Secure USB Drive

The personal health records of over 83,000 Canadians have been lost on an unencrypted USB memory stick.

The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The information included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctor’s names and so on. Read More »

This article at leading security portal Help Net Security summarizes 2009 from the point of view of the malware that was found in the wild.

As the piece points out, it was a year in which nobody that uses the Internet could ignore the dangers of malware, whether received by email, from Google’s search results, on social networks like FaceBook or Twitter, or even by direct injection from USB memory sticks, as was the case with Conficker and its variants. Read More »

Another UK council has had to sign an undertaking with the UK Information Commissioner’s Office (ICO) to better safeguard its data after an unencrypted USB memory stick was lost in the post.

The device, lost by Shropshire Council in England, contained personal and health details of vulnerable members of the public, and of members of the council’s own staff who were working in the sensitive adult social care department. It was being sent by post from the council to a contractor in Cardiff.

The ICO said the loss breached the Data Protection Act, and the undertaking the council has signed requires education of staff on data security, and encryption of portable and mobile devices used to store and transmit personal data.

These incidents show the need for always-on, mandatory protection of data written to removable media: protection which is delivered from use of our Cruzer Enterprise range of secure USB flash drives.

It’s been a high-profile year for USB memory sticks: they have been the subject of many headlines thanks to a series of losses and theft incidents, and have been exploited as a new vector for spreading malware across networks (thanks to Conficker and related Autorun-exploiting worms). Read More »

If your car is stolen because you left the keys in the ignition, your insurer would not cover you for the theft because you hadn’t taken reasonable precautions.

Unfortunately, the UK Ministry of Defence has just had a laptop containing defense secrets stolen from its London headquarters, together with the equivalent of the ignition key. The encryption key was taken along with the computer, apparently giving the thief access to the laptop’s files.

This highlights a vital issue in IT security practice, but one that is often overlooked: never, ever leave an encryption key, security token or any indication of a password near the computer it protects. Even if that computer is inside a highly secure building like the Ministry of Defence HQ, there’s still a risk that a curious, or disgruntled, colleague could access the PC and data.

Your safest bet is to probably keep your most valuable data on a secure usb drive - just don’t keep the password laying around.

The UK Government’s former Information Commissioner, Richard Thomas, was recently interviewed by SC Magazine. It makes a very interesting read, especially on what Thomas describes as “politicians, senior civil servants and managers … not understanding the technologies and the risks.”

It also gives an insight into plans to introduce stronger powers for the Information Commissioner’s Office, such as increased notification fees for data breaches for larger organisations, new powers of inspection and much stronger sanctions against companies that have experienced breaches.

New sanctions are also planned to be introduced from next year when ‘a company or government department deliberately or recklessly ignore data protection requirements, and cause serious harm, then they will face a civil penalty’. Thomas explains that this will affect anyone who is a data controller, and there are over 300,000 of them in the UK.

All the more reason for organizations to evaluate their approach to portable data security – and take appropriate action to secure critical information.

A recent survey of London taxi drivers shows that December is the worst time of year for losing mobile phones, laptops and memory sticks.

Apparently some 10,000 mobiles are left behind in taxis every month, and over 1,000 laptops, flash drives and other removable devices too. It’s believed that most of these losses happen because they slip out of peoples’ pockets, or are simply forgotten as passengers rush to their next meeting or destination.

The good news is that London cabbies are more honest than their counterparts in New York:
80% of taxi drivers in London claimed that they had reunited owners with their devices once they were found, compared to just 66% in New York.

Even so, it’s all the more reason to secure any data on these portable devices with encryption – just in case you’re one of the 20% whose device isn’t found.

The Royal Navy has begun an investigation into how a memory stick containing restricted information on Royal Navy manoeuvres and personnel was found in a public car park, close to the mooring of the Navy warship HMS Hurworth in Belfast, Northern Ireland.

Although the device was handed in to police, an attempt had been made to sell the flash drive and its contents to an Irish newspaper – which suggests the contents of the drive were not protected.  The Navy investigation will focus on trying to establish if the data on the drive has been copied.

Incidents such as this highlight the wisdom of the approach being taken by the US military on the re-introduction of flash drives – including measures such as authorised staff being issued with centrally procured, approved, secure USB flash drives, a ban on all personally owned flash media.  This way, users can enjoy the flexibility of flash drive use without the security risks, as the protection is delivered and managed transparently.