Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/26/2013
12:44 PM
George Crump
George Crump
Commentary
50%
50%

Flash Storage Has Special Security Needs

Over-provisioning and bad-block marking can leave flash storage devices vulnerable to data theft. Here are workarounds.

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
At some point, almost every storage system will be used for a role different than what it was purchased for. This could mean assigning it to a new department within the organization, transporting it to another office, or decommissioning the unit all together. In any of these scenarios the first step is typically going to be erasing the data to make sure that nothing sensitive on that storage system remains. Interestingly, when it comes to solid state disk (SSD) or flash arrays, erase might not always mean erase.

When flash is erased the process is actually a write. A block of data is read from flash, the block on the flash is cleared by writing zeros to it, then new data, if there is any, is written to that block. The flash controller knows that any block regions with zeros are eligible for new data.

Formatting an SSD, even repeatedly, might not actually erase the drive like it will a hard disk drive. There are two functions of flash that can cause a problem. The first is the very common technique of over-provisioning. Over-provisioning allows the flash to extend its life expectancy by reserving a certain percentage of flash capacity and hiding it from the operating system. It allows the flash drive to leverage wear leveling to distribute the write workload over a higher number of flash NANDs. In some drives this over-provisioning can be as much as 25% of the capacity.

[ How did thumb drives betray the National Security Agency? Read Thumb Drive Security: Snowden 1, NSA 0. ]

The problem is that a straightforward format utility won't know about these extra cells and data could still exist on them after formatting. Some flash vendors have created special utilities that are able to address these hidden areas as well as perform a destructive series of writes that includes a mixture of ones and zeros. These utilities are perfect except for one other problem: bad-block marking.

The flash system technique of bad-block marking might also trip up your attempt to destroy data. Everyone knows by now that flash storage wears out eventually. The problem is that some memory areas wear out much sooner than others. When that happens, that block area can no longer accept writes. And if it can't accept writes, you can't write to it in order to perform an erase. You can, however, still read from it and the data is still there. That means that someone with the right motivation could get to your data.

The good news is that in both of these situations, systems can be taken into a lab and read. For most organizations most of the data isn't valuable enough to be considered worth the effort. But the chance of an organization having some data that is of value to outside interests is increasingly likely.

In either case, getting to the data requires some work and some lab equipment. The problem is technology is driving the price of the equipment required to do this forensic work just like it is driving everything else down. In short, you should do something to protect the organization and its data in case it falls into the wrong hands.

At a minimum, you should make sure your SSD or flash-array vendor has some sort of erase function that allows you to get to both visible and hidden areas of flash storage. Ideally, this will also perform some sort of "one then zero" erase on the data.

For many environments, though, the answer might be always-on -- not optional -- encryption, so that the moment the flash storage is removed from the system or the key is destroyed, the data is useless. The problem with always-on encryption is that it might hurt performance, so your vendor might need to increase the system's processing power so it can perform encryption at line rate.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3166
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
CVE-2020-29446
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...