Lock down your USB ports

Kelvyn Taylor

The security risks posed by USB Flash disks (or memory sticks, or Flash keys, or thumb drives, or whatever you wish to call them – why can’t the industry settle on a standard name for them?) are nothing new. Ever since some newly-sacked tech support guy realised he could take away a few sensitive files on a USB drive, IT managers have looked upon these devices with suspicion.

But the surprising thing is, there still seems to be very little control over their distribution and use in many companies. I was speaking to a chap from Kingston Technology the other week, and he mentioned a firm where they’d discovered that Flash disks were one of the biggest purchases on the company’s credit card, yet the IT department knew nothing about them. And taxis all over the world are apparently full to the ashtrays with lost Flash disks.

It’s true that these days, you can buy some of these devices incorporating all manner of security measures, from simple passwords to full encryption, biometrics and even built-in smartcard functionality. These measures are mainly designed to protect data if the devices are lost.

But it’s the growing capacity of these devices – I’ve just seen an 8GB model – that should trigger alarm bells. They can now be used not just to hold files, but also entire bootable environments with applications.

Since the advent of Knoppix, free tools have arrived to create “live” bootable versions of Windows, one of the most popular being the freeware Bart’s PE Builder. This was developed a couple of years ago to let you boot Windows from a CD or DVD, but ever since an enterprising geek discovered the Ramdisk.sys setup loader in Windows Server 2003, it has been possible to run Bart PE from a bootable USB Flash drive. This avoids the problem caused by Windows re-initialising the USB interface at boot time and thus losing the connection to the device.

The whole basic installation, which you create from an original XP installation CD in about five minutes, will fit easily on a Flash drive with 256MB capacity, and dozens of plug-ins are available to add applications such as virus scanners, image viewers, browsers and so on. This setup also gives you full read/write access to NTFS volumes, which is great for IT staff troubleshooting a PC, but also great for anyone who wants to bypass the Windows login and copy files from the PC’s hard disk.

This is almost as annoying as the realisation that Windows can be stripped down to this sort of size. Take a look at nLite, a freeware pre-installation tool that can shrink an installation image of XP down to just 140MB.

Now might be a good time to start looking afresh at managing some of those innocuous-looking USB ports, using tools such as Centennial Software’s DeviceWall or Disknet Pro from Reflex Magnetics. And while you’re at it, why not see what the corporate credit card’s been buying recently?