Author Topic: Safe use of USB drives? Is there anything like a USB sandbox application? (Read 30851 times)

Lutz_ · « **on:** March 11, 2011, 01:34 PM »

Hi all,

I am working in lab with several windows machines running very expensive lab equipment. The head of the lab has disabled all usb ports in fear of virus transfers. Consequently getting data off these machines is a pain in the b#*t, because only few of the personal are allowed to transfer data off via FTP transfers.
Is there a better option to keep these machines "safe without any doubt" (paranoia has to be considered) and still somehow enable users to transfer their data on a USB stick? Is there a way to create a "sandbox" on these windows machines and allow people to only transfer data out of this sandbox to their USB drives and disable any other transfers?

Thanks a lot in advance,
Lutz

Deozaan · « **Reply #1 on:** March 11, 2011, 01:51 PM »

Probably not very helpful ideas:

Wonder if you could set up a linux distro on a VM and use something like dropbox.

Or you could always e-mail the files to yourself...

Lutz_ · « **Reply #2 on:** March 11, 2011, 02:03 PM »

Hi Deozaan,

Thanks for your thoughts. I guess a potential solution would have to be no more than a small program or anything else easy and small. Otherwise my chances of convincing head of the lab are minimal. No, "of course"

one cannot access the internet from these machines, no email - for safety reasons.

Lutz

Stoic Joker · « **Reply #3 on:** March 11, 2011, 02:25 PM »

What does the action (disabling USB ports) intend to protect the system from? Are they worried about a bug jumping off the drives on it's own? Disable autorun of USB drives.

Or are they worried of an intentional act (e.g. someone sets off bad program X)? Was the staff ever screened?

How often does what need to be copied off? Would a CD burner be an option?

Lutz_ · « **Reply #4 on:** March 11, 2011, 03:52 PM »

Hi Stoic Joker,

Yes, principally they are worried about bugs jumping off the USB drives. I guess they would like to be protected against malicious intent nevertheless. No, not all users can be screened - they receive a training before using the machines, though. These machines do analytics as a service. Data do need to get transferred perhaps 10 time a day.
Simply disabling autoruns might be efficient, but taking some degree of paranoia into account, I do not believe this primitive solution would have a chance to be implemented.

Thanks a lot for the suggestions!

Deozaan · « **Reply #5 on:** March 11, 2011, 04:01 PM »

one cannot access the internet from these machines, no email - for safety reasons.
-Lutz_ (March 11, 2011, 02:03 PM)

Sorry. I assumed that they had internet access since people can FTP files to and from them.

How about an OS on a USB stick? Reboot the machine into the USB OS and then access the files from the HDD that way.

Ath · « **Reply #6 on:** March 11, 2011, 04:28 PM »

Reboot the machine into the USB OS and then access the files from the HDD that way
-Deozaan (March 11, 2011, 04:01 PM)

That's as unsafe as hooking it up to a network, the booting OS could be infected with something

Labs like these do have specific requirements, it can take up to 5 years for a change like that to be officially processed, validated, confirmed, thought about some more, and maybe even approved

And then the proposed hardware add-on is no longer available or in use anywhere else

rjbull · « **Reply #7 on:** March 11, 2011, 04:32 PM »

Are the PCs networked? Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?

Lutz_ · « **Reply #8 on:** March 11, 2011, 05:13 PM »

Thanks all for your suggestions!

Rjbull, that sounds indeed simple and safe.

Which program could be used for such a scheduled transfer?

Lutz

Stoic Joker · « **Reply #9 on:** March 11, 2011, 06:36 PM »

Which program could be used for such a scheduled transfer?
-Lutz_ (March 11, 2011, 05:13 PM)

To keep it native and safe sounding just use task scheduler and a batch file.

Paul Keith · « **Reply #10 on:** March 11, 2011, 07:16 PM »

Isn't this what YubiKey was supposed to solve?

4wd · « **Reply #11 on:** March 11, 2011, 10:25 PM »

WRT AutoRun, one of the latest Windows updates, (KB971029), disables it completely for USB with XP onwards.

Could they all have their schedulers set to copy their data files to folders on a remote PC to which users had read-only permissions, so users could get the data off that, without being able to affect the originating PCs?
-rjbull (March 11, 2011, 04:32 PM)

Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?

Stoic Joker · « **Reply #12 on:** March 11, 2011, 11:07 PM »

WRT AutoRun, one of the latest Windows updates, (KB971029), disables it completely for USB with XP onwards.
-4wd (March 11, 2011, 10:25 PM)

Yes! That's what I was thinking of earlier, but I didn't have time to look it up ... Thank you.

Conversely, can Security/Group Policy be used to set USB drives to write-only so there's no chance of reading anything off of them?
-4wd (March 11, 2011, 10:25 PM)

I don't think so, about the only thing they could leverage there is the NTFS permissions, and that would (not work on FAT drives) tend to make a mess.

SKA · « **Reply #13 on:** March 12, 2011, 12:10 AM »

USB Switch (free software):
http://www.trinit-so....de/en/usb-waechter/

SKA

4wd · « **Reply #14 on:** March 12, 2011, 02:05 AM »

USB Switch (free software):
http://www.trinit-so....de/en/usb-waechter/
-SKA (March 12, 2011, 12:10 AM)

That's only to control what devices can be connected by the looks - it won't actually stop someone running nasty program X if it happens to be on an allowed device.

OK, just installed it and all it seems to do is block new unrecognised USB devices from being installed. After that, any type of access seems to be allowed.

Ath · « **Reply #15 on:** March 12, 2011, 04:48 AM »

Maybe a special set of physical connector should be designed for this situation, unique to that lab, and only installed on the computers over there, ofcourse.
Quite a laborious job, but then no external devices could be used on those computers, and the USB sticks could only be used in that lab. Combined with USB-Switch you could have a pretty secure operation.

wraith808 · « **Reply #16 on:** March 12, 2011, 09:17 AM »

Isn't this what YubiKey was supposed to solve?
-Paul Keith (March 11, 2011, 07:16 PM)

I do not think that does what you think it does. [1]

That is a login and authentication key, so that you don't have to remember passwords. A completely different animal from what he's talking about. And in a lab with a lot of users, a solution coming from the bottom up should probably not include a hardware portion...

Paul Keith · « **Reply #17 on:** March 12, 2011, 05:47 PM »

Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?

As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? A software could easily have a single point of breakage and we're talking about complicated data transfer.

wraith808 · « **Reply #18 on:** March 12, 2011, 08:12 PM »

Yeah, I haven't actually tried the yubikey but isn't that what a sandbox really is? A login and authentication key in a limited environment?

As much as hardware is a pain, isn't it sort of impossible for software to ever really match hardware in this case? A software could easily have a single point of breakage and we're talking about complicated data transfer.
-Paul Keith (March 12, 2011, 05:47 PM)

No. A sandbox is an area where you can do more than login/authenticate- you actually *operate* in that environment. Take sandboxie for an example. *Everything* that IE does in a sandbox in sandboxie is strictly restricted to that area of the sandbox- memory operations, disk operations, everything. So if something does something bad, it won't affect anything outside of the sandbox. Sort of like a virtual machine.

Paul Keith · « **Reply #19 on:** March 13, 2011, 04:29 AM »

Hmm... yeah, that's what I thought yubikey was. A usb drive. It's just a login tool?

I'm glad I didn't buy it.

wraith808 · « **Reply #20 on:** March 13, 2011, 08:21 PM »

From the about page:

Disruptive authentication technology

Yubico breaks the authentication price/strength/complexity relationship with the YubiKey.

The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it was typed in from a keyboard. And because USB keyboards are standard on all computers the YubiKey works on all platforms and browsers without the need for client software.

It's in the form of a usb key, but it stores keystrokes, and automatically enters them under certain circumstances as if it were a keyboard device.