General: Security Implications of USB Memory

Bottom of Page

1 to 16 of 16

  1.  
    •  
      CommentAuthorSpode
    • CommentTimeNov 9th 2008
     

    I wrote a feature last week for IT Pro, taking a look at USB sticks and the possibly security risks associated with them. Considering how easy it is to carry 8 or 16GB of data around in our pockets - what are the implications of this? What are the best practices? What do they experts say?

    8GB is more storage space than a fair amount of netbooks on the market today – some of which only have 2GB of internal memory. That said, they still manage to cram in a full operating system with the features you'd need from most desktop computers. 8GB is enough to house an Ubuntu install, a fairly decent MP3 collection, a selection of films, and every article every IT PRO writer has written for the past 10 years - with room to spare. This is as superb as it is alarming – especially when you consider that you can fit all this onto something you could comfortably swallow without even realising it.

    So if you use USB storage or flash memory, give my article a read and it might change your approach.

    •  
      CommentAuthorKrazyIvan
    • CommentTimeNov 10th 2008
     

    For about two years now, you cannot connect any USB device to computers where I work. It is restricted by the security software in place. It was restricted by our code of conduct before that, and you could be terminated if you were caught.

    Being part of technical support, I was approached many times to "clear" a USB drive for use on company workstations. People would get really ticked when we would not allow it. That did not stop some people and I caught a couple of people with drives plugged into workstations that should not have been. Since the new security software was installed, I don't have to worry about it any more. :)

    •  
      CommentAuthorLolly
    • CommentTimeNov 10th 2008
     

    Gluegun works...

    •  
      CommentAuthorSpode
    • CommentTimeNov 10th 2008
     

    Is that some software Lolly, or do you mean an actual gluegun?

    Ivan - this is one of the problems of OS familiarity at work and at home - people start fiddling! Turning off firewalls, wanting to install iTunes etc...

    •  
      CommentAuthorcoyote
    • CommentTimeNov 10th 2008
     

    I think Lolly actually means a hot melt glue gun to block up the USB ports. Yes, that would do the trick! Nice one Lolly, that made I chuckle. :D

    •  
      CommentAuthorSpode
    • CommentTimeNov 10th 2008
     

    I saw a terminal at a library the other day, with a mouse. And I was thinking - hmmm, I bet that's a USB mouse. Cut the cable, join it to a USB hub and plug in a keyboard and USB flash disk... HAVOC! Could be done with a pen knife quite easily :)

    •  
      CommentAuthorcoyote
    • CommentTimeNov 10th 2008
     

    I wonder if anyone has done this yet? Maybe they will now you have planted the seed. :D

    •  
      CommentAuthorSpode
    • CommentTimeNov 10th 2008 edited
     

    I can only imagine it's been done. The biggest issue is being spotted. But you wouldn't think anything out of the ordinary was happening if you saw someone at a terminal with a keyboard and mouse, would you? And if you had to leg it - leaving £10 of equipment behind isn't the end of the world :)

    I'd like to add - I don't do anything like this. But it's interesting to think of ways you *could* :P

    •  
      CommentAuthorKrazyIvan
    • CommentTimeNov 10th 2008
     
    Posted By: Spode

    Is that some software Lolly, or do you mean an actual gluegun?

    Ivan - this is one of the problems of OS familiarity at work and at home - people start fiddling! Turning off firewalls, wanting to install iTunes etc...

    That's why no one has admin accounts except for the people that really need it. :)

    •  
      CommentAuthorcoyote
    • CommentTimeNov 10th 2008
     
    Posted By: Spode

    I'd like to add - I don't do anything like this. But it's interesting to think of ways you *could*:P

    I cannot imagine you doing anything like that Spode, but I suppose you have to say it. Have you ever thought of doing some IT security work? After all you did spot that one and I bet there are many more easy break ins around.

    •  
      CommentAuthorLolly
    • CommentTimeNov 11th 2008
     
    Posted By: coyote

    I think Lolly actually means a hot melt glue gun to block up the USB ports. Yes, that would do the trick! Nice one Lolly, that made I chuckle.:D

    Precisely. Although it would be a good name for a program which blocked off access to the USB ports nonetheless.

    •  
      CommentAuthorSpode
    • CommentTimeNov 11th 2008
     

    It would Lolly! Go and do it! Or perhaps get Beanz working on it as his first year project. I have a feeling he's underworked right now ;) ;)

    And coyote, I've got plenty of revenue streams right now - let's not add another one! There are people out there who know much more about security than I...

    •  
      CommentAuthorcoyote
    • CommentTimeNov 11th 2008
     

    I'm glad you have enough to do, not that I thought otherwise. It was only an idea. :D

    • CommentAuthorBeanz
    • CommentTimeNov 11th 2008
     

    eep - me work? - I'm at university; who heard of anyone working at university?

    •  
      CommentAuthorSpode
    • CommentTimeNov 11th 2008 edited
     
    Posted By: Beanz

    eep - me work? - I'm at university; who heard of anyone working at university?

    I did! I ditched my electronics class to cover CeBit. lol.

  16.  

    If you lose the USB drive with your data that can be quite an issue in itself. Several of my customers put a copy of R10Cipher on the USB drive and use it to encrypt / decrypt their data. As R10Cipher runs on Mac, Linux and Windows and requires no installation it is simple to work with in the scenario where you move between computers regularly, even running different operating systems.

    If anybody is interested version 2 of R10Cipher is currently in Beta and I am looking for suggestions for additional functionality.

    http://www.artenscience.co.uk/artenscience/Blog/files/r10cipherbeta195.html

    I already intend to make a 'double click' on the encrypted file launch R10Cipher and prompt for the 'shared secret' and automatically save the file under it's original filename, as well as add drag and drop support for encrypting multiple files.

    Cheers

    Steve Cholerton
    www.artenscience.co.uk

1 to 16 of 16

  1.  
 
Copyright Andrew Miller (Spode), 2008