USB security flaw triggers first FUD laced news cycle of 2010
by Steve Ragan - Jan 12 2010
Now that the cat is out of the bag, and it is known that the authentication method used on certain secure USB devices is broken, there has been a ton of hype and confusion in the news. So much so that NIST is now looking into the matter after being dragged into the hype by the press.
Last week, The Tech Herald published a small article on the Kingston announcement that three of their secure USB drives were being recalled after security researchers from SySS discovered a weakness in the method used to authenticate access to the drive. The Kingston drives in question are DataTraveler BlackBox, DataTraveler Secure - Privacy Edition, and the DataTraveler Elite - Privacy Edition.
Soon after Kingston’s announcement, SanDisk and Verbatim announced problems with some of their secure USB drives, each of them impacted by the authentication flaw.
SanDisk says that their Cruzer Enterprise USB drives are impacted, which include the 1GB, 2GB, 4GB, and 8GB versions of the Cruzer Enterprise CZ22, CZ32, CZ38, and CZ46. Verbatim reports that their Corporate Secure USB and Corporate Secure FIPS Edition drives are vulnerable, and both companies are offering fixes to the problem. Kingston is offering technical support as well, but you will need to call them to work out the details.
Once the Kingston story broke, the news slanted towards the fact that secure USB drives were busted, and that “hackers” could access the data contained on them at will. This simply isn’t the case, and despite the blogosphere’s and technical trade’s opinions on the matter, this is not an issue of broken encryption. This is an issue of how authentication is implemented, and why trusting a computer is a bad idea.
For those curious, the flaw discovered by SySS centers on how the listed USB drives access the encrypted data. To decrypt the data you enter a password, which must be checked before you can do anything with the drive. The process of checking that password is the heart of the problem.
Each device vulnerable to the methods detailed in the SySS research has software that will reside on the host computer to verify the password used to decrypt the drive. This software will send an unlock code if the password is correct. The problem is that the unlock code is essentially the same, no matter the vendor or device. SySS developed an application that will skip the process used by the host software to check passwords, and simply send an unlock code. As you can tell by the number of USB drives listed, they had a decent amount of success with their work.
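To make the design distinction concrete, the following Python model is added here for illustration; it is not Kingston, SanDisk, Verbatim or SySS code and reproduces no real drive's protocol or unlock value. `HostVerifiedDrive` models the design the article describes (host software checks the password, then sends a fixed unlock message the device trusts), and `DeviceVerifiedDrive` models the alternative in which the device itself derives the key from the password, so nothing a host can send substitutes for knowing it. The unlock code, password and payload are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder standing in for the fixed unlock message the article
# says the host software sends. No real vendor value is reproduced here.
STATIC_UNLOCK_CODE = b"UNLOCK-PLACEHOLDER"


def _keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, for the demo only (not a production cipher)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class HostVerifiedDrive:
    """Vulnerable design: the host software checks the password and then sends a
    fixed unlock message. The device only ever sees that message."""

    def __init__(self, password: str, plaintext: bytes):
        self.password_hash = hashlib.sha256(password.encode()).digest()  # used by the host check
        self._key = secrets.token_bytes(32)   # data key stored on the device, independent of the password
        self._ciphertext = _xor(plaintext, self._key)
        self._unlocked = False

    def receive(self, message: bytes) -> None:
        # The device cannot tell whether any password check actually happened.
        if hmac.compare_digest(message, STATIC_UNLOCK_CODE):
            self._unlocked = True

    def read(self) -> Optional[bytes]:
        return _xor(self._ciphertext, self._key) if self._unlocked else None


def host_software_unlock(drive: HostVerifiedDrive, password: str) -> Optional[bytes]:
    """The intended flow: verify the password on the host, then send the unlock message."""
    candidate = hashlib.sha256(password.encode()).digest()
    if hmac.compare_digest(candidate, drive.password_hash):
        drive.receive(STATIC_UNLOCK_CODE)
    return drive.read()


def skip_host_check(drive: HostVerifiedDrive) -> Optional[bytes]:
    """The failure the article describes: a replacement for the host software that
    omits the password check and sends the unlock message directly."""
    drive.receive(STATIC_UNLOCK_CODE)
    return drive.read()


class DeviceVerifiedDrive:
    """Hardened design: the device derives the data key from the password itself,
    so the host never holds anything that unlocks the drive on its own."""

    def __init__(self, password: str, plaintext: bytes):
        self._salt = secrets.token_bytes(16)
        key = self._derive(password)
        self._verifier = hashlib.sha256(b"verify" + key).digest()
        self._ciphertext = _xor(plaintext, key)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def unlock(self, password: str) -> Optional[bytes]:
        key = self._derive(password)
        if not hmac.compare_digest(hashlib.sha256(b"verify" + key).digest(), self._verifier):
            return None
        return _xor(self._ciphertext, key)

    def receive(self, message: bytes) -> None:
        """A raw unlock message means nothing here: there is no unlock state to flip."""
        return None


if __name__ == "__main__":
    payload = b"constructed sample payload"
    print(host_software_unlock(HostVerifiedDrive("pw", payload), "pw"))   # payload
    print(skip_host_check(HostVerifiedDrive("pw", payload)))             # payload: the flaw
    print(DeviceVerifiedDrive("pw", payload).unlock("wrong"))            # None
```

The lesson for anyone evaluating such a product is the one the article draws: anything that runs on the host can be replaced, so a device whose only unlock input is a constant message has no authentication of its own. A device that must derive a secret from the password (or hold a challenge-response with hardware on the drive) does not care what software the host is running.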
This is a design flaw, not a failure in encryption. So when news started to spread that the National Institute of Standards and Technology (NIST) was looking into the matter, more FUD appeared across the wires.
No one thought to ask why NIST is involved, choosing instead to focus on a statement from them that said they are looking into their certification criteria. Most of the recent media reports hinge on the fact that the vendors and products impacted by SySS’s work tout Federal Information Processing Standard (FIPS) 140-2 certification.
Essentially, FIPS is an accreditation standard used to certify encryption algorithms. FIPS 140-2 consists of four levels, most of which deal with the usage of at least one approved encryption algorithm or security function and various degrees of tamper resistance. It is great for a company’s marketing to have a product FIPS certified. At the same time, FIPS is a security guideline, and like other guidelines, such as PCI, FIPS does not mean secure, nor does it promise actual data security.
At no time will FIPS certify that the method used to authenticate the owner of the device is secure. This is up to the manufacturer of the device, and because of that a lot of trust is placed into their hands.
However, scanning the headlines, the larger picture is missing: the focal point of many of the stories online is that three of the larger vendors in the secure USB sector are vulnerable to attack, and as a result, so are their customers. While that is true in a sense, it only skims the surface. Not all of the customers using SanDisk, Verbatim, or Kingston are vulnerable.
Each of the vendors impacted by the SySS research offers other products that can be used for data security. There are other vendors, such as IronKey or SPYRUS, which do not use the vulnerable method of authentication. IronKey, for example, never uses the host system for authentication checks. There is biometric protection as well if you want it.
Still, you are better off using TrueCrypt and a regular USB drive if you have to encrypt data. The only problem is that, because USB drives are easily lost, stolen, or broken, enterprise and government operations ban the use of USB media. Another point missing from the coverage is that several of the larger government agencies, and some enterprises, disable USB access completely across the network.
If you have to encrypt something, spend $20.00 on a normal USB drive and use TrueCrypt. If you have to purchase a secure drive, remember that FIPS 140-2 is a great certification for a product to have, but it is not proof of data security.
The problems in the authentication processes discovered by SySS are the result of solid research. SySS did a great job, both in how they went about the work and reported it to the public. However, the coverage related to their work is quickly becoming the first FUD-based news cycle for 2010.
SySS Report on Kingston
SySS Report on SanDisk
Read more: http://www.thetechherald.com/article.php/201002/5068/USB-security-flaw-triggers-first-FUD-laced-news-cycle-of-2010#ixzz0cROvFd45
Cyberwarfare
Cyberwarfare raises issues of growing national interest and concern.
Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.
A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.
Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.
Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decisionmaking on issues of cyberwarfare.
Tuesday, January 12, 2010