INFO SECURITY: Thumb Drive Security

Protect your thumb drive and the data on it like it is made of solid gold and diamonds

A few days ago, over lunch, I ran to a gas station, grabbed a diet Dew and headed to the car. On the way back, I found a flash drive lying on the ground. It was lying in an empty parking space and there were no other vehicles or customers around so I grabbed it. Thought, hey, my lucky day.

It sat in my car while I finished my day at work, and the whole day I was wondering if this was someone’s attempt at a ‘social engineering’ attack or just someone who lost their drive. I won’t compromise my organization’s network in any way, shape or form, so it had to wait.

I know what kind of data is stored on a lot of drives and it ranges from purely innocent, filled with someone’s kids’ photos, right on up to deviant sexual and criminal acts. So all the while I was chomping at the bit to see what was on it. If it was something of the more seedy nature, I’d keep the drive, and wipe it for future personal use. If it was of a criminal nature, I’d hand it over to the proper authorities. If it was something else, I’d see if I could track the owner down.

I started to look through the drive and what was MOST disturbing is that there were several files on there with financials for both the person (who happens to own a computer support business) as well as an organization’s financials. This really alarmed me and I started to wonder what would have happened if someone else of the ‘less than ethical nature’ had picked this up.

I started by looking at file properties. Several files had the author’s name included with them. I went through some of the PowerPoint presentations and found the organization this person belonged to. Together with the name, I was able to do some simple searches and compiled several other pieces of information about this person, the business, the organization and a lot of things that really put this person into a situation that he REALLY doesn’t want to be in.

After putting several of the pieces of information together and finding several phone numbers for this person, I decided to do the right thing and give him a call.

I contacted this person and left my name and phone number for him to call me back. Once he did, I was vague on where I’d found it and he pinpointed exactly where he may have dropped it. He also described what the drive looked like as well as some of the information he had on it. We arranged a time to meet up and once I saw him, I realized I was meeting the correct person due to the online photo of him on the organization’s web site. I also was able to verify it was him due to the photos of him on the drive.

I gave him the drive and he handed me a business card for his computer business. I did my best not to laugh when he did that. I don’t know about you, but I’m not interested in doing business with someone who is as flippant as losing a flash drive with a lot of information on it. Several other reasons I’m not interested in doing business with him are the following:

- He keeps personal, business and organizational information all on the same flash drive.
As cheap as flash drives are these days, you should have several, one for business, one for personal, one for pictures, etc. This way, if you happen to lose one, you don’t lose everything.

- He doesn’t encrypt his files on the flash drive.
Most drives now come with encryption software already loaded and all you have to do is enable it. It’s a simple process and even if you set an easy password on it, you’ve still at least got it encrypted and most people would look at that and end up just wiping it and keeping the drive.

- He wasn’t worried about how I found him or if I saw any of the other information on the device.
This in itself told me that there was something on there that he may not have wanted to know I saw. Maybe it was the organization that he was a part of, maybe it was some of the pictures (no, it wasn’t porno, but he could have been photographed out with another woman instead of his wife), who knows. All I know is that he wasn’t too concerned with who saw the data or what data was seen.

I let him know that Information Security is my business and that he may want to at least encrypt the device as there aren’t as many people out there that are as willing to let the data go. He didn’t seem too concerned about it. Seeing as how there was financial data on there, that REALLY sent chills up my spine. As an Info Sec professional, I know what’s out there, I’ve seen it and worked through stolen credit card numbers, both my own as well as those of co-workers, parents and associates. I know what havoc it can wreak and what I had to go through to get it straightened out.

What’s the lesson taken away from this? It’s easy.

Encrypt your flash drives. Put a small file on the root of the flash drive (text file is best) that is unencrypted that is titled “PleaseReadIfFound.txt”. In that file, you don’t have to list your name or phone number, but at least list an e-mail that is fairly nondescript and a message stating that if someone finds it to please contact you via e-mail and let you know that they found it. If the flash drive is important enough (or should I say the data), go ahead and offer some type of reward. It’s really up to you.

But for the love of all things that are sacred, PLEASE encrypt your flash drives unless you want to end up in court trying to prove that someone stole your identity or trying to prove that someone stole your credit card numbers and they’re the ones paying $1,000 an hour for those hookers downtown. Again, this is the worst case scenario, but it can and has happened before.

My personal drives are all for a specific purpose: work, pictures, personal, financial, etc. I also have an e-mail account set up for each one. On each one, I have that text file that reads as follows:

“Hello, thank you for reading this before destroying the data on this drive.  I appreciate the time and would request that you please forward an e-mail to [email protected] letting me know that you found it.  I can either come to you, or we can meet somewhere of your choice.  I’ll be more than happy to pay for the gas you use to meet up.  Thank you.”

I’ve been fortunate enough to never have to look for an e-mail in one of these accounts; however, I’m fairly confident that if someone does find it, it’ll take them more time than it’s worth to decrypt it. Yes, nothing is impossible to decrypt, but most people will end up just wiping the drive instead of tying up resources trying to decrypt a drive for days, or weeks on end.
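One way to check a drive against the advice above, as an added example that is not from the original article: it confirms the found-note exists and carries an e-mail address, then flags every other file that can be read without a key. The function names, the 7.5 bits-per-byte entropy threshold, the sample file names and the address found-drive@example.com are assumptions made for the illustration.

```python
import hashlib
import math
import re
import tempfile
from pathlib import Path

NOTE_NAME = "PleaseReadIfFound.txt"  # file name suggested in the article
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")
# Headers of common file types: if one is visible, the file is not encrypted.
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG",
         b"\x89PNG": "PNG", b"\xd0\xcf\x11\xe0": "legacy Office"}
ENTROPY_FLOOR = 7.5  # assumed threshold in bits per byte; ciphertext sits near 8


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def looks_unencrypted(path: Path, sample: int = 65536):
    """Return a reason string if the file is readable without a key, else None."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    # Heuristic only: very small encrypted files can fall below the floor.
    return "low-entropy data" if entropy(head) < ENTROPY_FLOOR else None


def audit_drive(root) -> list:
    """Return findings for a mounted drive; an empty list means it passed."""
    root = Path(root)
    note = root / NOTE_NAME
    findings = []
    if not note.is_file():
        findings.append(f"missing {NOTE_NAME} in drive root")
    else:
        text = note.read_text(errors="replace")
        if not EMAIL_RE.search(text):
            findings.append("note has no contact e-mail")
        if PHONE_RE.search(text):
            findings.append("note contains a phone number")
    for path in sorted(root.rglob("*")):
        if path.is_file() and path != note:
            reason = looks_unencrypted(path)
            if reason:
                findings.append(
                    f"readable without a key: {path.relative_to(root)} ({reason})")
    return findings


def demo(note_text: str) -> list:
    """Audit a constructed drive: the note, a plaintext file, a ciphertext stand-in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / NOTE_NAME).write_text(note_text)
        (root / "budget.csv").write_text("account,balance\nchecking,1200\n" * 50)
        # Constructed stand-in for an encrypted container: 8 KiB of hash output.
        blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
        (root / "vault.bin").write_bytes(blob)
        return audit_drive(root)


if __name__ == "__main__":
    for line in demo("If found, please e-mail found-drive@example.com"):
        print(line)
```

Run it against the drive as a finder would see it, before any container is unlocked. Compressed formats without a listed header can pass the entropy test, so a clean result is a hint and not proof.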

Was this article helpful, entertaining, do you have ideas on encryption or stories to share about a similar incident? Let me know in the comments.

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.


30 thoughts on “INFO SECURITY: Thumb Drive Security”

  1. Cool. What is your view on Ironkey thumb drives? Is there a better product?


  2. Good stuff! I use Toucan as a portable app to encrypt my drive. What are your thoughts on this program? Are there others you’d recommend?


  3. Cool. What is your view on Ironkey thumb drives? Is there a better product?

    Good stuff! I use Toucan as a portable app to encrypt my drive. What are your thoughts on this program? Are there others you’d recommend?

    I like Iron Key, but it has its place. In my honest opinion, it’s more for the corporate or military environment.

    But with the current USB ban on the DoD, I don’t see this really catching on for the military too soon.

    As far as Toucan goes, it’s a nice little package. Similar to what it offers to others out there.

    I was going to go into a few of the details and what I thought about different drives and encryption packages out there, etc, but what I’ll do is make this into an article itself.

    Watch for an upcoming article on the different types of drives, encryption packages, flash drive apps.


  4. Looking forward to it.


  5. I always thought it was funny that people lock up their guns when they leave their home but they leave their computer and thumb drives just lying around the house

    ~James G


  6. I guess people still think the loss of information and corporate espionage does not exist. Losing this thing should ring some bells but he probably will drop this again or leave the thumb drive in a public Kinko’s computer too.


  7. There is a great free encryption piece of software out there called TrueCrypt. It works on Mac, Windows, and Linux. So if you work in different operating systems (as I do) then you’ll be able to read your data on all of your machines.

    TrueCrypt is a little different in that you create a file with a predetermined size, and that gets encrypted. You then “mount” that file as a drive and then any data that gets put on there becomes encrypted. TrueCrypt also does whole disk encryption (which is what I use).

    I have an 8 gig thumb with 2 gigs partitioned as whole disk encryption, and the other 6 partitioned normally for stuff that really doesn’t need to be encrypted (homework and family photos). It may not be the BEST solution, but TrueCrypt works really well, and for those ultra paranoid, you can create a hidden partition inside a truecrypt drive for plausible deniability. http://www.truecrypt.org/


  8. There is a great free encryption piece of software out there called TrueCrypt. It works on Mac, Windows, and Linux. So if you work in different operating systems (as I do) then you’ll be able to read your data on all of your machines. TrueCrypt is a little different in that you create a file with a predetermined size, and that gets encrypted. You then “mount” that file as a drive and then any data that gets put on there becomes encrypted. TrueCrypt also does whole disk encryption (which is what I use). I have an 8 gig thumb with 2 gigs partitioned as whole disk encryption, and the other 6 partitioned normally for stuff that really doesn’t need to be encrypted (homework and family photos). It may not be the BEST solution, but TrueCrypt works really well, and for those ultra paranoid, you can create a hidden partition inside a truecrypt drive for plausible deniability. http://www.truecrypt.org/

    I also have this on my thumbdrive, but as I understand it, it is not a standalone (portable app)–is that correct? In other words, I have to have Truecrypt on the desktop/laptop that I am using to decrypt stuff, right? So, if I’m traveling and use the hotel computer or an internet cafe, I can’t decrypt it? Or am I wrong? That’s why I’ve been using Toucan. I would prefer TrueCrypt based on what I’ve read but I have not been able to get it to be 100% portable. Help.


    1. Though Norm said he will cover this topic in a future article, I thought I’d post up a link for you to read in the meantime.

      http://www.truecrypt.org/docs/?s=truecrypt-portable

      Basically, using sensitive material on a netcafe machine = bad juju.

      I also have this on my thumbdrive, but as I understand it, it is not a standalone (portable app)–is that correct? In other words, I have to have Truecrypt on the desktop/laptop that I am using to decrypt stuff, right? So, if I’m traveling and use the hotel computer or an internet cafe, I can’t decrypt it? Or am I wrong? That’s why I’ve been using Toucan. I would prefer TrueCrypt based on what I’ve read but I have not been able to get it to be 100% portable. Help.


  9. I always thought it was funny that people lock up their guns when they leave their home but they leave their computer and thumb drives just lying around the house ~James G

    I’ve always kept my portable drives either with me or secured at home. My office is also locked as well as all wireless/wired connections to the network. But then again, I’m a bit paranoid. :)


  10. I guess people still think the loss of information and corporate espionage does not exist. Losing this thing should ring some bells but he probably will drop this again or leave the thumb drive in a public Kinko’s computer too.

    Yeah, he was pretty flip about losing it. That’s what scares me about our society. People can be 100% tactical in just about everything and really situationally aware, but then when it comes to e-security, they’re oblivious.


  11. I also have this on my thumbdrive, but as I understand it, it is not a standalone (portable app)–is that correct? In other words, I have to have Truecrypt on the desktop/laptop that I am using to decrypt stuff, right? So, if I’m traveling and use the hotel computer or an internet cafe, I can’t decrypt it? Or am I wrong? That’s why I’ve been using Toucan. I would prefer TrueCrypt based on what I’ve read but I have not been able to get it to be 100% portable. Help.

    In my future articles, I’ll make sure and include both of these in the review along with several others, may even do a comparison chart.


  12. As cheap as flash drives are these days, you should have several, one for business, one for personal, one for pictures, etc. This way, if you happen to lose one, you don’t lose everything.

    Good luck with that one man, that’s like trying to get people to clean out their inbox.

    The new USB STIG draft has been released so thumb drives will be allowed again… sort of. I don’t think we’ll see the ban fully lifted any time soon, encryption or no. The main concept in the new STIG is that a thumb drive can be approved for use by your IAM, but that has to be the ONLY option you have available. With the size of approved “spinning” drives shrinking like Obama’s approval rating, I just carry one of those in my backpack and it gets the job done.

    Here’s an idea for your next article, password managers like KeePass.


  13. I read the first sentence in the story, stopped reading and had to go to the PX for a Diet Dew… Yum.

    It sucked when DoD stopped flash drives from being used on their networks (NPIR). Only gripe I have over this whole issue is that they still allow burning data on disc. These are used once, and usually discarded after the data transfer is complete. Most contractors and some .mil guys are not very conscientious about proper destruction of the disc.

    At least with a zip drive, you are likely to lose it and it’s reusable. I know I’m lacking in security of my data on my drives and need to fix it. I’m looking forward to your upcoming article. Keep up the good work!


  14. I read the first sentence in the story, stopped reading and had to go to the PX for a Diet Dew… Yum.

    The “Diet Dew” part almost made me stop reading – lol – DRINK REAL DEW!!! Man I would kill for a Dew right now, you know they don’t sell them in Southeast Asia

    It sucked when DoD stopped flash drives from being used on their networks (NPIR). Only gripe I have over this whole issue is that they still allow burning data on disc.

    Typical DOD IT policies made by some Colonel that still has his assistant print out his email

    This is probably how the decision was made to ban thumb drives:

    Colonel: So tell me about these Thumb drivers thing

    IT Engineer With 20 Years Experience: They are sort of like a portable hard drive

    Colonel: What?

    IT Engineer With 20 Years Experience: They are sort of like a small floppy disk

    Colonel: So what is the problem?

    IT Engineer With 20 Years Experience: Some people think that a spy or careless user may take sensitive data off-site with one

    Colonel: Good god, I am going to recommend we ban them all together

    IT Engineer With 20 Years Experience: Errrr… Sir that’s really not necessary and it will cause a huge amount of workflow, efficacy and inconvenience issues for the end users. Plus it really won’t matter considering that every DOD computer will still have USB ports and anyone with a screwdriver can just remove, replace and steal any hard drive anyway. We should put together a team of our top IT Security personnel and hash out a real multi-tier data security plan.

    Colonel: Great, let’s ban thumb drivers

    IT Engineer With 20 Years Experience: Ok

    ~James G


  15. James G incoherent rambling…

    You worked way too hard for that joke.

    There were very specific and valid reasons they were banned. While the ban is not the advertised panacea of network security, it did (theoretically) stop the use of thumb drives as a cross-domain solution and slow the spread of infection.


  16. You worked way too hard for that joke

    You can never work too hard for a laugh – plus I gots to work hard for something dude

    There were very specific and valid reasons they were banned. While the ban is not the advertised panacea of network security, it did (theoretically) stop the use of thumb drives as a cross-domain solution and slow the spread of infection

    But the benefits didn’t outweigh the inconvenience and loss of efficiency – many would argue (including myself) that it wasn’t anything but a knee-jerk reaction that didn’t do anything at all except annoy end users, take up the time of IT guys that could have been doing something more important than answering calls from every officer on base that “had” to use their thumb drive and make certain high-up folks pat each other on the backs for “doing something”.

    ~James G


  17. James G, They got both by the pallet at the PX here in KU. Send me an email and I’ll MPS you a 12pk if you’re still OCONUS.


    1. What by the pallet dude?

      ~James G


  18. What by the pallet dude? ~James G

    Mountain Dew, dude. If you’re in theater and hurt’n for some, I can square you away.


  19. True

    There are a couple of ways you can do this. If you have the entire flash drive encrypted, you can carry another flash drive that is NOT encrypted with the Truecrypt program on it. When you D/L it just put it on the flash drive instead of on your “C” drive. Then put both flash drives into the computer that you’re using, start the Truecrypt software and open up the file. That will make the encrypted files visible.

    Or you can copy it to the same flash drive and THEN create a volume (everyone else in the industry calls it a file) that will be encrypted. You can make this as large as you want, in fact, taking up the entire rest of the drive. I suggest NOT making it that large so that you can copy stuff to the drive that you don’t want encrypted.

    Lou


  20. I would just like to give a huge recommendation for the IronKey. Yes, it can be a serious PITA to log into it every time you want to access it, but nothing out there can beat it – it has an onboard crypto-chip. It does not get better than that.

    Also, a buddy of mine turned me onto a website last week for sending messages online, uber secure and all. http://www.onetimemessage.com/ or something like that. As I understand it, it’s basically a souped-up PGP except internet based.


  21. This really is kind of amusing, one of the more successful ways I know of to penetrate IT security from the outside WITH the victim’s employees assisting the penetration engineer is to intentionally spread several thumbdrives with malware for both Windows (U3 capable) and OSX at random places in the victim company’s employee parking area.
    Once the hapless employee(s) attempt to look at the directory/files, the malware performs the internal penetration/assessment and copies out the results to the net via various means (subliminal DNS being the easiest) and then deletes itself.

    http://www.hak5.org/w/index.php/USB_Switchblade

    lately I have been looking at this site http://www.bunniestudios.com/blog/?p=918 the author who is the principal engineer behind the chumby consumer devices decided to have a VERY close look at counterfeit MicroSD cards.

    As to my qualifications in this area?? just another walter mitty… :)

    fascinating blog..


  22. and another couple of comments about (In)”Security”
    the hushmail.com experience taught us that sites like http://www.onetimemessage.com/ either work out a way to intercept the message or the keys when served with a subpoena.
    ONCE it (the plaintext) is on their website and either the key has passed through the website or the message cleartext, your message security is HISTORY.

    regards


  23. hmm seems this blog auto approves anything after the first posting(which is held for moderation) ..
    here is my first posting submitted for a second time to auto approve itself
    (should get that fixed james).

    This really is kind of amusing, one of the more successful ways I know of to penetrate IT security from the outside WITH the victim’s employees assisting the penetration engineer is to intentionally spread several thumbdrives with malware for both Windows (U3 capable) and OSX at random places in the victim company’s employee parking area.
    Once the hapless employee(s) attempt to look at the directory/files, the malware performs the internal penetration/assessment and copies out the results to the net via various means (subliminal DNS being the easiest) and then deletes itself.

    http://www.hak5.org/w/index.php/USB_Switchblade

    lately I have been looking at this site http://www.bunniestudios.com/blog/?p=918 the author who is the principal engineer behind the chumby consumer devices decided to have a VERY close look at counterfeit MicroSD cards.

    As to my qualifications in this area?? just another walter mitty…

    fascinating blog..


  24. It only holds for moderation if you have more than one link in your comment

    ~James G


  25. Yep – Norm writes great stuff

    ~James G


  26. other threats…
    malware… www.digicrime.com shows examples of how to make your browser misbehave (and is benign and run by a long-time security type (been around as long as I have))
    http://www.gnucitizen.org is also somewhat benign and contains a LOT more detailed information about using browsers against their users.
    http://www.packetstormsecurity.nl is a somewhat aged leak archive of various hacks, malware, security tools and pointers to other sources of same.

    RANT MODE ON:
    The Biggest operational IT security tip I can give you is to NOT run Microsoft Windows in any form unless totally isolated in a virtualized environment such as that provided by XEN, VMWARE, Parallels, VirtualBox
    which is configured to NOT let the Windows machine have ANY comms with the outside world or comms run via a very carefully configured security proxy that is backed up by Snort/Prelude/ClamAV type IDS system with a current set of signatures from bleeding edge rules or other sources (more trouble than it’s worth).
    Ubuntu.com and kubuntu.org are free for the download and contain all of the functionality/security needed (i.e. SELINUX extensions in ubuntu were developed by the NSA directly for these abilities)
    RANT MODE OFF:

    BTW earlier references “subliminal DNS”… reference to the Iodine package for IPV4 or dan kaminsky’s work in this area.


  27. forgot to mention
    http://www.rootkit.com/ this site is frequented by rootkit developers/testers, one of the many tools of a digital spy(and walter mittys also)

    I should mention that once your IT system is infected by malware, OPSEC is a distant memory, this comment includes especially IRONKEY users who think that hardware crypto will protect them from malware :)


  28. Thanks ever so for you personally blog post. Really thank you! Want more.
