Welcome!

Big Data Journal Authors: Liz McMillan, Pat Romanski, Elizabeth White, Dana Gardner, Jason Bloomberg

News Feed Item

SPYRUS(R) Announces Its Encrypting and Bootable Windows To Go Drives Are Invulnerable to "BadUSB" Attacks

Proven SPYRUS Design and Manufacturing Solution to Signed Firmware Update Process Has Been Successfully Implemented for Decades

SAN JOSE, CA -- (Marketwired) -- 08/13/14 -- SPYRUS today announced that all SPYRUS bootable Windows To Go and Encrypting Storage Drives, including the Secured by SPYRUS™ Kingston® DT5000, DT6000, and PNY "Secured by SPYRUS™" drives are invulnerable to "BadUSB" attacks.

BadUSB attacks were publicized at the recent presentation from the 2014 Black Hat Conference entitled "BadUSB: On accessories that turn evil," by Karsten Nohl and Jacob Lell of the SRLabs, Berlin. This lab study publicizes a latent, but understood vulnerability, that potentially could affect any unprotected USB or microcontroller network connected device on the market today.

"This is not a previously unknown vulnerability. SPYRUS has been protecting our encrypted drives since our first product design that was used to protect the DoD Defense Message System with a cryptographically secure design that integrates signed firmware updates into the manufacturing process along with selective hardware disabling of update processes," said Tom Dickens, COO, SPYRUS. "This completely defeats USB hack attacks. If the firmware is somehow tampered with after signing, signature verification will fail and the unauthenticated update terminates. Contrary to the presentation's description of the 'limitations' or difficulty of applying the use of code-signing for firmware updates to microcontrollers as an effective deterrent because of the difficulty of implementation, SPYRUS has implemented cryptographic code signing in all our security products as a core competency since the release of our first product."

In essence, this attack can convert benign, normally secure USB peripherals or any vulnerable device controllers into "BadUSBs" or "bad controllers" for purposes determined by an attacker. Conventional malware scanners and antivirus programs cannot detect the tampering after-the-fact. By the time it's detected, it may be too late to reverse the results because of device or system operational failures. The only way to prevent this attack is to understand how to prevent it in the initial design and implementation of the firmware architecture.

The firmware hack attack described in the Nohl-Lell presentation can change, in whole or in part, original unprotected controller firmware code and replace it with new code, indistinguishable from a vendor firmware update. However, unlike a legitimate firmware update from a device vendor, it morphs the controller into whatever new behavior and set of characteristics the attacker desires. This is true whether the memory controller is a USB storage device, automated CNC machine, medical device, energy grid component, or any device controller connected to the "Internet of Things." And from there, these controllers can act as covert vehicles of attack that extract sensitive information, distribute viruses or take over the control of devices and machines even on protected networks.

The SPYRUS manufacturing process embeds cryptographic parameters into the device controller and protects the private digital signing key from theft or cloning. The critical aspects of using digital signatures to verify the authenticity and integrity of a firmware update and its source demand quality creation of a public key pair and private signing key and secure storage and key access. At SPYRUS, these functions are carried out in a U.S. secure facility by U.S. personnel and an access policy that requires two or more authenticated personnel to access the key in a physically locked vaulted room. These standards and procedures are audited regularly and must be maintained continuously, a product lifetime investment that many other controller and device manufacturers are hesitant to make.

The use of code-signed firmware updates, as properly implemented by SPYRUS, has and will continue to mitigate the dangers from these attacks while enabling our devices to be feature enhanced to meet new customer requirements and prolong the lifetime of the device. Other industry-leading security features of SPYRUS encrypting storage and bootable drives include:

  • XTS-AES hardware encrypted compartments
  • Read-Only settings that can be enabled to prevent permanent writes to memory compartments
  • Advanced Elliptic Curve Cryptography support in addition to the older RSA cryptographic algorithm support
  • FIPS 140-2 Level 3 SPYCOS® hardware security module
  • Made In USA security technology
  • Passwords that are never stored on the device in any form
  • Optional use of secure secondary/tertiary DataVault compartments
  • Embedded smartcard capabilities for two-factor authentication
  • New ruggedized tamper-evident water-resistant aluminum case design with tethered end-cap
  • SPYRUS Enterprise Management System to centrally manage access to devices and destroy, enable/disable and audit devices

For a full list of product specific features and for more information regarding the advantages of using SPYRUS products, please visit our website at www.spyrus.com or contact us at [email protected].

Related Links
Windows To Go Video http://technet.microsoft.com/en-us/windows/jj737992
Windows 8.1 Enterprise http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/enterprise-edition.aspx

About SPYRUS, Inc.

SPYRUS delivers innovative encryption solutions that offer the strongest protection for data in motion, data at rest and data at work. For over 20 years, SPYRUS has delivered leading hardware-based encryption, authentication, and digital content security products to government, financial, and health care enterprises. To prevent the insertion of untrusted components, patented Secured by SPYRUS™ security technology is proudly designed, engineered, and manufactured in the USA to meet FIPS 140-2 Level 3 standards. SPYRUS has collaborated closely with Microsoft to deliver the first certified hardware encrypted portable platform for Windows 7, Windows 8 and Window 8.1. SPYRUS is headquartered in San Jose, California. See www.spyruswtg.com for more information.

SPYRUS, the SPYRUS logo, Secured by SPYRUS, and SPYCOS are either registered trademarks or trademarks of SPYRUS, Inc., in the U.S. and/or other jurisdictions. All other company, organization, and product names are trademarks of their respective organizations.

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

@BigDataExpo Stories
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series dat...
Things are being built upon cloud foundations to transform organizations. This CEO Power Panel at 15th Cloud Expo, moderated by Roger Strukhoff, Cloud Expo and @ThingsExpo conference chair, addressed the big issues involving these technologies and, more important, the results they will achieve. Rodney Rogers, chairman and CEO of Virtustream; Brendan O'Brien, co-founder of Aria Systems, Bart Copeland, president and CEO of ActiveState Software; Jim Cowie, chief scientist at Dyn; Dave Wagstaff, VP ...
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by minin...
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial C...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happe...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. ...
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science f...
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness,...
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, ...
MapR Technologies on Tuesday announced the availability of free Hadoop On-Demand Training for developers, analysts and administrators which represents a $50M in-kind contribution* to the broad Hadoop community. The Hadoop training program is a multi-course curriculum designed to expand worldwide adoption of Hadoop technology. The curriculum provides engaging and interactive video lessons, hands-on exercises, labs and quizzes, enabling professionals to acquire valuable Hadoop skills and knowledge...
“We help people build clusters, in the classical sense of the cluster. We help people put a full stack on top of every single one of those machines. We do the full bare metal install," explained Greg Bruno, Vice President of Engineering and co-founder of StackIQ, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
In this demo at 15th Cloud Expo, John Meza, Product Engineer at Esri, showed how Esri products hook into Hadoop cluster to allow you to do spatial analysis on the spatial data within your cluster, and he demonstrated rendering from a data center with ArcGIS Pro, a new product that has a brand new rendering engine.
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your onlin...
Hardware will never be more valuable than on the day it hits your loading dock. Each day new servers are not deployed to production the business is losing money. While Moore's Law is typically cited to explain the exponential density growth of chips, a critical consequence of this is rapid depreciation of servers. The hardware for clustered systems (e.g., Hadoop, OpenStack) tends to be significant capital expenses. In his session at Big Data Expo, Mason Katz, CTO and co-founder of StackIQ, disc...
The 4th International DevOps Summit, co-located with16th International Cloud Expo – being held June 9-11, 2015, at the Javits Center in New York City, NY – announces that its Call for Papers is now open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's large...
Software Defined Storage provides many benefits for customers including agility, flexibility, faster adoption of new technology and cost effectiveness. However, for IT organizations it can be challenging and complex to build your Enterprise Grade Storage from software. In his session at Cloud Expo, Paul Turner, CMO at Cloudian, looked at the new Original Design Manufacturer (ODM) market and how it is changing the storage world. Now Software Defined Storage companies can build Enterprise grade ...
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the tec...