Protect data with on-the-go drive encryption

Whether on a USB drive or a mobile phone, data is going out the door--but what if the device is lost?

This past January, the health organization Kaiser Permanente reported the theft of an external hard drive from an employee's car. The hard drive contained data on about 15,500 Northern California patients, including their full names, medical record numbers, and, in some cases, gender, dates of birth, and other information on treatment and care received at Kaiser (but not patients' social security numbers or financial data).

In February 2009, the Obama Administration ushered in the HITECH Act, which, among other things, requires reporting healthcare-related data breaches to the Department of Health and Human Services. Kaiser informed local, state, and federal authorities on December 8, but the employee who lost the drive waited one week to tell her employer. Although the employee was authorized to access the data at work, and was doing work for the company at home, the employee was fired for putting sensitive company information on a personal storage device without permission or proper encryption.

And the Password Is...

Coincidentally, at about the same time as the Kaiser Permanente breach, researchers from the German penetration-testing firm SySS GmbH disclosed a weakness in several hardware-encrypted USB drives, which the manufacturers subsequently confirmed. The flaw is not in the AES-256 encryption the drives use, but in the way they authenticate the user: the password is checked by the vendor's software on the host PC rather than by the device itself.

When a user types the password for one of these drives, the vendor's host software verifies it on the PC. If the password is accepted, the software sends an unlock code to the drive. SySS found that this unlock code was the same fixed value regardless of which password the user had chosen, so a short script that skipped the host-side check and sent the code straight to the drive unlocked it every time. Nothing about the legitimate user's password was needed; an attacker needed only physical possession of the drive and the known code.

USB Drive Recalls

After the SySS white paper on Kingston drives appeared, Kingston announced a recall of three of its encrypted USB drives: DataTraveler BlackBox, DataTraveler Secure-Privacy Edition, and DataTraveler Elite-Privacy Edition. Users of these devices should contact Kingston for more details.

Shortly after Kingston's announcement, two other manufacturers followed suit. Verbatim said its 1GB, 2GB, 4GB, and 8GB Verbatim Corporate Secure and Verbatim Corporate Secure FIPS Edition USB flash drives were vulnerable without a new firmware update. SanDisk said its 1GB, 2GB, 4GB, and 8GB Cruzer Enterprise CZ22, CZ32, CZ38, and CZ46 drives were also affected and required a firmware download. The recalls were serious enough that the National Institute of Standards and Technology (NIST), which oversees the FIPS 140-2 validation program under which the drives had been certified, launched an investigation.

Not All Drives Affected

One USB manufacturer, IronKey, reported that its drives were unaffected. IronKey performs the password check inside the device's own hardware, not in software on the host PC as the affected drives do. "Every IronKey device has unique random AES encryption keys that are generated on the device when a user initializes it," the company said in a press release.
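To make the difference between the two designs concrete, here is an added Python model written for this article; it is not code from SySS, Kingston, IronKey, or any other vendor. The first "drive" trusts a host-side password check and hands over its data key to anyone who sends a constant unlock token, which is exactly what the attacker's script replays. The second derives a key-encryption key from the password on the device itself, wraps a random data key under it, and verifies the password on-device, so there is no fixed value to replay. The token value, the PBKDF2 parameters, the retry limit, and all sample passwords are assumptions chosen for the model.

```python
"""Model of host-side vs. device-side password checks for an encrypted USB drive.

Added illustration only, not vendor code. The unlock token, KDF parameters and
retry limit are assumptions chosen for the model; all inputs are constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

KDF_ITERS = 100_000  # assumption; a real device picks its own work factor


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key-encryption key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS, dklen=32)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (used as a one-time-pad key wrap)."""
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Flawed design: host software checks the password, the device trusts a constant token ----

class HostCheckedDrive:
    """Drive firmware that releases its data key to whoever sends UNLOCK_TOKEN."""

    # Same on every drive and independent of the user's password (models the SySS finding).
    UNLOCK_TOKEN = bytes.fromhex("a55aa55a5aa55aa5a55aa55a5aa55aa5")  # assumed constant

    def __init__(self) -> None:
        self._dek = secrets.token_bytes(32)  # data-encryption key held on the device

    def unlock(self, token: bytes) -> Optional[bytes]:
        return self._dek if hmac.compare_digest(token, self.UNLOCK_TOKEN) else None


class HostSoftware:
    """Vendor-style PC utility: checks the password locally, then sends the constant token."""

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._verifier = derive_kek(password, self._salt)

    def unlock(self, drive: HostCheckedDrive, password: str) -> Optional[bytes]:
        if not hmac.compare_digest(derive_kek(password, self._salt), self._verifier):
            return None  # wrong password: only the *software* refuses
        return drive.unlock(HostCheckedDrive.UNLOCK_TOKEN)


def bypass_host_check(drive: HostCheckedDrive) -> Optional[bytes]:
    """Attacker's script: skip the host software and replay the constant token to the drive."""
    return drive.unlock(HostCheckedDrive.UNLOCK_TOKEN)


# ---- Device-side design: the key wrap depends on the password, so nothing constant to replay ----

class DeviceCheckedDrive:
    """Drive that wraps a random data key under a password-derived key and checks it on-device."""

    MAX_ATTEMPTS = 10  # assumption; more failures than this zeroise the wrapped key

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        kek = derive_kek(password, self._salt)
        dek = secrets.token_bytes(32)  # generated on the device, never sent to the host
        self._wrapped: Optional[bytes] = xor_bytes(dek, kek)  # 32-byte wrap under the KEK
        self._tag: Optional[bytes] = hmac.new(kek, self._wrapped, "sha256").digest()
        self._failures = 0

    def unlock(self, password: str) -> Optional[bytes]:
        if self._wrapped is None or self._tag is None:
            return None  # already wiped: the data key is unrecoverable
        kek = derive_kek(password, self._salt)
        expected = hmac.new(kek, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, self._tag):
            self._failures += 1
            if self._failures >= self.MAX_ATTEMPTS:
                self._wrapped = None  # zeroise on too many wrong guesses
                self._tag = None
            return None
        self._failures = 0
        return xor_bytes(self._wrapped, kek)


if __name__ == "__main__":
    old = HostCheckedDrive()
    sw = HostSoftware("correct horse battery staple")
    print("host check, wrong password:", sw.unlock(old, "guess") is not None)
    print("host check, bypass script :", bypass_host_check(old) is not None)
    new = DeviceCheckedDrive("correct horse battery staple")
    print("device check, wrong pw    :", new.unlock("guess") is not None)
    print("device check, right pw    :", new.unlock("correct horse battery staple") is not None)
```

In the first design the drive has no way to tell the vendor's software from the attacker's script, because the only thing it ever sees is the token. In the second, the drive needs the password itself to recover the data key, and the retry counter is what stops an attacker with the hardware from simply guessing; without such a counter the HMAC tag would let an offline attacker brute-force weak passwords, which is why the work factor and lockout both matter.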

Some of the recalled Kingston, Verbatim, and SanDisk drives had been validated by the U.S. government under FIPS 140-2 (Level 2). But as with any security standard, validation means only that the product met the standard's requirements within the boundary that was tested; it does not guarantee that the product as a whole is secure. Here the validation covered the cryptographic module on the drive, while the password check that SySS bypassed ran in the vendor's software on the host PC, outside that boundary.

Missing Media

Encrypting an external drive, no matter how small, makes sense, because portable media go missing constantly. In 2009 the British security company Credant published its annual USB survey and found that 4,500 USB drives (encrypted and not) had been left in the pockets of clothes taken to UK dry cleaners. That's actually good news: the figure is down from 9,000 the previous year, a drop attributed to the growing use of mobile devices. An earlier Credant study of London and New York, however, found that 12,500 laptops, iPods, and memory sticks are left in taxis every six months.

Unencrypted laptops are a bigger problem. In 2006 an unencrypted laptop and external hard drive containing personal information on 26.5 million veterans and active-duty military personnel were stolen from the home of a Department of Veterans Affairs employee. The equipment was recovered, and a subsequent forensic investigation concluded that the records had not been accessed, but the potential for data loss still had to be taken seriously.

New Laws

The VA incident prompted the Office of Management and Budget to require federal agencies to encrypt data on laptops and mobile devices and to permit remote access only with two-factor authentication.

Encryption is becoming mandatory outside the government as well. In Nevada, businesses may not electronically transfer the "personal information of a customer" without "encryption to ensure the security of the electronic transmission." And in Massachusetts, a new data-protection regulation (201 CMR 17.00) requires, among other things, encryption of personal information on portable devices and monitoring of systems for "all persons that own, license, store or maintain personal information about a resident of the Commonwealth."

Encryption Solutions

But if sensitive data must be encrypted, and some encrypted drives are suspect, what choices do you have? Microsoft's BitLocker To Go in Windows 7 extends BitLocker drive encryption to removable storage devices, encrypting the entire volume and unlocking it with a password or smart card. BitLocker To Go is available only in the Ultimate and Enterprise editions of Windows 7, though a FAT-formatted drive encrypted with it can be read (but not written) on Windows Vista and XP through the BitLocker To Go Reader.

Another option is TrueCrypt, a free, open-source encryption program. It can encrypt an entire partition or device, but the simplest use is to create an encrypted volume: a container file on a USB drive (or on an external or internal hard drive) that, once mounted with its password, appears as an ordinary drive letter. Simply drag sensitive documents into the mounted volume; when you dismount it, they stay encrypted inside the container.

For data stored on a mobile phone, one option is Lookout Mobile Security, currently in beta and free for personal use. It does not encrypt the data on the phone, but if the phone is lost or stolen it lets the owner locate the device from any Web browser, sound an alarm (much like a car alarm, for a mobile), or remotely wipe personal information from most popular handsets. It also offers antivirus, firewall, and backup features, according to the Lookout site.

Robert Vamosi

PC World (US online)