
More flash drive firms admit to security flaws

In the wake of last week's news that some of Kingston's secure flash drives have underlying flaws, more manufacturers have stepped forward saying they suffer from similar issues. So far, Verbatim and SanDisk have revealed that similar security flaws exist on some of their secure USB flash drives. Both companies issued online application upgrades to address the problem, though it is unclear how a software update can resolve what appears to be a fundamental design flaw.

What caught the public's interest is the fact that the affected drives were supposed to have been certified by NIST with FIPS 140-2 Level 2 security. However, it has now emerged that obtaining the NIST certification is as simple as incorporating some form of tamper resistance into the hardware. Does this render the FIPS 140-2 standard useless?

David Jevans, CEO of IronKey Corp., which makes high-end secure flash drives, told Computerworld that he disagrees with the assertion that the FIPS certification is not useful. "We don't want people implementing proprietary cryptographic algorithms, which are almost always shown to be flawed," Jevans says. He further explained: "FIPS specifies that you will use well-known cryptographic algorithms, and AES went through a long and detailed public evaluation."

For more on this story:
- check out this article at Computerworld
- check out this blog at IronKey



Comments

There are some key issues that need to be understood along with this article. First, Sandisk manufactures this line of products for Kingston and Verbatim (and markets them under the Sandisk name as well). Second, it is not clear what the "fix" is at this point, and if it is now possible to do the password matching on the hardware chip, or if it is still being done in a "more secure" software setting. Third, FIPS 140-2 is, and will remain, a critical testing process for cryptographic modules. It is extremely important that devices and modules are streamlined through a common and well-defined independent certification program for evaluation of KNOWN best practices. The issue in the Sandisk case is that this security flaw falls outside of the "FIPS scope" so there may need to be additional reviews of security relevant aspects which fall outside of the actual cryptographic module.
