Wednesday, 29 October 2008

Windows Encryption on USB drives

If you are lucky enough to have a version of Windows XP or Vista that supports Encrypting File System (EFS), you might reasonably expect it to provide protection to files you copy to a USB drive. It won't, though, unless the drive is formatted the right way. If you want to know the details, read on...

The encryption built into some versions of Windows is a handy way to add extra protection to your sensitive files. It is incredibly easy to use and all you need to do is right-click a file, choose Properties, click the Advanced button and tick the 'Encrypt contents to secure data' option.

You can also encrypt folders, which will save you from repeating the above instructions every time you want to encrypt a file. Move a file into an encrypted folder and it will become encrypted automatically.

Using this system will protect your files from unwanted attention should your computer be stolen, provided the thief cannot log in as you: the EFS key is itself protected by your account password. You might assume that copying these files to a USB flash drive will result in a secure archive of portable files. However, when you copy an encrypted file from your PC's hard disk to an external drive the encryption may be removed. The (slightly) good news is that Windows will warn you that the encryption is being stripped (see below).


EFS relies on the NTFS file system, because the encryption state is stored in NTFS metadata that other file systems have nowhere to keep. If you move or copy encrypted files to a hard disk, floppy drive or USB flash drive that is formatted using a different file system (FAT, FAT32 or exFAT) then the encryption will be removed. If you format your USB flash drive with NTFS, instead of using the usual default of FAT or FAT32, then Windows encryption will work. Note that Windows XP's Format dialog only offers NTFS for a removable drive once you set the drive's policy to 'Optimize for performance' in Device Manager; the command-line tool (format E: /FS:NTFS) is less fussy. Either way, use 'Safely Remove Hardware' before pulling out an NTFS stick.

If you lose your drive and it is found and accessed by someone else, they will see an 'Access is denied' message when trying to open encrypted documents (see below), because the drive carries the encrypted data but not the certificate and private key needed to decrypt it. Bear in mind that EFS encrypts only file contents: file names, sizes and folder structure remain visible. If the drive was formatted with a FAT file system they would be able to read the files without any problems.
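As an added example (not code from the original post), here is a PowerShell script that automates the check described above: it refuses to copy an EFS-encrypted file to a volume that is not NTFS, and after the copy confirms that the Encrypted attribute survived. The paths are placeholders, and PowerShell on an EFS-capable edition of Windows is assumed.

```powershell
# Added example, not code from the original post. Copies an EFS-encrypted file
# to a removable drive only when the target volume is NTFS (the only file
# system that can carry EFS metadata) and then verifies the copy is still
# encrypted. Paths are placeholders; an EFS-capable edition of Windows is assumed.

function Test-EfsCapableVolume {
    param([Parameter(Mandatory=$true)] [string] $Path)   # any path on the volume, e.g. 'E:\'
    $root  = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($Path))
    $drive = New-Object System.IO.DriveInfo $root
    if (-not $drive.IsReady) { throw "$root is not ready (no media inserted?)" }
    # DriveFormat is 'NTFS', 'FAT32', 'FAT', 'exFAT', ...; only NTFS supports EFS.
    return ($drive.DriveFormat -eq 'NTFS')
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory=$true)] [string] $Path)
    # The Encrypted attribute is what Explorer's 'Encrypt contents' tick box sets.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Copy-EfsFile {
    param(
        [Parameter(Mandatory=$true)] [string] $Source,
        [Parameter(Mandatory=$true)] [string] $Destination
    )
    if (-not (Test-EfsEncrypted $Source)) {
        throw "$Source is not EFS-encrypted; there is nothing to preserve"
    }
    if (-not (Test-EfsCapableVolume $Destination)) {
        # On FAT/FAT32/exFAT the file could only land in plaintext. Explorer
        # would prompt and then strip the encryption; a scripted Copy-Item
        # (CopyFile without the allow-decrypted-destination flag) simply fails.
        throw "Refusing to copy: the volume holding $Destination is not NTFS, so the copy could not stay encrypted"
    }

    Copy-Item -LiteralPath $Source -Destination $Destination

    # CopyFile keeps the Encrypted attribute on NTFS, but re-encrypt explicitly
    # if anything dropped it, then report the final state.
    if (-not (Test-EfsEncrypted $Destination)) {
        [IO.File]::Encrypt($Destination)
    }
    return (Test-EfsEncrypted $Destination)
}

# Usage (placeholder paths):
#   Copy-EfsFile -Source 'C:\Users\alice\secret.docx' -Destination 'E:\secret.docx'
```

The copy on the stick opens only on a PC that holds your EFS certificate and private key, so export and back them up (via Certificate Manager, or cipher /x on XP SP2 and later) before relying on the stick as your only copy; losing the key is as final as losing the drive.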



If you want to store encrypted data on a USB flash drive that uses FAT or FAT32, you might consider using encryption software such as Pretty Good Privacy (PGP), which can encrypt individual files or create an encrypted virtual drive. Once mounted using a passphrase and/or key, the virtual drive behaves like another local hard disk. When you unmount it, the data contained inside is secure, and because the container is just an ordinary file it works on any file system. PGP is commercial software.

GnuPG is a compatible free alternative for encrypting individual files, although it does not have a similar encrypted virtual disk feature. For that you could use TrueCrypt, which will let you create encrypted virtual disks or even encrypt an entire drive.

The following versions of Windows support EFS (the Home editions of XP and Vista do not):

  • Windows XP Professional

  • Windows Vista Business

  • Windows Vista Ultimate

  • Windows Vista Enterprise

Alternative encryption software includes:

Wednesday, 22 October 2008

Remote keystroke logging

Spies no longer have to rely on installing spyware or attaching a hardware keylogger to your computer if they want to monitor what you type. Two Swiss researchers have found a way to do it wirelessly.

If you've heard of Tempest, the name given to attacks (and the countermeasures against them) that exploit the stray electromagnetic emissions of electronic equipment, best known for remotely reconstructing the contents of someone's computer monitor, then you're already close to understanding how it is possible to read keystrokes over the air. We're not talking about wireless keyboards, though. Some of these have already been reported to be insecure because of weak or absent encryption of their radio link; the attack here targets ordinary wired keyboards.

In their preliminary report, Martin Vuagnoux and Sylvain Pasini wrote, "Wired keyboards emit electromagnetic waves, because they contain electronic components. This electromagnetic radiation could reveal sensitive information such as keystrokes."

You can see the eavesdropping in action below.

Tuesday, 14 October 2008

Hacker forum run by FBI

It's the online fraudster's favourite conspiracy theory. A website dedicated to the theft and exchange of stolen information and criminally-oriented software has turned out to be an FBI sting. According to The Register, the recently defunct DarkMarket.ws carder forum has been exposed as having been run by law enforcement officials.

The news first surfaced when public radio in south-west Germany obtained police reports that detailed the operation behind the arrest of a German credit card forger. This was reported on Wired, which says that the sting was started in November 2006.

The site's operator, who used the alias Master Splyntr, last month wrote, "It is apparent that this forum… is attracting too much attention from a lot of the world services (agents of FBI, SS, and Interpol). I guess it was only time before this would happen. It is very unfortunate that we have come to this situation, because... we have established DM as the premier English speaking forum for conducting business. Such is life. When you are on top, people try to bring you down."

Master Splyntr was, it turns out, FBI agent J. Keith Mularski.

Thursday, 9 October 2008

Infected Asus Eee PCs

The Eee Box, the desktop version of the Asus Eee PC, has been sold pre-infected with a virus. According to an Asus press release [Japanese], the following models contain malware, which may attempt to steal online-game usernames and passwords:

  • Model number: EEEBOXB202-B; UPC code: 610839761807

  • Model number: EEEBOXB202-W; UPC code: 610839761814

  • Model number: EBXB202BLK/VW161D; UPC code: 610839530526

  • Model number: EBXB202WHT/VW161D-W; UPC code: 610839531202

  • Model number: EBXB202BLK/VK191T; UPC code: 610839547753

Dancho Danchev has published more details on the Zero Day blog.

Thursday, 2 October 2008

Can rootkits ever be useful?

A security company has developed a tool that aims to protect users from fraud, even if their computers are infected with viruses or other threats. According to Technology Review, Verdasys has developed SiteTrust, which it hopes to license to financial institutions. These in turn would provide software to their customers, who would use it alongside existing security products such as anti-virus and firewalls.

There are two interesting points with Verdasys' approach, as far as I can tell from reading Technology Review's report. The first is the idea that we should assume that everyone's systems are infected with malware. This is a depressing thought, but probably very sensible. The second, and possibly most controversial, is that SiteTrust is "essentially a rootkit."

Verdasys chief technology officer Bill Ledingham reportedly acknowledges the controversy surrounding commercial rootkits, but claims that Verdasys' experience in designing them ensures they won't interfere with a computer's normal use. He also admits that criminals may try to dig even deeper into the system, to undermine SiteTrust, but hopes to stay one step ahead of the hackers.

Remember this: he claims that the rootkit won't interfere with a computer's normal use; and hopes to stay one step ahead of the hackers.

THE PROBLEM WITH ROOTKITS

Rootkits are usually malicious. A rootkit is software that runs at a very low level (typically with kernel or administrator privileges) and hides its own presence, and that of whatever it protects, by hooking or patching the operating system's own reporting of files, processes, registry keys and network connections. Online criminals use rootkits to keep control of victims' computers without being noticed, but sometimes a legitimate company chooses to use rootkit-like techniques to protect data in one way or another. This rarely ends well.

Sony has tried this more than once (the XCP copy-protection on audio CDs in 2005, and software bundled with its MicroVault USB fingerprint readers in 2007) but, in each known case, experts have noted (or even demonstrated) that an attacker could abuse a system with 'legitimate' rootkit technology installed. XCP, for example, hid any file or process whose name began with '$sys$', and malware soon appeared that used that prefix to hide itself. This is the main problem with commercial rootkits. They can provide an opportunity for an attacker. When users don't know that the software has been installed, as was the case with Sony's CD copy protection system, there are additional issues of personal privacy.

There may be a further issue of the rootkit interfering with the computer's normal use, but we'd take for granted that a commercial rootkit would not cause obvious problems to the system. Legitimate companies should have better quality assurance than online criminals, after all. So the main issue in this case is whether or not the rootkit could be used as an attack vector. And we won't know that until someone starts to play with the product in a lab.

Every technology company that deals with security hopes to stay ahead of the hackers, but few would claim (behind closed doors) that they are managing to do this. This is why malware exists and why no responsible company would ever claim to offer 100 per cent protection.

While it is possible that a company like Verdasys could produce a successful product that provides no opportunity for an attacker and that always stays one step ahead of the hackers, it is worth remembering that this aim might fail. And what a juicy target SiteTrust would be, if it did. After all, it is a product designed to secure important financial transactions.

Wednesday, 1 October 2008

Inside The Virus Lab (video)

I visited Symantec's Security Response Center in Dublin to make a short film about what happens between the first time a new threat appears on the internet and anti-virus updates appear on a user's computer.

If you want to see the video please visit Inside the Virus Lab, on Computer Shopper's website.