USB pens – Friend or Foe?

I generally try and avoid any kind of mobile media. The number of floppy disks and cd-roms I’ve lost, broken or accidentally overwritten doesn’t really bear thinking about. Along came USB pens that could be attached to a keyring but then the early ones were big and chunky and I still managed to lose them. The latest USB pens I’ve seen can hold 8GB+ of data and as useful as that sounds I’m still in no hurry to buy one. If I was to load up a USB pen with 8GB of data I’d lose it in a few weeks and apart from the monetary loss for the pen, what about the cost in terms of the data lost? I can copy all my work documents and possibly confidential data onto an 8GB pen and carry it with me. What if the data on my pen drive was confidential staff reviews or budget spreadsheets? The chances are that it would be picked up by someone who would then have a look at the data to see what was on it. If the data is of no use to the person that finds the pen, it is more than likely going to be formatted off and kept by the person who found it. Does that sound cynical? There have been a few times in the past year that I’ve been asked ‘Have you lost your keys?’ or ‘Have you lost a wallet?’ I have never been asked ‘Have you lost a USB pen?’

When I first started working in IT one of the Golden Rules was that you never put a floppy disk into a networked PC without checking it first for viruses and other security risks. There was always the risk that someone might leave an infected disk around with the hope that another curious user would pick up the disk and have a look at the contents. The disk would then infect the PC and take advantage of any privileges the user had on the network. After reading an article in PC PRO magazine by one of the magazine’s contributing editors, Davey Winder, it now seems that USB pens are being purchased by hackers, infected with a trojan or something just as nasty and then dropped outside offices and places of work. You can probably guess what happens next!
As the size of the drives increases users have been installing their own operating systems onto them, their own hacking tools and all kinds of images and other media. It’s quite easy to download a selection of pictures and movies and carry them with you; this makes detection of inappropriate files difficult.

The good news is that USB pen makers are addressing some of the security issues with biometrics, encryption and passwords. The bad news is that as always this new technology is costly. The Stealth MXP drive that Davey Winder talks about in his article is not exactly cheap. If a CD-ROM or floppy disk is lost the cost to replace them would be less than a pound. With USB pens costing £15 – £200+ they present a much bigger dilemma to anyone finding one.
Until these secure drives come down in price I’ll hang off buying one, and I’ll be thinking twice before I plug any USB pen into my computer at work. USB pens are really easy to use, but we must always be aware that USB pens are subject to the same security risks as every other type of media. It’s worth remembering that if you find a USB pen on the floor it may not have been lost, it might have been placed there for someone to pick up.


9 Responses to USB pens – Friend or Foe?

  1. Mike Nolan says:

    I usually have a lot of time for Davey Winder but I wonder how much of this is FUD to make a good story. I can’t imagine scores of trojan writers wandering the streets dropping pen drives…

  2. The problem of trojans on USB pens is probably not widespread but they have to sell magazines somehow. During my helpdesk and techie years I never came across a trojan on a floppy disk or cd-rom, but I have dealt with numerous viruses on disks. We have had students with a grudge trying to take out servers in the past, I have had to deal with this kind of thing when I was a techie. They had downloaded a utility that when run from a PC would attach itself to a netware server and crash it. The utility could be burned to cd-rom and set to autoplay when the cd-rom was loaded, once loaded it would run undetected in the background of windows. We caught them before they could put their plan into action because they downloaded the tool to their home directories. Had this gone undetected there would have been a quite successful DoS attack from within the institution. One CD-ROM would take down one server and then move onto the next.

    What Davey Winder’s article has done is made me think quite hard about security and USB pens in general. With institutions using firewalls, virus checking and spam filtering the hackers will still try to get in somehow. The use of biometrics for authentication is going to become more popular and this will make hacking more and more difficult. Social Engineering is on the increase and you only have to read ‘The Art of Deception’ by Kevin Mitnick to see how easy social engineering can be. Seeding USB pens seems a fairly easy way to use social engineering to gain access to a system. While EH isn’t as attractive to hackers as a games company or financial institution, we still have to bear in mind that sooner or later we will become a target. A University would make a good starting point for a hack further afield; Super fast connections, excellent kit and predictable patterns where staff are onsite. My experience as a techie has shown me that hacking should not be our only concern, and the right DoS utility on a USB drive could be devastating. Apart from that quite dramatic take on things, how long is it before someone at EH loses an unencrypted pen drive with something commercially sensitive on it? I do know that people do carry around images and documents on unencrypted USB pen drives, it’s only a matter of time before someone loses a usb pen drive with something important on it.

  3. Stuart Gould says:

    USB drives are really just amplifying the risks that used to be associated with floppy disks and then CDROMs. I think the real danger related to the drives comes from the sheer data capacity they are capable of. A disgruntled employee stealing corporate secrets or private data wasn’t much threat armed with a pile of 1.4meg disks but being able to clear out gigs and gigs of network files in only minutes is rather terrifying. The ability to hold an entire operating system on a usb drive and boot to that rather than to our usual locked down desktop also presents a significant danger.

    The dangers from virus and trojan attacks are really no different from those associated with other media as the file sizes are usually insignificant. To me web based viral attacks from seemingly safe sites pose a far greater risk.

    I would say that the biggest problem related to USB pens is down to misplaced or stolen drives. Most users don’t associate using pen drives with a risk and think nothing of wandering around with confidential or sensitive data on them. I’m guilty of this myself, having an unsecured pen drive with a plain text file containing a WEP key on it at one stage. While the key on its own might not mean anything, if I had left that drive plugged into a PC near the router that used that WEP key it would have been fairly easy to figure out what it was for. Having worked on people’s laptops who have had files on their desktop such as “my_passwords.doc” I shudder to think what you could find on an average lost pen drive.

    From our perspective the issue is a very difficult one. I have heard of a lot of large American companies totally blocking USB devices on all computers. This is probably the safest course of action for large competitive business but not really possible for education institutions who need to be considerate of their students’ needs.

    The best solution I have seen is for a corporate software solution where all staff computers have a package installed to block USB drives. The staff members have to take any drives they want to use to the IT department to have them authorized for use on the network and can then use them on any computer. Of course this is a very expensive option thanks to pricey software and heavy administrative demands.

    As always in these situations it is finding the balance between security and usability for your end user that is the hard part. In our environment the best we can do is to rely on our antivirus package to keep the nasties away and try to educate our users on the safe practice for using these kind of devices. In the meantime I have become dependent on my usb drive for my day to day work so I guess I’ll have to take my own advice and be careful about how I use it!

  4. I’ve just found USB pen drives with Iris recognition built in at http://www.rehobothtech.com/sub2_2.asp
    I’d still be worried about losing one, but at least the technology is going in the right direction

  5. Alister says:

    I really like the Iris Recognition but it seems many people are afraid of this sort of technology - a fear that their eyes may eventually suffer some damage from it. I believe that if we are careful about securing our flash drives’ data with either encryption and/or fingerprint biometrics we should be just fine. I own many flash drives and I must say that I have never lost a single one.

    As for companies that don’t want employees using these drives or other devices that store data, there is excellent protection out there such as Drivelock which can be used to designate exactly what devices can be used or not used - even by a device’s serial number.
    My business is not large enough for this yet.

    I will probably take a look at this Stealth MXP.

  6. Davey Winder says:

    As the author of the article in question, I can assure you that the USB Seeding threat is not FUD and certainly real enough. Sure, it is no epidemic, but it does highlight the dangers that USB thumb drives represent – and criminal elements are exploiting them.

    Of course, I would not recommend the approach taken by one large company according to an insider who emailed me – it used superglue to seal up the USB ports on all its desktops!!!

  7. Supergluing the USB ports?? Now there’s a low-tech and OTT solution to a high-tech problem.

    Does anyone remember the fuss when the Furby toys came out and offices banned them in case they learnt to repeat company secrets, and also when companies first realised that iPods could carry more than just music?

    A determined user will always find some way to get around internal security measures, even superglue. Wouldn’t companies’ efforts be better spent on educating users to the risks? Security policies are usually put in place for a reason and not just to annoy the users. Although thinking on it some of the calls to that company’s IT helpdesk after all the USB ports had been glued up must have been priceless.

  8. Barry Wainwright says:

    Hi – Can anyone help? I used to work on files on my pen drive and then back them up on my laptop. (This was convenient for me so I could switch between computers on my client’s site). Recently, for no apparent reason, saving edited files on my pen drive caused the file to crash without being able to retrieve it. This never used to happen and I had worked on pens for a couple of years. I had a new hard drive fitted and reloaded all my software but the problem remains so I guess it is a hardware fault (the USB port perhaps?).

    It isn’t the pen drive as I have bought new ones and it still occurs.

    Any ideas?

  9. Hi Barry

    I’ve only just found your comment on the blog, sorry about that.

    I’ve never seen a partly working usb port, they tend to either work or not work. All I can think is that the pen might still be in use by the OS when you remove it. I’ve had files disappear and corrupt when I’ve removed a USB pen without disconnecting it in Windows first. Some USB pens seem to be more sensitive to this than others. You could always try another USB port but apart from that you should probably contact the Pen makers for advice. You could also try a quick google for problems with that make of USB pen, maybe other people are having the same problems.
