
What is a convenient write-once medium to use with a computer, preferably via the USB interface?

I often see this use-case in several ways:

  1. I have a server whose logs need to be on a medium that cannot later be erased or changed by an adversary to hide his tracks
  2. There are photos or other media that need to be dumped for long-term archival use without the risk of e.g. the recent "ransomware" trojans that encrypt data and then blackmail the user for money to give him the decryption key

Traditionally a CD / DVD would have catered to at least some of these use cases but now they are somewhat limiting in terms of size / usability etc.

I know SanDisk offers a MemoryVault Product with what they call their "preserve only" mode.

http://www.sandisk.com/memoryvault

But I'm not sure if this is a software protection or at the level of the hardware. What is even more confusing is that their Chronoprotect technology seems to actually allow a certain number of writes and then goes into a Read Only mode which seems weird.

Another option is this Magneto Optical Disk from HP:

http://www8.hp.com/us/en/products/storage-media/product-detail.html?oid=62378#!tab=specs

But that seems a little too specialized and possibly expensive. And I'm not sure how it is better than, say, a DVD.

The ideal combination seems a USB-stick / flash drive with write disabled internally at the controller level on the stick itself so that one doesn't have to depend on any host computer specifics to protect the data and yet the data itself is readable on any generic host / OS so long as standard USB access is allowed.

SD Cards often come with a write protect tab, but unfortunately that seems not mandatory and depends on the host controller obeying the "Read Only" suggestion. e.g. This StackExchange Question: Is the SD card write protection hard-wired or optional?

Also, a write protect tab seems iffy in some cases because it is still subject to a very likely human error. Otherwise I could use something like this USB stick: http://www.amazon.com/Kanguru-Solutions-Flash-Write-Protect-KF3WP-32G/dp/B008OGNMEI/ref=pd_sim_147_2?ie=UTF8&refRID=166NN5XXCH7FBCHNJTXW

PS. I'm assuming my adversaries are only software based. i.e. Let's ignore an adversary who might have physical access to the medium to insert into his dedicated hardware rig.

curious_cat
  • Can off site storage work? Remote backup for photos is pretty secure against ransomware. Something like https://crashplan.com – Neil Smithline Aug 07 '15 at 20:27
  • Yes, off site storage is an option. But I was hoping there was an on-site option. Off siting media can be expensive. And consumes a lot of bandwidth too. – curious_cat Aug 07 '15 at 20:49
  • Your use cases are quite different -- one requires append-only access, the other requires only read. – Ben Voigt Aug 08 '15 at 05:30
  • @BenVoigt : How so? Both logs & a media dump are ongoing appends (or alternatively writes) with any number of reads for retrieval, audits etc. – curious_cat Aug 08 '15 at 09:15
  • One can put it in git and save the hashes. Then you also get a full history in-order – Natanael Aug 09 '15 at 10:25
  • @Natanael Assuming your adversary is smart enough he could modify the git file could he not? Worst case, brute force replay all the git history, replicate the transactions in another git instance (all transactions except the one you want to hide) and then swap the modified git file for the original? – curious_cat Aug 09 '15 at 17:07
  • @curious_cat write down the git hashes. He can't fake those – Natanael Aug 16 '15 at 10:45
  • @Natanael Yes, that works. Essentially you are recommending paper as the write-once medium. :) In a logging application you'd need a person standing by to write down hashes how often? – curious_cat Aug 16 '15 at 17:48
  • @curious_cat or you get a receipt printer to do that hourly? Same effect. – Natanael Aug 18 '15 at 14:25

1 Answer

These WORM (write once read many) devices are by definition inconvenient, and that's why there are very few of them and they are rather expensive. The expensive part is because it has to have hardware support.

You could try doing it on the same system with read-only rights for certain users and harden it with the immutable attribute. Even root cannot delete those files, but an attacker with full access can stop setting the immutable attribute for future files. But in the end, low level writes to the disk could change anything, so software can't be tamper proof.

Even forensics teams that deal with very sensitive electronic evidence use normal drives combined with other physical security measures like storing offsite and using fireproof safes. Keeping multiple copies of evidence and using hashes to prove they were not tampered with is another method they employ. This has the obvious downside that the data being protected is static.

Full disk encryption (FDE) serves the same purpose and that might give you some more flexibility. Although some FDE software offers read-only options on mounted volumes, in certain use cases the whole encrypted volume can be deleted.

My best advice is to send the data over a network to a different device.

  • If you care about logs, Synology offers syslog servers on their NAS devices.
  • Build your own NAS with FreeNAS that speaks syslog.
  • Get a cheap Raspberry Pi and hook a hard disk to it, then sftp any files to it.
  • It can also be done more elegantly with network file systems.

To actually answer your USB requirement, I found a company that sells USB drives with WORM capabilities.

schroeder
Cristian Dobre
  • Why is disabling the write functionality on a USB flash stick controller so hard? Just curious. Is there no easy way of separating the reads from the writes? I guess the writes are OK, it's just the re-writes that are the problem. So you need a hardware controller that never allows you to readdress a location previously addressed, eh? – curious_cat Aug 07 '15 at 20:45
  • `immutable` seems iffy. Just like root can set that bit he can unset it too. If we assume root is secure then in theory even the need for a log store device that cannot be tampered is pretty moot too. – curious_cat Aug 07 '15 at 20:48
  • That's right, you need something smart that manages writes, not some dumb hardware switch that turns writes off like the one on SD cards. – Cristian Dobre Aug 07 '15 at 20:49
  • @curious_cat: `immutable` implementation greatly varies depending on the OS. On BSD systems running at the proper level root will not be able to tamper with `immutable` or `sappend` flags without restarting the server to a lower level. – WhiteWinterWolf Aug 08 '15 at 09:05
  • @CristianDobre: In SD Card, while the switch itself is hardware, its position is only taken into account at the software level (i.e. the OS' driver), so it remains a software protection. [USB write protection](https://security.stackexchange.com/q/4248/32746) on the contrary being handled by the USB key firmware, it doesn't rely on the OS for its protection and is therefore safer. – WhiteWinterWolf Aug 08 '15 at 09:08
  • @WhiteWinterWolf : From what I remember from Linux (CentOS / Fedora) root could set / unset the `immutable` bit from any file at will, any number of times. In practice it only served as one more layer of protection against accidental deletion. i.e. A runaway script by root couldn't damage the file unless it explicitly unset the bit which was hard to do "accidentally". – curious_cat Aug 08 '15 at 09:18
  • @WhiteWinterWolf : Does this work differently in BSD? – curious_cat Aug 08 '15 at 09:18
  • @curious_cat: Yes, on stock Linux (if no SELinux, etc.) root can disable the flag as you said. In BSD systems running at runlevel 1 or higher, such flag just cannot be turned off anymore ([runlevels in BSD](https://www.freebsd.org/cgi/man.cgi?query=securelevel&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html) are completely different than Linux ones). – WhiteWinterWolf Aug 08 '15 at 09:31
  • @WhiteWinterWolf Very interesting! Thanks! Never enabled SELinux. Was always a pain in the ass. – curious_cat Aug 08 '15 at 09:41
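
The hash check mentioned in the answer, combined with the suggestion in the question's comments to record hashes off the medium, as an added example (not code from the post or its commenters): each log entry is chained into a SHA-256 head, and only the periodically recorded heads need to live on paper or a receipt printer. The function names, checkpoint interval and sample log lines are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # constructed starting value for the chain


def chain(entries):
    """Return the running SHA-256 chain head after each log entry."""
    head, heads = GENESIS, []
    for entry in entries:
        head = hashlib.sha256((head + "\n" + entry).encode()).hexdigest()
        heads.append(head)
    return heads


def checkpoints(entries, every):
    """Heads that would be recorded off the medium: {entry_count: head}."""
    heads = chain(entries)
    return {n: heads[n - 1] for n in range(every, len(heads) + 1, every)}


def verify(entries, recorded):
    """Compare a log read back from disk with the off-medium checkpoints.

    Returns None if every checkpoint matches, otherwise the entry count of
    the first checkpoint that does not; the change lies at or before that
    count and after the previous matching checkpoint.
    """
    heads = chain(entries)
    for count in sorted(recorded):
        if count > len(heads) or heads[count - 1] != recorded[count]:
            return count
    return None


# Constructed sample log lines.
LOG = [
    "10:00 sshd accepted key for alice",
    "10:05 sudo alice: /bin/ls",
    "10:07 sshd accepted password for root from 203.0.113.9",
    "10:08 useradd tmpuser",
    "10:30 cron job ok",
    "10:45 sshd session closed for alice",
]
PAPER = checkpoints(LOG, every=2)  # recorded at entries 2, 4 and 6

# A copy with entries 3-4 dropped and the chain rebuilt: internally
# consistent on disk, but unable to reproduce the recorded heads.
REWRITTEN = LOG[:2] + LOG[4:]
```

The interval between recorded heads bounds how precisely a mismatch can be located, which is the trade-off behind the "how often?" question in the comments.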