Slashdot Mirror


Colleges Wrestle With Thumb Drives

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

14 of 127 comments

  1. Re:What the hell is this about? by cp.tar · · Score: 3, Interesting

    If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

    Or, as the GP suggested, use a more secure system.

    Of course, no system is absolutely secure, but I feel that here we're dealing with stupidity, not malice - dumping Windows and Windows viruses seems like a foolproof plan to me. (Of course, nothing ever is foolproof.)

    If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

    Or using the camera on his mobile phone to make some screenshots. (I still can't believe that somebody took the time to take pictures of and then post the whole of Harry Potter.)

    --
    Ignore this signature. By order.
  2. Re:What the hell is this about? by Datamonstar · · Score: 3, Interesting

    The Harry Potter leak was a group effort. Everyone was responsible for only a range of pages instead of one person doing the whole book. But yeah, you're spot on with the cameras. It's difficult to secure sensitive information group when we have so many avenues of data collection in this so-called digital age. The best (fair) solution I can think of for beating cameras is to actually have a person walking around in the area and watching for people doing questionable things. Good old fashioned security that's simple to implement and really hard to beat. I don't know why it's not used more instead of people putting their trust in expensive and ultimately insecure solutions.

    --
    The eternal struggle of good vs. evil begins within one's self.
  3. High Security leads to a false sense of security. by jellomizer · · Score: 4, Interesting

    Not just in colleges but in corporate work environments. Block this, stop that, don't allow those.... But whatever they do, if we need a way around we could get one. Most computers have Bluetooth. So you have your cell phone right next to your computer; unknown to the security guys, you use your Bluetooth as a PPP connection to the internet to check your mail or, worse, as a backdoor in, or a way to send traffic out. Even if the computers don't give you the security to boot, there is always the Live CD option with a Linux distro with VMWare running in full screen; most people won't know the difference. Whatever they come up with, there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allow external emails to come in, and if you are silly enough to use Windows for your workstation, have your virus scanner up to date. Anything more makes people realize that you are anal on security and thus feel more pressure to find a way around it... Remember, a worker may not know how to click the start menu to get to additional programs, but if you stop them from their email they will learn to set up a proxy server in no time...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. desktops = bad by timmarhy · · Score: 2, Interesting

    seriously, why can't people see past this fact? if you want a secure environment, the first thing you do is remove desktops and put in terminals. terminals' only failure is in the arena of graphs rendering, in which case I'm sure they can manage to lock down a few graphics workstations

    --
    If you mod me down, I will become more powerful than you can imagine....
  5. Re:Universities shouldn't have to secure data by knghtrider · · Score: 2, Interesting

    It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl.

    While I agree with you in principle, at least one part of the story related to staff at the university losing a USB drive with 199 Social Security numbers on it. Staff should be required to use encryption as a minimum. Where I went to college, the admin network was segregated from the student network, and had stricter rules. It just makes sense; there is far too much sensitive information in that network to allow it to be connected to the outside world without controls. In a sense, the admin network is a corporate network. While I don't believe they need to be as draconian as some government agencies (swapping hard drives for internal/public networks), certainly they do need to keep tight controls.

    Just my 2 cents... which in today's world won't even buy me a piece of Double Bubble.
    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  6. Huh? by kalaf · · Score: 4, Interesting

    "In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.

    In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."

    The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSNs on an unencrypted flash drive...

    I don't know about most universities, but the one I went to didn't give everyone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.

    What profs need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.

  7. Well, even that is false by WindBourne · · Score: 4, Interesting

    Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they run a Windows desktop env (which is 97% of them). But what amazes me is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Well, even that is false by bhima · · Score: 4, Interesting

      This describes my office perfectly. The corporate IT policy bans everything: USB flash memory; digital music players (like my iPod); portable external drives; coming in or out of the building with *anything* that can store data; any website that even faintly looks like you could upload something (Flickr, Gmail, Hotmail, Photobucket, etc.); any program not available on the corporate NetInstall craplet; any encryption, any time, anywhere. Every person outside of R&D has this massive Windows XP install regardless of what they actually need or want.

      I've seen them fire people over it.

      However... all the managers have laptops and we go in and out every day with them. Each department has a fleet of burners and scanners. Every single member of R&D has at least 2 USB memory sticks. And I've been using my iPod every day for over 5 years.

      So what's the point? Surely I am not about to steal corporate secrets, and the mechanisms preventing me, if I was inclined to do so, have nothing to do with site or IT security. A disgruntled employee who didn't understand the difficulty in marketing such things is in no way going to be able to figure out what to take and how to do so (or even be able to get to the part of the building where he could have access to the data). The segmentation of the network encourages the use of external memory to transfer data from the segment containing the devices that create the data to the workstations of the people that analyze data.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  8. physical port lock by mikey573 · · Score: 2, Interesting

    I've heard about sys admins crazy gluing USB ports closed, but having a physical lock on the port instead seems a better idea. I found one company selling a USB lock and key set:
    http://www.lindy.com/us/productfolder/04/40454/index.php
    http://www.lindy.com/us/catalog/07/01a/index.php
    but I don't have the impression that the key is unique, so what's stopping me from buying the product and unlocking someone else using the same product?

  9. SSNs by DingerX · · Score: 2, Interesting

    Many student numbers are nine digits, you might have noticed. That's because, back in the golden age, when student records were put into computers, someone decided that the 9-digit number uniquely assigned to each person was perfect for the task: no identity conflicts, and 30 years later, when the student wants a transcript, no problem.

    Many large universities continued to use SSNs into the nineties, and I have no doubt many continue to use them. And when you'd teach a class, all the forms that came through had student names and their SSNs. So they're not just on thumbdrives, they're everywhere.

  10. Re:Not only the drives by marsonist · · Score: 2, Interesting

    Sometimes I have to question what some admins consider "good" password policy. I work in an environment where I have to access no less than 4 password protected systems on a daily basis. Each system requires the passwords to expire after 30 days, but since each system is independent the 30 day marks tend to vary 1 to 2 weeks from system to system.

    Each system has separate password requirements. Some require passwords with 15 or more letters, some balk at anything larger than 14. Some require 2 caps, 2 numbers, and 2 special characters. Some require more of one and less of the other. Many of them prevent you from recycling passwords and limit use of derivative passwords. In theory, all of these policies help to make the system as a whole stronger. In practice, people can't or aren't willing to remember 4 passwords that meet all of these requirements.

    !L0v3MyW!f343v3R is a great password, but after 4 years of having to create 4 of these every month, creativity runs short. Of course, if you guess too many times and you happen to lock yourself out of a system on a Friday afternoon, you might as well sit on your hands and start whistling until Monday morning. As a result almost everyone resorts to writing passwords down on scraps of paper and stashing them within arm's reach of their computers. (Who here has seen a password taped under a keyboard?) All in all much less secure than slightly less restrictive passwords.

    Admins worrying about security and productivity would push for a smartcard system which allows for extremely secure logins without hassling the users with unbearable passwording schemes. Admins that simply push for more restrictive password policies are out of touch with actual users and harming that which they intended to strengthen.

  11. Loss of SSN should not be a serious issue. by 140Mandak262Jamuna · · Score: 5, Interesting

    Why does losing a drive containing SSNs of some 199 old students become a serious issue? In this day and age of information storage, it is high time we view SSN as public information. The number of strangers who have legal access to my name, address and social security number is staggering. Doctor's office staff, university offices, payroll department of employers ...

    Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moment's notice to people before their impulse to borrow fades away.

    All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.

    Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.

    Then it won't matter if some department loses a hard disk containing a million SSNs. Will it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  12. I use a small program for this . . . by KenSeymour · · Score: 2, Interesting

    KeePass

    It generates passwords for you, letting you set the length and what
    characters are included. Then it stores them all for you.
    You can use one password to protect all your other ones.
    You can even set expiration in the program to remind you when to change
    a password.

    I used to re-use the same three or four passwords everywhere. But now
    nearly all of mine are quite random.

    Give it a try.

    --
    "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
  13. thumb drive early adopter, lessons learned by v1 · · Score: 2, Interesting

    I have had a USB drive of some sort or another for quite a few years. I had the first 512mb drive available, first 1gb, first 4gb, owned and threw away a defective 16, and now use an 8gb Sandisk FireFlash. (SanDisk is probably the best brand going for small, fast, and reliable)

    When I first was noticed to have a 1gb flash drive, my manager flipped out. We were not in a hugely secured environment, but he was formerly a branch manager of a bank so he saw this as a huge problem. We did deal with a large amount of customer information, but this never needed to be on my flash drive. I used the drive to assist in maintaining about 110 PCs, mostly loaded it with software tools, text files describing walk throughs to fix common issues, etc. We went round and round a bit and finally just dropped the issue and I was not bothered anymore.

    Now I work in an IT department elsewhere, and I do have to carry sensitive materials. With all the switches, routers, server, etc, I have to keep passwords for them all. Having these items available on hand at any time in addition to a large number of software tools to support > 500 machines of various types necessitates a flash drive - you just can't carry your laptop everywhere nor rely on the availability of a network connection.

    My solution now is to use OS X's "filevault" technology. Among the items I am not worried about, there is a small (10mb) encrypted disk image. Because the data on the image is frequently being changed and updated, I keep the main copy on the flash drive, and periodically (weekly or so) sync it with my laptop. The copy on the laptop is write protected to prevent temptation of editing it instead of the copy on the flash drive. The password to the vault is in the keychain on my laptop, which is encrypted with my login password. So if I plug in the flash drive to my laptop, I just double click to open the vault without any password to type. I can also open the read-only copy of the vault that is synced on my laptop if that's handier.

    If I am in the field and either don't have my laptop with me, or it's inconvenient to haul it out, I just get out the flash drive and plug it into the machine and double click the vault. I have to enter the password since it's not on my laptop with its keychain, but that's not a big deal. The filevault is not supported on anything besides OS X, but it's supported directly by the OS and does not require any additional software or setup, it just works when plugged in.

    For the PCs I have a second 4gb flash drive that I use mainly for shuttling information between PCs, and it does not contain any sensitive information.

    The biggest problem I have now with the flash drive is the very high risk of forgetting it somewhere. It's really easy to plug it into a machine, start working on something, get distracted by several other issues all at once, and hurriedly rush to the next fire, only to leave the flash drive parked in the machine I was working on first. By the time I realize I don't have my flash drive, it can be up to a day later, and it's really hard to figure out where it was left behind. I've put a lot of thought into this problem, including various "phone phone" ideas, use of a lanyard, etc, and the solution I have come up with is working well. I have a small camera bag that I used to keep my powershot camera in. I now have a larger camera, so the bag has been repurposed. It's a LowePro, built well with a belt loop. It nicely holds my palm pilot, iPod, earbuds, an iTrip transmitter, AND a flash drive. How does this help you wonder? The fireflash has a removable clear acrylic cap that securely attaches to the flash drive, and the lanyard loop is on the cap, not on the drive. The drive came with a 5" lanyard, so I attached that to the loop on my Lowepro, and stuff the flash drive in the front pocket of the bag. When I am using the flash drive, I have to remove it from the cap to plug it in (or reach the computer for that matter) This leaves a clear acrylic cap dangling 5" dow

    --
    I work for the Department of Redundancy Department.