USB firewall for Windows Vista!

Forums › Desktop computing › USB firewall for Windows Vista!

daabomb2002

6 posts

Wannabe Geek
Inactive user

#13167 25-Apr-2007 15:38

i am glad someone decided to make a firewall for usb devices.

http://www.openpr.com/news/19290/Secure-it-Easy-the-first-USB-Firewall-Solution-available-for-Windows-Vista.html

1 | 2

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#68453 25-Apr-2007 18:02

Calling this a firewall is a stretch. And there are ways to block access to USB storage devices through security policies, no need to spend money on third party software.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#68455 25-Apr-2007 18:12

There are far easier ways. Disabling USB ports in the BIOS and setting a password is a standard security policy in many companies these days.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#68456 25-Apr-2007 18:14

Extreme cases, and much cheaper: apply epoxy to the USB adapter on the PC.

People want others to spend money for nothing... And probably just another program with potential for some bugs to be installed on an otherwise ok machine.

Then people complain about their systems running slow - people install anything and everything these days...

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

bradstewart

4338 posts

Uber Geek
+1 received by user: 166

Retired Mod

Trusted

Lifetime subscriber

#68460 25-Apr-2007 19:31

Windows Vista comes with an excellent option in Group Policy to disable USB drives.

nathan

5695 posts

Uber Geek
+1 received by user: 1630
Inactive user

#68664 27-Apr-2007 14:16

bradstewart: Windows Vista comes with an excellent option in Group Policy to disable USB drives.

and in fact any USB device

rwales

122 posts

Master Geek

#68687 27-Apr-2007 16:55

IMHO, this kind of 'security policy' is inane. Locking down Joe Consultant's machine to prevent him stealing company data is;

a) Going to demoralize him, making data theft more likely (I guess I'm not a trusted or valued employee after all).
b) Going to inconvenience him (tell me again why I couldn't take my presentations to the clients site?).
c) Is nothing more than a security blanket. Physical access is everything, as the saying goes.
d) Is probably symptomatic of more serious security concerns - like why Joe has sensitive files on this desktop in the first place.

e) Is out of synch with his physical security access ("hey, I couldn't copy the files but we've got this cool new product...")

Let's face it; Windows is great at being usable and friendly. However, its security reputation is terrible. If you take away the usability, you're not left with very much.

The only time this kind of thinking makes sense to me is with a horde of data-entry 'drones', in which case they should probably be using thin-clients anyway.

MS Word just had another major vulnerability. Better ban that too. Notepad will rise again! It's all about risk & return, people. :)

All your base are belong to us.

Lego

Shop now for Lego sets and other gifts (affiliate link).

bradstewart

4338 posts

Uber Geek
+1 received by user: 166

Retired Mod

Trusted

Lifetime subscriber

#68717 27-Apr-2007 22:17

Nice trolling there

rwales

122 posts

Master Geek

#68725 27-Apr-2007 23:22

Sorry you think so. My writing style is direct but there's nothing particularly controversial there - just my 2¢. Don't paint me a troll just because you disagree with a post. If anything, correct it. I'm always open to new/better ideas.

All your base are belong to us.

bradstewart

4338 posts

Uber Geek
+1 received by user: 166

Retired Mod

Trusted

Lifetime subscriber

#68726 27-Apr-2007 23:29

Well there is nothing wrong with the security in Vista, it is in fact very very good.

As for that security policy being inane, well its up to the admin to turn it on, but it is a very valid tool in keeping not only the computer and network safe but protecting against corporate epsionage which is a very big deal in some places.

If you look deep into Vista you will see that Microsoft really have put huge efforts into making it secure, IMO they have done a fantastic job

rwales

122 posts

Master Geek

#68730 28-Apr-2007 01:02

nothing wrong with the security in Vista, it is in fact very very good.

I didn't mention Vista, I commented on the reputation of Windows - the whole product line, the security of which I've found to be less than impressive. However, concerning Vista, It seems like early days to make a statement like that and I'm already seeing articles to the contrary. Some even claim Vista will be more insecure than XP SP2 (http://tinyurl.com/ynm24o). However, to be fair - there's a huge amount of agenda/propaganda/FUD surrounding Windows security (on both 'sides') so I tend to take articles and metrics with a pinch of salt.

As for that security policy being inane, well its up to the admin to turn it on, but it is a very valid tool in keeping not only the computer and network safe but protecting against corporate epsionage which is a very big deal in some places.

I meant policy as in corporate policy, not windows policy. Doesn't matter if you disable USB using a group policy or by ripping the hardware out, it still strikes me as inane. Corporate espionage is, of course, a concern but once the information has been disseminated to an employee, how can you stop them from printing it, photographing it or talking about it? The key it seems would be to only disseminate sensitive information to the relevant, trusted individuals.

For example, in a company I worked for way back, they had a CRM system. The application accessed a DBMS (simple client/server stuff). Lower-level employees had write only access (new records). Sales guys could only access their accounts (the size of which reflected their status & time with the company). Only management had the big picture. Only accountants had access to the accounts. Seems way more feasible to block access to sensitive data at source than attempting to disable storage media, printers, e-mail etc.

I just think the little added security you might get by banning USB is vastly outweighed by the convenience of the thing (much like e-mail, which can also be a source of c. espionage or a virus vector). Even the military (British Army) have opted to log USB use rather than cripple it - which I can understand completely.

If you look deep into Vista you will see that Microsoft really have put huge efforts into making it secure, IMO they have done a fantastic job

Again, it's early days. OpenBSD have only had 2 remote holes in 10 years (http://www.openbsd.org/). That's a fantastic job. If Vista can make the same claim in 10 years time, the beers are on me! Personally, I'll never be looking very deep into Vista. I'm a C# developer - and we rarely have time to concern ourselves with small details like security. :)

All your base are belong to us.

Chr1sm

5 posts

Wannabe Geek

#69586 5-May-2007 11:02

I was under the impression a lot of companies disabled the use of usb storage devices as they are a huge security riskk with ppl brining in possible virus or stealing data.... cannot wait to play with GPOs in longhorn if they are going to be called GPOs of course

Dell

Shop now for Dell laptops and other devices (affiliate link).

weblordpepe

460 posts

Ultimate Geek
Inactive user

#69705 6-May-2007 18:50

Maybe they could put some of that fancy driver signing DRM to good use and impliment a 'dont allow sensitive documents to be copied to the USB key'. Although that doesnt rule out copy/paste.

I think at the end of the day. If people are going to steal from you, they're going to steal from you. I had a similar argument put to me when I'd used remote desktop at work one time years ago. It looked like I was setting up some kind of super secret VPN to destroy the company.

In reality there was no added functionality for stealing company data. Everyone can email a file off their workstation. Anyone can rename super-secret-document.doc to weblordpepes-christmas-album.mp3 or another file that noone wants to open and email it home.

One argument you could use against USB keys etc is that they are writable. If joe employee brings a cd/dvd to work full of mp3s then thats not going to be any use for stealing data.

Personally I think I enjoy being trusted not to commit crimes. Makes me feel like a grown up (although some might disagree with regards to my latest IRC antics)

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#69715 6-May-2007 19:49

weblordpepe: In reality there was no added functionality for stealing company data. Everyone can email a file off their workstation. Anyone can rename super-secret-document.doc to weblordpepes-christmas-album.mp3 or another file that noone wants to open and email it home.

Most e-mail filters look at contents rather than file name extensions...

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

rwales

122 posts

Master Geek

#69748 6-May-2007 23:49

Most e-mail filters look at contents rather than file name extensions...

You can get around this by compressing and in extreme cases, encrypting the data. Some filters are really anal and will reject anything they don't recognize as 'dangerous attachments'. However, I'm guessing you could bypass this by changing the 'confidential' document to a bitmap (or something innocuous), embedding it into a sizable MS Word doc and then packaging the object within the doc. To any filter this would probably look like a standard text document with embedded images.

The message you receive from Word when you double-click to open the package would suggest the contents are stored as binary & are not even readable by Word itself ("You are about to activate an embedded object that may contain viruses or be otherwise harmful to your computer. It is important to be certain that it is from a trustworthy source. Do you want to continue?").

Anyway, I haven't tried this but it would be interesting to see if it worked. :)

All your base are belong to us.

rwales

122 posts

Master Geek

#69756 7-May-2007 00:29

If people are going to steal from you, they're going to steal from you.

Word. Especially if they have physical access to the machine.

Everyone can email a file off their workstation.

Sure, but e-mail is usually logged. I would guess that 90% of the time, BIOS settings are not altered out of the box. If this is the case, you could simply boot a Linux LiveCD (http://www.knoppix.org/) and totally bypass the Windows operating system. Mount your NTFS file-system (C:\) within Linux & merrily copy to your favourite storage media. Eject LiveCD. Take data home to read/decrypt at your leisure without leaving ANY traces of activity within Windows.*

Fortunately, Vista has answered this threat with Bitlocker drive encryption**, but only for Vista Ultimate users (http://tinyurl.com/3843r3 [Microsoft.com]). If you want more powerful drive encryption or don't have access to Bitlocker, I can highly recommend the open-source TrueCrypt software (http://www.truecrypt.org/).

* If the BIOS has been secured (clearly, the CD-ROM must be bootable), try standard backdoor passwords. If no joy, it's trivial to reset the BIOS. You'd still have the sensitive files and the aftermath would look like hardware failure upon forensic analysis.

** Note, Bitlocker uses AES/128bit key by default. This is quite respectable on the surface but the more paranoid of us may not trust Microsoft to not have included some kind of back door. I've read that this is also military policy - different security components in a system are contracted to different companies to provide 'layered security' and prevent this kind of shenanigan.

All your base are belong to us.

1 | 2