Don't Let Thumb Drives Be an Achilles' Heel


Human nature is funny. People go to great lengths to protect their desktops and laptops -- then go on the road with poorly or unprotected thumb drives. This long PC Magazine feature looks at the issue and reviews products that address it.


The most basic step is to use strong encryption. Two products that fit the bill, according to the reviewer, are MXI Security's Stealth MXP and IronKey Personal. In addition to Advanced Encryption Standard (AES) encryption, both destroy data on the drive if a set number of unsuccessful attempts are made to access it. IronKey and SignupShield from Protecteer save user names and passwords for automatic use. Emsi Emergency USB sticks check computers into which they are embedded for malware. The story offers detailed reviews of these product families.


This IT Wales story reports upon and links to a report from the EU Agency for European Network and Information Security (ENISA) on the security status of USB flash drives. It is not a pretty picture. Though it is unclear whether the figures cited cover just Europe or include other areas, it is reasonable to assume that the percentages are similar around the world. The organization says that 80 percent to 90 percent of flash drives sold to businesses are not encrypted and that the devices are not stored or used carefully. Insiders seeking to steal data generally look for flash drives, the report says, because their loss often is not reported because they are small and cheap.


This Small Business Computing piece, which takes a snapshot of the broader area of the insider threat through the eyes of Microsoft, provides some interesting background on thumb drive security. The earliest sign that thumb drives were going to be a security headache came when they were arriving on the scene. Vendors gave them out for free at trade shows and conferences. These often were infected with viruses and keystroke loggers. More recently, the piece says, thumb drives are used by criminals to introduce malware onto laptops by quickly inserting them into machines in public places when the owner is distracted.


A number of the suggestions on customizing thumb drives posted at Varun Kashyap's TechCrazy Blog are cosmetic, such as adding icons. Several, however, deal with security. The blogger suggests write-protecting the drive cuts the danger of importing malware from the host machine. Installing a customer autorun.inf file also helps in this regard. Holding down the shift key while scanning will keep an infected thumb drive from running. The writer suggests using Truecrypt encryption, backing up the drive, and making the drive independently bootable by installing Linux.


This list of security steps at TechMalaya covers some of the same ground, but is worth a look because much of the information is not duplicative. Among the suggestions, the writer counsels users to disable autorun; install a USB firewall; buy a drive with a read-only switch (and, if a drive without such a switch already is owned, hack the registry to prevent write access); install and regularly update ClamWin portable antivirus and USBVirusScan; and make sure that the antivirus automatically scans all locally connected drives.