USB devices are getting smaller. That also makes them easier to lose, yet most still have no decent encryption.
Moore's law, popularly paraphrased as computers doubling in capacity and halving in price every 18 months (Moore's own observation concerned the number of transistors on a chip), is one of the most often quoted "laws" of computing. It has also proved remarkably accurate, although there's a certain degree of survivorship bias here, as people seldom remember those "laws" that turned out to be false.
Indeed, on the high street, progress appears even faster. Over the years I've acquired an eclectic collection of USB storage devices of all shapes and sizes. Currently I have a tiny 2GB stick in my wallet that's jam-packed with patches, and a 2GB keyring model that includes a set of security tools and portable applications.
Noticeably absent from any of them is sensitive data. There seems to be an inverse relationship between how easily a device is lost (the smaller it is, the more easily) and how much inherent security it offers. Sure, there are all sorts of encryption options for USB devices, but many of them require administrator rights on the host PC, and their security varies greatly.
In fact the USB device on my keyring includes "built-in" encryption, but any attempts to find technical details or evaluation from the Chinese vendor have been unsuccessful. Why is it so difficult to find portable hardware with decent encryption?
Late last year I received an Ironkey device for evaluation. Ironkey is a relatively new player in the market, and has a refreshingly paranoid attitude towards security. The Ironkey USB device comes in sizes up to 4GB and is built like a tank, both physically and logically.
Ironkey's encryption is built-in and unavoidable; everything on the device is encrypted with AES, implemented in hardware. Ten bad password attempts turn the device into a rather attractive paperweight.
On the physical side, the Ironkey is waterproof (genuinely; mine survived a trip through the weekly wash quite happily) and pretty much indestructible (it also makes a fairly entertaining toy for cats, although such use is probably not covered by the warranty).
Pre-installed is a software suite with a portable version of Firefox and an account with Ironkey's anonymising proxy for web access, plus a handy tool for storing website account details securely (in the custom hardware, not the USB file system). There's also the online "my Ironkey" account that allows password resets, backups and remote locking of lost devices.
The Ironkey will not be perfect for everyone. Windows XP is the minimum requirement, so Windows 2000 users are going to be disappointed. The "ten goes and you're out" security block is hardwired and cannot be reset, so anyone who can borrow the device for a minute can destroy its contents with ten wrong guesses: a clear denial of service issue (though not a disclosure one). There are plans to introduce a corporate version with more conventional password reset channels. The cost, while not excessive, is significantly higher than a standard device of the same capacity. However, on balance, for the security conscious user, it ticks all the right boxes.
Good encryption should not be limited to a small range of USB devices. The desktop world does reasonably; Windows has included file encryption (EFS, if somewhat complicated to deploy properly) since Windows 2000, and there is a mature range of third-party full-disk encryption options. But for mobile phones, easier to lose and more likely to be stolen than laptops, encryption is absent from off-the-shelf models and difficult to implement well with third-party software.
Likewise, finding a PDA with decent encryption is pretty much impossible. There are some options available, but who decided that plaintext should be the default storage method for valuable items that are attractive to opportunistic thieves? Even a simple PIN-protected encryption key would remove much of the risk, provided the device itself enforces a retry limit as the Ironkey does: a four-digit PIN on its own gives only ten thousand possibilities, which anyone who can copy the wrapped key off the device can try offline in seconds.
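To make the point concrete, here is an added toy model (my own illustration, not Ironkey's design or any vendor's code) of the two approaches the column contrasts: a device that keeps the wrapped key inside and wipes it after ten failures, versus a bare PIN-protected key whose wrapped form an attacker can read off the flash and attack offline. The wrapping scheme, the verifier, the salt, the deliberately tiny PBKDF2 iteration count and the PINs are all assumptions chosen so the example runs in a few seconds; a real device would use a hardware AES engine and a much stronger KDF.

```python
"""Toy model of a PIN-unlocked, retry-limited encrypted token.

Added example, not Ironkey's design. It shows why "ten goes and you're out"
only helps when the counter and the wrapped key live inside the device: the
same PIN-wrapped key, once copied off the hardware, falls to a brute-force
search of all 10,000 four-digit PINs.
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10      # the article's "ten goes and you're out"
KDF_ITERATIONS = 100   # assumption: far too low for real use, keeps the demo fast
CHECK_MSG = b"unlock-check"


def _kek(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from the PIN (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _verifier(data_key: bytes) -> bytes:
    """Tag that lets a candidate data key be checked without decrypting storage."""
    return hmac.new(data_key, CHECK_MSG, "sha256").digest()


class Token:
    """Simulated device: the wrapped data key and the failure counter are
    held here and never exposed to the host, so guesses can only go through
    unlock(), which zeroises the key after MAX_ATTEMPTS failures."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._data_key = os.urandom(32)                # key the storage is encrypted under
        self._wrapped = _xor(self._data_key, _kek(pin, self._salt))  # data key wrapped by the PIN
        self._check = _verifier(self._data_key)
        self._failures = 0
        self.wiped = False

    def unlock(self, pin: str):
        """Return the data key on a correct PIN, None otherwise."""
        if self.wiped:
            return None
        candidate = _xor(self._wrapped, _kek(pin, self._salt))
        if hmac.compare_digest(_verifier(candidate), self._check):
            self._failures = 0
            return candidate
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._zeroise()        # the "paperweight" outcome
        return None

    def _zeroise(self):
        self._wrapped = bytes(32)
        self._check = bytes(32)
        self.wiped = True

    def export_blob(self):
        """What an attacker obtains when the wrapped key is stored in plain
        flash with no hardware-enforced counter: salt, wrapped key, verifier."""
        return self._salt, self._wrapped, self._check


def online_bruteforce(token: Token):
    """Guess PINs through the device: the counter stops this after 10 tries."""
    for n in range(10000):
        key = token.unlock(f"{n:04d}")
        if key is not None:
            return f"{n:04d}"
        if token.wiped:
            return None
    return None


def offline_bruteforce(blob):
    """Guess PINs against the exported blob: no counter, so every PIN is tried."""
    salt, wrapped, check = blob
    for n in range(10000):
        pin = f"{n:04d}"
        if hmac.compare_digest(_verifier(_xor(wrapped, _kek(pin, salt))), check):
            return pin
    return None


if __name__ == "__main__":
    t = Token("4271")                       # constructed sample PIN
    print("online search recovers:", online_bruteforce(Token("4271")))    # None: device wiped
    print("offline search recovers:", offline_bruteforce(t.export_blob()))  # "4271"
```

The device-side path and the offline path use exactly the same wrapped key and verifier; the only difference is who enforces the counter. That is the argument for hardware-rooted unlock in the column: a PIN is fine as a user-facing secret only when the guessing rate is policed somewhere the attacker cannot reach.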
It's all very well to complain when a government agency loses CDs filled with personal data in the post, but it would be interesting to compare how much sensitive commercial data is currently sitting on USB devices loitering in wallets and on keyrings. I'm now happy to carry much of my sensitive data with me on my Ironkey. My biggest concern if it gets lost or stolen will now be how to explain to the cat where his new toy has gone.
- Nick Barron is a security consultant.