Topic: Safe use of USB drives? Is there anything like a USB sandbox application?
Lutz_
Supporting Member
« on: March 11, 2011, 01:34:43 PM »

Hi all,

I am working in a lab with several Windows machines running very expensive lab equipment. The head of the lab has disabled all USB ports for fear of virus transfers. Consequently, getting data off these machines is a pain in the b#*t, because only a few of the personnel are allowed to transfer data off via FTP.
Is there a better option to keep these machines "safe without any doubt" (paranoia has to be considered) and still somehow enable users to transfer their data to a USB stick? Is there a way to create a "sandbox" on these Windows machines and allow people to only transfer data out of this sandbox to their USB drives, and disable any other transfers?

Thanks a lot in advance,
Lutz
Deozaan
Charter Member
« Reply #1 on: March 11, 2011, 01:51:12 PM »

Probably not very helpful ideas:

Wonder if you could set up a Linux distro on a VM and use something like Dropbox.

Or you could always e-mail the files to yourself...

Lutz_
Supporting Member
« Reply #2 on: March 11, 2011, 02:03:19 PM »

Hi Deozaan,

Thanks for your thoughts. I guess a potential solution would have to be no more than a small program, or anything else easy and small. Otherwise my chances of convincing the head of the lab are minimal. No, "of course" one cannot access the internet from these machines, no email - for safety reasons.

Lutz
Stoic Joker
Honorary Member
« Reply #3 on: March 11, 2011, 02:25:50 PM »

What does the action (disabling USB ports) intend to protect the system from? Are they worried about a bug jumping off the drives on its own? Disable AutoRun for USB drives.

Or are they worried about an intentional act (e.g. someone sets off bad program X)? Was the staff ever screened?

How often does what need to be copied off? Would a CD burner be an option?
Lutz_
Supporting Member
« Reply #4 on: March 11, 2011, 03:52:26 PM »

Hi Stoic Joker,

Yes, principally they are worried about bugs jumping off the USB drives. I guess they would like to be protected against malicious intent nevertheless. No, not all users can be screened - they receive training before using the machines, though. These machines do analytics as a service. Data does need to get transferred perhaps 10 times a day.
Simply disabling AutoRun might be efficient, but taking some degree of paranoia into account, I do not believe this primitive solution would have a chance of being implemented.

Thanks a lot for the suggestions!
Deozaan
Charter Member
« Reply #5 on: March 11, 2011, 04:01:16 PM »

> one cannot access the internet from these machines, no email - for safety reasons.

Sorry. I assumed that they had internet access since people can FTP files to and from them.

How about an OS on a USB stick? Reboot the machine into the USB OS and then access the files from the HDD that way.

Ath
Supporting Member
« Reply #6 on: March 11, 2011, 04:28:14 PM »

> Reboot the machine into the USB OS and then access the files from the HDD that way

That's as unsafe as hooking it up to a network; the booting OS could be infected with something.

Labs like these do have specific requirements; it can take up to 5 years for a change like that to be officially processed, validated, confirmed, thought about some more, and maybe even approved.
And then the proposed hardware add-on is no longer available or in use anywhere else.

rjbull
Charter Member
« Reply #7 on: March 11, 2011, 04:32:41 PM »

Are the PCs networked?  Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?
Lutz_
Supporting Member
« Reply #8 on: March 11, 2011, 05:13:11 PM »

Thanks all for your suggestions!

Rjbull, that sounds indeed simple and safe.
Which program could be used for such a scheduled transfer?

Lutz
Stoic Joker
Honorary Member
« Reply #9 on: March 11, 2011, 06:36:27 PM »

> Which program could be used for such a scheduled transfer?

To keep it native and safe-sounding, just use Task Scheduler and a batch file.
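The scheme rjbull and Stoic Joker sketch above (the lab PC pushes its result files on a schedule to a folder on another machine, and users only ever read from that folder) written out as an added example. This is not code from the thread or from any product mentioned in it; it uses robocopy, schtasks and icacls, which are standard Windows tools (robocopy ships with Vista and later, and came in the Resource Kit for XP). Every host name, path, share, group and account name below is an assumption chosen for illustration.

```powershell
# Added example, not from the thread: one-way export of result files from a lab PC to a
# drop share, run unattended by Task Scheduler, so no removable media ever touches the lab PC.
# All paths, hosts, shares and account names are assumptions for illustration.

$Source      = 'C:\LabData\Results'               # assumed: folder the instrument software writes to
$Destination = '\\LABSERVER\Drop\Instrument01'    # assumed: share the users collect results from
$LogFile     = 'C:\LabData\Logs\export.log'

function Export-Results {
    param([string]$From, [string]$To, [string]$Log)

    $logDir = Split-Path -Parent $Log
    if (-not (Test-Path -LiteralPath $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }

    # robocopy switches, all standard:
    #   /E        include subfolders, even empty ones
    #   /XO       skip files whose destination copy is as new or newer: strictly additive, nothing flows back
    #   /Z        restartable copies, so a dropped connection resumes instead of starting over
    #   /R:2 /W:5 two retries, five seconds apart (the default is a million retries)
    #   /NP       no per-file progress percentages cluttering the log
    # Deliberately no /MIR or /PURGE: a deletion on the lab PC, accidental or malicious,
    # must not erase the copies the users depend on.
    $rcArgs = @($From, $To, '/E', '/XO', '/Z', '/R:2', '/W:5', '/NP', "/LOG+:$Log")
    $proc = Start-Process -FilePath 'robocopy.exe' -ArgumentList $rcArgs -Wait -PassThru -NoNewWindow

    # robocopy's exit code is a bitmask: values below 8 are success (0 = nothing to copy,
    # 1 = files copied, 2/4 = extras or mismatches noted); 8 and above means copy failures.
    $ok = $proc.ExitCode -lt 8
    $status = if ($ok) { 'OK' } else { 'FAILED' }
    Add-Content -Path $Log -Value ('{0} export {1} (robocopy exit code {2})' -f (Get-Date -Format s), $status, $proc.ExitCode)
    return $ok
}

if (Export-Results -From $Source -To $Destination -Log $LogFile) { exit 0 } else { exit 1 }

# One-time setup, run once by an administrator (not part of the scheduled script):
#
# On LABSERVER, make the drop folder writable only by the export account and readable by the
# lab users (icacls is built into Vista/2008 and later; the share-level permissions must
# grant the same accounts at least Change and Read respectively):
#   icacls.exe D:\Drop\Instrument01 /inheritance:r
#   icacls.exe D:\Drop\Instrument01 /grant "BUILTIN\Administrators:(OI)(CI)F"
#   icacls.exe D:\Drop\Instrument01 /grant "LAB\svc_export:(OI)(CI)M"
#   icacls.exe D:\Drop\Instrument01 /grant "LAB\Lab Users:(OI)(CI)RX"
#
# On the lab PC, register this script to run hourly as a dedicated low-privilege account
# (/RP * prompts for that account's password instead of putting it on the command line):
#   schtasks.exe /Create /F /SC HOURLY /MO 1 /TN "LabData Export" /RU LAB\svc_export /RP * ^
#       /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\LabData\Export-Results.ps1"
```

The security property this buys is the one the thread is after: the lab PC is only ever a writer to the share and the users only ever read from a different machine, so nothing a user carries in is executed or even mounted on the instrument PC, and with /XO and no mirroring the drop folder cannot be emptied by a mistake or by something running on the lab PC.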
Paul Keith
Member
« Reply #10 on: March 11, 2011, 07:16:11 PM »

Isn't this what YubiKey was supposed to solve?
4wd
Supporting Member
« Reply #11 on: March 11, 2011, 10:25:39 PM »

WRT AutoRun, one of the latest Windows updates (KB971029) disables it completely for USB from XP onwards.

> Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?

Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?
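A way to check, on a given lab PC, that AutoRun for removable drives really is neutralised, as an added example that is not from the thread: it looks for the KB971029 hotfix 4wd mentions and decodes the NoDriveTypeAutoRun policy bitmask that Windows consults. The registry path and the drive-type bit values are Microsoft's documented ones; the function names are chosen here.

```powershell
# Added example, not from the thread: report whether AutoRun is disabled for removable drives.
# Two independent checks: (1) on XP/2003/Vista/2008 the KB971029 hotfix is installed
# (Windows 7 and later ignore autorun.inf on non-optical media by design), and (2) the
# NoDriveTypeAutoRun policy excludes removable drives (bit 0x04) or, better, every type (0xFF).

# Drive-type bits of NoDriveTypeAutoRun (one bit per Win32 drive type; 0x02 is DRIVE_NO_ROOT_DIR and unused here)
$DriveTypeBits = @{
    0x01 = 'DRIVE_UNKNOWN'
    0x04 = 'DRIVE_REMOVABLE'
    0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved/unknown'
}

function Get-NoDriveTypeAutoRun {
    # The policy can live per machine (HKLM) or per user (HKCU); the machine value takes precedence.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $p = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($p) {
            $raw = $p.NoDriveTypeAutoRun
            if ($raw -is [byte[]]) { $raw = $raw[0] }   # older deployments wrote it as REG_BINARY
            return New-Object PSObject -Property @{ Hive = $hive; Value = [int]$raw }
        }
    }
    # No policy set: Windows behaves as if 0x91 were present (unknown, network and reserved types only),
    # which leaves removable drives eligible for AutoRun.
    return New-Object PSObject -Property @{ Hive = '(default)'; Value = 0x91 }
}

function Get-BlockedDriveTypes([int]$Mask) {
    $DriveTypeBits.Keys | Sort-Object | Where-Object { ($Mask -band $_) -ne 0 } | ForEach-Object { $DriveTypeBits[$_] }
}

function Test-AutoRunHardening {
    $policy  = Get-NoDriveTypeAutoRun
    $blocked = @(Get-BlockedDriveTypes $policy.Value)

    # Windows 7 / Server 2008 R2 (6.1) and later have the KB971029 behaviour built in.
    $builtIn = [Environment]::OSVersion.Version -ge [Version]'6.1'
    $hotfix  = if ($builtIn) { $null } else { Get-HotFix -Id 'KB971029' -ErrorAction SilentlyContinue }

    New-Object PSObject -Property @{
        PolicySource             = $policy.Hive
        NoDriveTypeAutoRun       = ('0x{0:X2}' -f $policy.Value)
        BlockedDriveTypes        = ($blocked -join ', ')
        RemovableBlockedByPolicy = (($policy.Value -band 0x04) -ne 0)
        AllTypesBlockedByPolicy  = (($policy.Value -band 0xFF) -eq 0xFF)
        KB971029Applicable       = -not $builtIn
        KB971029Installed        = [bool]$hotfix
    }
}

Test-AutoRunHardening | Format-List
```

For a lab with the paranoia level described, the value to aim for is RemovableBlockedByPolicy and AllTypesBlockedByPolicy both True, set in HKLM so a user profile cannot weaken it, with KB971029 installed wherever it is applicable; the policy and the hotfix defend against different things (the policy suppresses AutoRun handling, the hotfix stops the shell honouring autorun.inf on non-optical media at all), so both are worth checking.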
Stoic Joker
Honorary Member
« Reply #12 on: March 11, 2011, 11:07:48 PM »

> WRT AutoRun, one of the latest Windows updates, (KB971029), disables it completely for USB with XP onwards.

Yes! That's what I was thinking of earlier, but I didn't have time to look it up ... Thank you.

> Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?

I don't think so; about the only thing they could leverage there is NTFS permissions, and that would tend to make a mess (and not work on FAT drives).
SKA
Charter Member
« Reply #13 on: March 12, 2011, 12:10:54 AM »

USB Switch (free software):
http://www.trinit-soft.de/en/usb-waechter/

SKA
4wd
Supporting Member
« Reply #14 on: March 12, 2011, 02:05:08 AM »

That's only to control what devices can be connected by the looks - it won't actually stop someone running nasty program X if it happens to be on an allowed device.

OK, just installed it and all it seems to do is block new unrecognised USB devices from being installed.  After that, any type of access seems to be allowed.
Ath
Supporting Member
« Reply #15 on: March 12, 2011, 04:48:10 AM »

Maybe a special set of physical connectors should be designed for this situation, unique to that lab, and only installed on the computers over there, of course.
Quite a laborious job, but then no external devices could be used on those computers, and the USB sticks could only be used in that lab. Combined with USB-Switch you could have a pretty secure operation.

wraith808
Supporting Member
« Reply #16 on: March 12, 2011, 09:17:53 AM »

> Isn't this what YubiKey was supposed to solve?

I do not think that does what you think it does.

That is a login and authentication key, so that you don't have to remember passwords.  A completely different animal from what he's talking about.  And in a lab with a lot of users, a solution coming from the bottom up should probably not include a hardware portion...

Paul Keith
Member
« Reply #17 on: March 12, 2011, 05:47:08 PM »

Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?

As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? Software could easily have a single point of breakage, and we're talking about complicated data transfer.
wraith808
Supporting Member
« Reply #18 on: March 12, 2011, 08:12:08 PM »

> Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?
>
> As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? A software could easily have a single point of breakage and we're talking about complicated data transfer.

No. A sandbox is an area where you can do more than login/authenticate - you actually *operate* in that environment. Take Sandboxie, for example. *Everything* that IE does in a sandbox in Sandboxie is strictly restricted to that area of the sandbox - memory operations, disk operations, everything. So if something does something bad, it won't affect anything outside of the sandbox. Sort of like a virtual machine.

Paul Keith
Member
« Reply #19 on: March 13, 2011, 04:29:12 AM »

Hmm... yeah, that's what I thought YubiKey was. A USB drive. It's just a login tool?

I'm glad I didn't buy it.
wraith808
Supporting Member
« Reply #20 on: March 13, 2011, 08:21:31 PM »

From the about page:

> Disruptive authentication technology
>
> Yubico breaks the authentication price/strength/complexity relationship with the YubiKey.
>
> The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it was typed in from a keyboard. And because USB keyboards are standard on all computers the YubiKey works on all platforms and browsers without the need for client software.

It's in the form of a USB key, but it stores keystrokes and automatically enters them under certain circumstances, as if it were a keyboard device.
