Comments on: (In)security at the University of Birmingham

By: CSIR

CSIR — Mon, 19 Mar 2007 18:00:51 +0000

I bought a “PQI Cool Drive” must be around 4-5 years back for a small fortune. It has a hardware write protect switch, small but works. No idea as to whether still in production, very high qality hence probably not the most popular in today’s buy 1 get 1 free market.

http://www.pqi.com.tw/product2.asp?oid=&cate1=18&PROID=31

By: Clive Robinson

Clive Robinson — Tue, 06 Mar 2007 18:33:22 +0000

Mike,

“risks of using any old USB flash drive instead of a floppy disk for file transfer”

Only if they know what the write protect tab is for

Seriously though no mutable storage device is immune including CD-Rs that have not been closed properly so as normal you pay your money and take your chosen risk.

The downside of floppy disks is tha lack of capacity, I have seen one or two Power Point Slides (not the whole presentation) that would not fit into 1.44Mbyte (or 2MByte if you bend the specs a bit).

The sad thing is that it would not be that difficult to make a USD thumb drive with a proper write protect switch or other more reliable security mechanism however it appears not to be a “market option” at present.

You might want to have a chat with a company like FTDI in Glasgow

http://www.ftdichip.com/

They specialise in designing USB devices and they might well be able to help you come up with quite a good design for a USB device that would meet your customers requirments…

By: Mike Bond

Mike Bond — Fri, 02 Mar 2007 09:18:47 +0000

I’ve just been advising some potential customers about the risks of using any old USB flash drive instead of a floppy disk for file transfer between unetworked key management workstations and their main network. Would people agree with my assessment that floppy disks are the safest way of transferring a file without accidentally running it, or having other local attacks performed?

BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc

I was talking to Mark at FC 2007. Birmingham is expanding and there’s a lectureship up for grabs in case anyone is interested (by 9th march)… http://www.jobs.ac.uk/jobfiles/BK196.html

Mike.

By: csir

csir — Mon, 26 Feb 2007 19:50:25 +0000

They even use WEP for wifi… then again like the CS wifi I would imagine you cant do much other than steal bandwidth in theory.

BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc. I’m sure he and his most excellent students would quite enjoy a thought provoking lecture from you guys.Spend long enough reading Ross Anderson’s book http://www.cs.bham.ac.uk/~mdr/

By: Dan Cvrcek

Dan Cvrcek — Sun, 25 Feb 2007 19:10:33 +0000

I’m just thinking if one could use such computer for spreading trojan horse programs to the machines of lecturers via USB flash disks. It is, of course, quite unlikely but some students might be interested in the content of some hard drives http://it.slashdot.org/article.pl?sid=06/06/08/2151222

By: Mark Lomas

Mark Lomas — Sun, 25 Feb 2007 17:57:47 +0000

I imagine that many university departments do this - a couple of weeks ago I saw a similar piece of Dymo tape at UCL.

Microsoft’s recommended way of hiding the login dialogue is the automatic login facility - http://support.microsoft.com/kb/315231 - but read all of their warnings before doing this.

It is a good idea to set up a distinct security policy for such machines. Disable the password-protected screensaver and make sure that the account used cannot login to other machines.