It's amusing to see the faces of attendees in my Cyber Self Defense class when I start telling them about the insecurities around USB flash drives and the use of pay-by-the-minute Internet kiosks at hotels. The majority of them have never thought about the possibility that a virus could spread by one of those handy little "memory sticks" they carry around with them. Those who had thought about it did so only because they'd been victims in the past.
And Internet kiosks...forget about it. They don't like being told not to use their company e-mail from those things because who knows what keylogger or malware has been installed on it. We'll save that discussion for another day.
The reason I bring up USB flash drives is because there are some really simple methods of protecting those devices from infection in the first place. The most obvious is to not use them in machines you don't control, but that's not always easy.
The second is to use a "throwaway" flash drive that's not very big and most likely came free at a conference. If you don't want to throw it away after using it in someone else's machine, then use a Linux machine to wipe it and reformat it before using it again. The problem here is users don't have Linux machines just lying around, so they'd have to rely on their IT department to handle it, which may not be that reasonable.
The final solution is the easiest and most practical. Buy a USB flash drive with a write-protect switch and flip it to write-protect mode before sticking it in an untrusted computer. The last few times I've mentioned this to users, you'd think they'd been slapped: Most had never seen a flash drive with that feature, and because the concept was so simple. Heck, it's a throwback to the floppy disk protection days with tabs and switches.
Not sure where to find USB flash drives with write-protect switches? Just do a quick search on Froogle and you'll find plenty of all sizes. They're handy for more than just transferring files (i.e., incident response).
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.