Schneier on Security
A blog covering security and security technology.
August 25, 2006
USBDumper (article is in French; here's the software) is a cute little utility that silently copies the contents of an inserted USB drive onto the PC. The idea is that you install this piece of software on your computer, or on a public PC, and then you collect the files -- some of them personal and confidential -- from anyone who plugs their USB drive into that computer. (This blog post talks about a version that downloads a disk image, allowing someone to recover deleted files as well.)
No big deal to anyone who worries about computer security for a living, but probably a rude shock to salespeople, conference presenters, file sharers, and many others who regularly plug their USB drives into strange PCs.
EDITED TO ADD (10/24): USBDumper 2.2 has been released. The webpage includes a number of other useful utilities.
Posted on August 25, 2006 at 6:47 AM
Anybody concerned with that should look into TrueCrypt (http://www.truecrypt.org and http://www.schneier.com/blog/archives/2006/05/...
I have an encrypted container/file that takes half of the drive space. It is convenient to only carry one USB drive. I have plenty of space for "public" data and I am not worried about lost/theft of sensitive data.
PS: Never use TrueCrypt's "Traveler mode" on an untrusted computer!
They'd need a keylogger for mine too, since all my portable storage devices house nothing but a big truecrypt volume and the drivers.
Of course, with a bit of a tweak they could copy the mounted truecrypt volume.
But I find it hard to imagine that I wouldn't notice if I plugged my thumb drive in and the access light came on for a couple of minutes.
You should know that there is apparently a vulnerability for TrueCrypt and PGPDisk discussed (a little incoherently) at http://www.safehack.com/Advisory/pgp/... Opinions seem to vary, but the vector looks open to me.
Never touch the keys on an untrusted computer! Purell won't help you when the bird flu comes calling!
I don't know about PGP products, but backing up (and later replacing) a header is a documented feature of TrueCrypt.
The secret is your password. Everything else, including headers, is useless without it. If you think the password was compromised, create a new TC volume and move your data over there.
"Anybody concerned with that should look into TrueCrypt".
I did. But either it must already be installed or you need to have admin privileges on the PC concerned. In the context of this particular post it is therefore of virtually no use (nor, unfortunately, of any use for the purpose I wished to use it).
Can anyone recommend a method for encrypting USB sticks where no admin privilege is required?
Of course, this is why the truly paranoid among us carry two USB drives - one for ourselves, and one for file transport.
Sometimes, the best solutions are the low-tech solutions.
A bootable USB device with TOR, encryption, and other needed utilities, still seems to be a safe option.
How would "TOR & Stuff" protect your USB device from malicious code installed on the computer you plug it into?
What USBDumper is about is the ability for someone to transparently put files on, or get files from, a USB device while it is plugged in, as far as I understood the demo made at the French SSTIC conference in late June.
"I did. But either it must already be installed or you need to have admin privileges on the PC concerned. In the context of this particular post it is therefore of virtually no use (nor, unfortunately, of any use for the purpose I wished to use it)."
You're missing the point. Unless you want to use sensitive information on strange PCs, I can't imagine the problem. It isn't relevant that Truecrypt has to be installed or requires administrator privileges, because opening the drive will expose your sensitive data to the host PC anyway. You'd only access the data on computers you trust.
Truecrypt _will_ allow you to use non-sensitive data on vulnerable machines while still protecting your sensitive data, thus allowing you to avoid carrying multiple USB drives as another poster suggested.
Stephen, how about an encrypted zip file? Can be browsed directly, multi-platform, easy to keep an unzipper on the stick just in case.
I believe the first versions of encryption in PKZip and/or Winzip were defective, but I am under the impression that this has been fixed in later versions. I'm sure someone here will correct me if I'm wrong about this.
DECRYPTING sensitive data on an untrusted machine opens you up to the same sort of snooping (of both the decrypted data & your pass phrase).
So it doesn't really matter how you encrypt it.
Note that GPG and other encryption products can be run from a usb drive. For the paranoid, this means you can encrypt stuff you get on one untrusted machine before you take it to another (but you should use a disposable key/pass phrase for this).
My (somewhat extreme) solution is Knoppix + USB pendrive.
Forget the OS and all of the malware that is installed on the strange computer. Boot your OS from your trusty read-only CDROM. Then read and write your own files on the (optionally encrypted) pen drive.
I tried this tactic when I went on vacation last year, and it worked like a charm. I did not worry about booking hotel rooms using my credit card. All of my browser bookmarks travelled with me. My email client faithfully checked all of my email accounts. Any applications I needed were pre-installed on the CDROM or manually installed on my pendrive.
It's surprisingly well integrated and easy to use.
Kingston has an encrypted USB drive that uses a non-admin tool to access the drive. However, that matters not if you log into the drive. Once the access is opened, whatever software is on the PC can access the secure section of the drive. That's the intended functionality of the USB drive - encrypted or not.
The reverse of this software also exists. There is a bootable USB drive for sale that mounts the hard drive of the PC, mounts any other USB drives (like a 60 GB iPod), and has data recovery tools installed. Since the PC's host OS isn't booted, there is no record of you recovering all of the deleted files and downloading the entire HD of the PC to the iPod.
You should encrypt the data in your sticks not to protect against rogue computers (that's impossible), but to protect your data if the stick is lost or stolen.
USBDumper is nothing new, my employer had a program like this written up a couple years ago - which has been diligently working ever since. Written for auditing USB drive usage, it not only copies the contents of drives, it syncs future changes, and emails all file sync/copy activity to a central mailbox.
USBDumper is a neat little tool though - if only it would copy, plus sync, the data into a folder name which matches the USB drive's volume name (instead of the current day/month/year), and also log activity somewhere on the machine so that it can be reported - then we'd be set. Hmm... there's source code here...
I hate this fact, but the catch is, our company policies (as likely many others) already permit such activity through our "personal belongings brought onto company property are subject to search" policy. One wonders if and when the TSA will try the same thing, as a data-mining and profiling technique, veiled as "protecting" us from terrorists.
Drive imaging, searching for deleted data, is kinda like swabbing for drugs or explosive dust in an employee's bag; searching for what was there before. So I guess even that activity is justified...
I'm not so much missing the point, as looking at it from a slightly different angle. I'm thinking of the situation where I'm carrying data relevant to four or five different companies, each in its own (encrypted) volume, and I want to just open the relevant volume when I'm at a company.
Anyone else able to comment on Winzip/PKzip encryption?
> Anyone else able to comment on Winzip/PKzip encryption?
Early versions were weak and could often be cryptanalysed from ciphertext alone (1). More recent versions (2) seem to be quite strong (they use AES in a respectable way); for a while, there were file compatibility issues between the various implementations (WinZip, PowerArchiver etc.) but if you have a recent version and choose a compatible encryption mode (an unfortunate point of confusion), you should do ok. Of course, under the scenario you outline you will need a different password for each file, and of course the passwords themselves must be strong.
One thing you may want to test is Windows Explorer compatibility. Because Windows XP includes Zip file support built into Explorer, many sites no longer install a Zip management utility. Explorer can handle some encrypted zip files, but I'm not sure which types. It can also encrypt existing Zip files, but doesn't tell you which of the half dozen available methods is used.
1. Technically, it's actually a known plaintext attack. However, an encrypted Zip file still reveals the names and types of files inside it, and this can often be sufficient to deduce the file headers. This tiny amount of known plaintext is often sufficient to complete the cryptanalysis of the early versions of PKZip encryption.
2. In the case of WinZip, since version 9.0, c. 2003.
I get the feeling that there are no photographers reading this list...
If you go and have a look at some of the small hand-held devices for photographers that will rip the contents of a USB camera or memory card/stick onto their local hard drive you might be a little surprised. They run off batteries and fit quite comfortably in your jacket pocket.
These devices have been designed to quickly pull off (and in some cases display) all the photos from USB cameras, the ones I have seen appear to quite happily pull all the files on a USB Stick as well (some do all the digital cards as well).
So what's the beef about a program, you just loan somebody your keys to park your car etc and they can rip the contents of your USB stick on your key ring...
So if you are a "Door Hop" at a hotel or valet service then you could just rip on spec all the USB devices you get and scan them when you get home. What's the betting you will find some quite interesting stuff from senior sales/marketing/accountants/directors of companies?
"So what's the beef about a program, you just loan somebody your keys to park your car etc and they can rip the contents of your USB stick on your key ring..."
The phrase "two wrongs don't make a right" springs to mind here. Both the software Bruce describes and the devices you describe constitute a threat to unsecured sensitive data on a memory stick.
The real solution, as others have observed, is to select some appropriate encryption scheme for sensitive data on memory sticks, and also to be careful about the environments where that data is accessed.
As for the business of handing over one's entire keyring to a valet/garage mechanic etc, just don't do it, as it's bad security practice in itself anyway - it takes me about five seconds to detach my car key from my keyring, on the occasions when I need to allow someone else to access my car. If they don't need my other keys etc, then they don't get them, period.
Getting a bit off topic now, forgive me ...
You mention the possibility of data theft from USB sticks and camera storage devices.
What might be less obvious is that the file system on these devices tends to be FAT based.
It is pretty easy to recover deleted files from FAT file systems if they have not been overwritten, e.g.:
You have *properly* deleted all the files on your memory stick/Secure Digital/Compact Flash or whatever? Yes?
Do not rely upon consumer devices to properly erase files for you - mount the storage device as a disk drive and overwrite the file system yourself if you want real security.
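To make the point above concrete, here is an added example (not from the post or any commenter) that parses raw FAT32 short-name directory entries and shows why a "deleted" file is still recoverable: deleting only overwrites the first byte of the name with 0xE5, while the starting cluster and size stay in place. The two directory entries are constructed inline; the helper `build_entry` exists only to fabricate that sample and is not a real FAT API.

```python
"""Parse FAT32 short-name directory entries and flag 'deleted' entries that still
point at data clusters. Sample data is constructed here, not taken from a device."""
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5   # first name byte after deletion
END_OF_DIR = 0x00       # first byte of an unused entry; no more entries follow
ATTR_LONG_NAME = 0x0F   # VFAT long-name fragment, skipped in this demo


def build_entry(name8, ext3, first_cluster, size, deleted=False):
    """Helper to fabricate a 32-byte FAT32 directory entry for the sample below."""
    raw_name = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    attr = 0x20  # archive bit: an ordinary file
    hi = (first_cluster >> 16) & 0xFFFF
    lo = first_cluster & 0xFFFF
    # layout after the 11-byte name: attr, ntres, crt_tenth, crt_time, crt_date,
    # acc_date, cluster_hi, wrt_time, wrt_date, cluster_lo, file size
    return raw_name + struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0, hi, 0, 0, lo, size)


def parse_directory(blob):
    """Return one dict per short-name entry, deleted entries included."""
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LONG_NAME:
            continue
        deleted = e[0] == DELETED_MARKER
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        clus_hi, = struct.unpack_from("<H", e, 20)
        clus_lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        # Only the first name character is lost on deletion; everything else survives.
        shown = ("?" if deleted else name[0]) + name[1:] + ("." + ext if ext else "")
        entries.append({"name": shown, "deleted": deleted,
                        "first_cluster": (clus_hi << 16) | clus_lo, "size": size})
    return entries


def recoverable(entries):
    """Deleted entries whose metadata still locates their data on disk."""
    return [e for e in entries if e["deleted"] and e["first_cluster"] >= 2 and e["size"] > 0]


# Constructed sample: one live file, one deleted file, then the end-of-directory marker.
SAMPLE_DIR = (
    build_entry("REPORT", "DOC", first_cluster=3, size=40960)
    + build_entry("SALARY", "XLS", first_cluster=23, size=12288, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
    print("still recoverable:", [e["name"] for e in recoverable(parse_directory(SAMPLE_DIR))])
```

On a real stick you would read the raw directory region with a disk-imaging tool rather than fabricate it; the parsing is the same. The practical takeaway matches the comment: a simple delete leaves the cluster chain and contents intact, so overwriting the media is the only way to make the data unrecoverable.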
So, stupid question - where's the uninstall?
I'd rather not manually delete the 10 registry keys and 47 registry values it set.
I'm not a complete idiot; I attempted to install the program onto a virtual layer (which worked) then I stupidly double clicked the EXE, installing it OUTSIDE of my virtual layer.
Any good ideas?
This is only a poor counter-attack:
Keep some old, well-known MS viruses on your stick.
When the program grabs your data it should trigger the anti-virus software.
1) Unfortunately it depends on a virus scanner running, and I don't even know how they usually behave (do they audit every disk read?).
2) On Linux clients, where normally no AV is running and the program might be emulated with a small shell script, this won't work either.
3) Don't know about Macs.
It's not a replacement for protection.
It might only be useful to catch an 'as-if geek'.
I don't use a Windows AV combination. Might somebody try it out and confirm whether this idea works at all?
The Zeroth law of information storage devices- Anything that can be read will be.
" You should know that there is apparently a vulnerability for TrueCrypt and PGPDisk discussed (a little incoherently) at http://www.safehack.com/Advisory/pgp/... Opinions seem to vary, but the vector looks open to me. "
Roy, the guy is an incompetent and his theory is spurious and based on a number of major misunderstandings about crypto. Take a look at this from his site:
"PGP Virtual Disk can be mounted without the knowledge of the passphrase. If the volume is EMPTY this will work just just by changing some bytes inside the .pgd file. If the volume is NOT EMPTY, it can be mounted without the passphrase knowledge after patching the passphrase location BUT WHEN YOU CLICK THE DISK IT WILL SAY IT NEED TO BE FORMATTED. "
What he's saying is that you can get access to the disk with any password you like... and funnily enough, it comes up with garbage when you decrypt it, because you used the wrong key, and all he's shown how to do with a debugger is bypass the verification that you used the valid key to decrypt the disk.
He thinks that this is just a minor problem that he'll be able to solve in the future, but it kind of misses the point: he hasn't decrypted anything, he's still actually at square 1.
I think his complaint that "a respected company like PGP Inc. do not use ANTI-DEBUGGING in their Encryption Products. Irony?. An encryption software that use a fixed location and reveal it is operation by using a simple debugger... Irony?." also demonstrates complete ignorance of cryptology. The core pgp encryption code is open source, what on earth kind of ridiculous idea is this to try and prevent debugging? The whole point of encryption is that all the security resides in the secrecy of the key, not the algorithm or code.
How about the other way?
Is there a program I can install on my USB key to, ahem, copy (without displaying on the screen) all the useful files from the host computer, such as cookies, index.dat, etc. when i plug in the usb key?
Re: Never use TrueCrypt's "Traveler mode" on an untrusted computer!
Could someone expand on this please. What exactly is the security flaw in doing this? I use the latest version of TC, 4.2.
Hi, I recently purchased one of those computers on a stick for using on other computers. It is a Fingergear. It is pretty cool. I can securely use a computer at work and keep my bookmarks and projects on it. Anyway, I am afraid I will trash it. It came with a CD as well. The CD was easy to duplicate and I use the copy with my stick and save the original. My question finally is how can I make a backup of my stick to protect my investment. It uses a form of unix/linux.
Anyone know of a good TrueCrypt equivalent for Mac OS X?
I'm using a little tool called dsCrypt.. It's only 25 KiB and it's stand-alone.. It can encrypt/decrypt single files but if you have more you can use zip or 7zip to bundle them..
It's Windows only as far as I can tell..
I would like to drop these two tools into this discussion:
1) ccrypt: http://ccrypt.sourceforge.net
2) Remora USB Disk Guard: http://www.richskills.com/products/7/...
Both tools use AES, allow for folderwise en/decryption of files and don't require admin privs.
I would really like to know what you think about it. From my point of view I am a little bit worried if a bunch of files is encrypted using the same password for each file. However, I am not an expert ...
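The worry in the comment above, one password reused across a folder of files, is addressed in practice by deriving a fresh key per file from a random salt and authenticating each file. The following is an added illustration, not code from ccrypt, Remora or any commenter, and it is stdlib-only: keys come from PBKDF2 with a per-file salt, the stream cipher is HMAC-SHA256 run in counter mode, and an encrypt-then-MAC tag is checked before anything is decrypted. Real tools should use a vetted AEAD such as AES-GCM from a maintained library; the point here is the key-separation structure, not the cipher.

```python
"""One password, a distinct key per file: salt + nonce + ciphertext + tag per file.
Illustrative construction (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC);
use a vetted AEAD in production."""
import hashlib
import hmac
import os
import struct

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERS = 100_000  # assumed work factor for this demo


def derive_keys(password: str, salt: bytes):
    """Stretch the password with this file's salt into separate enc and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(enc_key, nonce || counter) blocks, truncated to the needed length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file_bytes(password: str, plaintext: bytes, salt=None, nonce=None) -> bytes:
    """Return salt || nonce || ciphertext || tag; salt and nonce are random per file."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_file_bytes(password: str, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then decrypt. Raises ValueError on failure."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or modified file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def keys_differ(password: str, blob_a: bytes, blob_b: bytes) -> bool:
    """True when two files encrypted under the same password received distinct keys."""
    ka, _ = derive_keys(password, blob_a[:SALT_LEN])
    kb, _ = derive_keys(password, blob_b[:SALT_LEN])
    return ka != kb


if __name__ == "__main__":
    # Constructed sample input: two files, same password, different keys on disk.
    a = encrypt_file_bytes("correct horse", b"quarterly numbers")
    b = encrypt_file_bytes("correct horse", b"quarterly numbers")
    print("same plaintext, different ciphertext:", a != b)
    print("per-file keys differ:", keys_differ("correct horse", a, b))
    print("round trip:", decrypt_file_bytes("correct horse", a))
```

Because every file carries its own salt, a break of one file's key says nothing about the others, and identical plaintexts in two files produce unrelated ciphertexts; the tag also makes a wrong password or a modified file fail cleanly instead of yielding garbage.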
I need to manage a usb hub with 12 memory sticks inserted. These are used to distribute educational materials. Does anyone know of a utility I can use to automate copy, delete etc?
Cal, still need a solution? Depending on your needs ... can be done pretty cheap ...
I am using another container-based encryption tool, Rohos Mini.
What I like, and TrueCrypt doesn't have it:
* Where possible on the guest PC it mounts a virtual drive;
* Or opens the disk in the offline Disk Browser (read-only) when there are no admin rights:
- Double-click and it temporarily decrypts the file onto the USB drive (but not into the Windows temp folder) and opens it.
- It has an internal file viewer; helps to very, very safely take a look at the password file.
- Better integrates with the USB drive and home PC in general.
I think a lot of people here understand nothing of the threat:
when you unlocked your device (hardware, software... any kind) YOU ARE DEAD!!!
Because when the OS can use the files, USBDumper can read them!!!
So the ONLY protection against dumpers is NEVER plugging a USB device into an untrusted computer.
TrueCrypt, hardware protection... can do NOTHING against that!!!
Because when you entered your password and got access to your files, dumpers can do the same, "faking" being YOU!!!
Sorry people, but you CAN'T be secure when using your files anywhere...
How do I open an encrypted USB drive on my new laptop... I don't have the keys...
when you unlocked your device (hardware, software...any kind) YOU ARE DEAD !!!
Because when the OS can use the files, USB dumper can read them !!!
I think I understand this, although I am not a security expert. I just want a further clarification. If I use a software that decrypts only to RAM, and not to disk, then I should be safe, right? For example, if I use a tool like KeePass Password Safe to store passwords, which I believe only decrypts to RAM, I should be able to use it on a public computer running USBDumper, and still be safe. Is my understanding correct?
What is "USB drive"? Please help, I no understand amigos!
So where could I download USBDumper (a real copy of it anyway)? Also, in reply to this post (GB at August 25, 2006 01:17 PM), do you know anything about the code this program was written in? Thanks for your help guys.
Is there software/hardware to remotely intercept data transmitted to a USB device mounted in the drive-thru of ... say ... a financial institution? Example: the financial institution has a drive-up USB device that allows the customer to swipe their ID card (bank ID, debit card, etc.) and the info pops up on a PC to the teller inside. This would save the customer having to send their card through the vacuum tube to the teller. I have heard hackers can somehow "intercept" the info being transmitted and then go away and use it however they please. Am I crazy??
Thanks for this great piece of software Bruce. It seems it doesn't work in the UTF-8 character set. When I insert a USB stick that has folders with Persian names on them it cannot copy them correctly. Please fix this problem. Cheers :)
I have tried Rohos (to encrypt my USB memory). But if you open a file from your encrypted files USBDumper can copy them. So not so useful.
But if you open a file from your encrypted files USBdumper can copy them.
That is true for all encryption/decryption software that works through the foreign/untrusted/insecure computer's OS at lower than the application layer.
If you want to open encrypted files from removable media on a foreign/untrusted/insecure system then the first thing you need to do is make it secure in some way, which is extremely difficult within that system's OS. And even if you do, you won't be able to use the file with any other applications that are already on that computer, because you would be transporting the unencrypted file contents out of the secure area you've created.
Which is why some people take their own OS with them and boot the foreign/untrusted/insecure computer with that and then work inside of their own OS that is now running on the computer.
The problem with that is that sysadmins etc see such behaviour as suspicious and thus try and stop the computer booting into another OS...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.