IronKey

Mobile Data Security Blog

Home  »  2014  »  August

by

Travel Light and Secure

 

Hi, I’m Peter. I’m a Senior IT guy working for a big, growing enterprise.  I set the strategy and I’m responsible for the execution of IT infrastructure in my organization.   I need to worry about cost, security, and keeping my customers happy. We have pretty solid IT processes leveraging Microsoft tools, so I’m not about to set my IT team on some wild new solution that requires years to integrate. Recently, after a big meeting with the execs on cutting costs, I came across Windows to Go from Microsoft. Here is a solution that is secure, can save tons of money, make my customers happy, and fits into my IT workflow – Freakin’ SWEET!  My CISO stood up and applauded when I presented this to senior MGMT.  Needless to say I’ve become a big fan. In fact, they call me Windows To Go Guy around here. There are so many ways to apply this technology across my organization. I don’t get a commission on this stuff – I just love cool technology that makes sense. Here’s my blog entry:

Disclaimer: This blog is based on real Windows To Go ® use cases.  The character is fictitious to protect the names of our customers.  Any resemblance to actual customers is coincidental and not intentional.

I’m a Windows to Go guy. I carry my workspace around with me in my pocket, wherever I go. I don’t have to worry about hiding a laptop under the car seat. I don’t have to worry about it sliding off the seat during a sudden stop and I don’t need to try fit it under my coat during a sudden downpour.

One evening after work I had promised to stop at the local store to pick up some groceries. In line ahead of me were some military personnel dressed in camo. I noticed one person was carrying her laptop.
“Hey folks, I really appreciate what you guys do for our Country, but tell me, what’s with the laptop in the grocery store-are you expecting an email from the president?” I joked.

The corporal replied, “Military rules- laptops can’t leave our side. We even take them into the bathroom”.

“That stinks,” I replied.  “Let me show you something,” I replied. I whipped out my IronKey Workspace W500™, my PC on a Stick™ and explained that this was my laptop, FIPS secured against the worst imaginable attacker. It is virtually indestructible too, and I intentionally dropped it onto the hard tile floor to make my point.

“I have got to get my hands on one of those” she said.

“You are right about that, we can make your next bathroom or grocery stop a much more pleasant experience.” I replied.

by

Day One IT Integration for Mergers Using Windows To Go

 

A good friend of mine heads up IT for a successful Silicon Valley networking company. I met him for a beer recently and he looked as down as I’d seen him when his company was dealing with the Heartbleed issue. His company had just gone through a painful acquisition of a global high tech company and he was responsible for ensuring a smooth day one transition. As you know on the day of the acquisition, all the new employees need to have email access, intranet access, connections to corporate servers, VPN access, corporate wireless etc. They also need to continue accessing their existing services to make sure there is no disruption of the business. It can be an IT project management nightmare and my friend had miraculously pulled it off without a hitch.

“Why so blue, Superman?” I asked. “I hear you are the hero of IT!”

“Yeah, but guess what? We just announced another acquisition with 1000 employees, and this one closes in 6 weeks!” he replied. “Never fear, my friend. Let me buy you another beer and introduce you to my workspace in a pocket, PC on a stick,” I said with confidence.

I proceeded to lay out the following plan. Suppose you configure 1000 Windows To Go devices that provide all the applications, access tools and rules, and even personalized documents welcoming each new employee. Then on day one you welcome everyone to the new company and hand them their Windows to Go devices. They plug these into their existing work computers and, voila, they are fully operational on their new corporate systems. But they still need to access their old systems to do their day job. So, you unplug your PC on a Stick™  device to access your old system and plug it back in to access the new. Now, IT can do a step-wise conversion of groups and departments over the next weeks and months starting with the highest priority groups.

“I’m buying the beers…” he replied as a grin came to his brightened face. “This hero stuff is getting easier all the time!”

by

Standing Room Only: BadUSB at Black Hat

 

Our special guest blogger is Chris Louie, an IronKey sales engineer, who joined the company in 2011. 

As I took my seat in the packed Black Hat ballroom, I could sense the level of concern as everyone anxiously awaited the findings on BadUSB. Attacks against USB flash drives are nothing new, but they’ve always centered on the data being compromised or leaked.  Now we’re about to learn about a radically different type of attack. Suddenly the lights dim and the session title flashes across the screen: “BadUSB – On accessories that turn evil” presented by the authors of the malware.

Immediately, things looked bleak for security-minded professionals everywhere. A new type of threat has emerged! Malware is no longer relegated to only files stored on USB flash drives, but can now reside in the controller firmware inside the USB flash drive. And to make matters worse, it doesn’t just affect USB flash drives, but any USB device that has the ability to update its firmware, such as Android-based phones and tablets. BadUSB also has the ability to trick the computer into thinking a flash drive is a mouse or keyboard. Once a computer is infected, it will attempt to infect every USB device that connects to it in the future.

Now if that’s not enough to keep CIOs and CISOs awake at night, the malware authors state that there is currently no mechanism to detect or remove BadUSB from affected devices and computers. It acts as a launch pad to attack computers with the malware author’s attack of choice. Installation of Remote Access Trojans, key loggers, DNS cache poisoning, botnet creation and ransomeware are just a few of the cyber-criminal tools that can be deployed with the help of BadUSB.

Fortunately, not all is lost! BadUSB takes advantage of a commonly found practice in the flash drive industry: the vast majority of USB devices do not require digitally signed code in order to do a firmware update. Since day one, every IronKey device has followed the best practice of requiring digitally signed code for firmware updates to protect against this exact type of attack vector.

During the Q&A session with the malware authors, someone asked if requiring digitally signed code for firmware updates would protect a USB device from this attack.  The audience were assured that those devices are not vulnerable to this attack.

So get rid of that potentially dangerous flash drive and upgrade to a secure flash drive that cannot get infected with BadUSB.

 

 

by

Perspective on BadUSB

 

We recently learned that security researchers Karsten Nohl and Jakob Lell of Security Research Labs plan to present their research at Black Hat next week which consists of proof-of-concept malicious software called BadUSB. The premise of the BadUSB attack appears to be that you can change the firmware of the USB device. A fundamental feature of IronKey high security products is that changing the customized firmware is not possible. IronKey devices have digitally signed firmware with verification on start-up. If the firmware is tampered with, the device won’t function. This countermeasure has been validated by NIST in IronKey FIPS 140-2 Level 3 devices

Once the research is released we will carefully review to ensure there are no potential risks. We will then issue a statement. In the meantime if you have any questions please email securitysales@imation.com.