USB Drives and Security Ambition
USB drives are great for exchanging sensitive documents, but how safe are they?
By Simson Garfinkel
August 01, 2004
CSO
USB drives (those cheap, thumb-size storage devices that plug in to laptops and desktops) are reasonably cheap, reusable, fast, durable and much more convenient to carry around than a stack of CD-ROMs. They work on Macs, PCs and even Linux-powered laptops. And these little devices are just the thing for exchanging sensitive documents.
During the past two years, in fact, USB drives have become an incredibly popular way to exchange information. This past spring, for instance, I was teaching a class that had a "no student grades may be sent by e-mail" policy. When one of the professors needed an electronic copy of the roster listing every student's final grade, I simply popped a 64MB drive into my laptop, dragged the file in question to the drive's icon, pulled the drive and plopped it into his hand. As demonstrated by my little exchange with the good professor, physically handing someone a confidential file means that you don't need to worry about VPN settings, e-mail encryption, misaddressed messages or unscrupulous exchange administrators.
But USB drives have a dark side: a range of security problems resulting from the very factors that make them convenient. The problems are so significant that some organizations have tried to outlaw them. Others are trying to minimize the danger through a combination of education and technology.
The First Risk: Data Theft
The obvious risk of high-capacity portable storage is that someone will walk into your organization, slap a USB drive onto one of your computers, copy a few choice documents, then walk away with your goods. Such theft is a real risk, although it's a risk that's not unique to USB.
Back in 1992, a friend of mine walked into a trade show in San Francisco, hot-wired a portable hard drive to the back of a Unix workstation and copied the prerelease operating system that the workstation vendor was demonstrating on the exhibit floor. Fortunately my friend wasn't interested in industrial espionage. He was a journalist who wanted a copy of the operating system for an article he was writing. (The vendor had been less than cooperative.) The whole operation took about 20 minutes, and it happened right under the nose of the company's vice president of marketing.
Today this sort of attack has gone mainstream. Shortly after the release of the Apple iPod, for instance, computer stores started reporting that the portable music player had become a tool-of-choice among software pirates. iPod-equipped thieves were walking into stores, connecting their players to the Macintosh computers on the store floor, and making off with fully enabled copies of Microsoft Office and Adobe Photoshop.
And it's not enough to have the guards at the front desk search visitors for USB drives—they're just too easy to hide, as evidenced by a 1GB USB 2.0 drive the size of a postage stamp that I saw recently. Storage is also being built into many more devices than you might think. Like the iPod, my digital camera can double as a USB drive. That's really handy for dragging .jpeg images off the camera and onto a hard drive. But the storage works just as well for documents. I can show the guard at the front desk all of the pretty pictures on my camera, safe in the knowledge that he won't see that stolen Excel spreadsheet.
Another way that USB drives can result in data theft is when somebody steals the USB drive itself; after all, they're so small and portable. Or one of your busy executives might leave his drive plugged in to a computer at a cybercafé. Many drives have a key chain molded into their plastic bases. If the key chain breaks off, all of the data could fall into the hands of a stranger.
The Second Risk: Data Shadows
If I'm really worried about the guard at the front desk examining my USB drive, I can go one step further and actually delete the confidential files after I copy them onto my portable storage device. Once I get out of the building, it's a simple matter to mount the drive on a Windows-based computer and run an "undelete" program to recover the stolen data.
File undelete programs work just as well on USB storage devices as they do on hard drives. In fact, they work better. That's because USB drives aren't used for temporary files or swapping the way a computer's main disk frequently is. As a result, it's much more likely that a deleted file can be recovered from a USB drive than from a typical hard drive.
After the 9/11 attacks, I read an online post from a frustrated photographer who had spent hours taking photographs around Ground Zero on Sept. 12, only to have a police officer tell him that he was violating the law by taking pictures in a restricted area. (A highly dubious claim, as it turns out.) The officer wouldn't let the photographer go until he deleted all of the images on the man's camera. Of course the images were still there, and several people on the Internet gave the photographer the information he needed to retrieve them.
These file undeletion tricks work because today's computer systems don't actually overwrite the sectors of a file when you click "delete." Instead, they simply remove the file's name from the directory and mark the file's blocks as "available." If you really want to remove the file's contents from a mass storage device
The ability to recover seemingly deleted information from USB is really a curse, not a blessing. That's because there's no good way of knowing whether that USB drive you're about to hand somebody has an important deleted confidential file on it. For this reason, the Yale University School of Medicine's official policy states that "using a USB minidrive for storage/transport of unencrypted protected health information is not recommended."
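One way to check a drive for such leftovers before handing it over, shown as an added example that is not part of the original article: it assumes the drive uses the FAT file system, where deleting a file only overwrites the first byte of its directory entry with 0xE5. The volume layout is simplified (directory and data region are passed separately), and the file names and contents are constructed sample data.

```python
import struct

ENTRY = "<11sB14xHI"   # name, attributes, (skipped), first cluster, size
ENTRY_SIZE = 32
DELETED = 0xE5         # first name byte once a file is "deleted"
ATTR_LFN = 0x0F        # long-file-name fragment, not a file of its own


def make_entry(name83, cluster, size, deleted=False):
    """Build one 32-byte FAT directory entry (constructed sample data)."""
    name = bytearray(name83.encode("ascii"))
    if deleted:
        name[0] = DELETED  # deletion rewrites this byte, not the contents
    return struct.pack(ENTRY, bytes(name), 0x20, cluster, size)


def deleted_entries(directory):
    """Return (name, first_cluster, size) for each deleted file entry."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:  # never-used entry: end of directory
            break
        name, attr, cluster, size = struct.unpack(ENTRY, raw)
        if raw[0] == DELETED and attr != ATTR_LFN:
            found.append(("?" + name[1:].decode("ascii", "replace"), cluster, size))
    return found


def still_readable(data, entry, cluster_size):
    """True if the entry's first cluster still holds non-zero bytes."""
    _, cluster, size = entry
    start = (cluster - 2) * cluster_size  # data clusters are numbered from 2
    return any(data[start:start + min(size, cluster_size)])


# Constructed volume: one live file, two deleted ones, 512-byte clusters.
CLUSTER = 512
DIRECTORY = (make_entry("ROSTER  XLS", 2, 300)
             + make_entry("GRADES  XLS", 3, 120, deleted=True)
             + make_entry("OLD     TXT", 4, 40, deleted=True)
             + bytes(ENTRY_SIZE))
DATA = (b"R" * 300).ljust(CLUSTER, b"\0") + (b"G" * 120).ljust(CLUSTER, b"\0") \
    + bytes(CLUSTER)  # cluster 4 has since been overwritten with zeros


def audit():
    """List each deleted entry and whether its contents are still on the drive."""
    return [(e[0], still_readable(DATA, e, CLUSTER)) for e in deleted_entries(DIRECTORY)]
```

Calling `audit()` reports the deleted grades file as still readable and the overwritten one as gone; the non-zero test is a heuristic, since a file whose contents really were all zeros would also read as gone.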
The Third Risk: Hostile Code