Worm Attack Prompts DoD To Ban Use of External Media
An anonymous reader writes "The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs [...] The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks."
Dave Richards, the administrator of the Largo, Florida computer network, came up against this problem. He made the system mount USB disks as FTP shares, and made the file browser hide any executable files on the share so they couldn't be transferred. http://davelargo.blogspot.com/2008/02/hp-thin-clients-and-usb-access-for.html
I'm not surprised the DoD just completely shut the door on these things, but I think that for most admins, a solution like Dave's would be a really good compromise.
Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows. There are several options, and none of them (and even all of them combined) will disable AutoRun and AutoPlay features in their entirety. In fact, up until recently, Windows Vista had the logic reversed for one of the AutoRun features! i.e., if you take the effort to disable the AutoRun feature, you actually put yourself at more risk. More details here:
http://www.kb.cert.org/vuls/id/889747
But luckily, there is a single registry value that can disable AutoRun at its core. Once this change is made, Windows will not interpret the Autorun.inf file on any device, effectively disabling AutoRun for all devices, including USB drives, network shares, and more. Get the scoop here:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
It needs to be said:
In Linux, one can remove exec permissions from a whole device via the noexec switch in /etc/fstab.
---There is no technological defense against PEBKAC.
You are absolutely wrong. If a system is designed properly, or set up properly, the user cannot wreak havoc on a system or the network.
In Windows, there are many ways to do X behavior that changes the system. Therefore, Windows is hard to secure properly. It is possible, only by globally applying over-secure regedits that disable even basic functionality. Instead, I propose Linux as a good starting point.
PEBKAC, at least in the business setting can be effectively eliminated by the use of simply being unable to even execute the programs.
Games? Not on the HD.
Web browser? If you need it, you'll be in the webbrowser group.
Some document program? Does your job require documents? If it does, you'll have that.
Are you a developer for 3d stuff? If so, you get DRI rights. If not, no permission. Can Windows restrict access to the 3d device?
My question is why do you grant rights to users when they do not justify those rights? We need to provide granular access so that the user is limited in what they do and act only in prescribed ways.
As for that, the only way users can then screw things up is if they do not back up their user files, which you should already have thought of. A morning rsync of the /home (which should be mounted from the server) should take care of basic backup issues. Then it turns to your problem of access to the backups (which could be automated also). It really is a game of admin vs user, and you must outsmart stupidity. You do that by providing 1 way as the only way.
---Something about "internet license"
Meh. You do that by providing a punishment via the lines of willful negligence. If one does not provide basic security to prevent infection/takeover or notices and takes no heed, one is guilty and owes a fine to the party harmed. In the course of a botnet, that would be the proportion of bandwidth they used (based upon the actions of the takeover tool).
Simply put: use the laws we already have now, and not some new, easy-to-corrupt license.
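
The noexec mount option mentioned in the thread, as an added example that is not part of any comment above: a Python check that reads fstab-style text and reports removable or user-mountable entries that remain executable. It goes beyond the comment by also resolving nosuid and nodev and by applying mount(8)'s left-to-right option rules (user/users imply noexec, nosuid and nodev unless a later option overrides them); the removable-media heuristics and the sample fstab are constructed assumptions.

```python
# Added example: audit fstab entries for removable media that stay executable.
REMOVABLE_FS = {"vfat", "exfat", "ntfs", "iso9660", "udf"}   # heuristic (assumption)
REMOVABLE_PREFIXES = ("/media", "/mnt", "/run/media")        # heuristic (assumption)
USER_MOUNT_OPTS = ("user", "users", "owner", "group")

def effective_flags(options):
    """Resolve exec/suid/dev left to right, the way mount(8) documents it."""
    flags = {"exec": True, "suid": True, "dev": True}   # defaults when nothing is set
    for opt in options:
        if opt in ("user", "users"):        # imply noexec,nosuid,nodev
            flags.update(exec=False, suid=False, dev=False)
        elif opt in ("owner", "group"):     # imply nosuid,nodev only
            flags.update(suid=False, dev=False)
        elif opt in flags:                  # explicit exec / suid / dev
            flags[opt] = True
        elif opt.startswith("no") and opt[2:] in flags:
            flags[opt[2:]] = False
    return flags

def is_removable(fstype, mountpoint, options):
    under = any(mountpoint == p or mountpoint.startswith(p + "/")
                for p in REMOVABLE_PREFIXES)
    return fstype in REMOVABLE_FS or under or any(o in USER_MOUNT_OPTS for o in options)

def audit_fstab(text):
    """Return [(mountpoint, [flags still enabled])] for risky entries."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        _device, mountpoint, fstype, opts = fields[:4]
        options = opts.split(",")
        if not is_removable(fstype, mountpoint, options):
            continue
        weak = sorted(k for k, on in effective_flags(options).items() if on)
        if weak:
            findings.append((mountpoint, weak))
    return findings

# Constructed sample input, not taken from the page.
SAMPLE_FSTAB = """\
UUID=aaaa-0001  /             ext4     defaults                0 1
/dev/sdb1       /media/usb    vfat     defaults,noauto         0 0
/dev/sdc1       /media/usb2   vfat     noauto,user             0 0
/dev/sdd1       /media/usb3   vfat     user,exec               0 0
/dev/sr0        /media/cdrom  iso9660  ro,noexec,nosuid,nodev  0 0
"""

if __name__ == "__main__":
    for mountpoint, weak in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: still allows {', '.join(weak)}")
```

The `/media/usb3` line shows the case that is easy to miss: `user` alone is safe, but a trailing `exec` turns execution back on.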