Data protection on USB drives?

get-lit · Jan 24, 2010

I really should have explained how I use my flash drive. Most of the time it is connected to my primary work computer, sometimes switching to other computers in the office, and I bring the drive home and work from my home computers as well. I can also use it at our three secured data centers across the country. If I go somewhere else, I connect it to my laptop. The benefit is that I can conveniently and securely bring my data with me for use across all my trusted computers. The other benefit is that if I am working on a PC with my drive connected, and someone unexpectedly breaks in to forcibly access my computer, I can press Ctrl+Shift+D and the encrypted volume is dismounted, and I can also pull the flash drive and hide it. The extra protection is that the secure data is no longer contained within the computer itself. It must be physically located. Even if it is located by a perpetrator, and he forces you to give the password, you can supply the password for the primary encrypted volume with useless files, and your hidden encrypted volume would remain unknown.

RocketTomato · Jan 24, 2010

Is it possible to boot your OS off the USB flash drive? That way, any untrusted computer can be made more trustworthy. You would still have to worry about hardware and BIOS level hacks though.

LuxLuthor · Jan 24, 2010

Yeah, you guys are talking hard core hard core...although taking it to more extremes...if someone REALLY wanted all the information, they would mount a hidden camera to capture your REAL keystrokes, or even worse, threaten your family while you sit at your home computer giving them anything they want.

My point is that no matter what you can think of, there are those that will go beyond your best strategy if they really want your information.

The take home message for a thread at CPF is something like TrueCrypt is more than enough.

Archie Cruz · Jan 24, 2010

Here's what I use and I sent it out to 10 top codebreakers to crack for a $1000 prize. No one succeeded

too bad it has to be so big- I wish it was more like the pocket bit mini
http://gearninja.com/Images/IronKy.jpg

bigdukesix · Jan 24, 2010

get-lit said:
I really should have explained how I use my flash drive. Most of the time it is connected to my primary work computer, sometimes switching to other computers in the office, and I bring the drive home and work from my home computers as well. I can also use it at our three secured data centers across the country. If I go somewhere else, I connect it to my laptop. The benefit is that I can conveniently and securely bring my data with me for use across all my trusted computers. The other benefit is that if I am working on a PC with my drive connected, and someone unexpectedly breaks in to forcibly access my computer, I can press Ctrl+Shift+D and the encrypted volume is dismounted, and I can also pull the flash drive and hide it. The extra protection is that the secure data is no longer contained within the computer itself. It must be physically located. Even if it is located by a perpetrator, and he forces you to give the password, you can supply the password for the primary encrypted volume with useless files, and your hidden encrypted volume would remain unknown.

I am going for the colt - not ctrl shift D - just sayin

upriver · Jan 24, 2010

get-lit said:
TrueCrypt!!! As a programmer working with online banking systems by trade, I use my Patriot 128GB flash drive with TrueCrypt for all of my programs so I can work from any machine anywhere I happen to be. TrueCrypt does NOT have to be installed, it can run as a stand-alone program from the USB drive.

I thought TrueCrypt had to be installed on the computer you are using, or at least that's the conclusion I had come to after reading up on it. I'd love to be wrong of course, so I'll research it further. I use it on my computer already, and was hoping to encrypt at least a folder on my USB drive, strictly for the event that somebody finds it.

Any further explanation is appreciated. I remember reading about a traveler mode, and even that seemed to require an install on the computer being used.

paulr · Jan 24, 2010

RocketTomato said:
Is it possible to boot your OS off the USB flash drive? That way, any untrusted computer can be made more trustworthy. You would still have to worry about hardware and BIOS level hacks though.

Most PC's made since 2004 or so can boot from USB, which certainly beats booting from the PC's presumably virus infested internal hard drive. I think we can all also agree that using Truecrypt is far better than not using anything in the event the USB drive is lost. The Ironkey is also interesting and I've been wanting to evaluate it sometime. As I understand it, encryption in the Ironkey is performed by hardware in the drive itself, using a randomly-generated on-board key that never leaves the drive and is itself encrypted by the user password, so the drive can erase its internal key if you enter too many wrong passwords. That protects the contents from offline dictionary attacks. The computer keyboard should still be considered an insecure path, so some other security devices (including some hard drive enclosures) have a keypad directly on the device, to accept a password or PIN without ever exposing it to the host computer. It would be cool if Ironkey made something like that.

My overall feeling from working in this field is that we're muddling through a rather crappy situation, and really sound solutions are hard to come by (I spend some time thinking about how to build them). Folks interested in this sort of topic should look at the book "Security Engineering" by Ross Anderson (the first edition is readable online for free). It will give you an idea of what we're all up against, so don't blame me if it turns you into a paranoid freak

Empath · Jan 24, 2010

I too endorse TrueCrypt, with one reservation. Portable TrueCrypt has to be used with administrator privileges. If you find yourself on a computer where the owner has wisely held you to a restricted account, TrueCrypt won't work.

Here's an alternative, if you're basically protecting your data in such cases as drive loss, or theft, and your usb drive doesn't have security built in. There is a freeware app that doesn't require installation, and is designed for such a situation. USB SafeGuard is fairly secure encryption and is easy to use.

LuxLuthor · Jan 24, 2010

Archie Cruz said:
Here's what I use and I sent it out to 10 top codebreakers to crack for a $1000 prize. No one succeeded too bad it has to be so big- I wish it was more like the pocket bit mini
http://gearninja.com/Images/IronKy.jpg

Wow, that does look unbelievable. Just watched their demo here. It is much cheaper than I would have thought. I think I'll pick up one of those "Personal" model puppies.

get-lit · Jan 24, 2010

bigdukesix said:
I am going for the colt - not ctrl shift D - just sayin

Of course all those goodies are handy too lol. My favorite lately is the Carbon 15.

LuxLuthor said:
...or even worse, threaten your family while you sit at your home computer giving them anything they want.

Hidden volumes take care of that problem. Put typcial family pics in the primary volume, and your protected files in a hidden volume. There's absoblutely know way to know the hidden volume even exits. When they see a file they suspect is an encrypted volume and they want the password or your life, give them the password to the volume with the family pics and that's all they will see. It's called plausible deniability.

Again, one of the best defenses against dictionary attacks is to use a keyboard pattern. Here's an example of something that is very easy to type, but strong... PL<>:{}"?/'][;.,lp

That can be typed easily in under 3 seconds.

LuxLuthor · Jan 24, 2010

get-lit said:
My favorite lately is the Carbon 15.

You mean the Bushmaster gun? LOL! I'm not seeing any USB Carbon 15 devices on google.

get-lit said:
Again, one of the best defenses against dictionary attacks is to use a keyboard pattern. Here's an example of something that is very easy to type, but strong... PL<>:{}"?/'][;.,lp

That can be typed easily in under 3 seconds.

I would never remember that, but now that you just told us, I'm going to hax0r into your computer. :crackup:

I like to make up a bizarre sentence that like the old dramatic memory image hooks is easy to remember, then use a combination of letters and characters to kind of phonetically spell it. Where symbols like @=at, #=pound, $=money/dollar, %=purchase/purse, ^=carrot, &=and, *=stars, etc.

Then I have a whole other coding system that I devised.

Apollo Cree · Jan 24, 2010

Archie Cruz said:
Here's what I use and I sent it out to 10 top codebreakers to crack for a $1000 prize. No one succeeded too bad it has to be so big- I wish it was more like the pocket bit mini
http://gearninja.com/Images/IronKy.jpg

$1000 is a joke. If you have the skills to crack such encryption, there's more money to be made by attacking other things. Or crack the security of the device, don't collect the reward but hire yourself out cracking them for $10,000 a pop.

watt4 · Jan 25, 2010

get-lit said:
When they see a file they suspect is an encrypted volume and they want the password or your life, give them the password to the volume with the family pics and that's all they will see. It's called plausible deniability.

I can see it now. "You encrypted this? B.S. !"

The encrypted space you 'give up' should have porn in it.

Apollo Cree · Jan 25, 2010

get-lit said:
Again, one of the best defenses against dictionary attacks is to use a keyboard pattern. Here's an example of something that is very easy to type, but strong... PL<>:{}"?/'][;.,lp

That can be typed easily in under 3 seconds.

Keyboard patterns are a really bad way to choose a password. Password cracking programs know to try keyboard patterns.

Archie Cruz · Jan 25, 2010

Apollo Cree said:
$1000 is a joke. If you have the skills to crack such encryption, there's more money to be made by attacking other things. Or crack the security of the device, don't collect the reward but hire yourself out cracking them for $10,000 a pop.

Truth is. It doesn't matter is the reward is $1.00 or $1M. If they can't crack it, they can't crack it and that's that

Foget software encryption - hardware encyption is where it's at.
Besides, if anyone cracks that drive of mine, there's close to 1/4 Million in reward in there

not to mention IP.

paulr · Jan 25, 2010

It is best to use passphrases based on physical or computer-generated randomness, rather than anything you thought up without external entropy or that is based on a keyboard pattern. Several words chosen at random from a dictionary is a good approach. www.diceware.com gives a good word list and explains how to generate the phrases. For encryption you want at least 64 bits of entropy, corresponding to a 5-word phrase using the Diceware 66666 list. Write your phrase on a slip of paper and keep it in your pocket, referring to it when you need to use it. After you have used it a few times you'll find you remember the passphrase and don't need the paper any more, so dispose of it securely. If you really want to follow traditional spy techniques, you're supposed to eat the paper, but that's optional

Apollo Cree · Jan 25, 2010

Archie Cruz said:
Truth is. It doesn't matter is the reward is $1.00 or $1M. If they can't crack it, they can't crack it and that's that
Foget software encryption - hardware encyption is where it's at.
Besides, if anyone cracks that drive of mine, there's close to 1/4 Million in reward in there not to mention IP.

Hacker challenges are a joke. They're pure marketing BS. NO ONE in computer security pays any attention to them other than as a good laugh.

A $1000 hacker challenge isn't even a funny joke.

It's like claiming that you're the world's best boxer because nobody was able to knock you out in a $1000 open challenge at the Kansas state fair.

get-lit · Jan 25, 2010

LuxLuthor said:
You mean the Bushmaster gun? LOL! I'm not seeing any USB Carbon 15 devices on google.

Very similar. My choice for home defense is the Professional Ordnance version before Bushmaster bought them out.

LuxLuthor said:
I would never remember that, but now that you just told us, I'm going to hax0r into your computer.

Actually my password is about twice as many characters, and none of them are any of those.

get-lit · Jan 25, 2010

Apollo Cree said:
A $1000 hacker challenge isn't even a funny joke.

It's like claiming that you're the world's best boxer because nobody was able to knock you out in a $1000 open challenge at the Kansas state fair.

That gave me a laugh! Very true.

get-lit · Jan 25, 2010

Apollo Cree said:
Keyboard patterns are a really bad way to choose a password. Password cracking programs know to try keyboard patterns.

I probably meant to say a memorized random key sequence to not associate your password with any words, not actually a pattern. While generating such a sequence to memorize, when you begin to realize a cyclic sequence, change it up at that point.

Data protection on USB drives?

Flashlight Enthusiast

Enlightened

Flashaholic

Banned

Banned

Newly Enlightened

Flashaholic

Flashaholic

Flashaholic

Flashlight Enthusiast

Flashaholic

Enlightened

Enlightened

Enlightened

Banned

Flashaholic

Enlightened

Flashlight Enthusiast

Flashlight Enthusiast

Flashlight Enthusiast

Similar threads