Click here to receive your FREE subscription to Campus Technology
Security Focus
Hacksaw Cuts Road Warriors
8/10/2007
Even worse, it doesn't take a lot of imagination to think of even more malignant ways to exploit this concept. Say installing a Trojan horse that logs passwords and logons. (One security expert did this by leaving a bunch of USB drives lying around in the parking lot of a company that had hired him to test their internal security.)
The U3 Open Standard
The key to USB Hacksaw is the emergence of the open-standard U3 smart drive, which was co-developed by SanDisk and M-Systems. U3 allows users to take their applications, along with their data, to any USB-equipped Windows PC and launch applications from the flash drive itself.
How does a U3 drive work? Within a U3 drive there are two partitions, a large data partition that shows up as a regular flash drive and a small 4 MB read-only partition that pretends to be a CD-ROM. Believing that the small partition is a CD, Windows automatically runs the U3 "LaunchPad" program using the "AutoPlay" feature in Windows 2000, XP, and Vista. In the case of "Hacksaw," some additional programs have been placed on the flash drive. Because it is based on "AutoPlay," U3 devices are not compatible with the Mac, Linux, or Windows 98/ME operating systems. When I plug a U3 flash drive into my Mac, I see the large data partition and an icon for a CD/DVD drive, which I can't read.
Why would anyone consider using such a dangerous device? Why not just ban U3 flash drives? The short answer is that portability, ease of use, and convenience trump security every time. How often have you tried to run a PowerPoint presentation from a flash drive on someone else's computer only to find that they are running a different version of the software? Or suffered the frustrations of Web browsing from a computer lacking your own bookmarks? Or dealt with the hassle of synchronizing e-mail downloaded on the road with your primary e-mail program at home?
For road warriors resigned to lugging a laptop through airport security, recreating your home base environment on a remote computer--for example, a hotel business center or remote corporate site--with a something that fits comfortably in your pocket is a very appealing feature. While one vendor (Kingston) has dropped support for the U3 standard, citing lackluster sales, a poll by GetUSB.info of their users in March of this year found that 64 percent owned a flash drive with U3 software. Finally, the biggest players in the industry, SanDisk, Verbatim, and Memorex, all offer U3 products. U3 is probably here to stay.
The problem of someone stealing data from an unattended computer using small USB memory devices has been around for some time. Hacksaw adds a new dimension. Monitoring what is plugged into a corporate computer doesn't address this problem. Disabling AutoRun probably isn't a viable solution, as that would inhibit valid applications. Banning U3 devices will probably work as well as banning iPods other USB memory devices. Encryption helps, but in the real world most of the information we carry around on isn't encrypted or even protected.
So what should security conscious Road Warriors do? Is it our fate to lug our laptops around forever? I'd like to hear from readers about what, if anything, can or should be done about this new threat. You can reach me at the e-mail address below.
Doug Gale is president of Information Technology Associates, LLC (www.it associates.org) an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Fixed-Mobile Convergence: Dartmouth Beefs Up Cell Coverage, Cuts Costs
Problems with cell phone coverage aren't uncommon on college campuses. There are two main reasons: The beefy structure of historic buildings can block cellular reception within walls, and, on more remote campuses outside cities, signal coverage can be light.
- Thompson Rivers U Deploys Unified Digital Campus for ERP
Thompson Rivers University (TRU) in British Columbia has selected SunGard Higher Education's Banner Unified Digital Campus (UDC) to integrate its ERP systems.
- DV Kitchen Web Video Publishing System Released
DVcreators.net has released DV Kitchen, a new video encoding and publishing application for Mac OS X designed specifically for creating materials to be posted on the Web.
- NEC Debuts 4 Education Projectors
NEC this week debuted four new projectors targeted toward education applications, along with a new MultiSync LCD display. The new NP-series projectors are entry-level models started at $899 but are designed to provide high light output, support for closed captioning, and built-in networking capabilities.
- Security Researchers Uncover Spring Framework Vulnerability
Software frameworks are enjoying enormous popularity these days among a range of developers. It's popularity well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.
- 3PAR Server Arrays Integrate Fat-to-Thin Processing
Utility storage provider 3PAR has announced the release of the 3PAR InServ T400 and T800 Storage Servers. The new hardware is built on the company's third-generation InSpire architecture, featuring the 3PAR Gen3 ASIC with integrated fat-to-thin processing.
