Colleges Wrestle With Thumb Drives
Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"
Could anyone explain that? I don't see the point.
You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.
You're worried about the student's data? Then teach them to use encryption and require them to use it.
Neither thing requires a lot of examination or a lot of money. What's the big deal?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl. The only thing that should be punished is including contents of other people's removable drives in your coursework without giving credit. We don't want to be raising a generation of corporate drones who can never take the initiative to bend the rules and achieve true greatness.
My institute of higher learning utilizes Deep Freeze on all computers and restores them all to their original state (except for a 'storage' partition) every weekend. It seems to do the job quite well.
Not just in colleges but in corporate work environments: block this, stop that, don't allow those... But whatever they do, if we need a way around it we can get one. Most computers have Bluetooth, so you have your cell phone right next to your computer and, unknown to the security guys, you use Bluetooth as a PPP connection to the internet to check your mail, or worse, as a backdoor in or a way to send traffic out. Even if the computers don't give you the option to boot, there is always the Live CD option: a Linux distro with VMware running in full screen, and most people won't know the difference. Whatever they come up with, there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allowing external emails to come in, and, if you are silly enough to use Windows for your workstation, keeping your virus scanner up to date. Anything more makes people realize that you are anal about security, so they feel more pressure to find a way around it... Remember, a worker may not know how to click the Start menu to get to additional programs, but if you stop them from getting their email they will learn to set up a proxy server in no time...
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Am I the only one who read the title and thought "One two three four, I declare a thumbdrive war."?
there are 10 types of people in this world; those who get this joke, and those who don't
Seriously, why can't people see past this fact? If you want a secure environment, the first thing you do is remove desktops and put in terminals. Terminals' only failure is in the arena of graphics rendering, in which case I'm sure they can manage to lock down a few graphics workstations.
If you mod me down, I will become more powerful than you can imagine....
"In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.
In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."
The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSN's on an unencrypted flash drive...
I don't know about most universities, but the one I went to didn't give everyone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.
What profs need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.
Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, the hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they run a Windows desktop environment (which is 97% of them). But what amazes me is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.
I prefer the "u" in honour as it seems to be missing these days.
The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning. I shall explain my view. I have been co-administering and directing on the technical side a 300-user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus), for 5 years now. Indeed, things in academia have to be open. And they can be, as long as you focus on the problem.
Desktop-wise, a proven combination of transparent bridging at network level, an anti-virus/anti-spyware on the desktop and another anti-virus/anti-spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.
The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
- We can train users to understand the implications of relying on portable storage.
- Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
- Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then lost them, misplaced them inside a warm cup of coffee, or had their kid's bike go over their laptop in the garden are common.
This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons (mobility, convenience, etc.), we found that strong motives for users to use portable storage media in an academic setup exist for two reasons:
i) Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
ii) Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are commonplace, but they were dog slow, especially for large user setups, so faculties tend to serve tens of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result: non-existent or slow connections; users give up, buy a key or portable drive and hope for the best.
I approached our Director, explained the problem and got funding to buy a storage solution able to offer a quota of 20 Gigs per user, and also to upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and when he heard the bill, he changed a few colours. However, if you explain with numbers the cost of losing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.
I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.
I don't understand why this is so hard: clearing temp drives at the end of a user session and keeping master images for your computers (most universities bulk order their systems so keeping a comprehensive set shouldn't be way too difficult) for periodic resets should get rid of most problems from unauthorized software and malware. To combat unnecessary use of thumb drives, give the students and faculty centralised file storage; my university does this by allocating home directories that are connected to whenever you use your username/password to access a computer, with around 100MB of storage. This drive can be accessed using ftp from anywhere in the world. And to prohibit rampant loss of important information, make it inaccessible. There really is no reason for a professor to have SSNs. There really is no reason for anyone to have access to the SSNs except maybe department managers for, say, admissions, the bursar's office, financial aid, and the registrar, and maybe the deans. Other than that, there really is no need for email or web access restrictions; just scan for viruses and malware using comprehensive inward- and outward-looking firewalls with virus scanners. It really is pointless to block any content in a college environment considering almost anything can be claimed under academic freedom.
I've heard about sysadmins crazy-gluing USB ports closed, but having a physical lock on the port instead seems a better idea. I found one company selling a USB lock-and-key set:
http://www.lindy.com/us/productfolder/04/40454/index.php
http://www.lindy.com/us/catalog/07/01a/index.php
but I don't have the impression that the key is unique, so what's stopping me from buying the product and unlocking someone else using the same product?
Many student numbers are nine digits, you might have noticed. That's because, back in the golden age, when student records were put into computers, someone decided that the 9-digit number uniquely assigned to each person was perfect for the task: no identity conflicts, and 30 years later, when the student wants a transcript, no problem.
Many large universities continued to use SSNs into the nineties, and I have no doubt many continue to use them. And when you'd teach a class, all the forms that came through had student names and their SSNs. So they're not just on thumbdrives, they're everywhere.
Also, sysadmins should look at a good password policy. That does not necessarily mean changing passwords every X days.
Where I work I have several different logins and passwords. As many need changing every 30 days, for most of them I use less secure passwords.
There are some that are selected for me, and those I place in a file. Pretty insecure as well. And everybody else is doing the same thing.
Security is something people should really think hard about, especially the social part of it. You can blame people for giving away passwords for a pencil, but you could also try to solve this.
Education and training will only help you so far. Hardened security is also not the whole of security and can even work against security.
Sorry, I do not have a solution.
Don't fight for your country, if your country does not fight for you.
Was the "thumb wrestling" pun in the title intentional?
Put computer in a secure cuff so it can't be opened.
Password the BIOS, lock out all boot options bar hard disc.
Run everyone as a restricted user using dynamic accounts (ZENworks for example, or deep freeze if you're stuck in the 90's)
Disable all onboard bluetooth, wifi etc
Not all that difficult really.
Sounds stupid to me.
If the IT admins really want to make their life easy, why don't they just use one of those hardware solutions where if you reboot the PC (or press some button while booting) the PC gets restored to a known state (like a vmware "revert to snapshot"), and then have networked file servers for students to store some of their permanent _uni/college_ related stuff on. If the IT staff aren't totally lazy they might even back up the student's network stuff regularly (haha).
Basically the hardware card diverts all disk writes to some other location and subsequent reads are read from the new location until the system is "reverted", in which case everything appears back to the original state.
This sort of thing is done in some cybercafes, and you can even reboot the machine remotely to revert it (if it's not totally messed up ;) ).
If a student wants to start from a known state he/she can just reboot the PC, or use their laptop.
Then additionally require the students not to tamper with the uni's "default" image (which would typically involve opening up the PC, and mucking about to bypass the hardware thingy). Along with "no unauthorized access to other people's accounts and machines" that should be quite a reasonable policy and I doubt it would really trouble students doing legitimate stuff.
I'd even do this in a corporate environment if I were in charge of IT, but with a few more "corporate style" policies.
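The write-diversion behaviour described in the post above (writes go to a scratch area, reads are served from it, and a revert discards it) is easy to model in software. The following is an added Python example of that copy-on-write overlay, not the card vendor's or the poster's code; the 16-byte block size and the 64-byte "lab image" are assumptions chosen for illustration.

```python
# Added example: a copy-on-write overlay modelling a "revert to known state" disk.
# Not vendor code. Block size and the sample image are illustrative assumptions.
from __future__ import annotations


class SnapshotDisk:
    """Fixed-size block device whose writes are diverted into an overlay.

    Reads consult the overlay first and fall back to the frozen base image;
    revert() throws the overlay away, restoring the machine's default state.
    """

    BLOCK = 16  # bytes per block (tiny, so the example is easy to follow)

    def __init__(self, base: bytes):
        if len(base) % self.BLOCK:
            raise ValueError("base image must be a whole number of blocks")
        self._base = bytes(base)              # the "known good" image
        self._overlay: dict[int, bytes] = {}  # block index -> redirected copy

    def _check(self, offset: int, length: int) -> None:
        if offset < 0 or length < 0 or offset + length > len(self._base):
            raise ValueError("I/O outside the device")

    def _block(self, idx: int) -> bytes:
        blk = self._overlay.get(idx)
        if blk is None:
            blk = self._base[idx * self.BLOCK:(idx + 1) * self.BLOCK]
        return blk

    def read(self, offset: int, length: int) -> bytes:
        self._check(offset, length)
        out = bytearray()
        end = offset + length
        while offset < end:
            idx, inner = divmod(offset, self.BLOCK)
            take = min(self.BLOCK - inner, end - offset)
            out += self._block(idx)[inner:inner + take]
            offset += take
        return bytes(out)

    def write(self, offset: int, data: bytes) -> None:
        self._check(offset, len(data))
        pos = 0
        while pos < len(data):
            idx, inner = divmod(offset + pos, self.BLOCK)
            blk = bytearray(self._block(idx))        # copy-on-write
            take = min(self.BLOCK - inner, len(data) - pos)
            blk[inner:inner + take] = data[pos:pos + take]
            self._overlay[idx] = bytes(blk)           # base is never touched
            pos += take

    def dirty_blocks(self) -> int:
        return len(self._overlay)

    def revert(self) -> None:
        """What a reboot does: discard every diverted write."""
        self._overlay.clear()

    def commit(self) -> None:
        """What only the admin may do: fold the overlay into a new default image."""
        self._base = self.read(0, len(self._base))
        self._overlay.clear()


def demo() -> tuple[bytes, bytes, bytes]:
    """Tamper with the image, then revert; returns (original, tampered, restored)."""
    base = b"LAB-IMAGE-v1 ok ".ljust(64, b".")   # constructed 64-byte image
    disk = SnapshotDisk(base)
    disk.write(0, b"malware.exe ")               # a student "installs" something
    tampered = disk.read(0, 16)
    disk.revert()                                # reboot
    restored = disk.read(0, 16)
    return base[:16], tampered, restored


if __name__ == "__main__":
    for label, chunk in zip(("original", "tampered", "restored"), demo()):
        print(f"{label:9}: {chunk!r}")
```

The design point is that the base image is never written by a normal session; only `commit()` touches it, which is the operation the policy in the post reserves for the institution's "default" image.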
Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple, trivial fact? The problem is in the credit industry that wants to lend money at a moment's notice to people before their impulse to borrow fades away.
All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.
Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.
Then it won't matter if some department loses a hard disk containing a million SSNs. Will it?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I'm perplexed as to why universities are still struggling with this issue. 2 years ago, when I was a senior lab tech at the college I was attending, we implemented a comprehensive security model which blocked booting from USB drives, executing data from USB drives and saving of sensitive data onto USB drives.
Through the use of a properly designed infrastructure, a proactive network monitoring model and the native functionality provided by the system BIOS and Active Directory, it is not that difficult to secure your network while still providing a relatively open environment where students and teachers can work effectively.
I mean come on people! If a student lab tech can figure this out and it worked effectively for 2 years, what does that say about university network admins?
linuxdevices.com
KeePass
It generates passwords for you, letting you set the length and what characters are included. Then it stores them all for you. You can use one password to protect all your other ones. You can even set expiration in the program to remind you when to change a password.
I used to re-use the same three or four passwords everywhere. But now nearly all of mine are quite random.
Give it a try.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
I think there ought to be a law that outright bans a driver from thumb wrestling especially at universities where our future leaders are being formed.
I don't know how many times I've been cut off in traffic and see the driver thumb wrestling with some university student. It makes my blood boil. Oooo...
It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl.
There are some schools where circumventing computer security is taught as part of the curriculum.
When our name is on the back of your car, we're behind you all the way!
One place I worked at just put epoxy in all USB ports. Then they bought 200 signature capture pads, that work on USB. Heh.
I used to wonder what was so holy about a silent night, now I have a child.
At my university, we've got a whopping 100 MiB of storage. The whole IT setup seems to be stuck in the 90's, with multiple semi-independent networks scattered around the buildings (you need several different accounts to log in at different locations) and 802.11 only slowly spreading.
I can fully understand the usage of thumb drives, as central storage by the university is complicated and not enough. Installing a crappy VPN solution that makes me change my local network's subnet because it blatantly uses all available private networks except 192.168.1.1/24 for having access to a mere 100 MiB of storage and a handful of programs is neither worth the time nor the effort.
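The complaint above (a VPN client that pushes routes for nearly all of RFC 1918 and collides with the home LAN) is something you can check before rolling a client out. The following is an added Python example, not the university's or the poster's tooling; the pushed route list is constructed to reproduce the "everything except 192.168.1.x" situation, and the home LAN addresses are made up. It uses only the standard `ipaddress` module.

```python
# Added example: detect VPN route pushes that shadow a user's local LAN, and list
# how much RFC 1918 space a route set leaves untouched. Route lists are constructed.
import ipaddress
from ipaddress import IPv4Network

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(specs):
    # strict=False lets a host-style spec such as "192.168.1.1/24" (as the poster
    # wrote it) be read as the network it belongs to, 192.168.1.0/24.
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def overlapping_routes(local_lans, vpn_routes):
    """Return (lan, route) string pairs where a pushed route overlaps a local LAN.

    Any overlap means traffic to that LAN would be pulled into the tunnel once
    the VPN is up (or, worse, the client refuses to start).
    """
    return [(str(lan), str(rt))
            for lan in _nets(local_lans)
            for rt in _nets(vpn_routes)
            if lan.overlaps(rt)]


def free_private_space(vpn_routes):
    """RFC 1918 space NOT covered by the pushed routes, as a sorted list of networks."""
    free: list[IPv4Network] = list(RFC1918)
    for rt in _nets(vpn_routes):
        nxt = []
        for blk in free:
            if rt.subnet_of(blk):
                # carve the route out (address_exclude yields nothing if equal)
                nxt.extend(blk.address_exclude(rt))
            elif blk.subnet_of(rt):
                pass                      # wholly swallowed by the route
            else:
                nxt.append(blk)           # unrelated, keep
        free = nxt
    return sorted(free)


# Constructed push list that covers all of 10/8, 172.16/12 and every /24 of
# 192.168/16 except 192.168.1.0/24 -- the situation described in the post.
PUSHED_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24", "192.168.2.0/23",
                 "192.168.4.0/22", "192.168.8.0/21", "192.168.16.0/20",
                 "192.168.32.0/19", "192.168.64.0/18", "192.168.128.0/17"]


def demo():
    """Check two hypothetical home LANs against the constructed route push."""
    free = [str(n) for n in free_private_space(PUSHED_ROUTES)]
    ok_lan = overlapping_routes(["192.168.1.1/24"], PUSHED_ROUTES)   # poster's LAN
    bad_lan = overlapping_routes(["192.168.0.0/24"], PUSHED_ROUTES)  # default for many routers
    return free, ok_lan, bad_lan


if __name__ == "__main__":
    free, ok_lan, bad_lan = demo()
    print("untouched private space:", free)
    print("192.168.1.0/24 conflicts:", ok_lan)
    print("192.168.0.0/24 conflicts:", bad_lan)
```

Run the same check with the route list the client actually pushes (the `route` lines of an OpenVPN config, for instance) and the subnets your users are known to have at home; anything in the overlap list is a support ticket waiting to happen.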
stevedcc wrote:
> University networks are not like work networks. You can't enforce a standard set of tools and be sure that no one needs to run anything else
If by ``work networks'' you mean industrial software development environments -- well, you also can't enforce a standard set of tools. Let me put it this way: I really hope management over at my *competitors* lock down their engineering team's tool set, since that would give my group, which has no such artificial restrictions on software tools we can use (so long as everything's okay with the license), a significant competitive advantage.
An unjust law is no law at all. - St. Augustine
From TFA: "using unprotected storage devices" Getting students to use condoms has always been difficult!
Seriously, though, this is about several points, not just data theft. There does need to be a set of policies in place to prevent data theft and this should focus on education (hmmm... at a school, no less). There is software available to help protect the data (don't know anything about it) but the main issue should be education followed by physical security.
The other issue is viruses. One very simple step is something like 'trustnoexe', which prevents software from running from the USB/CD/floppy drives. A properly locked-down PC where only trusted software is allowed to run is still a very useful machine and is much safer in a public environment than one that is totally free.
As for protecting as many users as possible from bad internet traffic, we're examining the idea of using WebSense and it looks pretty good. It combines white-listing with black-listing with an interface for selecting (at a very granular level) what to block or allow and for whom. Pretty nice (though, in my environment, I'm kind of against it as it'll be used to block things that I feel the public should be allowed access to if they so wish it, but that's political, not technical).
I have had a USB drive of some sort or another for quite a few years. I had the first 512mb drive available, first 1gb, first 4gb, owned and threw away a defective 16, and now use an 8gb Sandisk FireFlash. (SanDisk is probably the best brand going for small, fast, and reliable)
When I first was noticed to have a 1gb flash drive, my manager flipped out. We were not in a hugely secured environment, but he was formerly a branch manager of a bank so he saw this as a huge problem. We did deal with a large amount of customer information, but this never needed to be on my flash drive. I used the drive to assist in maintaining about 110 PCs, mostly loaded it with software tools, text files describing walk throughs to fix common issues, etc. We went round and round a bit and finally just dropped the issue and I was not bothered anymore.
Now I work in an IT department elsewhere, and I do have to carry sensitive materials. With all the switches, routers, servers, etc, I have to keep passwords for them all. Having these items available on hand at any time in addition to a large number of software tools to support > 500 machines of various types necessitates a flash drive - you just can't carry your laptop everywhere nor rely on the availability of a network connection.
My solution now is to use OS X's "filevault" technology. Among the items I am not worried about, there is a small (10mb) encrypted disk image. Because the data on the image is frequently being changed and updated, I keep the main copy on the flash drive, and periodically (weekly or so) sync it with my laptop. The copy on the laptop is write protected to prevent temptation of editing it instead of the copy on the flash drive. The password to the vault is in the keychain on my laptop, which is encrypted with my login password. So if I plug in the flash drive to my laptop, I just double click to open the vault without any password to type. I can also open the read-only copy of the vault that is synced on my laptop if that's handier.
If I am in the field and either don't have my laptop with me, or it's inconvenient to haul it out, I just get out the flash drive and plug it into the machine and double click the vault. I have to enter the password since it's not on my laptop with its keychain, but that's not a big deal. The filevault is not supported on anything besides OS X, but it's supported directly by the OS and does not require any additional software or setup, it' just works when plugged in.
For the PCs I have a second 4gb flash drive that I use mainly for shuttling information between PCs, and it does not contain any sensitive information.
The biggest problem I have now with the flash drive is the very high risk of forgetting it somewhere. It's really easy to plug it into a machine, start working on something, get distracted by several other issues all at once, and hurriedly rush to the next fire, only to leave the flash drive parked in the machine I was working on first. By the time I realize I don't have my flash drive, it can be up to a day later, and it's really hard to figure out where it was left behind. I've put a lot of thought into this problem, including various "phone phone" ideas, use of a lanyard, etc, and the solution I have come up with is working well. I have a small camera bag that I used to keep my PowerShot camera in. I now have a larger camera, so the bag has been repurposed. It's a LowePro, built well with a belt loop. It nicely holds my Palm Pilot, iPod, earbuds, an iTrip transmitter, AND a flash drive. How does this help, you wonder? The FireFlash has a removable clear acrylic cap that securely attaches to the flash drive, and the lanyard loop is on the cap, not on the drive. The drive came with a 5" lanyard, so I attached that to the loop on my LowePro, and stuff the flash drive in the front pocket of the bag. When I am using the flash drive, I have to remove it from the cap to plug it in (or reach the computer for that matter). This leaves a clear acrylic cap dangling 5" dow
I work for the Department of Redundancy Department.
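Two posts in this thread describe the same pattern: the KeePass recommendation earlier (one master password protecting a store of generated passwords) and the post above (a small encrypted container of device passwords carried on a flash drive, opened with a password when away from the laptop). The following is an added Python example of that pattern, not KeePass's code nor the poster's setup. Because the standard library has no AES, the container uses a PBKDF2-derived key, an HMAC-SHA256 counter-mode keystream for confidentiality and a separate HMAC tag over salt, nonce and ciphertext (encrypt-then-MAC); a production vault would use AES-GCM or ChaCha20-Poly1305 from a real crypto library. The vault contents and iteration count are assumptions for the demo. Note the property the earlier sysadmin post warned about: a wrong or forgotten master password is indistinguishable from a corrupted file, and nothing is recoverable.

```python
# Added example: a password-protected, authenticated vault blob of the kind a
# password manager or an encrypted disk image on a thumb drive provides.
# Illustrative stdlib construction; use AES-GCM/ChaCha20-Poly1305 in production.
import hashlib
import hmac
import json
import math
import os
import secrets
import string

PBKDF2_ITERATIONS = 100_000          # assumption for the demo; tune upward in practice
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password from `alphabet`, using the CSPRNG-backed secrets module."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Worst-case guessing entropy of a uniformly chosen password."""
    return length * math.log2(alphabet_size)


def _derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2 stretches the master password; split the output into enc and mac keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(master: str, entries: dict) -> bytes:
    """Serialize, encrypt and authenticate `entries`. Layout: salt|nonce|tag|ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong password and a tampered blob fail the same way."""
    if len(blob) < 64:
        raise ValueError("blob too short to be a vault")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def demo() -> dict:
    """Constructed vault: generate device passwords, seal them, reopen with the master password."""
    entries = {dev: generate_password(24) for dev in ("core-switch", "edge-router", "backup-server")}
    blob = seal("correct horse battery staple", entries)       # constructed master password
    return {"entries": entries, "blob": blob,
            "reopened": open_vault("correct horse battery staple", blob)}


if __name__ == "__main__":
    r = demo()
    print("vault size:", len(r["blob"]), "bytes; reopened OK:", r["reopened"] == r["entries"])
    print("bits per generated password:", round(entropy_bits(24, len(DEFAULT_ALPHABET)), 1))
```

The read-only laptop copy the poster keeps is just a second copy of the same blob; syncing it is a file copy, and the tag check means a half-written copy from an interrupted sync is rejected rather than silently yielding garbage.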
As a CxO at an academic medical center, you become aware that the electronic documents that are the work product of the morbidity and mortality working group are stored on a somewhat restricted departmental share. While not discoverable, they are sensitive (!). So you address this, and in the fullness of time you come to realize that external storage media often do contain The Only Copy of a Business Record, of the sort that state and federal regulations require you to maintain a copy of for 5-to-30 years, depending on the document in question. So, you address this, but then you bolt upright in a drenching sweat and thank the heavens that you only dreamt that you were a CxO in an academic medical center; luckily, in reality, your occupation is the less stressful 'bomb squad guy.' The moral of the story is that there are no good USB devices or bad USB devices, just good and bad uses of USB devices. Avoid the ones that can blow up on you.
If you think about it, for a business to be effective information and data need to be able to spread just as easily as they do in any college environment. In a business you need to be able to borrow software or libraries or papers as well.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In May, a professor at Bowling Green State University in Ohio lost a flash drive containing Social Security numbers of 199 former students. And professors have SS#'s because why? If the school is using them as identifiers, then that is a severe security problem regardless of theft of flash drives.
-Kinsey
Here's a solution my university's library came up with:
Our computers use Novell software, and logging in requires knowledge of your Novell username and password. Guests can log in to use the web, but they aren't granted access to any of the Microsoft Office or Macromedia Studio software. If a computer is left alone for 20 minutes, it shuts down/resets. When a computer is shut down/reset, it removes all new files and programs that were installed on the computer during usage. That way they stay clean of all the shit students put onto the computers, regardless of one's opinion of Novell. If a student forgets to back up his/her data, whether by burning it to a CD, putting it onto a flash drive, or e-mailing it to yourself, you're kind of screwed.
Come to think of it, my university also lends USB drives to students and faculty. It's not that big of a problem with the security measures placed upon our computers.
The real problem our university has had was when people use bittorrent or other P2P software to share media files and block up the university's entire network. There's a considerable lag when this occurs, and it drives me nuts. There are cases where we couldn't even access the wireless internet because of this.
Get a Mac.
Security issues solved omgasp!
I find this pretty ironic. At the Co-Op (the university's bookstore) they had PNY branded thumb drives with the UConn logo on it. Students had space allocated to them on the network. We used DC++ over the network for EVERYTHING. I was one of a few students to bring a laptop to class and actually type verbatim during lectures (my handwriting sucks). From there, some professors even asked me if I could give them a cd of their lectures so they could make fair tests and quizzes. This is a radically misdirected article that has no real impact if you really experienced what goes on. I hope whoever came up with this goes back and gets a firsthand view of what exactly takes place
Once upon a time (1995), I started to study. I took an introductory Unix course and was, for a few years, very happy with using my network drive on the computing centre's fileserver, connected by only 10Mbit/second. Everything was running and whichever pizza-box in the computing centre I used, my data was there. I could access it from everywhere, and since the size of a floppy was 1.4Mb, people were pretty careful about their document sizes. Nobody said something like "oh I scanned the newspaper article in 300x300dpi and 24bit color, because quality can never be high enough". My documents (50Mb quota by then) were stored at exactly one place, which was located behind a steel door with access control (only computing center employees could enter). The room had proper climate control and a backup power system.
A few years later I started to work at a chair where people were using floppies to transport data around from the measurement computers to the next room. I was a little bit puzzled, but due to the complete network incompetence of everyone this practice continued when thumbdrives appeared. It got worse. Before, everybody took care about document sizes, but now there was no stopping anymore. Everybody created ppt files with bitmap-graphics overkill, hard to edit, with the argument "it fits on the USB stick, doesn't it?"
We are now in an even worse situation. Security issues are getting harder and the bounty-hunters appreciate that sneaker-nets are impossible to control. Who would argue with the hard-working employee who takes the spreadsheet home to work on it? In the meantime "Sorry, I had to do it" counts as an excuse for "I was too lazy to listen to the admin explaining how to access the network from home".
My opinion: give your employees or students an available, reliable, backed-up, web-accessible network drive and good support, and the use of thumb drives will decline *strongly*.
Incidents referenced that actually occurred: two; stolen memory.
Incidents referenced not stated as actually happening: one; malware.
Incidents of "mandates" referenced: zero. Plus, the UConn IT guy says they can't do that anyway, so putting that in the headline makes it worth a -1.
This article seems to be pieces of three different articles that never got finished, thrown together into one big pile of FUD. Any one of them would make a good article if there were enough on-topic material. I'll give the guy a break and assume he was under pressure to produce an article on a slow news day.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
No, not really, any developer should have the hell locked down... it's some false Microsoft thing that developers should install their own stuff because remote management has been terrible for so long. In your case, who else knows that software? Who will continue your work in your absence? What resources are being captured by management, and should they be getting a better deal or using different tools than the standard because developers are more efficient that way? By not locking down, they are losing massive amounts of information and not maintaining good engineering discipline in their process... that is neither ISO approved nor Lean manufacturing. If you need a tool, it should be approved and documented. It's not about what's good for YOU, it's about building a company process and sticking to it.
a. USB Bluetooth that can be easily hidden in the back.
b. A majority have them anyways...
If something is so important that you feel the need to post it on the internet... It probably isn't that important.