124 Comments
- inactive, on 10/12/2007, -3/+43
A school where I maintained some PCs had an IT supervisor who got sick of having to replace 30-50 mouse balls every month due to student theft.
This jerk superglued the mice shut. Sure, the balls stopped being stolen, but of course within a week the mice also stopped functioning due to dust and grime build up.
New mice were bought TWICE and the same thing with the superglue was done each time.
I don't know how many hundreds of dollars this guy wasted through not just getting cheapo optical mice instead.
- LordLucless, on 10/12/2007, -1/+29
"with a USB porn on it"
Freudian slip much?
- aphexcoil, on 10/12/2007, -4/+32
Just disable USB ports in the BIOS and password protect the BIOS! If they can already get inside the computer to reset the BIOS, then they already can get the hard-drive out of it.
- inactive, on 10/12/2007, -0/+27
Gee, I guess nobody would ever think of emailing the data out. Or scp-ing it out. Or ftp-ing it out. Or using an ssh tunnel over a socks proxy to send it out. Or even just using a cell phone camera, pen camera or other camera device to just photograph what's on the screen. Or just print the data out and take it. Or transmit it to a machine that has drives. Or plug a mouse in that has a usb connector on itself. Or plug a serial-to-usb port into the back. Or plug a keyboard with a USB porn on it into the machine.
- nullmind, on 10/12/2007, -1/+25
At my high-school we had such a problem with theft of equipment that we did rent the equipment to students. But unlike mentioned above (giving each student a mouse) we gave each student a mouse when they wanted to use a computer, and they were required to check-out the equipment before leaving the library.
Someone did steal an entire computer once though.
- grungyhamster, on 10/12/2007, -5/+27
I say removing computers from the workplace. Paper and pen has served this purpose for generations! It could go on for a while more.
- cyssero, on 04/18/2009, -1/+19
Another good point.. but so many OEM motherboards like Dell, Gateway etc. don't allow you to customize options like this. But I guess if security is a real concern, you'd be buying machines that do let you disable it in the BIOS.
- GarethSaxby, on 10/12/2007, -2/+20
@zybch; I hate to tell you this, but that's fairly common practice at schools. Kids will even nick the keys off of a keyboard given half the chance; I've seen mice go missing, let alone just the ball. We've started introducing optical mice here, but a lot of schools buy sets of all in one packaged systems for a discount; They all come with cheapy ball mice.
- dnthomps, on 10/12/2007, -8/+22
http://www.google.com/search?hl=en&q=disable+usb+drives
- filippod, on 10/12/2007, -0/+14
A real solution: server based computing and appropriate user rights and policies.
- inactive, on 10/12/2007, -3/+17
honestly pouring glue into them is a retarded idea.
these kinds of desktop pc's are just ***** in the workplace anyway, using a terminal you could remotely disable the ports without ruining hardware in the process.
otherwise, just disable them in the bios and password the bios, if someone is going to go to the trouble of using a live cd to crack your bios password then simple superglue in the usb ports won't prevent them sending information off.
- theone3, on 10/12/2007, -4/+16
Yeah. I'm sure that's what all the kids will want. A mouse in their pencil case. And you can just imagine the queue for lost mice. Not to mention the batteries, etc, etc.
- cyssero, on 04/18/2009, -4/+15
Someone with real malicious intent could circumvent this or if the CD-ROM drive was connected, load a live OS and be able to use USB devices.
I'm sure there are millions of other ways to stop USB devices, though.. but gluing them does seem like a quick and dirty solution.
- blaksaga, on 10/12/2007, -0/+10
You can prevent people from accessing usb with a live cd by disabling the cdrom as a bootup option in the bios. Then make sure to set a bios password.
Or how about just opening the case and removing the usb connector cables from the motherboard?
- inactive, on 10/12/2007, -1/+10
Wouldn't glue in the USB ports void the warranty, or service agreement, should one of the machine's motherboards need to be replaced?
- adml_shake, on 10/12/2007, -3/+12
Not even that is good enough, a quick search on google will get you the backdoor passwords put into almost all those bios's. Then bam, you're right back where you started.
- GliTCH82, on 10/12/2007, -0/+9
As an IT consultant with many years experience in the business of fixing and securing machines for corporations, it never ceases to amaze me how incompetent some of these system administrators are. There are plenty of OS, software and hardware solutions to secure systems but these administrators either aren't resourceful enough, or don't want to go through the effort of learning to do things the right way.
A domain with a good security policy, individual strong passwords and proper file system and administration security profiles only need to be set once. Voiding your motherboard warranty by super gluing USB ports, and then having to re-glue them again when you get a replacement board is definitely not intelligent.
- portwojc, on 10/12/2007, -1/+9
"What sort of robot turns down a free blast of searing hot resin?" - Futurama
- tigerdyr, on 10/12/2007, -0/+8
If they're not blocking the user's internet connection too - they really shouldn't bother.
- natemc, on 10/12/2007, -0/+8
why the glue? it just makes it a bugger to clean out and if the business leases the machines then they will have some explaining to do when they return them.
The best solution would be a jumpered system that would disable the USB ports with no way around it. Would save a lot of headaches especially when they end up needing the port for something down the road.
You can't stop everything though, even if you plugged up the USB ports an industrious luser with a screwdriver could just open the case and find the header on the motherboard or if someone was interested in the data bad enough, they would just steal the hard drive out of it or the entire machine.
- Agret, on 10/12/2007, -1/+8
@ justice7 if you were in the computer just take out the hard drive?
- Oniony, on 10/12/2007, -0/+7
Ah, well those ones you disguise with confetti.
- inactive, on 10/12/2007, -0/+6
no we all get it, it's just a dumb way to prevent it.
disable them in the bios. it'll be just as effective, possibly more so because it'll stump would-be thieves and possibly let you catch them in the act while they are scratching their heads as to why it's not working
- narzy, on 10/12/2007, -1/+7
software solutions don't work, people interested in stealing data (company inside jobs) use flash drives, super glue is a quick, easy, and extremely effective way to disable a USB port. Other physical steps that I've taken are having a machine shop custom build metal cages for the PS2 ports to prevent mouse and keyboard theft and replacing ball mice with optical. Locking computers to work areas is also effective. Another thing I do for clients with sensitive data is make sure there are no burners in the office, most of the time employees in such Establishments don't need CD or DVD Roms either so I will disconnect those. If they need an external file, they can download it, or contact the IT staff. Physical security is key, cheap physical security sells.
It doesn't stop there however, volumes are encrypted and passwords rotated, systems only use firefox (IE is actually disabled completely) and strict group policies are in place. The computer is the company's property, not the employee's, if you want a ton of crap on your home computer, great, have at it, but not on company systems. Packet monitoring and network traffic is also retained for an undisclosed amount of time to ensure data isn't leaving the company via the interweb, users also don't get warnings, their first last and only warning is when they sign the UAP (User Access Policy) you violate it, take a hike, no more computer privileges for you, and seeing as the companies I've worked for require computer access, no more job for you.
Encryption isn't optional, your data is encrypted whether you like entering your rotating complex password or not, I also implement RSA OTP rings, that adds to the cost, but in my time I've never had a compromise. It may seem strict, but if you were our customer, you would be glad to know your data is safe with us. This is what it takes to be as secure as possible in today's environment, and I'll be the first to tell you it's nowhere near 100% secure, but it's the best we can do.
No one is exempt, recently the CEO of the company that hired us wanted us to compromise, we flat out would not do it. We explained calmly and rationally why we wouldn't and he is happy with us now. Laptops also don't enter the building, just another escape route for data, and we sniff for wireless networks daily at different times, if one is found instant termination.
- inactive, on 10/12/2007, -0/+6
"Most windows machines get python installed by default these days, do they not?"
Uh... What are you smoking?
- DarkElf109, on 10/12/2007, -0/+6
...Or, install WinZip, 7-Zip, etc., compress the files you need, and email them to yourself. Gmail, Yahoo! Mail, even a home account will work for this. If the data's over 10 megs, just split the files, and send a few emails. It's not that hard. In fact, depending on the placement of the USB ports (I've had to work with some older machines where the ports are only on the back), it may be easier to just email it to yourself than to plug the USB drive in.
- MrZop, on 10/12/2007, -1/+7
You all don't seem to realize the point. sure, you can load an OS, sure you can possibly open it up and reset the bios, sure you can go into the bios and enable USB, yeah, there are a lot of things you can do.
The point of the superglue is to stop quick data thieves. most of the information that they are trying to keep are on terminals that people won't get much time at. so the "Hit and run" usb drive method is what they are trying to stop. and a physical blockage is a nice solution. personally, i'd just remove the USB ports by ripping them right off the motherboards. but that seems a little too destructive. or put a sheetmetal backing that blocks the USB. i dunno. a physical block is always better than a software block.
(Didn't mean to reply, meant to make a new comment)
- CheezeMonkey, on 10/12/2007, -1/+6
how to steal data:
1. go up to an employee
2. say you're from IT
3. open up the computer
4. take the hard drive "back to the IT offices for modifications"
You'd be surprised how gullible the average person is.
- cstewart28, on 10/12/2007, -1/+6
Who needs USB?? Just email either the whole data or bits of it to pc with working USB ports..... DOH!
- nickyc, on 10/12/2007, -0/+5
Microsoft have an adm file which you can import into a group policy. You can find info at http://support.microsoft.com/?kbid=555324. I have used this successfully without any problems on many secure networks, including schools. It is a computer policy so it disables access to USB / CDRom/ Bluetooth regardless of the user logging on, a bit like the glue solution!!
- garble7, on 10/12/2007, -1/+6
With Vista you can turn on a Policy that will allow USB keyboard/mice to be used but not any other types of USB hardware. You can also allow only certain USB flash drives (The teachers for example) while disabling all of the other ones that may be tried
- berberrama, on 10/12/2007, -1/+6
@Seumas Hahahahahaha "...USB porn...". This is very funny. Hee hee hee
- BTexas108, on 10/12/2007, -1/+6
I think the point is that most people aren't going to be taking a computer apart and resetting the bios, much less finding a backdoor password into the bios. This may work in an environment where data theft isn't as much of a concern, but it is possible to get around if the person is motivated enough. Glue on the other hand is going to be fairly hard for someone to remove but it makes me wonder what will happen when mobo's are shipped with nothing but usb ports for the keyboard/mouse/printer.
- colol, on 10/12/2007, -0/+4
@zybch
Clear nail polish, baby, clear nail polish. Properly applied, it seals up the access panel from casual theft while still being easily reversible (nail polish remover) for cleaning or ball replacement. Used it for years in the high school labs where optical was out of the budget because all of our lovely computers used AT keyboards and serial mice. In 2001.
- inactive, on 10/12/2007, -3/+7
and it doesn't surprise me this story comes out of australia. the industry here is full of idiots the likes of you couldn't imagine. just big turds in a little bowl.
- rocket_rob_71, on 10/12/2007, -0/+4
Would thin clients solve this?
- inactive, on 10/12/2007, -0/+4
Awesome. A software-only solution? Nobody with bad intent would _ever_ think of bringing along a knoppix CD to bypass *that*! :)
- inactive, on 10/12/2007, -1/+5
the level of technical expertise is particularly low in my neck of the woods... mention freebsd or postgresql and you get a blank look, even from so called gurus
- berberrama, on 10/12/2007, -0/+4
I work in IT. This is just my opinion. Any IT personnel who willfully destroy computer equipment - Such as placing superglue in the USB ports should have their employment terminated!
We have four methods to help reduce data theft.
1) Windows boxes have their registries edited to prevent USB use and installation.
2) Group policies are used to prevent access to configuration or installation interfaces.
3) Some units have a metal plate covering the USB ports.
4) Some units don't even have USB ports.
In our case the leasing company told us that any units damaged (by placing superglue or other substances) in USB ports may NOT be returned at the end of the lease and we would automatically pay the buyout fee.
In any event, we found the bigger problem (after preventing USB, CD burning, floppies, etc.) was that a couple people simply began to upload (or email to themselves) data they wanted to keep. (We improved our firewall and access rights to this effect).
As such it was the responsibility of the IT managers to ensure constructive solutions were initiated as it was unacceptable to simply destroy equipment. From a financial, moral and professional responsibility.
- x3n1, on 10/12/2007, -1/+5
Disclaimer: If you had misplaced the motherboard manual it might be useful to note where the pins originated prior to removal. You may also be aware that some registry editing should be post-backup.
Some ideas:
Disable USB ports within the registry; and disabled edits
Remove header pins from the motherboard for front-panel
And; restrict access to the rear components
- GarethSaxby, on 10/12/2007, -1/+5
Someone thinking for once, heh. I'm certain that you can disable devices on a per-usergroup basis, so if you go through the domain controller you could easily set it across the entire network with almost none of the effort. Not only do you prevent hardware damage from putting glue inside of a computer or "ripping" the USB ports out as some have suggested, but it means that the people who need USB ports, such as technicians or in the case of schools, faculty staff, can still use them.
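The registry-based block that berberrama and x3n1 describe above can be audited rather than assumed. This is an added example, not code from any commenter; it assumes the standard USBSTOR service key (where Start = 4 means the driver is disabled) and English-language account names, and it only reads, changing nothing:

```powershell
# Added example: read-only audit of the registry USB mass-storage block.
# Assumes the standard USBSTOR service key; run from an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Test-UsbStorDisabled {
    param([string]$Key = $UsbStorKey)
    if (-not (Test-Path -Path $Key)) {
        # No service key means there is no Start value enforcing anything.
        return [pscustomobject]@{ Check = 'USBSTOR Start'; Actual = 'key missing'; Pass = $false }
    }
    $start = (Get-ItemProperty -Path $Key -Name Start -ErrorAction SilentlyContinue).Start
    # 4 = disabled; 3 = load on demand, which lets a flash drive mount.
    [pscustomobject]@{ Check = 'USBSTOR Start'; Actual = $start; Pass = ($start -eq 4) }
}

function Get-UsbStorWritablePrincipals {
    param([string]$Key = $UsbStorKey)
    # The block only holds if ordinary users cannot flip Start back to 3
    # (the "disabled edits" part of the suggestion above).
    $write = [int][System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'
    # Principals expected to have write access (English-language names).
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    (Get-Acl -Path $Key).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band $write) -ne 0) -and
        ($expected -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, RegistryRights
}

$result = Test-UsbStorDisabled
$result | Format-List
if (Test-Path -Path $UsbStorKey) {
    $writers = @(Get-UsbStorWritablePrincipals)
    if ($writers.Count -gt 0) {
        Write-Warning 'Non-administrative principals can modify the USBSTOR key:'
        $writers | Format-Table -AutoSize
    }
}
# Non-zero exit lets a login script or management agent flag the machine.
if (-not $result.Pass) { exit 1 }
```

The script sees only the setting inside the installed Windows; the live-CD and BIOS points raised elsewhere in the thread are outside what it can check.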
- cyssero, on 04/18/2009, -0/+4
I wonder how hard it would be to remove the glue, when the lease is up on the PCs.. ?
- usergentoo, on 10/12/2007, -0/+3
what about an ethernet hard drive those work pretty good
- DarkElf109, on 10/12/2007, -0/+3
But you do need to be able to boot to CD/USB drive. And any sensible admin will have the computers bios's set to boot to HDD and nothing else, and the bios locked down with a password.
- k3bravo, on 10/12/2007, -0/+3
Instead of destroying motherboards and using software fixes, why not just use powered KVM extenders and physically locate the CPU to a secure location. All the user gets is a keyboard, mouse, and a monitor attached to the KVM. We have used this solution for years and our end users love it. No bulky beige box cluttering up the work environment and some of the users get multiple systems attached to the KVM if they need it.
- cyssero, on 04/18/2009, -1/+4
Schools that get tech upgrades every couple of years? Government organisations? I don't know where you live mate, but in Australia I.T. equipment and even cars are leased to organisations. After the lease is up, you have the opportunity to buy the equipment at a lower price. Makes sense to me!
- GarethSaxby, on 10/12/2007, -0/+3
My school has a set of thin client systems. They're rubbish, heh. Whilst I can only account for the "Sumo" systems from the ST series that we acquired a few years ago, they don't operate on the same basis as the rest of the hardware throughout the school, which easily confuses both faculty staff and students. Network Integration isn't simple at all, they're effectively segmented off excluding file and printer shares, and access to user areas requires the user to open their own storage space with \serverusersdirectoryusername, which puzzles even some of the ICT staff. Rolling them out network wide is not something that will ever happen, and I suspect that within a few years the existing units will also be "retired", thanks to our technology college status.
Of course, I didn't set them up... It may well be a poor installation, but compared to the rest of the systems within the ICT department, they're easily the worst there.
- GarethSaxby, on 10/12/2007, -2/+5
It would be far too awkward to use wireless mice, not only because of, what's already been mentioned, that lost/stolen mice and battery costs would result in it being far too expensive of a venture, but you have to teach kids how to use them. Whilst most children are tech savvy... Not all of them are. Conflicting RF bands and kids pissing around using their mice on other computers would result in far too much time being wasted, and for those kids who don't want to do ICT lessons (It's probably strange to most folks on Digg, but there are some people who don't like this sort of thing) "forgetting" their mice would be far too easy. Wired is the only way for any large scale work place, it's just not worthwhile.
- cazabam, on 10/12/2007, -1/+4
So that's the USB drive option sorted, but they still haven't sorted the more dangerous issue: the one port that has more data going in and out than any other. You got it ... the network RJ45 connector! While ever that little hole is open, people could be transferring data from one system to another almost unhindered. When will we learn!
- cyssero, on 04/18/2009, -0/+3
Thin clients would solve the problem. But they usually lack processing power and can be more expensive than standard desktop machines. There's always a catch to something..