This past January, the health organization Kaiser Permanente reported a theft of an external hard drive from an employee's car. The hard drive contained data on about 15,500 Northern California patients, including their full names, medical record numbers, and, in some cases, gender, dates of birth, and other info on treatment and care received at Kaiser (but not patients' social security numbers or financial data).
In February 2009, the Obama Administration ushered in the HITECH Act, which, among other things, requires reporting healthcare-related data breaches to the Department of Health and Human Services. Kaiser informed local, state, and federal authorities on December 8, but the employee who lost the drive waited one week to tell her employer. Although the employee was authorized to access the data at work, and was doing work for the company at home, the employee was fired for putting sensitive company information on a personal storage device without permission or proper encryption.
And the Password Is...
Coincidentally, about the same time as the Kaiser Permanente breach, a number of USB drive manufacturers started reporting flaws in the way some of their encrypted drives authenticated passwords. Researchers from the German penetration-testing firm SySS GmbH discovered a weakness in how the passwords for several encrypted USB drives are stored on the host system. The flaw is not in the AES-256 encryption used, but in the way the devices authenticate the passwords.
When a user types a password for an encrypted USB drive, that password is first authenticated on the host computer. If validated, an unlock code is then sent from the host computer to the USB drive. The German researchers found that they could create a script that bypassed the host system and simply sent the unlock code to the device, no matter what password the legitimate user had chosen.
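To make the design problem concrete, here is a small model of both unlock flows, written for this article rather than taken from SySS or any vendor's firmware: the host-checked design the researchers broke, beside a device-checked design in the spirit of IronKey's per-device random keys. The class names, the fixed unlock code, the key-derivation steps and the ten-attempt wipe limit are all constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000
MAX_ATTEMPTS = 10  # assumed retry limit before the device destroys its key


class HostCheckedDrive:
    """Flawed design: the host checks the password, then sends the device a
    product-wide unlock code. The data key never depends on the password."""
    UNLOCK_CODE = b"fixed-product-wide-unlock-code"  # same for every drive

    def __init__(self, password):
        self._salt = os.urandom(16)
        self._verifier = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ITERS)
        self._dek = os.urandom(32)  # held on the device, released on the right code

    def host_login(self, password):  # runs on the PC
        cand = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ITERS)
        return self.UNLOCK_CODE if hmac.compare_digest(cand, self._verifier) else None

    def device_unlock(self, code):  # runs on the drive: compares the code, nothing else
        return self._dek if hmac.compare_digest(code, self.UNLOCK_CODE) else None


class DeviceCheckedDrive:
    """Hardened design: the data key is derived inside the device from a random
    per-device secret and the stretched password, and the device counts failures."""
    def __init__(self, password):
        self._salt = os.urandom(16)
        self._device_secret = os.urandom(32)  # generated on the device, never exported
        self._attempts = 0
        self._verifier = hmac.new(self._derive(password), b"verify", "sha256").digest()

    def _derive(self, password):
        stretched = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ITERS)
        return hmac.new(self._device_secret, stretched, "sha256").digest()

    def device_unlock(self, password):  # runs on the drive
        if self._device_secret is None:
            return None  # key material already destroyed
        dek = self._derive(password)
        if hmac.compare_digest(hmac.new(dek, b"verify", "sha256").digest(), self._verifier):
            self._attempts = 0
            return dek
        self._attempts += 1  # a wrong password yields a wrong key; count the failure
        if self._attempts >= MAX_ATTEMPTS:
            self._device_secret = None  # wipe so the password cannot be guessed exhaustively
        return None
```

The question to ask of any "encrypted" drive is the one the model makes visible: does the key the device releases actually depend on the user's secret, or only on a token the host is trusted to withhold?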
USB Drive Recalls
After the SySS white paper on Kingston drives appeared, Kingston announced a recall of three of its encrypted USB drives: DataTraveler BlackBox, DataTraveler Secure-Privacy Edition, and DataTraveler Elite-Privacy Edition. Users of these devices should contact Kingston for more details.
Shortly after Kingston's announcement, two other manufacturers followed suit. Verbatim announced that its 1GB, 2GB, 4GB, and 8GB Verbatim Corporate Secure and Verbatim Corporate Secure FIPS Edition USB flash drives were vulnerable without a new firmware update. SanDisk said its 1GB, 2GB, 4GB, and 8GB versions of the Cruzer Enterprise CZ22, CZ32, CZ38, and CZ46 drives were also affected and required a new firmware download. The recalls were serious enough that the National Institute of Standards and Technology launched an investigation.
Not All Drives Affected
One USB manufacturer, IronKey, reported that its drives were unaffected. IronKey stores its passwords within the device hardware, not on the host PC, as the affected brands do. "Every IronKey device has unique random AES encryption keys that are generated on the device when a user initializes it," the company said in a press release.
Some of the recalled Kingston, Verbatim, and SanDisk drives were certified by the U.S. government as cryptographically secure. But as with any other security standard, certification means only that the product fulfills the minimum requirements, and doesn't guarantee that the product is secure. FIPS 140 Level 2 certification covers only the encryption used, not necessarily the means of authenticating the user.
Encrypting an external drive, no matter how small, makes sense. In 2009, British security company Credant published its annual USB survey and found that 4500 USB drives (encrypted and not) are left in pockets at dry cleaners in the UK. That's actually good news: The figure is down from 9000 the previous year. The decrease comes from the growing use of mobile devices. However, Credant conducted an earlier study in London and New York that found 12,500 laptops, iPods, and memory sticks are left in taxis every six months.
Unencrypted laptops are more of a problem. A few years ago, an unencrypted laptop and external hard drive containing sensitive personal information for 26.5 million veterans and military personnel from the Department of Veterans Affairs were lost. The equipment was recovered, and a subsequent forensic investigation showed that the records were not accessed--but the potential for data loss still had to be taken seriously.
The VA incident prompted the Office of Management and Budget to require the U.S. government to deploy encryption on laptops and strong authentication on all remote access.
Encryption is becoming mandatory outside the government. In Nevada, businesses may not transfer the "personal information of a customer" without "encryption to ensure the security of the electronic transmission." And in Massachusetts, a new law requires monitoring and encryption of all portable devices for "all persons that own, license, store or maintain personal information about a resident of the Commonwealth."
But if sensitive data must be encrypted, and some encrypted drives are suspect, what choices do you have? Microsoft's BitLocker to Go protection in Windows 7 extends drive encryption to external storage devices, encrypting the entire drive. BitLocker to Go is available only in the Ultimate and Enterprise versions of Windows 7, though the encrypted files can be read (but not written) with Windows Vista and XP.
Another solution is to encrypt any USB drive using the open-source encryption program TrueCrypt. The free program doesn't encrypt the entire drive; rather, it lets you create an encrypted container file on a USB drive, or on an external or internal hard drive, which mounts as a virtual volume once the password is entered. Simply drag the sensitive documents onto that mounted volume.
For data stored on a mobile phone, one option is Lookout Mobile Security; it's currently in beta and free for personal use. While it doesn't encrypt the data on a phone, if the phone is lost or stolen, it will allow the owner to locate the device from any Web connection, sound an alarm (much like a car alarm, for a mobile), or remotely wipe the personal information from most popular mobile devices. It also offers some antivirus, firewall, and backup features, according to the Lookout site.