What "Contraband" can IT actually detect?

Rustynuts ([H]F Junkie, joined Feb 6, 2003, 10,346 messages)
OK, my company seems totally paranoid about security, but some of the claims seem a bit outlandish. Then again, I am a networking idiot. :p

We can't even connect our phones via USB to either charge or download work photos. I can see this as a possible security threat, but still. We can't use any run of the mill thumb drive; we have to use some specially ordered thumb drive (all of 4 gig :rolleyes:) that costs like $100 supposedly. Note the thumb drives work normally, not encrypted or password protected, and don't seem to scan anything transferred, etc., so not sure what the deal is. The "approved" thumb drives also seem totally cheesy and not that well constructed (Kingston).

Also we cannot even connect a plain old digital camera. :rolleyes: I assume there may be some risk from the SD cards? Also they claim they can "detect" such items connected to any PC and will come and confiscate said item.

I say mostly hogwash just to scare people "straight" to prevent viruses (since typical users are even bigger morons than I am :D). Or can IT depts. actually play such Big Brother shenanigans?
 
Charging USB devices shouldn't be an issue for users. You can find wall chargers for almost any device these days. Your company would be smart to invest in some, just to avoid the problem that they're trying to prevent.

I wouldn't think that it would be very difficult to detect any time a USB device is connected to a computer on the network, especially if the computers are locked down by the IT department and running monitoring software. I'm not sure they'd always know what was hooked up, but if an alarm goes off and you have an IT guy and a security guard at your desk a minute later, it doesn't much matter.

Seems odd that with those policies in place they would allow any thumb drives, unless those particular drives let them tightly control how/what gets copied to and from the drive.
 
It's their network, they can run it however they like, and if you violate the rules, you are subject to whatever they throw at you, even losing your job.

Depending on their past experience, government mandates and the sensitivity of the information, they likely formulated these rules for a reason.
 
They can literally track absolutely everything if they want to. They're not bluffing if they've configured things appropriately. Follow procedures and don't get fired...it's not that hard.
 
They can literally track absolutely everything if they want to. They're not bluffing if they've configured things appropriately. Follow procedures and don't get fired...it's not that hard.
yep
There is monitoring software that will detect a new usb device being added and send an immediate report as well as monitor everything else.
In some situations just hooking up a phone to the computer can be a federal felony.
 
Seems odd that with those policies in place they would allow any thumb drives, unless those particular drives let them tightly control how/what gets copied to and from the drive.

As I said, I've used one and there seemed to be no limitations or extra security involved. Weird.
 
In some situations just hooking up a phone to the computer can be a federal felony.

I used to do that all the time at previous jobs when taking site photos for work, etc. Much easier to do with the cell phone I always have than lugging an extra camera around. Hook up the phone, download all the pics. Simple. Guess I'll see if I can do the SD card swap securely.
 
The draconian USB security policy is at least in part about mitigating the stupid, old, and incredibly effective trick of throwing infected USB sticks into the parking lot of your target.

Special $100 4GB Kingston USB sticks that seem to work normally? It's probably one of these, and they're probably using something like this USB management server, which can do all of the paranoid things you were thinking of and more. They could even set it up to set off alarms if you plug your legit USB stick into the wrong PC (scroll down and select the "Compliance" tab), so detection of non-legit USB devices is most definitely doable.
 
Since we don't know what your organization is, we don't know if there are any federal rules, regulations, or mandates regarding data loss/data theft, or even what kind of data your org works/deals with.
Maybe they're just trying to cover their ass and prevent as many possible areas of intrusion.
 
easiest way to find out what they can detect is to start plugging stuff in. Better start a'pluggin
 
easiest way to find out what they can detect is to start plugging stuff in. Better start a'pluggin

LOL. I already did before I got training. Plugged my personal phone in to charge. IT never showed. Probably on some report somewhere. :D
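The "report somewhere" the post above jokes about does not even need agent software on a Windows host: the operating system records the first driver install for every new device in its own setupapi log. The following is an added example (Python), not code from the thread or from any vendor product mentioned in it. It reconstructs first-connection times per device from setupapi.dev.log. It assumes a Windows 7-or-later host; the log lines below are constructed in that file's section format, and the serials and timestamps are made up.

```python
"""Reconstruct USB first-connection history from setupapi.dev.log.

Added example. Assumes a Windows 7+ host, where the PnP installer writes
C:\\Windows\\inf\\setupapi.dev.log. SAMPLE_LOG is constructed in that
file's section format; serials and timestamps are invented.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_04E8&PID_6860\A310AFC1]
>>>  Section start 2014/01/17 14:50:12.001
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2014/01/17 14:50:14.212
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E06B1234&0]
>>>  Section start 2014/01/20 09:02:33.450
<<<  Section end 2014/01/20 09:02:35.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
>>>  Section start 2014/01/21 17:41:02.000
<<<  Section end 2014/01/21 17:41:04.800
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
USBSTOR_RE = re.compile(r"^USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_[^\\]*\\")


@dataclass
class Install:
    device_id: str
    first_install: datetime
    bus: str                        # "USB", "USBSTOR", ...
    vendor: Optional[str] = None    # USBSTOR only
    product: Optional[str] = None   # USBSTOR only
    serial: Optional[str] = None    # None when the device reported no serial


def _describe(device_id: str, when: datetime) -> Install:
    bus, _, rest = device_id.partition("\\")
    rec = Install(device_id=device_id, first_install=when, bus=bus)
    m = USBSTOR_RE.match(device_id)
    if m:
        rec.vendor, rec.product = m.group(1), m.group(2)
    inst = rest.rsplit("\\", 1)[-1]          # last path component = instance ID
    if inst[1:2] == "&":                     # '&' as 2nd char: Windows-generated, no serial
        return rec
    # USBSTOR appends "&<lun>" to a real serial; strip it.
    rec.serial = inst.split("&")[0] if bus == "USBSTOR" else inst
    return rec


def parse_setupapi(text: str) -> List[Install]:
    """Pair each hardware-initiated install header with its section start time."""
    installs: List[Install] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            installs.append(_describe(pending, when))
            pending = None
    return installs


def removable_storage(installs: List[Install]) -> List[Install]:
    """Only the entries that enumerated as USB mass storage."""
    return [i for i in installs if i.bus == "USBSTOR"]


if __name__ == "__main__":
    for rec in removable_storage(parse_setupapi(SAMPLE_LOG)):
        print(rec.first_install, rec.vendor, rec.product, rec.serial or "<no serial>")
```

This log only records the driver install, so it gives the first time each device was seen on that host, not every later attach; the per-connection alerts other posts in this thread describe need an endpoint agent or the Windows event log. A device that reports no serial gets a port-dependent, Windows-generated instance ID (the second character is `&`), so such a unit cannot be tracked across machines or ports by ID alone.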
 
USB drive can be compromised as soon as it is plugged into a compromised PC.

CDR/DVDR won't be compromised.

Further, for a while some companies were selling USB sticks with bloatware installers crammed into them at the store designed to autoexecute when plugged in.
 
The draconian USB security policy is at least in part about mitigating the stupid, old, and incredibly effective trick of throwing infected USB sticks into the parking lot of your target.

Special $100 4GB Kingston USB sticks that seem to work normally? It's probably one of these, and they're probably using something like this USB management server, which can do all of the paranoid things you were thinking of and more. They could even set it up to set off alarms if you plug your legit USB stick into the wrong PC (scroll down and select the "Compliance" tab), so detection of non-legit USB devices is most definitely doable.

Definitely not one of those models. Looked kind of like this but older maybe. More square tail end. Hate the huge sliding cover thing.

[image: kingston_data_traveler.jpg]


I've owned a data traveler USB before. Still have it. But to use the encrypted side you did have to login every time if I recall. Could still be used as a normal USB if you wanted. The DT login screen popped up each time you plugged it in I think. The work one I used had no such login. I would feel better if it physically popped up an AV scan each time it was plugged in or transferred files. Kind of like how my personal Internet security AV software does for downloads from the web.
 
I work in an ISO audited IT department for a financial institution and we have to be very very careful, everything has to be locked down, laptops encrypted etc etc. It's not so much to protect against viruses but to stop the transfer of data from the network without prior consent.

Also we can see when USB devices are blocked; even a basic AV such as Sophos Endpoint can do this! McAfee AV can also block USB and they sell special USB memory sticks that you allow or disallow via the console.
 
I know there is software out there that lets you manage USB domain wide based on the manufacturer and model ... so it's possible that they have blocked everything except this specific model of USB drive.

 
The draconian USB security policy is at least in part about mitigating the stupid, old, and incredibly effective trick of throwing infected USB sticks into the parking lot of your target.

Special $100 4GB Kingston USB sticks that seem to work normally? It's probably one of these, and they're probably using something like this USB management server, which can do all of the paranoid things you were thinking of and more. They could even set it up to set off alarms if you plug your legit USB stick into the wrong PC (scroll down and select the "Compliance" tab), so detection of non-legit USB devices is most definitely doable.

Infected USB drives got the Flame virus into that Iranian uranium enrichment facility.
 
Solarwinds LEM/Trigeo sends us these alerts every time a USB device is connected to an end user's computer:

Attached "SPH-L710" (MTP USB Device) at 2014-01-17 14:50:12.0 on ws-main14.domain.local
USB device ID: USB\VID_04E8&PID_6860\A310AFC1
User Account: jdoe

It also allows you to whitelist a device based on the USB Device ID, like Ciggwin mentioned.
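The alert above carries everything an allowlist needs: the Windows device instance ID (vendor ID, product ID, and the unit's serial or a generated instance path) plus the logged-on user. The following is an added example (Python) of how such a whitelist is evaluated, not code from the thread, from SolarWinds LEM, or from any other product named here. It covers both the model-level rule another post describes (allow one manufacturer/model) and a tighter serial-plus-user rule. The alert text and rule fields (`vid`, `pid`, `serial`, `users`) are constructed for illustration; the first alert mirrors the one quoted above, while the Kingston PID and serials are placeholders rather than a real product's values.

```python
"""Evaluate USB attach alerts against an approved-device allowlist.

Added example, not vendor code. Alert text and rules are constructed;
VID 0951 is Kingston's USB vendor ID, the PID and serials are placeholders.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Device instance ID as logged: USB\VID_xxxx&PID_yyyy\<instance>. The instance
# is the unit's serial when it reports one; otherwise Windows generates a
# port-dependent ID such as "7&1a2b3c4d&0&1" (second character is '&').
DEVICE_ID_RE = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(\S+)")


@dataclass(frozen=True)
class UsbEvent:
    host: str
    user: str
    name: str
    vid: str
    pid: str
    instance: str


@dataclass(frozen=True)
class AllowRule:
    """vid/pid pick a model; serial and users optionally narrow it (None = any)."""
    vid: str
    pid: str
    serial: Optional[str] = None
    users: Optional[FrozenSet[str]] = None


def parse_alert(text: str) -> UsbEvent:
    """Parse one multi-line alert in the format shown in the post."""
    m_att = re.search(r'Attached "([^"]+)".*? on (\S+)', text)
    m_id = DEVICE_ID_RE.search(text)
    m_user = re.search(r"User Account:\s*(\S+)", text)
    if not (m_att and m_id and m_user):
        raise ValueError("unrecognised alert format")
    vid, pid, inst = m_id.groups()
    return UsbEvent(host=m_att.group(2), user=m_user.group(1), name=m_att.group(1),
                    vid=vid.upper(), pid=pid.upper(), instance=inst)


def has_real_serial(instance: str) -> bool:
    """Windows-generated (serial-less) instance IDs have '&' as their 2nd char."""
    return instance[1:2] != "&"


def evaluate(event: UsbEvent, rules: Iterable[AllowRule]) -> str:
    """'allow' if any rule covers the event, else 'alert' (device is contraband)."""
    for r in rules:
        if (r.vid.upper(), r.pid.upper()) != (event.vid, event.pid):
            continue
        # A serial-pinned rule can never match a unit that reports no serial.
        if r.serial is not None and (not has_real_serial(event.instance)
                                     or r.serial != event.instance):
            continue
        if r.users is not None and event.user not in r.users:
            continue
        return "allow"
    return "alert"


# Constructed samples: the phone alert from the post, an approved stick, and
# the same stick model without a serial (what a cheap clone often looks like).
ALERT_PHONE = """Attached "SPH-L710" (MTP USB Device) at 2014-01-17 14:50:12.0 on ws-main14.domain.local
USB device ID: USB\\VID_04E8&PID_6860\\A310AFC1
User Account: jdoe
"""
ALERT_APPROVED = """Attached "DataTraveler 2.0" (USB Mass Storage Device) at 2014-01-20 09:02:33.0 on ws-main14.domain.local
USB device ID: USB\\VID_0951&PID_1607\\0019E06B1234
User Account: jdoe
"""
ALERT_CLONE = ALERT_APPROVED.replace("0019E06B1234", "7&1a2b3c4d&0&1")

MODEL_RULES = (AllowRule(vid="0951", pid="1607"),)  # any unit of the approved model
STRICT_RULES = (AllowRule(vid="0951", pid="1607", serial="0019E06B1234",
                          users=frozenset({"jdoe"})),)  # that unit, that user

if __name__ == "__main__":
    for label, alert in (("phone", ALERT_PHONE), ("approved", ALERT_APPROVED), ("clone", ALERT_CLONE)):
        ev = parse_alert(alert)
        print(f"{label:8} {ev.vid}:{ev.pid} {ev.instance:16} model={evaluate(ev, MODEL_RULES)} strict={evaluate(ev, STRICT_RULES)}")
```

A model-only rule (`MODEL_RULES`) is what "approved Kingston sticks that behave normally" usually means in practice: any stick with that VID/PID mounts, so a look-alike with the same IDs is let through. Pinning to serial and user (`STRICT_RULES`) closes that gap, but only for devices that actually report a serial.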
 
One thing you can do is get an external USB battery pack.

Plug the battery pack into your computer via USB, and then plug your phone into your battery pack. The battery pack precludes anything but electricity from passing to or from the phone.

There are secondary benefits also. Even if all you have access to is a bone stock USB port that only does 0.5amps, most battery packs have at least one 1-2amp output port. You leave the battery pack connected to the computer 24/7 which keeps the battery pack charged (even at 0.5amps) and then you quick charge your phone from your battery pack at 1-2amps. This actually works great to make any USB port viable for long-term quick phone charging, even the USB ports on the front of Cable TV boxes, etc.
 
We use Sophos here to control the USB/optical drives. Client requirements make us lock them down. I get alerts when any of the policies we have set up are broken.

We know all and see all ;)
 
company's network and machines... company's rules.

My employer is starting to do something similar for security reasons. There will be Ironkeys that can be used by authorized users only, but that still doesn't completely secure the network.

Remember it's not just about connecting USB keys for copying data. Some USB keys can have a virus on them or some botnet that even the most skilled user might not know about. I've seen it first hand where a friend brought a USB from home, used it at work and brought it back home to work on his stuff at the house. Somehow at the office he downloaded something that was compromised. Turns out his work machine was infected and he almost lost his office machine and his home machine. Lost a week of productivity from the incident.

As for charging, all mobile devices come with a wall charger these days. Shouldn't be an issue to find a wall outlet and charge.
 
Nice timing on this topic, as we may have to start locking down thumb drives soon.
For anyone else who does this, what are you using to enforce and monitor usb devices?
 
We track everything that is plugged into a machine here. Approved thumb drives and HDDs only, and they all come from the IT dept. Phones are denied mounting, but can charge off the USB port, though most of our users bring a wall charger since USB charges so slowly.
 
I work for a healthcare provider and our USBs work just fine.....unsure if it's HIPAA compliant or not....


Anyone else work medical IT?
 
I consult and have worked in the Medical IT field for the past 15 years.

When it comes to HIPAA compliance I take things 2 ways:
1. common sense - lock your systems down, educate users, control environment and network.
2. Caution approach - if it smells funny, looks funny, rubs you the wrong way.... Pass. It's not worth the trouble or the fines. And the fines aren't cheap!

It's worked for me so far! However, I still have some facilities using XP and I don't know when they plan to switch..... but hey that's not my call.
 
LOL. I already did before I got training. Plugged my personal phone in to charge. IT never showed. Probably on some report somewhere. :D

You should plug one computer into another with a USB cable. You'll get reported twice!
 
There are a few reasons companies have a strict policy involving USB drives. First, it may be that they do not want you to save any information to an external source. This is true in many financial and health industries as well as government industry. Second, it may be they are worried about viruses or bloatware; this was a big problem not long ago and today there are many countermeasures to it, but some companies feel the financial risk involved is too great. Third and most likely is the amount of espionage being done by the Chinese using parts manufactured within their borders. The US government has a ban on pretty much all hardware/software coming out of China.

As for how a company can see when you use it? There are so many programs out there that can do this, I am honestly surprised you don't believe them... I have worked with software that not only would tell you when they plugged in the device and what device it was, but correlated it to where they were located in the building and what time, and then sent a page to security with the information so they could confiscate it and take the individual in. There is software and systems that can even go further than that. It is all about gathering information. Badging in? I now know where you are and how long you have been there. Logging into a service? I know what you are doing with your time. PKI cards? I know when you are at your computer. Sure some of these you can get around, but you start throwing them all together and even if you do try to circumvent the system, there is enough information from various programs to give them a good idea where they might find you. Most of this information is actually used for auditing purposes to help determine budgeting and policy. It's not so much for policing, but for forecasting.
 
I'm glad my company does not restrict USB. We have like 500MB of storage on our home drives if that, and like 50MB for email, that's just not enough. Everybody stores locally and backs up to USB/external drives.
 
One thing you can do is get an external USB battery pack.

Plug the battery pack into your computer via USB, and then plug your phone into your battery pack. The battery pack precludes anything but electricity from passing to or from the phone.

There are secondary benefits also. Even if all you have access to is a bone stock USB port that only does 0.5amps, most battery packs have at least one 1-2amp output port. You leave the battery pack connected to the computer 24/7 which keeps the battery pack charged (even at 0.5amps) and then you quick charge your phone from your battery pack at 1-2amps. This actually works great to make any USB port viable for long-term quick phone charging, even the USB ports on the front of Cable TV boxes, etc.

Just bring your wall charger that came with your phone, less hassle, less problems and does not go against the companies rules.

We straight up block USB devices, storage that is; you can plug in your phone and it will charge but you can't access it :) best of both worlds!

^^ Your company sounds poorly managed; why are people dealing with their own backups with their own devices?
So what happens when someone takes that USB drive home, it gets compromised, and then they bring it to work and your network gets hosed?

End users never understand, or want to, why IT does things; in the end it is for company policy/security. If you need more than 50MB of email space, write to them why and explain....

Most people do not need a lot of email space; they just instead use email as a method of hoarding crap, like contact info (save it in a contact list?), attachments (save them to your documents?) and so on.
 
Most people do not need a lot of email space; they just instead use email as a method of hoarding crap, like contact info (save it in a contact list?), attachments (save them to your documents?) and so on.

THIS. "I NED MOAR SPACE!!!!"

Why?

"...CAUSE I DO!!!!"

Digital hoarding is a serious problem.
 
There are certainly lots of ways of doing everything you listed. For DLP we use a vendor called Code Green. It actually creates a hash of the protected data and we have extremely granular control over what can leave, how it can leave, and even when.
 
@ OP,

You do realize that these rules are in place not only for network security but for the security of data? By being able to track what is being plugged into your systems, they can also determine who is stealing data and/or accessing it for malicious purposes.

There are greater threats to a business than viruses and malware. One of these is leakage of information (e.g. PII, confidential information, trade secrets, top secret documents, etc.), which must've gone way over many people's heads if all they're thinking about is how inconvenient it is for them not to be able to charge their phone or camera.

Last I checked, you're at work to work. If it's work-related, your employer should provide you with other means to connect, but otherwise you can keep your personal stuff where it belongs: at home.
 
THIS. "I NED MOAR SPACE!!!!"

Why?

"...CAUSE I DO!!!!"

Digital hoarding is a serious problem.

So true....So true.

We have some processes that take photos and they insist that they must keep the photos FOREVER and be able to access them at all times, so no archiving. And it's not like we are any kind of health institute or investigating murders or anything like that.
 
@ OP,

You do realize that these rules are in place not only for network security but for the security of data? By being able to track what is being plugged into your systems, they can also determine who is stealing data and/or accessing it for malicious purposes.

There are greater threats to a business than viruses and malware. One of these is leakage of information (e.g. PII, confidential information, trade secrets, top secret documents, etc.), which must've gone way over many people's heads if all they're thinking about is how inconvenient it is for them not to be able to charge their phone or camera.

Last I checked, you're at work to work. If it's work-related, your employer should provide you with other means to connect, but otherwise you can keep your personal stuff where it belongs: at home.

This. People always complain about USB policies getting in the way of work, but I cannot think of a legit situation where someone in the enterprise should ever need USB drives for anything. 'I took some files home and worked on them from home.' -There's a VPN for that. 'I wanted to give this document to so-and-so down the hall' -Do it over the network the proper way, so that it's scanned and logged.

So true....So true.

We have some processes that take photos and they insist that they must keep the photos FOREVER and be able to access them at all times, so no archiving. And it's not like we are any kind of health institute or investigating murders or anything like that.

Put together a quick report detailing how much money it costs to keep those files around accessible forever, and if it winds up being any sort of meaningful amount then go to your boss and say 'This is how much money we're spending to do this. Are we sure that we actually need to do this? We can save X dollars per year by avoiding it, so that is something I think is worth pursuing.' If your boss is proactive, (s)he will go through the proper channels to determine what requirements those people ACTUALLY have and what can really be archived. If they're not proactive enough to do that, well, that's their loss, not yours.

The easiest way to get management to change something is to show them the real costs and values in terms of dollar amounts.
 
I would discourage anyone from ever charging their phone on a computer (or USB port) that they do not own and trust completely. If you absolutely must then you should look into charge only USB cables.
 
OK, my company seems totally paranoid about security, but some of the claims seem a bit outlandish. Then again, I am a networking idiot. :p
.....
I say mostly hogwash just to scare people "straight" to prevent viruses (since typical users are even bigger morons than I am :D). Or can IT depts. actually play such Big Brother shens?

So some of the new machines allow you to tie the serial number of the HDD to the machine, no other HDD works, so that leaves you with the corp image, there are a few ways that you could overcome this, but it really doesn't get you past the company's security.

So going on the face that you have to use the company image, I could, using the right software control each and every aspect of your experience. I run our company's proxy servers, so I can see everywhere you go, even if you connect to our guest network and surf, and if I turned on SSL decryption I can see everything you do (CC#'s SSN's everything), and that's if I don't log into your machine and just watch your screen while running a keystroke logger. Or I could just install something like Spector Pro and get everything you do emailed to me on or off the network.

That being said, about 3 years ago I tested some endpoint security software that allowed me to manage every single exit point on your machine, from IR, USB, Display, everything, I could set it up so that you could only use the USB key that I gave you based on serial, but only your username would allow it, and then only read it, no writing, or not allow you to use display ports. It was basically a on/off/read/write switch for everything.

We have people who really violate, or attempt to violate, our rules; we have a very harsh talk with them that they do NOT own the machine they are using, or anything on it, all of it belongs to the company. Our TOS even tells them that should they bring in a HDD from home, we can search it, make copies of the tasty photos of your wife/girlfriend, and keep them forever as proof why we needed to terminate your employment.

Also, you should know, as a Security Engineer for the last 15 years, just because someone violates our rules, doesn't mean I come running because they tried to go to some adult website, we look for people who KEEP doing it, and then see what else they are doing. Kind of like if you are a security guard for a store and you see someone stuff a $10 shirt into their backpack, sure you could run down and grab them, but if they don't leave the store, it's not stealing, and you won't ever know if they are going to walk over and steal a $2000 ring out of the jewelry display. Catch them for the big stuff, not the small crap.

Or you could do what the FBI does and just seal the USB ports up with epoxy. ;)
 
I work in an ISO audited IT department for a financial institution and we have to be very very careful, everything has to be locked down, laptops encrypted etc etc. It's not so much to protect against viruses but to stop the transfer of data from the network without prior consent.

Also we can see when USB devices are blocked; even a basic AV such as Sophos Endpoint can do this! McAfee AV can also block USB and they sell special USB memory sticks that you allow or disallow via the console.

I also worked for a financial institution that was audited by the FDIC. The only thing I got dinged on was the USB ports not being locked down. I made the necessary changes and the CEO got peeved when he could not take his work home and "work" on it.

The other employees started to complain also because they could no longer bring in their music and pictures, finally they started complaining and I was "relieved" of my job for doing what the federal government told me I should be doing.

good riddance I say
 
I work for a healthcare provider and our USBs work just fine.....unsure if it's HIPAA compliant or not....


Anyone else work medical IT?
I have worked with a few clients on it.
Technically having a USB device policy in place that all the users have signed meets the requirements.
However, that will not save you from fines if they decide that since the technology exists to enforce the policy and you didn't use it, you get a huge fine.
When there is a breach remember they are all about passing the buck and making it your fault not theirs for making the wrong rules that didn't cover the vulnerability.
I expect to see more and more companies locking them down, just like in the old days of disconnecting the floppy drive.
The more things change the more they stay the same.
 