Data protection on USB drives?

mrsinbad

Enlightened
Joined
May 30, 2003
Messages
201
Location
Nassau County, NY
I try not to put anything that is really important on a USB drive because I can't lock specific folders or files, but sometimes I have to. What do you guys do or recommend for me to lock access to files or folders? Should I encrypt instead? Thanks.
 
Last edited:

Apollo Cree

Enlightened
Joined
Nov 23, 2009
Messages
451
Location
United States of America
I try not to put anything that is really important on a USB drive because I can't lock specific folders or files, but sometimes I have to. What do you guys do or recommend for me to lock access to files or folders? Should I encrypt instead? Thanks.

TrueCrypt is really good if it fits your needs.

You'll need to install TrueCrypt on all machines you want to be able to read the encrypted data off of. You create a file that is an encrypted container. When you start TrueCrypt and enter the password, the files in the encrypted container appear as another hard disk.

You can use the same USB drive to carry unencrypted files as well as encrypted files.

Free and open source.

http://www.truecrypt.org/
 

brett09

Newly Enlightened
Joined
Oct 15, 2009
Messages
41
Location
Topeka, KS
Lexars drives that come loaded with Secure II work for me. Its self-contained so there is no need to install programs anywhere.
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
I'm not sure I understand your question. If the idea is to protect confidential data from unauthorized users, then yes, encrypt it. If the idea is to prevent accidental erasure, then some USB drives have a hardware write protection switch. SD/SDHC cards all also have that switch, so you could get an SDHC card with a USB card reader adapter and use it as a USB drive. It will be larger than a typical pen drive but cost about the same. For hard drives, there are forensic enclosure that prevent writing to the drive. They are on the expensive side so may not be worth it to you.
 

Joe Talmadge

Flashlight Enthusiast
Joined
Aug 30, 2000
Messages
2,200
Location
Silicon Valley, CA
Lexars drives that come loaded with Secure II work for me. Its self-contained so there is no need to install programs anywhere.

In the past, there have been a number of these types of programs that were pre-installed on the USB drive that had the flaw of saving the key in plain text on the drive, and other such rookie type mistakes. You wouldn't think anyone could make such a mistake, but they did. 'course, most people wouldn't know to look for it or what to do with it, but I'd advise making sure that any program I used was at least road-tested by a security organization that knows how to crack these things.

For all I know these issues have all been resolved, but I'd want to make sure. I feel good about TrueCrypt, advise you do a little legwork on Secure II just to be sure.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
This is an interesting problem.

I would bite the bullet and encrypt the whole drive. The security challenges associated with removing clear text from conventional magnetic media are nothing compared to what it takes to remove it from modern USB flash drives.

AFAIK Wear Leveling schemes are built into all of these drives and have the effect of scattering your data and any attempted overwrites all over the drive. Conventional data wiping programs like Eraser will be fooled into wiping clean areas of the flash drive by the Wear Leveling. Locking a folder would seem to be of limited value when the data in a deleted file can bounce around in a multi GB drive almost indefinitely. Of course, file slacks will continue to pose problems involving the secure deletion on flash media just as they always have on magnetic media. There is also the problem of the rate of bad sectors, which show up at a higher rate on flash drives than on magnetic media. Data may still often be read from bad flash media that may no longer be written to.

I'm only aware of two ways of even having a chance of securely deleting data on a flash drive. The first would be to delete the file(s) and then use a utility like dd to write a pseudo-random string as one big file that fills up the whole drive. There will be nearly no slack space and the deleted data will have the highest probability of being overwritten. Then just delete that big file.

The other method is cleaner, much faster and easier on the flash drive. Encrypt the whole drive with transparent, on the fly encryption like TrueCrypt or DriveCrypt. The data will never be written to the drive in clear text in the first place, the Wear Leveling won't make it any easier for your attacker after deletion as the data, slack space and unused space all look pretty random. Any bad sectors will just look like noise, also.

It's still kind of a crap shoot. Kingston, one of my two favorite memory companies, is just now recalling their prestigious Data Traveler line of flash drives because it took them a while to figure out that they were not, in fact, secure. This is a complicated issue.

The safest course is to encrypt the entire drive.
 
Last edited:

LuxLuthor

Flashaholic
Joined
Nov 5, 2005
Messages
10,653
Location
MS
TrueCrypt is really good if it fits your needs.

You'll need to install TrueCrypt on all machines you want to be able to read the encrypted data off of. You create a file that is an encrypted container. When you start TrueCrypt and enter the password, the files in the encrypted container appear as another hard disk.

You can use the same USB drive to carry unencrypted files as well as encrypted files.

Free and open source.

http://www.truecrypt.org/

+1
 

ElectronGuru

Flashaholic
Joined
Aug 18, 2007
Messages
6,055
Location
Oregon
If the data is that valuable, it's worth investing in a secure flashdrive. There are models with built in protection that can even self destruct data when the wrong passkey is entered to many times.
 

get-lit

Flashlight Enthusiast
Joined
Jan 22, 2007
Messages
1,216
Location
Amherst, NY
TrueCrypt!!! As a programmer working with online banking systems by trade, I use my Patriot 128GB flash drive with TrueCrypt for all of my programs so I can work from any machine anywhere I happen to be. TrueCrypt does NOT have to be installed, it can run as a stand-alone program from the USB drive.

I created a program that automatically prompts for the TrueCrypt password when inserting the flash drive, and then when I'm logged in, my program automatically starts up all of my default working programs, calendar, sticky notes, KeePass, and of course PStart for a program start menu. My program then monitors for when the TrueCrypt volume is dismounted, and it closes any of my open programs, TrueCrypt, and itself so nothing stays resident in memory. It couldn't be any more easier or secure.

A secure flash drive is simply a drive with embedded security software, no more secure than TrueCrypt. I prefer non-embedded security so that I can transfer and use my encrypted data from any drive, independent of embedded programs that would otherwise be required to use the encrypted data on a particular drive.

Self-destruction is not a helpful feature if the security can't be broken anyway. If you follow the security procedures when setting up your TrueCrypt volume, the only vulnerability is the strength of your password, or if someone forces you to tell your password.

For your password, use a keyboard pattern that you memorize without knowing the characters on screen. My password is over 20 characters of garbage that I can enter in 3 seconds.

Then in case someone like rouge foreign authorities or aliens force you to give the password, TrueCrypt has an awesome and very important hidden volume feature, where the same encrypted volume has multiple encrypted data with different passwords; so you just give them the password to the data on that volume that just has things you don't care if anyone sees.

I also feel safer in knowing that TrueCrypt was developed by top industry insiders, rather than some company working from a business model to promote their product. For me, it's a no-brainer.. TrueCrypt!
 
Last edited:

Vesper

Enlightened
Joined
Jul 22, 2009
Messages
803
Location
Puget Sound, WA
Another vote for Truecrypt. No only lock it but encrypt it in case it goes missing. You can also mount the encrypted container as read-only.
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
TrueCrypt!!! As a programmer working with online banking systems by trade, I use my Patriot 128GB flash drive with TrueCrypt for all of my programs so I can work from any machine anywhere I happen to be. TrueCrypt does NOT have to be installed, it can run as a stand-alone program from the USB drive.

I created a program that automatically prompts for the TrueCrypt password when inserting the flash drive, and then when I'm logged in, my program automatically starts up all of my default working programs, calendar, sticky notes, KeePass, and of course PStart for a program start menu. My program then monitors for when the TrueCrypt volume is dismounted, and it closes any of my open programs, TrueCrypt, and itself so nothing stays resident in memory. It couldn't be any more easier or secure.

That approach sounds very scary to me. You're going to plug your flash drive into a dubious PC that might have a hardware or bios-level keystroke logger installed, and then type your decryption password into it? And of course any work that you subsequently do on that machine would also be logged. Really, it's not safe to do any work at all on a potentially compromised computer. Drive encryption is great if the drive itself is lost somehow and contains only encrypted data. But once the plaintext has been exposed, all bets are off.
 

get-lit

Flashlight Enthusiast
Joined
Jan 22, 2007
Messages
1,216
Location
Amherst, NY
I did mean trusted computers. That is a a great point to remember!

EDIT: You could just reset your password after having used an untrusted computer. If you have to use untrusted computers frequently, it would be really nice if TrueCrypt had a single use password feature, maybe where you could define your own incrementation pattern that you memorize and use for when entering your passwords. It is always best to not ever use untrusted computers however because the computer could save a copy of the encrypted file in it's initial state before you changed the password and then all the fun is over.
 
Last edited:

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
I did mean trusted computers. That is a a great point to remember!
If you trust the computer, why not boot it normally with the OS that's already on it? If you have concerns about doing that, it sounds like you don't really trust the computer, so you're back to square one.

EDIT: You could just reset your password after having used an untrusted computer.
No that's no good. You have to expect the untrusted computer to suck out the entire contents of the flash drive as soon as you plug the drive in, along with capturing your password. (It will of course also install malicious software onto the flash drive itself, if the drive isn't hardware-write protected; so any machine that you plug the flash drive into after plugging it into the untrusted machine should also be considered compromised and untrustworthy). I suppose 128gb at USB2 speeds will take a while to copy, but USB3 will fix that ;)
 
Last edited:

LuxLuthor

Flashaholic
Joined
Nov 5, 2005
Messages
10,653
Location
MS
No that's no good. You have to expect the untrusted computer to suck out the entire contents of the flash drive as soon as you plug the drive in, along with capturing your password. (It will of course also install malicious software onto the flash drive itself, if the drive isn't hardware-write protected; so any machine that you plug the flash drive into after plugging it into the untrusted machine should also be considered compromised and untrustworthy). I suppose 128gb at USB2 speeds will take a while to copy, but USB3 will fix that ;)

While I don't dispute the validity of your points, in essence one's only choice in confronting any possibly compromised host is first performing a low level format which isn't practical. The likelihood of the average person running into that aggressive of a virus to do all those functions is quite rare....but indeed, keeping essential/private data on a roving USB flash drive is stupid.

Perhaps another strategy is to keep the TrueCrypt data file encrypted, and use the rest of the unencrypted drive for utilities, and only enter decryption password once you are 100% certain you don't have an infection on host machine?
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
While I don't dispute the validity of your points, in essence one's only choice in confronting any possibly compromised host is first performing a low level format which isn't practical.
But sometimes it is the only choice. Something like that happened to a machine where I used to work, and the response was to physically replace the attacked machine's hard drive with a new one (even low level formatting wasn't considered good enough).
The likelihood of the average person running into that aggressive of a virus to do all those functions is quite rare....
We're not talking about an average person, we're talking about a programmer of online banking systems who carries confidential data on a flash drive. Such a person and the machines they use (PC's inside the bank) would be much likelier-than-average targets of a custom tailored virus or other such attack.
but indeed, keeping essential/private data on a roving USB flash drive is stupid.

Perhaps another strategy is to keep the TrueCrypt data file encrypted, and use the rest of the unencrypted drive for utilities, and only enter decryption password once you are 100% certain you don't have an infection on host machine?

I think the basic idea is that sensitive data and untrusted computers should never be allowed to come in contact. TrueCrypt is a good precaution for the average person but highly sensitive data should only be used on specially secured computers. Even for lower sensitivity stuff, it really makes more sense to use your own laptop than to go around mounting sensitive file systems on potentially compromised hosts.
 

get-lit

Flashlight Enthusiast
Joined
Jan 22, 2007
Messages
1,216
Location
Amherst, NY
If you trust the computer, why not boot it normally with the OS that's already on it? If you have concerns about doing that, it sounds like you don't really trust the computer, so you're back to square one.

Drive encryption is not to ensure that the computer your are using the drive on can't get the data. USB drive encryption so for ensuring that the data is inaccessible to others if the drive is lost of stolen.

No that's no good. You have to expect the untrusted computer to suck out the entire contents of the flash drive as soon as you plug the drive in, along with capturing your password. (It will of course also install malicious software onto the flash drive itself, if the drive isn't hardware-write protected; so any machine that you plug the flash drive into after plugging it into the untrusted machine should also be considered compromised and untrustworthy). I suppose 128gb at USB2 speeds will take a while to copy, but USB3 will fix that ;)

From my post.. "It is always best to not ever use untrusted computers however because the computer could save a copy of the encrypted file in it's initial state before you changed the password and then all the fun is over."

It's a matter of leveraging assessed risk with other computers. If you are at friend or relative's house on vacation, you can leverage the amount of trust you have in the owners and other users of the computers to how important your data is.

Such a person and the machines they use (PC's inside the bank) would be much likelier-than-average targets of a custom tailored virus or other such attack.

I think the basic idea is that sensitive data and untrusted computers should never be allowed to come in contact.

Precisely.
 
Last edited:

get-lit

Flashlight Enthusiast
Joined
Jan 22, 2007
Messages
1,216
Location
Amherst, NY
Perhaps another strategy is to keep the TrueCrypt data file encrypted, and use the rest of the unencrypted drive for utilities, and only enter decryption password once you are 100% certain you don't have an infection on host machine?

If your unencrypted utlities refer to files in the encryted volume, such as recently opened files, etc, that can be used to assist in decrpyting the volume. Nothing about the contents within the encrypted volume can be known outside of the encrypted volume. Utilities that work with files within an encrypted volume should also be encrypted.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
If your unencrypted utlities refer to files in the encryted volume, such as recently opened files, etc, that can be used to assist in decrpyting the volume. Nothing about the contents within the encrypted volume can be known outside of the encrypted volume. Utilities that work with files within an encrypted volume should also be encrypted.
Emphasis mine.

Unless an application runs short of memory and the data you are working on is written in the clear to swap...
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
It's a matter of leveraging assessed risk with other computers. If you are at friend or relative's house on vacation, you can leverage the amount of trust you have in the owners and other users of the computers to how important your data is.
I can trust my friends and relatives to not attack my data on purpose. But to secure their computers to professional financial standards? I don't think so. I don't even do that with my own computers, and I'm pretty paranoid. As for my friends' and relatives' computers, I'm sure they are all seething with viruses, so I treat them that way. I would never type a sensitive password on my mom's computer. :(
 

lostinwv

Newly Enlightened
Joined
Jan 31, 2009
Messages
95
This is my first post in ages. TrueCrypt cannot be beat in my opinion, and it is very easy to use.
 
Top