
12/5/2006
05:42 AM

Lexar Locks Down USB Storage

Touts new method for avoiding storage snafus and keeping USB data in safe hands

Digital media specialist Lexar has stepped into the storage arena with a USB device it claims will help enterprises and government agencies lock down critical data. (See Lexar Ships SAFE PSD.)

Lexar today introduced the enterprise SAFE PSD 1100 to its range of personal Flash drives. The device is designed to address growing user concern about removable media. (See VA Reports Massive Data Theft, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Houston, We've Got a Storage Problem.)

Akil Houston, Lexar's senior product marketing manager, told Byte & Switch that his firm is taking a significantly different security approach to the competition, which includes established USB players such as Kingston Technology and SanDisk, which recently acquired msystems. (See Kingston Intros Drives and SanDisk Buys msystems.)

Other USB vendors, says Houston, typically use software within their devices to access a feature within Windows called "autorun". This enables the device to automatically access the operating system when it is plugged into a laptop or a PC, although there is concern that autorun could be used by a crafty hacker to slip malware and viruses into an organization. (See Social Engineering, the USB Way.)

Lexar's 1100, on the other hand, does not rely on pre-loaded autorun software. "In order to use the device, it needs a device driver that is downloaded through Windows update via the Internet," says Houston. "Once the driver is installed, you have to provide a password."

SanDisk did not respond to Byte and Switch's request for comment and Kingston Technology's security expert was unavailable when we tried to contact him today.

Analysts agree that users are looking for new ways to lock down vulnerable storage media. "I think it's a good idea, we definitely need more granular control on PCs," says John Pescatore, vice president at Gartner.

"Autorun can certainly be used in a social engineering-type attack when someone loads malicious software onto a USB stick -- it can happen," adds Jonathan Singer, an analyst at Yankee Group.

The problem is that end-users cannot always be trusted to use their common sense, warns Russ Cooper, director of managed security services specialist CyberTrust. "We have heard stories about people dropping thumb drives in the parking lot outside of sensitive facilities to see if people will download them," he explains.

The 1100 device uses 256-bit encryption to lock down its data, and Lexar has also integrated the product with SecureWave's Sanctuary Device Control software, which monitors and audits USB devices. (See Healthcare Firm Secures USB, A-Listing Your Apps, and Software Secures Against USB Slurpers.)

At the moment, though, the 1100 is lagging well behind its rivals in the capacity stakes. The device is only available in 1-Gbyte and 2-Gbyte versions, priced at $64 and $115, unlike Kingston Technology and SanDisk, which also offer 4-Gbyte enterprise products.

Undeterred, Lexar's Houston told Byte & Switch that many firms are wary of putting too much data into their employees' hands. "It's not necessarily the case that the enterprise would want their employees to have 4 or 8 Gbytes of removable storage," he says, adding that this is deemed too much of a risk by many firms.

Sadly, Byte & Switch was unable to pin down any 1100 early adopters to ask them about this. Houston, for his part, did not know how many end-users have so far deployed the 1100, which is being sold via resellers.

At least one analyst told Byte and Switch that the real portable media challenge for CIOs and IT managers is more about people than technology. "You still need policies," says John Blossom, president of analyst firm Shore Communications, highlighting the need for passwords to be carefully monitored. "If you have a secure legal document going from point A to point on this device, it doesn't prevent the information from leaking out."

Clearly, many firms still have little understanding of how their portable storage media is being used. Earlier this year, for example, nearly half of the respondents to a survey by Byte & Switch's sister publication, Dark Reading, revealed that they have no clearly stated policy for the use of portable storage devices.

Analyst firm Input says that spending on portable storage security is on the rise following a slew of high-profile snafus at organizations such as the Department of Veterans' Affairs. (See Portable Problems Prompt IT Spending and The Portable Puzzle.)

— James Rogers, Senior Editor, Byte and Switch

  • Cybertrust
  • Gartner Inc.
  • Kingston Technology Co. Inc.
  • Lexar Media Inc.
  • msystems
  • SanDisk Corp. (Nasdaq: SNDK)
  • SecureWave S.A.
  • Yankee Group Research Inc.

     
