Colleges Wrestle With Thumb Drives

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

What the hell is this about?

Could anyone explain that? I don't see the point.

You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.

You're worried about the student's data? Then teach them to use encryption and require them to use it.

Both things neither require a lot of examination nor a lot of money. What's the big deal?

Re:What the hell is this about?

This one seems to be about people being able to move data around on removable storage. Why does a college have a problem with this?

We had a situation at work where we had to lock down the floppy drives on machines because people might steal stuff. The fact that they also had email and web access didn't make any difference to the people making the policy.

Re:What the hell is this about?

There really should be more enlightened approaches to net security than filling the USB ports with superglue.

Especially at a University, where you want people to take and share information. Seriously, deniable makes a great point. I taught a series of workshops at a small college that took the "no removable storage" approach to keeping themselves "secure". The IT Director eventually got fired and now they're being a little more reasonable.

Re:What the hell is this about?

This was exactly my train of thought.

I spent a good deal of my life in an university. As a student, a tutor, and finally I briefly also worked there. If anything, an university is a place where information is flowing. Yes, usually only after publishing (because, well... nobody wants to tempt a colleague to crib), but then whatever you want, whatever you need, it's there. Mostly because you DO need it.

Try to write any kind of scientific report without quoting sources.

Not to mention that it is virtually impossible to (re)create everything on your own. You have to build on the foundation laid down by someone else. I cannot start a math paper by proving that inverting a matrix is possible.

I also cannot do all on my own because I do need the expertise of other people with different knowledge. It's humanly impossible to learn everything, especially at the depth and detail required today when you want to create something "new". I could not design the hardware layout for an integrated circuit that I need. I'm not a hardware developer. But I know someone who can. He can probably not create the microcode for it, but that's no problem because that's what I can do.

Cooperation has always (well, at least since the day when it became impossible to know everything that's necessary yourself) and will always be the corner stone of research. If there is something college and university should teach, it's the only cooperation and not egoism leads to success and results.

Re:What the hell is this about?

I spent a good deal of my life in an university.

lol

Re:What the hell is this about?

Yeah... I don't see the issue either. They weren't "banning" floppy discs 20 years ago. Or CDs 10 years ago.

If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

Re:What the hell is this about?

If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

Or, as the GP suggested, use a more secure system.

Of course, no system is absolutely secure, but I feel that here we're dealing with stupidity, not malice - dumping Windows and Windows viruses seems like a foolproof plan to me. (Of course, nothing ever is foolproof.)

If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

Or using the camera on his mobile phone to make some screenshots. (I still can't believe that somebody took the time to take pictures of and then post the whole of Harry Potter.)

Re:What the hell is this about?

The Harry Potter leak was a group effort. Everyone was responsible for only a range of pages instead of one person doing the whole book. But yeah, you're spot on with the cameras. It's difficult to secure sensitive information group when we have so many avenues of data collection in this so-called digital age. The best (fair) solution I can think of for beating cameras is to actually have a person walking around in the area and watching for people doing questionable things. Good old fashioned security that's simple to implement and really hard to beat. I don't know why it's not used more instead of people putting their trust in expensive and ultimately insecure solutions.

Re:What the hell is this about?

Universities really CAN'T lock systems down in the kind of way a workplace can. I'm doing a Master's degree in Information Technology (basically a one year conversion course Computing Science for those with different first degrees). We have to write software for our dissertations and this often involves making use of other people's software, sometimes libraries, sometimes compiled programs. We wouldn't be able to do our dissertations if we couldn't install more software. It's not practical to have to have to get permission for every peice of software every student needs. I'm sure many of the academic staff also need to do these things in order to do their own research.

University networks are not like work networks. You can't enforce a standard set of tools and be sure that no one needs to run anything else

Well, even that is false

Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they are run a windows desktop env (which is 97% of them). But what amazes me, is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.

Re:

You can get sacked for breaking policy. Policies suitable for companies are often inappropriate for universities or colleges.

I don't know why you're even talking about windows. It's not even relevant.

Plus it's as easy to bypass lockdown on default installs

Re:

And being sacked matters why to someone who allowed himself to be hired to spy on the company in the first place?

Imagine you're a corporate spy. Your job: Infiltrate a competing company and copy their secrets. What do you do? You try to get hired, grab wha

Re:Well, even that is false

This describes my office perfectly. The corporate IT policy bans everything: USB flash memory; Digital Music Players (like my iPod); Portable exernal drives; coming in or out of the building with *anything* that can store data; Any website that even faintly looks like you could upload something (Flickr, Gmail, Hotmail, photobucket, &tc); any program not available on the corporate NetInstall craplet; any encryption any time any where. Every person outside of R&D has this massive WindowsXP install regardless of what they actually need or want.

I've seen them fire people over it.

however... all the managers have laptops and we go in and out every day with them. Each department have a fleet of burners and scanners. Every single member of R&D has at least 2 USB memory sticks. and I've been using my iPod everyday for over 5 years.

So what's the point? Surly I am not about to steal corporate secrets, and the mechanisms preventing me if I was inclined to do so, have nothing to do with site or IT security. A disgruntled employee who didn't understand the difficulty in marketing such things is in no way going to be able to figure out what to take and how to do so (or even be able to get to the part of the building where he could have access to the data). The segmentation of the network encourages the use external memory to transfer data from the segment containing the devices that create the data to the workstations of the people that analyze data.

Re:

I'm fairly sure there is some kind of policy that your superiors have to observe, too. Maybe it's just SOX. In short, they don't care about it either. Someone set a policy. A manager gets it, groans, then executes it. To the letter. Does he care if it work

Re:

Try saying "maybe" to a CEO some time and see what happens...

or try telling him that the article he read in CEO Monthly is a pack of garbage.

Locking down toolsets and competitive advantages

stevedcc wrote:
> University networks are not like work networks. You can't enforce
> a standard set of tools and be sure that no one needs to run
> anything else

If by ``work networks'' you mean industrial software development
environments -- well, yo

Re:What the hell is this about?

What's the big deal?

Making user responsible in *any* way for their own security or for the computer they use is a no-no, it flies in the face of 15 years of learned helplessness regarding computers.

Never mind that computers are a basic tool of the modern age, computers are magical black box administered by a priestly class, and only nerds should know anything about them. And encryption? That's for the government or terrorists, AND NO ONE ELSE!

Re:

Indeed, what would happen to our beloved Darwin Awards [darwinawards.com] without these idiots?

Universities shouldn't have to secure data

It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl. The only thing that should be punished is including contents of other people's removable drives in your coursework without giving credit. We don't want to be raising a generation of corporate drones who can never take the initiative to bend the rules and achieve true greatness.

Re:

It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl.

While I agree with you in principal, at least one part of the story related to staff at the university losing a USB drive with 199 Social Security numbers on it. Staff should be required to use encryption as a minimum. Where I went to college, the admin network was segregated from the student network; and had stricter rules. It just makes sense; there is far too much sensitive information in that network to allow it to be connected to the outside world without controls. In a sense, the admin network is a corporate network. While I don't believe they need to be as draconian as some government agencies (swapping hard drives for internal/public networks), certainly they do need to keep tight controls.

Just my 2cents..which in today's world won't even buy me a piece of Double Bubble.

Re:

I think the issue has mostly to do with working on student data. E.G., your social security number got sneaker netted and never deleted. The article fails to convey this properly, but does hint at it with discussion of notifying students of the ZIP drive.

Breaching Security

It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl.

There are some schools where circumventing computer security

Deep Freeze

My institute of higher learning utilizes Deep Freeze [faronics.com] on all computers and restores them all to their original state (except for a 'storage' partition) every weekend. It seems to do the job quite well.

Re:Deep Freeze

We restore the partitions on every boot, images are loaded from a central server, your profile is stored on a central server and loaded when you log in. Works very well.

Re:

How long does it take to boot to do that?

Re:

For the most part, not very long. The process does a type of checksum on the drive; if the checksum matches, then it boots normally. if not, then the image is rewritten, either from another partition on the drive (similar to how OEMs used to put a partit

High Security leads to a false sense of security.

Not just in colleges but in corporate work environments. Block this stop that don't allow those.... But whatever they do if we need a way around we could get one. Most computers have bluetooth. So you have you cell phone right next to your computer unknown to the security guys you use your bluetooth as a PPP connection to the internet to check your mail or worse as a backdoor in, or a way to send traffic out. Even if the computers don't give you the security to boot there is always the Live CD option with a Linux distro with VMWare running in full screen most people won't know the difference. What ever they come up with there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allow external emails to come in and if you are silly enough to use Windows for your work station have your virus scanner up to date. Anything more make people realize that you are anal on security thus feel more pressure to find a way around it... Remember a worker may not know how to click the start menu to get to additional programs but if you stop them from their email they will learn to setup a Proxy Server in No time...

am I?

am I the only one who read the title and thought "One two three four, I declare a thumbdrive war."?

desktops = bad

seriously, why can't people see past this fact. if you want a secure environment, the first thing you do is remove desktops and put in terminals. terminals only failure is in the arena of graphs rendering, in which case i'm sure they can manage to lock down a few graphics workstations

Re:

Even when I was at college 30 year ago, when online computer access was mainly through mechanical and glass teletypes, there was at least one online graphing terminal (a Tektronics, I think)

Re:

if you want a secure environment, the first thing you do is remove desktops and put in terminals. terminals only failure is in the arena of graphs rendering

You could use computers running JUST a web browser as terminals, or use X terminals. A "terminal"

Huh?

"In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.

In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."

The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSN's on an unencrypted flash drive...

I don't know about most universities, but the one I went to didn't give everone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.

What prof's need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.

Re:

The article was an Advertisement and Slashdot just gave "Fortigate-5000 technology from Sunnyvale, CA". Free press Great Job

SSNs

Many student numbers are nine digits, you might have noticed. That's because, back in the golden age, when student records were put into computers, someone decided that the 9-digit number uniquely assigned to each person was perfect for the task: no identi

Re:

Our state system is 8 digits but the college I attended for undergrad was 9 (it started with a P but that doesn't really count, eh?) We also keep record of SSN if the student provides it (it isn't required for anything except work study or financial aid -

Re:

Are they sure that a janitor didn't accidentally throw the zip drive away when they were cleaning up the other useless trash left by students?

Re:

and then they have some idiot storing SSN's on an unencrypted flash drive...

What does an university needs with social security numbers? Does it pays social security to students???

Portable storage blues

The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning . I shall explain my view. I am co-administering and directing on the technical side a 300 user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus) for 5 years now. Indeed, things in academia have to be open. And they can be as long as you focus on the problem.

Desktop wise, a proven conbination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.

The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
- We can train users to understand the implications of relying on portable storage.
- Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
- Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or miscplaced them inside a warm cup of coffee or had their kids bike going over their laptop in the garden are common.

This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons ( mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
i)Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
ii)Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are common place, but they were dog slow, especially for large user setups, so faculties tend to serve tenths of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result, non existing or slow connections, users give up, buy a key or portable drive and hope for the best.

I approached our Director, explained the problem and got funding to buy a storage solution able to a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and he heard the bill, he changed a few colours. However, if you explain with numbers the cost of loosing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.

I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.

physical port lock

I've heard about sys admins crazy gluing USB ports closed, but having a physical lock on the port instead seems a better idea. I found one company seeing a USB/lock and key set:
http://www.lindy.com/us/productfolder/04/40454/ind ex.php [lindy.com]
http://www.lindy.com/us/catalog/07/01a/index.php [lindy.com]
but I don't have the impression that the key is unique, so what's stopping me from buying the product and unlocking someone else using the same product?

Re:

I was also hoping to find a software solution to lock USB ports for Windows XP Home Edition, but the closest thing I could find was this incorrect Microsoft knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb; en-us;823732 [microsoft.com]
Windows XP Ho

Not only the drives

Also sys admins should look at a good password policy. That means not always to change passwords every X days.

Where I work I have several different logins and passwords. As many need change every 30 days, most I have lesser secure passwords.
There are some

Re:

Sometimes I have to question what some admins consider "good" password policy. I work in an environment where I have to access no less than 4 password protected systems on a daily basis. Each system requires the passwords to expire after 30 days, but since

I use a small program for this . . .

KeePass [keepass.info]

It generates passwords for you, letting you set the length and what
characters are included. Then it stores them all for you.
You can use one password to protect all your other ones.
You can even set expiration in the program to remind you when to cha

Really Not Difficult

Put computer in a secure cuff so it can't be opened.
Password the BIOS, lock out all boot options bar hard disc.
Run everyone as a restricted user using dynamic accounts (ZENworks for example, or deep freeze if you're stuck in the 90's)
Disable all onboard

Huh? What are they smoking?

Sounds stupid to me.

If the IT admins really want to make their life easy, why don't they just use one of those hardware solutions where if you reboot the PC (or press some button while booting) the PC gets restored to a known state (like a vmware "revert t

Loss of SSN should not be a serious issue.

Why losing a drive containing SSN of some 199 old students become a serious issue? In this day and age of information storage, it is high time we view SSN as public information. The number of strangers who have legal access to my name, address and social security number is staggering. Doctor's office staff, university offices, payroll department of employers ...

Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moments notice to people before their impulse to borrow fades away.

All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.

Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.

Then it wont matter if some department loses a hard disk containing million SSNs. Will it?

Re:

The problem with the SSN being public is that it's the only unique for identifying you. Nothing else is singularly unique and does not change- name, birthday, address, etc. Of course one could use several of the non-unique identifiers to create what would

FTW: One Solution

One place I worked at just put epoxy in all USB ports. Then they bought 200 signature capture pads, that work on USB. Heh.

thumb drive early adopter, lessons learned

I have had a USB drive of some sort or another for quite a few years. I had the first 512mb drive available, first 1gb, first 4gb, owned and threw away a defective 16, and now use an 8gb Sandisk FireFlash. (SanDisk is probably the best brand going for small, fast, and reliable)

When I first was noticed to have a 1gb flash drive, my manager flipped out. We were not in a hugely secured environment, but he was formerly a branch manager of a bank so he saw this as a huge problem. We did deal with a large amount of customer information, but this never needed to be on my flash drive. I used the drive to assist in maintaining about 110 PCs, mostly loaded it with software tools, text files describing walk throughs to fix common issues, etc. We went round and round a bit and finally just dropped the issue and I was not bothered anymore.

Now I work in an IT department elsewhere, and I do have to carry sensitive materials. With all the switches, routers, server, etc, I have to keep passwords for them all. Having these items available on hand at any time in addition to a large number of software tools to suport > 500 machines of various types necessitates a flash drive - you just can't carry your laptop everywhere nor rely on the availablility of a network connection.

My solution now is to use OS X's "filevault" technology. Among the items I am not worried about, there is a small (10mb) encrypted disk image. Because the data on the image is frequently being changed and updated, I keep the main copy on the flash drive, and periodically (weekly or so) sync it with my laptop. The copy on the laptop is write protected to prevent temptation of editing it instead of the copy on the flash drive. The password to the vault is in the keychain on my laptop, which is encrypted with my login password. So if I plug in the flash drive to my laptop, I just double click to open the vault without any password to type. I can also open the read-only copy of the vault that is synced on my laptop if that's handier.

If I am in the field and either don't have my laptop with me, or it's inconvenient to haul it out, I just get out the flash drive and plug it into the machine and double click the vault. I have to enter the password since it's not on my laptop with its keychain, but that's not a big deal. The filevault is not supported on anything besides OS X, but it's supported directly by the OS and does not require any additional software or setup, it' just works when plugged in.

For the PCs I have a second 4gb flash drive that I use mainly for shuttling information between PCs, and it does not contain any sensitive information.

The biggest problem I have now with the flash drive is the very high risk of forgetting it somewhere. It's really easy to plug it into a machine, start working on something, get distracted by several other issues all at once, and hurredly rush to the next fire, only to leave the flash drive parked in the machine I was working on first. By the time I realize I don't have my flash drive, it can be up to a day later, and it's really hard to figure out where it was left behind. I've put a lot of thought into this problem, including various "phone phone" ideas, use of a lanyard, etc, and the solution I have come up with is working well. I have a small camera bag that I used to keep my powershot camera in. I now have a larger camera, so the bag has been repurposed. It's a LowePro, built well with a belt loop. It nicely holds my palm pilot, iPod, earbuds, an iTrip transmitter, AND a flash drive. How does this help you wonder? The fireflash has a removable clear acrylic cap that securely attaches to the flash drive, and the lanyard loop is on the cap, not on the drive. The drive came with a 5" lanyard, so I attached that to the loop on my Lowepro, and stuff the flash drive in the front pocket of the bag. When I am using the flash drive, I have to remove it from the cap to plug it in (or reach the computer for that matter) This leaves a clear acrylic cap dangling 5" dow

Re:

One! Two! Three! Four! I declare a Thumb War!