This information might be about a week old now, but seeing as I have been going over the Enterprise and Personal offerings from Ironkey, I thought I would briefly touch on this newly found vulnerability, and what devices are currently known to be vulnerable.
So late Dec 2009 SySS produced a couple of papers detailing how they have managed to bypass the security on Sandisk and Kingston Secure USB storage devices. Basically they have designed a tool that produces a static unlock code to always unlock the affected devices. Its my understanding that this is possible due to a flaw in how the users passcode is verified on the PC and signaled to the device.
This is obviously a significant issue, and I know personally of many organisations that have deployed these devices in their organisations, and this will also include Government organisations as most of the devices are classified as FIPS 140-2 compliant.
So should you be worried, well yes if your using one of the following devices:
SanDisk Cruzer Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
SanDisk Cruzer Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
As I was looking at Ironkey devices at the time of all these, I have had confirmation from Ironkey that as far as they are aware they are not susceptible to this type of vulnerability due to the architecture used in their devices, and the fact that all verification occurs at the onboard hardware level.
I don’t wont to go over to much of what has already been covered by the Enterprise Review from last week. The main focus of this review is to demonstrate that you don’t have to be part of a large organisation to benefit from what the Ironkey has to offer, as the personal versions are great to. As I previously said I have been using Ironkeys for a while myself and these are personal devices.
Below will be a brief recap of what the Ironkey Personal is all about and how you go from opening the box, to secure storage and browsing.
Personal Version Specs:
Rugged Metal Casing
Waterproof
Tamper-Resistant
AES 256BIT Hardware Encryption
FIPS Validated 140-2 Level 3
Strong Authentication
Secure Browser / Portable Apps
Secure Password Management
Self Service Password Recovery
So you have just got your hands on your nice new shiny S200 Ironkey personal, you have popped open the nicely designed black box and popped it into your USB slot. The first step is to initialise your key.
Its important to give your Ironkey an appropriate name, so that you can easily identify it in your personal online console, because your going to want more than one at some point. The next one is to obviously select a strong passphrase. It might be AES256 bit encrypted, but using the password “password” isnt going to be that secure.
The part it to read through and accept or reject the T’s and C’s.
Once thats all out of the way the Ironkey will start doing its thing, encryption, configuring and installing.
As with the enterprise version, you need somewhere to keep track of your keys, backup your password for recovery, etc etc. So now you need to create online account, or if like me add your Ironkey to your existing account.
Now your account is setup, Ironkey will send you an email with an activation code. You will need to enter this into your online account, to setup and confirm association with your account and your Ironkey.
Now your good to go. You should find that the Ironkey control panel has also launched, and this gives you access to the various pre-installed application and services. Secure Firefox browser, password managers, update manager and more.
You will also notice there is an option to fill in some Lost and Found information. This is then displayed to anyone who inserts and attempts to activate the Ironkey. They can then contact you to make you aware of how foolish you were to lose your precious key
So thats pretty much you good to go. However I will add one thing, that seems to be very unclear when your looking around online. People seem to think for some reason you are unable to install new applications onto your Personal Ironkey. Well of course you can. I will quickly go through how to install Pidgin, and other applications should be the same.
First off head along to Portable Apps, and get yourself a copy of Pidgin.
You then simply install this to the secure files location on your Ironkey. Then from your Ironkey control panel right click on the applications screen and select add application.
Now select the Pidgin Executable in your secure storage location. Then Bob’s your uncle you have Pidgin good to go.
I hope this review was information and helpful to a few of you. For more information on Ironkey and where to buy one check out their website.
I am a probably a little biased, as I have been using a personal Ironkey 1GB S100 for some time now, and have recently got myself an 8GB S200 thanks to Don at The Ethical Hacker Network, so its clear I think they rock, and in my opinion I really do think they are the best secure USB Pen Drive on the market.
However I have never had any exposure to their enterprise offering, and with lots of companies now looking to adopt secure portable / removable media I think if Ironkey could be a good solution from a device perspective to help with data loss prevention. Ironkey have been kind enough to set me up with a temporary enterprise account, and sent me a couple of enterprise S200 1GB sticks to have a look how it all hangs together.
Before I get started, if you have never heard of Ironkey, let me just give you a little bit of info on what they are all about, and why in my opinion they are the 007 secure usb stick of choice, did I mention they look the business to
Enterprise Version Specs:
Rugged Metal Casing
Waterproof
Tamper-Resistant
AES 256BIT Hardware Encryption
FIPS Validated 140-2 Level 3
Strong Authentication
RSA SecureID / Verisign ID Protection
Secure Browser / Portable Apps
Self Destruction
Anti-Malware Protection
So on with the review. First we need an Ironkey Enterprise Account, and an Enterprise Ironkey, I was provided with both of these. When you get an Ironkey it comes in a little black box, once you have opened it up and plugged in the Enterprise Ironkey and the launcher is run, you are informed that you need to activate your Ironkey. (*Setup on a Mac)
To progress past this stage you will need an activation code that your Ironkey Enterprise would have setup for you through the console. This will result in you having received an email with your activation code.
So with that in mind we will go to the Enterprise Web Interface and get things setup (policies, preferences and accounts).
First we log in with our Enterprise Account number.
Now as its our first login we need to go through the 10 steps of getting our configuration setup that we are going to apply to all the Ironkeys in our enterprise.
Step 1 – Make sure we are the right man for the job…. Check
Step 2 – Now we need to define how many failed password attempts before the Ironkey self destructs. (Default is 10)
Its important to remember once destruction occurs, thats it. No undo or try again.
Step 3 – Now we define our password settings, complexity, and recovery settings.
Step 4 – Now we setup the default applications available from the Ironkeys, Firefox, RSA, etc
Step 5 – Its all about the Lost & Found. We can configure a message that will seen by anyone who inserts the Ironkey
Step 6 – Now we setup the Enterprise Administrator Account, with a strong password.
Step 7 – Time for some challenge response info, for when we forget ourselves.
Step 8 – Now to create your secret identification image to ensure your at the REAL Ironkey admin page.
Step 9 – Creating your backup sys admin account.
Step 10 – Confirming everything is just how you wanted it.
So now we have our admin account setup and our admin Ironkey associated. So lets take a look at what we can do at the web interface. Its important to understand that logging into your management interface requires two factor authentication, so not only your username and password, but your Ironkey also. If you dont have your Ironkey you just get into the Safe Mode option.
So when we login with the Ironkey we get all the good stuff, user management, policy creation alteration, alerts, log information and more. Things are pretty self explanatory, so here is a screen shot montage.
Now we can continue to activate our Ironkey, as we have created an account, and associate policy.
Now we setup a name for our Ironkey and a strong passphrase.
The key is then initialised and encrypted.
Then then if the user doesnt already have an online account, they are prompted to create one.
Now the user is good to go, the policy will have been applied, applications made available and secure storage created.
If the user is also an administrator they get access to admin tools from their Ironkey also, allowing them to recover data from other Ironkey, reauthorise, etc.
Below are also some screen shots of an Ironkey that has been assigned a Silver Bullet Policy meaning it cannot be used unless it is connected to the Internet for authentication, and a device that has been disabled.
Here is the control panel a user see’s on a Mac and PC, do control panel is currently available to Linux users.
Its pretty clear that PC users currently get better percs from the Ironkey, but regardless of the plaform your getting some awesome secure storage. I am really impressed with the simple yet appropriate level of control the Ironkey Enterprise solution gives, and I dont think I would hesitate to recommend this to a customer. I will say that I had one device get stuck in some sort of authentication loop, but Ironkey support where extremely helpful, and the few things we tried didn’t work so they sent out a replacement by Fedex.
Ironkey also offer pretty much the same offering but for personal users, and I will be putting up a similar mini review of this offering later in the month.
For more information on the Ironkey offerings, and to locate your local reseller visit the Ironkey website.
I will leave you with a short video clip I made, testing the waterproof theory of the Ironkey S200.
Tuesday night in the Fountains Abbey in London at 7:30PM the first official RSA Security Bloggers Meet Up in the UK kicked off, and it was a great success.
The event was sponsored by Qualys, IronKey and ISACA, and it was thanks to them that we were able to provide an excellent buffet, an open bar, T-Shirt and USB key for every registered attendee. Over 30 people attended the event, everyone comment to me on what a success they thought the event was, the great opportunity to meet with new people and those they had only spoken to online. They also appreciated the relaxed atmosphere, and good discussions.
I am really pleased how the event panned out, and we had people there until 11PM when we had to pack up and head off.
I would like to thanks Kevin Riggins, Mel Johnson and I think it was Tomasz Miklas (sorry I am rubbish with new names) for helping to get everything setup before the official kick off.
I also want to thank Mel again from eclat marketing and Neil Stinchcombe from Eskenzi for all their help with organising sponsorship for the event.
I like others had a really great time, and will be more than happy to set this type of event up again in the future, so watch this space. A quick pointless stat, Stella and Guinness where the most drunk beverages of the evening
Registered Attendes got a bag with a T-Shirt, Sticker, and 1GB USB Memory Stick.
Below are a few pictures from the event taken by Xavier Mertens who blogs at Rootshell, thanks for taking these.
Links to some of the peoples blogs who attended the event below:
This is just a quick reminder that this coming Tuesday the 20th October 2009 at 7:30PM the first official Security Bloggers Meet Up will be happening in London.
The Security Bloggers Meet Up is an ideal place to meet with fellow Security Bloggers, Podcasters and Journalists. There is still a short amount of time to RSVP to bloggermeetup [at] securityactive.co.uk if you are interested in attending.
The event is kindly being sponsored by Qualys, IronKey and ISACA, and its thanks to these guys we will have all food and drink provided (within reason ) and possibly a door prize or two.
Please take some time out of your busy schedule to visit our sponsors site and find out about their latest product offerings and services.
I look forward to seeing you all there, and lets hope its the first of many to come in the future.
