Is That Portable Device a Data Hazard?
Robert Siciliano Identity Theft Expert
According to a survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. Portable devices that may have troves of sensitive data.
Recent reports of identity data including names, addresses, Social Security numbers on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowed. A company spokesperson said the stolen information was on a portable media device. “It was simple, old-fashioned theft, it was not a hacker incident.” Lovely. That’s just ducky spokesboy.
The survey further reached out to 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners they got a figure of approximately 9000 USBs lost and found annually.
Computerworld reports a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that: USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.
It’s not just lost portable devices that are an issue. Found ones can be scary too.
Dark reading reports an oldie but goodie from Steve Stasiukonis, a social engineering master, he says those thumb drives can turn external threats into internal ones in two easy steps.
When hired to penetrate a network he says “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems”
I did a program recently for a client where I presented in front of other security professionals. I had my laptop set up on the stage with my presentation loaded. The client was introducing me and asked if he could load a quick file onto my laptop to assist in his opening remarks. I inserted the drive for him and my anti-virus went NUTS! Seems his flash drive had a nice little virus on it. His boss, standing right next to him said “that’s why we are phasing out non-military grade security enabled flash drives as soon as we get back.”
I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.
The one I got just plugs in, initializes, then launches a program requiring the user to set up a password. From that point on any time the user has to access the data, a password needs to be entered.
Flash drives can be a security mess. Organizations need to have policies in place requiring secure flash drives and never plugging a stray cat into the network.
Disclosures: I have no financial ties to BlockMaster. I just like this thing.
Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.