Ironic malware-infected USB security blunders


Whether you are interested in truly bizarre USB drives or secure professional USB flash drives, unless you've been living under a rock, it's likely that you own at least one USB drive. USBs are great, but they represent a huge security vulnerability. Malware seems to be everywhere! Here are a few ironic USB security blunders, facts and free encryption software.

McAfee reported rapid growth in malware for the first half of 2010. After cataloging 10 million new pieces of malware, McAfee said that the first six months of 2010 saw the most active growth in malware production in the history of malware. One of the nastiest types of malware involved AutoRun attacks, in which malware is spread from USB or other portable storage devices.

Malware spreading from USB sticks has been a constant thorn in the side of IT departments. There have been some uniquely odd approaches to USB security. Way back in 2006, Los Alamos National Labs glued the USB ports shut after a drug raid at a contractor's home turned up a USB filled with classified nuclear weapons data. The Pentagon went as far as banning USBs in 2008, before lifting the thumb-drive ban for U.S. military troops in 2009.

Due to the popularity of USB drives, IT departments struggle with security to reduce data corruption, the loss of the media and of confidentiality, and virus transmissions. Some of the most ironic security blunders involving USB sticks actually happened within the security community.

In 2008, at the AusCERT security conference, Telstra handed out free USBs with AutoRun malware. Also in 2008, the Hewlett-Packard Security Response Team issued a warning to AusCERT after HP shipped a batch of USBs loaded with malware that could allow an attacker to take over ProLiant servers. In May of 2010, IBM had to own up to all AusCERT security conference attendees that IBM's complimentary USB drives had also included two free extras in the form of malware. IBM pulled a similar accidental stunt in 2002 when its USB drives contained a rare boot sector virus, but at least it wasn't aimed at the AusCERT security conference that time.

In another security-related USB oops, a Panda Security employee plugged her newly received Vodafone HTC Magic into her PC via USB only to discover it distributed Mariposa botnet malware. While Panda Security researched Vodafone's HTC Magic phone, it also discovered a Conficker worm and a Lineage password-stealing piece of malware.

To be fair, there have been many incidents of malware-infected products being shipped to consumers. Malware has been sent with products like cameras, battery chargers, digital photo frames, webcams, printers, cell phones, motherboards or system boards, and hard drives.

According to a Gartner forecast, shipments of USB flash drives were projected to start dropping in 2009. The same prediction stated that there would be 222 million USB units on the market. This means the threat of virus-loaded USBs is not going away anytime soon.

A quick search at DataLossdb shows that USBs are commonly lost or stolen, putting thousands of sensitive records with personal information in the hands of whoever finds or steals them. In 2009, Durham Region Health Department lost a USB containing personal health information for 83,524 people. To date, that is the largest U.S. report of records compromised due to a lost USB.

Encryption may seem like an obvious choice to protect USB flash drives. But even encrypted USBs do not guarantee company or personal data protection. In 2009, USB vendor SanDisk discovered a potential vulnerability in its password-handling Enterprise USBs and issued a security alert.

You should disable AutoPlay if you intend to plug in USBs. You should also password-protect and encrypt your USB. TrueCrypt is the most popular free open-source encryption software. A few other free encryption tools are Rohos Mini Drive, Comodo Disk Encryption, DiskCryptor, and USB Safeguard. Depending on where you weigh in on USB security, there are also USBs that can self-destruct.
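
A check to pair with the AutoRun advice above, as an added example that is not from the original article: this Python script lists the entries in a drive's autorun.inf that would make Windows start a program when AutoRun is enabled. The function names and the sample file contents are constructed for illustration.

```python
import os
import re

# [autorun] keys that make Windows start a program when AutoRun is enabled.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample, not taken from any real drive.
SAMPLE = r"""; constructed autorun.inf
[AutoRun]
open=setup.exe /quiet
icon=drive.ico
label=Conference Materials
shell\explore\command=tools\helper.exe
this line is padding and has no key
[other]
open=ignored.exe
"""

def audit_autorun(text):
    """Return (key, command) pairs from [autorun] that launch a program."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other section, or junk padding
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if LAUNCH_KEY.match(key) and value:
            findings.append((key, value))
    return findings

def audit_drive(root):
    """Audit the autorun.inf in a drive's root folder, if one exists."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            # latin-1 decodes any byte sequence, so odd bytes cannot crash us
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return audit_autorun(fh.read())
    return []

if __name__ == "__main__":
    for key, command in audit_autorun(SAMPLE):
        print(f"{key} -> {command}")
```

An empty result only means autorun.inf holds no launch entries; it says nothing about the other files on the drive.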
