topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 3:37 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Safe use of USB drives? Is there anything like a USB sandbox application?  (Read 29357 times)

Lutz_

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 229
    • View Profile
    • Donate to Member
Hi all,

I am working in lab with several windows machines running very expensive lab equipment. The head of the lab has disabled all usb ports in fear of virus transfers.  Consequently getting data off these machines is a pain in the b#*t, because only few of the personal are allowed to transfer data off via FTP transfers. 
Is there a better option to keep these machines "safe without any doubt" (paranoia has to be considered) and still somehow enable users to transfer their data on a USB stick?  Is there a way to create a "sandbox" on these windows machines and allow people to only transfer data out of this sandbox to their USB drives and disable any other transfers?

Thanks a lot in advance,
Lutz

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,746
    • View Profile
    • Read more about this member.
    • Donate to Member
Probably not very helpful ideas:

Wonder if you could set up a linux distro on a VM and use something like dropbox.

Or you could always e-mail the files to yourself...

Lutz_

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 229
    • View Profile
    • Donate to Member
Hi Deozaan,

Thanks for your thoughts.  I guess a potential solution would have to be no more than a small program or anything else easy and small. Otherwise my chances of convincing head of the lab are minimal.  No, "of course"  :) one cannot access the internet from these machines, no email - for safety reasons.

Lutz

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
What does the action (disabling USB ports) intend to protect the system from? Are they worried about a bug jumping off the drives on it's own? Disable autorun of USB drives.

Or are they worried of an intentional act (e.g. someone sets off bad program X)? Was the staff ever screened?

How often does what need to be copied off? Would a CD burner be an option?

Lutz_

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 229
    • View Profile
    • Donate to Member
Hi Stoic Joker,

Yes, principally they are worried about bugs jumping off the USB drives. I guess they would like to be protected against malicious intent nevertheless.  No, not all users can be screened - they receive a training before using the machines, though.  These machines do analytics as a service.  Data do need to get transferred perhaps 10 time a day.
Simply disabling autoruns might be efficient, but taking some degree of paranoia into account, I do not believe this primitive solution would have a chance to be implemented.

Thanks a lot for the suggestions!

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,746
    • View Profile
    • Read more about this member.
    • Donate to Member
one cannot access the internet from these machines, no email - for safety reasons.

Sorry. I assumed that they had internet access since people can FTP files to and from them.

How about an OS on a USB stick? Reboot the machine into the USB OS and then access the files from the HDD that way. :P

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Reboot the machine into the USB OS and then access the files from the HDD that way

That's as unsafe as hooking it up to a network, the booting OS could be infected with something :-[

Labs like these do have specific requirements, it can take up to 5 years for a change like that to be officially processed, validated, confirmed, thought about some more, and maybe even approved :o
And then the proposed hardware add-on is no longer available or in use anywhere else :'(

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 3,199
    • View Profile
    • Donate to Member
Are the PCs networked?  Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?

Lutz_

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 229
    • View Profile
    • Donate to Member
Thanks all for your suggestions!

Rjbull, that sounds indeed simple and safe.  :up:
Which program could be used for such a scheduled transfer?

Lutz

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Which program could be used for such a scheduled transfer?

To keep it native and safe sounding just use task scheduler and a batch file.

Paul Keith

  • Member
  • Joined in 2008
  • **
  • Posts: 1,989
    • View Profile
    • Donate to Member
Isn't this what YubiKey was supposed to solve?

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,640
    • View Profile
    • Donate to Member
WRT AutoRun, one of the latest Windows updates, (KB971029), disables it completely for USB with XP onwards.

Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?

Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
WRT AutoRun, one of the latest Windows updates, (KB971029), disables it completely for USB with XP onwards.

Yes! That's what I was thinking of earlier, but I didn't have time to look it up ... Thank you.

Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?

I don't think so, about the only thing they could leverage there is the NTFS permissions, and that would (not work on FAT drives) tend to make a mess.

SKA

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 229
    • View Profile
    • Donate to Member

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,640
    • View Profile
    • Donate to Member
USB Switch (free software):
http://www.trinit-so....de/en/usb-waechter/

That's only to control what devices can be connected by the looks - it won't actually stop someone running nasty program X if it happens to be on an allowed device.

OK, just installed it and all it seems to do is block new unrecognised USB devices from being installed.  After that, any type of access seems to be allowed.

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Maybe a special set of physical connector should be designed for this situation, unique to that lab, and only installed on the computers over there, ofcourse.
Quite a laborious job, but then no external devices could be used on those computers, and the USB sticks could only be used in that lab. Combined with USB-Switch you could have a pretty secure operation.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Isn't this what YubiKey was supposed to solve?

I do not think that does what you think it does. [1]

That is a login and authentication key, so that you don't have to remember passwords.  A completely different animal from what he's talking about.  And in a lab with a lot of users, a solution coming from the bottom up should probably not include a hardware portion...

Paul Keith

  • Member
  • Joined in 2008
  • **
  • Posts: 1,989
    • View Profile
    • Donate to Member
Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?

As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? A software could easily have a single point of breakage and we're talking about complicated data transfer.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?

As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? A software could easily have a single point of breakage and we're talking about complicated data transfer.

No.  A sandbox is an area where you can do more than login/authenticate- you actually *operate* in that environment.  Take sandboxie for an example.  *Everything* that IE does in a sandbox in sandboxie is strictly restricted to that area of the sandbox- memory operations, disk operations, everything.  So if something does something bad, it won't affect anything outside of the sandbox.  Sort of like a virtual machine.

Paul Keith

  • Member
  • Joined in 2008
  • **
  • Posts: 1,989
    • View Profile
    • Donate to Member
Hmm... yeah, that's what I thought yubikey was. A usb drive. It's just a login tool?

I'm glad I didn't buy it.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
From the about page:
Disruptive authentication technology

Yubico breaks the authentication price/strength/complexity relationship with the YubiKey.

The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it was typed in from a keyboard. And because USB keyboards are standard on all computers the YubiKey works on all platforms and browsers without the need for client software.

It's in the form of a usb key, but it stores keystrokes, and automatically enters them under certain circumstances as if it were a keyboard device.