Protect your thumb drive and the data on it like it is made of solid gold and diamonds
A few days ago, over lunch, I ran to a gas station, grabbed a diet Dew and headed to the car. On the way back, I found a flash drive lying on the ground. It was lying in an empty parking space and there were no other vehicles or customers around so I grabbed it. Thought, hey, my lucky day.
It sat in my car while I finished my day at work and the whole day I was wondering if this was someone’s attempt at a ‘social engineering’ attack or just someone that lost their drive. I won’t compromise my organization’s network in any way, shape or form, so it had to wait.
I know what kind of data is stored on a lot of drives and it ranges from purely innocent filled with someone’s kids’ photos right on up to deviant sexual and criminal acts. So all the while I was chomping at the bit to see what was on it. If it was something of the more seedy nature, I’d keep the drive, and wipe it for future personal use. If it was of a criminal nature, I’d hand it over to the proper authorities. If it was something else, I’d see if I could track the owner down.
I started to look through the drive and what was MOST disturbing is that there were several files on there with financials for both the person (who happens to own a computer support business) as well as an organization’s financials. This really alarmed me and I started to wonder what would have happened if someone else of the ‘less than ethical nature’ would have picked this up.
I started by looking at file properties. Several files had the author’s name included with them. I went through some of the PowerPoint presentations and found the organization this person belonged to. Together with the name, I was able to do some simple searches and compiled several other pieces of information about this person, the business, the organization and a lot of things that really put this person into a situation that he REALLY doesn’t want to be in.
After putting several of the pieces of information together and finding several phone numbers for this person, I decided to do the right thing and give him a call.
I contacted this person and left my name and phone number for him to call me back. Once he did, I was vague on where I’d found it and he pinpointed exactly where he may have dropped it. He also described what the drive looked like as well as some of the information he had on it. We arranged a time to meet up and once I saw him, I realized I was meeting the correct person due to the online photo of him on the organization’s web site. I also was able to verify it was him due to the photos of him on the drive.
I gave him the drive and he handed me a business card for his computer business. I did my best not to laugh when he did that. I don’t know about you, but I’m not interested in doing business with someone who is as flippant as losing a flash drive with a lot of information on it. Several other reasons I’m not interested in doing business with him are the following:
- He keeps personal, business and organizational information all on the same flash drive.
As cheap as flash drives are these days, you should have several, one for business, one for personal, one for pictures, etc. This way, if you happen to lose one, you don’t lose everything.
- He doesn’t encrypt his files on the flash drive.
Most drives now come with encryption software already loaded and all you have to do is enable it. It’s a simple process and even if you set an easy password on it, you’ve still at least got it encrypted and most people would look at that and end up just wiping it and keeping the drive.
- He wasn’t worried about how I found him or if I saw any of the other information on the device.
This in itself told me that there was something on there that he may not have wanted to know I saw. Maybe it was the organization that he was a part of, maybe it was some of the pictures (no, it wasn’t porno, but he could have been photographed out with another woman instead of his wife), who knows. All I know is that he wasn’t too concerned with who saw the data or what data was seen.
I let him know that Information Security is my business and that he may want to at least encrypt the device as there aren’t as many people out there that are as willing to let the data go. He didn’t seem too concerned about it. Seeing as how there was financial data on there, that REALLY sent chills up my spine. As an Info Sec professional, I know what’s out there, I’ve seen it and worked through stolen credit card numbers both my own as well as co-workers, parents and associates. I know what havoc it can wreak and what I had to go through to get it straightened out.
What’s the lesson taken away from this? It’s easy.
Encrypt your flash drives. Put a small file on the root of the flash drive (text file is best) that is unencrypted that is titled “PleaseReadIfFound.txt”. In that file, you don’t have to list your name or phone number, but at least list an e-mail that is fairly nondescript and a message stating that if someone finds it to please contact you via e-mail and let you know that they found it. If the flash drive is important enough (or should I say the data), go ahead and offer some type of reward. It’s really up to you.
But for the love of all things that are sacred, PLEASE encrypt your flash drives unless you want to end up in court trying to prove that someone stole your identity or trying to prove that someone stole your credit card numbers and they’re the ones paying $1,000 an hour for those hookers downtown. Again, this is the worst case scenario, but it can and has happened before.
My personal drives are all for a specific purpose. Work, pictures, personal, financial, etc. I also have an e-mail account set up for each one. On each one, I have that text file that reads as follows:
“Hello, thank you for reading this before destroying the data on this drive. I appreciate the time and would request that you please forward an e-mail to [email protected] letting me know that you found it. I can either come to you, or we can meet somewhere of your choice. I’ll be more than happy to pay for the gas you use to meet up. Thank you.”
I’ve been fortunate enough to never have to look for an e-mail in one of these accounts; however, I’m fairly confident that if someone does find it, it’ll take them more time than it’s worth to decrypt it. Yes, nothing is impossible to decrypt, but most people will end up just wiping the drive instead of tying up resources trying to decrypt a drive for days, or weeks on end.
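A self-check for two points made above, the author names readable in Office file properties and the “PleaseReadIfFound.txt” note, is sketched below as an added example that is not part of the original article. The helper names (`audit_drive`, `exposed_authors`), the sample files and the name `Jane Example` are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

NOTE_NAME = "PleaseReadIfFound.txt"        # file name suggested in the article
OOXML = {".docx", ".pptx", ".xlsx"}        # zip-based Office formats
NS = {"dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/"
            "metadata/core-properties"}
FIELDS = ("dc:creator", "cp:lastModifiedBy")


def exposed_authors(path: Path) -> dict:
    """Author fields readable from an Office file without any password."""
    try:
        with zipfile.ZipFile(path) as z:
            props = ET.fromstring(z.read("docProps/core.xml"))
    except (zipfile.BadZipFile, KeyError, OSError, ET.ParseError):
        return {}  # not a plain zip (e.g. password-protected) or no metadata
    found = {f: props.findtext(f, namespaces=NS) for f in FIELDS}
    return {f: v for f, v in found.items() if v}


def audit_drive(root: Path) -> dict:
    """What a finder could learn from the drive mounted at root."""
    leaks = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in OOXML:
            authors = exposed_authors(p)
            if authors:
                leaks[p.relative_to(root).as_posix()] = authors
    return {"note_present": (root / NOTE_NAME).is_file(),
            "author_leaks": leaks}


def build_sample_drive(root: Path) -> None:
    """Constructed sample data standing in for a real drive."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" '
            f'xmlns:dc="{NS["dc"]}"><dc:creator>Jane Example</dc:creator>'
            '<cp:lastModifiedBy>Jane Example</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    with zipfile.ZipFile(root / "budget.pptx", "w") as z:
        z.writestr("docProps/core.xml", core)
    # Stand-in for a password-protected file: not a zip, so nothing is readable.
    (root / "notes.docx").write_bytes(b"\xd0\xcf\x11\xe0not-a-zip")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_drive(Path(d))
        print(audit_drive(Path(d)))
```

Pointed at the mount point of your own drive, an empty `author_leaks` and `note_present` set to true is the state the article recommends.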
Was this article helpful, entertaining, do you have ideas on encryption or stories to share about a similar incident? Let me know in the comments.
Information Security Correspondent
Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.