5

I am working on security for an organisation, we have purchased some encrypted USB keys but wanted to stop any employees leaking data. is there any way to stop their laptop accepting any key but the encrypted one's and also stop the use of the encrypted keys on other PC's.

I do not want to prevent any specific attack, but it is just the users of the system are not very well informed, and I don't want them to leave any data on their home computers or for the data to be given to someone else who have knowledge of the encryption code.

Harris Mirza
  • 53
  • 1
  • 1
  • 4

5 Answers5

3

Almost, but not really.

Each USB device has a "Vendor ID" and a "Product ID", which the OS uses to determine which type of device it is. These IDs are officially registered and guaranteed unique. And you can set policies in Windows to restrict which device IDs are allowed to connect. Problem solved.

Except no. It's up to the device to correctly report its IDs. And it's possible (and in fact common) for malicious devices to impersonate legitimate devices in order to bypass this feature. There's even a pass-through USB device you can use to change the ID seen by Windows for any USB device specifically to thwart this feature.

tylerl
  • 82,225
  • 25
  • 148
  • 226
2

To stop the users from using other keys than the approved "encrypted USB keys", you may add some OS-side filters, as @LucasKaufmann explains. But most ways to filter devices can be worked around; basically, the filter will ask for the device vendor identifier and model, possibly the serial number, and decide whether the device is "allowed" or "not allowed" based on this information. A user could modify a programmable USB device to mimic an approved key, by sending the same identifiers to the machine. This will defeat most filters.

The problem of preventing the use of the approved encrypted keys on other machines than the user's approved laptop or desktop system is dual: this time, any filtering should occur in the encrypted USB key, who should reject "unapproved" laptops. This seems even harder to maintain.

At that point, you might want to shift the problem. From your description, I suppose that you want users to be able to exchange data files between their "approved" laptops/desktop systems, but not with non-approved machines. To obtain this functionality, you might be able to setup a VPN linking the approved machines together, thus avoiding the use of any USB device at all -- at that point, you can then configure the laptop OS to refuse all USB devices altogether (this can be done in software, or in a more physically aggressive way by pouring epoxy glue in the USB ports).

(Of course, if the USB keys have already been bought, or, even worse, using encrypted USB keys is the pet idea of some upper manager, then not using the keys might not be an acceptable option. However, I still encourage you to write down, in specific details, what security properties you are trying to achieve -- namely, the attack model.)

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
1

This is possible, software like Symantec Endpoint Protection can essentially control this. The problem is that if they really want to use their own USB sticks, they could easily modify the firmware of their pendrives.

The benefit of software like Endpoint Encryption is that you can use right about any pendrive and it will install it's own proprietary encryption software on the pen drive. So you can use any USB drive and EPE will enforce that all files are encrypted before being written on to the pendrive. (note that this is also bypassable using above described technique)

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
0

It's certainly possible, but how easy it is to do will depend on your operating system. In Windows, you (for past versions - I don't use windows any more) denying access to these files would prevent new devices being accessed:

%SystemRoot%\Inf\Usbstor.pnf %SystemRoot%\Inf\Usbstor.inf

In a Linux/Unix/*nix environment, you could use UDEV rules to run a script on USB connect, and then vet the devices using that script. This question on superuser may be of use.

Community
  • 1
Owen
  • 1,066
  • 5
  • 9
0

None of the answers have really addressed the second part of your question "stop the use of the encrypted keys on other PC's".

I don't have a complete solution to this, but an idea that may get you started.

You create a TrueCrypt container on the disk. Instead of using a password, generate a random key file, and use only the key file (no password) - you can do all this easily from the "Create Volume" wizard. Save the key file in your profile. That way, you have access to the key file on any corporate machine, where the USB stick is authorised, but don't have the key file on any untrusted PC. This will actually work with any USB stick; it doesn't need hardware encryption.

This procedure works for you, assuming you follow it correctly. But if you're doing this in a corporate environment, this does not protect you against malicious or careless users. But you may be able to cobble something together:

  1. The IT department creates the initial TrueCrypt container and stores the key file in the user's profile.
  2. Create a custom AutoPlay action that triggers when a relevant USB drive is inserted, and mounts the TrueCrypt container (and deploy this using Group Policy)
  3. Use Group Policy to hide the drive letter of the USB drive - so only the TrueCrypt container is accessible to the user.

With this in place, users can effectively use these USB drives like normal drives. They are encrypted and only readable on corporate PCs - and in a way that is pretty transparent to users. I don't know if any commercial products implement this scheme.

The only thing I would ask: what do your users actually need USB drives for? It's usually just as easy to use a network share.

paj28
  • 32,736
  • 8
  • 92
  • 130