
12/5/2006
05:42 AM

Lexar Locks Down USB Storage

Touts new method for avoiding storage snafus and keeping USB data in safe hands

Digital media specialist Lexar has stepped into the storage arena with a USB device it claims will help enterprises and government agencies lock down critical data. (See Lexar Ships SAFE PSD.)

Lexar today introduced the enterprise SAFE PSD 1100 to its range of personal Flash drives. The device is designed to address growing user concern about removable media. (See VA Reports Massive Data Theft, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Houston, We've Got a Storage Problem.)

Akil Houston, Lexar's senior product marketing manager, told Byte & Switch that his firm is taking a significantly different security approach from the competition, which includes established USB players such as Kingston Technology and SanDisk, the latter of which recently acquired msystems. (See Kingston Intros Drives and SanDisk Buys msystems.)

Other USB vendors, says Houston, typically use software within their devices to access a feature within Windows called "autorun". This enables the device to automatically access the operating system when it is plugged into a laptop or a PC, although there is concern that autorun could be used by a crafty hacker to slip malware and viruses into an organization. (See Social Engineering, the USB Way.)

Lexar's 1100, on the other hand, does not rely on pre-loaded autorun software. "In order to use the device, it needs a device driver that is downloaded through Windows update via the Internet," says Houston. "Once the driver is installed, you have to provide a password."

SanDisk did not respond to Byte and Switch's request for comment and Kingston Technology's security expert was unavailable when we tried to contact him today.

Analysts agree that users are looking for new ways to lock down vulnerable storage media. "I think it's a good idea, we definitely need more granular control on PCs," says John Pescatore, vice president at Gartner.

"Autorun can certainly be used in a social engineering-type attack when someone loads malicious software onto a USB stick -- it can happen," adds Jonathan Singer, an analyst at Yankee Group.

The problem is that end-users cannot always be trusted to use their common sense, warns Russ Cooper, director of managed security services specialist CyberTrust. "We have heard stories about people dropping thumb drives in the parking lot outside of sensitive facilities to see if people will download them," he explains.

The 1100 device uses 256-bit encryption to lock down its data, and Lexar has also integrated the product with SecureWave's Sanctuary Device Control software, which monitors and audits USB devices. (See Healthcare Firm Secures USB, A-Listing Your Apps, and Software Secures Against USB Slurpers.)

At the moment, though, the 1100 is lagging well behind its rivals in the capacity stakes. The device is only available in 1-Gbyte and 2-Gbyte versions, priced at $64 and $115, unlike Kingston Technology and SanDisk, which also offer 4-Gbyte enterprise products.

Undeterred, Lexar's Houston told Byte & Switch that many firms are wary of putting too much data into their employees' hands. "It's not necessarily the case that the enterprise would want their employees to have 4 or 8 Gbytes of removable storage," he says, adding that this is deemed too much of a risk by many firms.

Sadly, Byte & Switch was unable to pin down any 1100 early adopters to ask them about this. Houston, for his part, did not know how many end-users have so far deployed the 1100, which is being sold via resellers.

At least one analyst told Byte and Switch that the real portable media challenge for CIOs and IT managers is more about people than technology. "You still need policies," says John Blossom, president of analyst firm Shore Communications, highlighting the need for passwords to be carefully monitored. "If you have a secure legal document going from point A to point on this device, it doesn't prevent the information from leaking out."

Clearly, many firms still have little understanding of how their portable storage media is being used. Earlier this year, for example, nearly half of the respondents to a survey by Byte & Switch's sister publication, Dark Reading, revealed that they have no clearly stated policy for the use of portable storage devices.

Analyst firm Input says that spending on portable storage security is on the rise following a slew of high-profile snafus at organizations such as the Department of Veterans' Affairs. (See Portable Problems Prompt IT Spending and The Portable Puzzle.)

— James Rogers, Senior Editor, Byte and Switch

  • Cybertrust
  • Gartner Inc.
  • Kingston Technology Co. Inc.
  • Lexar Media Inc.
  • msystems
  • SanDisk Corp. (Nasdaq: SNDK)
  • SecureWave S.A.
  • Yankee Group Research Inc.
