Oh - thats how it works!!
And there was me thinking SanDisk were doing a much needed public service. Only to have all my hopes dashed.....
Over three quarters of American IT workers use memory sticks for work-related purposes, and most corporate heads don't have a clue about the peril they face as a result of the stick love. Or so that's what SanDisk discovered via a survey commissioned to explore the risks of using unsecured USB flash drives in enterprise …
of course this is nothing new....
...i remember the days of MS Word for Windows 2 and Word 6 ( something ate the ones in between, maybe they where left in the park or on a bus) the files where small enough to fit on a 3.5inch disk!
and 1 in 10 people finding usb sticks in public.....
damn, i still have to buy mine!
never have found one!
I did once find a plain brown envelope in the street stashed with a big wad of readies, I was never so glad as to get back to thee safety of the office! (sorry, i meant police station)
the 'corporate' world would grind to a halt!
I have 3 copies of whatever I'm working on.
Main project folder on the network (everyone on the project has access to this)
'My' copy on 'my' HDD (just in case someone overwrites what I've done, it happens)
MY BACKUP on flash.
Not paranoia, just fed up with 'loosing' work already done.
most companies clearly *still* don't have a clue.
Maybe it's because secure USB drives are more expensive, and because if you have the policy *EVERYONE* can think of a business excuse to need a 4Gb edition which may well be conveniently 'lost' at some future point.
(here's betting the percentage of miscreants is significantly higher in IT departments)
At a recent hacker convention, an attendee wagered that he could hack into machines without directly accessing them. He won the bet.
He "lost" several flash drives, people inserted them into their computers, code autoexecuted...
Wanna add nodes to your botnet? The curious/greedy will infect themselves, and there's no chance that you will get caught.
A properly programmed flash drive could transmit business plans, accounting data or source code to a competitor. Call it "Corporate Espionage for Dummies!"
An employee unplugs his flash drive from his rootkit-infected home computer, takes it to work and plugs it into his workstation -- instant infected network.
Things were simpler in the days when floppies presented security threats; just ditch floppy drives.
Disable USB ports in the BIOS and then password protect the BIOS? Ban flash drives?
Ain't gonna happen.
And that means that network security will be gone in a flash!
You have an important 250 page document to get to a certain department for a certain time. It exceeds the limit for attachments in email, and it is unsuitable for you to put in a shared area. You could ask IT to set up a secure folder accessible only to both parties, but when do they ever have time to do that between games of network Doom and rm -r'ing whiney users' folders?
So, you drop it on a USB stick and walk the possibly 15 metres to the guys desk, and save all the hassle and a lot of time. There's your 70%.
As for finding a memory stick and looking at the data, I would just to find out who it belong to so I could return it! If it's confidential, i'd tell them i'd seen watever i'd seen but that it was in the interest of returning their property, and possibly more valuably, their data. If that's a problem, they can consider someone not as altruistic as myself getting hold of it and finding their data on eBay, or in the hands of the press. Obviously I weigh the chance of it having some form of malware up, but i've got a laptop running a Live-CD, dedicated to scanning for malware on untrusted devices anyway.
My other 'arf often has sensitive data unsecured on her USB stick.
Why?
The council she works for
a) Expects she does about 150hrs a week
b) Fails to provide a laptop to work from home, so she uses her own
c) Fails to provide any means of VPN
d) Fails to train on securing data
e) Fails to provide any software to secure the data.
I highly doubt this council is alone.
But don't worry, the ton of paperwork she has to carry round is far more sensitive....
I always take surveys by vendors with a pinch of salt - after all even if done "indepently", it is not beyond imagination that should the results of the survey not support their stance, or the product they are about to launch, the survey would never see the light of day.
Nevertheless, this survey does support my fears about data leakage. My organisation is finally doing something tangible witha corporate solution that encrypts data on USB sticks and also port controls USB to approved memory sticks only. I'm just waiting see which user comes up with the most creative workaround.....
"When asked to pick the three most likely actions they would take if they found a memory stick in public, 55 per cent said they would view the data"
A study was done about this a while back (I perhaps read it on The Register in the first place), where someone deliberately infected a bunch of USB pens with specially crafted malware which simply phoned home when executed. He then threw them over the fence and into the car park of various large companies. Most of them ended up being executed as a result of employees plugging them in. Almost all of them plugged them straight into their work PC too.
Personally I use TrueCrypt on my pen so if I lose it, it just appears to be broken. It's a *little* bit more hassle to use, requiring the TC software to be on each machine that needs it, but it's definitely worth it if you value the security of your data.
As it happens, the last "foreign" computers I has occasion to read a USB drive on were set up so the user couldn't execute programs on such drives. (So a U3 flashdrive is useless.) That's a barrier against some threats.
This was a Windows XP system.
Unfortunately. the corporate IT person was shared between a large number of offices, scattered across the country, which possibly explained why all the machines were still set to a US keyboard layout, even though they had a UK keyboard.
...I once found a memory stick in my uni's computer lab. I did the right thing. Copied the dissertation off it, replaced the name, handed it in as my own then sued the real owner for breach of copyright.
Ok, i didn't, but I thought about it.
I did have to look on CV.doc to find out the owner's name and handed it in at the office. God knows what they did with it, probably still stirring coffee. Check out my high karma!
I'd did a forensic recovery on one of my USB keys. I could recover file names going back 3 years, and file fragments going back 2 years, and recover just about anything from the past year.
Don't take my word for it:
Rich people try it for yourselves with Encase, poor people try it with The Penguin Sleuth Kit.
Gone...but not forgotten.
Step one: Don't run WinDos, so you don't have to worry about Flash virus.
Step two: Only put non-public stuff on external storage after it's been PGPed.
BTW: What if your employee leaves their laptop out in public? How will a purely usb key based security system help you then?
-HJC
"Disable USB ports in the BIOS and then password protect the BIOS? Ban flash drives?"
I'm yet to work somewhere that doesn't password the BIOS, but I wouldn't be surprised if some companies neglect that first line of defence. Admittedly, they usually have a standard password across the company so once an IT guy has let it slip to one employee...
There are many ways to improve the security of flash drive use, all available and all used by any company that has any inkling of data security.
1) Use software to prevent use of anything except your company's drives - several packages available.
2) Use company-issued, registered, encrypted flash drives - they're not that expensive.
3) Keep a log of all file transfers to/from said drives - easily achieved by network admins.
If I were to lose my flash drive, IT have a record of what's on it anyway so a decision can be made as to whether I had lost anything worth worrying about. Assuming the drive's finder can crack the encryption, of course.
I always buy dumb USB sticks and do encryption on them from my PC. I distrust the U3 standard used to flog "secure" USB because it's just another example of Someone Else's Software that I don't control.
I currently use TrueCrypt, originally a Windows product but now available through a Linux GUI as well. There are also the free PGP and GPG encryption solutions. There's also a nice nice LockNote utility from Steganos, but it's limited to Windows.
No matter how carefully you secure your USB media, there are still data trace issues on the PC: when you decrypt, traces can be left in the OS swap space and/or temporary files which even when deleted can leave rescueable data in a filesystem.
There's also the issue of load-levelling on the Flash-based USB drives which may be a problem if the USB drives even momentarily contain cleartext sensitive material, but I don't know how serious the exposure is for lack of technical information.
My current solution is to keep a small harddisk partition to stage cleartext files on, and then wipe or shred the entire staging partition when I'm done with the files.
Of course, all this is whistling in the dark since my personal data is most likely to leak during a bulk theft from a vendor or financial institution, but I'm a bit of a techie and it's interesting to learn about.
I bought a Shuffle as a floppy replacement - CD-R are no better, are they?- I kept slides on it to show when networks are down, and documents to finish at home.
Since then, the company net blocks executable files - Shuffle lost its value, had to buy an honest USB stick. The Office documents keep changing format - it is a struggle to keep one step ahead of admins so I can work like this.
Then, last week, the USB stick died in the washing machine. Reduced to carrying the laptop around.
How many times my stick has saved me when trying to kick start a new server, move drivers from one server to another. I could have gone to stationary, filled out a request for a few blanks CDRs, then found someone willing to share their PC with a CD writer, wasted their time and mine copying the stuff to their machine and then writing it out to a CDR, but I thought no I will get the job done quicker and help my userbase by getting their system up and running in less than a few weeks.
I was working somewhere once where 6 of us had two PCs on a desk, one on a public network and one on a private secure network. Guess how we used to get our source code and scripts from one network to the other? Well it wasn't by filling out forms and and getting six levels of clearance for every file movement request I'll tell you!
Nice of SanDisk to scare us prospective customers in the right direction - toward them. But all the pages I have read so far about encrypted USB sticks say their encryption is crap.
So are SanDisk at this point selling security, which we could no doubt use, or just the false appearance of security, which doesn't really help anyone who wasn't scared to begin with?
My coat is the one with the holes in the pockets.
I'm a firm believer in completely dumb flash sticks, and own several Kingston DataTraveler sticks that come FAT32-formatted with zero software on them. They work on XP, Mac, and Linux. I also own a 4 GB non-encrypted Sandisk stick that came with software. I spent hours trying to delete hidden directories, but they keep popping up. XP sees it as two drives, one that is read-only and auto-launched, and the other where you can put data. Sandisk is trying to lock you into their thing, and I'm ready to throw their stick into the trash.
The reason why a dumb flash stick is important is because sticks are finding all sorts of uses. I have a DVD player from Philips for my digital television. It can play my MP3 tracks through its USB port. It likes my Kingston sticks, but does not recognize the Sandisk stick at all.
If you want encryption, don't fall for any stick that comes with its own software. Get a dumb stick with zero files on it, and put your own encryption software on it.
Once you've got rid of all the junk software i find Sandisk USB drives to be the best. Simple because this 2GB Micro Cruzer has been in the washing machine 3 times now and still works like a dream
My Kingston DataTraveler before that died in a watery, soapy grave on it's first trip round and round the washing machine. Obviously they are about as reliable as their RAM then :P