The dark side of the flash drive (SillyFDC worm

To most people the USB stick is a humble, innocuous device that does nothing more than help them tote around their most important files.

But to the US Department of Defense (DoD), the USB stick has a dark side - one that criminally-minded hackers are only too eager to exploit.

In late November, the US DoD imposed a temporary ban on the use of flash drives and other removable, recordable media such as CDs, DVDs and floppy disks. The ban applied to users of both the classified and unclassified networks the US military operates.

The order was sent out to help the security staff at the DoD combat the spread of a Windows worm - a self-propagating program. In this case the malicious program was a variant of the SillyFDC worm known as Agent.btz.

This lurks unseen on USB drives and only springs to life when an infected flash drive is inserted into an uninfected PC.

Once installed, the worm does not sit dormant. Instead, it downloads code from elsewhere on the net and stays in touch with its creators.

To scupper the chance that criminals could be using its network resources, the DoD slapped a ban on the use of USB sticks.

But, said Tim Ellsmore, chief executive of security firm 3ami, those restrictions could make it harder for people to get their jobs done.

"A USB drive is an important business tool for a lot of people," he said. The fact that they were cheap, portable and spacious helped an increasingly mobile workforce cope, he said.

But, he added, flash drives did represent a management headache for many companies.

Mr Ellsmore said 3ami regularly helped organisations that have tens of thousands of users who use many hundreds of flash drives every day.

Rogue devices

Few companies had any idea what was being done with those drives or any other removable media, he said.

Research by Israeli security firm Insightix showed that organisations can have large numbers of "rogue" devices joining their networks every day.

The network auditing firm said that, on average, 20% of the devices connecting to a large organisation's network could be classed as "rogue".

"Not all of the unknown devices will be bad," said Mr Arkin, "but if someone did plug one of these devices in you may not be aware of it and that could be a problem."

Unless organisations know who is connecting to their network and what they are using, said Mr Arkin, managing what they are doing is impossible.

"Knowledge is the foundation of good security," said Mr Arkin.

Chris Boyd, head of forensics at Detica, said the roominess of USB drives made them dangerous devices to leave unwatched.

"The reality is that you can easily buy a very high capacity drive that will hold an awful lot of intellectual property or government secrets," he said.

But, he acknowledged, finding the right policy for USB use was tricky. Get it wrong, he warned, and users could resist.

"If a security protocol is a hindrance rather than a help then users will try to avoid it," he said.

Despite this, he said, organisations had to get to grips with managing their networks and what people were doing on them - if only to protect themselves from unwarranted leaks.

"On a well-managed network that's policed properly, it's very difficult for members of team A to access team B's data," he said.

At the least, he said, data on USB drives should be encrypted so that if it does go astray there is not much that can be done with it.

For 3ami's Tim Ellsmore, an active policy of watching what users do on a network is the only answer.

Users, he said, should be reminded of their responsibilities and the efforts companies were making to keep data secure.

"Until you reach the stage where you can see what people in the organisation are doing, you do not have a clue," he said.

"And if you do not have a clue then how do you go about stopping bad behaviour or promoting good?"

(BBC)