You probably don’t give much thought to your USB drives. When you need to transfer a file from your computer to a drive, you often grab the first one you see in a desk, at the bottom of a bag you used at a conference or in the kitchen junk drawer. But these useful little devices can deliver big problems when used so carelessly.
As much as we love USB drives for their cheap and convenient storage, cybercriminals love them more. Security consultant Red Team explained why in a blog post: “In a Universal Serial Bus (USB) drop attack, cybercriminals leave USB devices for people to find and plug into their computers. A Good Samaritan hoping to return the drive or a penny pincher hoping to pocket a new device for free inserts the ‘found’ drive into his or her computer’s USB port. Then the trouble begins.”
Attacks come in three types. Most common is a USB drive that contains malicious code in a file on the drive. Once the file is opened, the malware is released and infects the connected computer. A second technique involves social engineering, most often an attempt to lure you to a malicious website that’s designed to trick you into handing over sensitive information such as your credit card number.
The most sophisticated of the three USB attacks is designed to record your keystrokes in an attempt to steal login information and other personal data. In this case, the USB drive is programmed to tell the computer that it’s not a USB drive at all but a keyboard, which opens up all kinds of permissions. Once that happens, the malicious code commands the computer to give remote access to the cybercriminal and the keylogging begins. These pre-programmed malicious drives are readily available online for under $50.
So the first lesson is to use only trusted USBs: ones that you have purchased and that have never been used by anyone else or left unattended in a public place. But that’s only half the problem. What happens if you leave your USB drive behind? If it has sensitive files on it, you run the risk of someone using them for their own gain.
To protect against unintentional data loss, you should use an encrypted USB drive with password protection. If you lose your drive, you can be assured that no one will be able to access your files. There are two ways to accomplish the encryption. You can simply buy an encrypted drive or encrypt it yourself. If you choose to go the quick route, expect to pay between $25 and $50. Prices vary with the drive’s physical protection (you’ll find keypads and fingerprint readers) as well as storage capacity. Do make sure it’s USB 3.0 (not 2.0) to ensure you’re buying current hardware. If you’re an Amazon Prime member, you’ll want to check for deals on these devices on Prime Day, July 15-16, and yes, it’s really two days this year.
For DIYers, the encryption process is pretty simple, but keep in mind that you won’t have the benefits of physical device security as you would with a USB drive that is purpose-built.
BitLocker is Windows’ built-in file encryption software, available in Windows 10 and as far back as Windows Vista. It comes pre-installed on Pro and Enterprise versions, but you can download and install BitLocker for free if you’re running another version of Windows. Go to https://tinyurl.com/y4n8dej8 if you are running a 64-bit system or https://tinyurl.com/y6s2ablb for 32-bit.
Once that’s installed, connect the USB drive you want to encrypt and right-click the USB drive listed under “This Computer.” From the menu, choose “Turn on BitLocker.” It may take some time for BitLocker to analyze the drive depending on its size. On the next screen, choose “Use a password to unlock the drive.” Type in your password twice. Finally, Microsoft will ask you how you’d like to store this password in case you forget it in the future. You can save the recovery file in your Microsoft account, save to a file or print it. Frankly, I’d print it and keep it in a safe place, and take a picture of it with my phone as a backup.
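The same steps can be run from an elevated PowerShell prompt with the BitLocker cmdlets. This is an added example, not part of the original article; the drive letter `E:` and the recovery-file path are assumptions, so adjust both before running.

```powershell
# Added example: command-line equivalent of the "Turn on BitLocker" steps above.
# Assumes an elevated session on a Windows edition that includes the BitLocker module.
param(
    [string]$MountPoint   = 'E:',   # assumed drive letter of the USB drive
    [string]$RecoveryFile = "$env:USERPROFILE\Documents\usb-recovery-key.txt"  # assumed path
)
$ErrorActionPreference = 'Stop'

# Refuse to touch anything that Windows does not report as removable media.
$volume = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
if ($volume.DriveType -ne 'Removable') {
    throw "$MountPoint is a $($volume.DriveType) volume, not a removable drive."
}

# A recovery key stored on the drive it unlocks is lost together with the drive.
if ($RecoveryFile.StartsWith($MountPoint, [StringComparison]::OrdinalIgnoreCase)) {
    throw 'Save the recovery key somewhere other than the drive being encrypted.'
}

# Skip drives that are already encrypted or part-way through encryption.
$state = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
if ($state -ne 'FullyDecrypted') {
    throw "$MountPoint is already in state '$state'."
}

# "Type in your password twice": prompt, confirm, and compare case-sensitively.
$first  = Read-Host -AsSecureString 'Password to unlock the drive'
$second = Read-Host -AsSecureString 'Confirm password'
$plain1 = [System.Net.NetworkCredential]::new('', $first).Password
$plain2 = [System.Net.NetworkCredential]::new('', $second).Password
if ($plain1 -cne $plain2) { throw 'Passwords do not match.' }
Remove-Variable plain1, plain2   # drop the plaintext references

# "Use a password to unlock the drive": encryption starts as soon as this returns.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $first | Out-Null

# Add a recovery password and write it to a file that can then be printed.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object RecoveryPassword |
    Set-Content -Path $RecoveryFile

# Show progress; keep the drive plugged in until EncryptionPercentage reaches 100.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Some USB hard disks report as `Fixed` rather than `Removable`, in which case the first check stops the script before anything is changed.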