Slashdot Mirror
Colleges Wrestle With Thumb Drives
Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"
Could anyone explain that? I don't see the point.
You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.
You're worried about the student's data? Then teach them to use encryption and require them to use it.
Both things neither require a lot of examination nor a lot of money. What's the big deal?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl. The only thing that should be punished is including contents of other people's removable drives in your coursework without giving credit. We don't want to be raising a generation of corporate drones who can never take the initiative to bend the rules and achieve true greatness.
My institute of higher learning utilizes Deep Freeze on all computers and restores them all to their original state (except for a 'storage' partition) every weekend. It seems to do the job quite well.
Not just in colleges but in corporate work environments. Block this stop that don't allow those.... But whatever they do if we need a way around we could get one. Most computers have bluetooth. So you have you cell phone right next to your computer unknown to the security guys you use your bluetooth as a PPP connection to the internet to check your mail or worse as a backdoor in, or a way to send traffic out. Even if the computers don't give you the security to boot there is always the Live CD option with a Linux distro with VMWare running in full screen most people won't know the difference. What ever they come up with there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allow external emails to come in and if you are silly enough to use Windows for your work station have your virus scanner up to date. Anything more make people realize that you are anal on security thus feel more pressure to find a way around it... Remember a worker may not know how to click the start menu to get to additional programs but if you stop them from their email they will learn to setup a Proxy Server in No time...
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
am I the only one who read the title and thought "One two three four, I declare a thumbdrive war."?
there are 10 types of people in this world; those who get this joke, and those who don't
seriously, why can't people see past this fact. if you want a secure environment, the first thing you do is remove desktops and put in terminals. terminals only failure is in the arena of graphs rendering, in which case i'm sure they can manage to lock down a few graphics workstations
If you mod me down, I will become more powerful than you can imagine....
"In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.
In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."
The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSN's on an unencrypted flash drive...
I don't know about most universities, but the one I went to didn't give everone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.
What prof's need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.
Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they are run a windows desktop env (which is 97% of them). But what amazes me, is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.
I prefer the "u" in honour as it seems to be missing these days.
The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning . I shall explain my view. I am co-administering and directing on the technical side a 300 user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus) for 5 years now. Indeed, things in academia have to be open. And they can be as long as you focus on the problem.
Desktop wise, a proven conbination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.
The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
- We can train users to understand the implications of relying on portable storage.
- Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
- Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or miscplaced them inside a warm cup of coffee or had their kids bike going over their laptop in the garden are common.
This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons ( mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
i)Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
ii)Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are common place, but they were dog slow, especially for large user setups, so faculties tend to serve tenths of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result, non existing or slow connections, users give up, buy a key or portable drive and hope for the best.
I approached our Director, explained the problem and got funding to buy a storage solution able to a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and he heard the bill, he changed a few colours. However, if you explain with numbers the cost of loosing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.
I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.
I've heard about sys admins crazy gluing USB ports closed, but having a physical lock on the port instead seems a better idea. I found one company seeing a USB/lock and key set:d ex.php
http://www.lindy.com/us/productfolder/04/40454/in
http://www.lindy.com/us/catalog/07/01a/index.php
but I don't have the impression that the key is unique, so what's stopping me from buying the product and unlocking someone else using the same product?
Many student numbers are nine digits, you might have noticed. That's because, back in the golden age, when student records were put into computers, someone decided that the 9-digit number uniquely assigned to each person was perfect for the task: no identity conflicts, and 30 years later, when the student wants a transcript, no problem.
Many large universities continued to use SSNs into the nineties, and I have no doubt many continue to use them. And when you'd teach a class, all the forms that came through had student names and their SSNs. So they're not just on thumbdrives, they're everywhere.
Put computer in a secure cuff so it can't be opened.
Password the BIOS, lock out all boot options bar hard disc.
Run everyone as a restricted user using dynamic accounts (ZENworks for example, or deep freeze if you're stuck in the 90's)
Disable all onboard bluetooth, wifi etc
Not all that difficult really.
Each system has seperate password requirements. Some require passwords with 15 or more letters, some balk at anything larger than 14. Some require 2 caps, 2 numbers, and 2 special characters. Some require more of one and less of the other. Many of them prevent you from recycling passwords and limit use of derivative passwords. In theory, all of these policies help to make the system as a whole stronger. In practice, people can't or aren't willing to remember 4 passwords that meet all of these requirements.
!L0v3MyW!f343v3R is a great password, but after 4 years of having to create 4 of these every month, creativity runs short. Of course if you guess too many times and you happen to lock yourself out of a system on a Friday afternoon you might as well sit on your hands and start whistling until Monday morning. As a result almost everyone resorts to writing passwords down on scraps of paper and stashing them within arms reach of their computers. (who here has seen a password taped under a keyboard?) All in all much less secure than slightly less restrictive passwords.
Admins worrying about security and productivity would push for a smartcard system wich allows for extremely secure logins without hassling the users with unbearable passwording schemes. Admins that simply push for more restrictive password policies are out of touch with actual users and harming that which they intended to strengthen.
Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moments notice to people before their impulse to borrow fades away.
All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.
Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.
Then it wont matter if some department loses a hard disk containing million SSNs. Will it?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
KeePass
It generates passwords for you, letting you set the length and what
characters are included. Then it stores them all for you.
You can use one password to protect all your other ones.
You can even set expiration in the program to remind you when to change
a password.
I used to re-use the same three or four passwords everywhere. But now
nearly all of mine are quite random.
Give it a try.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
One place I worked at just put epoxy in all USB ports. Then they bought 200 signature capture pads, that work on USB. Heh.
I used to wonder what was so holy about a silent night, now I have a child.
I have had a USB drive of some sort or another for quite a few years. I had the first 512mb drive available, first 1gb, first 4gb, owned and threw away a defective 16, and now use an 8gb Sandisk FireFlash. (SanDisk is probably the best brand going for small, fast, and reliable)
When I first was noticed to have a 1gb flash drive, my manager flipped out. We were not in a hugely secured environment, but he was formerly a branch manager of a bank so he saw this as a huge problem. We did deal with a large amount of customer information, but this never needed to be on my flash drive. I used the drive to assist in maintaining about 110 PCs, mostly loaded it with software tools, text files describing walk throughs to fix common issues, etc. We went round and round a bit and finally just dropped the issue and I was not bothered anymore.
Now I work in an IT department elsewhere, and I do have to carry sensitive materials. With all the switches, routers, server, etc, I have to keep passwords for them all. Having these items available on hand at any time in addition to a large number of software tools to suport > 500 machines of various types necessitates a flash drive - you just can't carry your laptop everywhere nor rely on the availablility of a network connection.
My solution now is to use OS X's "filevault" technology. Among the items I am not worried about, there is a small (10mb) encrypted disk image. Because the data on the image is frequently being changed and updated, I keep the main copy on the flash drive, and periodically (weekly or so) sync it with my laptop. The copy on the laptop is write protected to prevent temptation of editing it instead of the copy on the flash drive. The password to the vault is in the keychain on my laptop, which is encrypted with my login password. So if I plug in the flash drive to my laptop, I just double click to open the vault without any password to type. I can also open the read-only copy of the vault that is synced on my laptop if that's handier.
If I am in the field and either don't have my laptop with me, or it's inconvenient to haul it out, I just get out the flash drive and plug it into the machine and double click the vault. I have to enter the password since it's not on my laptop with its keychain, but that's not a big deal. The filevault is not supported on anything besides OS X, but it's supported directly by the OS and does not require any additional software or setup, it' just works when plugged in.
For the PCs I have a second 4gb flash drive that I use mainly for shuttling information between PCs, and it does not contain any sensitive information.
The biggest problem I have now with the flash drive is the very high risk of forgetting it somewhere. It's really easy to plug it into a machine, start working on something, get distracted by several other issues all at once, and hurredly rush to the next fire, only to leave the flash drive parked in the machine I was working on first. By the time I realize I don't have my flash drive, it can be up to a day later, and it's really hard to figure out where it was left behind. I've put a lot of thought into this problem, including various "phone phone" ideas, use of a lanyard, etc, and the solution I have come up with is working well. I have a small camera bag that I used to keep my powershot camera in. I now have a larger camera, so the bag has been repurposed. It's a LowePro, built well with a belt loop. It nicely holds my palm pilot, iPod, earbuds, an iTrip transmitter, AND a flash drive. How does this help you wonder? The fireflash has a removable clear acrylic cap that securely attaches to the flash drive, and the lanyard loop is on the cap, not on the drive. The drive came with a 5" lanyard, so I attached that to the loop on my Lowepro, and stuff the flash drive in the front pocket of the bag. When I am using the flash drive, I have to remove it from the cap to plug it in (or reach the computer for that matter) This leaves a clear acrylic cap dangling 5" dow
I work for the Department of Redundancy Department.