Slashdot Mirror


When Data Goes Missing Will You Even Know?

Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

327 comments

  1. data has walked out the door before. by yagu · · Score: 4, Insightful

    From the slashdot post:

    The problem is USB flash drives
    While there is truth to this, it is not a new truth and it is not the complete truth. It's one more mechanism for "losing" data but it's not the first and it won't be the last.

    It's an effective mechanism for moving large volumes of data, but it's not the only mechanism.

    Corporate espionage and theft has and will continue to exist. USB drives are just one more aspect. While there may be some "exposure" and scandal soon about some USB drive falling into the wrong hands I doubt it will surpass any of the recent scandals (lost tapes and customer data).

    Unfortunately, I'm guessing the article is correct in its prediction: "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices". That would be a knee jerk reaction and counter productive but I'm already seeing it on so many other levels, e.g.,

    • restricted e-mail (filtered to death)
    • blocked IM
    • key logging

    among many others. I still think the greatest exposures are social engineering... and the paranoia around security policies don't address that. Sigh

    (And, besides, isn't the RIAA working on a solution to apply DRM to USB drives too? ) ;-)

    1. Re:data has walked out the door before. by Anonymous Coward · · Score: 3, Interesting

      My company already has a policy banning them. Using a USB drive at work w/o permission will get your ass fired.

    2. Re:data has walked out the door before. by xiphoris · · Score: 4, Informative

      "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices"

      No need for "afterward". Most companies that are extremely interested in protecting data (such as a large .com in Seattle for which I have worked) have banned such devices for years. No media may be used to transport company data except that which is explicitly allowed. In addition, no computer wireless devices of any sort (keyboard, mouse) may be used on company machines for security reasons. I'm sure that there are a lot of other similar rules, too, and all for good reason.

      It doesn't take a smart company to figure out that you don't want Billing.mdb on a floppy. USB is really no different. :)

    3. Re:data has walked out the door before. by Anonymous Coward · · Score: 2, Funny

      What about the rest of your body?

    4. Re:data has walked out the door before. by Forbman · · Score: 2, Insightful

      ...and your computer doesn't have a CDRW/DVDRW on it of some form or another? You haven't secretly set up an ssh tunnel to an outside computer?

      You religiously put all your sensitive docs into the to-be-shredded container instead of the usual recycle bin (but people will still inadvertently put critical info in the regular recycle bins from time to time)?

    5. Re:data has walked out the door before. by freedom_india · · Score: 1

      Hell No! None of my employer's 2,50,000+ systems (PCs) have any CD drives.

      Everyday i register my iPod at the gate.

      --
      "Doing what i can, with what i have." ~ Burt Gummer

    6. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      That's weird... I work for "The Company"
      Using a USB drive at work without permission won't only get your ass fired, but incarcerated also.

    7. Re:data has walked out the door before. by Debiant · · Score: 1

      I think the major concern is how easy it is to store information on a USB memory stick, and just as easy to retrieve it. But it has absolutely no protection against unauthorized retrieval, in the majority of cases.

      It can even happen that if you go to the shower or do something else, somebody takes your USB stick and copies its data to a laptop. How do you know it hasn't happened already? It's easier than doing a photocopy, and that way you can copy masses of sensitive information without a trace.

      At work I for a while copied PHP pages with database passwords and logins to my USB stick and did some job functions at home. But I stopped doing it after a while as I became concerned what would happen if somebody stole the device or I lost it.

      What I'd like to see is an OS plug-in that would automatically encrypt whatever is moved to a portable USB stick.

      --
      Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these lines

    8. Re:data has walked out the door before. by qray · · Score: 1

      So they ripped out all USB ports on their computers and/or perform a full body search when leaving the building and/or have a video camera trained on every system in the building.

      Such bans give one a false sense of security. Such bans often just hamper the 99% of people trying to get their job done while not doing much about the 1% that is seeking to do harm.
      --
      Q

    9. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      It doesn't take a smart company to figure out that you don't want Billing.mdb on a floppy. USB is really no different. :)

      Really? I was under the impression that USB drives are the only devices capable of storing data or transferring it from one machine to another.

    10. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      What a maroon [ Bugs Bunny quote ;-) ] Key logging??? Even if someone (it takes a real person...the "corporation" can't do anything since it is a non-entity) did key logging, who the flip do you think is going to go through all those logs to look for suspicious activity? Isn't there enough crap to worry about without inventing more?

    11. Re:data has walked out the door before. by Gilmoure · · Score: 1

      My 'company' is similarly strict. No personal electronic devices or media allowed. Miss my iPod. :(

      --
      I drank what? -- Socrates

    12. Re:data has walked out the door before. by Glasswire · · Score: 1

      If you ban USB flash drives, are you going to ban CD writers, cameras with removable flash, iPods, FM radios (whoops, has an MP3 player in it) and, of course, ANY internet connection at all? (Even if you ban attachments, you could take files, UUENCODE them (or use a more modern binary-to-text encoding) and stick them in the message, and you'd have to ban pictures too to prevent steganography.)
      It's hopeless if you don't trust your people.
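      Added example, not from any post in the thread: the kind of check a mail filter would need to catch what Glasswire describes, a file UUENCODEd or base64-encoded and pasted straight into the message body. It finds encoded runs, decodes them, and reports size, entropy and any recognisable file header. The messages, payloads and the magic-byte table are constructed for illustration; MIME attachments and the steganography case are out of scope.

```python
"""Find binary-to-text encoded payloads (uuencode, base64) pasted into a
message body and report what they decode to.  Added example, not code from
the thread; sample messages and payloads are constructed."""
import base64
import binascii
import math
import re
from typing import Dict, List, Optional, Tuple

# A few recognisable file headers; a real filter would use a fuller table.
FILE_MAGIC = {
    b"PK\x03\x04": "zip (also docx/xlsx/jar)",
    b"%PDF": "pdf",
    b"MZ": "windows executable",
    b"\xd0\xcf\x11\xe0": "ole2 (doc/xls/ppt)",
    b"\x1f\x8b": "gzip",
}
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} \S+$")
B64_FULL = re.compile(r"^[A-Za-z0-9+/]{40,}$")      # a wrapped base64 body line
B64_TAIL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")     # a (possibly short) final line

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted content sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))

def _describe(encoding: str, data: bytes) -> Dict[str, object]:
    magic = next((name for sig, name in FILE_MAGIC.items() if data.startswith(sig)), None)
    return {"encoding": encoding, "bytes": len(data), "magic": magic,
            "entropy": round(shannon_entropy(data), 2)}

def _decode_uu(lines: List[str], i: int) -> Tuple[Optional[bytes], int]:
    """Decode from the 'begin' line at i up to 'end'; returns (data, next index)."""
    raw, j = bytearray(), i + 1
    while j < len(lines) and lines[j].strip() != "end":
        try:
            raw += binascii.a2b_uu(lines[j])
        except binascii.Error:
            return None, i + 1                     # not really uuencode; resume after 'begin'
        j += 1
    return bytes(raw), j + 1

def _decode_b64(lines: List[str], i: int) -> Tuple[Optional[bytes], int]:
    """Join consecutive base64 lines starting at i (plus one short tail line)."""
    j = i
    while j < len(lines) and B64_FULL.match(lines[j].strip()):
        j += 1
    blob = "".join(l.strip() for l in lines[i:j])
    tail = lines[j].strip() if j < len(lines) else ""
    if tail and B64_TAIL.match(tail) and (len(blob) + len(tail)) % 4 == 0:
        blob, j = blob + tail, j + 1
    try:
        return base64.b64decode(blob, validate=True), j
    except binascii.Error:
        return None, j

def scan_message(body: str, min_bytes: int = 256) -> List[Dict[str, object]]:
    """Return one finding per decoded blob of at least min_bytes."""
    findings, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if UU_BEGIN.match(line):
            data, i = _decode_uu(lines, i)
            if data is not None and len(data) >= min_bytes:
                findings.append(_describe("uuencode", data))
        elif B64_FULL.match(line):
            data, i = _decode_b64(lines, i)
            if data is not None and len(data) >= min_bytes:
                findings.append(_describe("base64", data))
        else:
            i += 1
    return findings

def _uuencode(name: str, data: bytes) -> str:
    body = b"".join(binascii.b2a_uu(data[k:k + 45]) for k in range(0, len(data), 45))
    return f"begin 644 {name}\n" + body.decode("ascii") + "`\nend"

# Constructed samples: genuine file headers in front of filler bytes.
FAKE_ZIP = b"PK\x03\x04" + bytes(range(256)) * 2
FAKE_PDF = b"%PDF-1.4\n" + bytes(range(256)) * 2
SAMPLE_MESSAGE = ("Hi, roadmap inline as requested.\n\n" + _uuencode("roadmap.zip", FAKE_ZIP)
                  + "\n\nThanks\n" + base64.encodebytes(FAKE_PDF).decode("ascii") + "regards\n")
BENIGN_MESSAGE = "See you at the meeting tomorrow.\n" + "x" * 48 + "\n"

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
```

      The header check is what makes this usable as a filter rule: a 500-byte run of base64 that decodes to a zip or OLE2 header is a different event from a pasted certificate or a signature block, and the entropy figure separates an encrypted archive (near 8 bits per byte, no header to match) from plain text.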

    13. Re:data has walked out the door before. by poot_rootbeer · · Score: 1

      ...and your computer doesn't have a CDRW/DVDRW on it of some form or another? You haven't secretly set up an ssh tunnel to an outside computer?

      *I* could find a way to move sensitive data off my workstation, sure. But the data I work with isn't exactly top secret.

      In the case that it were, I would hope the IT directors at the company would be smart enough to lock my terminal down. No writable or bootable removable media. A secured OS and a user account with no permissions to install any software. Krazy glue in the USB ports.

      It's possible to take reasonable precautions against sensitive data being compromised, and companies that fail to do so deserve full culpability.

    14. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      Couldn't agree more on the comment about social engineering and developing policies that reflect that. Companies don't often spend the time thinking about what 'Confidential' or 'Proprietary' means when they classify and protect their documents. Often, they believe that any device (USB drive, PC, smart phone, etc.) that accesses 'Confidential' documents must also be locked down. Hence things like email filtering, key logging, etc.

      Hardening devices is akin to hardening a perimeter. So much effort goes into protecting access to the documents that the documents themselves are not protected. Hence, if anyone figures out how to electronically get a document out of the network, it's free.

      DRM is a possible solution to the USB problem because it should distinguish what a 'Proprietary' document is, no matter how it is accessed. Even if I download to my home PC via that USB drive, the content should still be activated back to a central key server. That activation request should be an auditable event that says, "Tom Jones who was fired 10 months ago is trying to open secretchipdocs.qxf"

      When a DRM protected file isn't in use, users should be able to use their PCs and devices just like they normally would.

      Indeed, there may be many legitimate reasons to share proprietary information and not hamper users' access to it via email filtering, key-logging, etc.
      If I am Apple Computer and check out Intel's latest product roadmap, I haven't 'stolen' the files. If the Apple - Intel relationship should ever go south (or change its terms), how is access to those files repudiated and/or changed? Do you think that Intel can convince Apple to install a key logger on their network? (save the TCG 'discussion' for later)

      Corporate DRM will be tricky to get right for mass adoption because it has to protect the data without penalizing the user. Again, to the point about social engineering, there will be tradeoffs in usability and security. The more focus that is put on security of the documents themselves, the smaller the usability penalty will be for all other 'normal' activities.

    15. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      So the great game begins. Now we will have to body cavity search all employees entering and leaving the facilities at least twice a day and maybe more for lunches. And how about putting Faraday cages around all factory buildings to please the RIAA? ....and now how about all the surreptitious RFID tags spies will leave everywhere....now howwww smallll can they get? could they be hidden in a false tooth?.....

      Face it, the spies will always win! RIAA is lost before it begins. Years ago they caught a unique saboteur on a base in Georgia. She...yes...SHE...had managed to put her 'package' on a B-52 on the alert pad at a Strategic Air Command base. She had all kinds of clearances and exceptions to search. She was the base commander's DARLING DAUGHTER!!

    16. Re:data has walked out the door before. by MyNymWasTaken · · Score: 1

      You religiously put all your sensitive docs into the to-be-shredded container instead of the usual recycle bin (but people will still inadvertently put critical info in the regular recycle bins from time to time)?

      The last financial services company I worked at didn't have a "regular recycle" bin. Everything went into the shred container - internal company docs & take-out restaurant menus alike. Posted above it was a news article about dumpster diving and companies losing invaluable data because of it.

      As for the topic of the article...

      If you don't trust your employees to not walk off with company data, no level of "security measures" will prevent it & give you peace of mind. If they want to, they will.

    17. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      There is a simple solution to the posited problem. Require that the seminal copy of data which must be retained be kept on the server volume (which per standard practice is backed up regularly and in triplicate with at least one copy maintained off-site). Then the user can copy to their hearts' content onto a USB key drive/floppy disk/Zip disk/CD-R(W)/DVD-(+)R(W)/external hard drive/internal hard drive/etc. Work at home must be done over VPN to the on-site computer with the server copy again being seminal.

    18. Re:data has walked out the door before. by default+luser · · Score: 1

      Right, I think it is stupid as well, but here is the reason why my company prohibits USB thumbdrives:

      According to them, Windows with logging enabled will log all disk transactions, including floppy, CD, Zip. Anytime you copy a file to the disk, it will be logged. But they claim that for USB devices such as flash drives, transactions are not logged.

      Is this correct? I'm not certain. Is this overkill, considering that they have to trust the employees anyway? Sure. But if it is correct, I can understand why USB devices would be such a great concern.

      It is hard to justify completely turning off USB or hot-gluing the ports closed now that vendors are starting to support USB exclusively. This is probably the best solution available to them.

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    19. Re:data has walked out the door before. by Anonymous Coward · · Score: 0

      ..and your computer doesn't have a CDRW/DVDRW on it of some form or another?


      Correct.

      You haven't secretly set up an ssh tunnel to an outside computer?


      Ssh to external networks is also blocked.

  2. Wow! by Bobdoer · · Score: 2, Insightful

    To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

    1. Re:Wow! by slashdotnickname · · Score: 1

      To think that malicious employees waited until flash drives to steal data!

      malicious employees come from...
          disgruntled employees which are made so by...
              tyrannical/unrealistic upper-management decisions designed to compensate for...
                  poor/unsatisfactory performances from certain employees that basically...
                      have lazy and/or minimal work ethics.

      So yes, because lazy employees ultimately beget malicious ones, it would make sense if malicious employees are facilitated into their malicious ways by their original lazy ways.

    2. Re:Wow! by meringuoid · · Score: 1

      To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

      Heh. Flash drives are old hat anyway. The modern data thief uses a palmtop and a Bluetooth-enabled rock, almost certainly prepared by Q.

      --
      Real Daleks don't climb stairs - they level the building.

  3. That reminds me by TheAxeMaster · · Score: 2, Funny

    Dang, that reminds me, I need to figure out where my USB flash drive is....

    1. Re:That reminds me by rcpitt · · Score: 1

      Hmmm... about the size of a suppository. Could be "anywhere"

      got your rubber gloves handy?

      --
      Been there, done that, paid for the T-shirt
      and didn't get it

    2. Re:That reminds me by Anonymous Coward · · Score: 0

      This week on Appalachian Emergency Room:

      Doctor: So Cletus let me guess, you accidentally sat on this 512 MB Mini Cruzer USB key?

      Cletus: How'd you know doc?

      Doctor: Well in the past you've accidentally sat on, among other things, a lightbulb, a beer bottle, a kielbasa, a cordless telephone, a raised-fist "Black-Power" sculpture, and a GI-Joe action figure. After all that the idea that you somehow sat on this relatively small USB data storage device doesn't surprise me in the least.

      Doctor: *laughs*

      Cletus: *laughs*

    3. Re:That reminds me by yanw · · Score: 1

      I stole it to replace the one I had stolen. Anyhow, thanks for the lovely pr0n that was on it.....

    4. Re:That reminds me by pimpimpim · · Score: 1

      Well, in real life, losing your flash drive may not be so funny, for example if it's a memory stick with secret Defense information that has been lost (link in Dutch). Happened in the Netherlands a few weeks ago.

      --
      molmod.com - computing tips from a molecular modeling

  4. Watch the log files! by rcpitt · · Score: 5, Insightful

    When I see the fact that a USB storage device has been inserted into a workstation or server, I question what (and who) did what.

    The log files don't lie!

    Of course if you can't find them, then it doesn't matter, does it? Does WinXX create a log file of USB insertion - damned if I know!

    --
    Been there, done that, paid for the T-shirt
    and didn't get it

    1. Re:Watch the log files! by utlemming · · Score: 1

      The log question may be legitimate. With all the questions about trusted computing, etc., from the business perspective, what about trusted components.

      As I am sitting here, I have come up with a scheme that might work. 1) Each USB device has a unique key. 2) Each key has to be registered at a central USB key server. 3) When a USB device is plugged into a computer, the client machine queries the server for authorization before the USB device is allowed to work. 4) Denied devices trigger security. The scheme would work in an environment where data theft is a concern since most users would not have administrative privileges anyway. Furthermore, devices like mice could carry a unique key where they wouldn't have to be authorized unless they had memory on them.

      --
      The views expressed are mine own and do not express the views of my employer.

    2. Re:Watch the log files! by rcpitt · · Score: 2, Funny

      OK - so you've invented DRM - Digital Rights Management - and it mandates that each portable digital container has a unique signature.

      My personal hacker (12 years old, immune from prosecution) just duplicated your key-fob's ID. What are you going to do about it?

      Check - and Mate!

      --
      Been there, done that, paid for the T-shirt
      and didn't get it

    3. Re:Watch the log files! by Lehk228 · · Score: 1

      You could also just remove the USB mass storage device drivers from your standard disk image and have certain workstations with USB storage enabled which require a login, as well as monitoring which files are being sent to a USB drive.

      --
      Snowden and Manning are heroes.

    4. Re:Watch the log files! by Talez · · Score: 1

      Easy. I don't hold the key in plaintext.

      It gets held in a tamper proof SIM card.

      The key never actually gets transported nor is it known to anyone outside the USB key and the server.

    5. Re:Watch the log files! by Anonymous Coward · · Score: 0

      And then someone using a machine without DRM (Linux, likely) performs a man-in-the-middle attack on the key. It's only USB, not some highly proprietary interface like the digital audio laser/optical connection port.

    6. Re:Watch the log files! by ObsessiveMathsFreak · · Score: 1

      Does WinXX create a log file of USB insertion - damned if I know!

      Even if it did, which I doubt, perhaps 0.0001% of Windows domain controllers would know where to look for it, and I very much doubt that it would have any kind of really useful data.

      It's a moot point in any case. Most data on windows servers is on a shared network drive. Do those have log files?

      --
      May the Maths Be with you!

    7. Re:Watch the log files! by Jussi+K.+Kojootti · · Score: 2, Insightful

      "tamper proof SIM card"

      That'll work. Just like all the other consumer devices that were marketed as secure -- and were cracked in two days after release. If the key is in the device, it will be known.
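      Added example, not from any post in the thread: utlemming's registration scheme written so that the per-device key never crosses the USB bus, together with the three objections raised in the replies above. The server issues a fresh nonce, the device answers with an HMAC over the nonce and its ID, and the server accepts each nonce once. Copying the fob's ID alone (rcpitt's 12-year-old) fails, replaying a captured exchange fails, but a secret pulled out of the "tamper proof" element (Jussi's point) authenticates exactly like the original. Device IDs, the HMAC-SHA256 construction and the in-memory server are assumptions made for illustration.

```python
"""Challenge-response authorisation for registered USB devices, as sketched
in the thread, and the attacks raised in the replies.  Added example, not
code from any post; device IDs and the in-memory server are illustrative."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def _mac(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Response = HMAC-SHA256(secret, device_id || nonce): bound to both."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()

class AuthServer:
    """The central 'USB key server': one secret per registered device ID."""
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[bytes, str] = {}   # outstanding nonces, each usable once

    def register(self, device_id: str, secret: bytes) -> None:
        self._secrets[device_id] = secret

    def challenge(self, device_id: str) -> Optional[bytes]:
        if device_id not in self._secrets:
            return None                        # unregistered ID: nothing to prove
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = device_id
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        if self._pending.pop(nonce, None) != device_id:
            return False                       # unknown or already-consumed nonce
        return hmac.compare_digest(_mac(self._secrets[device_id], device_id, nonce), response)

class Device:
    """Stands in for the secure element on the stick; only respond() uses the secret."""
    def __init__(self, device_id: str, secret: bytes) -> None:
        self.device_id = device_id
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self._secret, self.device_id, nonce)

    def extract_secret(self) -> bytes:
        """Models physical or firmware extraction of the key material."""
        return self._secret

def authorize(server: AuthServer, device: Device) -> bool:
    """The host-side check run when a device is plugged in."""
    nonce = server.challenge(device.device_id)
    return nonce is not None and server.verify(device.device_id, nonce, device.respond(nonce))

def attack_copy_id(server: AuthServer, genuine: Device) -> bool:
    """Duplicate only the fob's ID; the secret has to be guessed."""
    return authorize(server, Device(genuine.device_id, secrets.token_bytes(32)))

def attack_replay(server: AuthServer, genuine: Device) -> Tuple[bool, bool]:
    """Capture one exchange on the bus and submit it a second time."""
    nonce = server.challenge(genuine.device_id)
    response = genuine.respond(nonce)
    first = server.verify(genuine.device_id, nonce, response)
    second = server.verify(genuine.device_id, nonce, response)   # replayed
    return first, second

def attack_extracted_secret(server: AuthServer, genuine: Device) -> bool:
    """If the key is in the device, it will be known: a clone with the real secret."""
    return authorize(server, Device(genuine.device_id, genuine.extract_secret()))

def demo() -> Dict[str, object]:
    server = AuthServer()
    stick = Device("fob-0001", secrets.token_bytes(32))
    server.register(stick.device_id, stick.extract_secret())   # enrolment, out of band
    return {
        "genuine": authorize(server, stick),
        "unregistered": authorize(server, Device("fob-9999", stick.extract_secret())),
        "copied_id": attack_copy_id(server, stick),
        "replay": attack_replay(server, stick),
        "extracted_secret": attack_extracted_secret(server, stick),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

      Two limits worth stating. The check lives in host software, so the machine without the client that the MITM post mentions simply mounts the disk and reads it; the scheme governs managed hosts, not the data on the stick. And a relay (attacker forwards the host's nonce to the genuine device and returns its answer) passes, because the protocol proves possession of the secret, not proximity.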

    8. Re:Watch the log files! by PriceIke · · Score: 1

      Here's another idea .. instead of USB drives, give each employee one of these to move their software to and from work. They're USB .. a little bit bigger than your standard jump drive, but smaller than most external HDs.

      I'm surprised no one's made a Sandy Berger joke yet .. not even the closet conservatives.

      --
      It's not a lie. It's the truth with lossy compression.

    9. Re:Watch the log files! by Anonymous Coward · · Score: 0

      Win2K and WinXP both keep a log of every insertion of a USB "Portable media" device. It comes with a date/time stamp. Unfortunately it doesn't say what exactly was transferred.

      Since our shop is perpetually paranoid about data walking off, we have no floppy drives, and the CD-RW is disabled both via password protected BIOS and internally. The USB/Firewire ports are all also disabled. A bit of overkill since the logs are audited weekly, and they are set to send a note to the sysadmin if any pre-designated events occur.

      YMMV

    10. Re:Watch the log files! by keydet89 · · Score: 1

      > Does WinXX create a log file of USB insertion - damned if I know!

      If by WinXX you mean WinXP (or WinNT+), then the answer is yes. When a USB removable storage device is plugged into a WinNT+ (includes 2000, XP, 2003) system, that fact is recorded in the file system (the first time, anyway) as well as within the Registry. Give me an unaltered image of a system and I can tell you how many USB removable storage devices were plugged into it, when each was first plugged in, and the last time they were plugged in. I may even be able to tell you which drive they were mapped to. I may even be able to tie it to a unique device.

      H. Carvey
      "Windows Forensics and Incident Recovery"
      http://www.windows-ir.com/
      http://windowsir.blogspot.com/

    11. Re:Watch the log files! by Karma+Farmer · · Score: 1

      When I see the fact that a USB storage device has been inserted into a workstation or server, I question what (and who) did what.

      Well, if you had configured your operating system to keep decent log files, you wouldn't have to question who did what. The log files would tell you.

    12. Re:Watch the log files! by keydet89 · · Score: 1

      > Even if it did, which I doubt,

      Why do you say that? Do you have any basis in fact?

      > ...perhaps 0.0001% of Windows domain controllers would know where to look for it,

      Perhaps...if by "domain controller" you mean sysadmin. But these folks can be educated, as can law enforcement, etc. I started presenting on this at GMU2005, and have published articles and blogs on it.

      H. Carvey

      "Windows Forensics and Incident Recovery"

      http://www.windows-ir.com/

      http://windowsir.blogspot.com/

    13. Re:Watch the log files! by Anonymous Coward · · Score: 0

      Does WinXX create a log file of USB insertion - damned if I know!

      Windows 2000 and up log an entry in the Event Log, the first place I thought to look for it. Following are the entries from my computer when I inserted and removed a USB drive (in this case an iPod Shuffle):

      Event Type: Information
      Event Source: Removable Storage Service
      Event Category: None
      Event ID: 134
      Date: 11/20/2005
      Time: 2:33:05 AM
      User: N/A
      Computer: DESKTOP
      Description:
      Received a device interface ARRIVAL notification for device:
          \\?\USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_2.70#000A27001004CD87&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

      Event Type: Information
      Event Source: Removable Storage Service
      Event Category: None
      Event ID: 135
      Date: 11/20/2005
      Time: 2:33:18 AM
      User: N/A
      Computer: DESKTOP
      Description:
      Received a device interface REMOVAL notification for device:
          \\?\USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_2.70#000A27001004CD87&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

      It doesn't seem to report the user who was logged-in when the event happened, but that may be because I always run as Administrator. Anyway, that's what gets put in the Event Log under Windows 2000 when inserting and removing an iPod Shuffle. So if someone puts in a USB drive then you can know when (and possibly whom). If you need more I bet somebody makes software to monitor USB drive transactions.
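      Added example, not code from any post in the thread: the device string in the event records above and the per-device subkeys keydet89 describes under the Registry's USBSTOR key share one format, `Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>` followed by an instance ID, so one parser covers both. The Python below pulls vendor, product and serial out of either form, flags instance IDs that Windows made up because the device reported no serial number (second character `&`, which means the ID will differ on another machine), and pairs ARRIVAL and REMOVAL records into sessions. The iPod records mirror the ones quoted above; the SanDisk record, the event text layout as a whole and the field names are constructed sample data.

```python
"""Inventory of removable-disk activity from Windows 2000/XP Removable Storage
Service events (ID 134 = ARRIVAL, 135 = REMOVAL) and USBSTOR device paths.
Added example, not code from the thread; the SanDisk record is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ARRIVAL_ID, REMOVAL_ID = 134, 135

# The same device string appears in both places:
#   event log:  \\?\USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_2.70#<instance>#{guid}
#   registry:   HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_2.70\<instance>
USBSTOR_RE = re.compile(
    r"USBSTOR[#\\](?P<kind>[^&#\\]+)&Ven_(?P<vendor>[^&#\\]*)&Prod_(?P<product>[^&#\\]*)"
    r"&Rev_(?P<rev>[^#\\]*)[#\\](?P<instance>[^#\\]+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

@dataclass(frozen=True)
class UsbDevice:
    kind: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_device_supplied: bool   # False: Windows-generated, not stable across hosts

@dataclass(frozen=True)
class StorageEvent:
    when: datetime
    event_id: int
    computer: str
    device: UsbDevice

@dataclass(frozen=True)
class Session:
    device: UsbDevice
    start: datetime
    end: Optional[datetime]           # None: no REMOVAL seen yet

def parse_usbstor_id(text: str) -> Optional[UsbDevice]:
    """Extract the device identity from an event description or a registry key path."""
    m = USBSTOR_RE.search(text)
    if not m:
        return None
    instance = m["instance"]
    # "<serial>&0": the trailing &N is an interface number, not part of the serial.
    serial = instance.rsplit("&", 1)[0] if re.search(r"&\d+$", instance) else instance
    # No USB serial reported => Windows synthesises an ID like 7&2a3b4c5d&0 ('&' second).
    return UsbDevice(m["kind"], m["vendor"], m["product"], m["rev"], serial, instance[1:2] != "&")

def parse_event_records(text: str) -> List[StorageEvent]:
    """Parse records in the text form Event Viewer shows, one blank line between them."""
    events = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        device = parse_usbstor_id(block)
        if fields.get("Event Source") != "Removable Storage Service" or device is None:
            continue
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(StorageEvent(when, int(fields["Event ID"]), fields["Computer"], device))
    return events

def pair_sessions(events: List[StorageEvent]) -> List[Session]:
    """Match each ARRIVAL with the next REMOVAL of the same device on the same host."""
    open_by_key: Dict[Tuple[str, str], StorageEvent] = {}
    sessions: List[Session] = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.computer, ev.device.serial)
        if ev.event_id == ARRIVAL_ID:
            open_by_key[key] = ev
        elif ev.event_id == REMOVAL_ID and key in open_by_key:
            start = open_by_key.pop(key)
            sessions.append(Session(start.device, start.when, ev.when))
    sessions.extend(Session(s.device, s.when, None) for s in open_by_key.values())
    return sessions

# Constructed sample: the two iPod records from the thread plus a device with no serial.
SAMPLE_EVENTS = r"""
Event Type: Information
Event Source: Removable Storage Service
Event ID: 134
Date: 11/20/2005
Time: 2:33:05 AM
User: N/A
Computer: DESKTOP
Description:
Received a device interface ARRIVAL notification for device:
    \\?\USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_2.70#000A27001004CD87&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Event Type: Information
Event Source: Removable Storage Service
Event ID: 135
Date: 11/20/2005
Time: 2:33:18 AM
User: N/A
Computer: DESKTOP
Description:
Received a device interface REMOVAL notification for device:
    \\?\USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_2.70#000A27001004CD87&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Event Type: Information
Event Source: Removable Storage Service
Event ID: 134
Date: 11/20/2005
Time: 2:40:00 AM
User: N/A
Computer: DESKTOP
Description:
Received a device interface ARRIVAL notification for device:
    \\?\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Mini&Rev_0.1#7&2a3b4c5d&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
"""

if __name__ == "__main__":
    for s in pair_sessions(parse_event_records(SAMPLE_EVENTS)):
        d = s.device
        origin = "device" if d.serial_is_device_supplied else "windows"
        print(f"{d.vendor} {d.product} serial={d.serial} ({origin}-assigned) "
              f"{s.start:%Y-%m-%d %H:%M:%S} -> {s.end or 'still connected'}")
```

      As the poster notes, these records answer which device and when, not what was copied; that comes from NTFS object-access auditing on the share the data lives on, so the two sources are read together rather than one in place of the other. The serial is the join key between the Event Log, the Registry and the device found in someone's pocket, which is why a Windows-generated ID (no vendor serial) is worth flagging: it will not match on a second machine.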

    14. Re:Watch the log files! by ckaminski · · Score: 1

      Most data on windows servers is on a shared network drive. Do those have log files?

      Absofrackin'lutely. It's called Auditing, and it's been a feature of WindowsNT/NTFS since 3.1.

    15. Re:Watch the log files! by Anonymous Coward · · Score: 0

      There aren't any log files for device connections, but it is stored in the registry. There's a product that you can integrate with active dir that will limit who can connect what devices to your systems. The next version will also tell you what was transferred if you allow the connection. It's called Safend and it has a free trial and an auditor that will scan your systems and tell you what has been connected and/or is currently connected. very cool software and not too expensive. [no, I don't work for them.]

  5. Might not want to admit that... by Red+Flayer · · Score: 4, Insightful

    "I had to invade the owner's privacy to see what I could discover from the content of the files."

    Wouldn't this be accessing files that you were not granted access to? Isn't this a crime in several US states, and is it really a good idea to admit to it in a column with your picture and name at the top?

    Just curious if the 'Good Samaritan' is putting himself at risk (and if it was curiosity or a desire to return the property that was the motivation).

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

    1. Re:Might not want to admit that... by ZiakII · · Score: 0, Offtopic

      Wouldn't this be accessing files that you were not granted access to? Isn't this a crime in several US states, and is it really a good idea to admit to it in a column with your picture and name at the top?

      What do you think that message banner and the form you signed to get your account said? You consent to all monitoring and your data on that machine is theirs including your USB drive that you just inserted.

    2. Re:Might not want to admit that... by Red+Flayer · · Score: 1

      "What do you think that message banner and the form you signed to get your account said? You consent to all monitoring and your data on that machine is theirs including your USB drive that you just inserted."

      Huh? What does that have to do with picking up a stray flash drive and attempting to read the contents? What account are you talking about, and what message banner?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

    3. Re:Might not want to admit that... by ZiakII · · Score: 1

      Excuse me if I misspoke before. I'm in the military, so whenever I log on to a computer I get this (listed below). As far as I know most companies do this as well and have a similar banner; basically it's the same as when you call a help phone number and get told that your phone call is being recorded for quality and training purposes.

      This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy.

      If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.

    4. Re:Might not want to admit that... by Red+Flayer · · Score: 1

      "As far as I know most companies do this as well and have a similar banner"

      Not at all, which is one of the problems. Besides which, such a banner does not absolve the user from liability for using the computer to commit illegal activities, nor does it make those actions legal.

      All it means is that that user should have zero expectation of privacy, that the computer is for business use only (which most companies issue an annual memo about), and that any evidence of illegal activity will be forwarded to law enforcement.

      Nowhere does it confer ownership of any material (like the 'stray' flash drive) to the user, who is the one who is potentially guilty of accessing unauthorized material.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

    5. Re:Might not want to admit that... by Anonymous Coward · · Score: 0

      "I had to invade the owner's anus to see what I could discover from the content of the poop."

      Wouldn't this be accessing anuses that you were not granted access to? Isn't this a crime in several US states, and is it really a good idea to admit to it in a column with your goatse picture and name at the top?

      Just curious if the 'Good Nigerian' is putting himself at risk (and if it was curiosity or a desire to return the poop that was the motivation).
      --
      "Gay niggers they were, but filled with the cum of their master: a black race..." -- G.N.A.A. on Poop-hai

    6. Re:Might not want to admit that... by ZiakII · · Score: 1

      "I had to invade the owner's privacy to see what I could discover from the content of the files."

      He never said 'stray flash' but as long as its connected to a computer that is on MY network that I am administrating it is open game for me to look at.

    7. Re:Might not want to admit that... by Red+Flayer · · Score: 1

      Sure, you've got legal access, as an admin. But the guy who inserted the flash drive... not at all (remember, he found it underneath a table). He's the one who committed the illegal act, according to many states.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

    8. Re:Might not want to admit that... by pintomp3 · · Score: 1

      i guess it's like going through a lost wallet to try to identify the owner.

    9. Re:Might not want to admit that... by poot_rootbeer · · Score: 1

      Wouldn't this be accessing files that you were not granted access to?

      I think "possession is 9/10ths of the law" applies here, as does "finders keepers".

  6. dumb approach. by Vellmont · · Score: 4, Insightful


    Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

    Which will solve exactly nothing. What are you going to do, search everyone as they enter and leave the building? If you want to limit data theft, limit access to huge amounts of data in the first place. That eliminates the risk of any new technology getting the data offsite.

    --
    AccountKiller
    1. Re:dumb approach. by Descalzo · · Score: 2, Insightful
      So if they do end up banning these things, what will they use instead? We use them because they are so handy. What other good options do we have?

      --
      I cried real tears when Li Mu Bai died.
    2. Re:dumb approach. by jonwil · · Score: 1

      At the place where I work, I have access to confidential data (and I need that access to do my job). If I wanted to (and wanted to get fired), which I don't (because I would get fired), I could steal this confidential information and post it to the internet. Fact is, large amounts of corporate data theft come when dishonest people deliberately copy data they have access to for their jobs and distribute it, or when honest people copy data to e.g. work on it at home and then that data goes missing.

      What I (and I am sure many companies) would like to see is a range of computers from a big name OEM like DELL that use PS2 for mouse and keyboard and then have a jumper on the motherboard or a software switch hidden in the BIOS behind a BIOS password that will completely disable all use of USB. If you then combine that with a read-only optical drive and no floppy drive it makes it very hard to get data out of the machine without going over the network somehow. Which then gives a chance for it to be inspected or blocked (e.g. firewalls, email scanning etc). With this, there is no need to ban USB devices from work because even if someone does bring a flash drive to work, they can't use it. (They would need to open the machine or get past the BIOS password and re-enable USB and then they would need to install the Windows XP USB drivers or somehow boot an alternative OS (e.g. a Live CD) that would be able to read whatever sensitive data they wanted. If they were going to do that, they could probably set up an encrypted tunnel and send the data out that way.)

      Obviously, all of this only applies if you have dishonest employees :)

    3. Re:dumb approach. by fredklein · · Score: 1

      ...computers ... that use PS2 for mouse and keyboard and then have a jumper on the motherboard or a software switch hidden in the BIOS behind a BIOS password that will completely disable all use of USB. If you then combine that with a read-only optical drive and no floppy drive it makes it very hard to get data out of the machine without going over the network somehow.

      Um, pull the HD?
      Unplug the CD-ROM and temporarily plug in another HD?
      COM1 --> Portable Device (Sync to a PDA, etc)
      COM2 --> Portable Device
      Parallel port --> Portable Device
      Parallel port --> Printer (hardcopy!)
      Unplug network cable, plug in crossover cable going to laptop.

      None of these are "very hard".

      And I haven't even mentioned weird stuff, like using a sound card to 'play' a file into a tape recorder....

    4. Re:dumb approach. by anagama · · Score: 1
      What I (and I am sure many companies) would like to see is a range of computers from a big name OEM like DELL that use PS2 for mouse and keyboard and then have a jumper on the motherboard or a software switch hidden in the BIOS behind a BIOS password that will completly disable all use of USB.
      Well I don't know about Dell and I'm not about to go search their website as I already wrecked my uptime by rebooting, checking my BIOS, and seeing that under "integrated peripherals" one can disable USB 1.1 and 2.0. Gigabyte K7 Triton, KT600 motherboard. As for PS2 mouse/kbd -- are you saying Dells don't have those ports? Even my mini-itx board has both.
      --
      What changed under Obama? Nothing Good
    5. Re:dumb approach. by anagama · · Score: 1

      So actually I did check Dell's site because I couldn't really believe there were no PS2 ports ... it looks to be true amazingly enough, although on some systems you can get them as an option. I don't see a serial port or par. port either on this cheapish model.

      --
      What changed under Obama? Nothing Good
    6. Re:dumb approach. by Vellmont · · Score: 1


      (they would need to open the machine or get past the BIOS password and re-enable USB and then they would need to install the windows XP USB drivers or somehow boot an alternative OS (e.g. a Live CD) that would be able to read whatever sensitive data they wanted

      And this is something that's particularly difficult? You don't have to even have very specialized knowledge to open up a computer, jumper the BIOS reset jumper, and boot a Live CD to get USB support. An interface jockey can do all of that.

      What you SHOULD be doing is limiting the access to this data, and auditing who accesses what, when, and how much. When you can't explain why you've copied 10 gigs of the database records and there's been a recent leak, odds are you're going to be at least fired, and maybe even raided by the police in search of evidence. Trying to limit how people take the data out of the building is like putting metal detectors at all the exits as your only means to protect Fort Knox. Once someone can get at the data there's always going to be a way to get it out.

      --
      AccountKiller
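The auditing Vellmont describes above is the control that actually scales: you cannot stop every copy, but you can notice when someone pulls far more than their job needs. The following is an added example for this thread, not code from any post. It runs detection over a constructed export audit log (one line per export with day, user, table and byte count); the log format, the 1 GB absolute floor and the 10x-own-baseline ratio are all assumptions to adjust for a real system.

```python
"""Spot bulk data access in an export audit log.

Added example for this thread, not code from the original posts. The log
format is constructed for the example: one line per export, with the day,
the user, the table and the byte count. Thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample records, not real logs. bob and carol pull gigabytes
# on 2006-11-04; dave pulls only 50 MB, but 500x his usual day.
SAMPLE_LOG = """\
2006-11-01T09:14:02 user=alice action=export table=customers bytes=240000
2006-11-01T10:02:17 user=bob action=export table=customers bytes=310000
2006-11-01T10:30:00 user=dave action=export table=orders bytes=100000
2006-11-02T09:30:44 user=alice action=export table=orders bytes=180000
2006-11-02T11:11:09 user=bob action=export table=orders bytes=295000
2006-11-02T11:40:00 user=dave action=export table=orders bytes=100000
2006-11-03T08:55:30 user=alice action=export table=customers bytes=250000
2006-11-03T09:01:12 user=bob action=export table=customers bytes=305000
2006-11-03T09:20:00 user=dave action=export table=orders bytes=100000
2006-11-04T17:48:03 user=bob action=export table=customers bytes=5200000000
2006-11-04T17:59:41 user=bob action=export table=orders bytes=4900000000
2006-11-04T10:20:00 user=carol action=export table=customers bytes=6000000000
2006-11-04T18:05:00 user=dave action=export table=orders bytes=50000000
malformed line that must not break the audit
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+action=export"
    r"\s+table=(?P<table>\S+)\s+bytes=(?P<bytes>\d+)$"
)

ABSOLUTE_FLOOR = 1_000_000_000  # assumption: a 1 GB day is always worth a look
RATIO = 10.0                     # assumption: flag days > 10x the user's median day


def daily_totals(log_text):
    """Return {user: {day: bytes}}; malformed lines are skipped, not fatal."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def flag_bulk_days(log_text):
    """Return [(user, day, bytes, reason)] sorted by volume, largest first.

    Rule 1: a day at or above ABSOLUTE_FLOOR is flagged regardless of history.
    Rule 2: a day more than RATIO times the user's median over their other
    days is flagged, provided there are at least two other days to compare
    against (a brand-new account has no baseline and only rule 1 applies).
    """
    flagged = []
    for user, days in daily_totals(log_text).items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if total >= ABSOLUTE_FLOOR:
                flagged.append((user, day, total, "above absolute floor"))
            elif len(others) >= 2 and total > RATIO * statistics.median(others):
                flagged.append((user, day, total, "far above own baseline"))
    flagged.sort(key=lambda f: -f[2])
    return flagged


if __name__ == "__main__":
    for user, day, total, reason in flag_bulk_days(SAMPLE_LOG):
        print(f"{day} {user:<6} {total:>14,} bytes  {reason}")
```

The median rather than the mean is deliberate: one huge day should not drag a user's own baseline up so far that the next huge day looks normal.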
    7. Re:dumb approach. by jonwil · · Score: 1

      Well the jumper or BIOS setting could disable COM and LPT ports too. (especially since, like the USB ports, they aren't used normally)
      As for pulling the HD or CDROM, that would mean opening the case (and there are ways to prevent/detect/monitor that, the simplest of which is to use a padlock on the case). Also, someone sitting in a cubicle and opening the case of their machine might arouse suspicions.
      As for Laptops, it's much easier to prevent employees taking in laptops than it is to prevent employees taking in USB drives.
      As for the weird stuff, you could ban tape recorders.
      Point is that if the LPT, COM and USB ports are disabled, laptops & PDAs are restricted or banned and opening the case is made difficult enough that it's possible to detect when it has happened or it looks very suspicious when it's being done, of all the remaining methods left, sending it over the network and out onto the internet becomes the easiest option for any would-be data thief.

    8. Re:dumb approach. by Anonymous Coward · · Score: 0

      "So if they do end up banning these things, what will they use instead."

      Submit a tech support request to ask a manager for permission to authorise the supervised transfer of data via a special networked PC with a USB port from the development machine to the testing machine (or wherever you're moving data to which isn't on the same network). Repeat hourly.

    9. Re:dumb approach. by jonwil · · Score: 1

      The problem is, limiting access to the data won't stop people who need to get to it from stealing it. For example, if you are a software engineer working on a big software project, you need access to the entire codebase to build the software, even if you are only working on one bit.

      As for stopping someone opening the computer up, there are ways to stop people getting inside a computer or notify when it has happened (for example, you can use a lock on the case. Or you can have a chassis intrusion detection sensor wired to a network send so that the machine tells a network server that it was opened). Plus, if your company is one where employees are trained to look for suspicious events (like the place where I work), someone sitting next to you opening up their computer and walking off with the hard drive would probably count as suspicious and would be something you would report.

    10. Re:dumb approach. by Anonymous Coward · · Score: 0

      If you have untrustworthy people in positions of responsibility, you are boned. Nothing you can do will stop the problem. You are limited to making sure that those people who need the data can get at it. That is it.

      Or don't let anyone access the data.

    11. Re:dumb approach. by sckeener · · Score: 1

      If you want to limit data theft, limit access to huge amount of data in the first place. That eliminates the risk to any new technology to get the data offsite.

      Agreed. Blank CDs and DVDs create as much risk as USB Keys.

      The best way to prevent data loss is to restrict the data in the first place.

      Also I think it would be a good policy to have everyone return unused company USB drives to a central person whose job would be to wipe them clean for redeployment.

      --
      "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
    12. Re:dumb approach. by pjbgravely · · Score: 1

      Why not just remove all unnecessary drivers from the OS? You can't use a USB drive if you can't mount it. Have CD-RW drives mounted as read only to prevent burning, and remove all burning programs to be even more safe. IT can create an Image or push out a script to make the boxes safe. If someone is going to crack the root password, you have bigger problems anyway.

      --
      Star Trek, there maybe hope.
    13. Re:dumb approach. by j0eshm0e · · Score: 1

      Speaking of dumb approaches...

      I worked at a company that printed currency so security was pretty tight. Inter-office memos and emails with new corporate policies from the CSO came regularly. One day we got a corporate email saying that USB drives were not allowed on the premises and employees found with one were subject to dismissal. I was dumbfounded...

      You see the group I worked with developed lottery terminals. Inside each lottery terminal was one card flash and one USB thumb drive. Software was stored on the card flash, updates and dynamic data on the thumb drives. We were swapping those in and out all the time. I had twenty of them on my desk at any given moment.

      Policy can only go as far as reality.

    14. Re:dumb approach. by fredklein · · Score: 1

      if the LPT, COM and USB ports are disabled, laptops & PDAs are restricted or banned and opening the case is made difficult

      Just saying it's a tad bit more than "disable all use of USB and no floppy drive".

  7. Lost is the wrong word by A+nonymous+Coward · · Score: 2, Insightful

    Geez. It isn't lost, it is copied. Maybe you don't want it copied, great, but it is not lost, not misplaced, not missing. Some people will quibble about it being stolen or pirated, but it is not lost.

    1. Re:Lost is the wrong word by Jeremi · · Score: 1

      I think the proper word would be "escaped".

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:Lost is the wrong word by EnsilZah · · Score: 1

      I believe that correct term would be 'Compromised'.

    3. Re:Lost is the wrong word by Anonymous Coward · · Score: 0

      I believe that the proper term is "gang raped by a whole shitload of gay niggers"

    4. Re:Lost is the wrong word by BrynM · · Score: 1
      It isn't lost, it is copied.
      Typical conundrum of the business world - when something propagates beyond your consent, you must show loss to justify demands for more control. It may be a Freudian slip for "loss of control". For further reading, see "Content Industry".
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    5. Re:Lost is the wrong word by pintomp3 · · Score: 1

      if the flash drive is misplaced, the data is lost in the sense that you can't account for that copy. it's not that you no longer have the data, but another copy of it out there somewhere.

  8. A little epoxy will fix that right up. by LurkerXXX · · Score: 4, Interesting

    I know of several companies which have filled in all the USB/firewire ports on most of the computers with epoxy. Only people who actually have a real need for devices using those ports have working USB/firewire (there are no floppies or CD/DVD burners in 'regular' staff machines either)

    1. Re:A little epoxy will fix that right up. by Anonymous Coward · · Score: 0

      i was thinking the same thing... why even bother with having the ports in the first place... make the computers even cheaper...

    2. Re:A little epoxy will fix that right up. by networkBoy · · Score: 5, Insightful

      Funny,
      As a dev (and with tons of confidential and privileged info on my computer) I am specifically instructed to take my notebook home every night. It is considered part of our business continuity plan. Not only that but this is a large multinational corp, not a mom and pop shop. That said, the drive is encrypted, and security policies are in place for communication back to the office when I'm away (2048 bit RSA VPN).

      What it boils down to is this:
      My employer knows that if I want to steal data I can do it. Even if it comes down to hand transcription of one memorized line of code per day. So they trust me and provide me a hardened notebook to do my work on. Even if it is lost the data will not be compromised till it's likely to be useless anyway.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:A little epoxy will fix that right up. by mh101 · · Score: 2, Insightful

      It's been a while since I've peeked into a PC's BIOS... Can't you disable USB in the BIOS setup? Or is that dependent on the particular BIOS? Then you can just set a password to prevent access to the BIOS setup menus.

      --
      Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    4. Re:A little epoxy will fix that right up. by spooky_nerd · · Score: 2, Insightful

      Better hope your computer isn't "legacy free" or a Mac. You won't have any place left to plug in your keyboard and mouse. Also, don't forget to plug up the parallel port. I still have a ZIP drive!

    5. Re:A little epoxy will fix that right up. by LurkerXXX · · Score: 1
      Also, don't forget to plug up the parallel port. I still have a ZIP drive!

      That wouldn't worry me. Odds are your disk will probably suffer from the 'click of death' by the time you get home. ;)

    6. Re:A little epoxy will fix that right up. by LurkerXXX · · Score: 1

      Someone just has to move a jumper on the motherboard, then put it back to reset the password. Making them chisel out the USB port leaves a little more physical evidence of what went on. ;) Do both.

    7. Re:A little epoxy will fix that right up. by hazem · · Score: 4, Interesting

      Of course, many motherboards have a USB connection where you can plug a slot-based set of USB outlets. If you're already opening the case, that's all you need.

      And USB, I think, is only 4 wires... if the plug is epoxied, just open the case and hotwire your own outlet.

      Somone else already mentioned installing a 2nd harddrive to copy data. And one could also install a $20 USB/Firewire card in one of the PCI slots.

      That leaves filling the whole computer with epoxy. Great, you've turned your PC into a Commodore 64. I hope you don't have to fix it!

      People just have to accept that if a person has physical access to the machine, they can compromise it.

    8. Re:A little epoxy will fix that right up. by dubl-u · · Score: 1

      My employer knows that if I want to steal data I can do it. Even if it comes down to hand transcription of one memorized line of code per day. So they trust me and provide me a hardened notebook to do my work on. Even if it is lost the data will not be compromised till it's likely to be useless anyway.

      This is such the smarter policy for most companies and most data. I've seen some large corporate shops where they went to absurd, productivity-sapping lengths to lock down developer machines. And then they gave developers access to an internet connection and things like C compilers and Perl interpreters. Any decent developer could have shipped out vast quantities of information hidden in DNS queries or HTTP activity.

      Now that I think about it, they were kind of light on decent developers. I always thought that was just because ultra-corporate shops were sucky places to work, but perhaps it's part of their security policies: a developer with a small brain doesn't have room to steal much in the way of secrets.
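The covert channel dubl-u mentions above is worth seeing concretely, because it is what a port-epoxy policy leaves wide open: any desktop that can resolve names can push data out as queries. The following is an added example for this thread, not code from any post. It shows the sender's encoding (sequence-numbered base32 labels under an attacker's zone) and a detector run over a constructed resolver query log; the zone name, the log layout and the thresholds are assumptions, and the "secret" is a made-up 640-byte record.

```python
"""What data leaving over DNS looks like, and one way to notice it.

Added example for this thread, not code from any post. The sender side
shows why DNS works as an export channel from a locked-down desktop that
can still resolve names; the detector runs over a constructed query log
(timestamp, client, "query", name). Real resolver logs differ in layout
but carry the same three fields. Thresholds are assumptions.
"""
import base64
import math
import re
from collections import defaultdict

ZONE = "exfil.example.net"        # attacker-controlled zone (placeholder)
# Constructed 640-byte "record" standing in for exported data.
SECRET = b"acct=4417,name=Jane Doe,ssn=123-45-6789;" * 16


def encode_for_dns(data, zone, label_len=50):
    """Split data into query names <seq>.<base32 chunk>.<zone>.

    Base32 keeps labels to letters and digits; the 63-octet label and
    253-octet name limits are what bound bytes per query.
    """
    assert 1 <= label_len <= 63
    text = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for i in range(0, len(text), label_len):
        name = f"{i // label_len}.{text[i:i + label_len]}.{zone}"
        assert len(name) <= 253
        names.append(name)
    return names


def decode_from_dns(names, zone):
    """Receiver side: strip the zone, order by sequence number, decode."""
    chunks = {}
    for n in names:
        seq, chunk = n[: -len(zone) - 1].split(".")
        chunks[int(seq)] = chunk
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s):
    """Bits per character of a label; base32 payloads sit near 4-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def registrable_zone(qname):
    """Crude: last two labels. Real code would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_clients(log_text, max_label=40, min_entropy=3.0, max_unique=20):
    """Return {client: set(zones)} that look like DNS tunnels.

    Signal (a): a long, high-entropy label (an encoded chunk).
    Signal (b): many distinct names under one zone from one client; every
    tunnel query is unique, so the resolver cache never absorbs them.
    Long hashed CDN hostnames trip (a) too, so review hits by hand.
    """
    unique = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, qname = m["client"], m["qname"]
        zone = registrable_zone(qname)
        unique[(client, zone)].add(qname)
        labels = qname.split(".")[:-2]
        if any(len(l) >= max_label and shannon_entropy(l) >= min_entropy for l in labels):
            hits[client].add(zone)
    for (client, zone), names in unique.items():
        if len(names) >= max_unique:
            hits[client].add(zone)
    return dict(hits)


def build_sample_log():
    """Constructed log: ordinary lookups from 10.0.0.5, a tunnel from 10.0.0.9."""
    benign = ["www.example.com", "mail.example.com", "www.slashdot.org", "images.slashdot.org"]
    lines = [f"2006-11-04T09:{i:02d}:00 10.0.0.5 query {q}" for i, q in enumerate(benign * 2)]
    lines += [f"2006-11-04T09:{i:02d}:30 10.0.0.9 query {q}"
              for i, q in enumerate(encode_for_dns(SECRET, ZONE))]
    return "\n".join(lines)


if __name__ == "__main__":
    names = encode_for_dns(SECRET, ZONE)
    print(f"{len(SECRET)} bytes -> {len(names)} queries, e.g. {names[0]}")
    print("flagged:", suspicious_clients(build_sample_log()))
```

The unique-name count per (client, zone) is the more robust of the two signals: a sender can shorten labels or pick a low-entropy encoding, but it cannot make a cache-busting stream of fresh names look like ordinary browsing.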

    9. Re:A little epoxy will fix that right up. by TallMatthew · · Score: 3, Informative

      rm -rf /lib/modules/2.6.n/kernel/drivers/usb/storage should do it.

      Oh, right. Windows.
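Deleting the module directory as above works until the next kernel package update puts it back; the documented way on Linux is an `install usb-storage /bin/false` line under /etc/modprobe.d, which is not the same thing as `blacklist` (blacklist only stops alias-driven autoload, and `modprobe usb-storage` by name still succeeds). The following is an added example for this thread, not code from any post: a check that tells those two cases apart, handles the hyphen/underscore equivalence modprobe applies to module names, and refuses to call a module "blocked" while /proc/modules shows it already loaded. The configs and /proc/modules dumps are constructed; on a real host you would feed it /etc/modprobe.d/*.conf and /proc/modules.

```python
"""Is USB mass storage really blocked on this Linux box?

Added example for this thread, not code from any post. It reads modprobe.d
text and a /proc/modules dump passed in as strings so it runs anywhere; on a
real host you would feed it the concatenated /etc/modprobe.d/*.conf files
and the contents of /proc/modules. The sample configs below are constructed.
"""

# Constructed: the config many how-tos stop at.
WEAK_CONF = """\
# keep usb-storage from autoloading
blacklist usb-storage
options usbcore autosuspend=2
"""

# Constructed: install rule plus blacklist, with a continuation line and an
# inline comment, both legal in modprobe.d(5).
HARD_CONF = """\
blacklist usb_storage
install usb-storage \\
    /bin/false
install uas /bin/false   # USB Attached SCSI is a second mass-storage driver
"""

# Constructed /proc/modules dumps (first field is the module name).
PROC_MODULES_CLEAN = "usbcore 282624 3 ehci_hcd,uhci_hcd,xhci_hcd, Live 0x0000000000000000\n"
PROC_MODULES_LOADED = "usb_storage 61440 0 - Live 0x0000000000000000\n" + PROC_MODULES_CLEAN


def norm(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")


def parse_modprobe_conf(text):
    """Return (blacklisted set, {module: install command}) from modprobe.d text.

    Joins backslash continuation lines, strips '#' comments and ignores the
    directives that do not affect loading (options, alias, softdep, ...).
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)

    blacklisted, install = set(), {}
    for line in logical:
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == "blacklist":
            blacklisted.add(norm(parts[1]))
        elif len(parts) == 3 and parts[0] == "install":
            install[norm(parts[1])] = parts[2].strip()
    return blacklisted, install


def loaded_modules(proc_modules_text):
    """Set of normalized module names from /proc/modules text."""
    return {norm(l.split()[0]) for l in proc_modules_text.splitlines() if l.strip()}


def usb_storage_status(modprobe_conf, proc_modules, module="usb-storage"):
    """Classify the module as LOADED, BLOCKED, WEAK or OPEN."""
    name = norm(module)
    blacklisted, install = parse_modprobe_conf(modprobe_conf)
    cmd = install.get(name, "")
    # Heuristic (assumption): an install command that does not hand off to
    # modprobe (e.g. /bin/false or /bin/true) can never load the module.
    # Only modprobe-driven loads are covered; root running insmod on the
    # .ko file directly still works, which is why the case lock matters.
    install_blocked = bool(cmd) and "modprobe" not in cmd
    loaded = name in loaded_modules(proc_modules)
    if loaded:
        verdict = "LOADED: config changes do not unload a live module"
    elif install_blocked:
        verdict = "BLOCKED: install rule stops modprobe from loading it"
    elif name in blacklisted:
        verdict = "WEAK: blacklist only stops alias autoload; 'modprobe usb-storage' still loads it"
    else:
        verdict = "OPEN: nothing prevents loading"
    return {"blacklisted": name in blacklisted, "install_blocked": install_blocked,
            "loaded": loaded, "verdict": verdict}


if __name__ == "__main__":
    for label, conf, mods in (("weak", WEAK_CONF, PROC_MODULES_CLEAN),
                              ("hard", HARD_CONF, PROC_MODULES_CLEAN),
                              ("hard but already loaded", HARD_CONF, PROC_MODULES_LOADED)):
        print(f"{label}: {usb_storage_status(conf, mods)['verdict']}")
```

Check the `uas` module as well as `usb-storage` on anything recent; a USB Attached SCSI device binds to the other driver and a rule for one alone leaves the port usable.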

    10. Re:A little epoxy will fix that right up. by serialdogma · · Score: 0, Redundant

      You can disable drivers in windows also, you know. It only requires you to be an administrator and know how to use regedit.

    11. Re:A little epoxy will fix that right up. by sedgy · · Score: 1

      I am concerned they may be coming for my briefcase and rucksack next. What can I do? ;) Walk to work naked... nah, that could get worse. sedgy

    12. Re:A little epoxy will fix that right up. by welshie · · Score: 1

      and the serial port.. Even Windows still comes with something that can do x/y/z modem and Kermit.

    13. Re:A little epoxy will fix that right up. by v1 · · Score: 2

      My manager at the last place I worked at used to work at a bank, and he was rather against my taking my laptop to work. But this was not a well funded IT department, and about once a month we'd need to do something that we didn't have the capability to do. (like clone a 20mb proprietary formatted SCSI-2 HD from the phone switch) Then I'd bring back in the laptop and I'd be good for hassle-free laptop use for about another month before he'd start grumbling again. And then something else would come up and reset the clock again.

      Not that we had anything that critical or sensitive where I worked, but I always found it silly to bar someone from bringing in their laptop. Common sense tells you not to put anything sensitive on the computer, since the only reason for that is probably to work at home, and I don't get paid to work at home so why should I. And getting back to parent's point, if it's an issue of trust, why would you have someone working in a position of trust that you do not trust? If someone has access to very sensitive information, either you are going to have to body cavity search them every day or they are going to find a way to sneak out your data if they have a mind to do it. Data security in the workplace is a bit like a padlock - it keeps honest people honest and stops casual theft, and is absolutely worthless against a dedicated thief, and has to be taken to a great extreme to approach 100% effectiveness.

      Strangely, at the time I had a 512mb flash drive, (huge for the time) and he never said a word about it. Guessing he didn't realize what it was or how it could be used, or he would have badgered me about that also.

      Although I do see their point. They're paying you for your time, and if the pointy haired boss makes silly rules that reduce your efficiency and result in you accomplishing less work per day, they are paying you for that unproductive time so I suppose they are the ones being negatively impacted by their actions rather than you, so let them go for it. As long as they don't combine that with harping about your poor productivity, or pay you based on productivity.

      --
      I work for the Department of Redundancy Department.
    14. Re:A little epoxy will fix that right up. by v1 · · Score: 1

      /System/Library/Extensions/IOUSBMassStorageClass.kext /System/Library/Extensions/AppleStorageDrivers.kext/Contents/PlugIns/initioFWBridge.kext

      Rename those two on a mac. External USB and firewire storage devices, such as hard drives, digital cameras, USB flash drives, etc will no longer attach. CD ROM drive still works though, but that's easily locked out via the system preferences.

      But then you just get into a technology war. Someone can bring in an external hard drive.

      So then you enable an open firmware password and lock the boot device.

      And then they can shuffle memory and reset the OF password.

      So then you padlock the cases.

      And so it never really ends. Summarizing grandparent, physical access = 0WN3D

      My point here would be, if you are having to take several levels of action to stop your employees from doing something you don't want them to do, why did you hire them?

      --
      I work for the Department of Redundancy Department.
    15. Re:A little epoxy will fix that right up. by jimicus · · Score: 3, Interesting

      Not that we had anything that critical or sensitive where I worked, but I always found it silly to bar someone from bringing in their laptop.

      There is logic in it, if you think about it from a "corporate IT putting out a blanket rule" perspective.

      That rule that applies to you also applies to Sharon, a blonde hairdresser by trade who's just taken a second job in the bank to supplement her income.

      Sharon has a laptop of her own, and wants to bring it on so she can get on the Internet in her lunch hour - after all, she's not allowed to use company computers for personal web surfing.

      Unlike yourself, Sharon's never heard of virus scanning (well, she has, but she was checked by her doctor when she started seeing her new boyfriend, so that's all right). She thinks spyware is the name of the next James Bond film.

      Now the bank has a number of business critical systems running Windows. Perhaps unsurprisingly, Auto Update is disabled. This is because, despite Microsoft's best efforts, such updates occasionally break things. Instead, updates are trialled on a test network and then, following a change control procedure, are applied. This procedure takes a while, so at any one time most of the critical Windows systems can be a good few weeks behind on patches. This rises when testing reveals problems, and it rises even further when the system in question was built and maintained by an outside company - their update, assuming they provide one in a reasonable timescale, is subject to the same test requirements and change control as a Microsoft update.

      Meanwhile, Sharon's PC, which is swimming in spyware, trojans and viruses, is merrily scanning the network for vulnerabilities.

      I don't think I need to spell out the rest...

    16. Re:A little epoxy will fix that right up. by LurkerXXX · · Score: 1

      True. I don't know if they went so far as to epoxy the serial and parallel ports or not. However, I think one of the other reasons they sealed off the USB/firewire was to prevent uploads of stuff as well as downloads of sensitive data. I think with USB ports sitting around they thought people might be too tempted to upload their MP3 collection, favorite game, etc, and of course whatever accompanying trojan/virus/spyware they were infected with at home and didn't know about (or worse, were trying to hit the company with, sneaking around the firewall/email-filter). Someone would have to be seriously bored out of their minds to try to upload their games/MP3's using Kermit. ;)

    17. Re:A little epoxy will fix that right up. by xMilkmanDanx · · Score: 1

      Lock the case so that it takes bolt cutters or some equally destructive method to get inside. That and some cameras so the person who broke the case is on disk. Intrusion detection can also work though has a whole set of its own problems.

    18. Re:A little epoxy will fix that right up. by Anonymous Coward · · Score: 0

      Even if every USB orifice is unusable, a Compact Flash/IDE adapter will plug in easily. Boot from it, 0wn the hard disk without running the OS, remove it, clear any case intrusion messages/clear CMOS, and you are off to the races.

    19. Re:A little epoxy will fix that right up. by xMilkmanDanx · · Score: 1

      Summarizing grandparent, physical access = 0WN3D

      Unfettered access yes, but barriers have to be looked at like static defenses. A wall doesn't stop people, it just slows them down. You have to have active defense to complement the wall. Intrusion detection, cameras, security personnel such that the slowed access is enough to allow response from people.

      My point here would be, if you are having to take several levels of action to stop your employees from doing something you don't want them from doing, why did you hire them?

      Because IT personnel, with the notable exception of the BOFH, don't usually have a say in who gets hired/fired?

    20. Re:A little epoxy will fix that right up. by Anonymous Coward · · Score: 0

      My manager at the last place I worked at used to work at a bank, and he was rather against my taking my laptop to work.

      And he should be against it, unless it's not going to be connected to the network or exchange data with company computers in any way. The bank undoubtedly uses virus scanning and other security measures on their machines, and your personal laptop may bring in unexpected problems. Stop thinking like a loose cannon and look at the bigger picture.

    21. Re:A little epoxy will fix that right up. by bitslinger_42 · · Score: 1

      In addition to what jimicus said, there are lots of issues that lead to such a policy.

      For example, there are the support issues. If my company has selected Word Perfect as the standard word processing application and I decide to write all my documents in MS Word, then there are going to be problems getting a clean translation from one format to another. Additionally, large companies in particular have standard desktop loads that include diagnostic software. If I call the help desk about a supported application but the help desk doesn't have access to the diagnostic software, then the cost of diagnostics goes up and my productivity goes down.

      Also consider licensing considerations. Most software licenses, even site and enterprise licenses, do not include provisions to install such software on computers not owned by the licensee. While such agreements do exist, they are invariably much more expensive than the standard. Furthermore, I'm sure that the Business Software Alliance (BSA) would love to include that downloaded version of Doom III in the software audit, just the same way that the RIAA would love to sue Big Company X for music piracy since they have so much more money than Joe User.

      Privacy laws might also come into play. Many companies, particularly American ones, have policies that explicitly state the company can read anything on their assets. In the US, privacy of employee-owned laptops probably isn't a problem given the complete lack of regard individual privacy has here, but in Europe, it may not even be possible for the company to review log files on the company-owned laptop without the employee's permission. This gets even worse for the company if they do not own the asset at all.

      In the end, there is such a myriad of issues associated with non-company computer systems, that it is significantly better to have a policy that outright forbids them than it is to try and come up with enforceable rules that make every employee happy all the time.

      Oh, yeah. I forgot that most employment in the US is at-will. If you don't like the rules that your employer has, convince them to change the rules, find another job, or get over it. Believe it or not, it isn't up to the employees to decide which rules to follow.

    22. Re:A little epoxy will fix that right up. by ckaminski · · Score: 1

      HP and others are starting to get into remote desktops, where the computers are stored in a secured area, and keyboard mouse and video are projected over cat5 to a break-out box on the users desk. No physical access to the hardware anymore. It's only a matter of time where this becomes more prevalent. For an extra $150-200 per head, this isn't all that bad a cost in the right environment. You could use Belkin KVM extenders today to perform the same task.

    23. Re:A little epoxy will fix that right up. by Anonymous Coward · · Score: 0

      Also, on Server 2003 you can extend Group Policy with an ADM that will let you disable USB.

      Microsoft's How-To: http://support.microsoft.com/default.aspx?kbid=555324

    24. Re:A little epoxy will fix that right up. by Anonymous Coward · · Score: 0

      Hmmmm, you mean like terminals? No? This must be some krazy new idea?

  9. We already hear about it by TheAxeMaster · · Score: 5, Informative

    The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand) and may or may not have been properly protected. I think that qualifies as pretty serious data loss, and it didn't need a flash drive to happen.

    Will it be more prevalent? Maybe. But it already happens. Now, the question is, is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something? I think that will be the most logical step to protect small drives like these.

    1. Re:We already hear about it by networkBoy · · Score: 4, Insightful

      That is data loss (the notebook), assuming no backup. The idea of removing a _copy_ of the data is not loss, it is theft. A bit of distinction but important. I will notice data loss, not likely to notice the theft though.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:We already hear about it by anagama · · Score: 3, Insightful

      I see it not so much as "loss" or "theft". Both terms imply that the data no longer exists where it is supposed to be. Loss means it's gone completely, theft that it has been taken in a "move" like scenario rather than merely copied. It seems a more appropriate term for this type of situation would imply the existence of the data in its original location, and an unauthorized copy in an unknown location. This is much harder to detect because obviously, the original is still intact -- absence of the data is a big clue something is amiss. Maybe the best term is simply "unauthorized copy". In any case, the title misled me -- I was thinking about HD corruption of small areas leaving me unaware that some of my data may go missing.

      --
      What changed under Obama? Nothing Good
    3. Re:We already hear about it by RMH101 · · Score: 1

      1) "juristically"?
      2) "deprave"?
      3) Stealing data is still stealing. If someone's IP is contained within some electronic files, and you take a copy of it and infringe their IP: that's stealing. If you take a copy of someone's payroll info and use that to do ID theft on those people: that's stealing.

    4. Re:We already hear about it by rhsanborn · · Score: 1

      In the usual slashdot mantra...no, it's just copying, because you aren't actually having something taken from you, they are just making a copy...

      I think the tone of a 6 year old would make it far more clear that the above is parody, btw.

    5. Re:We already hear about it by johnw · · Score: 0, Redundant
      The idea of removing a _copy_ of the data is not loss, it is theft.

      Taking a copy of someone's data (even without their permission) is not theft. Theft has a very precise definition and the fact that you've only taken a copy means it can't be theft. You'd have to take the owner's only copy (or copy the data and then erase the original) for it to be theft.

      This incidentally is why F.A.C.T. and F.A.S.T. are both very badly named.
    6. Re:We already hear about it by Ditiris · · Score: 1

      Most laptops have an option in the BIOS to encrypt the disk with a password that must be entered on boot-up.

      Most Operating Systems have a way to encrypt any folder on a disk so that the contents are, well, encrypted.

      Not a whole lot of reasons why your laptop shouldn't have already been protected.

    7. Re:We already hear about it by Anonymous Coward · · Score: 0

      I'm sick of people mixing this up. When you copy something that you don't own, it's copyright infringement, not THEFT! To be theft, you have to physically steal a CD.

    8. Re:We already hear about it by Anonymous Coward · · Score: 0

      The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand)

      What was personnel info of 10K people doing on a laptop in the first place? It's not a PPT presentation or PDF product brochures you take with you on the road.

    9. Re:We already hear about it by Cromac · · Score: 1
      The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand) and may or may not have been properly protected. I think that qualifies as pretty serious data loss, and it didn't need a flash drive to happen.

      Do you work for Boeing (rhetorical, it doesn't really matter)? They recently had a laptop stolen with information on 161,000 employees on it. I think you're right, mandatory encryption of corporate drives will probably be the next big step. Not perfect, but better than nothing.

    10. Re:We already hear about it by Proteus · · Score: 1

      is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something?

      TrueCrypt is a Free/OpenSource project for Windows and Linux that allows you to encrypt removable devices (and create files as encrypted volumes) easily, and with your choice of open and well-tested algorithms (including AES).

      I use this with great success, and would recommend it for Enterprise use in a heartbeat. I have no association with the project, I'm just a thrilled user.

      --
      We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
    11. Re:We already hear about it by winwar · · Score: 1

      "I see it not so much as "loss" or "theft"."

      Actually theft might be a good term in this case. Because if the person removing it didn't have authorization to do so it would be theft. Considering the value, possible felony theft.

      This isn't like downloading something for free that you could have bought. It wasn't for sale at all....

    12. Re:We already hear about it by HiThere · · Score: 1

      Are we talking about the portable computer? Then, yes, it's theft. Otherwise?? Copyright violation? (Remember now all the stuff that gets created is automatically under copyright, even if you don't do anything at all to protect it.)

      I'm even uncomfortable with the term "data loss" since that also seems to imply that the original version has been removed...as in a system that crashes without a backup experiences data loss.

      Ron Goulart uses the term "siphoning" for this kind of action, but nobody else seems to have picked up on this, and I don't KNOW of any generally accepted term that hasn't been chosen for spin value. (Pirating? Nahh. Too much spin. Theft? That implies the original isn't there any more. Copying? Good, but doesn't imply the lack of permission.) OK. Let's pick a neutral term that has an analogous meaning...but is clearly not used in this context. Siphoning sounds good.

      def: siphon v. to remove a copy of something without alerting the apparent owner. (ref: Ron Goulart, esp. his "Odd Jobs" series e.g., "Steranko the Siphoner")

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    13. Re:We already hear about it by anagama · · Score: 1

      Siphoning isn't terrible, but it isn't perfect either. For (awful car) example, if I siphon gas, I get some and the owner has some but neither of us has all of it. With a data copy, the original owner has all of it and the person who copied it has it all too (appropriate assumptions of course). What about spy words -- what is it called when a James Bond type uses a microcamera to snap pictures of secret government plans? That's what this is like -- without the bow ties, martinis, hot chicks, and microfilm. Just a geek and a flash drive ... still, the spy world should supply the right term ... I just don't know what it would be.

      --
      What changed under Obama? Nothing Good
  10. Uh, you can turn off USB drive access in Windows.. by EvilMagnus · · Score: 5, Informative

    It's been present ever since Windows 2000 - if a company is worried about data loss via USB drives and the like, it's possible to disable access to USB drives using regular Windows security templates.

    What the article probably meant to say is that sloppy security practices, combined with increasing personal storage, increases the risk of unknown data loss.

    You can lock down a Windows box just fine against casual and accidental leaks if you know what you're doing, and you have a corporate policy to enforce. You can even prevent deliberate attempts at data theft, if you really want to be a hardass.

    --
    -EvilMagnus
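    The lockdown described in the comment above, as an added example that is not part of the original post. The first method disables the USBSTOR service, which is the approach Microsoft documented for Windows 2000 and XP; the second uses the Removable Storage Access policy keys introduced with Vista, which can deny writes while still allowing reads. The registry paths and the removable-disk class GUID are the standard ones, but check the GUID against the ADMX on your Windows version; the values are written directly to one machine here, whereas in a domain the same settings go out through a GPO.

```powershell
# Added example (not from the original comment). Two ways to stop removable
# storage on a Windows host, applied directly to the local registry.
# Assumptions: run in an elevated PowerShell; in a domain you would push the
# same values through Group Policy instead of touching each machine.

# 1) Disable the USB mass-storage driver: Start = 4 means "disabled".
#    Flash drives, card readers and most external disks use USBSTOR and will
#    no longer enumerate; HID devices (keyboards, mice) are unaffected.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# 2) Finer-grained: the Removable Storage Access policy (Vista and later).
#    This is what the GPO setting "Removable Disks: Deny write access"
#    writes; reads still work, so a stick can bring data in but not take
#    it out.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUID the policy uses for "Removable Disks" (the volume
# interface class). Verify it against the ADMX on your Windows version.
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$policyKey = Join-Path $policyRoot $removableDisks
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name Deny_Write -Value 1 -Type DWord
# For a full block (no reads either), also set:
# Set-ItemProperty -Path $policyKey -Name Deny_Read -Value 1 -Type DWord

# 3) Verify the settings took. A reboot or re-plug is needed before the
#    USBSTOR change affects devices that are already mounted.
function Test-RemovableStorageLockdown {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    $deny  = (Get-ItemProperty -Path $policyKey -Name Deny_Write).Deny_Write
    [pscustomobject]@{
        UsbstorDisabled = ($start -eq 4)
        WriteDenied     = ($deny -eq 1)
    }
}
Test-RemovableStorageLockdown
```

    Two caveats a practitioner will want: both settings cover the USB mass-storage class only, so a phone in MTP mode or a camera is a different device class (WPD) with its own policy entries; and a user with local administrator rights can simply set the values back, so "if you know what you're doing" includes not handing out local admin.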
  11. Is TFA confused? by karmaflux · · Score: 1

    Does the author think "data loss" is a synonym for "unauthorized copying"? These companies had better hire some data recovery experts!

    --

    REM Old programmers don't die. They just GOSUB without RETURN.

  12. What about laptops? by Geekonomical · · Score: 2, Insightful

    Giving employees laptops is very normal now considering it helps them to work from home / while in travel.

    Can't they move huge amounts of data with these things?

    What else can you ban? Enforcing policy != banning stuff.

  13. Re:It's not the theft they're worried about by halcyon1234 · · Score: 5, Insightful
    To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

    It isn't the theft of data that TFA is really concerned about.

    The real threat comes from actual LOST data. With portable storage media getting bigger and bigger, more and more data can be put on it. Including massive amounts of spread sheets and even databases. (I worked for one company that insisted on keeping a sensitive database on USB keys, to be sneaker-netted around to whoever needed it).

    Top that off with more and more USB keys floating around the office. Sure, right now, not every employee has one. Or, at best, every employee has just one. But it is becoming more and more prevalent to have "unowned" keys. In other words, a company buys a crapload, and people just grab whichever key is available at the moment to use.

    Soon, people will treat USB keys like they treat floppy disks; there'll be a big pile of them, and employees will just grab one as they need it.

    Because of this casual attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spread Sheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.

    There's no guarantee that the employee will blank out the key. There's no way of tracking which data is on which key. So an employee might check out a key that has data on it that isn't theirs. There might be hundreds of files on the key. Who knows. They don't. They won't care, either. They'll just copy their files over, work on them, copy them back.

    So, each key has tons of data on it. If someone were to ask the CFO "Show me all copies of Sensitive Spread Sheet 5", they couldn't.

    Now, one employee checks out a key. They treat it just as casually as they would a floppy disk. They lose it somewhere. (Falls out of their pocket, gets left on the bus, etc). Now, a floppy disk might have just a tiny amount of information on it. A few documents. A couple spreadsheets. A USB key could have an entire database! Someone picks it up, and suddenly has the bank information for all the company's employees...

    That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it.

  14. "What other data has been lost?" by Anonymous Coward · · Score: 0

    I have far more concern about data theft and misuse, by corporations, than I do about data being "lost".

    The article seems to be another component in the wave of misdirection of attention away from corporate misdeeds and crimes towards an unfortunate, short-sighted, and inappropriate focus on what appears to be minor transgressions of a few individuals.

    When a few credit-card billing agencies, colleges, and others routinely lose millions of records at a pop, I am comparatively unconcerned about Joe or Sally copying a CIF. And those "few", above? They're only the publicised ones, Cthulhu knows how many cases are kept quiet.

    I suspect, however, that the irreversible damage has been done, that the association has been made in the minds of the public and law-makers, and soon enough the use of such drives will be made illegal. And when USB flash drives are criminalised, only criminals, no, wait, I mean, you can have my USB flash drive when you pry it from my cold, dead...

  15. Encryption by nolife · · Score: 3, Interesting

    Of course getting the users to actually use encryption is another story...

    TrueCrypt works pretty good for these situations and it comes with an open source license. The forums contain a lot of tips and tricks for using the application in odd ball situations.

    Not affiliated at all, just a satisfied user.

    --
    Bad boys rape our young girls but Violet gives willingly.
    1. Re:Encryption by William+Robinson · · Score: 0
      Encryption cannot be the solution to this, because, (I understand) the discussion is about employees themselves copying data 'they have legitimate access to'.

      Securing data against piracy or stealing data by authorized users is much more difficult than securing against unauthorized users.

    2. Re:Encryption by Computeradam · · Score: 1

      I thought that when you move an encrypted file in to a FAT file system, it becomes decrypted ..because FAT doesn't support encryption. is that true?

    3. Re:Encryption by jilles · · Score: 1

      Most encryption solutions suffer from obscurity and severe usability issues. Educating users who neither know nor care about encryption has always been the primary obstacle to getting people to use encryption (which is why most users have never ever heard of pgp and would be clueless if you sent them your public key). So hard disk encryption works because it works transparently (if you set it up for your users), email encryption doesn't work because the user has to mess with keys, which he/she won't do. Encrypted usb sticks will work if you can guarantee they work everywhere and that no unencrypted sticks are used. Both of which are pretty much very hard to guarantee or enforce.

      USB sticks are just plugged in and are pretty much guaranteed to be not encrypted. Mobile phones present similar difficulty. Most phones have poor customizability and security. In fact users are quite creative in finding workarounds for security obstacles. The primary use case for usb sticks is getting to your data outside the company when disconnected from the intranet/workstation for whatever reason (at home, at a customer, a conference, ...). So precisely when security is most important, security measures force users to resort to insecure means of getting to their data. Because you set up some unusable vpn, the user will just use the usb stick instead of spending five minutes of presentation time to get the vpn going. Much easier.

      So the solution is to reduce the need for transmitting data insecurely: make sure the user can get to his/her files securely in an easy fashion anywhere, anytime. The consequence of not doing so is the risk of users using hotmail, a usb stick or other insecure means to get the data where they need it (and they decide where that is, not you). Security can actually be counter productive if your users have to work around it and do so routinely.

      --

      Jilles
    4. Re:Encryption by jridley · · Score: 1

      Uh, are you joking? I'm guessing you are. Data is data.

      If that were true, the NSA wouldn't have to spend billions on decryption hardware, they could just copy the encrypted files to a FAT volume.
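      The question a few posts up turns on where the encryption lives, and this added check (from the editor, not from either poster) makes the distinction visible. Windows EFS stores encryption as a file attribute on NTFS: any process running as the key holder reads plaintext, and a FAT volume has no such attribute, so a copy that lands there is plaintext (Explorer warns that the destination does not support encryption; xcopy needs its documented /G switch to allow it). A container volume of the kind TrueCrypt creates is just ciphertext bytes and stays ciphertext on any filesystem. The function reports the EFS attribute and a byte-entropy estimate of the content as this process reads it; all paths in the usage comments are placeholders.

```powershell
# Added example (not from either poster). Reports whether a file's encryption
# is a file-system attribute (Windows EFS) or lives in the content itself
# (a container volume). Assumptions: run as the user who holds the EFS key;
# the paths in the usage comments are placeholders.

function Get-EncryptionKind {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path

    # EFS: the Encrypted attribute is set on NTFS and the OS decrypts
    # transparently for the key holder. The attribute cannot exist on FAT.
    $efs = $item.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)

    # Content check: Shannon entropy of the first 64 KiB as this process
    # reads it. Ciphertext (and compressed data) sits near 8 bits/byte;
    # an EFS file read by its owner shows the entropy of the plaintext,
    # because the read already decrypted it.
    $buf = New-Object byte[] 65536
    $fs  = [System.IO.File]::OpenRead($item.FullName)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    $entropy = 0.0
    if ($n -gt 0) {
        $hist = New-Object int[] 256
        for ($i = 0; $i -lt $n; $i++) { $hist[$buf[$i]]++ }
        foreach ($c in $hist) {
            if ($c -gt 0) { $p = $c / $n; $entropy -= $p * [math]::Log($p, 2) }
        }
    }

    [pscustomobject]@{
        Path                  = $item.FullName
        EfsAttribute          = $efs
        EntropyBitsPerByte    = [math]::Round($entropy, 2)
        ContentLooksEncrypted = ($entropy -gt 7.9)
    }
}

# Usage (placeholder paths):
#   Get-EncryptionKind 'C:\secure\payroll.csv'  # EfsAttribute True, low entropy: the attribute is the protection
#   xcopy /G C:\secure\payroll.csv E:\          # /G: allow an EFS file onto a destination without encryption support
#   Get-EncryptionKind 'E:\payroll.csv'         # EfsAttribute False, same low entropy: a plaintext copy
#   Get-EncryptionKind 'E:\vault.tc'            # EfsAttribute False, entropy near 8: the container stays opaque
```

      The entropy test is a heuristic, not a proof: a zip-based format such as .xlsx also scores near 8 bits per byte, which is why the placeholder is a .csv. The reliable signal is the attribute: if the only thing standing between the bytes and an attacker is an NTFS attribute, the protection does not travel with the file.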

    5. Re:Encryption by jridley · · Score: 1

      Yup, I deal with live tax returns by the thousands per day. Both my data hard drive and my GB thumb drive are just a big truecrypt volume. The only thing in the root of the thumb drive is a TC vol, and truecrypt software.

      When I buy a thumb drive, if it comes with encryption software, first thing I do is erase it and replace it with TrueCrypt. It's unlikely that whatever proprietary crud they give you has been looked at by as many eyeballs as the TC source. Also I can give it away, and use it on other machines without fear of license breach or infesting someone else's machine with crap.

  16. not just USBs.. by dotpavan · · Score: 3, Informative

    I remember a similar article here discussing the usage of portable gadgets at workplace, like iPod, camera cell phones, etc and many stated that their workplace does not allow such gadgets in "certain" areas, and they had to actually check them out before entering the premises..

  17. sneaker net by opencity · · Score: 1

    IMNA professional IT guy but ... My prediction is more and more companies will physically segregate their networks, from the interweb and from their internal systems. Of course the Peter Principle implies that a lot of stupid stuff will happen before during and after.

    --
    Physics is like sex: sure, it may give some practical results, but that's not why we do it.
  18. Re:Obligatory Re:data has walked out the door befo by 1u3hr · · Score: 2, Interesting
    The first few posts on Slashdot are so mind numbing.

    Well, the whole topic is. "People can steal data with USB drives!" News? Ten years ago I was stealing data with floppies. Copied a whole mailing list. (Didn't use the parts I wasn't supposed to, it just simplified things to have the whole thing.) Most "secret" data is basically text, you can fit hundreds of pages onto a floppy.

    Anyway, it's impossible to prevent people bringing in floppies, let alone USB dongles. If it bothers you, just open the cases and disconnect any USB sockets. (Use AT keyboards and mice, still easy to get.)

  19. And in Soviet Russia by Anonymous Coward · · Score: 3, Funny

    And in Soviet Russia...
    When you go missing, will your data even know?

    1. Re:And in Soviet Russia by Darth_brooks · · Score: 2, Funny

      Ask any of the servers I manage. My data definitely knows when I go missing.

      They know when I leave, and they definitely know when I go on vacation. Or when I want to leave early......

      --
      There are some people that if they don't know, you can't tell 'em.
    2. Re:And in Soviet Russia by TubeSteak · · Score: 1

      Now that they know, that you know... be prepared for a shift in tactics.

      --
      [Fuck Beta]
      o0t!
  20. Limit access by Xiroth · · Score: 1

    When it comes to valuable databases and such, it's best to keep them on a remote-access-only server, and only allow the data to be accessed in controlled ways. Then, typically, it's trivial to disable mass-export for everyone except those who might need it (usually just sysadmins). While, technically, this doesn't stop someone from going through by hand and recording everything, this does make it much more time-consuming and more obvious in logs.

  21. auditing by BrynM · · Score: 4, Interesting

    Auditing of a filesystem is the best way to go here, IMHO. Drives are getting bigger, so capacity for log storage grows too. Currently you can set most filesystems that have granular security to audit file access, writing, creation and deletion. Perhaps there is some way to audit target actions ("copied to removable drive X", "opened by Microsoft Word") that will be developed eventually. Personally, I log access to important files as a matter of habit (mostly with NTFS). I've also found that the bigwig execs love it when you tell them you can see who tried to look in their directory.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
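    The NTFS auditing described in the comment above, together with the "mass export shows up in the logs" point from the Limit access post a little earlier, as an added example that is not part of either comment. It puts a SACL on one sensitive folder rather than the whole system root, reads back the resulting 4663 object-access events, and flags any user who opens an unusual number of distinct audited files in a short window. The folder path, group scope and thresholds are placeholders; the event ID and its EventData field names are Windows' own.

```powershell
# Added example (not from the original comments). Selective NTFS auditing of
# one sensitive folder, a reader for the resulting events, and a bulk-access
# heuristic. Assumptions: run elevated (Set-Acl on a SACL needs the
# "Manage auditing and security log" privilege); 'D:\Finance\Sensitive' is a
# placeholder path; the thresholds are illustrative.

# 1) SACLs do nothing unless object-access auditing is switched on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2) Put an audit rule on the folder only, inherited by its contents.
#    Auditing the whole system root is what fills a server's event log
#    and CPU; audit the directory that holds the spreadsheets.
$folder  = 'D:\Finance\Sensitive'
$acl     = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3) Read back who touched what. Event 4663 is "an attempt was made to
#    access an object"; its EventData carries the user, process, access
#    mask and object name.
function Get-SensitiveFileAccess {
    param([string]$PathPrefix = 'D:\Finance\Sensitive', [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$PathPrefix*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Access  = $d.AccessMask
                File    = $d.ObjectName
            }
        }
    }
}

# 4) Bulk-access heuristic: one user opening many distinct audited files in
#    a short window looks like "copy the folder to a stick", not normal work.
function Find-BulkAccess {
    param([int]$MinFiles = 50, [int]$Hours = 1)
    Get-SensitiveFileAccess -Hours $Hours | Group-Object User | ForEach-Object {
        $distinct = @($_.Group.File | Sort-Object -Unique).Count
        if ($distinct -ge $MinFiles) {
            [pscustomobject]@{ User = $_.Name; DistinctFiles = $distinct; WindowHours = $Hours }
        }
    }
}

Get-SensitiveFileAccess | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
Find-BulkAccess
```

    What this does and does not give you: a 4663 event records that a file was opened and by which process, not where the bytes went afterwards, so "copied to removable drive X" still has to be inferred by correlating the open with a device event (on Windows 10 and later the Audit PNP Activity subcategory logs event 6416 when an external device is recognized). Keep the events off the audited machine by forwarding them (Windows Event Forwarding, or the log server mentioned in the reply below), since the Security log on a busy file server rolls over quickly and a user with admin rights can clear it.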
    1. Re:auditing by paulhar · · Score: 1

      Try turning logging on in Windows for all files when you've got a few million of them. You won't have a storage logging space problem - you'll have a maxed out server problem.

    2. Re:auditing by BrynM · · Score: 1
      Try turning logging on in Windows for all files when you've got a few million of them. You won't have a storage logging space problem - you'll have a maxed out server problem.
      I wasn't endorsing blanket logging. Selective logging is the way to go, but it's not foolproof. The thing is, someone needs to really consider what needs to be logged and log storage for any real security to work. In the mainframe world, some companies even have a person dedicated to this and monitoring the logs.

      With the use of a log server, I've seen auditing turned on for the whole $SYSROOT$. It can be helpful for a server that is very important, but must be done with care. There are Windows remote logging applications available even though MS doesn't implement it fully to my knowledge. Under *nix, it's a no brainer because remote logging is thought of from the earliest days.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    3. Re:auditing by Archtech · · Score: 1

      But there are tradeoffs here, as always.

      Shortly after the ACL mechanism in the VMS filesystem was enhanced, giving much greater (optional) granularity, I was sent to diagnose a server that was grinding to a halt. The problem was due to the disks filling up rapidly, because the company's security folks had gone to town and set ACLs on just about everything. What with the extra header space, and the logfiles, they increased their disk space requirement by about 50 percent.

      That wouldn't happen nowadays, unless someone was foolishly mean about buying disk space, because it is so cheap. But massive security checks also consume lots of processor cycles, which are less cheap. Worst of all, the more elaborate anything gets - including a security scheme - the more likely it is to contain mistakes and inconsistencies itself.

      --
      I am sure that there are many other solipsists out there.
  22. It'll be okay... by flashfiasco · · Score: 1

    we're all planning to have RFID embedded in every device by 2010 anyway, right? The 'end of theft' should include thumb drives as well.

    1. Re:It'll be okay... by rcpitt · · Score: 1
      Yours might be in your thumb, butt some are in other places - are you going looking?

      Personally I'd rather know that it's been used and let the experts go looking for it :)

      --
      Been there, done that, paid for the T-shirt
      and didn't get it
  23. Minox Baby!!! by RexRhino · · Score: 4, Funny

    No one is gonna stop us from taking pictures of our computer screens with little East German cameras! Old school style!

    1. Re:Minox Baby!!! by Kjella · · Score: 1

      No one is gonna stop us from taking pictures of our computer screens with little East German cameras! Old school style!

      You can bet the MPAA will try. Haven't they already been experimenting with cameras that'll refuse to record video with embedded markers?

      --
      Live today, because you never know what tomorrow brings
  24. Espionage? by typical · · Score: 1

    I read an interesting article that pointed out that data secrecy isn't really worth all that much. It might have been Paul Graham or Joel Spolsky -- not sure. Basically, startups are always running around having people sign NDAs left and right -- but, honestly, their idea is probably nothing that crucial -- that'll buy them some market lead, but it's not going to make them stunningly rich. What matters is whether or not they can manage to compete after their competitors introduce competing products.

    I'm sure that we can all think of worst-case scenarios that are pretty scary, but honestly, does your company pay you to engage in data espionage against other companies? How likely do you think it is that your counterparts at another company are being paid to engage in data espionage?

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
    1. Re:Espionage? by shmlco · · Score: 1
      Yeah, client and mailing lists that often have cost millions of dollars to build are worth nothing. Databases full of personal information, SSNs, and credit card numbers are worth nothing. Server and application passwords are worth nothing. Medical patient data is worth nothing. Engineering and research data is worth nothing. Corporate documents discussing contracts, bids, and potential mergers are worth nothing.

      While your NDA regarding an online pet food store promoted by a sock puppet may be worth little (or nothing), there's plenty of data out there that is. Heck, tell me that if you had a personal USB thumb drive with text files containing your bank account numbers, passwords, and other data, and it went missing YOU wouldn't be just a little worried about what someone might do with it?

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  25. No, most of the posters here are confused. by mh101 · · Score: 1

    TFA is about losing or misplacing data because the USB drive it's stored on gets lost, not users stealing data as half the commenters (who obviously didn't RTFA) are talking about.

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    1. Re:No, most of the posters here are confused. by EzInKy · · Score: 1

      TFA is about losing or misplacing data because the USB drive it's stored on gets lost, not users stealing data as half the commenters (who obviously didn't RTFA) are talking about.

      Are you saying that the data is lost when it is copied to a usb device? Why don't they just deny write privileges to the source device to prevent deleting?

      --
      Time is what keeps everything from happening all at once.
    2. Re:No, most of the posters here are confused. by Rakishi · · Score: 1

      Yes, the COPY of the data on the usb device is LOST as in the company doesn't know where it is (or that it even existed in the first place). Let's say it contains people's credit card information, I hope you get why you wish to avoid "losing" such data.

    3. Re:No, most of the posters here are confused. by EzInKy · · Score: 1

      Yes, the COPY of the data on the usb device is LOST as in the company doesn't know where it is (or that it even existed in the first place). Let's say it contains people's credit card information, I hope you get why you wish to avoid "losing" such data.

      No, I still don't get it. If a company still has the data then they have not lost it and they only need to look on their hard drive to find it unless they were stupid enough to delete the files when they were copied.

      --
      Time is what keeps everything from happening all at once.
    4. Re:No, most of the posters here are confused. by lachlan76 · · Score: 1

      The problem is people who save stuff onto USB but don't leave a copy anywhere else. User Problem(tm).

  26. Security through Stupidity by Detritus · · Score: 2, Insightful

    Let's ban the automobile, 9 out of 10 bank robbers use them to escape from the scene of the crime.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Security through Stupidity by dpilot · · Score: 1

      More than that, for a moment...

      Remember the old days, when companies earned the loyalty of their employees?

      --
      The living have better things to do than to continue hating the dead.
    2. Re:Security through Stupidity by Idarubicin · · Score: 1
      Let's ban the automobile, 9 out of 10 bank robbers use them to escape from the scene of the crime.

      Better yet, let's ban the use of bad analogies in Slashdot posts....

      --
      ~Idarubicin
  27. Since 3/4 of you aren't going to RTFA... by mh101 · · Score: 3, Informative

    From reading the comments, it's obvious that most of the posters haven't RTFAed. But what's new - this is Slashdot after all...

    So to clue you all in:

    The article is not about people stealing sensitive data from their workplace using their USB drives. The article is about people losing data, because they've lost the USB drive they had it stored on.

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    1. Re:Since 3/4 of you aren't going to RTFA... by MichaelSmith · · Score: 1
      The article is not about people stealing sensitive data from their workplace using their USB drives. The article is about people losing data, because they've lost the USB drive they had it stored on.

      I don't think the author of the article understands the difference. In all the environments I have worked in people keep their data primarily on servers with regular backups.

      Is there another world where important data is kept only on individual USB drives? Maybe, but that's news to me.

    2. Re:Since 3/4 of you aren't going to RTFA... by Anonymous Coward · · Score: 0

      I know I have had to teach our employees to put stuff on the server, and not on a floppy disk. Of course a floppy disk is a lot more vulnerable, and after the disk got ruined they learned very fast not to store stuff on a floppy disk.

    3. Re:Since 3/4 of you aren't going to RTFA... by v1 · · Score: 1

      Do you mean to focus on the issue of the data being lost and causing problems for the company because they no longer have the data, or to focus on the possibility that the data has fallen into the wrong hands, or the uncertainty of such an event having occurred?

      If the only place your important file exists is on a flash drive, you are being very careless. I can see how a person could lose a flash drive though - easy enough to set it on a desk somewhere or forget to pull it before leaving to work on another machine.

      As for data falling into the wrong hands, there are biometric usb drives available with thumb scanners built into their cases, for people that are paranoid about losing or having stolen their thumb drive with sensitive information on it.

      Also it's not very common to have a floppy go through the wash due to its size, but I have heard of several people laundering their flash drives. They're hard to dry out, and can fry if you try to use them while still damp.

      --
      I work for the Department of Redundancy Department.
  28. U.S. Military Rules. by Irvu · · Score: 1

    No, Nope, Nada.

    The U.S. Military has pretty direct rules for dealing with these things, don't bring them. While I would never want to see that enforced everywhere the simple fact of the matter is, that is the only foolproof policy (and even it isn't perfect). Unless companies are willing to be draconian, and can find people who'll a) put up with that and b) obey, then they will lose some data.

    While I fully expect some companies to try it I expect that some of them (the smaller, nimbler more sensible ones) will discover what many have about filtering e-mail/web access in the office. In general it costs more than it saves in sick days and general wasted money.

    1. Re:U.S. Military Rules. by Lehk228 · · Score: 1

      that is a terrible policy, it solves the problem by assuming rules will be followed. except the problem comes from people not following the rules and therefore solves nothing.

      --
      Snowden and Manning are heroes.
    2. Re:U.S. Military Rules. by Hunter-Killer · · Score: 2, Informative

      While I can't claim to be an InfoSec expert, I do work in the military (Army). I hope you're not inferring that flash drives are taboo because they might get lost. If this is true then CDs, floppy disks, and even paper printouts should be banned as well. This is not the case.

      For MSE at least, we maintain the concept of least privilege. Simply put, everything has a classification level, from unclassified/FOUO, confidential, secret, top secret, and up. You do not mix and match equipment with varying security levels. If a laptop is rated unclassified, it will not go on the SIPRNET (secure network). In addition, a device carrying sensitive information is classified at the highest level of the information (i.e., a CD-R burnt with Secret and Unclassified documents is now rated Secret, and will be handled as such.) This is how we protect data: determine the security rating, ensure that the boundary safeguards are respected, and treat all data in accordance with preexisting regulations.

      From my experience, flash drives are the most viable portable media aside from paper. When my unit deployed to Iraq in 2003, we discovered that: 1) floppy disks were rendered unreadable by heat/dust within two months, and that CDROM drives usually died after 6-9 months of exposure. The second time we deployed, key leaders (and friends of the supply sergeant :)) were issued flash drives. We had a few go bad, but the majority were damaged by abuse (donning body armor was the main culprit). Storage is cheap, and we had a secure network to transfer files. (sneakernet discouraged) Our biggest problem was the people interpreting the data. :)

    3. Re:U.S. Military Rules. by Irvu · · Score: 1

      By my commentary I meant private flash drives being brought into a secure environment. I didn't say that the military does not use such drives. They are, as you noted quite useful. Rather I meant that one cannot, by default, bring their own flash drive, iPod, etc. into a secure area (that is to say almost all military bases).

  29. A little epoxy buttplug will fix that right up. by Anonymous Coward · · Score: 0

    It's been a while since I've peeked into a white man's ANUS... Can't you disable diarrhea in the ANUS setup? Or is that dependant on the particular ANUS? Then you can just set an assplug to prevent access to the ANUS sphincter menus.

  30. The real issue leading to confused reporters by MikShapi · · Score: 3, Interesting

    Is the issue called trust. Specifically, towards people on the inside of your organization.

    It all boils down to "Do you trust your employees"?

    There are businesses that do, and there are those that don't.

    Those that do work on the assumption an employee will not do anything to harm the business intentionally - take a file he is exposed to during work and transfer it somewhere outside the organization.

    Hence, it will not take all measures required to prevent him from doing so.

    A business that does worry about such things will - What you carry will be checked at the door. Your PC will be locked (the case, physically locked). No Floppy, CD-R, USB, no means to connect media you bring from home. Internet access will be so restricted you wouldn't even be able to encapsulate an SSH tunnel over DNS packets you kindly ask your DNS server/proxy to send for you. And so forth.

    Pointing at a business where everyone has web access and a Dell sitting on his desk with 2 USB ports looking at him and saying "Hey, this guy can copy a confidential Word document onto the USB key" is hardly news, doesn't bother anyone in the first type of organization, and is usually a non-issue in the second (which would have taken excessive measures to prevent exactly this kind of thing).

    Nothing to see here, move along.

    --
    -
    1. Re:The real issue leading to confused reporters by gorim · · Score: 2, Insightful

      > Is the issue called trust. Specifically, towards people on the inside of your organization.
      >
      > It all boils down to "Do you trust your employees"?
      >
      > There are businesses that do, and there are those that don't.

      And then there are the smarter ones that recognize reality - that regardless of how much trust one gives, statistically speaking, someone will abuse that trust and walk off with data. The smarter businesses put appropriate mechanisms in place that both recognize and attempt to appropriately minimize the occurrence and resulting damage of these eventualities.

      I think it's called "trust without being stupid about it."

    2. Re:The real issue leading to confused reporters by 16K+Ram+Pack · · Score: 1
      As far as I'm concerned, there is no way to realistically block people from doing bad things with the data without creating a massive encumbrance on people and their work.

      The better policy is to deal with who has access to what data, and keep it to what they need for their job. For more sensitive data, limit it to a small number of highly trusted people.

    3. Re:The real issue leading to confused reporters by MikShapi · · Score: 1

      You're right of course. Trust within reason. No need to email the root passwords to your servers to the company's main mailing list.

      My point is, just as there's no point building a house with one wall missing yet locking the door, in the same manner there is no point preventing users from one avenue of connecting portable media to their office PCs without shutting down the rest of the avenues too - one method is enough for a person with malevolent intentions to swipe data away.

      It only makes sense if you do the whole shebang across the board, plus you don't mind boldly proclaiming to your employees that you don't trust them - quite an acceptable policy for a bank or financial institution, yet one that can seriously compromise the way employees look upon you as an employer in other, more relaxed environments, such as a high-tech company owned/run by geeks who value its atmosphere and it being a fun place to work.

      Most businesses weigh in the pros and cons of the mistrust approach and conclude it's plain not worth the hassle (and those that think it is worth the hassle typically have a good reason to think so.)

      What the article does is proclaim, in quite an infantile way, that "Your car can't carry 10 tons of cargo". The obvious answer to that is "Of course it can't - buying a TRUCK was not financially justifiable, I didn't need one, which is why I bought a CAR".

      If I may quote Homer Simpson,

      DOH!

      --
      -
    4. Re:The real issue leading to confused reporters by mce · · Score: 1
      There's trust and trust.

      Maybe you really can trust someone that he'll not consciously steal data. But in addition you need to trust him that he'll always have a copy of all important data on a disk that is backed up, coz' that USB stick of his might easily get lost. OK, so you know the guy and trust that he's competent enough to know why that matters. But then, do you also trust the IT staff that they will always accommodate his needs for storage space and will never force him to fall back to (permanent) emergency solutions?

      If you think the above cannot happen, try again. I actually know someone that I trust to the extent described above (and beyond). But I also know the bureaucracy of our IT staff and know first hand how much money they "charge" for providing 1GB of storage per year. It's ridiculous and it drives even the most competent people to the point where they store vital data on non-backed-up disks and hope for the best. Even the vast majority of our IT staff themselves know that this policy is crazy, but there's nothing they can do, coz' they don't run the shop either. Even their boss, who invented it, knows it. But he doesn't have any direct income from projects and still has to get all the money that he needs to run IT approved somewhere.

      In the end, unless you're a 2- or 3-person operation where you really know everybody (but even then), you have to (also) base the amount of trust you're willing to give on the assumption that there is always going to be someone somewhere who isn't worthy of more trust, for whatever reason.

      After all, there's a good reason why one should never attribute to malice that which can be adequately explained by stupidity, as the saying goes.

  31. Re:It's not the theft they're worried about by Artie+Dent · · Score: 1

    Companies will simply have to adopt extremely stringent policies for sensitive information. Now granted that employees can and will be careless regardless of policy, a strict policy of limited and catalogued copying of sensitive material (much like the government handles classified material) and severe enforcement of said policy would greatly reduce the risk to the company. While it's certainly much more dangerous with huge amounts of data, proper policy and education can manage the risk.

  32. Re:It's not the theft they're worried about by Anonymous Coward · · Score: 0

    There's no guarantee that the employee will blank out the key.

    1) Make it Company Policy. Enforce it by random checks.

    2) Make whoever is responsible for the 'pile of USB keys' (I.T., or the supply clerk, or whoever) wipe the incoming keys before making them available.

  33. No, it's the right word. by mh101 · · Score: 1

    Didn't RTFA, I assume?

    The article's about people having critical and/or sensitive files on their USB drive, and then losing it. As such, the files are lost as well. TFA is not about copying/stolen/pirated files.

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  34. Good idea. by deep44 · · Score: 2, Funny

    Hmm, interesting. I've always used my USB flash drive for sharing and copying music from major record labels; maybe I should pick up another one.

    keywords: P2P music napster free music

  35. Where I work by ishmaelflood · · Score: 1

    Your ideas make sense

    Where I work:

    They are removing cd drives and floppies from the leased PCs.

    No cameras are permitted on site

    No cameras in phones permitted.

    Users are users, not admins, generally. No access to bios menus.

    You can still email small files out, but those are traceable.

    Not allowed to use personal email (eg gmail) at work.

    They haven't figured out memory sticks yet

    Biggest problem I see is the theft of laptops from cars.

    1. Re:Where I work by hummassa · · Score: 1

      > They haven't figured out memory sticks yet

      This means that if any employee wants to run with their data, (s)he already did it, no?

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:Where I work by pnutjam · · Score: 1
  36. DRM is the solution by czmax · · Score: 1


    Look, I don't like DRM as much as the next geek. I wish I could put my legally purchased music onto a USB drive/MP3 player and listen to it without restrictions.

    But that isn't the point here. In this situation you have a corporation which owns the data and has a vested interest in controlling exactly which devices and equipment the files can be viewed/played/copied/edited/etc on. DRM is the appropriate solution.

    1. Re:DRM is the solution by rcpitt · · Score: 1
      You're the CTO - got the data and the key - problem?

      TFA is talking about the potential for loss given loss of a USB drive (thumb or whatever) that might or might not have been authorized to copy the original info. If authorized then chances are that DRM might have saved the info from exposure. If not (and today this is the most likely scenario) then whatever is on the USB drive is now public info.

      DRM is not yet widely used or even liked. And none of my customers use it for anything (and some are publishers)

      --
      Been there, done that, paid for the T-shirt
      and didn't get it
    2. Re:DRM is the solution by czmax · · Score: 1

      DRM, when done right, would imply that the key material isn't stored alongside the encrypted/protected data.

      If implemented by the corporate entity it would be possible to use DRM to both protect accidental exposure due to lost USB drives and 'leaks' from disgruntled employees.

      Yes, manual encryption etc. would go a long way; but how many employees could really be expected to pay attention to rules like that? And especially CTOs would be expected to ignore such things.

  37. Devices by gmuslera · · Score: 2, Insightful
    OK, bringing a (very hard to see) USB drive could be banned... what about cell phones? Banned too? PDAs? MP3/CD players? 10 years is a lot of time, and even whatever will be used to carry what could be your "personal ID" could potentially be used to copy sensitive data, I bet.

    Also, the network is everything; there are not so many totally isolated computers with critical data, and most networks have some or several points of contact with the internet, with encrypted traffic, and then it is hard to trace what is happening with the information.

    1. Re:Devices by kbielefe · · Score: 1

      I used to have unsupervised access to a classified area where non-camera cell phones were allowed, but two-way radios were not, which was inconvenient sometimes when I brought my handheld ham radio (HT) to work for some reason and wanted to leave straight from the lab. The kicker? There was a powerful military transceiver in the lab that had a wide frequency coverage, including being able to communicate unencrypted on the same frequencies as my HT.

      --
      This space intentionally left blank.
  38. Re:It's not the theft they're worried about by Nikker · · Score: 1

    As a company I think it would be no less than a wise investment to have a manufacturer make up a whack of keys that are write once - read once. The data can be verified (read) once within the same time frame as the write via onboard logic. After the next read the logic kills the memory to garbage and starts again.

    As well you could hardwire each employee's biometric sig/reader into each key and have a couple boxes made up that only they can use. Let them use them as needed and let them know that each one is pooched once copied or opened. Have a read/write lock to prevent a mishap. Mass produced each may cost as much as $40 each for "small" quantities but as a VP would you rather your employees that have to transport data use this or something else?

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  39. Easy fix by caller9 · · Score: 1

    Emphasize the importance of backup through normal or artificial means and outlaw "extraneous storage." Once they lose a file in "my documents" that hasn't been remapped to their H: drive. Kaboom, they are an unfit employee. If they use flash drives / other removable storage, woe be it unto them if you have reasonable auditing in place.

    What happens? Some dumb bastard stores 1.2 GB of Christian rock (no shit) mp3s on his personal H: drive. When those disappear you cannot imagine the silence at the helpdesk end of the phone.

    1. Re:Easy fix by Green+Salad · · Score: 1

      If they didn't want me to put my Christian Rock there, then why is there a folder labeled "My Music" in "My Documents" (emphasis on "My") Answer me that!

      Furthermore, I don't even *have* an H: drive, you silly man. I *only* store stuff in my documents folder, which I always keep stored on the upper left part of my screen and nowhere else!

    2. Re:Easy fix by caller9 · · Score: 1

      Hilarious. I think that covers the user viewpoint precisely. Good 1

  40. Re:Uh, you can turn off USB drive access in Window by Anonymous Coward · · Score: 0

    Then your mouse and keyboard wouldn't work ;)

    Seriously though, most new computers only have USB.

  41. The Rest © 1997-2005 OSTG. by Anonymous Coward · · Score: 0

    Looks like someone doesn't know what to do to keep from having to update copyright. Hint: it's 2006.

  42. Re:Obligatory Re:data has walked out the door befo by Trepalium · · Score: 1

    There's always the old fashioned way of stealing data, too. Printing it out.

    --
    I used up all my sick days, so I'm calling in dead.
  43. Why does mr. Jack Gold assume... by Anonymous Coward · · Score: 0

    ...that we don't have any policy? The same policy that covered floppy disks, magnetic tape, rewriteable CDs and punched cards or paper tape does also cover ANY other removable media.
    This is not a new problem; the only difference is the capacity of the media.

  44. Heh... by Cyno01 · · Score: 1

    Funny, a few hours ago my Fiance called me upset cuz she broke the USB drive i gave her for her b-day while she was vaccuming. Brushrollers caught the strap and yanked it right out, destroyed the usb port and smashing the drive itself. I guess it took out the vaccum to and that managed to set off the smoke alarm. Wish i coulda seen that, it sounded spectacular...

    --
    "Sic Semper Tyrannosaurus Rex."
    1. Re:Heh... by Anonymous Coward · · Score: 0

      Spectacular is your spelling.

  45. Data loss (no backup) or data theft (stolen disk)? by paultwang · · Score: 3, Informative

    For the first problem (Data loss due to lost or corrupted disks), which seems to occupy the majority of the article, the solution is easy. Back up your data from your portable storage as soon as you can easily access the mainframe. How long does a differential/incremental backup take? 10 seconds? 2 minutes? A piece of data existing in the portable disk, the mainframe, and the backup tapes, is much harder to be lost.

    For the second problem (Data theft due to lost disks), encryption works well. To discourage data theft due to lost disks, a simple, easy-to-use on-the-fly encryption on the portable storage device can help tremendously. The solution has to be simple because if it is a few mouse clicks too many, employees will try to circumvent the hassle.

  46. Details by bitspotter · · Score: 1

    Data goes "missing" when it gets deleted. What we're talking about here is when it gets copied, right? Captain obvious says hello!

  47. Re:It's not the theft they're worried about by karmatic · · Score: 1

    It would most likely require some specialized software on the client PC. For one thing, the FAT, last modified times, etc. would have to be in an area set as "safe".

    Also, windows likes to build thumbnails, summaries, etc. for files it sees. This is done by reading the file in question (or at least parts) - if you had, for example, a .jpg file, the second you opened that folder, Windows would read it to make a thumbnail (and it would be deleted instantly). That would make it a write once, read never device.

    Not particularly useful without the software to back it up.

  48. So the issue is about data theft. by Z00L00K · · Score: 1
    One can always consider that the data shared may also soon be obsolete. Stolen source code is soon outdated, business plans change day by day etc.

    The amount of critical data in a company is often very limited and can be kept under control. If more energy is put into research and less into legal battles any data loss will soon be rendered useless.

    Of course - this does not apply to all data.
    Movie and music copying is a more direct impact where the data is the product. However - it all comes down to the issue of additional value. If downloadable files exist but lack certain features, like the sound in mono, missing scenes etc., and a more full-featured version is available with full surround audio, better picture quality etc., it will be paid for by the part of the audience that really wants that.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  49. Too late! by burne · · Score: 2, Insightful

    The Dutch 'Secret' Service (AIVD) recently lost a memory stick containing 'secret' documents:

    in Dutch: http://www.webwereld.nl/articles/39418
    from an Italian newspaper: ( http://www.intesatrade.it/IntesaTrade/News/DettaglioNotizieOggi/1,3243,2@1332658,00.html )

    The report comes a day after the Defense Ministry said it had lost a computer memory stick containing confidential Military Intelligence Agency data. In December, a Dutch district court sentenced a former AIVD translator to four and a half years imprisonment for passing on state secrets to alleged terrorists. Last year, a secret service employee left several CD-ROMs of confidential intelligence in the trunk of a rental car.
  50. Re:It's not the theft they're worried about by Crayon+Kid · · Score: 1

    The real threat comes from actual LOST data. With portable storage media getting bigger and bigger, more and more data can be put on it. Including massive amounts of spread sheets and even databases. (I worked for one company that insisted on keeping a sensitive database on USB keys, to be sneaker-netted around to whoever needed it).

    Was it their ONLY copy? Because if it was, they were dumber than a ton of bricks, end of story. And it was no fault of the media itself (flash or otherwise), it was human stupidity. Always make a backup. I think it's in the Bible too (well it ought to be). Digital information goes both ways: it's very easy to duplicate, but it's equally easy to lose. Not taking advantage of the first to cover the second is just plain moronic.

    --
    i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
  51. Irresponsible by fizzyabbo · · Score: 1
    It's 12:11 am, do you know where your data is?

    For shame...

  52. It's already started... by PiEpster · · Score: 1

    Only last week it was in the news here in Holland that the Dutch Military Intelligence Service (MIVD) officially reported that a USB stick with classified information was missing. Makes you wonder if they've even encrypted the data...

    1. Re:It's already started... by Anonymous Coward · · Score: 0

      Of course not. If they did, there would not be such a fuss about it.
      All those years we were led to believe that those intelligence agencies were kind of like James Bond and always used the latest gadgets for security and encryption, but now it more and more appears they are just a bunch of losers with laptops from the local shop, and no security protocol whatsoever...

  53. We've discussed this by sconeu · · Score: 1

    And when I posted this as an Ask Slashdot, I was told not to worry about it.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  54. the bad guys.... by Anonymous Coward · · Score: 0

    ...have been around for a while now. What has happened is they took their smallish loot, and invested in "legitimate" companies and corporations. See, this goes way back. Those "bad guy run" places, now headed by "respectable" businessmen in dark suits, bought up other corporations, and now we have some really, very very large corporations, still run by "the bad guys". Along the way they had some spare change so they bought "governments". And then you have "blends" where bad guy "government" group a.b.c forms what is called a "front company", where they can go do bad guy stuff, and even if caught, nothing happens! They dissolve, and form another front company!

    When they want your stuff, if it is valuable enough, they just buy your company. If they can't get it, they'll buy some piece of the "law" to destroy you. Or, they are "the law", or a reasonable facsimile thereof.

    See how that all works out nice and neat? They don't have to bother with penny ante little stuff like a smuggled USB drive. And what they do is keep you fixated on the little USB drive, so you don't look up and see the LARGE bad guys. You might even be working for one, and not know it! Or, you might suspect, but need the job, so you go "oh well, I need the job". Or, you might suspect, but to say anything is "dangerous", because you have seen what happens to others who saw. So you be quiet, and keep your job.

    It works for them, so I imagine it will continue, and the bad guy companies will get much larger, until they are larger than even their governments they own now, and will become what are called "global" in scope.

  55. Non-story by Kris_J · · Score: 1

    Your workplace is either a secure location, in which case this has already been addressed, like every technology before it, or it isn't a secure location, in which case a little USB Flash drive is only one of many ways for data to leak offsite.

  56. Disable USB Ports by irishkev · · Score: 1

    I work for an evil Wall Street financial services firm. They disable the USB ports with group policy. Oh, it's a great place to work.

  57. Re:It's not the theft they're worried about by Nikker · · Score: 1

    Maybe have the logic onboard for the biometrics, powered by the port, and have X reads per scan (requires the user's finger to be in constant contact for large files); this would ensure the user definitely knew what happened to the data/disc/key ;)

    As a policy, using the onboard UC you could deny access to any data on request or completely terminate the circuits (James Bond stuff) or even just shut down the interface.

    No software, enhanced accountability, USB compatibility.

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  58. Just another g***amn hype by loco_pinguino · · Score: 1

    This seems to me like just another ridiculous hype to boost new "security" products. Let's face it: there may be a small additional threat to security from USB devices, but it's marginal at best. If you're concerned about security it all comes down to a good policy, a strict enforcement of the need-to-know principle (hey, you do NOT need to buy any additional products, you CAN do it by means of any recent operating system) and last but definitely not least a good treatment of employees. Treating employees like rubbish - common in almost any company nowadays - is a surefire way to endanger your operation, no matter how many shiny security products you bought. Extensive use of technology in this case will never work because fixing a human problem by technical means NEVER does.
    Just think about the distribution of information, get a good and reasonable security policy - one which is accepted, understood AND supported by your employees - into action, follow some basic guidelines regarding security infrastructure (firewalls, network segmentation, segregation of duties, and a buttload of antivirus/antispyware), start treating your employees like human beings instead of suspicious animals and you'll be reasonably safe.

  59. Company Data: theft , copy or backup? by VincenzoRomano · · Score: 2, Insightful

    Nowadays it is almost impossible to prevent people from copying company data, also because it is becoming a widespread practice to bring some work home.
    Not to mention the vast usage of laptops, especially among ICT workers.
    Removable media with high capacity is only the "latest" technology to do this.
    In the past we have used printers, floppy disks, email and web disks in order to bring data and documents home (or wherever else).
    You can lock floppy drives, USB ports, bluetooth features and so on. You can filter web accesses and other publishing media and protocols.
    But what about email and printers?
    Are you really planning to make work harder and slower?
    And I'm pretty sure that in some cases, especially in small companies, the private copy saved the day in more than one case!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  60. Ban cell phones, too? That would be cool. by Green+Salad · · Score: 2, Funny

    Am I the only one here who thinks it might be kind of cool to work in a paranoid place that requires you to check cell phones at the door? Now if only they could eliminate my pesky desk phone and email (um, in the name of security leaks, of course) I might actually have time to be productive!

    Would anybody believe me if I made the case that status meetings and rambling, pointless telecons with 3rd parties are risky security leaks too?

  61. What about my own data? by Spacejock · · Score: 1

    I carry a 100 GB external USB drive and three memory sticks everywhere I go. They contain multiple diff backups, HD ghosts, etc. I'm a novelist and programmer, and my data is my livelihood.

    If I had a job where they banned me from carrying my own backups around I'd have to resign, because I'm not about to leave them in my car and I'm not going to open a safety deposit box for daily switchover visits.

    Surely it's up to the company to manage their hardware so that employees can't simply copy data to removable devices?

  62. Re:Uh, you can turn off USB drive access in Window by EzInKy · · Score: 1

    > It's been present ever since Windows 2000 - if a company is worried about data loss via USB drives and the like, it's possible to disable access to USB drives using regular Windows security templates.

    Wouldn't it be simpler to deny write access to the source media so that nobody can deprive the owner of the data? Disabling USB would only inhibit copying but what we are talking about here is theft.

    --
    Time is what keeps everything from happening all at once.
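As an added illustration of the "deny write access" option raised in this comment (example code, not from the thread or any product mentioned in it): on Windows Vista and later, the Group Policy setting "Removable Disks: Deny write access" is stored under the RemovableStorageDevices policy key, and the GUID below is the disk device-interface class that setting targets. The script reports the current (default, writable) state and applies or reverts the deny-write value; the two function names are my own.

```powershell
# Added example (not from the thread): inspect and set the Group Policy value
# behind "Removable Disks: Deny write access". Assumes Windows Vista or later.
# The GUID is the disk device-interface class the policy applies to.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$DiskKey    = Join-Path $PolicyRoot $DiskClass
$DenyNames  = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Get-RemovableDiskPolicy {
    # Report each Deny_* value as 0 (absent or off) or 1 (enforced).
    # With nothing set, removable disks are fully readable and writable.
    $props = if (Test-Path $DiskKey) { Get-ItemProperty -Path $DiskKey } else { $null }
    $state = [ordered]@{}
    foreach ($name in $DenyNames) {
        $value = 0
        if ($null -ne $props -and $null -ne $props.$name) { $value = [int]$props.$name }
        $state[$name] = $value
    }
    [pscustomobject]$state
}

function Set-RemovableDiskDenyWrite {
    # Deny writes to removable disks (default) or re-allow them with -Allow.
    # Needs an elevated shell; -WhatIf previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Allow)
    $desired = if ($Allow) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($DiskKey, "set Deny_Write = $desired")) {
        if (-not (Test-Path $DiskKey)) { New-Item -Path $DiskKey -Force | Out-Null }
        New-ItemProperty -Path $DiskKey -Name 'Deny_Write' -PropertyType DWord `
            -Value $desired -Force | Out-Null
    }
}

# Weak (default) state: no Deny_* values, so any plugged-in disk is writable.
Write-Host 'Current policy:'
Get-RemovableDiskPolicy | Format-List

# Preview the hardened state; drop -WhatIf to apply from an administrator shell.
Set-RemovableDiskDenyWrite -WhatIf
# Set-RemovableDiskDenyWrite -Allow   # revert to writable
```

In a domain, configure the same setting in a GPO rather than writing the key by hand, so it is enforced and reported centrally; a value written locally only applies to that one machine.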
  63. Douglas Adams talked about this by andrewagill · · Score: 3, Funny

    The higher level supervising program went to consult one of its own look-up tables to find out what the low level supervising program was meant to be supervising.
    It couldn't find the look-up table.
    Odd.
    It looked again. All it got was an error message. It tried to look up the error message in its error message look-up table and couldn't find that either. It allowed a couple of nanoseconds to go by while it went through all this again. Then it woke up its sector function supervisor.
    The sector function supervisor hit immediate problems. It called its supervising agent which hit problems too. Within a few millionths of a second virtual circuits that had lain dormant, some for years, some for centuries, were flaring into life throughout the ship. Something, somewhere, had gone terribly wrong, but none of the supervising programs could tell what it was. At every level, vital instructions were missing, and the instructions about what to do in the event of discovering that vital instructions were missing, were also missing.

    1. Re:Douglas Adams talked about this by andrewagill · · Score: 1

      Meant to say, this is from Chapter 1 of Mostly Harmless.

  64. Re:It's not the theft they're worried about by Anonymous Coward · · Score: 0
    > Was it their ONLY copy?

    The article title ("data missing") is a misnomer. What they should be concerned about is not actual loss (no copy left), but disclosure (copies left where there shouldn't be, such as in the hand of competitors, spammers, thieves, press ... or whoever else the lucky finder of a stray USB key may be)

  65. Going after the symptoms by Stan+Vassilev · · Score: 1

    I can't care if my data is stolen from:

    - a floppy
    - A4 / Letter paper
    - USB drive
    - phone
    - CD
    - DVD
    - HD DVD / Blu Ray
    - mobile HDD
    - laptop
    - backup tape rolls

    So instead of just going after the easiest transfer method (USB sticks) and pretending we're doing something that matters, how about just dealing with the actual problem, that people walk around with copies of the data unencrypted?

    Many of the modern USB devices support encryption of data. It's enough to make a policy that you can't copy protected company data without encrypting it with a strong password.

    Then losing the medium and someone with ill intent finding it means basically nil.

  66. Re:It's not the theft they're worried about by meringuoid · · Score: 5, Funny
    > Always make a backup. I think it's in the Bible too

    Yep. It's in Genesis. Something about a bloody great boat.

    What worries me is how far the lesson has been taken. What happens if Him Upstairs has full backups? What if he decides he doesn't like the direction things are going and rolls back to an earlier saved state? How would we ever know if he did?

    --
    Real Daleks don't climb stairs - they level the building.
  67. Information security by Exter-C · · Score: 1

    Many corporate companies that I have had dealings with have already made these sorts of issues clear in the employment contracts. Most internal systems have USB ports that are disabled and the operating systems are locked down so that files must be stored on a central file server rather than on the local hard drives making it more difficult for the average person to steal the data. However if any employee REALLY wants to get their hands on data they can in most cases with relative ease.

  68. Body cavity .... by Anonymous Coward · · Score: 0
    Soon it'll be body cavity searches in and out the door at work.

  69. Columnists Rehashing Old Scaremongering by billstewart · · Score: 4, Insightful
    Ok, Jack Gold's put a slightly more useful spin on it by talking about accidentally lost data as opposed to deliberately stolen data, but it's still the same old hash with scaremongering about USBs.
    • Briefcases get lost all the time, and briefcases have been large enough to contain sensitive information for decades now. Keychains also get lost on occasion, and especially for small businesses that's often enough to get in the building at night or steal a company truck.
    • Yellow Sticky Notes with your IP address and VPN password fit in your pocket just fine, and DSL means that people can suck up your data even faster than when we used to use Yellow Sticky Notes to carry modem phone numbers and dialup passwords.
    • Documents that are actually important are usually 1-100 pages long. You can store them on mashed-up dead trees if you avoid spilling coffee on them. Them newfangled USB thingies hold a lot of data, but back when we carried 3.5" floppy disks 20 miles through the snow uphill both ways, Microsoft Office wasn't as bloated, so a zipfile of The Secret Plans still usually fit in your pocket. That's not the same as carrying out the whole blueprints for your next chip in your pocket, but mini-CDs do pretty well - they're certainly enough to carry the HR personnel database home.
    • DVDs and CDROMs fit pretty neatly into briefcases, and most newer PCs have at least a CD burner, so you can still carry the chip blueprints home.
    • Laptops are easy to carry, and go missing all the time. The San Francisco Police aren't very good at recovering them even when they've got them in their evidence room and the thief in custody; your mileage may vary :-) And unlike keyrings and regular briefcases, laptops have obvious resale value so they're more attractive to thieves.
    • RM-05 removable disk packs are a bit big to fit in your briefcase, but magtapes fit just fine, and before magtapes we had ASR-33 paper-tape, which works just fine for carrying the Numerical Control tape that tells the milling machine how to cut your submarine-propeller plans.
    • Mainframes with Greenscreen 3270s are much less portable, but back when I worked for The Big Phone Company they were worried about people carrying computer printouts home, and they checked our briefcases on the way out the door of buildings that handled sensitive information.
    But yes, within the next couple of years, somebody's going to have a USB keyring/wristwatch/Walkperson/iPod/Pseudopod/something get lost or stolen with sensitive information on it, and the press probably will fly off the handle telling us they told us so, and that we need to take precautions we've never taken before with laptops or CDROMs or whatever, and that's probably going to include silly bureaucrat tricks instead of getting major operating systems to have convenient encrypted file system support (and remember, "major operating systems" includes the OS's for portable music players and not just the computers they plug into).
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Columnists Rehashing Old Scaremongering by Anonymous Coward · · Score: 0
      but back when we carried 3.5" floppy disks 20 miles through the snow uphill both ways

      You youngsters... Try that with 8" floppy diskettes through 40 miles of glaze ice.

      And don't get my dad started about 80 column cards!

      At least you can read them without a computer...

    2. Re:Columnists Rehashing Old Scaremongering by winwar · · Score: 1

      But the ease is increasing greatly. That is a big deal. And not necessarily noticed by management at least. In the end it is easy to not have burners or floppy drives and restrict the internet connections.

      But how do you restrict USB connections easily?

      It requires thought. Something lacking in lot of management. :)

    3. Re:Columnists Rehashing Old Scaremongering by billstewart · · Score: 1
      I used 5.25 inch floppies extensively as well, but they didn't fit on my shirt pocket, only my jacket pockets :-) I don't remember using 8-inch floppies on CPM, though I did occasionally use them on VAXes (somebody sent us data on one in the late 80s, and we decided we could risk putting it in the boot-floppy drive :-)

      If you're *good* with 80-column cards, you can read them straight out of the punch, without the printing along the top. I was never quite that good, though I could read 7-bit ASCII paper tape reasonably well.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  70. Re:Uh, you can turn off USB drive access in Window by ObsessiveMathsFreak · · Score: 1

    What the article probably meant to say is that standard security practices, combined with increasing personal storage, increases the risk of unknown data loss.

    There was a small typo in your post. Fixed.

    --
    May the Maths Be with you!
  71. haha by Anonymous Coward · · Score: 0

    You can't open the boxes, lolz. I wouldn't use jb weld though, it really does have iron in it (crawls all over a magnet).

  72. Do NOT put identification tag on your flashdrives! by Smuffe · · Score: 1

    From TFA: As a result of this experience, I have put a small .txt file on my devices with my name and address, and I figure an address label on the outside can't hurt either.

    I know someone placed fairly high up in the security department of a major international company, and this is exactly what their employees have strict orders NOT to do. They even go so far as to recommend you don't have any visible identification tags on your luggage.

    Tags mean you can be identified, and if you carry around a flashdrive clearly marked with your name and company in for example an airport, the odds that someone will spot you are quite high. If this someone has been hired from a rival firm, odds are this someone will try to steal it.

    This may sound like too much James Bond, but the fact is that corporate espionage is bigger than ever, and it becomes more and more important to protect every ounce of information you might have.

    Also, no identification tags means all your pr0n can't be traced back to you.

  73. Re:Uh, you can turn off USB drive access in Window by MoogMan · · Score: 1

    This isn't the answer. There's still floppy disks (ugh!), CD drives (lots of PCs come with CD writers nowadays), printing of documents and {screendumping, emailing} of documents.

    The real solution is to restrict documents on a permissions level. This makes restriction of USB drives irrelevant.

  74. Bah! by Greyfox · · Score: 1
    We've already had several documented instances of backup tapes go missing. And the companies that lose them usually say something along the lines of "Although the tapes weren't encrypted, you need specialized equipment to read them so we're not terribly worried." Uh huh. Specialized equipment like a TAPE RECORDER! Sure, you're going to have a hard time finding one of THOSE these days. Ok, it's a little more complex than that, but not by much.

    So companies will implement draconian restrictions that inconvenience all their users across the board whether they're handling confidential data or not, but will still ship unencrypted tapes via UPS. Brilliant.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  75. Re:data has walked out the door before. DRM it!!! by Whiteox · · Score: 2, Interesting

    There will always be that kind of insecurity with any kind of device, whether it's a disk or a USB drive etc etc.
    But why not DRM all data?
    If you think clearly about it, DRMing all data will prevent (as much as possible) the use of the data, but not the theft or loss of it.

    Simple really.............. :)

    --
    Don't be apathetic. Procrastinate!
  76. To executives, concerned about this: guess what? by Alex+Belits · · Score: 4, Interesting

    For a company to function, many employees of the company have to have access to the company's data. All of them, if they are inclined to do so, can copy it. Heck, many of them can sabotage it, and destroy the company.

    Guess what the company can do about it? It can stop treating the employees as shit. Especially stop pretending that the company is some amorphous entity that makes its owners/shareholders entitled to profit, and can impose idiotic demands and shitty conditions and pitiful pay on everyone else in it. Employees do their work, this is why they have access to company's things. Nothing, ever, happened in a company without some employees making it happen, so if any of you wonder, why people can destroy your precious company, keep it in minds -- THIS IS BECAUSE THOSE PEOPLE ARE THE COMPANY.

    There is nothing wrong with avoiding overbroad access where it isn't necessary for things to work, however there is no way to make any company "secure" from the very people whose only responsibility is to keep things running. Don't piss them off, and remember that you didn't become Presidents, CEOs and VPs by understanding how to operate anything that makes your company what it is. Every time you eat your lunch, think how many people you have abused today, and what will happen if any of them will press a few buttons.

    --
    Contrary to the popular belief, there indeed is no God.
  77. Re:Security so stiff they checked our wrist watche by legallyillegal · · Score: 0

    what the hell?

    --
    ?giS
  78. This is not a new problem by Anonymous Coward · · Score: 0
    which he predicts will probably reach 10 GB in capacity in three years,

    Huh!?

    Three years ago I got an Archos Jukebox with a 10 gig hard drive. Plug it into a PC's USB port and you have a 10 gig portable hard drive. Of course that was battery powered. But then there are all those portable USB hard drives like the Freecom FHD series that are bus-powered just like a USB flash drive. They fit in a shirt pocket quite easily.

    This is not a new problem. It has been around for a while.

    And don't get me started on Iomega JAZ drives, CD writers and DVD writers.

  79. Re:It's not the theft they're worried about by killjoe · · Score: 2, Insightful

    "That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it."

    I don't see what the big deal is. Huge companies have had really really really important data stolen with no real effect or punishment. I mean things like social security numbers, credit cards, personal information, credit records etc. Do people even remember what happened with choicepoint? Does anybody even know who choicepoint is or what they do?

    This is just bullshit. Nobody really cares all that much. There are no consequences to the corporation at all for losing data. Worst comes to worst somebody gets fired. Big whoop.

    --
    evil is as evil does
  80. It's like the old saying by squoozer · · Score: 1

    Information wants to be free!

    --
    I used to have a better sig but it broke.
  81. Great Idea! by Carrot007 · · Score: 1

    > Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

    Unfortunately I work for a company that would make such a stupid policy.

    I wish companies would actually try and do something about the problem rather than banning things.

    The way things are going we're gonna have to work naked leaving everything we have at security, because it's the only way we can be sure things aren't stolen.

    Still we do have flash drive security here I guess. Only because we still use NT4 on the whole, mmmm nice USB support ;-).

    --
    +----------------- | What is the question!
  82. The 3-second 5-cent permanent fix to USB stealing by Ancient_Hacker · · Score: 1

    It takes about 3 seconds to squirt enough airplane glue into a USB port to permanently disable it. End of problem.

  83. Doom and gloom... by HermanAB · · Score: 1

    There are two kinds of computer users: Those that have lost data and those that will. Any CEO knows that from first hand experience. Companies have dealt with information loss ever since the first person scratched something on a rock. The important thing to remember is that most data is useless anyway, so it doesn't matter if you lose it. Most stuff is saved because it is convenient, not because it is essential to save it.

    --
    Oh well, what the hell...
  84. business case by RMH101 · · Score: 1

    if you have a business need that's not being met by your IT dept, submit a business case and let your manager sort it out. easy. ban stuff on a business, case, reinstate it on one too.

  85. Re:Uh, you can turn off USB drive access in Window by RMH101 · · Score: 1

    so deny users access to usbstor.sys via an AD policy. USB peripherals will work fine, APART from USB bulk storage. sheesh, this isn't rocket science.

  86. Re:Uh, you can turn off USB drive access in Window by Yaruar · · Score: 1

    A company I worked for previously had us remove all the cd drives and floppy drives from all installed machines, this made a lot more work for all of us in the support team, but it certainly made the company secure. Combined with the fact the only WAN connection was for email and back office stuff (no interweb for the employees, such bliss!) meant that we were a reasonably secure shop. + The fact we used ZenWorks Desktop to lock everyone in the company down to the Nth degree. Sure, someone could walk out of the office with a pile of paper stuffed down their pants, but it would have been quite obvious. AFAIR nothing got stolen from that office apart from pens and paperclips (which were kept under lock and key and needed authorisation to remove ;) )

    --
    Working for the (other) man
  87. Re:It's not the theft they're worried about by Anonymous Coward · · Score: 0
    Soon, people will treat USB keys like they treat floppy disks; there'll be a big pile of them, and employees will just grab one as they need it.

    So, tell me, would you put anything essential on a floppy disk? Sure, you might transport it home or shuffle it over to another PC... But if there's only one copy of an absolutely crucial email document, are you going to put it on floppy? Without any backups?

    Likening USB keys to floppy disks is actually not a horrible idea. Neither of them are terribly safe/secure media. I certainly wouldn't trust anything essential to either of them, regardless of capacity or portability. It's just plain common sense, and anyone who's losing vital data because of these things is sorely lacking in it.

    We don't need new security practices. We don't need new policies. We don't need paranoia and reviews and whatever else. We just need common sense. It's a small, fragile device that can easily be lost, stolen, or destroyed...how about we don't put the only copy of our most vital assets on it.

  88. Re:The 3-second 5-cent - PERFECT! by ScrewTivo · · Score: 2, Insightful

    Trying to "outlaw" and "enforce" usb devices is an option only for the dim-witted. I will probably use your suggestion.

    I have heard all this before and business keeps on ticking....
    1980's style - no floppy drives in computers
    1970's - photo copiers lead to loss of sensitive data
    1960's - Beware of employees with Kodak cameras
    1950's - Don't throw carbon paper into trash cans
    That's as far back as I go...:)

  89. Drowning in data, its too easy to lose things by Andrew+Ford · · Score: 1
    USB drives are just yet another obscure place that data can lurk, but even when you have a backup plan in place it is all too easy to lose data.

    We found this out the hard way last week. Four years ago I published my wife's cookery book, which included about 80 commissioned paintings. All the text was stored in subversion but the image data took up about 40GB in its various forms. It was all backed up and we had multiple copies on different disks, but having just sold the rights to the book I discovered that I had reused the 250GB disk that held the images, putting it into a Windows XP system my wife used for her printing business. We had changed our tape drives a couple of years ago and didn't have any of the old tapes -- we just didn't notice when we lost the files. Fortunately we were lucky: only 10% of the disk had been reused, so I made a low-level copy of the disk, used scandrive to find undamaged superblocks and then e2fsck recovered about half the contents of the disk. As we had the files in multiple formats we actually ended up only losing three of the images, which was miraculous.

  90. Re:Security so stiff they checked our wrist watche by legallyillegal · · Score: 0

    intriguing

    --
    ?giS
  91. Re:It's not the theft they're worried about by anum · · Score: 1

    Might I recommend Disk Net Pro:
    http://www.reflex-magnetics.co.uk/products/disknetpro/

    No affiliation, we just did an eval of the product.

    Using good, sensible policies with such a product would stop the sort of misplaced data that TFA is talking about. It does require a client side driver/software and reduces the portability of your data but that's how it solves the problem.

    By default it treats your users like the enemy, which I hate, but that's corporate policy around here already so what's one more layer?

    --
    I don't think, Therefore I'm not.
  92. Well, it's my business by contrapunctus · · Score: 1

    I teach at a college. In a world where we are getting sick of big brother, I'm getting sick of IT people filling that role. So what if the school won't know if I lost a bit of data on my usb drive. I can live with that. It's better than them centralizing all the drives so that if one network thing goes wrong everybody can't work.

  93. Re:It's not the theft they're worried about by sckeener · · Score: 1

    Because of this casual attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spread Sheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.

    Here at Chevron we wipe every hard drive we get rid of. I can remember a huge stack of hard drives back in 1999 and there was one person whose job it was to wipe all of them before getting rid of them.

    Just do that with the USB keys. Make a process where the USB keys are returned to the supply clerk and have that supply clerk wipe them before giving them out again.

    I think blank CDs are worse than USB keys for data loss. Burned CDs are not expected to be returned to a supply clerk. It is usually up to every individual to make sure they do not compromise critical and sensitive data. Not a very effective process relying on every employee to follow the process for data retention.

    --
    "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
  94. A little epoxy will fix that right up forever by digitaldc · · Score: 2, Insightful

    Wouldn't it just be easier to disable the USB via the BIOS or open up the case and disable or remove the USB?
    Seems like physically ruining a device with Epoxy is a lazy way to disable something.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:A little epoxy will fix that right up forever by TubeSteak · · Score: 1

      If someone has the time and energy, none of the precautions are going to work.

      They can reboot the computer & turn USB on in the BIOS. Boot up from a CD & plug in their disk/drive and have at it.

      If I had to choose between epoxy & tearing off the USB headers, I'd go with epoxy. Either way, someone could clip their own USB header onto the stubs of the usb connection and then rock and roll your data right out of the building.

      If someone wants it, they can get it. High powered encryption is the only secure way to store your data. And if you're smart, you'll be using more than one type of encryption to layer your protection.

      Most other precautions are there just to make stealing data harder.

      --
      [Fuck Beta]
      o0t!
  95. a new Porsche Carrera, which is better than 99.9% by dpilot · · Score: 1

    Unless you live outside the US, or in Montana, that Carrera is wasted. Everywhere back East, the speed limit is 65 or less, where that beast isn't even trotting. Maybe in the West you get a 75 speed limit - a little better. But in Montana, if I've heard correctly, it's "Reasonable and Proper" again. Or maybe you live in Europe, and can open it up a bit on the Autobahn. But since you say "pub" I might presume you're in the UK? What are speed limits like, there?

    Or is it carbon city for your engine's guts?

    I just brought in a new flash drive, today. There's no policy against it. My plans for it? Primarily pdf's of various documents and manuals that I end up getting here and there on the net, in the course of doing my job. I also plan to put executable and data file for pwsafe (encrypted password storage/generation) on it. If I ever put sensitive data on, it will be in an encrypted container file, and the primary copy will be on backed-up media at work.

    And oh yes, I have a job... and a wife... and kids... and a house... and 2 cars, though less exotic ones.

    --
    The living have better things to do than to continue hating the dead.
  96. There's a difference of scale though. by rdunnell · · Score: 1

    Sure, there have always been problems with copiers and cameras and the like. But how easy was it to walk off with, say, an entire customer or HR database from a Fortune 500 company using just photocopies or pictures? That would take a while. Walking off using an iPod could only take a work day (copying the data might take a little bit of time).

    Not that disabling the port entirely is the solution, but the problem is definitely increased in magnitude these days.

    1. Re:There's a difference of scale though. by Ancient_Hacker · · Score: 1
      >But how easy was it to walk off with, say, an entire customer or HR database from a Fortune 500 company?

      About ten yrs ago I was poking through a dumpster of a minor disk drive OEM'er company. Lots of nice external SCSI cases in there!

      Among the junk was a 2 inch thick printout-- of all their products, cost of production, markups, dealer names, discounts, volumes, etc.

      They went belly-up three months later. Coincidence?

  97. Re:It's not the theft they're worried about by Kadin2048 · · Score: 1

    I was following you throughout most of your post, but what I don't get is how USB keys change the situation from how it is with a big pile of floppy disks.

    You say that the problem would occur when there's a big bin of USB keys, and employees just start using them and not wiping them afterwards. Well, there'd be that same problem with any other kind of rewritable media, including floppy disks. I don't think the situation is new or unique at all. The only thing that's changed is the capacity of the media, but with the corresponding increase in the size of files (write a 10p formatted document in Word, save a few versions, maybe do some track-changes, and look at how big it's gotten) I don't think that people are apt to have much more sensitive data on a USB key than they did 10 years ago on a 3.5" HD-DS floppy.

    The problem here isn't technological, it's behavioral. If you can't trust your employees with sensitive data, then it doesn't matter what kind of media you use, you're going to have security problems. Likewise, if you do trust your employees with sensitive data, and provided they're trained in the right procedures, you shouldn't have problems. I.e., if you leave a bin of USB keys sitting around, people need to know not to throw a key back in the bin after they're done with it, without erasing it first. In my opinion, anyone with two brain cells to rub together ought to realize this without being told.

    If you can't trust your employees to do something that elementary, then they probably can't be allowed any removable media at all -- whether floppies, USB keys, CD-R/Ws, iPods, or anything else. Probably they shouldn't even have pencils and notebooks, unless you're going to look through them as they enter and exit the building.

    I've worked in positions where I've been exposed to a lot of sensitive information, and I've never been patted down at the door for USB keys or floppy disks, or had my iPod inspected. My issued computer had a CD-R/W drive, and there were stacks of blank CD-Rs in the supply room for making backups. There wasn't any attempt made to limit access to things like that, because to do so always has some impact in another area -- people do use USB keys and CD-Rs for useful stuff (taking a powerpoint presentation to a un-networked kiosk, for instance). However everyone was trained in how to deal with sensitive/confidential information. Everyone knew that if you disclosed or leaked info, that you'd be fired, and depending on the information might end up answering some really pointed questions in an uncomfortably well-lit room. In the time I was there, I never heard of an inadvertent loss or disclosure of confidential material, aside from one laptop that was stolen. (And in that case the employee wasn't to blame, he was mugged, or so I heard.)

    These sort of kneejerk responses to information-security, like banning USB keys and whatnot, seem symptomatic of institutions that for some reason, have decided that their employees cannot be trusted. And if that's the case, they need to rethink their hiring, firing, and compensation processes, and figure out how to recruit people that are actually trustworthy and can deal with the responsibility of accessing the type of information that their job requires. If you can't trust someone to not copy the Confidential HR Spreadsheet to a USB key and not delete it, then they shouldn't be looking at that spreadsheet in the first place. (Because that's exactly the sort of person that's going to accidentally CC it to the whole company, or something else equally embarrassing, given enough time.)

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  98. Re:a new Porsche Carrera, which is better than 99. by calethix · · Score: 1

    "And oh yes, I have a job... and a wife... and kids... and a house... and 2 cars, though less exotic ones."

    But what percentage of slashdot is all of that better than? That's the important thing ;)

  99. "Gold predicts at least one" by l3v1 · · Score: 1

    //OT.

    Yup, that sounds about right. And I predict at least one playboy bunny in every household next year. About the same amount of people would realistically care about both those predictions. But I predict more people would be disappointed if my prediction would go the highway :P

    I also predict at least one more prediction in the next dozen articles :P

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  100. Obligatory by master_p · · Score: 1

    When Data Goes Missing Will You Even Know?

    Usually the computer can locate him and beam him back. In case the computer can not find him, we use Spot (the cat).

    [/joke]

  101. No, it's not. by Carl+T · · Score: 1
    From TFA, just to show what this Jack Gold means by "lost":

    Is the data protected from loss? Probably not, even though there are many devices now available that include encryption capability (which is rarely used). And what if a competitor picks it up?

    So his concern is your company's dirty secrets (or legitimate secrets) leaking to the public, not the actual loss of data. Which is also pretty clear from the "Will you even know?" part of TFA's title.

    --

    This signature is not in the public domain.
  102. The problem is not tech, its access control by KDN · · Score: 1

    The real problem here is not technology. People have been using cameras, copiers, photographic memories, for years. The problem is authentication and then access. Authentication verifies who you are. Once you have that, then there should be rules on what you can access. Access to critical or sensitive data should be restricted to those who need it. If you can't get to the data, you can't copy it. From there you need to hire people you trust. So pay them well and treat them well. If you can't do that, it does not matter what technology you have, it will be copied. Larger devices just mean that more data can be copied at a time.

  103. "missing"? "lost"? by theStorminMormon · · Score: 1

    Why do we say data is lost or has gone missing? Data is lost when your USB drive gets stolen, or when your hard drive dies. Data is missing when someone copies over data, deletes the source file, and wanders off with it.

    Data isn't "missing" or "lost" if someone makes a copy of it.

    -stormin

    --
    The Southern Baptist Convention has creationism. On Slashdot, we have porn.
  104. This is not even a problem by 4Dmonkey · · Score: 1

    Is it so difficult to disable the USB ports ?

    It's a standard policy to disable floppy, CD-RW, USB, COM, LPT etc on a machine having sensitive information.

    --
    God created man in his own image, but somehow he evolved into a hairless monkey.
  105. Re:It's not the theft they're worried about by advocate_one · · Score: 2, Funny
    What happens if Him Upstairs has full backups? What if he decides he doesn't like the direction things are going and rolls back to an earlier saved state? How would we ever know if he did?

    Deja vu...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  106. Re:Uh, you can turn off USB drive access in Window by mgpeter · · Score: 1

    You can implement read-only usb drive access with a policy using either Group Policy Objects or the Windows System Policy Editor. The registry key is:

    HKLM\System\CurrentControlSet\Control\StorageDevicePolicies

    Value is:

    WriteProtect - REG_DWORD of 1 or 0 (1 = read-only)

    I am going to update my policy template for the NT4 System Policy editor soon (in a few days) - You can download it at

    http://www.pcc-services.com/custom_poliedit.html
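    An added example, not part of the comment above, that audits the WriteProtect value it describes and can optionally set it. It assumes Windows PowerShell run from an elevated prompt; the key path and value name are the ones the comment gives.

```powershell
# Added example (not from the Slashdot comment): audit, and optionally enforce,
# the StorageDevicePolicies\WriteProtect registry value. Run elevated.
param([switch]$Enforce)

# Key path as given in the comment; HKLM: is the PowerShell registry drive.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtectState {
    # Returns 'ReadOnly', 'Writable' or 'NotConfigured'.
    # Absence of the key or value means the default (writable) applies.
    if (-not (Test-Path $KeyPath)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $KeyPath -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.WriteProtect -eq 1) { return 'ReadOnly' }
    return 'Writable'
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$ReadOnly)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_DWORD: 1 = removable storage mounts read-only, 0 = writable
    Set-ItemProperty -Path $KeyPath -Name WriteProtect -Value ([int]$ReadOnly) -Type DWord
}

$state = Get-UsbWriteProtectState
Write-Host "Removable-storage write policy on $env:COMPUTERNAME: $state"

if ($Enforce -and $state -ne 'ReadOnly') {
    Set-UsbWriteProtect -ReadOnly $true
    Write-Host "Enforced; now: $(Get-UsbWriteProtectState)"
}
```

    A local administrator can flip the value back, so as the comment says the durable form is a Group Policy setting pushed from the domain, with this script used only to verify that the policy actually landed.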

  107. copyright infringement? by walt-sjc · · Score: 1

    When talking about copying data against the data owners permission... If it's corporate data, such as peoples social security or credit card info from corporate records, it's theft. When copying music, it's copyright infringement - not theft.

    Maybe it's because we (including myself) view the RIAA / MPAA as thugs and therefore not deserving of the same protections.

    Of course there is also a difference of published versus unpublished information, so it's not quite the same, but still...

    Just making an observation (devil's advocate style).

    1. Re:copyright infringement? by paeanblack · · Score: 1

      ...there is also a difference of published versus unpublished information...

      There is a massive difference there. Once information is published, natural ownership of the content is transferred from the author to the public. Consider US law...if authors still had natural ownership to published content, then A) granting a copyright would not be possible, since the public would lack the necessary rights to grant one, and B) expiring a copyright would violate the 4th Amendment.

      Once you publish your thoughts and ideas, they don't belong to you anymore. Society naturally owns them and can do what it wants with them. However, most civilized societies find it reasonable to return some rights of ownership back to you, but certainly not ownership of the actual content.

      Taking unpublished content
      = taking something solely owned by the author
      = infringing the property rights of the author
      = theft

      Taking published content not under copyright
      = taking something owned by society, of which you are a member
      = fair game

      Taking published content under copyright
      = taking something owned by society, but for which society has agreed to forgo some rights of ownership, giving those rights to the author
      = infringing the copyrights of the author
      = violating copyright

  108. Workaround on top of Workaround. by twitter · · Score: 1
    Did this guy cry about floppies five years ago? People did the same thing with them then as they are doing with USB devices now. They made copies of their work because they DID NOT TRUST THEIR DESKTOP COMPUTER TO KEEP IT FOR THEM. They trusted their network shares even less because Microsoft makes shitty software. It's rare that a person will write as much text as can fill a floppy. The only reason they need USB fobs now is because of bloated file formats like Power Point's. The same number of hours of work will be carried around on USB as was carried on floppies and the loss will represent the same loss it did five years ago.

    The same issues were hashed around then and the floppy carriers won. The USB carriers might not be so lucky. If you are working in a Microsoft shop, your luck is already bad and you should expect more of the same.

    --

    Friends don't help friends install M$ junk.

    1. Re:Workaround on top of Workaround. by Anonymous Coward · · Score: 0
      Did this guy cry about floppies five years ago?

      Probably not, because the average USB key drive fits about 120 floppies and is about 40x as fast.

      Let's hear a really big DUH for Mr. "M$" here.

  109. Beer - 2 Me - 0 by Anonymous Coward · · Score: 0

    Wearing USB drives on the lanyard that comes with them can be hazardous to your data.

    I've actually lost 2 USB drives during close encounters with Beer.

    Score:

        Beer - 2

        Me - 0 (luser)

  110. Check out eCryptfs by omnirealm · · Score: 1

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Lam1969 wrote:
    > the possibility of companies breaking laws, whether for data-loss
    > disclosure or regulatory compliance, is growing dramatically.

    This is exactly the sort of scenario I had in mind when I designed eCryptfs:

    http://ecryptfs.sf.net/

    Admins in the IT department can deploy an eCryptfs policy on employee workstations that indicates, for instance, that any data written to external storage devices is automatically and transparently encrypted according to a certain cryptographic context. We are working on implementing full policy support by the end of the summer, but in the meantime, eCryptfs will at least provide mount-wide passphrase protection today. For instance, eCryptfs will be able to be told, via IT policy, that "any data written to /mnt/usbdrive must be encrypted with a public key with a certain ID, which is dynamically retrieved from the corporate PKI at the time that the file is created." For a preview of how we will go about doing this, check out the "experimental" branch from the CVS repository. In the meantime, if you want something functional today with only mount-wide passphrase support, get the "testing" branch. The tarball and the main branch will work too, but "testing" is where I keep what I consider to be the most interesting version (it usually takes a week or so for changes in "testing" to migrate to the main branch).

    Oh, and it's Linux only. Of course. ;-)

    Mike

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)

    iQEVAwUBQ9YyvdtAhTFtyodpAQN44QgAlr2+8KF5kIu5b4b+E9uvLMmCyjRJNmzP
    NTZ3Mz/Sq06gCzC7KddWWO6J5ivlW59EOV0qxPaNEFGnAgatFWBjkMIfoUxoXWXU
    N7b5Un/g/Ag5Et2kLKze8X+b1eAJlbtcl6kJXkc5SF/GDxsU74tcuDaquRL8KYRh
    K4Nx7+3CelIUVJ9c2/QPbooxb0yOfQnvncfA75RqLG8GwemSGB8fDscdCJeLMw9g
    K/Y3l1U6FANWrxeH/PCwgZ+4AoLjRBWQBPD3TefhIV05m4kiyeIhOXmQqUGDbKNy
    qqWEcD8T+M0bOOdkEB2ZiwgRPI1sqwR1wh0RxOTbWnDGuJMUEPK7aw==
    =gtQd
    -----END PGP SIGNATURE-----

    --
    An unjust law is no law at all. - St. Augustine
  111. NSA policy by CustomDesigned · · Score: 1
    I liked the policy of the NSA when I worked on a project there. You could bring in all the portable media, diskettes, etc., you want. But you can't take anything out. All media and active devices had to be preapproved. So whatever software upgrades you needed to install for them, you made copies of first. There were no outside network connections, and the building was wrapped in copper foil. So planting tiny embedded computers as spies wouldn't help you (unless your goal was simply destruction, and the device could carry out that goal autonomously).

    They didn't have USB thumb drives then, and I don't know whether they would count as "active" or "passive". I never saw what they did to ensure that the trash, both computers and media, was data wiped before leaving the building. Could have been interesting.

    1. Re:NSA policy by HardCase · · Score: 2, Informative

      I worked on a data analysis project in the Navy. The computer system was a couple of VAX minicomputers in a cluster with terminals throughout the building. There were six Sun Sparcstations (yeah, it was a few years back) with no floppy drives. The building was divided into two sections - low security and high security. If you brought a briefcase, backpack, anything like that, it stayed in the low security area. All that you brought into the high security area was yourself. Anything else that you needed, the Navy got for you. And if it wasn't a consumable, it was tracked. The only way that anything left that secure area was in a burn bag or packaged and tracked.

      We only had a staff of about 20, so it was relatively easy to manage.

      Oh, and the building was an old torpedo training facility. Solid concrete walls, but the roof was designed so that if there was an explosion, it would all go straight up. So it wasn't exactly safe to walk on - there was always the danger of falling through. Right into the secure area. Go figure.

      -h-

  112. What's the difference? by Lord+Byron+II · · Score: 1

    Between using a USB drive and a high-speed internet connection? Or ten years ago when file sizes were still reasonable, using a floppy?

  113. IT shops have no problem... by csoto · · Score: 1

    because this isn't an IT problem. This is a personnel problem, and possibly a policy problem. This belongs on a management website, not an IT context.

    --
    There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
  114. Captain Picard would know if Data was missing by elrous0 · · Score: 1
    After all, they NEED that guy.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  115. He's mixing two different things by Ernesto+Alvarez · · Score: 2, Insightful

    There are two different things mentioned in the article that I think make the article less than what it should have been.

    The first one is data being compromised. There's a clear example when the author found a USB drive in an airport. (He could read it without problems). The second one is data loss, also mentioned. The author mixes both concepts when he compares the loss of a USB drive (assuming it's not backed up) with the loss of records by a big company (that would probably be compromise).

    Even though they look like the same problem (if I put all my important data in a standard USB drive, if I lose it the data gets lost and compromised at the same time), they're not. These risks are mitigated with different methods. When you start taking steps against either data loss or compromise, it is shown that the author's definition of "data loss" is not that clear.

    Imagine I had all my important data on a USB drive, encrypted (but without backups). If I lost said drive, I would be left without some important data, but it would have not been compromised.

    The opposite would have happened if I had backups, but no encryption.

    If both encryption and backups were available, it would be (under most circumstances) a non-issue (except for the loss of a USD 20 drive).

    All of that assuming the drive owner is honest, and not using it to smuggle data out of a secured area.

    The author seems to treat data as a physical object, which it is not.

  116. So, disable the USB port by Zerbey · · Score: 3, Interesting

    We had a client at one of my previous jobs who explicitly banned USB jump drives from the workstations they would be using. So, after a few seconds of head scratching on how to do this I:

    * Disconnected the USB ports and,
    * Disabled them in the OS and,
    * Removed the USB flash device .inf file that Windows provides and,
    * Padlocked the case shut.

    It takes a few moments per machine and should be part of the standard build for any business that cares about their data.

    1. Re:So, disable the USB port by adolf · · Score: 2, Insightful

      Er. Uh.

      How are you to use your USB printer?

      Or:

      Your USB keyboard and mouse?

      PS/2 and parallel ports seem to be disappearing in a hurry. Your supposed fix for the USB key problem is, well, somewhat flawed if it makes the whole rest of the workstation unusable at the same time...

    2. Re:So, disable the USB port by Zerbey · · Score: 1

      Well, most big organisations will be using a network printer.

      USB mouse and keyboard, well...:

      * You can selectively disable which ports you want to disable, eg leaving the ones in the rear enabled but disabling the front panel.
      * Deleting the drivers (one of my original suggestions) will deter all but the most determined users.

  117. Encryption by raptorjb007 · · Score: 2, Informative

    There are always encryption programs that can be used if implemented properly. TrueCrypt (http://www.truecrypt.org/), AxCrypt, bitht from SourceForge. Plus I am quite sure there are a few commercial alternatives that offer support as well. Point is, it's not USB drives that are the problem, it's the lack of a proper usage policy to control how they are used. Requiring all USB drives to be fully encrypted and/or having all data they contain backed up elsewhere would be a good start. It's all about policy and educating your employees on your company's acceptable use policy for such devices.

  118. Re:People think too highly of useless data by vertinox · · Score: 1

    Because of this casual attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spreadsheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted-for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.

    The problem is that 99% of the data you speak of is either public knowledge or rather useless. Unless we are talking about DoD projects, information sensitive to stock trading, or HIPAA-restricted patient information, then internal memos and performance reviews aren't exactly critical to lose or even fall into the wrong hands.

    If you do have something with the aforementioned security-related issues then you need systems that prevent such data loss with encryption or other security schemes.

    I'd say in what I do for a living, the majority of the information I assist with is actually useless Excel spreadsheets that only result in being put into PowerPoints to prove to upper management they deserve not to be fired. It wouldn't kill anyone to lose that information.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  119. Re:Uh, you can turn off USB drive access in Window by kawika · · Score: 1

    If you want to turn off USB drive access on XP, this command will do it:

    sc config usbstor start= disabled

    To turn them back on, use this:

    sc config usbstor start= demand

    Be sure to include the space after the equal sign. You can get sc.exe from the Windows 2000 Resource Kit as well.

    http://support.microsoft.com/?kbid=166819

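As an added example (not from the thread, and not kawika's code), the following Python audits what that `sc config usbstor start= disabled` line actually sets: it parses the text that `sc qc usbstor` prints and reports hosts where the USBSTOR start type is anything other than DISABLED (value 4; DEMAND_START is 3, AUTO_START is 2). The two outputs below are constructed samples laid out like `sc qc` output, not captured from real machines; on a Windows host the same parser could be fed the result of `subprocess.check_output(["sc", "qc", "usbstor"], text=True)`.

```python
"""Audit the USBSTOR driver start type from `sc qc usbstor` output.

Added example, not code from the Slashdot thread. The two sample outputs are
constructed in the `sc qc` layout; they are not captured from a real machine.
"""
import re

# START_TYPE values reported by the Service Control Manager (sc.exe).
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Constructed sample: the XP default, where `sc config usbstor start= demand` leaves it.
DEFAULT_XP = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbstor
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\system32\DRIVERS\USBSTOR.SYS
        LOAD_ORDER_GROUP   : SCSI miniport
        TAG                : 0
        DISPLAY_NAME       : USB Mass Storage Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :
"""

# Constructed sample: the same host after `sc config usbstor start= disabled`.
HARDENED = DEFAULT_XP.replace("3   DEMAND_START", "4   DISABLED")

SC_QC_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(output: str) -> dict:
    """Turn the `KEY : value` lines of `sc qc <service>` into a dict."""
    fields = {}
    for line in output.splitlines():
        match = SC_QC_FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def start_type(output: str) -> int:
    """Numeric START_TYPE, e.g. 3 for DEMAND_START or 4 for DISABLED."""
    raw = parse_sc_qc(output).get("START_TYPE", "")
    match = re.match(r"(\d+)", raw)
    if not match:
        raise ValueError("START_TYPE missing from sc output")
    return int(match.group(1))


def usbstor_blocked(output: str) -> bool:
    """True only when the driver is DISABLED; DEMAND_START still loads on plug-in."""
    return start_type(output) == 4


def audit(hosts: dict) -> list:
    """Names of hosts (hostname -> sc output) where USBSTOR is not disabled."""
    return sorted(host for host, out in hosts.items() if not usbstor_blocked(out))


if __name__ == "__main__":
    fleet = {"ws-01": HARDENED, "ws-02": DEFAULT_XP}
    for host, out in fleet.items():
        print(host, START_TYPES[start_type(out)])
    print("non-compliant:", audit(fleet))
```

This only confirms the driver's start type; as later posts in this thread point out, a user with local admin rights can set it back, and booting a live CD bypasses it entirely, so treat the audit as one control among several rather than proof that data cannot leave.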
  120. We have a policy against USB drives... by bignobody · · Score: 0

    which is why I always terminate the monitoring software before using mine =) I love local admin rights...

    --
    "Your mother's a bloody liar... That's what I liked about her." - Yellowbeard
  121. Re:People here don't read TFA by ReidMaynard · · Score: 1
    ...and drive a new Porsche Carrera

    I bet it's leased, or at minimum you make payments.

    --
    -- www.globaltics.net

    Political discussion for a new world

  122. No policy? by The+Spoonman · · Score: 1

    My company's had a policy for almost a year on those: you can't use 'em. They've used the feature in XP SP2 to disable flash drives and that's that. Out of 13k users, there's a very slim minority that need flash drives, and they're given the ability via a GPO. It took about 15 minutes to figure out how to do it, and 20 minutes to replicate across the whole domain. Done. Next earth-shaking disaster, please.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  123. wow-- a whole new virus vector by way2trivial · · Score: 1

    imagine it, a whole new vector for virii and trojanware.. drop USB keys on the bus- wherever..
    with autorun.inf-- install whatever....

    do you know how cheaply you can pick up 1000+ 16mb usb keys?

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  124. This guy knows nothing about IT security by denisbergeron · · Score: 1

    I don't believe a guy like that can write in a newspaper! Just shut it!
    People have to read before writing! All IT security procedures have addressed this thing since before Y2K!

    --
    This is not a Signature!
  125. Hmmm... by TheLink · · Score: 1

    In the future if videographic (photographic+audio) memory becomes a "default install" in humans, what are organizations going to do?

    Only hire humans without videographic memory? Such organizations will be at a greater disadvantage then.

    Install DRM into such humans to prevent them using their memories in certain cases? Ugh. Solution seems a lot worse than the problem.

    Anyway, the article is _crap_. There are quite different issues, by mixing them all together the author just confuses the matter. Maybe the author has an agenda and is just scaremongering people for some strategic/tactical purpose but perhaps I'm being too cynical (but hey he apparently is Principal Analyst with 35+ years experience blahblahblah).

    In contrast, I'm just some slashdotter, but here's my 2 cents worth:

    The issues are:
    1) Data loss
    Solution = backups, backups, backups.

    2) Unauthorized access to data
    Solution = Only allow trusted AND competent personnel access to critical data, and use encryption accordingly.

    3) How do you know who can be trusted (and is competent[1])?
    Solution = only time and proper testing/observation can tell.

    If you still can't figure it out then perhaps you yourself aren't competent enough to run your organization. If someone can't be trusted with little you can't trust them with a lot.

    Y'know even if someone nefarious sneaks into your organization behaving like a model member for 15 years, gradually gaining increasing amounts of trust, only to betray you in the last year, you'd have got 15 very good years from that person ;). And you must be quite a special case for all that effort eh?

    4) "Will you even know?"
    Solution = Watermark data, and maybe even generate fake databases.

    Even better if you can give different employees different distinctive data. This way if data leaks, there's a chance you'd know that it's from your organization, and perhaps who it came from.

    For example the To and CC fields in most SMTP based email don't count for anything, so you can actually send each group[2] a different email, and there are ways to mark the email without changing the meaning too much (or even at all). I'm not sure of any email client that does this, but it sure is possible. You may also use different key phrases when composing your messages.

    [1] A person may have a higher than average level of integrity, but they could just be incompetent/weak in some areas, so you still can't trust them for some stuff.

    For example, though your Aunt May might be a genuinely trustworthy person, she might be incapable of locking down her computer securely so that the messages you send to her will never be leaked, and she might be incompetent at judging her competence in such things. So it may be wise to just not send messages to her via her computer, and just pass information via other means.

    [2] Say you start with 3 groups, and then you "rotate" people around through those groups. That way you might eventually find out who's the leaky untrustworthy/incompetent person. There are other ways too, go figure it out yourself.

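The watermarking idea in point 4 and the group rotation in footnote [2] can be made concrete. The Python below is an added example, not code from the thread or from TheLink: each group gets one of three phrasings with the same meaning, and each round assigns a person to a group by reading one more base-3 digit of their index, so that after enough rounds every person has received a unique combination of phrasings. Intersecting the groups that received each leaked copy then narrows the suspects to one. The staff names, the phrasings and the simulated leaked copies are all constructed for the demonstration.

```python
"""Trace a leak to its source with per-group message variants and rotating
group membership.

Added example; not code from the thread. The names, the three phrasings and
the simulated leaked copies are constructed for the demonstration.
"""

# Three phrasings with the same meaning. The phrasing found in a leaked
# copy reveals which group received it.
VARIANTS = [
    "The Q3 pricing review is scheduled for Monday.",
    "The pricing review for Q3 is scheduled for Monday.",
    "Monday is when the Q3 pricing review is scheduled.",
]
N_GROUPS = len(VARIANTS)

# Constructed staff list; the rotation works on each person's index.
PEOPLE = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "hank", "ivan"]


def group_of(person_index, round_no):
    """Group for a person in a round: digit `round_no` of the index in base N_GROUPS.

    Reading a different digit each round means that once N_GROUPS ** rounds
    reaches the head count, no two people have shared a group in every round.
    """
    return (person_index // N_GROUPS ** round_no) % N_GROUPS


def rounds_needed(n_people):
    """Rounds until N_GROUPS ** rounds >= n_people, i.e. every person is unique."""
    rounds = 1
    while N_GROUPS ** rounds < n_people:
        rounds += 1
    return rounds


def message_for(person_index, round_no):
    """The variant this person receives in this round."""
    return VARIANTS[group_of(person_index, round_no)]


def identify_variant(leaked_text):
    """Index of the variant embedded in a leaked copy, or None if none matches."""
    for idx, phrasing in enumerate(VARIANTS):
        if phrasing in leaked_text:
            return idx
    return None


def trace_leak(people, leaked_per_round):
    """Intersect, round by round, the groups that received each leaked copy."""
    suspects = set(range(len(people)))
    for round_no, text in enumerate(leaked_per_round):
        variant = identify_variant(text)
        if variant is None:
            raise ValueError(f"round {round_no}: leaked copy matches no variant")
        suspects = {i for i in suspects if group_of(i, round_no) == variant}
    return sorted(people[i] for i in suspects)


def simulate_leak(people, leaker):
    """Constructed leak: the leaker forwards every round's message verbatim."""
    idx = people.index(leaker)
    return [f"FWD: {message_for(idx, r)}" for r in range(rounds_needed(len(people)))]


if __name__ == "__main__":
    leaked = simulate_leak(PEOPLE, "hank")
    print("after round 1:", trace_leak(PEOPLE, leaked[:1]))  # three suspects
    print("after round 2:", trace_leak(PEOPLE, leaked))      # ['hank']
```

With nine people and three groups, two rounds suffice; with more staff, `rounds_needed` grows only logarithmically. The scheme assumes the leaked copy preserves the phrasing, which is why TheLink's note about marking without changing the meaning matters: a variant the recipient feels compelled to rewrite carries no signal.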
  126. the problem is...losing data by hachete · · Score: 1

    the answer is...Version Control on independent machines, which is important, as MS Word has a form of VC but that's in the document on the machine. If your data is that fscking important, make access to this data only through a Version Control system. Simple. Data will always be lost somewhere. People are, well, people. It's just how it is. Banning stuff is silly. You might as well learn to cope with it.

    --
    Patriotism is a virtue of the vicious
  127. Additional medium by ro_coyote · · Score: 1

    ...mini-CDs do pretty well - they're certainly enough to carry the HR personnel database home.

    And this would probably be even sneakier. Just slide it right into a card sleeve in your wallet.

  128. Re:It's not the theft they're worried about by KlomDark · · Score: 1

    Remember, it's all in fun until someone loses a finger!

  129. Other ways to steal data by Anonymous Coward · · Score: 0

    There are plenty of other mechanisms to steal data. My phone is bluetooth enabled. I wonder if I wandered around if I might find something to connect to. Or if I put a Bluetooth USB key in the right machine, what might I find? I can add 512MB of microSD memory to this phone, and send Emails from it. It might take a little time, but I could probably get a LARGE amount of data in an average week.
    Or what about wi-fi? How secure are most places who use that? Or how about more old fashioned ways like the people hacks or just printing the stuff out and putting it in your briefcase (or your socks)?
    I think the bottom line is that employers should treat their employees decently and hire trustworthy people. I can think of all these malicious things to do, but I don't really have a desire to kill the goose who is laying my golden eggs so I can't see myself doing any of them. I'm also pretty happy with my employment overall. There's no bulletproof security, but treating people like crap goes a long way towards asking to be screwed back.

  130. Thin Clients by HighOrbit · · Score: 2, Insightful

    If a business division is working with especially sensitive data, perhaps they should not be working on PCs at all. That might be a job for a thin-client/dumb terminal with no drives or ports (other than ethernet, video, and PS/2 keyboard/mouse).

    Sun has been pushing thin clients for years and some of their major selling points have been security both from the data sensitive aspect and security from the user-can't-break-it aspect.

  131. Re:It's not the theft they're worried about by zen611 · · Score: 2, Funny

    Earth From Wikipedia, the free encyclopedia. Revision history Jump to: navigation, search (Latest | Earliest) View (previous 50) (next 50) (20 | 50 | 100 | 250 | 500). Legend: (cur) = difference with current version, (last) = difference with preceding version, m = minor edit * (cur) (last) 15:54, 24 January 2006 god01 (reverted vandalism from satan666) * (cur) (last) 15:53, 24 January 2006 satan666 (c'mon let's be mature) * (cur) (last) 09:36, 24 January 2006 god01 (rv edit by satan666) * (cur) (last) 09:33, 24 January 2006 satan666 (pestilence) * (cur) (last) 01:03, 24 January 2006 god01 m (Reverted edits by satan666 (talk) to last version by god01) * (cur) (last) 01:03, 24 January 2006 satan666 (famine)

  132. Carelessness and personal drives are the problems by markdj · · Score: 1

    Where I work we have no policy concerning flash drives. Many use their own personal drives because they have one attached to their keychain and it is easier than going to the boss and getting the company to buy one. Perhaps what is needed is a policy that mandates company-owned drives that are only used at work for company business and disallow the use of personal drives. We already disallow personally-owned computers at work so why do we allow personally-owned flash drives?

  133. Re:It's not the theft they're worried about by ModMeFlamebait · · Score: 1

    How about supporting not one read() but one session? I.e. lock after unplugging, not reading the data? Top it off with encryption (not necessarily hardware assisted but it'd be nice for OS compatibility). Off to the patent office you go! :)

    Still, it'd be a solution looking for a problem. You want to steal data, you will.

    --
    Pavlov. Does this name ring a bell?
  134. Lack of Policies? by Anonymous Coward · · Score: 0

    Only a bureaucrat would think a policy would change anything. Most places they don't even get read. My employer has a mechanism to force us to read policies, through logged online training. Still does absolutely nothing to ensure compliance.

    The issue is lack of policing, not lack of policies. And specifically whether and how to police.

  135. Selective logging by an expert system. by jlseagull · · Score: 1

    My girlfriend and I were recently at a conference in Europe (she spoke, I puttered around the city for a week drawing cathedrals), where I got the chance to read some of the posters. One was particularly interesting, but I don't have the proceedings in hand so I can't find the title.

    In any case, it was basically proposing the need for people that had access to large sensitive databases to be granted access to everything, but they had a daemon watching over them that detected aberrations in the pattern of access and notified a supervisor or locked them out of the database.

    For example, you could have someone doing single-user lookups all day as they service customers, then their terminal starts generating lookups for huge ranges of people with full information. The daemon would recognize this and slow down their query rate, lock them out, or call a supervisor. This daemon also logged access, but it only logged what it termed to be unusual patterns of access. It also was able to watch who worked on a file or directory, and it had figured out something as unusual if a person accessed a file at a time outside the ordinary, or (especially cool) if someone accessed a file when other members of the team weren't logged in.

    I have no idea how they trained something like this daemon, but it was a neat use of an expert system.

    --
    'Be always mindful, even when ditch-digging.' --D. T. Suzuki
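The daemon jlseagull describes can be sketched in a few dozen lines. The Python below is an added example, not code from the thread or from the poster's conference paper: it replays a constructed access log (one event per line, "timestamp user action rows"), keeps track of who is logged in, and raises an alert when a lookup returns far more rows than the user's own median so far, falls outside business hours, or happens while nobody else from the user's team is logged in. Only the flagged events are emitted, which is the selective logging the post mentions; the team roster, thresholds and log lines are all constructed.

```python
"""Flag unusual database access from an access log.

Added example, not code from the thread. The log lines, team roster and
thresholds are constructed for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed team roster: a teammate being logged in is the normal case.
TEAMS = {"support": {"alice", "bob"}, "finance": {"carol"}}
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59
BULK_FACTOR = 20                # rows returned vs. the user's median lookup
MIN_HISTORY = 3                 # lookups needed before a baseline is trusted

# Constructed sample log: a day of single-record lookups, one huge pull,
# and a late-night login with nobody else from the team around.
SAMPLE_LOG = """\
2006-01-24T09:01:00 alice login 0
2006-01-24T09:02:00 bob login 0
2006-01-24T09:05:00 carol login 0
2006-01-24T09:10:00 alice lookup 1
2006-01-24T09:12:00 alice lookup 1
2006-01-24T09:15:00 carol lookup 3
2006-01-24T09:20:00 alice lookup 2
2006-01-24T09:25:00 bob lookup 1
2006-01-24T09:40:00 alice lookup 1
2006-01-24T11:30:00 alice lookup 5000
2006-01-24T17:00:00 bob logout 0
2006-01-24T17:05:00 alice logout 0
2006-01-24T17:10:00 carol logout 0
2006-01-24T22:10:00 alice login 0
2006-01-24T22:11:00 alice lookup 1
"""


def parse(log):
    """Yield (timestamp, user, action, rows) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split()
        yield datetime.fromisoformat(ts), user, action, int(rows)


def team_of(user):
    """Members of the user's team, or an empty set for unknown users."""
    for members in TEAMS.values():
        if user in members:
            return members
    return set()


def detect(log):
    """Return (timestamp, user, kind) alerts in log order; normal events are not logged."""
    alerts = []
    online = set()
    history = defaultdict(list)   # rows returned by each user's past lookups
    for ts, user, action, rows in parse(log):
        if action == "login":
            online.add(user)
            continue
        if action == "logout":
            online.discard(user)
            continue
        # action == "lookup": apply the three checks
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts.isoformat(), user, "off-hours"))
        teammates = team_of(user) - {user}
        if teammates and not (teammates & online):
            alerts.append((ts.isoformat(), user, "no-teammate"))
        past = history[user]
        if len(past) >= MIN_HISTORY:
            baseline = max(statistics.median(past), 1)
            if rows > BULK_FACTOR * baseline:
                alerts.append((ts.isoformat(), user, "bulk"))
        past.append(rows)
    return alerts


def actions(alerts):
    """Escalate per user: a single alert throttles, repeated alerts lock out."""
    count = defaultdict(int)
    for _, user, _ in alerts:
        count[user] += 1
    return {user: ("lock out and page supervisor" if n >= 2 else "throttle and notify")
            for user, n in count.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print(actions(found))
```

The baseline is the user's own median rather than a fixed row limit, so a clerk who legitimately pulls a few dozen rows per lookup is not flagged while a single 5000-row pull against a history of single-record lookups is. Carol, whose team has no other members, never triggers the teammate check; that rule needs a roster to mean anything.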
  136. If it's really important use a thin client. by devfsadm · · Score: 0

    If you have data that cannot be compromised use a thin client or store your "data" on a remote share like SAMBA that people need to log into. Or you can have your admin go to each PC, let's say all 3000 of them, and password-protect the BIOS and disable any USB devices and then listen to all the users whine and cry. I vote for a remote share or a thin client.

  137. define the issue before you make a policy by DennisInDallas · · Score: 1

    Tivoli (and other products) have mechanisms to enforce policies.
    The hard part is making the policies... some PHB reads on glossy paper that if you buy this product or that product it will solve these problems. So he gets out the company checkbook, buys the product, tells Dilbert to install it, and considers the issue resolved, without ever attempting to define what the issue was. We have lots of technology that can be made to enforce the policies. The tricky bit is defining what rules should be chiseled into the shifting sands. Heck, the few of us that read the article can't even form a consensus here about what the issue is, the original owner not having the data anymore or somebody else having it. Storing master copies on a server rather than a watch fob would solve the former and strong encryption would go a long way to resolving the latter.

    The fundamental root of the problem is that the decision makers and policy setters frequently don't understand all of the ramifications of the issues.

  138. Re:It's not the theft they're worried about by winwar · · Score: 1

    "I don't see what the big deal is. Huge companies have had really really really important data stolen with no real effect or punishment."

    YET. Considering things like Sarbanes-Oxley and new rules for medical records, losing or misplacing data matters. It costs money to comply with those rules. And if you lose data you shouldn't, it can cost more money. You also might say that some expensive rules come into being BECAUSE other companies have mishandled data.

  139. Re:It's not the theft they're worried about by winwar · · Score: 1

    "In the time I was there, I never heard of an inadvertent loss or disclosure of confidential material, aside from one laptop that was stolen. (And in that case the employee wasn't to blame, he was mugged, or so I heard.)"

    Actually you did hear about it. The laptop was stolen.

    There are two issues here. First is the deliberate taking of information. Second is the inadvertent loss of info or the loss of the ability to track info. Either one can be very bad. The first is easier to deal with.

    Lots of organizations have trouble tracking data, which can be a serious issue. How many organizations can say with certainty that we have X copies of this in Y locations? Imagine a lawsuit....

    It will only get worse when there are simpler ways to cart information around.

  140. nothing ever 'goes missing' by Anonymous Coward · · Score: 0

    your keys did not 'go missing'; you lost them

  141. HIPAA-Compliance by STratoHAKster · · Score: 1

    One word, HIPAA.

  142. Re:Uh, you can turn off USB drive access in Window by EvilMagnus · · Score: 1

    This isn't the answer. There's still floppy disks (ugh!), CD drives (lots of PCs come with CD writers nowadays), printing of documents and {screendumping, emailing} of documents.

    You're right, it's not. The original article raised the wrong problem - teh 3vil USB, instead of focusing on the actual problem - tracking and controlling access to important data.

    The tools to do this have existed for a long time. But to deal with it you need to be aware of the problem (or at least to have done a risk-assessment of the problem), and have the necessary will (management backing, legal necessity, etc) to do something about it.

    Or, to put it another way, "Not knowing what you're doing may cause you problems later on."

    --
    -EvilMagnus
  143. Re:a new Porsche Carrera, which is better than 99. by Anonymous Coward · · Score: 0

    Nope, still 75 on Interstate, 65-70 on state highways.

  144. Data loss cannot be prevented by johannuhrmann · · Score: 1

    Unless your company is a prison with letters and phone calls prohibited and all employees are prisoners, it is impossible to prevent data from leaving your company.

    Examples:

    - e-mail (encrypted, hidden in other "meaningless" data)
    - paper sheets (carried away, not shredded)
    - disks, laptops, USB sticks
    - people's memory(!)

    It is a mistake to believe that the amount of data (e.g. the 10GB mentioned in the article) is equivalent to the importance of the data.

    Leaking out a single number can be fatal for the whole company:
      "What will be the price your company is going to tell the customer?"
      "1.500.000"

    The next day, the customer receives a similar offer stating 1.420.000 from a competitor. About 10 bytes of data can change the direction of one and a half million dollars.

    see also: http://www.heise.de/ct/english/99/04/174/

  145. What about back ups? by olddotter · · Score: 1

    As others have pointed out it is not an issue of "USB drives." Before high-capacity flash drives there were USB hard drives, iPods, DVD burners, CD burners, HTTP file upload, e-mail, FTP, and does anyone remember floppies? Sure a floppy only holds 1.4MB, but have you tried zipping your Oracle database? Those compress REALLY well.

    If companies try to crack down on this too much it will cause problems with performing backups of data on PCs. Most companies have no, or bad, plans for backing up data on PCs and laptops. If they spend too much time trying to keep information from walking out the door, they might find themselves the victim of data loss from hard drive failures.

  146. Re:It's not the theft they're worried about by Mark-Allen · · Score: 1

    Important Theological Questions That are Answered If We Think of God as a Computer Programmer.

    Q: Does God control everything that happens in my life?
    A: He could if he used the debugger, but it's tedious to step through all those variables.

    Q: Why does God allow evil to happen?
    A: God thought He eliminated evil in one of the earlier versions.

    Q: Does God know everything?
    A: He likes to think so, but He is often amazed to find out what goes on in the daemon scripts.

    Q: What causes God to intervene in earthly affairs?
    A: If a critical error occurs, the system pages Him automatically and He logs on from home to try to bring it up. Otherwise things can wait until tomorrow.

    Q: Did God really create the world in seven days?
    A: He did it in six days and nights while living on Jolt and candy bars. On the seventh day He went home and found out His girlfriend had left Him.

    Q: How come the Age of Miracles Ended?
    A: That was the development phase of the project; now we are in the maintenance phase.

    Q: Will there be another Universe after the Big Bang?
    A: A lot of people are drawing things on the white board, but personally, God doubts that it will ever be implemented.

    Q: Who is Satan?
    A: Satan is an MIS director who takes credit for more powers than he actually possesses, so non-technical people are scared of him. God thinks of him as irritating but irrelevant.

    Q: What is the role of sinners?
    A: Sinners are the people who find new and imaginative ways to mess up the system when God has made it idiot-proof.

    Q: Where will I go after I die?
    A: Onto a DAT tape.

    Q: Will I be reincarnated?
    A: Not unless there is a special need to recreate you. And searching those .tar files is a major hassle, so if there is a request for you, God will just say that the tape has been lost.

    Q: Am I unique and special in the universe?
    A: There are over 10,000 major university and corporate sites running exact duplicates of you in the present release version.

    Q: What is the purpose of the universe?
    A: God created it because He values elegance and simplicity, but then the users and managers demanded He tack all this senseless stuff onto it, and now everything is more complicated and expensive than ever.

    Q: If I pray to God, will He listen?
    A: You can waste His time telling Him what to do, or you can just get off His back and let Him code.

    Q: What is the one true religion?
    A: All systems have their advantages and disadvantages, so just pick the one that best suits your needs and don't let anyone put you down.

    Q: Is God angry that Jesus was crucified?
    A: Let's just say He's not going to any more meetings if He can help it, because that last one with the twelve managers and the food turned out to be murder.

    Q: How can I protect myself from evil?
    A: Change your password every month and don't make it a name, a common word, or a date like your birthday.

    Q: Some people claim they hear the voice of God. Is this true?
    A: They are much more likely to receive email.

    Q: How can we interpret the Heisenberg Uncertainty Constant?
    A: A manifestation of our machine's precision limit.

    Q: What was Aramaic?
    A: The original Higher Order MACRO Language.

    Q: What does that make Ancient Hebrew?
    A: Aramaic++

    Q: Why don't we see God at work?
    A: God works at interrupt level. When He wants to do something, He suspends our processes, saves our registers and status, and swaps us out. Then He works His will on the world. Then He swaps us back in, restores our registers and status, and resumes our execution. To us, things appear to change by magic.


    With thanks for the anonymous person who posted this on the 'net many, many years ago.

    --
    If you can stay calm, while all around you is chaos... then you probably haven't completely understood the question.
  147. I thought that... by GWBasic · · Score: 1

    I thought that all of the new controversial features in MS Office were supposed to mitigate this problem? Heck, even a very simple encryption algorithm that's transparent to the user will reduce the impact of this problem because it greatly reduces the likelihood that a lost disk/key will be read.

  148. Re:Uh, you can turn off USB drive access in Window by Uncle+Kadigan · · Score: 1

    Turning off drivers won't do much good if your users retain the ability to boot from a liveCD such as Knoppix. Of course, you might very well remove CD/DVD drives or restrict boot devices in the (password-protected) BIOS, but those are additional steps.

  149. Re:Ban cell phones, too? That would be cool. by Mark-Allen · · Score: 1

    I worked in a couple of Swiss banks for a few years building Windows trading systems. Yeah, yeah. I know. But the new trading app was Windows-based. Anyway...

    The company policy on the trading floor (about the size of a football field) was anyone caught with a Natel (read: mobile phone) powered-on was immediately sacked. And immediately meant security locked down the system, locked the desk, telephoned the police, etc. Not a pretty sight I bet, but I never heard of anything like this happening while I was there. Only told about it before we started working on the floor.

    All trading goes through the bank's special trading phone system, which is recorded for security and banking reasons.

    Since the two of us, who built this system, sometimes needed to go onto the floor, we were exempt from this rule.

    Of course, before taking this job, I sold out of all my stocks just to be on the safe side. Ok, maybe I made a bit of money but Apple was then at about USD 15.00. Oh, well.

    --
    If you can stay calm, while all around you is chaos... then you probably haven't completely understood the question.
  150. SOX and your BOX by Syberghost · · Score: 1

    Yet another reason I think SOX considerations will lead to a resurgence in Thin Client computing. How thin, and what form, still to be decided.

    Something on the fat side, running Linux, with the local storage being used only for caching, paging, etc. would be my preference. However, even if you returned to PS/2 user interface connections and left off USB, this would only result in somebody developing PS/2 thumb drives.

    Ultimately it comes down to hiring good people, treating them well so they're less likely to rip you off, and prosecuting the holy crap out of them if they do. Some of them will still rip you off.

    After all, what's cheaper; paying 20 people to develop an innovative concept, or paying one of those 20 to steal it from his employer and give it to you already-developed?

  151. Interesting data by The+Bastard · · Score: 1

    Of course, the words of Asok the Intern (from Dilbert a few years back) pretty much sum the whole thing up:

    "If I spent my whole life looking, do you think I'd find anyone who cared about this document marked 'Proprietary'?"

  152. Re:Uh, you can turn off USB drive access in Window by EvilMagnus · · Score: 1

    Quite!
    It's all about risk assessments. The 'average' office worker knows nothing of liveCDs, or even anything about the typical Windows boot process; therefore, the largest risk comes from regular users plugging their iPods into Windows boxes, and copying stuff across. The easiest fix for that is to switch off the USB ports (either in BIOS or using System Policies). It's a small action with the largest potential gain.

    Smarter users might try to gain local disk access with a bootCD of some description. There are ways to prevent that, too - removing the CD drive and floppy from the machine, for example, disabling IDE channels and USB ports in the BIOS, and physically securing the case. It's possible, but is a lot more effort to guard against a much smaller risk.

    Security is hardly ever absolute. All you can do is decide how much time and effort you want to spend on it. The first step is a risk assessment by knowledgeable professionals. From the article, it seems that most companies haven't even done that. It's hard to address a problem you don't know about!

    --
    -EvilMagnus
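    One way to apply the "switch off USB storage via System Policies" step from this comment on a Windows host, as an added example that is not part of the original post. It uses the standard USBSTOR service key (Start = 4 disables the USB mass-storage driver) and must be run as an administrator; as the comment notes, it does nothing against boot-CD access, which needs the separate BIOS and physical measures.

```powershell
# Added example: disable the USB mass-storage driver through the USBSTOR
# service start value (3 = Manual, the default; 4 = Disabled). This is the
# registry-level form of the "System Policies" option in the comment. It
# blocks thumb drives and USB disks, not other USB devices such as keyboards.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    switch ($start) {
        3       { 'Enabled (Manual start)' }
        4       { 'Disabled' }
        default { "Unknown start value $start" }
    }
}

function Disable-UsbStorage {
    # Weak state:      Start = 3 lets any user-plugged USB disk mount.
    # Corrected state: Start = 4 keeps the driver from loading at all.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Test-UsbStorageDisabled {
    # Returns $true only when the setting is actually in effect. Use this as
    # the compliance check rather than trusting that a policy was applied.
    (Get-ItemProperty -Path $usbstor -Name Start).Start -eq 4
}

Write-Host "Before:    $(Get-UsbStorageState)"
Disable-UsbStorage | Out-Null
Write-Host "After:     $(Get-UsbStorageState)"
Write-Host "Compliant: $(Test-UsbStorageDisabled)"
```

Devices already mounted when the value changes stay mounted until they are unplugged, so a reboot or a check of currently attached disks belongs in any rollout.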
  153. Can it tell you what they did? by cmdrbuzz · · Score: 1
    Can windows auditing tell the difference between opening the file in Excel, and copying it somewhere else with explorer?

    OpenVMS auditing shows the image that generated the request, and if I dig through SMF I can usually tell how the dataset was accessed under MVS (a la z/OS).
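    For comparison with the OpenVMS and SMF behaviour described above: Windows object-access auditing records the accessing program too, since each 4663 ("An attempt was made to access an object") event carries a ProcessName field next to the object path. The following is an added example, not from the comment, assuming "Audit Object Access" (or the File System subcategory) is enabled and the file carries an audit entry in its SACL; it groups recent access events on one file by the program that opened it.

```powershell
# Added example: which program touched a sensitive file? Event 4663 includes
# both ObjectName and ProcessName, so reads from Excel and copies made through
# Explorer appear under different process values. Assumes file-system auditing
# is on and the file has an audit SACL; otherwise no 4663 events exist for it.
function Get-FileAccessByProcess {
    param(
        [Parameter(Mandatory)][string]$Path,   # audited file, full path
        [int]$Hours = 24                        # look-back window
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read named fields from the event XML rather than positional indexes,
        # which differ between Windows versions.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        if ($fields['ObjectName'] -ne $Path) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($fields['SubjectDomainName'])\$($fields['SubjectUserName'])"
            Process = $fields['ProcessName']   # e.g. ...\EXCEL.EXE vs ...\explorer.exe
            Access  = ($fields['AccessList'] -replace '\s+', ' ').Trim()
        }
    }
    # Summary by program: which tools are reaching this document at all
    $rows | Group-Object Process | Sort-Object Count -Descending |
        Select-Object @{ n = 'Process'; e = { $_.Name } }, Count
}

# Usage (path is a constructed placeholder):
# Get-FileAccessByProcess -Path 'C:\Finance\Q3-forecast.xlsx' -Hours 72
```

The AccessList values are resource-string codes (for example %%4416 for ReadData), so a read through Excel and a read made by a copy look alike in that field; the ProcessName column is what separates them.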

  154. not for long by Anonymous Coward · · Score: 0

    First, some companies already ban them. I have read that the new Windows will have the ability to lock out USB drives.

  155. Data Loss vs. Data Theft by Anonymous Coward · · Score: 0

    Does the term "data loss" seem to anyone else to represent losing your only copy of important data? It's not being lost; it's being stolen or copied. It's "data theft" or "data misuse": you're either stealing it or misusing it.

  156. Re:It's not the theft they're worried about by Kadin2048 · · Score: 1

    I see your point, but the physical loss of laptops was anticipated. The most sensitive data on the hard drives was encrypted fairly well, and based on the circumstances of the theft it apparently didn't seem targeted. As I said, it was a mugging. Could it have been a targeted setup, made to look like a random mugging? Possible, but what was on there wasn't worth that much.

    Obviously, an organization needs to weigh the increased flexibility that portable computers give, versus their tendency to be targets of theft (and more often than that, their tendency to get damaged, requiring more robust backup strategies than desktops). In our case, I can only assume that the determination had been made that, equipped with encryption as they were, the laptops were worth the risk.

    Could the organization, today, say conclusively with 100% certainty that the information was never recovered from the lost laptop (provided it was never recovered -- I don't know what happened)? No. But I think it would be equally untrue for them to say that about any piece of information that was sent over the Internet in encrypted form: you can't prove that someone with a lot of computer power wasn't monitoring everyone's communications and intercepted it. It's just an extremely low probability. Eventually, someone just decides that the chances are low enough, and both as individuals and as an organization, you stake your reputation on that.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  157. Re:It's not the theft they're worried about by killjoe · · Score: 1

    "YET. Considering things like Sarbanes-Oxley and new rules for medical records, losing or misplacing data matters. It costs money to comply with those rules. And if you lose data you shouldn't, it can cost more money. You also might say that some expensive rules come into being BECAUSE other companies have mishandled data."

    Let's be real, companies just give lip service to complying with regulations. If they get caught with their pants down the govt slaps their hand with a wet noodle and goes about their way. Again see ChoicePoint for an example.

    --
    evil is as evil does
  158. external hard drives by cahrichak · · Score: 1

    I used to be in IT (boy do I miss it) and now I'm in accounting (you know, what I actually studied in college haha). Anyway, I had to report some strange goings-on to the IT dept here at my company and they blamed it on my external hard drive... now I know that my hard drive (which uses basic Windows drivers) isn't crashing Adobe, but THEY think it is... (the problem is actually TrackIT) my point is, my hard drive is against company policy. Nice of them to tell me over 6 months after I started here instead of the first time they noticed the device (about 5 months earlier). I just want to listen to my music while I work, and since the CD-ROM drive = crap I can't do it that way lol. *sigh* Information theft/loss is going to happen with or without USB devices, so maybe proper security would be something companies should invest time/money into? Just a thought :-P

  159. Re:a new Porsche Carrera, which is better than 99. by tabbser · · Score: 0

    I'm actually in the west. I do originate from the UK though (10 years ago I moved here).
    What's worse is that I've had a fair amount of engine, intake and exhaust system mods done, not to mention new lumpier software for the ECU.
    In traffic around town it's a bit digital ... you know the type, it's either not moving or it's moving too quickly.
    Out on the freeways I usually stick to about 80; I have a good radar detector that has kept me in good stead.

    I forget what the original topic was that I was ranting away at, but hey, I get back from the pub at 2am and see some doofus talking before thinking and decide to take a potshot.

    Yours was one of the first that actually didn't take offense to my rantings. :-)

  160. Re:People here don't read TFA by tabbser · · Score: 0

    Actually, nope.
    I paid cash.
    Like I said, I own my own business and make more an hour than most do in a day.
    This is not my first sports car, I don't recall when I last had something more average.

    I really like the CGT, but really cannot justify the $440k (without dealer hike) ticket on those, but 205mph does sound great to me.
    The best I ever managed was 196mph (obviously not in my current ride, they're good for 175-180), I'd like to break the 200 at some point.

  161. Re:People here don't read TFA by ReidMaynard · · Score: 1

    I was half joking about the loan ;-) I bet you have fun zooming around on track day. I used to do that at Watkins Glen years ago.

    --
    -- www.globaltics.net

    Political discussion for a new world