A flaw has been found in competing products to SafeStick. SafeStick does not contain this flaw.
The flaw exposed by the independent penetration testing firm SySS enables any user to access the unencrypted data quickly on all shipped drives from select competitors without the required password.

BlockMaster issues this statement to clearly inform customers and partners that this is not a flaw found in any version of SafeStick.

This is in short how SafeStick works in this aspect (in contrary to the flawed drives)

• The user password is verified within the SafeStick hardware device.
• The password set by the user is what gives access to information stored on SafeStick.

SafeStick password and key procedure in more detail

• Password verification is performed onboard the SafeStick device.
• The SafeStick brute-force protection is also operated within the hardware controller.
• The password entered by the user is hashed in the SafeStick computer host software using MD5.
• The unique password string enters the SafeStick BM9930 hardware controller through a private channel over USB.
• The hashed password string is hashed ones more (SHA256) in firmware onboard the SafeStick device.
• The dually hashed password is used to access the hardware encrypted cryptographic keys created with the random number generator (ANSI X9.31 RNG) onboard SafeStick.
• The unique cryptographic keys are used to encrypt all user stored information with AES256-CBC.
• The SafeStick hardware is fully epoxy encapsulated.

1. Delete Does Not Mean What You Think When it Comes to USB Flash Drives.

When it comes to erasing files the Delete button should really read Hide. This is what we call the FAT recovery issue. You “delete” a file from your USB flash drive or perform a Quick Format to “delete” all files. What this actually does is comparable to placing a sheet of white paper, as an only safeguard, over the stack of sensitive documents left on your desk. It just erases the reference to the file in the FAT, the file allocation table that each drive has. The file itself is still there, just in temporary hiding, since standard USB flash drives have no reset feature. Using FAT data recovery or repair tools anyone can bring your “deleted” secrets into the daylight again. This could mean embarrassment or catastrophe depending on the data stored.

2. Misplacing a USB Flash Drive For Any Amount of Time is a Real Risk.

When a drive is misplaced, or left out of sight, your data might be tampered with. New USB malware threaths spreads this way and even worse is that your stored stuff might have been copied of. You never know, because there is no way telling what has happened when you where off guard. Even if you encrypt your files with a security software the encrypted files could be copied off to perform a what is called a parallel off-line attack with rainbow tables and software tampering software. Even script kiddies can pull things like this off. The files are simply there in the open, available for anyone to fiddle around with given the shortest moment of opportunity.

3. Budget USB Flash Drives Puts Your Data at Risk.

If the USB flash drive was to cheap then the flash component part of your USB flash drive is probably fading away at an alarming speed. 8GB can rapidly tare down to only actually store 7GB and the 6GB, 5GB, 4GB, 3GB. You see the pattern. This will risk the stored files and folders. On the actual flash is where your data is stored. Think of flash circuits like little boards with millions of little miniature switches on them. Each switch tells the computer a story about the data stored on the USB flash drive. Good flash have perfect switches, built to last through a life-time of heavy usage. Low-cost bargain USB flash drives can be equipped with switches that are already broken or will fall off and break after even just one use. This means that the storage capacity of the USB flash drive will die of quickly and that the data stored by the faulty switch will become corrupted. This will mean that the files stored are not secure against data loss. Losing work this way can be costly and very annoying.

4. Your Unsecure USB Flash Drive Can Set of a Computer Catastrophe.

The autorun feature that easily can be copied onto any standard USB drive is like a crazy friend that invites thugs with baseball bats to your house warming party. It has no built in judgment what so ever. Windows Autorun consists of two files. One autorun.inf that is a pointer file directed towards the second, the target executable/program that is to run. And it will run anything, and I mean anything, even Conficker which was the malware that highlighted this security flaw. A malicious Autorun configuration can seriously mess up any computer you stick the drive into. The problem is actually so bad that Microsoft removed the autorun completely for removable storage in the upcoming Windows 7 release.

5. Standard USB Flash Drives Have NO Built in Security Features.

There is no password protection or encryption of the data stored on a standard USB flash drive. This might be OK for the family photos but not for your work related data. If you misplace the unsecure USB flash drive you can cause a breach that sets your company back quite a bit of money. Globally over 20 000 000 USB flash drives where lost just last year so you would, sad to say, be in good company. Of course your organization do not want  to end up becoming a headline for something as easy to lose as a USB stick.

What Should One do to Safeguard Data Stored on a USB Flash Drive?

The easiest and by far most cost-efficient solution is to use a high quality secure USB flash drive. Simply make the switch to SafeStick and instantly it will safeguard your portable data. The NHS, the National Health Service, in the UK  choose to protect its data with over 100.000 SafeStick secure USB flash drives. BlockMaster’s proven solution with SafeStick and SafeConsole (central management software) will solve all of the 5 above problems and furthermore help you increase your productivity with secure portable applications and two-factor authentication.

Policies are left in the drawer to gather dust

Over two-thirds of the agencies in the study had policies in place regarding portable storage security and procedures when transferring records to external parties. 58% had experienced a breach of a agency issued device the past 12 months only half of these featured any security precautions.
The full report can be downloaded here

What has lead to the action from the Privacy Commisioner are concerns after multiple incidents in the UK regarding lack of security for USB storage. The breaches are ranging over the full spectrum of goverment organizations. The UK is well known for having an attitude of publishing and high-lighting breaches, more so than many countries.

Some of the latest high-profile USB breach incidents in UK

UK police lose USB stick with terrorist intelligence data
Council loses data on children on USB key lacking password protection and encryption
Data on 5000 prisoners are lost on unsecure USB flash drive

This post will briefly touch on some of the most common challenges for an IT administrator. The answers explain how our SafeStick secure USB flash drives with SafeConsole the central management console can assist corporations with portable storage.

1. Can we enforce password and storage policies with these secure USB flash drives?

SafeStick will ensure that your decided policy is upheld. The user is prompted on first usage to select a password. The password rules for the policy can easily be set up in SafeConsole. Using the FileBlocker feature in SafeConsole it is possible to ban storage of unauthorized executables and other file formats such as MP3.

2. Security is fine. But is it easy to use and will it always work?

Usability is always in the focus of BlockMaster development. This means that SafeStick has unique support for handling network drives and requires no installations or admin rights. Network drives are known to case trouble with USB devices that have multiple drives (often presented as CD-rom drive and storage drive). The problem presents itself as a conflict between drives which means that the secure drive is unable to mount to the system. SafeStick secure usb flash drives will always work if a standard single USB flash drive works. It only requires two drive letters to be available from A-Z. The SafeStick technology to solving the network drive conflicts is unique.

3. What if my users forget the password to SafeStick and they have critical data stored?

Users will forget their password. Three options are available.
1. Either you first enable Password Recovery in the SafeConsole then you will be able to perform a remote password reset without losing data through a secure challenge response procedure that is unique for your organization.

2. The ZoneBuilder in SafeConsole can be configured to automatically unlock the user SafeStick drive once he is authenticated to his Windows User Account using certificate security. ZoneBuilder is normally used to setup trusted workgroups (zones) which enable a project team to share data without sharing the private password. If ZoneBuilder is activated for automatic unlock on the user account it can prompt the user to change his forgotten password. No data will be lost and the procedure is completely self-service once setup.

3. If SafeConsole has not been deployed the user has the option to Reset the device, meaning that SafeStick will factory reset and all stored data will be wiped and the encryption keys renewed.

It is often a good idea to have SafeConsole deployed in a enterprise setting.

4. Will these secure usb flash drives cause a lot of support cases?

No. It is very low in support and there is a very low error rate on the SafeStick hardware since it uses the highest quality components. With SafeStick the security is always on, there is no way of misusing the product. The usage of SafeStick secure usb flash drives is basically self explanatory and there is no need for end-user training. A instructional card (credit card size) is included and this is normally all that is needed. The software is contained on the device itself and seldom causes problems. This should be compared with software encryption solution that are usually support intense and not easy to work with.

5. Can the solution be updated (patched) and is there ongoing development?

Yes the SafeStick drives can be updated in the field using a self-contained executable. There is also the option of updating SafeStick drives in a enterprise setting with an msi. BlockMaster is continuous developing both SafeStick and SafeConsole, the roadmap is extensive and we always strive to be positioned as an innovator. We work with our technology partners to ensure that our customers are always provided with the best product possible.

Next Steps

Learn More By Downloading Our White Paper on Secure USB Flash Drives
Request a Free Evaluation SafeStick

Prevent conficker autorun, malware infection. viruses and trojans from spreading over USB into your networks with SafeStick features Authorized Autorun and File Blocker.

Problem

Conficker has highlighted the danger of standard removable USB sticks. Conficker implants a malicious autorun.inf on removable media as one modus operandum. Any software encryption or protection of the drive will go lost in the process as the Conficker infection lurks at the host and has the upper hand over the open USB flash drive. Given the unfortunate success for Conficker this is likely something that will be the target for copycat virus hackers and repeated over and over again.

Further more standard devices with or without only software encryption are not able to guarantee data integrity since data can be tampered with, copied, replaced or infected with viruses without user misbehaviour, it only takes one infected host to load up a removable drive with viruses and trojans.

Solution

The onboard anti-malware that SafeStick provides with Authorized Autorun and File Blocker further strenghtens the onboard security beyond automatic AES256 hardware encryption. The unique technology aids the user in protecting the device from becoming a liabillity. Rogues files can simply not be copied onto the SafeStick as File Blocker feature defends it automatically. The File Blocker can also be configured in SafeConsole to put in place data storage policies such as banning certain file formats for storage and disabling installation of unauthorized applications. Applications deployed using the SafeConsole feature Publisher is automatically white-listed.

Authorized Autorun has been implemented since SafeStick 3.1.0 and File Blocker will be part of SafeConsole 3.3 presented at this years InfoSecurity 2009 in London at the end of April (requires SafeStick 3.3.0 or later). Visit BlockMaster at stand P75 for a demonstration. All present SafeConsole customers are eligíble for the update.

Organisations using SafeStick with SafeConsole saves costs on password resets. SafeConsole features ZoneBuilder and Remote Password Recovery streamlines password management. If ZoneBuilder is deployed through SafeConsole to users they are able to reset their own passwords in the most efficient manner ever seen. Once the user is authenticated to the user account ZoneBuilder can be configured to reset the SafeStick password if it detects that the user has previously entered faulty passwords. Just plug the SafeStick in and no further user action is needed, only to choose a new password. For Remote Password Resets the SafeConsole features a simplistic IT staff interface that is protected against social engineering. The end-user can call, e-mail or SMS a request and perform a quick challenge-response procedure typically below two minutes including user verification. No data is lost during the SafeStick password resets and the highest level of productivity and security is maintained.

Offering a simplistic yet secure password reset option is paramount when offering a secure USB drive. According to a Gartner study password resets can cost companies up to up to $18 (£12.35) per call, costs that quickly add up in a large organisation. The cost for not getting access to data is of course more significant as it is also often time critical. The BlockMaster solution will combat costs and give access to mission critical data on time by aiding IT staff to offer a swift self-service option and a secure remote password reset.

Östner continued:
“This USB problem is one of the most urgent matters for IT departments. That is a statement of fact as 33% of IT staff place it at the top of their agenda.

Losing intellectual property on an open, unsecured USB flash drive could be disastrous for any organisation. There are good reasons to protect trade secrets, aggregated data or other sensitive records, as doing so ensures shareholder value, public confidence, and internal productivity.”

Read more directly from the news sources:

BBC report on the Edinburgh incident
SC Magazine full article
Computer weekly full article

Choose a secure enterprise USB

By using the secure enterprise USB SafeStick from BlockMaster you can counter this threat today.

Read more on msnbc.com