Monday, December 01, 2008

Windows, USB drives, Military

If you haven't heard, there is a ban on removable re-writable media in effect for the US Military. From what I'm hearing, this could be indefinite. I'm not in any position to know this for a fact, but I've heard that they're looking for a solution to this problem. If it were as easy to fix as disabling autorun, I'm sure that it would have blown over and personnel would be getting their USB drives back.

The above really illustrates the problem of security in a Windows environment. Targeted exploits are being written that are not caught by virus scanners because they're not common enough in the wild. The virus scanners are doing pattern matching and no one has entered the new pattern. Consumer Reports pointed out just how bad the situation was in 2006.

The interesting thing about this is that this worm/virus probably propagated without the user having admin access. Most people take for granted that running as a limited user makes it harder to infect the system. It looks like that didn't stop this virus, since most of those users would not have been running as admins.

Perhaps it's time that the U.S. Military stopped depending on Windows and decided to use other operating systems. The NSA has provided a very valuable Linux kernel security add-on called SELinux. It should be possible to create policies that would prevent this from happening on a Linux system.

To begin, the USB drive should not be mounted with execute permission. This will prevent casual program execution. Using SELinux, it should be possible to limit the user to running only applications specified by the admin in the most restricted environment. I don't know how it's done, but it should be possible to prevent all shells and interpreted programs from running code from the USB drive.
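As an added illustration of the first step above (mounting removable media without execute permission), here is a small POSIX shell audit that is not part of the original post. It renders the hardened /etc/fstab entry and checks /proc/mounts-format lines for removable mounts that lack noexec, nosuid and nodev. The device names, mount points, the sample mount table, and the heuristic that anything under /media or /mnt is removable media are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit mounted removable media for
# the execute-restricting mount options and print the fstab line that applies them.
# Device names, mount points and the sample mount table below are constructed.

# Options that stop casual execution of binaries, setuid helpers and device
# nodes living on the drive.
REQUIRED_OPTS="noexec nosuid nodev"

# has_opt MOUNT_OPTS OPT -> exit 0 if OPT appears in the comma-separated list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts MOUNT_OPTS -> prints the required options absent from MOUNT_OPTS
# (empty output means the mount is fully restricted).
missing_opts() {
    _missing=""
    for _o in $REQUIRED_OPTS; do
        has_opt "$1" "$_o" || _missing="$_missing $_o"
    done
    printf '%s\n' "${_missing# }"
}

# fstab_line DEVICE MOUNTPOINT FSTYPE -> the hardened /etc/fstab entry;
# noauto,user lets a non-root user mount it but only with these fixed options.
fstab_line() {
    printf '%s %s %s %s 0 0\n' "$1" "$2" "$3" "noexec,nosuid,nodev,noauto,user"
}

# audit_mounts FILE -> reads /proc/mounts-format lines, reports removable
# mounts (assumption: anything under /media or /mnt) lacking the required
# options; exit status 1 if any such mount is found, 0 otherwise.
audit_mounts() {
    _bad=0
    while read -r _dev _mnt _type _opts _rest; do
        case "$_mnt" in
            /media/*|/mnt/*) ;;
            *) continue ;;
        esac
        _m=$(missing_opts "$_opts")
        if [ -n "$_m" ]; then
            printf 'WARN %s on %s missing: %s\n' "$_dev" "$_mnt" "$_m"
            _bad=1
        else
            printf 'OK   %s on %s\n' "$_dev" "$_mnt"
        fi
    done < "$1"
    return $_bad
}

# Constructed sample mount table: one properly restricted USB stick, one not.
# On a real system you would pass /proc/mounts instead.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,relatime,noexec,nosuid,nodev 0 0
/dev/sdc1 /media/usb1 vfat rw,relatime 0 0
EOF

fstab_line /dev/sdb1 /media/usb0 vfat
audit_mounts "$SAMPLE_MOUNTS" || printf 'Some removable mounts still allow execution\n'
```

Note that noexec only blocks direct execution of files on that filesystem; an interpreter such as a shell or Python run from elsewhere can still read and run a script stored on the drive, which is exactly the gap the post says an SELinux policy would need to close.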

I know what you're going to say next. There are a lot of Windows applications that are needed. Run them in a virtual machine, but prevent that virtual machine from having access to USB drives. If the user needs data from a drive, the user will have to copy it to an appropriate location. This option will work well in the field. Laptops with virtualization-enabled processors will be able to run VMware or some other VM product well enough for most applications. Harden the laptop with all of the security that it needs.

In an office environment, skip Citrix and provide the users with a virtual machine running on virtual machine products like Qumranet's (recently purchased by Red Hat). Watch the video of 1080p HD content being streamed from the virtual machine to a thin client. I hear that Wyse, makers of thin clients, is having a record year with the economy in a slump.
