USB – Unidentified Security Breach!

November 1, 2004

“Burn Your Briefcase!”

“Burn Your Briefcase!” trumpeted a recent cover of Computer Shopper magazine. USB storage devices have arrived and are in the mainstream. 256Mb memory sticks are now available for as little as £25 and 1Gb disks are now available for only £60. That’s the equivalent in storage of nearly 700 floppy disks contained in a tiny solid-state pen drive! Mass plug and play storage is readily available and affordable.

Carrying something the size of a disposable lighter, users can move large data files between office and home, or move them to and from client sites. Or they may simply be used to backup work locally when not connected to the network. With increased homeworking, these devices signify a great opportunity to add to flexible work patterns. No longer is carrying a laptop the only option for those wanting to work outside the office.

Mobile Power

MP3 players, PDAs, digital cameras and smart phones – these devices have also become mainstream as their power and storage capacities increase and their prices drop. They are also very useful and easy to use. E-mail and data transfer on the move is now a reality. Portable personal entertainment is also accepted as part of everyday life.

People can connect these devices to your network using USB – and also using wireless networking, Bluetooth, infra-red and so on. Many devices are ‘Plug and Play’ while some of the more complex may require their own drivers to be installed.

The effect of this revolution is twofold. Firstly, it increases the number of ways people can carry and use mobile data beyond the perimeter of the network. It means an increase in the flexibility and productivity of the workforce. However, it also means a reduction in the effective control of network firewalls and other perimeter defences against the introduction or removal of files – so called “deperimeterisation”. It is no longer accepted that simply battening down the perimeter hatches is enough to protect your network – either from the introduction of malicious (or unlicensed) code or to prevent sensitive data leaking out. The threat is real and well documented.

Plug and Play

Windows XP and 2000 provide native support for USB devices – making them “Plug and Play”. Users can simply plug in the device and the operating system provides native support for it – no need to install device drivers to get access to your device.

If properly managed, this offers a substantial benefit to users. The ability to copy and carry substantial amounts of data legitimately can free up the workforce. Doing so without worrying about installing drivers to make the devices usable provides an easy portable back-up solution. The big question is how to manage the devices.

Easy to Use and Easy to Lose!

There are two main security problems with portable devices. One involves their legitimate use by staff. Being so small, their very convenience means that they are easily lost or stolen.

To quote the sales pitch for one leading USB memory stick – It’s the future of personal storage. Your own portable hard drive right in your hands. Small, powerful and easier to use than your house keys. Alternative, one could say “.easier to lose than your house keys!

I found a memory stick on the floor whilst queuing at a bank in the City recently. I chose to hand it in at the counter – but someone else could equally easily have taken it home and looked at the information on it. The fact that memory sticks are plug and play means examining the data on them is as easy as pie.

In a high profile example, cancer patient records belonging to Greater Manchester Health Trust were leaked last year when a memory stick containing their details was accidentally sold on as new to a third party. The device had been used to back-up a PC during off-site maintenance. The contractor later sold it on as a new device, although quite how this came to happen was not uncovered by a subsequent investigation. Staff were cleared of any intentional breach – but that would be cold comfort had the highly sensitive information been passed to someone with malicious intent. In any event it was a highly embarrassing and time-consuming incident for the hospital.

Mobile phones are now the most common “lost and found” item on public transport. Laptop theft is widespread. Muggers already target mobile phone users and people with portable music players. It is common sense that confidential data is at risk on memory sticks and other mobile devices when taken out of the office.

Data Theft

The other main security issue with these devices is deliberate data theft. You know a problem is getting serious when you see it misrepresented on a prime time BBC drama. Data stolen using a USB drive from a laptop in a pub was central in an episode of Hustle on primetime BBC1, even if the thieves were rather helpfully able to copy the entire hard disk in a matter of moments! The detail may have been wrong but the serious point is that a major threat to your data is now widely known. If a drama scriptwriter knows about it, so will people who want to steal your data!

Both workers and visitors to your office can easily bring in a device that can be used to take large quantities of confidential information. The very flexibility of plug and play USB means portable devices can easily be connected to your network without any protection from your operating system. In fact that plug and play functionality makes life easier for the thieves just as much as it does for legitimate users. Add to that the possible unregulated use of Bluetooth and WiFi connections and you get the picture of the scale of the problem for administrators.

What is more the fact that mobile devices such as MP3 players, PDAs and smartphones are so commonly accepted means that it is just not practical to deny access to your offices to people (including staff) carrying them. It would cause uproar if an employer banned these – and pity the lawyer who had to explain to a client that he has to leave his smartphone at the door!

Besides – a determined thief could easily smuggle in a tiny memory stick to steal data. They could even use the latest James Bond style USB wristwatch – 256 MB of plug and play storage in a normal looking timepiece for around £50! Interestingly the watch is marketed to legitimate homeworkers by saying Transport your files between home and work and never lose a USB key again.” – confirming that lost memory sticks are enough of an issue to make it the watch’s main selling point.

It is also worth noting that programs and data can equally easily be brought into the organisation. So malicious code, spyware and unlicensed software can all elude your perimeter defences. Equally photo, video and music files can all be loaded onto the system – again without any effective control.

Possible Solutions

First the good news – Microsoft has recognised that this is a major security issue and plan to release a solution. Now the bad news – it forms part of Longhorn, the operating system planned to replace XP at the end of 2006! So if you want to rely on Microsoft shipping dates, believe that it won’t drop the feature during development and plan to install the new OS as soon as it is available – then you only have a little over two years of data theft to worry about!

Moreover the solution outlined so far plans to deal with unauthorised use of the parts but I have not seen anything indicating that it will give protection to legitimately used devices that are lost or stolen.

I understand that it is already possible to disable a USB port in XP by altering a .dll file. However it has to be done locally on each machine and involves a crude “on/off” switch; this is simply not practical in a network of any size or in one where USB keyboards, mice, printers or other devices are used. A search of likely topics on the Microsoft Web site fails to reveal any information or advice on how to do it. It would be a brave network administrator who took this one on!

So Microsoft realises that USB access is a big problem and may have a partial solution in a few years. Leading analysts Gartner agree – a report published in July 2004 highlighted the threat posed by portable storage devices.

Gartner advocates adopting suitable software to manage USB ports: “Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB ‘keychain’ drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation,” the report stated.

USB Port Control

As we have already seen, there is currently no viable solution native in Microsoft’s operating system. So we have to look for a third-party solution. Products giving administrators direct control over the ports are surprisingly few and far between.

The longest established product that does this is Reflex Disknet Pro ( – produced by London based Reflex Magnetics – a long-standing supplier of security software to the UK military. Reflex Disknet Pro is managed centrally over the network and provides user profiles to define privileges at the desktop level. Its Port Guard and Removable Media Manager features give administrators highly flexible and powerful controls over what users can and cannot do with removable devices. It allows authorisation of devices down to the individual item thus foiling attempts to fool it with an identical product type. It also provides e-mail alerts if particular activities are attempted. The default profile is also carried on laptops – preventing breaches when the machine is away from the network.

A more recent entrant to the market is SecureWave ( Luxembourg-based, their Sanctuary Device Control offering allows the administrator to determine what I/O devices are allowed and who can use them. It also allows you to define the rules and authorise access, but this time on a less secure device-type basis.

Lost Data

How to control the loss of data when devices being used legitimately are lost or stolen is the second problem. There are significantly more suppliers with solutions in this market space.

Both Reflex Magnetics’ Reflex Disknet Pro ( and SecureWave’s Sanctuary Device Control ( provide USB media encryption. There are some differences in detailed features – eg only the Reflex product provides for decryption remotely without needing a software download. However both products deal with this major issue very successfully.

There are products and hardware solutions focusing only on encryption of removable media. The DESlock+ ( solution is a market leader in secure USB devices. Based on the DESkey USB Token, it also provides a layer of system software that is written to present the token and cryptographic functions as part of the host operating system.

One provider of PDA encryption is Swedish company Pointsec ( Pointsec for Pocket PC provides real-time encryption of all data on both PDAs and all removable media e.g. media cards. All data is stored automatically encrypted without user intervention. Securing increasingly powerful removable media such as PDAs really is a must for any lawyers using them to work on client matters.


Portable devices and removable media are a real boon for flexible working. They also pose obvious and significant security issues. This is a real problem and many security breaches are already happening, unknown to network administrators.

There is no automatic way of dealing with the problem without deploying specialist solutions. With devices getting ever more pervasive and powerful, waiting another two years or more for a fix from Microsoft is just not good enough. Furthermore a solution offering encryption alone is only a partial solution. To provide a complete answer you need to get in control of your ports as well as securing the data on authorised devices.

Jim Davies is Director of GPM – Professional IT Security:

USB watch