What does USB stands for? Unwanted Security Breach?

usb_skullWhen I started my career in this industry we used to share data between computers by means of the Nike or Adidas network. This means saving data on a floppy disc (all 360 KiloBytes) and run to the next computer.

Although we have sophisticated networks today, the humble USB memory stick still plays an important role. Its attraction is its ease of use, no passwords or logins, it just works.

This ease of use is also its biggest flaw. There are many ways how USB sticks can be used to compromise the security of computers.

Lost in transport…

We have all heard of the high profile leaked confidential data just because some discs were left on the train. Whether it being a disc or a USB stick, the effect can be detrimental and embarrassing. So before taking data outside the office on any media, the main question is, do I really want to do this and what are the risks.

A USB stick gives sometimes more than bargained for…

When receiving a USB stick I am always into two minds whether to plug it in or not. Is the data on the stick clean and free from viruses?! Data may be infected by the supplying party as they may unwittingly have saved infected data. Do not plug in a USB stick of which the source is unknown or not fully trusted. The good thing is that most virus detection software will detect issues but this is a game of cat and mouse… It is suggested that every two out of three USB memory sticks contain virusses and or malware!

I have the ability to plug it into a linux computer to check first as most exploits are targetted at windows machines but not everybody has the skills to do this and it is not a hundred percent flawless.

It gets worse however. There are well documented cases where actually the chips that are used in the USB sticks are manipulated to make computers vulnerable for security breaches. So although the data supplier may have been careful, complete networks are still exposed and whomever gave you the disk may have been used as a trojan horse.

Although many of these manipulated USB sticks are widely sold through the well known auction sites, they also find their way into circulation as trade show “give-aways”. This may be through deliberate targeting or the information supplier is unaware of potential issues and is ‘used’ as well. As mobile phones and MP3 players often act as USB memory when plugged in a PC, troublesome devices have also been found.

What can we do to limit our exposure?

There is a fundamental question on whether USB memory is a necessary tool for business. Within companies that handle confidential or sensitive information, USB ports are often blocking USB memory devices. Other USB devices, such as keyboards and mice can be exploited and often these companies will check each and every USB device used.

There are special charging cables that still allow mobiles and MP3 players to be charged but as the data wires are not connected, devices are unable to communicate with the computer. Note that there are different ones for Apple and different ones for Android.

If you still have the need for the use of USB memory, make sure you stick to the following as a minimum:

  1. Buy branded memory sticks from a reputable source. This also ensures that when buying a 4Gig drive, it is actually 4Gig and not something that says it is but it is not. (see here: https://fakememorysentinel.wordpress.com). Most auction sites have to be used with great care.
  2. When buying virus scanning software, there are some that block USB drive access till a full scan has been completed thus giving that extra level of safety.
  3. Disable autorun from CD and DVD drives or USB ports
  4. Never and I mean Never run an EXE, BAT or COM file from a USB stick (unless you saved it on there in the first place).
  5. Do not allow macros to run when opening files from USB stick (Mainly office files)