CIO

USB Secure Flash Drive Product Review

A vast majority of today’s workforce use USB memory sticks; they offer unequalled convenience for transferring data. In most situations, if the data is not confidential, a standard USB stick is quite acceptable, but what do you use if your data is sensitive?

There are many different types of secure portable devices on the market, targeting different security levels and users. Finding an acceptable level of security - choosing the appropriate device - will depend on your needs: a government organisation or high security business will be looking for sophisticated levels of protection, while the average user may simply want to be more secure transferring data via a USB device.

This review deals with products more suitable for the average user, someone who doesn’t want to leave their personal data vulnerable. But it is still relevant to IT departments and managers who issue USB devices to employees - we’ve all had occasion to borrow a colleague’s memory stick to transfer our files.

In this review, we look at six secure USB memory sticks to discover how suitable they are for an office environment, and some of the typical risks they should address.

Standards
Some USB sticks ship with built-in security policies, but these policies are not always validated by a recognised authority. The level of security may be quite acceptable, but it is probably a better option to prioritise products that comply with any of the more widely accepted standards. FIPS (Federal Information Processing Standard - USA) and AES (Advanced Encryption Standard) are two of the main ones. A product with security compliance to these standards will meet your needs. All the products discussed here comply with one of these encryption methods.

Security
Obviously, security is the most important factor in choosing a secure USB stick. So you’d be forgiven for assuming that files (stored or deleted) on a secure device were indeed secure. We undertook some very basic tests using just one freely available open source file recovery product to discover that secure is not always what we assume. The testing revealed some important weaknesses for some devices, while others provide a robust level of file protection.

How we tested
It is important to consider how these devices would be used in an office or home environment. In most offices it is common behaviour to lend USB sticks to colleagues. To interrogate weaknesses related to this behaviour we set up three simple tests.

Firstly, we created two MS Word documents: one that we opened from its location within the device under test (if possible), and a second that was copied to the device without being opened. Both files were then deleted and the device’s password was changed. This mimics the possible behaviour of someone who has given their USB stick to another party. We then plugged the device into a separate computer and scanned it without logging in to the device’s security/password system. No trace of the deleted files should be detected. We wanted to see if files stored in or even deleted from the secure area of the device could be seen by anyone who simply picked up the device, for instance if it had been dropped in the street. The hoped-for outcome of this test was that no files would be found, ensuring privacy.

For the second test we logged in (using the new password) and rescanned the device to see if we could recover the deleted files.  Our aim here was to find out if deleting files from the secure area of the device really did delete them in a secure manner or in the same way as a normal file is deleted and thus easily recoverable once logged in.

The third and final test was to reset or format the device using the options provided in the device menu, and then rescan one last time. This should also remove any trace of the files. If you were planning on giving away your USB stick to a colleague, this method would be commonly used to ensure no data is left behind.
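
The three tests above can also be run without a recovery tool by planting a uniquely marked file, deleting it, and searching the raw volume for the marker in each state. The Python below is an added example, not part of the original review: its function names and the in-memory sample images are constructed for illustration, and it assumes the canary is saved as plain text, because a compressed format such as .docx would hide the marker.

```python
import io
import os
import secrets
import sys

CHUNK = 1 << 20  # bytes per read when scanning a raw volume or image

def make_canary(tag="CANARY"):
    """Unique marker to save in a plain-text file on the device, then delete."""
    return f"{tag}-{secrets.token_hex(16)}".encode("ascii")

def find_marker(stream, marker, chunk=CHUNK):
    """Return the byte offset of every occurrence of marker in stream."""
    hits, tail, base = [], b"", 0
    while True:
        block = stream.read(chunk)
        if not block:
            return hits
        buf = tail + block
        start = 0
        while (i := buf.find(marker, start)) != -1:
            hits.append(base - len(tail) + i)
            start = i + 1
        # Carry the last len(marker)-1 bytes so a marker split across
        # two reads is still matched, without ever double-counting.
        tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
        base += len(block)

def sample_images(marker, size=64 * 1024):
    """Constructed stand-ins for raw reads of one device in three states."""
    unlocked = bytearray(size)
    unlocked[4090:4090 + len(marker)] = marker  # deleted data, still on disk
    return {
        "locked": os.urandom(size),    # test one: ciphertext, no readable marker
        "unlocked": bytes(unlocked),   # test two: freed blocks readable
        "reset": bytes(size),          # test three: marker gone after reset
    }

def run_states(images, marker, chunk=4096):
    """Map each state to True when the deleted canary is still readable."""
    return {state: bool(find_marker(io.BytesIO(img), marker, chunk))
            for state, img in images.items()}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan.py <raw image or volume> <marker>
        with open(sys.argv[1], "rb") as raw:
            print(find_marker(raw, sys.argv[2].encode("ascii")))
    else:
        canary = make_canary()
        print(run_states(sample_images(canary), canary))
```

A hit while the device is locked means a plaintext copy exists outside the encrypted area; a hit only after login means the file was deleted in the ordinary, recoverable way.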

Verbatim Secure ‘n’ Go

Overview
Verbatim’s Secure ‘n’ Go USB stick feels really solid. Its rugged plastic casing gives the impression of being highly resistant to damage. The interface connection is also partly protected by a retractable cover but the socket opening is still uncovered and so is still plausibly prone to foreign debris intrusion.

Installation
When you first plug in the device it takes a while to come to life. We actually had to check to see if it had been inserted correctly. This delay was probably due to the slower initial detection speeds of secured devices, compared with the speed of standard USB sticks that we’re more used to. On subsequent attempts it was detected straight away.

Setup is easy: you only have to enter a password, apply and finish. It then asks you to log in using your new password and the process is complete.

Password Strength
There is no password policy enforced on this device. There are also no password restrictions or warnings about weak passwords. The device allowed the simple and weak password “test” to be used. This could pose a problem if it is lost.

Encryption space
Like most of the other devices in this review, its advertised capacity is 4GB, although the actual available space for storage is 3.71GB.

Files
Add, Remove, Delete
Once you access the device, the mounted drive presents you with a standard Windows Explorer feature set. Navigating is familiar and easy.

Editing files
The device uses Windows Explorer, so editing files stored in the secure area is quick and easy. Changes can be made and saved without fuss.

Access
The device is fully encrypted so cannot be accessed without using the log-in application. Once logged in, the device mounts the storage area as a separate drive. To access this drive you have to navigate back to My Computer and select the F: drive (as it was presented on the test PC). It would have been preferable to see the storage area automatically launch on login.
Once logged in, you stay logged in to the secure area until you either exit using the system tray icon or remove the drive. Closing the window on this device does not lock the secure area.

Security
This device is fully encrypted. Our first test did not detect any files while the device was logged-out.
Once logged-in the second test successfully located the deleted files (in exactly the same way as any other storage device).
Using the ‘reset to factory defaults’ function, the recovery software could not find any files.

Safe Stick

Overview
This is a slim device and, unlike others in this review, it would be possible to use in closely located USB slots. This is a requirement that USB vendors and PC manufacturers often forget.
It could also be quite easy to lose the end-cap on this device, because it doesn’t seem very secure.

Installation
As with most of these devices, installation is simple and straightforward. Windows installs the necessary drivers and you are in business.

Password Strength
The Safe Stick has one of the best password policies of the devices tested. It requires at least eight characters which must be a combination of upper and lower case, and include at least one digit. It won’t allow you to confirm the password until the rule is met. Test1234 or Testing1 are examples of the minimum level of complexity. It also allows special characters (such as Testing1!) to make passwords more secure, but they are not mandatory.

Encryption space
This is one of the smallest devices under review at just 2GB. With the preloaded documents and vault area you have just 1.80GB storage area.


Files
Add, Remove, Delete

Like the other devices, the Safe Stick opens up in a standard Windows Explorer browser and allows you all the functionality you’d expect from Windows.

Edit
Because you are using the Windows environment, editing files on the device is straightforward. It’s exactly the same as editing any other file on your PC.

Access
A great advantage of the Safe Stick is that once you enter your password, the secure file space is automatically opened so that you don’t have to navigate back to My Computer to find it.
If you close the window you can still access it by clicking the icon in the system tray. This reopens the secure space but does not ask for any security details - it is treated as a normal drive once you are logged in. To secure the drive you have to choose the lock option in the device menu or remove the device from the port.

Security
This is a mountable device, so like the others in this review, our first test didn’t detect any files.

Test two correctly revealed the deleted files.

The device has an easy to use ‘reset to factory defaults’ function, so test three was also unable to detect the files.

 

SanDisk Cruzer

Overview
This is physically the smallest device in the review. Fashionable people wouldn’t mind being seen with this on their key ring.
The SanDisk Cruzer is the first of two products in this review that offer both secure and non-secure storage.

Installation
This is simple: Windows installs the necessary drivers and you are up and running.

Password Strength
The security policy on this device requires that you have at least six characters containing both letters and numbers. You are not forced to mix upper and lower cases, and it happily let us use test12 as a password.

Encryption space
The encrypted area does not show up in My Computer; it has its own application interface. The whole drive space is 4GB, and you are offered 3.73GB of storage shared between secure and non-secure areas.

Files
Add, Remove, Delete

The SanDisk Cruzer interface gives you all the drag and drop, copy/paste features you’d expect, and it also has an add files button that allows you to browse your PC to select the required file locations.
We did notice that dragging a file from the non-secure area to the vault area would only copy. The original is left in the non-secure area and has to be deleted as a separate action.

Edit
Opening files in the vault area gives you read-only access. To edit files you must copy them back to your PC or the unsecure area of the memory stick. This could be a little annoying if you are in a rush.

Access
Access to the device is the same as any USB memory stick. This device allows both secure and non-secure storage. To access the secure functionality you have to select the dedicated application and log in.
If you close the vault window you can still access it using the icon in the system tray or the application icon from the non-secure folder. You will have to re-enter the password to gain access.

Security
This device looked good under test until we noted a minor flaw. During the scanning for test one we found the deleted file open in a folder called “to remove”. We were able to recover this file and read its whole content. We repeated this test a further two times, and on these occasions we were not able to find any deleted files, so we have to conclude that it is a secure drive but may not be efficient with its garbage collection. No other files in the secure area were visible.

There is no obvious way to reset the device back to its default settings once it has been set up. It is easy to change the password, but if you were to upgrade and want to pass it on to another user, we would want to reformat it first.

Integral Secure 360

Overview
The first thing we found with this product was that it felt like it should be inserted upside down. The device has a swivel cover with the company logo on one side. Counter-intuitively, when you insert the device the logo has to face down. On some products this wouldn’t be an issue because the case would not allow this to happen, but this one doesn’t really prevent it. Still, it will only fit one way.
It is another product that offers both secure and non-secure storage.

Installation
Again simple and straightforward: Windows installs the necessary drivers.

Password Strength
The device only requires that the password is six characters long. It does not enforce any combinations of upper or lower case letters or numbers, but it does support combinations of these and it also supports special characters.

Encryption space
The device is a roomy 8GB and shares this space between secure and non-secure areas. The actual space offered by the device was 7.45GB due to the software and user manuals onboard.

Files
Add, Remove, Delete

For the non-secure area you have the standard Windows Explorer functionalities. For the secure area the application launches its own interface. You can use this in a number of ways: it has a tree structure on the left side of the screen and the secure folder on the right. You can drag and drop from your PC or from the application itself. Dragging files from the secure area copies files but does not move them. To delete files you can either right click and use the menu option or select and press the delete key - all quite standard.

Edit
Double clicking on a file in the secure area opens it and allows you to edit in situ. The updated file automatically saves as it would in a non-secure location.

Access
Because this is a dual purpose drive, you can access it as soon as it is inserted to the PC. The secure area is accessed via the application.
If you choose to close the application window you will have to log in again via the application to view it - it locks each time on closure.

Security
We thought that this device might be interesting because of its dual functionality.
The first test was the most telling. As you would expect, a device that had just been inserted to a fresh PC reveals no secrets. But after running the recovery software we were able to recover files that had been opened and deleted from the secure area. These files had been stored in the launch bin and there they stayed, fully intact. We were not able to recover files that had not been opened from the secure area. This could be an area of concern if you were to lend the device to someone thinking they had no access to your files.

The second test successfully found both files, as you would expect, and the reset function formatted the drive destroying all data.

Integral Crypto Dual

Overview
This device is different to the others under review: it uses two separate login accounts. These can be very useful if the user is not available or leaves the company. It allows a designated person to access the device in the user’s absence.
The device is a suitable size; it doesn’t impact too much on nearby ports and its rubber casing gives it a robust feel.

Installation
Windows easily installs all required drivers and three drives appear in My Computer: the storage space waiting to be mounted, and the user and master applications. Once the device is set up you only have the one login drive shown.

Password Strength
The master password requirements were the best of the review. The password required 8-16 characters and had to be a mixture of upper and lower case letters, numbers and special characters.
You were also asked to create a user password for the disk that you chose to open. This must be of a similar strength but different to the master password.

Encryption space
The device is 4GB, and it makes 3.67GB available for storage.

Files
Add, Remove, Delete

Just like many of the others, it uses Windows Explorer for its interface. It offers all the same file features and functions.

Edit
Editing files is simple and straightforward, just like in Windows Explorer.

Access
The device gives you the option to login as the master user or a standard user. The secure area window stays available through Windows until you lock the device using the application or remove the drive.

Security
It was particularly impressive against test one: the device wouldn’t even let us select it, let alone scan it. This equates to peace of mind if you were to misplace it. Tests two and three produced satisfactory results much like any of the other devices. If you are logged in you can recover deleted files, and formatting the device successfully removes all data.

Kingston DataTraveler Vault Privacy

Overview
Our immediate impression of this product is that it is bulky and substantial. Unlike some memory sticks this one is unlikely to be lost; it really feels quite robust. The casing certainly is strong with a firm fitting cap. However, its bulkiness intrudes on other plug-in devices.
All data on this product is stored in the secure area.

Installation
Installation was easy - simply plug the stick into a USB port and follow the prompts. There is a slight time lapse the first time the device is loaded (but no worse than any other product). Re-loading was much faster.

Password Strength
The password strength of this device is at the top end of good practice. It requires a password of between 6 and 16 characters, including characters, numerals and special characters, and it will not allow a weak password to be used.

Encryption space
The device tested was 2GB, including the embedded software and user manual. There is no unsecure partition so all of the available storage (1.87GB) is secure.

Files
Add, Remove, Delete

The embedded software and other functions on the device appear as one drive, while the secure area appears as another drive. Access is only achieved after entering the correct password.
Adding, removing and deleting files is easy using Windows Explorer, with all the functionality you would expect.

Edit
Double clicking on a file in the secure area opens it and allows you to edit in situ. The updated file saves normally.

Access
Access to files in the secure partition is only achieved after entering the correct password.
If you choose to close the application window or remove the memory stick from the USB port, you will have to log in via the application again to view it.

Security
This product gives the illusion of security.
Despite deleting the test file in Explorer, it was fully recoverable and fully intact. We were also able to recover files that had been opened in the secure area and deleted, even after the password had been changed. Obviously this is poor. Anyone borrowing this device could potentially access sensitive data thought to be removed from the stick.
The final test was to format the secure drive and try to recover files. Thankfully, it was not possible to do this.

Conclusion
Really, all these devices are functionally very similar. But you do have some variation between those that offer secure and non-secure areas, so users need to be wary about how they use them.
People can mistakenly assume that deleting files on their encrypted device permanently removes every trace of the file. The differences between just six products in this review show that secure devices can be just as vulnerable as ordinary USB devices. Our advice is to choose an accredited product and use the device responsibly - never lend it to anyone.