

6 posts

Wannabe Geek
Inactive user


Topic # 13167 25-Apr-2007 15:38
BDFL - Memuneh
61011 posts

Uber Geek
+1 received by user: 11846

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 68453 25-Apr-2007 18:02

Calling this a firewall is a stretch. And there are ways to block access to USB storage devices through security policies, no need to spend money on third party software.





26772 posts

Uber Geek
+1 received by user: 6249

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 68455 25-Apr-2007 18:12

There are far easier ways. Disabling USB ports in the BIOS and setting a password is a standard security policy in many companies these days.

BDFL - Memuneh
61011 posts

Uber Geek
+1 received by user: 11846

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 68456 25-Apr-2007 18:14

Extreme cases, and much cheaper: apply epoxy to the USB adapter on the PC.

People want others to spend money for nothing... And probably just another program with potential for some bugs to be installed on an otherwise ok machine.

Then people complain about their systems running slow - people install anything and everything these days...







4310 posts

Uber Geek
+1 received by user: 152

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 68460 25-Apr-2007 19:31

Windows Vista comes with an excellent option in Group Policy to disable USB drives.

4956 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 68664 27-Apr-2007 14:16

bradstewart: Windows Vista comes with an excellent option in Group Policy to disable USB drives.


and in fact any USB device

122 posts

Master Geek


  Reply # 68687 27-Apr-2007 16:55

IMHO, this kind of 'security policy' is inane. Locking down Joe Consultant's machine to prevent him stealing company data is;


a) Going to demoralize him, making data theft more likely (I guess I'm not a trusted or valued employee after all).
b) Going to inconvenience him (tell me again why I couldn't take my presentations to the client's site?).
c) Is nothing more than a security blanket. Physical access is everything, as the saying goes.
d) Is probably symptomatic of more serious security concerns - like why Joe has sensitive files on this desktop in the first place.

e) Is out of synch with his physical security access ("hey, I couldn't copy the files but we've got this cool new product...")


Let's face it; Windows is great at being usable and friendly. However, its security reputation is terrible. If you take away the usability, you're not left with very much.

The only time this kind of thinking makes sense to me is with a horde of data-entry 'drones', in which case they should probably be using thin-clients anyway.


MS Word just had another major vulnerability. Better ban that too. Notepad will rise again! It's all about risk & return, people. :)



4310 posts

Uber Geek
+1 received by user: 152

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 68717 27-Apr-2007 22:17

Nice trolling there

122 posts

Master Geek


  Reply # 68725 27-Apr-2007 23:22

Sorry you think so. My writing style is direct but there's nothing particularly controversial there - just my 2¢. Don't paint me a troll just because you disagree with a post. If anything, correct it. I'm always open to new/better ideas.

4310 posts

Uber Geek
+1 received by user: 152

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 68726 27-Apr-2007 23:29

Well there is nothing wrong with the security in Vista, it is in fact very very good.

As for that security policy being inane, well it's up to the admin to turn it on, but it is a very valid tool in keeping not only the computer and network safe but protecting against corporate espionage which is a very big deal in some places.

If you look deep into Vista you will see that Microsoft really have put huge efforts into making it secure, IMO they have done a fantastic job

122 posts

Master Geek


  Reply # 68730 28-Apr-2007 01:02

nothing wrong with the security in Vista, it is in fact very very good.


I didn't mention Vista, I commented on the reputation of Windows - the whole product line, the security of which I've found to be less than impressive. However, concerning Vista, it seems like early days to make a statement like that and I'm already seeing articles to the contrary. Some even claim Vista will be more insecure than XP SP2 (http://tinyurl.com/ynm24o). However, to be fair - there's a huge amount of agenda/propaganda/FUD surrounding Windows security (on both 'sides') so I tend to take articles and metrics with a pinch of salt.

As for that security policy being inane, well it's up to the admin to turn it on, but it is a very valid tool in keeping not only the computer and network safe but protecting against corporate espionage which is a very big deal in some places.


I meant policy as in corporate policy, not Windows policy. Doesn't matter if you disable USB using a group policy or by ripping the hardware out, it still strikes me as inane. Corporate espionage is, of course, a concern but once the information has been disseminated to an employee, how can you stop them from printing it, photographing it or talking about it? The key it seems would be to only disseminate sensitive information to the relevant, trusted individuals.

For example, in a company I worked for way back, they had a CRM system. The application accessed a DBMS (simple client/server stuff). Lower-level employees had write only access (new records). Sales guys could only access their accounts (the size of which reflected their status & time with the company). Only management had the big picture. Only accountants had access to the accounts. Seems way more feasible to block access to sensitive data at source than attempting to disable storage media, printers, e-mail etc.

I just think the little added security you might get by banning USB is vastly outweighed by the convenience of the thing (much like e-mail, which can also be a source of c. espionage or a virus vector). Even the military (British Army) have opted to log USB use rather than cripple it - which I can understand completely.

If you look deep into Vista you will see that Microsoft really have put huge efforts into making it secure, IMO they have done a fantastic job


Again, it's early days. OpenBSD have only had 2 remote holes in 10 years (http://www.openbsd.org/). That's a fantastic job. If Vista can make the same claim in 10 years' time, the beers are on me! Personally, I'll never be looking very deep into Vista. I'm a C# developer - and we rarely have time to concern ourselves with small details like security. :)

5 posts

Wannabe Geek


  Reply # 69586 5-May-2007 11:02

I was under the impression a lot of companies disabled the use of USB storage devices as they are a huge security risk with ppl bringing in possible virus or stealing data.... cannot wait to play with GPOs in Longhorn if they are going to be called GPOs of course

460 posts

Ultimate Geek
Inactive user


  Reply # 69705 6-May-2007 18:50

Maybe they could put some of that fancy driver signing DRM to good use and implement a 'don't allow sensitive documents to be copied to the USB key'. Although that doesn't rule out copy/paste.

I think at the end of the day, if people are going to steal from you, they're going to steal from you. I had a similar argument put to me when I'd used remote desktop at work one time years ago. It looked like I was setting up some kind of super secret VPN to destroy the company.

In reality there was no added functionality for stealing company data. Everyone can email a file off their workstation. Anyone can rename super-secret-document.doc to weblordpepes-christmas-album.mp3 or another file that no one wants to open and email it home.

One argument you could use against USB keys etc is that they are writable. If Joe Employee brings a CD/DVD to work full of mp3s then that's not going to be any use for stealing data.

Personally I think I enjoy being trusted not to commit crimes. Makes me feel like a grown up (although some might disagree with regards to my latest IRC antics)

BDFL - Memuneh
61011 posts

Uber Geek
+1 received by user: 11846

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 69715 6-May-2007 19:49

weblordpepe: In reality there was no added functionality for stealing company data. Everyone can email a file off their workstation. Anyone can rename super-secret-document.doc to weblordpepes-christmas-album.mp3 or another file that no one wants to open and email it home.


Most e-mail filters look at contents rather than file name extensions...
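
A minimal sketch of the content-based check mentioned in the reply above, as an added example that is not part of the original thread: it compares an attachment's leading magic bytes with what its extension claims, so a legacy Word file renamed to .mp3 is flagged. The signature table, function names and sample bytes are constructed for illustration; production filters inspect far more than the first few bytes.

```python
import os

# Leading "magic" bytes for a few common formats (well-known signatures).
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt container
    (b"PK\x03\x04", "zip"),                         # .zip, also .docx/.xlsx
    (b"%PDF-", "pdf"),
    (b"ID3", "mp3"),                                # MP3 that starts with an ID3v2 tag
    (b"BM", "bmp"),
]

# Content types each extension is expected to carry.
EXPECTED = {
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".docx": {"zip"}, ".zip": {"zip"},
    ".pdf": {"pdf"}, ".mp3": {"mp3"}, ".bmp": {"bmp"},
}

def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # An MP3 without an ID3 tag starts with an MPEG frame sync (11 set bits).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"

def check_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'ok', 'mismatch' or 'review'."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind == "unknown" or ext not in EXPECTED:
        return "review"  # unrecognised content or extension: leave to policy
    return "ok" if kind in EXPECTED[ext] else "mismatch"

# Constructed sample inputs (file headers only, padded with zero bytes).
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
REAL_MP3 = b"ID3\x03\x00\x00" + b"\x00" * 100
OPAQUE = b"\x8a\x13\x5c\x07" + b"\x00" * 60

if __name__ == "__main__":
    samples = [("super-secret-document.doc", OLE_DOC),
               ("weblordpepes-christmas-album.mp3", OLE_DOC),
               ("song.mp3", REAL_MP3),
               ("notes.mp3", OPAQUE)]
    for name, blob in samples:
        print(f"{name}: {check_attachment(name, blob)}")
```

Content the table does not recognise comes back as 'review' rather than 'ok', which is the conservative default for a filter that cannot identify what it is looking at.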





122 posts

Master Geek


  Reply # 69748 6-May-2007 23:49

Most e-mail filters look at contents rather than file name extensions...


You can get around this by compressing and in extreme cases, encrypting the data. Some filters are really anal and will reject anything they don't recognize as 'dangerous attachments'. However, I'm guessing you could bypass this by changing the 'confidential' document to a bitmap (or something innocuous), embedding it into a sizable MS Word doc and then packaging the object within the doc. To any filter this would probably look like a standard text document with embedded images.

The message you receive from Word when you double-click to open the package would suggest the contents are stored as binary & are not even readable by Word itself ("You are about to activate an embedded object that may contain viruses or be otherwise harmful to your computer. It is important to be certain that it is from a trustworthy source. Do you want to continue?").

Anyway, I haven't tried this but it would be interesting to see if it worked. :)

122 posts

Master Geek


  Reply # 69756 7-May-2007 00:29

If people are going to steal from you, they're going to steal from you.


Word. Especially if they have physical access to the machine.

Everyone can email a file off their workstation.


Sure, but e-mail is usually logged. I would guess that 90% of the time, BIOS settings are not altered out of the box. If this is the case, you could simply boot a Linux LiveCD (http://www.knoppix.org/) and totally bypass the Windows operating system. Mount your NTFS file-system (C:\) within Linux & merrily copy to your favourite storage media. Eject LiveCD. Take data home to read/decrypt at your leisure without leaving ANY traces of activity within Windows.*

Fortunately, Vista has answered this threat with BitLocker drive encryption**, but only for Vista Ultimate users (http://tinyurl.com/3843r3 [Microsoft.com]). If you want more powerful drive encryption or don't have access to BitLocker, I can highly recommend the open-source TrueCrypt software (http://www.truecrypt.org/).

* If the BIOS has been secured (clearly, the CD-ROM must be bootable), try standard backdoor passwords. If no joy, it's trivial to reset the BIOS. You'd still have the sensitive files and the aftermath would look like hardware failure upon forensic analysis.

** Note, BitLocker uses AES/128bit key by default. This is quite respectable on the surface but the more paranoid of us may not trust Microsoft to not have included some kind of back door. I've read that this is also military policy - different security components in a system are contracted to different companies to provide 'layered security' and prevent this kind of shenanigan.
