Archive for the 'IronKey' Category

What Happens to your Digital Assets, and all your Passwords, When You Die?

Thursday, April 29th, 2010

When you die, what will happen to your digital assets? Importantly, what will happen to your passwords and online accounts? Some of these need to be handed over to work colleagues. Some of these need to be handed over to spouses and children. Some may need to be handed over to your estate attorneys. And some may just die with you.

There are many complex issues regarding data privacy, disclosure, rights management and the crypto and business systems that need to align underneath.

The day after the Internet Identity Workshop, Phil Windley is hosting “Digital Death Day”, a workshop that is going to examine these questions, and discuss proposed solutions and technical and legal hurdles.

Navy Vice Admiral Discusses The Use of Approved Secure Removable Storage Devices at the Department of Defense

Friday, February 19th, 2010

In November 2008, the US Department of Defense banned the use of USB flash drives and other removable media on all Defense Department networks, after a DoD network was infected by a USB flash drive that had autorun malware on it.

Today, Navy Vice Admiral Carl Mauney, deputy commander of the United States Strategic Command said: “After extensive testing of mitigation measures, DoD decided to make this technology available again on a strictly controlled basis on DoD computers. Since the order restricting use of removable media, DoD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

An article at Government Info Security lists the requirements for using removable storage devices in the Department of Defense:

  • Employing approved procedures and hardware that prevent unauthorized use, and scan, clean and wipe the devices removing malicious software.
  • Restricting use to operational mission requirements
  • Allowing only properly inventoried, government-procured and -owned devices for use in Defense Department information systems.
  • Prohibiting personally owned devices on all military networks and computers.
  • Banning use of DoD-procured and owned devices on non-government networks or computers without authorization from an approval authority.
  • Using flash media only as a last resort to transfer data from one location to another and only when other authorized network resources are not available.
  • Subjecting randomly selected users and drives to periodic audits.
  • Requiring combatant commands, services, and agencies to establish their own approval authorities for determining whether selected flash media may be used within their individual organizations.

In an interview published by the Armed Forces Press Service today, Navy Vice Admiral Mauney said active operations in Afghanistan, Iraq and elsewhere will get priority in implementation of the new guidelines. “In terms of the mechanics, we’ve put together several small kits of the equipment that’s needed and we’ll be transitioning those to people out in the theater – in Afghanistan in particular – to help certain groups facilitate their use,” he said. The kits will contain hardware and software to ensure the safe use of removable media, including the required anti-malware scanning capabilities.

Pentagon Lifts Removable Media Flash Drive Ban

Thursday, February 18th, 2010

InsideDefense.com and Wired.com today reported that U.S. Strategic Command (STRATCOM) has lifted last year’s ban on the use of removable storage devices inside the Department of Defense.

USB flash drives and other removable storage devices were banned by the DoD in November 2008 after a military network was infected by the Agent.btz worm, which was introduced into the network from a USB flash drive.

The Wired.com article is incorrect in its assertion that STRATCOM has not addressed the problem of spreading viruses from removable media devices. IronKey and other vendors of hardware encrypted secure storage have been working with Joint Task Force – Global Network Operations (JTF-GNO) at STRATCOM to develop technical and operational requirements for preventing malware from infecting removable storage devices, and from migrating from devices onto networks.

IronKey partnered with Tresys who has a File Sanitization Tool designed to clean devices from malware when moved between different government networks.

IronKey Enterprise devices also feature an anti-malware scanner, to ensure that files stored on IronKeys do not have malware. IronKey devices also have active anti-malware capabilities preventing tampering with the autorun.inf on the device, which prevents malware from spreading from devices onto host computers.

Serious Vulnerability Found in “Secure” USB Storage Devices – IronKey Customers Are Safe

Wednesday, January 6th, 2010

This week there has been a flurry of reports and research papers that illustrate serious security vulnerabilities in numerous supposedly “secure” hardware-encrypted USB flash drives. The vulnerability, discovered by German security firm SySS, is that passwords on the affected devices are actually verified in software on the host. SySS researchers wrote a trivial tool to patch out the password verification code. This tool can instantly unlock any “secure” USB flash drive with this vulnerability.

IronKey security analysts have carefully reviewed the details of the security vulnerability, and we have determined that IronKey customers are safe. All data on IronKey devices is protected from this vulnerability.

The affected devices include:

  • SanDisk Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB
  • SanDisk Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
  • SanDisk Cruzer® Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
  • SanDisk Cruzer® Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
  • Kingston DataTraveler BlackBox (DTBB)
  • Kingston DataTraveler Secure – Privacy Edition (DTSP)
  • Kingston DataTraveler Elite – Privacy Edition (DTEP)
  • Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
  • Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB

This vulnerability is essentially that there is a common backdoor password that can unlock any of the above affected devices, without knowing the user’s password to the device. It means that millions of supposedly “secure” storage devices are basically compromised.
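To make the design lesson concrete, here is an added toy model (not code from IronKey, SySS, or any of the affected vendors) that contrasts the two places a password check can live. In the first design the host software verifies the password and then sends the controller a fixed unlock token that is identical on every unit, so the controller never learns the password and accepts the token from any code path, whether or not the host check ran. In the second design the controller itself derives the data key from the password and checks a stored key-check value, so there is no host-side decision to skip. All names, the token, and the password are constructed for the example.

```python
"""Toy model of two unlock designs for a hardware-encrypted USB drive.

Added illustration for the SySS finding discussed above; it is not code
from IronKey, SySS or any affected vendor. The 'drive' classes stand in for
the device controller; the functions outside them stand in for host
software. Every value here is constructed for the example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000
# In the weak design this token is the same on every unit (constructed value).
SHARED_UNLOCK_TOKEN = b"constructed-shared-unlock-token"


class HostCheckedDrive:
    """Weak design: the host verifies the password, then sends a shared token.
    The controller only knows the token, so it cannot tell a real password
    check from a host that simply skipped it."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        self.unlocked = False

    def host_check_password(self, password: str) -> bool:
        # Runs on the host, outside the device's trust boundary.
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def controller_unlock(self, token: bytes) -> bool:
        # Runs on the controller; it has nothing but the shared token to compare.
        self.unlocked = hmac.compare_digest(token, SHARED_UNLOCK_TOKEN)
        return self.unlocked


def weak_host_unlock(drive: HostCheckedDrive, password: str) -> bool:
    """Host-side unlock flow for the weak design."""
    if drive.host_check_password(password):
        return drive.controller_unlock(SHARED_UNLOCK_TOKEN)
    return False


class ControllerCheckedDrive:
    """Hardened design: the password goes to the controller, which derives the
    data key from it and compares a key-check value stored at provisioning.
    Without the password there is no key, so bypassing host code gains nothing."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        key = self._derive(password)
        self._kcv = hmac.new(key, b"key-check", hashlib.sha256).digest()
        self.data_key = None  # populated only after a successful unlock

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)

    def controller_unlock(self, password: str) -> bool:
        key = self._derive(password)
        kcv = hmac.new(key, b"key-check", hashlib.sha256).digest()
        if hmac.compare_digest(kcv, self._kcv):
            self.data_key = key
            return True
        return False


def demo() -> dict:
    """Exercise both designs with the constructed password 'correct horse'."""
    weak = HostCheckedDrive("correct horse")
    strong = ControllerCheckedDrive("correct horse")
    return {
        "weak_right_password": weak_host_unlock(weak, "correct horse"),
        "weak_wrong_password_via_host": weak_host_unlock(weak, "wrong"),
        # The controller accepts the shared token no matter what the host decided.
        "weak_token_without_host_check": weak.controller_unlock(SHARED_UNLOCK_TOKEN),
        "strong_right_password": strong.controller_unlock("correct horse"),
        "strong_wrong_password": strong.controller_unlock("wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is where the decision is made, not the strength of the hash: the weak design uses the same PBKDF2 as the strong one, yet the controller's only input is a value shared across units, so the password check is not part of the device's security boundary. A review of any "hardware encrypted" product should ask what the controller receives and whether that value alone is enough to open the drive.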

The concerning thing to many people is that several of these “secure” USB thumb drives have received FIPS 140-2 Level 2 security validation from NIST, meaning that government agencies can use them.

IronKey has posted a detailed questions and answers page on our website. We discuss the details of the security vulnerability, and how IronKey customers are protected from it. We also discuss how the affected products could have achieved FIPS 140-2 Level 2 validation, yet have such a fatal, disastrous security flaw.

Enterprises and government agencies that protect sensitive data using products from companies that primarily produce consumer memory sticks for cameras and MP3 players should perhaps consider buying products from firms that specialize in security.

Graham Cluley at Sophos wrote an insightful blog posting about this vulnerability, calling it “shameful”.

Conduct Online Banking From A Dedicated PC?

Sunday, January 3rd, 2010

NACHA, the American Banker’s Association, and the FBI are advising businesses to conduct commercial online banking transactions only from a dedicated PC that has a hardened operating system and is unable to do web browsing or email.

You can read more about it in this USA Today article.

I think this is an unreasonable security model, because firstly, if a computer is unable to do Web browsing, how will the finance manager access the bank’s corporate banking website?

Second, NACHA and the ABA recommend customers receive out-of-band confirmation of payments (e.g. email confirmations). If the banking terminal cannot receive these emails, is it likely that finance professionals will be doing this reconciliation?

Thirdly, this model breaks the finance workflow. Finance professionals routinely need to have an Excel spreadsheet or other document open in order to know which payments to initiate.

At IronKey we have been working on virtualized operating system solutions that run off the IronKey devices, and leverage the on-board two-factor authentication and other security services, in order to create a secure and cost-effective solution. Look for more information later this month.

2009 – A Year of USB Security Challenges and a Look To The Future

Monday, December 14th, 2009

Today Dan Raywood at SC Magazine published an article about USB memory stick security challenges, and future security trends for these portable devices.

In 2009 we saw a continued escalation in reports of data loss and data theft of portable storage devices. We also saw an explosion in malware that used removable storage and Windows autorun to spread between computers and disconnected networks.

In 2009 the major vendors of secure hardware encrypted USB flash drives have added a variety of active on-board anti-malware capabilities combined with remote management software and services.

In my interview with Dan, we discussed the future of secure removable storage. Where we see these going is toward bootable and virtualized environments running from these increasingly intelligent devices.

My Interview on CBC Radio – Spam, Scams and Holiday Sentiments

Monday, December 14th, 2009

Listen to my interview with Dan Misener of the Canadian Broadcasting Corp (CBC) from this Saturday December 13, 2009. We discuss holiday e-greeting card email scams, malware, phishing and Internet fraud.

http://www.cbc.ca/spark/2009/12/spark-95-december-13-15-2009/

Only 38% of Business Technology Professionals Encrypt Mobile Devices!!!!

Tuesday, November 24th, 2009

A survey by InformationWeek Analytics on the state of encryption inside enterprises yields a surprising and scary result. Only 38% of the companies encrypt data on mobile devices like USB flash drives and smartphones. 31% say that their level of encryption, or lack of it, reflects doing only the bare minimum needed to meet regulatory compliance.

This highlights a couple of very critical industry issues.

1. Encryption of data is not adequately understood.
2. The risks of data loss are not correctly being analyzed
3. Encryption systems are disjointed and not broadly interoperable

So, as usual, it's a combination of product issues and educational awareness.

UK Data Losses Double in 2009. Lost USB Flash Drive, Laptops and CDs

Tuesday, November 3rd, 2009

The UK Information Commissioner reports that there were 356 data loss incidents reported to it, compared to 190 for the previous 12 months. It’s amazing that the UK still has a long way to go to standardize on hardware encrypted memory sticks and encrypted laptops.

USB Driver Bugs Could Be An Attack Vector

Friday, October 30th, 2009

MWR Labs has published some information about research that they’ve been doing into USB driver vulnerabilities on various operating systems. For example, they have been using USB enumeration commands, which occur whenever you plug a device into a computer’s USB port, to try and cause buffer overflows on the host computer. So far it looks like they’ve been able to crash a Linux computer by exploiting a buffer overflow in a Linux USB driver. They theorize that such attacks might be able to actually modify code or insert code into a computer to allow an attacker to get onto the host.

Proof that you should only use tested and secure USB devices from major vendors like IronKey. A generic USB device could actually be an attack device. Also, it shows that drivers need to have some security reviews on them!
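The driver-side lesson from the MWR Labs work is that everything a device sends during enumeration is untrusted input, including the length fields inside its own descriptors. The following added example (not MWR Labs' research code, and not any operating system's driver) walks a USB configuration descriptor set the way a defensively written host parser should: every descriptor's bLength is checked against the bytes actually received before anything is copied, and the config descriptor's wTotalLength must agree with the buffer. The three descriptor buffers are constructed for the example; one is well formed and two carry the kinds of inconsistent lengths a review would look for.

```python
"""Length-checked walk over a USB configuration descriptor set.

Added example (not MWR Labs' code, not a real driver): every USB descriptor
begins with bLength and bDescriptorType, and a host that trusts bLength from
the device can read or copy beyond the buffer it allocated. This parser
treats the bytes as hostile and rejects inconsistent lengths before use.
The sample descriptors below are constructed for the example.
"""
import struct

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT = 2, 4, 5
# Minimum sizes from the USB 2.0 descriptor layouts.
MIN_LEN = {DESC_CONFIG: 9, DESC_INTERFACE: 9, DESC_ENDPOINT: 7}


class DescriptorError(ValueError):
    """Raised for any descriptor whose lengths do not fit the received bytes."""


def parse_descriptors(buf: bytes) -> list:
    """Return [(bDescriptorType, raw descriptor bytes), ...].

    Never reads past len(buf), whatever the device claims, and never
    advances by less than 2 bytes, so a zero bLength cannot stall the walk.
    """
    out = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < 2:
            raise DescriptorError(f"truncated descriptor header at offset {off}")
        blen, btype = buf[off], buf[off + 1]
        if blen < 2:
            raise DescriptorError(f"bLength {blen} too small at offset {off}")
        if blen > remaining:
            raise DescriptorError(
                f"bLength {blen} exceeds remaining {remaining} bytes at offset {off}")
        if btype in MIN_LEN and blen < MIN_LEN[btype]:
            raise DescriptorError(
                f"descriptor type {btype} needs {MIN_LEN[btype]} bytes, got {blen}")
        if btype == DESC_CONFIG:
            # wTotalLength (little-endian, at offset 2) must match what we hold;
            # a host that allocates by one and copies by the other is the bug.
            total = struct.unpack_from("<H", buf, off + 2)[0]
            if total != len(buf):
                raise DescriptorError(
                    f"wTotalLength {total} disagrees with {len(buf)} received bytes")
        out.append((btype, bytes(buf[off:off + blen])))
        off += blen
    return out


def safe_parse(buf: bytes):
    """(True, descriptors) on success, (False, reason) on rejection."""
    try:
        return True, parse_descriptors(buf)
    except DescriptorError as exc:
        return False, str(exc)


# Constructed sample: config (9) + interface (9) + bulk IN endpoint (7) = 25 bytes.
GOOD = bytes.fromhex(
    "09021900010100803 2".replace(" ", "")  # config, wTotalLength = 0x0019 = 25
    + "090400000108065000"                  # interface: mass storage, SCSI, BOT
    + "07058102400000"                      # endpoint 0x81, bulk, 64-byte packets
)
# Same set, but the endpoint claims bLength 0x40 with only 7 bytes left.
BAD_OVERLONG = GOOD[:18] + bytes([0x40]) + GOOD[19:]
# Same set, but the endpoint claims bLength 0, which would stall a naive loop.
BAD_ZERO_LEN = GOOD[:18] + bytes([0x00]) + GOOD[19:]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("overlong", BAD_OVERLONG), ("zero", BAD_ZERO_LEN)):
        print(label, safe_parse(sample))
```

The checks are cheap and independent: the `blen < 2` test stops a walk that would otherwise never advance, the `blen > remaining` test is the one that turns a would-be out-of-bounds read into a clean rejection, and the wTotalLength comparison catches the allocate-by-one-field, copy-by-another mismatch. A driver review should find an equivalent of each before any descriptor field is used to size a copy.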