“The Most Significant Breach Of U.S. Military Computers Ever”

… was caused by a malware-loaded USB Flash Drive. Plugging the cigarette-lighter-sized flash drive into an American military laptop at a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense.

Many security experts as well as flash drive vendors have known about this event for a long time, but the information was not made public until this week, when Mr. Lynn’s article was published in the latest issue of the journal Foreign Affairs. This is one of the reasons behind the suspension of removable flash media (not just USB flash drives) by the Department of Defense (DoD) in November of 2008.

The DoD discovered that banning the use of removable flash media was pretty painful, since many operations, such as loading of targeting information, depended on them. On February 12, 2010, after a lot of research and implementation of new processes and procedures, U.S. Strategic Command (STRATCOM) issued an all-DOD message allowing “the limited return to use of memory sticks and thumb drives in all DOD NIPRNET, SIPRNET and JWICS computers using Windows operating systems.” The caveat is that the devices must be government “procured and owned,” the command said.

That means no more picking up a flash drive tchotchke at a trade show or running down to Best Buy or your local electronics store to pick up a drive to use within the DoD. Your organization must buy, provision, distribute, and manage the device which must appear on the DoD list of approved devices.

The history of my employer, SPYRUS, is tightly coupled to the US Government. In 1992 SPYRUS partnered with Microsoft and DoD to develop the first secure government email system using our Fortezza hardware encryption device. In 2003, SPYRUS began its crypto modernization program, focusing on building devices using advanced cryptographic algorithms including ECC, AES, and SHA-2. In 2004, NIST announced a set of cryptographic algorithms that were approved to protect all unclassified and most classified information and called it Suite B. The announcement mentioned that SPYRUS has already implemented the suite.

The Hydra Privacy Card Personal Encryption Device is the first and only USB encrypting flash drive approved by the US government to protect tactical data at the SECRET level and below when used with the approved operational security doctrine.

Hydra PC Personal Encryption Device

Every file is encrypted with a unique key, so even if you did manage to crack one file, you would have to start from scratch to attack the next file. Unlike other USB flash drives, the Personal Encryption Device can be locked down to one or more PCs, can prevent the connection of other USB storage devices, is infinitely expandable, and can protect data no matter where it is stored.


You see, the Personal Encryption Device uses replaceable microSD cards. When you run out of space, just pop another card into the device and keep going. Is your file too big to store on a microSD card, or do you just want access to it from another location? You can put the encrypted file anywhere you like, including on the Internet, since it cannot be decrypted without the Personal Encryption Device that encrypted it.

Hydra PC Digital Attache

The Hydra Privacy Card™ Digital Attaché does everything that the Personal Encryption Device can do and more. You can partition the memory card and add sharing certificates to files or memory cards for secure sharing. When you encrypt a file or card, you decide who else is allowed to access it and you ask them to send you their sharing certificate to embed within the file. Again, files can securely be stored anywhere because the files can only be decrypted by the device that encrypted the file and the devices with which the file is shared.

Finally, and very importantly, there are non-repudiation and data containment. The first simply means that the data has not been altered and that you can prove who encrypted the file and when they encrypted it. The second is sometimes called DLP, or data leakage prevention.

SPYRUS implements non-repudiation by sealing the file when it is encrypted. First the plaintext is hashed, optionally compressed, then encrypted. The device ID and timestamp are embedded and the whole file is hashed again. This means that neither the plaintext nor the ciphertext can be altered. What is decrypted must be what was encrypted, and the validity of the file can be checked at any time without needing to decrypt the contents.
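The sealing sequence described above, as an added example that is not SPYRUS code or the device's file format. The header layout, the placement of the inner hash inside the encrypted data, and the SHAKE-256 keystream (a stand-in cipher so the example needs only the standard library) are assumptions.

```python
import hashlib, hmac, struct, zlib

# Constructed header layout: compress flag, device ID, timestamp, nonce, length.
HDR = struct.Struct(">B16sQ12sI")

def _stream_xor(key, nonce, data):
    # Stand-in cipher (assumption), not the device's algorithm.
    # The nonce must be unique for every file sealed under one key.
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(plaintext, key, nonce, device_id, timestamp, compress=True):
    inner = hashlib.sha256(plaintext).digest()                   # 1. hash the plaintext
    body = zlib.compress(plaintext) if compress else plaintext   # 2. optionally compress
    ct = _stream_xor(key, nonce, inner + body)                   # 3. encrypt hash and data
    header = HDR.pack(int(compress), device_id, timestamp, nonce, len(ct))  # 4. embed ID, time
    # 5. Hash the whole file. An unkeyed hash only proves integrity if the hash
    #    itself is protected, so a deployed design would sign or key this value.
    return header + ct + hashlib.sha256(header + ct).digest()

def check_seal(blob):
    """Validate the file without the key. Returns (device_id, timestamp) or None."""
    if len(blob) < HDR.size + 32:
        return None
    sealed, outer = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hashlib.sha256(sealed).digest(), outer):
        return None
    _, device_id, timestamp, _, length = HDR.unpack_from(sealed)
    if length != len(sealed) - HDR.size:
        return None
    return device_id, timestamp

def unseal(blob, key):
    """Decrypt and confirm the plaintext matches its inner hash; None on any mismatch."""
    if check_seal(blob) is None:
        return None
    flags, _, _, nonce, _ = HDR.unpack_from(blob)
    clear = _stream_xor(key, nonce, blob[HDR.size:-32])
    inner, body = clear[:32], clear[32:]
    try:
        plaintext = zlib.decompress(body) if flags else body
    except zlib.error:
        return None   # wrong key or corrupted data
    return plaintext if hmac.compare_digest(hashlib.sha256(plaintext).digest(), inner) else None
```
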

Data containment is actually pretty amazing. SPYRUS implements a K of N or quorum scheme. Keys are never stored anywhere but are reconstituted as required. To reconstitute a key, you need a specific set of pieces to come together. One of them is the user’s password. Others come from inside the hardware of the device, and one of them can come from an authorized PC. Yes, Hydra Privacy Card devices cannot be unlocked by the user even if they know the password unless the rest of the quorum is present.
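A K-of-N reconstitution like the one described above can be sketched with Shamir's secret sharing. This is an added example, not SPYRUS code: the page does not name the scheme the device uses, and the share roles (password-masked user share, device share, host PC share), the field prime and the PBKDF2 parameters are assumptions.

```python
import hashlib, secrets

P = 2**521 - 1  # Mersenne prime, larger than any 256-bit key

def split(secret, k, n):
    """Return n points on a random degree k-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over GF(P); wrong or too few shares give a wrong value."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def pw_mask(password, salt):
    # Stretch the password into a number used to mask the user's share.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return int.from_bytes(raw, "big")

def provision(key, password, salt):
    """3-of-3 quorum: (password-masked user share, device share, host PC share)."""
    (x1, y1), device, host = split(key, 3, 3)
    return (x1, (y1 + pw_mask(password, salt)) % P), device, host

def unlock(user_share, password, salt, *other_shares):
    """Reconstitute the key; it is never stored, only rebuilt from the pieces."""
    x1, masked = user_share
    return recover([(x1, (masked - pw_mask(password, salt)) % P), *other_shares])
```

With the correct password but without the host PC share, `unlock` interpolates a different value, which is the containment property the paragraph describes.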

For the DoD (remember the DoD? That’s how this article started…), this means that Hydra Privacy Card devices cannot be accessed outside of the approved DoD systems either to read information or put a virus onto it. And that’s pretty darn cool in my opinion!

Hydra Privacy Card devices are available on many government contracts including one that I cannot even talk about, and us civilians can buy one at Amazon.
