Protection...in a flash
Posted on 15 Jun 2007 at 11:13
Davey Winder gives portable security a thumbs up, bemoans Web 2.0 creationists and considers sex online.
My professional interest in IT security overlaps rather neatly with my geeky personal interest in gadgetry, so when I recently gave a keynote speech to a select group of high-level security directors, my theme was the way hackers are using gadgets to further their social-engineering traps. They infect a cheap USB flash drive with a remote access trojan or similar malware, then drop it outside a target office, in the reception area or even at a bar or café known to be frequented by target staff. The trick is called, for obvious reasons, USB seeding. Hackers can afford to seed multiple drives because they've become dirt-cheap, and they can be reasonably confident that one will be picked up and plugged in thanks to human greed and curiosity. One security consultancy assessed a client company by dropping 20 infected thumb drives - 15 of them were picked up by staff and plugged into the network and the trojan activated.
Properly patched PCs and a policy to prevent unauthorised device connection could combat this threat, but such savvy firms are still few and far between. That's why I'm always pleased to hear about a USB flash drive that turns the tables by making security better rather than worse. The only thing I wear around my neck is a Netac OnlyDisk U220, a minuscule slice of black-and-silver loveliness measuring just 53 x 13.5 x 5.5mm and weighing only 13g (it's no thicker than the USB connector itself).
As well as providing 1GB of storage, the Netac keeps my data safe from prying eyes thanks to hardwired 128-bit AES encryption - not just some third-party software solution stuffed onto the drive as an afterthought. If I forget my password my data is gone, at least if I forget it enough times: the default password attempt lockout is set at 255, but I reduce this to a more practical 12 attempts. If the lockout ever did get activated, the entire drive would become unusable, and I'd have to send it back to the Netac R&D team in China to have it reset and reformatted - my data would be lost forever, as it can't be restored during this process. As far as I'm concerned, this is the only way if you really don't want anyone else accessing your data, although for corporate use it might pose the risk of a rogue employee changing the password.
That's why the Stealth MXP USB flash drive I saw at the recent Infosecurity Europe show grabbed my attention. It is, I'm told, the first RSA SecurID Ready portable three-factor authentication device. Yes, that's "three-factor" as in biometric access control, fingerprint and authenticated ownership of the physical device itself. With up to 4GB of 256-bit AES encrypted storage it's pretty impregnable, although unlike my Netac it's huge as a consequence of the amount of hardware packed into it. There's an onboard CPU to do the hardware encryption, which means it has a zero memory and processor footprint when plugged into a remote host PC. Access software provides full control over security policy, deployment and field usage for admins, while the end user gets straightforward "plug in and it's secure" encryption - remove it from the USB connector or reboot the host PC and the stick automatically locks itself down. Each device is bound to its individual user by hardware-based biometric and password authentication, in addition to the RSA SecurID Ready software authenticator, so the business can rest easy if it's lost or stolen.
I'm also intrigued by the imminent release of another flash drive, the Yoggie Pico, which is designed to be a self-contained and portable internet protection device. With 13 security applications pre-installed, it claims to provide full 360-degree security for the consumer market in a rather revolutionary hands-off manner. The Yoggie itself manages the 13 security applications, including handling updates, and is activated simply by plugging into a spare USB port. I'll be sure to report back once I've put this anti-virus, anti-spam, anti-hacker, URL-filtering wonder-stick through its paces.

