Flash-memory devices cause security concerns

Portable storage devices like Sony's Memory Stick are a greater hazard than the notoriously insecure floppy disk, say security experts

USB storage devices and products like Sony's Memory Stick could be a serious security risk, experts said this week.

Administrators have no control over the information that is transferred between one of these high-capacity devices and a corporate network, unlike email and other network traffic. This creates a serious risk because the devices could be used to copy sensitive corporate data from an intranet or release dangerous or malicious files inside a company's firewall.

Louis Oley, managing director of SecureWave, a company specialising in intrusion prevention software, told ZDNet UK on Thursday that Microsoft fails to provide tools within Windows 2000 and XP to effectively manage and control this type of product. He gave the example of an estate agent in Crewe who bought a "new" Sony Memory Stick, but when he plugged it into his PC, he discovered the device contained confidential medical records of cancer patients at a local hospital.

USB drives and Memory Sticks have been growing in popularity during the past few years and are commonly used in products such as digital cameras and PDAs. They can store anything from around 32MB to over 1GB, and are recognised as a removable hard drive by PCs.

Graham Titterington, a principal analyst at Ovum, warns that smaller companies are more at risk from these products than large enterprises. "It opens up the possibility, especially in a small or medium-sized business, for somebody to steal the entire customer database, which they probably couldn't get on to a floppy," he said.

SecureWave will next week launch an updated version of its SecureEXE software, which is designed to restrict users from copying prohibited files to and from removable storage devices.

Titterington, though, believes enterprises could solve the problem by beefing up their permissions policy: "You can stop users gaining access to a file from the access control system, which has nothing to do with the USB port. Management is not effective when you get to the level where you say to a user, 'you can read and print this file but you can't copy it to your USB port'."

Sony's Memory Stick holds the No. 2 market share position, behind Panasonic's Secure Digital range. Last year, Gartner estimated the worldwide market was worth around $2bn (£1.26bn), but it is expected to grow to almost $5bn by 2007.