Computer Security: The rancid USB box of chocolate

How convenient USB sticks were in the past! And how convenient they still are today, despite the fact that, with CERN’s free and versatile CERNBox service or the commercial “Dropbox” solution, there are simpler methods for sharing files and documents between devices. And even more secure and compliant ones!

The basic problem with USB sticks is that they are a black box, a box of chocolates: “You never know what you're gonna get” (Forrest Gump, 1994). And, indeed, how can you know if your USB stick, the one you are about to plug into your computer right now, holds any infected files, viruses, illegal software or software subject to copyright or particular licence conditions? You can’t, even if the USB stick is brand new. We have had cases at CERN where USB sticks came already infected from the factory – USB sticks in sealed plastic packaging… The risk for your computer and CERN is non-negligible: depending on the type of infection/virus and how up-to-date your operating system is, your computer might get infected right away. This is a particular risk for devices which cannot be kept up-to-date at all times, like some control systems used for running our accelerators, infrastructure or experiments!

Worse, our automatic detection tools regularly detect pirated software or copyrighted material arriving via personal USB sticks used previously at home. Of course, what you do at home is your private business and only subject to your local national laws, but once the USB stick is connected at CERN, the use of pirated software or copyrighted material can have significant consequences for the Organization (see our Bulletin articles on the subject: “Do you have 30kCHF pocket money?” and “Music, videos and the risk for CERN”). 

So, help us to protect your devices, CERN’s reputation and the operation of CERN’s accelerators, infrastructure and experiments! Please do not bring your USB sticks from home to CERN (and if you need to, please format them beforehand). Take additional care when plugging in USB sticks from third parties. It is better just to refrain from using USB sticks unless you have a good idea of what is stored on them – in particular for USB sticks found “on the road” (e.g. USB sticks lost by someone, dropped on the floor, handed to you by some stranger). Instead use CERNBox as an alternative. It has sufficient space for big files, synchronises with your CERN home folders, is remotely accessible (even from mobile devices) and provides anonymous access for sharing material with third parties. And please apply the utmost care when using USB sticks to transfer data to production control systems hosted on the Technical Network (TN) or any experiment networks (EN). The corresponding policy, the CNIC Security Policy for Controls (section 6.2.1), stipulates that the “usage of USB sticks being connected to devices on the TN/EN must be avoided by any means and alternative methods for file transfer […] must be used whenever possible. Failure to adhere to this rule will be considered as professional fault putting a risk to the TN/EN.” And, finally, it goes without saying that always keeping your operating systems up-to-date and using decent anti-virus software (you can get it for free from CERN) will definitely provide you with additional protection.

___________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch