7

Let's say my PC and server are in an environment where a theoretical attacker has physical access to the machine while I'm not there. Now, the data is encrypted on the hard drive with TrueCrypt. However, if I'm not there I usually don't bother dismounting the encrypted containers, as it's time-consuming to enter the long password to remount them each time. So the data is readable if you have access to the machine and know the password to log in. Now I assume the data must also be readable if I'm not logged in, as they could plug a device into one of the USB ports and copy the unencrypted data from the hard drive partitions that are mounted.

My plan is to stop a casual attacker (e.g. a flatmate, colleague, etc.) from plugging in and copying data from the hard drive. Obviously it's less likely they're going to open up the case and hot-plug something into the PCI bus to do it. Also, it's unlikely they will walk off with the PC to do a thorough job of it.

How do I disable unused USB ports etc. when the computer is in 'locked' mode so that they can't just plug in and copy data from the hard drive? Any other precautions I could take?

Methods and/or suggestions for Windows 7 and Linux would be great. Thanks!

bangdang
zuallauz
    From what you wrote, it's the typical security/usability tradeoff: are your data worth *at least* the time you spend entering the password? If not, why bother with any encryption at all? – Piskvor left the building Mar 28 '12 at 09:54
  • If the account is locked then they cannot copy any data. If they were to log into another user, then the locked user's data would be secure. I still feel you're trying to solve the wrong problem. – Ramhound May 07 '12 at 11:29
    In that scenario, you should also worry about FireWire, which has DMA support – ixe013 May 08 '12 at 12:59
  • On Linux USB-devices are not normally automounted. Normally you need root-access to do so. What Linux are you talking about here? – Nils May 10 '12 at 11:01
  • @Nils: Most of the consumer-oriented Linux distros (Ubuntu comes to mind) automount USB devices R/W for the logged-in user (which usually means "user with an X server at display :0"), out of the box. More detail from the OP is needed, indeed. – Piskvor left the building May 11 '12 at 09:23
  • Sorry, using Ubuntu 12.04 server – zuallauz May 11 '12 at 09:24
  • Even so - do you have that problem if you set your default-runlevel to 3 in /etc/inittab, too? I see no reason to run a graphical GUI on a linux server. – Nils May 11 '12 at 20:35

7 Answers

14

The standard approach is to fill the USB ports with epoxy resin. Of course, this must be combined with similar approaches to seal the case, so the attacker can't get in via the PCI bus, etc.

Note that even if you do this, law 3 still applies: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

EDIT: reflecting update to question:

In the specific scenario you outline, then to block it, just turn off auto-run. It should already be off in Windows if you've got it patched properly; in Linux how to turn it off (or even if it's on) depends on Distro, Desktop Environment, etc.

However, please do note that the specific scenario you outline does not make sense. If the attacker is serious enough to build a custom USB stick to do this, then they are not going to be so casual that they give up when it doesn't work, and will try something else. Boot from a LiveCD, copy your TrueCrypt volumes, install a keylogger, and wait to get the password in the mail, for example. Law 3: it's their computer now.

Actually an attacker serious enough to build such a stick probably isn't going to bother because they'll not expect auto-run to still be on.

Graham Hill
    This is the "standard approach"? I was thinking more on the lines of disabling via the BIOS or, if it's necessary to make them available without reboot, Device Manager. +1 for "law 3". – Iszi Mar 28 '12 at 13:20
    Hmm, I may have reacted badly to him not being bothered to type in his password. By god, if I've got to remember half a dozen sixteen character passwords, he should too! – Graham Hill Mar 29 '12 at 10:03
  • This is a flippant, unhelpful answer. My use case is stopping a casual attacker, e.g. a flatmate, colleague etc. plugging in and copying data from the hard drive. Obviously it's less likely they're going to open up the case and hot-plug something into the PCI bus to do it. Also it's unlikely they will walk off with the PC to do a thorough job of it. It's more of a deterrent. All I want is a piece of software which runs on Windows/Linux which locks the USB ports so that it won't install any new devices when the computer screen is 'locked' and therefore their autocopying device won't work. – zuallauz May 05 '12 at 01:03
    @zuallauz It is a realistic answer that is relatively commonly practiced. That would be a handy bit of software as you're asking for it, but I'm not aware of its existence. As far as Windows / Linux go, the hardware won't talk to a device unless the kernel recognizes it, but that doesn't help if you have some devices on. – Jeff Ferland May 05 '12 at 02:01
  • @zuallauz - You are trying to solve the wrong problem. If you walk away from your computer then you shouldn't be logged into your computer. If your computer is locked then they cannot copy the data. – Ramhound May 07 '12 at 11:26
7

I can give you a Linux solution. Firstly, you'll need to use this script to lock your screen; secondly, note that this only disables USB storage devices:

#!/bin/sh
# Unload the USB mass-storage driver (fails if a USB disk is still mounted),
# then lock the screen. modprobe needs root, hence sudo.
sudo modprobe -r usb_storage
gnome-screensaver-command --lock

You can modify this to totally disable the usb stack - you'll need to modprobe -r on ohci, xhci and ehci and any other prefixes to hci you can find. In my kernel, these are baked into the core binary, so there is nothing I can do to remove them from the kernel.

Be aware that removing those host controllers will also totally wipe out your usb keyboard and mouse - so ensure you're running serial.

You can also do this the hard way - i.e. no support at all, using the techniques here or by totally removing the relevant controllers from the kernel.

As to whether this can be done on Windows - from looking, not so easily. You can disable USB storage classes using something akin to this method - and you can definitely lock the screen from a script using Rundll32.exe User32.dll,LockWorkStation. However, I suspect a dedicated solution for this would be best.

On the likelihood of USB cloning devices actually working - well the USB spec simply defines a bus. At the host end, you need device drivers capable of communicating with the device for it to work. These exist for mass storage devices, obviously, however, in order to automatically install drivers you need Windows - Linux has no such autorun capability (that I know of). However, Windows does. In which case, a simple solution would be:

  1. Turn off autorun. Windows will then not run any applications automatically on inserting a USB device.
  2. Turn off automatic driver installation. To do this, go to run and type gpedit.msc. Go to Computer Configuration, Administrative Templates, System, Device Installation, Device Installation Restrictions. From here, you can totally disable driver installation - "Prevent installation of devices not described by other policy settings" will do exactly this. (source).

Under these circumstances, there would be no way for an inserted USB device to actually initiate a copy of your disk assuming no bugs in the USB device drivers that could be exploited for this purpose (very, very unlikely).

(Not that I'm paranoid, but I tend to run systems I care about with device driver installation blocked anyway, just for good measure. Also, UAC these days, along with driver signing if you're using x64 Windows, should prompt before installing a driver, so you should be good. But just in case...)

    As for "Turn off autorun" - this is more or less the default in all version of Windows since XP SP2: you'll get a pop-up dialog with the autorun item preselected, but you need to activate it manually (which is not possible when the screen is locked :)). – Piskvor left the building May 07 '12 at 12:18
    @Piskvor true, but if there are ever any bugs in the new autorun functionality, having it turned off is better than having it turned on. Given we're talking about the unlikely case of USB devices capable of cloning hard disks... –  May 08 '12 at 07:50
    That is undeniable. Fewer things enabled == fewer things to go wrong :) – Piskvor left the building May 11 '12 at 09:24
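The unload-on-lock idea in this answer can be made two-way and less disruptive than removing the host controllers. The script below is an added example, not part of the original answer or the OP's setup: it watches gnome-screensaver's ActiveChanged signal on the session bus and, while the screen is locked, writes 0 to every root hub's authorized_default file in sysfs, so that any USB device plugged in afterwards is left unauthorized and no driver (usb-storage included) binds to it; devices already attached, such as the keyboard and mouse, keep working. It assumes a Linux kernel with USB device authorization support (the /sys/bus/usb/devices/usbN/authorized_default files), gnome-screensaver as the locker, and root rights for the sysfs writes. The SYSFS_ROOT variable, the function names and the "run" argument are this example's own.

```shell
#!/bin/sh
# usb-lock.sh: refuse NEW USB devices while the screen is locked (added example).
#
# Mechanism (assumed: kernel USB authorization support):
#   /sys/bus/usb/devices/usbN/authorized_default
#     1 = new devices on that root hub are authorized and get drivers (default)
#     0 = new devices stay unauthorized; nothing binds to them
# Devices already enumerated keep their authorization, so the keyboard and
# mouse attached before locking are unaffected.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"   # overridable so the logic can be exercised on a fake tree

# set_usb_authorized_default <0|1> [sysfs-root]
# Writes the value to every root hub's authorized_default; prints how many hubs were set.
set_usb_authorized_default() {
    val="$1"; root="${2:-$SYSFS_ROOT}"; n=0
    for f in "$root"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue          # unmatched glob is left literal; skip it
        printf '%s\n' "$val" > "$f" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# usb_new_devices_blocked [sysfs-root]
# Succeeds only if at least one root hub exists and every one of them refuses new devices.
usb_new_devices_blocked() {
    root="${1:-$SYSFS_ROOT}"; found=0
    for f in "$root"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue
        found=1
        [ "$(cat "$f")" = "0" ] || return 1
    done
    [ "$found" = 1 ]
}

# lock_action <dbus-monitor line>
# With the signal filter used in main, the only boolean lines printed belong to
# ActiveChanged(boolean active): "   boolean true" = screen just locked.
# Prints "block", "unblock", or nothing for lines that carry no state.
lock_action() {
    case "$1" in
        *"boolean true"*)  echo block ;;
        *"boolean false"*) echo unblock ;;
    esac
}

# main: follow the screensaver state and toggle USB authorization accordingly.
# Needs the user's session bus for dbus-monitor and root for the sysfs writes.
main() {
    dbus-monitor --session \
        "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
    while read -r line; do
        case "$(lock_action "$line")" in
            block)   set_usb_authorized_default 0 >/dev/null ;;
            unblock) set_usb_authorized_default 1 >/dev/null ;;
        esac
    done
}

# Only start the monitor loop when explicitly asked, so the functions above can
# be sourced and checked without touching the real /sys.
case "${1:-}" in
    run) main ;;
esac
```

Start it from the desktop session as `sudo -E sh usb-lock.sh run` (the `-E` keeps DBUS_SESSION_BUS_ADDRESS so dbus-monitor finds the user's bus; alternatively run it unprivileged and grant passwordless sudo for the two writes). After locking, `cat /sys/bus/usb/devices/usb*/authorized_default` should print 0 for every hub, which is the check usb_new_devices_blocked performs. The knob only affects devices plugged in after it is set, which is exactly the 'locked' window the question is about; it does nothing against a device that was already attached before locking, and, as the other answers note, nothing at all against someone who boots from their own media.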
6

If you're using some sort of endpoint protection, it may have the ability to disable USB flash drives. I know Symantec Endpoint Protection has the ability to disable USB flash while allowing other USB devices.

David Yu
6

For Windows 7

You can write a PowerShell script for the lock and unlock screen events to disable the installation of new USB devices. Your script must change the local GPO settings at every lock and unlock of your screen.

  1. Step: hook the lock or unlock screen event

  2. Step: change the GPO

  3. Step: update the GPO so it takes effect

Maybe a solution

LaPhi
2

Becrypt Disk Protect Enhanced is the closest thing I know of to solve your problem. Here is a document on the exact feature I think you're looking for in the software.

XOR
1

We have a standard USB-based solution, where you enter your PIN to view the data on the USB drive; if you leave your desk, no problem.

All the data will be protected: no user can copy these files to any other location (email, HDD, network drive, etc.), and no screen capturing, recording or screen sharing is allowed.

This way no user will ever be able to take away your data from your USB drive.

Rory Alsop
Sunil
    I don't mind if they copy from the USB drive. I mind if they copy the hard drive. Like they plug in a USB based hacking device, it auto installs the drivers etc then runs a script which copies all the data on the hard drive to the device. – zuallauz Apr 03 '12 at 20:27
  • @zuallauz: Can you give an example of the type of device you're trying to protect against? It sounds like you're trying to defend against an imaginary threat. (At least, since Windows machines starts disabling autorun by default.) – David Schwartz May 08 '12 at 05:57
  • @DavidSchwartz I'm also wondering about this. How can USB auto-run itself if auto-run is disabled by default in the OS? Is it even possible? – sed May 08 '12 at 11:13
  • If the computer is locked then software cannot be installed. By default auto-run is disabled in Windows 7. – Ramhound May 10 '12 at 15:32
  • Isn't this how the FBI got Ross Ulbricht, he was distracted and they plugged in a USB drive for just a couple of seconds? – Gabriel Fair Sep 12 '20 at 02:41
0

Why don't you disable the USB-ports in the BIOS?

Apart from that - this is a weak protection if anyone has physical access.

Nils