To add slightly to the debate (hopefully without muddying the waters),
an exercise a few years ago to install our LMS into a prison (for
circulation administered by staff and Trustee prisoners - no OPAC, no
'Public' PCs) produced an absolute requirement from HMPS Security
Service to block all USB ports on the PC in the OS - and prove to them
that they were blocked - before we could install.
Keyboard stayed on a serial PS2 connector, which gave us a problem with
barcode readers as we'd moved to USB readers and had to revert to serial
Keyboard Wedge readers within the prison.
In fact globally we have only moved to USB mice, not USB keyboards,
except as extra keyboards for laptops. Even the very latest desktops we
use - Viglen for staff back-office, RM for counter and public - come
with USB mice but serial keyboards and appropriate connectors on the
motherboard.
But:
'..Also, key loggers can be USB or PS2, so it's not just a USB
problem...'
So do we have, in fact, two issues - Keyloggers in general, and USB port
management in particular?
Regards
JU
-----Original Message-----
From: lis-pub-libs: UK Public Libraries
[mailto:[log in to unmask]] On Behalf Of ROWE, Niall
Sent: 23 February 2011 17:36
To: [log in to unmask]
Subject: Re: [LIS-PUB-LIBS] USB stick security risks
Hi all,
As this has been raised on this list, I thought it would be worthwhile
letting people know our experiences in case it helps other authorities.
Handforth and Wilmslow libraries are Cheshire East libraries (not
Manchester as the article implies). A reported problem with a keyboard
malfunctioning at Wilmslow library led a member of staff to the
discovery of a device plugged in-line with a keyboard into a PC. Checks
with our ICT Security Team confirmed that the device was a key logger.
Checks on the other PCs in the authority revealed a further device at
Wilmslow library and another at Handforth library.
Immediate action was taken to move the keyboards from the rear USB ports
to a port on the front of the PC (all PCs are desktop mounted) so any
logger would be immediately identifiable by both users and staff (the
latter have been asked to perform twice daily visual checks on the PCs).
The incident was reported to the police, who subsequently took away key
loggers and PCs for investigation, which is still ongoing. It was also
reported to the National Anti Fraud Network, NWWARP (North West Warning
Advice and Reporting Point) members, and the Society of Chief Librarians
(Northwest).
The Council Communications Team published a press release on the matter,
which highlighted the dangers of key loggers and we did have various
subsequent reports from customers who had experienced fraud on their
bank accounts, which may have been attributed to the use of key loggers
in Cheshire East libraries.
As a result of the incident we are revising our People's Network Terms
and Conditions of Use, and are investigating the use of further physical
security measures - whether cases for the base units, or USB locks which
have a cable guard feature (essentially locking cables in to place to
prevent removal). The potential risk will be weighed against the cost of
preventative measures before any final decisions are made.
A couple of things to note: hardware key loggers have the keyboard
plugged directly into them, with the logger then plugged in to the PC.
The device gets its power from the PC, but otherwise works independently
of the PC, so doesn't require installing, and has no interaction with
the operating system. The PC only registers that a keyboard has been
plugged in, so standard anti-virus/anti-malware products do not detect
or protect against them, hence our investigation into physical blocking
options. Also, key loggers can be USB or PS2, so it's not just a USB
problem.
If you've never seen a key logger before (hopefully you won't have come
across them in your libraries), the following site has a couple of good
images on it, especially the image at the bottom which shows how they
look when plugged in to a PC:
http://www.safield.co.uk/usb-keylogger-p-857.html. Whilst not illegal,
these devices obviously pose a significant security risk to users.
The email from Chaz Cozens (Essex) clarifies the difference between key
loggers and other USB devices, so I won't cover that.
Please feel free to contact me if you have any questions.
Kind regards,
Niall Rowe
Systems Librarian
Cheshire Libraries
Address: Bibliographical Services, 91 Hoole Road, Chester, CH2 3NG
Tel: 01244 976715
Mobile: 07786666203
Email: [log in to unmask]
Visit: www.cheshirewestandchester.gov.uk/libraries
www.cheshireeast.gov.uk/libraries
http://libcat.cheshire.gov.uk/
From: lis-pub-libs: UK Public Libraries
[mailto:[log in to unmask]] On Behalf Of Andrew Coburn SLBS LY
LS
Sent: 23 February 2011 11:36
To: [log in to unmask]
Subject: FW: USB stick security risks
Posted on behalf of my colleague.
Andrew Coburn
Acquisitions & Cataloguing Manager
Essex Libraries
I feel I need to add some clarification as there are two different
subjects being discussed here.
USB keyloggers are nothing to do with the USB memory sticks that are
inserted and removed in the same session by customers. A USB keylogger
is inserted by a criminal (there is no legitimate use for the unattended
use of keyloggers on a public machine) between the USB keyboard plug and
the USB socket on the PC. It then stores all "conversations" between
the keyboard and the PC. You are therefore right in saying that the
allowed use of USB devices therefore has no effect on the use of
keyloggers.
In regard to the use of U3 and similar USB devices (raised on the
original thread) the simple solution is to not allow the use of executable
files on the PN machines; this can easily be set using lockdown software
or Windows policies, depending on which your local authority uses. In
Essex we do not allow our users to run any executable, script or macro
as all of these can be exploited by hackers (we do allow users to save
executables should they wish to). We have very few complaints about
this and no recorded successful hacking attack either against ECC,
another site or a customer's details from a PN machine. This still
allows users to use USB sticks (and indeed any USB device that appears
as a hard drive, such as many cameras, phones and audio devices) for the
uploading, saving and transportation of data without problem.
Regards,
Chaz Cozens
Library Systems & e-Government Manager/Information Champion for
Libraries
Adults, Health & Community Wellbeing
Essex County Council
Email: [log in to unmask] www.essex.gov.uk
EssexWorks
For a better quality of life
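The two OS-side controls mentioned in this thread (JU's requirement to block USB in the OS and prove it, and Chaz's point that executables can be blocked via Windows policies) can be audited from the machine itself. The following PowerShell script is an added example, not code from anyone on the list; it assumes PowerShell 3 or later run as an administrator, and reads the documented USBSTOR service `Start` value and the Software Restriction Policies `DefaultLevel` value.

```powershell
# Added audit example (not from the thread). Assumptions: Windows, PowerShell 3+,
# run as administrator. Reports whether USB mass storage and unlisted executables
# are blocked, then lists what the OS currently sees on the USB bus.

function Test-UsbStorageBlocked {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    # Start = 4 disables the USB mass-storage driver; 3 (manual start) is the Windows default.
    [pscustomobject]@{ Check = 'USB mass storage disabled'; Value = $start; Blocked = ($start -eq 4) }
}

function Test-ExecutablesBlocked {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    # Software Restriction Policies: DefaultLevel 0 = Disallowed (only explicitly
    # allowed paths/hashes run); 0x40000 = Unrestricted; missing = no policy set.
    [pscustomobject]@{ Check = 'SRP default rule Disallowed'; Value = $level; Blocked = ($level -eq 0) }
}

function Get-PresentUsbDevices {
    # Everything Windows currently enumerates on the USB bus. As the thread notes, an
    # in-line hardware keylogger is transparent to the OS and will only ever show up
    # here as the keyboard (or a hub), so this list complements, not replaces,
    # the physical checks described above.
    Get-CimInstance Win32_PnPEntity -Filter "PNPDeviceID LIKE 'USB%'" |
        Select-Object Name, PNPDeviceID
}

$results = @((Test-UsbStorageBlocked), (Test-ExecutablesBlocked))
$results | Format-Table -AutoSize
Get-PresentUsbDevices | Format-Table -AutoSize

# Non-zero exit if either control is not in place, so the check can be run
# from a scheduled task or deployment script as evidence of the lockdown.
if ($results | Where-Object { -not $_.Blocked }) { exit 1 } else { exit 0 }
```

If lockdown software rather than Windows policy is used (as Chaz allows for), the SRP check will report "not blocked" even though executables are blocked by other means; the USBSTOR check is independent of that.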
________________________________
From: lis-pub-libs: UK Public Libraries
[mailto:[log in to unmask]] On Behalf Of Day Robert
Sent: 23 February 2011 10:40
To: [log in to unmask]
Subject: Re: USB stick security risks
I saw this story also (and we've had discussions internally in the past
about the possibility of such an occurrence and how we would deal with
it). Whilst I do not underplay the potential risks of public PCs being
compromised in this way, I do think there's a danger in linking it with
the use of USB sticks since I would presume (having no experience of
using one myself it has to be a presumption) that all these keyloggers
require in order to operate is a keyboard that connects via USB (and I'd
expect that the majority of PCs put in during the last 5 years have a
USB keyboard) therefore whether a service allows or does not allow USB
mass storage devices such as memory sticks, etc is irrelevant to this
particular risk.
Regards
Robert Day
Cambridgeshire Libraries
________________________________
From: lis-pub-libs: UK Public Libraries
[mailto:[log in to unmask]] On Behalf Of Hammond, Sarah
Sent: 23 February 2011 09:59
To: [log in to unmask]
Subject: USB stick security risks
I seem to remember somebody asking a question about the security risks
posed by folk using USB sticks on public library computers.
Here's an article on that very subject that may be of interest:
http://nakedsecurity.sophos.com/2011/02/14/hardware-keyloggers-discovered-public-libraries/
Regards
Sarah Hammond
Conference Support Team Member
Conference, English Language and Thesis Cataloguing Team
The British Library
Boston Spa
Wetherby
West Yorkshire
LS23 7BQ