Security Focus
Hacksaw Cuts Road Warriors
8/10/2007
By Doug Gale
Even
worse, it doesn't take a lot of imagination to think of even more
malignant ways to exploit this concept: say, installing a Trojan horse
that logs passwords and logons. (One security expert did this by
leaving a bunch of USB drives lying around in the parking lot of a
company that had hired him to test their internal security.)
The U3 Open Standard
The key to USB Hacksaw is the emergence of the open-standard U3
smart drive, which was co-developed by SanDisk and M-Systems. U3 allows
users to take their applications, along with their data, to any
USB-equipped Windows PC and launch applications from the flash drive
itself.
How does a U3 drive work? Within a U3 drive there are
two partitions, a large data partition that shows up as a regular flash
drive and a small 4 MB read-only partition that pretends to be a
CD-ROM. Believing that the small partition is a CD, Windows
automatically runs the U3 "LaunchPad" program using the "AutoPlay"
feature in Windows 2000, XP, and Vista. In the case of "Hacksaw," some
additional programs have been placed on the flash drive. Because it is
based on "AutoPlay," U3 devices are not compatible with the Mac, Linux,
or Windows 98/ME operating systems. When I plug a U3 flash drive into
my Mac, I see the large data partition and an icon for a CD/DVD drive,
which I can't read.
Why would anyone consider using such a
dangerous device? Why not just ban U3 flash drives? The short answer is
that portability, ease of use, and convenience trump security every
time. How often have you tried to run a PowerPoint presentation from a
flash drive on someone else's computer only to find that they are
running a different version of the software? Or suffered the
frustrations of Web browsing from a computer lacking your own
bookmarks? Or dealt with the hassle of synchronizing e-mail downloaded
on the road with your primary e-mail program at home?
For road
warriors resigned to lugging a laptop through airport security,
recreating your home base environment on a remote computer--for
example, a hotel business center or remote corporate site--with
something that fits comfortably in your pocket is a very appealing
feature. While one vendor (Kingston) has dropped support for the U3
standard, citing lackluster sales, a poll by GetUSB.info of their users
in March of this year found that 64 percent owned a flash drive with U3
software. Finally, the biggest players in the industry, SanDisk,
Verbatim, and Memorex, all offer U3 products. U3 is probably here to
stay.
The problem of someone stealing data from an unattended
computer using small USB memory devices has been around for some time.
Hacksaw adds a new dimension. Monitoring what is plugged into a
corporate computer doesn't address this problem. Disabling AutoRun
probably isn't a viable solution, as that would inhibit valid
applications. Banning U3 devices will probably work as well as banning
iPods or other USB memory devices. Encryption helps, but in the real world
most of the information we carry around isn't encrypted or even
protected.
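For anyone weighing the AutoRun trade-off above, the following added example (not part of the original column) audits the Windows NoDriveTypeAutoRun policy and reports whether either of the two U3 partitions could still trigger AutoRun. The 0x91 fallback for an unconfigured XP/Vista machine and the function names are assumptions of this example.

```python
import sys

# NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
DRIVE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,   # the U3 data partition (ordinary flash storage)
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,       # the U3 read-only partition that presents as a CD-ROM
    "ramdisk": 0x40,
}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ASSUMED_DEFAULT = 0x91   # assumption: XP/Vista default when no policy is set


def effective_mask(hklm_value, hkcu_value, default=ASSUMED_DEFAULT):
    """HKLM overrides HKCU; fall back to the OS default when neither is set."""
    for value in (hklm_value, hkcu_value):
        if value is not None:
            return value & 0xFF
    return default


def u3_exposure(mask):
    """Return which of the two U3 partitions can still trigger AutoRun."""
    return {
        "cdrom_partition_autoruns": not mask & DRIVE_BITS["cdrom"],
        "data_partition_autoruns": not mask & DRIVE_BITS["removable"],
        "blocked_types": sorted(n for n, b in DRIVE_BITS.items() if mask & b),
    }


def read_policy(hive_name):
    """Read the live value (Windows only); handles REG_DWORD and REG_BINARY."""
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            value = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        return None
    return int.from_bytes(value, "little") if isinstance(value, bytes) else value


if __name__ == "__main__":
    hives = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    # Off Windows, use constructed input: a machine with no policy configured.
    values = [read_policy(h) for h in hives] if sys.platform == "win32" else [None, None]
    print(hex(effective_mask(*values)), u3_exposure(effective_mask(*values)))
```

A mask with bit 0x20 set stops the emulated CD partition from auto-launching while leaving other drive types untouched.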
So what should security-conscious Road Warriors do?
Is it our fate to lug our laptops around forever? I'd like to hear from
readers about what, if anything, can or should be done about this new
threat. You can reach me at the e-mail address below.
Doug Gale is president of Information Technology Associates, LLC (www.it associates.org), an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.
Cite this Site
Doug Gale, "Hacksaw Cuts Road Warriors," Campus Technology, 8/10/2007, http://www.campustechnology.com/article.aspx?aid=49613