It’s a wise precaution to have an amnesty on the use of unauthorized drives, before issuing the appropriate staff with encrypted flash drives – which was the approach taken by healthcare organization NHS Dumfries and Galloway in 2009.

Although the source of the infection has yet to be established, it’s widely suspected that it was introduced via a USB flash drive. It shows that there are still networks which have not had the Microsoft anti-Conficker patches applied: and that USB stick hygiene is still an issue that deserves more attention.

The story, from a leaked MI5 document says that undercover intelligence officers from China’s People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts”. The gifts — such as USB memory sticks and other digital media — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers.

This is yet another example of the use of innocuous-looking devices in an attempt to harvest sensitive or confidential data. The best advice to protect your PC and corporate networks is to use only authorised, secure flash drives, preferably with on-board anti-malware scanning capability, and lock out unauthorised devices. After all, Trojan horses are no longer larger than life and made of wood.

It’s suggested that there are two main reasons for this: the large amounts of identifiable data on patients stored within healthcare organisations, and the sheer number of possible attack vectors, including web-based attacks and attacks from devices (such as infected, unauthorised USB flash drives).

In some territories, such as the UK and Canada, healthcare bodies are rolling out extensive data security measures (such as secure USB drives with onboard anti-virus scanning). This is a sensible and practical response to the increase in data security risks.

The adoption of new regulations is global. For example, Singapore’s banking regulator, the Monetary Authority of Singapore, now requires confidential customer data stored in all types of endpoint devices to be protected with strong encryption – which means banks and related organisations have quickly adopted secure flash drives.

This article looks at the issues driving uptake, showing how companies in heavily regulated sectors have adopted the devices. It covers issues such as the use of software encryption versus hardware encryption, and also quotes SanDisk’s Dror Todress extensively, and our anti-virus partner McAfee on their opinions of the market direction.

This recent attack shows how malicious software has evolved into an advanced weapon that can specifically target companies – even companies as advanced as Google – with the aim of gaining a financial or competitive advantage.

Attackers will try any method available to seed the malware onto a company network, including infecting USB flash drives and distributing them at events, or “losing” them in car parks for unwitting employees to find. That’s why latest-generation secure flash drives, such as our own Cruzer Enterprise range, can also feature onboard anti-malware scanning to nullify this threat.

From April 2010, the ICO will be able to fine companies up to £500,000 (over $800,000) for serious data security breaches. The size of the fine will be linked to size and finances of the organisation at fault, the problems the breach has caused and if it was accidental or deliberate.

This is a significant step up in the ICO’s powers, which were previously limited to public warnings to “name and shame” organisations at fault. Although these were accompanied by signed undertakings that companies would apply new data security measures, such as mandatory encryption of data on removable storage media, the ICO could not previously apply specific penalties.

With impending EU legislation, and many US states adopting versions of the California SB 1386 disclosure laws, organizations found guilty of negligent data handling can expect penalties to increase – so now is a good time to review data security strategies.

In the past few days several news sites have reported on this incident. Most coverage addressed the issue at hand and referred to the SanDisk web site for the resolution. Some reporters and bloggers even approached SanDisk for a response.

However, some of the coverage was simply wrong and has caused confusion in the market.

To reassure SanDisk customers that their existing and future Cruzer Enterprise devices are safe and secure, the following inaccurate claims need to be addressed:

1. “There is an architecture flaw in the Cruzer Enterprise security design which generates  a static unlock code”
There is no architecture flaw in the Cruzer Enterprise security design. As mentioned in previous communications, there was an error in one of the host application algorithms used to generate a random key that is then verified against a derivation of the user password stored in hardware. A fix for this has been made available to customers, and new drives incorporate the updated application.
 
2. “The Cruzer Enterprise relies on a host-side software for verifying the correctness of the user’s password”
Key verification for unlocking the device is done in hardware and not by a software application on the host. The Cruzer Enterprise secure USB drive uses unique random AES encryption keys that are generated on the device during device initialization. These encryption keys are stored in hardware and cannot be extracted from the device.

3. “The Cruzer Enterprise has no measures against Brute Force attacks”
The Cruzer Enterprise secure USB drive is designed to prevent brute-force attacks (“password replay attacks”) by storing the brute-force counter in the hardware cryptographic chip.

Preserving customer security and product reliability continues to be a top priority at SanDisk and SanDisk will continue to work diligently with customers to perform the product update in a timely manner. SanDisk now offers its central management and control system (CMC) free-of-charge for a period of three months to support the updating process in large organizations (for more information please contact ent.support@sandisk.com)

SanDisk is a vertically integrated designer and manufacturer of flash products and has a long standing security practice. This ensures that its security products utilize best-of-breed technologies and hardware as we are not a mere integrator of third-party components.

With offices and manufacturing facilities around the world, SanDisk customers have access to a global distribution and support infrastructure and can be reassured that they are working with the global leader in flash memory cards.

The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The information included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctor’s names and so on.

Perhaps other Governments could usefully follow the lead taken in the UK, where the Information Commissioner has started issuing warnings to Health bodies about the importance of protecting data, with instructions for them to adhere to the UK Data Protection Act. This includes mandatory encryption of data on removable storage media, which is easily delivered and managed using our secure flash drives and CMC management software.

As the piece points out, it was a year in which nobody that uses the Internet could ignore the dangers of malware, whether received by email, from Google’s search results, on social networks like FaceBook or Twitter, or even by direct injection from USB memory sticks, as was the case with Conficker and its variants.

Although it was sometimes unclear what some of the malware was actually intended to do, it’s certain that the primary motivation was malicious, and aimed at financial gain. All the more reason to protect your PC and data against all types of malware.

So, let’s hope for a less infected 2010. And from everyone here at the SanDisk Enterprise Division, have a safe holiday.