Secure USB Drive

A new survey has found that 9,000 USB flash drives were forgotten in people’s pockets in the UK last year, when those people took their clothes to the dry cleaners.

Apart from the risk of USB drives being damaged by the dry-cleaning process - and the potential loss of data — there’s the very real risk of the data being intercepted, or handed over to the wrong person when they come to claim their clothes.

So how do you stop your data being taken to the cleaners?  The first step is to check your pockets before you leave your clothes.

The second is use a secure memory Stick that can be centrally managed, like our Cruzer Enterprise range - they are waterproof, so they are built to survive and keep your data safe in adverse circumstances

But even if the worst should happen, and your secure USB drive is damaged somehow, you can quickly recover the data and provision a new drive via the centralised management software.

The UK Government’s data watchdog, the Information Commissioner’s Office (ICO), has said that the UK Home Office broke data protection laws when a Home Office contractor lost a USB flash drive containing unprotected information on thousands of prisoners. 

The thumb drive was lost in August 2008 by an employee of the contractor.  It contained the names, addresses and expected release dates of 84,000 prisoners in England and Wales. 

The ICO ruled that even though a contractor had lost the data, the data controller (the Home Office) was responsible for the security of the information.

 As a result, the ICO has also insisted the Home Office signs a declaration promising to hold personal data securely in the future - which will mean all portable and mobile storage devices which are used to store and transmit information must be encrypted. 

 It’s likely that other Government and public sector organisations will be made to follow this policy - meaning that secure USB flash drives will be widely adopted in the coming year.  Let’s hope this signals the end of large-scale public data losses.

There seems to be no stopping the Downadup Windows Server worm, which some reports are now saying is the worst malware outbreak for 5 years.

 The number of Windows computers infected with the worm - has more than trebled since last weekend to almost 9 million worldwide, from roughly 2.4 million last Thursday. 

The principal targets are corporate Windows servers belonging to small businesses who have not installed security updates released by Microsoft last October.  The worm also uses social engineering techniques to spread via USB flash drives.  

As mentioned in this blog before, this USB attack vector can be stopped with our Cruzer Enterprise secure USB flash drives with onboard anti-virus scanning.  We also recommend users install the relevant Microsoft patch against the vulnerability that the worm exploits.

A number of reports have emerged in the past couple of days, showing that the Downadup Windows Server worm has been spreading quickly since the start of the year. 

 The worm, also known as Conficker, has apparently caused over 3.5 million infections worldwide, with over one million infections this week alone. 

 As reported earlier, the worm uses social engineering techniques to spread via USB flash drives.  If a user plugs an unprotected USB flash into an infected computer, the malware creates an autorun.inf file on the root of the USB drive, which will then autorun or autoplay to infect any unpatched systems.  It also tries to fool users into thinking they are only opening a folder when they are actually clicking to run the worm’s viral payload.

 This USB attack vector can be stopped with our Cruzer Enterprise secure USB flash drives with onboard anti-virus scanning - helping to reduce incidences of infection.

According to a new report, just 27% of the Ministry of Defence’s IT systems meet the Government’s own data security standards, following a review. 

 The Government developed tough data handling sanctions in summer 2008 following a series of high profile data breaches from public sector organisations. 

 Under the new security measures, any USB flash drive, disk drive or laptop containing sensitive information has to be encrypted if it is to be taken out of Government offices - which is a significant, but achievable task, especially if secure thumb drives are used.

 To highlight just how vulnerable an unsecured flash drive is, in summer 2008, the MoD admitted that it had lost 658 laptops and 121 USB memory sticks since 2004 - with some of those lost drives containing military information classed as “Secret”.  So, securing USB drives is a vital first line of defence against data losses.

Ask an IT security expert how they would define security, and they’ll often reply that it’s a state of mind.  Sometimes organisations will take all the right steps to secure their sensitive data, only to be let down by simple human error. 

Unfortunately, this was the case in a prison in England last week.  A visiting health worker lost a USB flash drive that contained medical information of more than 6,000 prisoners and ex-prisoners from Her Majesty’s Prison, Preston.  

The right approach to data security was taken, as the data being backed up onto the flash drive was encrypted.  However, the encryption password was written on a sticky note that was attached to the drive when it was lost.  

There’s a lesson there for every computer user.  Don’t write passwords down near devices that have encrypted data on them.  User education is a key part of any IT security strategy, so it’s important that everyone is aware of behaviour that’s potentially risky. 

And for IT departments, if you do deploy secure USB flash drives, make sure that they are capable of being centrally managed, with software that can terminate lost or stolen drives when the loss is reported, or after a given time interval.  This way, the drive and data is safe against unauthorised use in any event.

Our Cruzer Enterprise FIPS edition secure USB flash drive has been selected for evaluation for Common Criteria EAL2 certification under the Data Protection schedule of the Defense Signals Directorate, Australian Government Department of Defense.  

The Common Criteria is an internationally recognized ISO standard (ISO/IEC 15408) used by government agencies and other organisations to assess the security and assurance of technology products.  Certifications to the standard are recognized in 25 countries around the world, and show the solutions meet the most rigorous security requirements. 

The Cruzer Enterprise FIPS edition caters to the security requirements of government agencies and financial institutions, featuring FIPS 140-2 level 2 certification for encryption (a standard set by the National Institute of Standards and Technologies (NIST)).  

The encrypted flash drive imposes mandatory access control on all files, which are stored in a secure partition that implements 256-bit hardware-based AES encryption. CMC, the enterprise data management software adds a higher level of control to Cruzer Enterprise FIPS edition by centrally managing the drive’s complete lifecycle.

A new Windows Server worm that can spread via memory is attacking business systems.  The worm, called Downadup, attacks the vulnerability outlined in MS08-067, a Windows Server service flaw for which a patch is available.

 The worm launches a dictionary attack to attempt to crack user passwords, and is able to change itself and modify Access Control Lists to make it hard to disinfect.

The worm also propagates on client machines, via USB.  If a user plugs an unprotected memory stick into an infected computer, the malware creates an autorun.inf file on the root of the USB drive, which will then autorun or autoplay to infect any unpatched systems. 

 This USB attack vector can be stopped with our Cruzer Enterprise secure USB flash drives with onboard anti-virus scanning - helping to reduce incidences of infection.

A new report has confirmed what we already suspected:  2008 was the worst year yet for data losses and breaches. 

 The US-based Identity Theft Resource Center (ITRC) has announced there were 646 data breach incidents reported in 2008, a 47% increase over 2007, which was the previous record for the most breaches in a single year.

 The ITRC believes the increase is partly a result of wider use of unsecured USB drives and other portable storage media.  These were the biggest type of incident, accounting for 135 breaches - more than the 91 hacking incidents, or the 95 cases of accidental distribution of data publicly on the Internet.

 Many of these breaches could have been prevented, simply by using secure memory sticks with mandatory encryption to protect data on the move.  And ‘insider’ breaches - where employees take data for unauthorised use - can be tracked and quickly addressed with the right type of centralised management software.

 Is it too much to hope that 2009 will see a reduction in data breaches, for a change?