August 2004 CSO Magazine






































 

Drives and Ambition

USB drives are great for exchanging sensitive documents, but how safe are they?

BY SIMSON GARFINKEL


USB drives (those cheap, thumb-size storage devices that plug in to laptops and desktops) are reasonably cheap, reusable, fast, durable and much more convenient to carry around than a stack of CD-ROMs. They work on Macs, PCs and even Linux-powered laptops. And these little devices are just the thing for exchanging sensitive documents—information that's far too important to send by e-mail.

During the past two years, in fact, USB drives have become an incredibly popular way to exchange information. This past spring, for instance, I was teaching a class that had a "no student grades may be sent by e-mail" policy. When one of the professors needed an electronic copy of the roster listing every student's final grade, I simply popped a 64MB drive into my laptop, dragged the file in question to the drive's icon, pulled the drive and plopped it into his hand. As demonstrated by my little exchange with the good professor, physically handing someone a confidential file means that you don't need to worry about VPN settings, e-mail encryption, misaddressed messages or unscrupulous exchange administrators.

But USB drives have a dark side: a range of security problems resulting from the very factors that make them convenient. The problems are so significant that some organizations have tried to outlaw them. Others are trying to minimize the danger through a combination of education and technology.


The First Risk: Data Theft
The obvious risk of high-capacity portable storage is that someone will walk into your organization, slap a USB drive onto one of your computers, copy a few choice documents, then walk away with your goods. Such theft is a real risk, although it's a risk that's not unique to USB.

Back in 1992, a friend of mine walked into a trade show in San Francisco, hot-wired a portable hard drive to the back of a Unix workstation and copied the prerelease operating system that the workstation vendor was demonstrating on the exhibit floor. Fortunately my friend wasn't interested in industrial espionage. He was a journalist who wanted a copy of the operating system for an article he was writing. (The vendor had been less than cooperative.) The whole operation took about 20 minutes, and it happened right under the nose of the company's vice president of marketing.

Today this sort of attack has gone mainstream. Shortly after the release of the Apple iPod, for instance, computer stores started reporting that the portable music player had become a tool-of-choice among software pirates. iPod-equipped thieves were walking into stores, connecting their players to the Macintosh computers on the store floor, and making off with fully enabled copies of Microsoft Office and Adobe Photoshop.

And it's not enough to have the guards at the front desk search visitors for USB drives—they're just too easy to hide, as evidenced by a 1GB USB 2.0 drive the size of a postage stamp that I saw recently. Storage is also being built into many more devices than you might think. Like the iPod, my digital camera can double as a USB drive. That's really handy for dragging .jpeg images off the camera and onto a hard drive. But the storage works just as well for documents. I can show the guard at the front desk all of the pretty pictures on my camera, safe in the knowledge that he won't see that stolen Excel spreadsheet.

Another way that USB drives can result in data theft is when somebody steals the USB drive itself; after all, they're so small and portable. Or one of your busy executives might leave his drive plugged in to a computer at a cybercafé. Many drives have a key chain molded into their plastic bases. If the key chain breaks off, all of the data could fall into the hands of a stranger.


The Second Risk: Data Shadows
If I'm really worried about the guard at the front desk examining my USB drive, I can go one step further and actually delete the confidential files after I copy them onto my portable storage device. Once I get out of the building, it's a simple matter to mount the drive on a Windows-based computer and run an "undelete" program to recover the stolen data.

File undelete programs work just as well on USB storage devices as they do on hard drives. In fact, they work better. That's because USB drives aren't used for temporary files or swapping the way a computer's main disk frequently is. As a result, it's much more likely that a deleted file can be recovered from a USB drive than from a typical hard drive.

After the 9/11 attacks, I read an online post from a frustrated photographer who had spent hours taking photographs around Ground Zero on Sept. 12, only to have a police officer tell him that he was violating the law by taking pictures in a restricted area. (A highly dubious claim, as it turns out.) The officer wouldn't let the photographer go until he deleted all of the images on the man's camera. Of course the images were still there, and several people on the Internet gave the photographer the information he needed to retrieve them.

These file undeletion tricks work because today's computer systems don't actually overwrite the sectors of a file when you click "delete." Instead, they simply remove the file's name from the directory and mark the file's blocks as "available." If you really want to remove the file's contents from a mass storage device—be it a hard drive or a USB drive—you've got to overwrite the individual file blocks with new data. (And in the case of flash RAM that's used in USB drives, you may need to overwrite the data several times if you are trying to protect yourself against attackers who have expensive tools like electron microscopes.)

The ability to recover seemingly deleted information from USB is really a curse, not a blessing. That's because there's no good way of knowing whether that USB drive you're about to hand somebody has an important deleted confidential file on it. For this reason, the Yale University School of Medicine's official policy states that "using a USB minidrive for storage/transport of unencrypted protected health information is not recommended."


The Third Risk: Hostile Code
The third risk with these devices is a surprising one: the risk of computer viruses and hostile code. When you insert a USB drive into a Windows-based computer, the computer checks to see if there is a file called autorun.inf in the root directory. If there is, the computer executes the program pointed to by this file.

Because autorun programs run automatically without your choosing and without notification, an attacker can use this feature to run code on your organization's computers without your permission. For example, a bad guy could send a USB drive to somebody in your company and make it look like a promotional gift. Presented with a 128MB gift drive, who wouldn't plug it in to their computer? The Trojan horse could install itself and then erase its own files on the flash drive, making detection all but impossible. What's more, if the Trojan horse was written specifically as an attack against your organization, a commercial antivirus system won't recognize it.
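One way to inspect a drive for the autorun behavior described above before it reaches a Windows desktop. This is an added example, not code from the column: the function names are hypothetical, and it assumes the drive is mounted on a host that does not itself act on autorun.inf.

```python
# Added example: static audit of a removable volume's autorun.inf; nothing is executed.
import os

def find_autorun(root):
    """Path of autorun.inf in the volume root (case-insensitive), or None."""
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if entry.lower() == "autorun.inf" and os.path.isfile(path):
            return path
    return None

def parse_autorun(text):
    """Key/value pairs from the [autorun] section only; keys lower-cased."""
    section, pairs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def launch_entries(root):
    """(key, command) pairs that name a program Windows would start."""
    path = find_autorun(root)
    if path is None:
        return []
    with open(path, "r", encoding="latin-1") as fh:  # latin-1 never fails to decode
        pairs = parse_autorun(fh.read())
    return [(k, v) for k, v in pairs.items()
            if k in ("open", "shellexecute") or k.endswith("\\command")]
```

An empty result means the root directory holds no autorun.inf or the file names no program; any returned pair is a reason to quarantine the drive and examine the named file.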


Managing the Risks
So what's a good CSO to do?

For starters, give your employees the education and the tools they need to properly sanitize their USB drives. MacOS 10.3 lets you specify "empty trash" or "secure empty trash" when you delete files; the latter actually overwrites the files, making it all but impossible to retrieve them from the USB drive. Likewise, Apple's Disk Utility allows you to select "zero all data" when creating a new file system. Sadly, Windows provides no similar easy-to-use sanitization tools: Your best bet is purchasing a site license to a program such as SecureClean by WhiteCanyon (www.whitecanyon.com).
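The delete behavior described under "Data Shadows" and the sanitization step above, modeled as an added example that is not part of the original column. `ToyVolume`, its block size and the sample file contents are constructed for illustration; it is a toy model of a FAT-style volume, not a driver for a real filesystem.

```python
# Added example: toy model of a FAT-style volume, not a real filesystem driver.
BLOCK = 16  # constructed block size, kept tiny so the contents are readable

class ToyVolume:
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK)] * nblocks  # raw storage, initially zeroed
        self.free = [True] * nblocks            # allocation map
        self.directory = {}                     # file name -> list of block numbers

    def write(self, name, data):
        chain = []
        for off in range(0, len(data), BLOCK):
            idx = self.free.index(True)         # raises ValueError when the volume is full
            self.free[idx] = False
            self.blocks[idx] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            chain.append(idx)
        self.directory[name] = chain

    def delete(self, name):
        """Ordinary delete: drop the name and mark the blocks available."""
        for idx in self.directory.pop(name):
            self.free[idx] = True               # contents are left untouched

    def secure_delete(self, name):
        """Overwrite every block of the file with new data, then release it."""
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK)
        self.delete(name)

    def residue(self):
        """Free blocks that still hold data an undelete tool could read."""
        return [i for i, b in enumerate(self.blocks) if self.free[i] and any(b)]

    def wipe_free_space(self):
        """Zero every unallocated block; returns how many held residue."""
        dirty = self.residue()
        for idx in dirty:
            self.blocks[idx] = bytes(BLOCK)
        return len(dirty)

def handover_check():
    vol = ToyVolume()
    vol.write("roster.xls", b"alice:A bob:B+ carol:A-")  # constructed sample data
    vol.write("notes.txt", b"meeting at noon")
    vol.delete("roster.xls")                    # the "deleted" grades stay in blocks 0-1
    before = vol.residue()
    vol.secure_delete("notes.txt")              # leaves nothing behind
    wiped = vol.wipe_free_space()
    return before, wiped, vol.residue()
```

The model ignores flash wear leveling, where the drive's controller can send a logical overwrite to a different physical block than the one that held the original data.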

Next, you can mandate the use of encryption on USB drives. The cheapest way to do this is by using the encryption that's built into Microsoft Word and Excel: Documents that require a password to open are automatically encrypted using either a 40-bit or 128-bit cipher, depending on the version of Office that you happen to be using.

Easier-to-use encryption can be found with Lexar Media's JumpDrive Secure Version 2.0. This version has a device driver that splits the JumpDrive into two partitions: an unencrypted "public" partition and an encrypted "secure" partition that requires you to type a pass phrase before accessing it. The pass phrase is used to generate a 256-bit AES encryption key; that's pretty strong security. But don't trust the original JumpDrive Secure; that USB drive didn't actually use encryption, just a simple password that was verified by the device driver.

I spent a month this summer trying out the JumpDrive Secure. It worked flawlessly on the PC, but I couldn't get it to work on my Mac, despite the fact that the device was allegedly supported by both platforms. By the time you read this, those problems may well be addressed. Alternatively, you can simply use a disk encryption product such as PGPdisk or even the encrypted file systems that are built into most modern operating systems.

Finally, beware geeks bearing gifts.


Simson Garfinkel, CISSP, is a technology writer who is based in the Boston area. He can be reached at machineshop@cxo.com.


ILLUSTRATION BY ANASTASIA VASILAKIS




Most Recent Responses:

It does not appear that most USB drives will run an autostart procedure upon insertion. We have been looking into this with an eye to using usb drives as promotional devices, with a presentation firing up upon insertion - but it does not work. There are a few types of USB drives that appear to support autorun.inf, but I have not evaluated them. [google usb drive autorun for info] http://www.hsc-us.com/industrial/usb/UDOEM.html

Robert Taylor
Director
Kadlec Medical Center

The unfortunate fact is that with some USB Disks the user needs administrative access to the pc in order to use the encryption features of the disk...so the choice becomes either lower security from the pc, or from the USB Disk. Neither of which is preferable. Personally, I'd like to see USB interfaces become more administratively friendly, for example have security features built-in. The ability to activate individual USB Ports for specific tasks or devices would allow them to remain usable for permitted devices even in a secured environment.

Tim Wolfe
Director
Arcoba Labs

At our Bank we password protect our BIOS settings and disable all ports that are not used for business including the USB ports. This strategy protects a vast majority of our computers. A common problem with this strategy is that people with Ipaq and Palm handhelds need access to USB ports. The mitigating controls that we use are that only higher level employees are able to use these devices and we audit their file activity.

Ryan J
AVP Technology
A Community Bank

Isn't there a way or process to encrypt or scramble thru " the use " of the USB port ? Then and only then would any data be allowed thru. User of USB modules could only use pre-secured and or authorized modules. Computer security could re-direct downloading for scrutiny before allowing access.

John Betts

USB drives are considered a necessary evil nowadays! On one side when Organizations are trying hard to achieve 2-factor authentication using USB type tokens, on the other side, USB ports in the computing infrastructure are being locked up for protecting intellectual property from the Organization (specifically addressing insider threats). At the end of the day, it all depends on the level of acceptance of risks based on the specific business processes and operations in the organization.

Sreehari Padmanabhan
Security Consultant








All content copyright CXO Media Inc., 1994-2002. All rights are reserved. No material may be reproduced electronically or in print without written permission from CXO Media, 492 Old Connecticut Path, Framingham, MA 01701.

Dated: August 2004


http://www.csoonline.com/read/080104/shop.html