Threats

New Security Risks from USB Flash Drives

By Michelle V. Rafter

The latest craze in computer storage, the thumb-sized USB drive, is so convenient and small that it’s become a fashionable accessory. The drives come on key fobs and in such novelty designs as Lego bricks or sushi. They’re given out at conventions and trade shows on lanyards complete with promotional materials you can download later.

But to Internet security experts this fashion trend is a disaster in the making.

USB drives are reusable memory storage devices no more than a few inches long that plug into a computer’s USB port and are commonly referred to as flash drives or memory sticks. They’ve gotten so small and cheap and can store so much data -- up to 20 gigabytes for some models -- they’re literally everywhere. And that’s the problem, according to security experts. The more ubiquitous they’ve become, the greater the chances they’ll get lost or stolen or be used to spread malicious programs.

Their fears aren’t unfounded. USB storage devices have gotten so popular, cyber criminals are starting to write viruses and worms that specifically target them, says Brett Scudder, owner at The IT Security Suite Network, a New York City computer security consultant. That’s dangerous, according to Scudder, because if someone plugs an infected USB drive into their home computer they could inadvertently upload the bug and potentially cripple the machine. “And if they connect to their office network the worm can upload and replicate itself on the network,” he says.

Malware isn’t the only problem. USB drives are so small they’re easy to lose. In 2008, for example, British dry cleaners found an estimated 9,000 forgotten USB memory sticks in people’s pants pockets, according to a recent survey from Credant Technologies, a Texas data security company. In a separate survey, Credant found that more than 12,500 handheld devices, including USB drives, get left behind in taxi cabs in London and New York every six months.

If a lost or stolen USB drive contains sensitive personal information that’s not encrypted or secure -- and a lot of data on USB devices isn’t, according to security experts -- it opens the door for identity theft and other types of cyber crime.

Even though people realize that, they still don’t take the proper steps to keep USB devices safe, says Robert Siciliano, CEO of IDTheftSecurity, a Boston Internet security consulting firm. Either they don’t think it will happen to them or they aren’t willing or able to pay for extra security. “That’s insane in this day and age when data is becoming the new currency for the criminal hacker,” Siciliano says.

Safety Precautions
Protecting USB devices doesn’t have to take a lot of time or money. In many cases, all it takes is some good old-fashioned common sense. Here are security experts’ suggestions for what you can do to minimize the risk that comes with using USB drives:

• Protect your data. Avoid copying sensitive personal data such as your Social Security, credit card or bank account information on a USB device.

• Use encryption. If you absolutely must put sensitive information on a USB device, encrypt it first. Well-known encryption programs like PGP can be downloaded from reliable websites and used to encode information so it can’t be viewed without being decoded first, according to Siciliano, the Boston security expert.

• Use secure devices. Some newer model USB drives have safety features such as fingerprint authentication that protect data from would-be hackers. Other devices have built-in encryption which eliminates the need to use a separate software program to scramble your information, according to Siciliano.

• Pick a storage spot. Because USB drives are so small they’re easy to misplace. Pick a spot on your kitchen counter, dresser or desk and make it your designated USB drive drop spot so you’ll always know where to look for them. Or use the lanyards that come on some devices to hang them up with your car keys.

• Keep home, office devices separate. Don’t use the same flash drives for home and work to avoid accidentally introducing a virus you picked up from an infected device into your company’s office network. Most businesses have policies about what can be plugged into the company network, so if you ever do work from home, it’s advisable to acquaint yourself with your company’s rules, says Scudder, the New York security consultant.

To avoid problems in the first place, be careful where you get your USB drives, Scudder says. Also, make sure to keep the anti-virus software on your computer up to date so if you wind up using a device that attempts to load a virus on your computer, you’re protected. “The threats are out there,” Scudder says, and educating yourself about them is the best safety net.