic as you wish.
Value in computer systems
The reason why Microsoft didn't introduce read-only USB mass storage devices from Day One is that they place more value on the software that they supply than on the data that you manipulate with it. And if we're honest Linux probably only has it because it's descended from Unix; but the ability to restrict mere mortals' write access on certain devices can't be a bad thing.
Imagine if kitchen-equipment suppliers decided to block you from cooking food in their pans that was cut up with a different manufacturer's knife, or power tool manufacturers decided to prevent you from using their tools on wood cut with a different manufacturer's chainsaw. Of course these propositions are nonsensical; the value of good food does not come from the equipment used to prepare it, and the value of fine furniture does not come from the tools used to fashion it.
Microsoft are going to have to learn that lesson if they want to stay in business, because every new Linux distribution that comes out is making Vista look less and less attractive.