Secure and Portable, is the SecureUSB KP the Ticket?

Have you ever found yourself in need of a way to keep some files or data secure while still needing them to be portable? In today’s modern world these two requirements seem to go hand-in-hand more often. Given the damage done to organizations and individuals through data breaches caused by misplaced or stolen data, it’s no wonder that an entire market of secure, easy to use and portable storage devices is developing and growing.

Perhaps, if these devices had been available at the time, my personal data would not have been lost by the Veterans Administration (VA), saving them $20 million, and even more importantly, the unfortunate incident regarding Santa and the “Naughty List” could have been avoided, along with countless similar incidents. 

The Product

I travel, I mean, I travel a LOT. Part of my job is doing talks at security and IT conferences all across the US. When I travel, I carry potentially sensitive information with me, (Scans of my drivers license, passport, some passwords and service recovery passcodes, etc.) just in case I lose a wallet, get locked out of accounts, etc. My paranoid nature keeps me from carrying any of this unencrypted, and my travel schedule keeps me wanting to carry the lightest, smallest devices possible. This is why I chose smaller USB keys over the larger portable drives (which also require another cable to haul along). Your mileage may vary.

Up until now, I’ve been using a USB 2.0 version of the 16GB Ironkey Basic S1000 (<-Amazon.com link) USB drive but have found myself feeling tight on storage and a little limited by it’s implementation. While at the RSA conference this year, I ran across SECUREDATA, Inc., which had some devices that really sparked my interest. While they had a number of different products, I was immediatly drawn to the SecureUSB KP (<-Amazon.com link), which I will refer to as “SecureUSB” from here on out. When they asked me if I would be willing to test it out for a month or so and give them my feedback, I accepted.

** For the record, while I received this as a evaluation drive, I am returning it to them when I’m done with it and they did not not pay me to do this review. They simply asked for my feedback, good or bad.**  

I have to say, there is something really sexy about about the smooth lines and brushed aluminum finish of the Ironkey (Yes, I just called a USB Key “sexy”), but the SecureUSB is no slouch either, it’s just different. Visually the SecureUSB looks larger than the IronKey, but when set side by side, it’s not. I’ve actually done this more than once just because my eyes do trick me. I think it’s the difference between the uninterrrupted case of the IronKey and the obvious PIN keys that are present on the SecureUSB, however even with the cover on the SecureUSB it just looks bigger to me. Maybe it’s black color as well. 

My Testing

Let’s be clear, this review is about the usability or “experience” using the drive and it’s value as compared to some other options, it is not an in-depth security or ruggedness review. For that reason I will not be security testing the FIPS 140-2 Compliant Design or IP 57 dust/water resistance claims. The focus of this review is how well the device works, especially when compared to some other options. The SecureUSB drives are available in several sizes including 8GB for about $79, 32GB for about $129 or 64GB versions for about $159

Build Quality

The first thing I noticed is the that build quality of the drive feels pretty good. The drive is almost all black with a blue o-ring at it’s base and a blue and white logo painted or silkscreened (not just a sticker) on the cover.

On the front of the drive itself are the buttons which are a matte black with white numbers and letters. They feel like they are made from a rubber-like material, but not cheap. On the back end, there is an area where you could attach this to a keychain, lanyard or something similar. I find this is a nice touch so I don’t lose the device. Nearest the USB-A connector is a small semi-transparent window that houses the status LEDs.

The back of the drive has a QR code, serial number and other information that is again, either painted or silk screened on. It doesn’t feel cheap like stickers do.

The USB-A connector us really unremarkable and has the telltale blue insert that tells you that this is a USB 3 device.

Unlocking the Drive

To unlock the drive, you simply press the key button, then enter the PIN number (default is 11223344) using the buttons and press the key button again within 10 seconds. Once unlocked you have 30 seconds to put in a computer or it locks itself again. This process is pretty simple, but I did have to refer to the quickstart guide once when I forgot the process.

The drive does support a “User” PIN and a separate “Admin” PIN. These PINs must be 7-15 digits long, cannot contain only consecutive numbers (e.g. 11111111) and cannot be just consecutive numbers (e.g. 2345678)

To avoid brute-force attacks, if you mess up and enter the wrong PIN ten times in a row, regardless of how much time has passed, the encryption keys are deleted and the data is gone. This is true even if you set an “Admin” PIN, the files are gone, so be careful here.

Admin Mode

Speaking of the “Admin” PIN, the drive has a bunch of features you can use in the “Admin” mode that are nice if you are deploying in an organization. I did not use these features myself, but they are documented in the manual.

The Admin can reset the user password and do some other neat things like adjust timeout to locking and other things as well. In addition, the drive can be opened in a read-only mode by either the user or the admin.

One thing that I find a bit odd is that according to the documentation whenever you unlock the drive with the “Admin” Pin, it resets the “User” PIN to default. NOTE – Secure Data reached out to me and mentioned that the documentation may not be clear here. This is what they said, I have no way to test this, but have no reason to doubt it either – “That sentence is trying to explain that when the Admin PIN is first set up, it will reset the User PIN”. So the key difference is, when the Admin PIN is first set up, the user PIN is reset, not any time the Admin PIN is used. Good to know.

Using the Drive

In my time using the drive, I found it to be pretty easy to use and downright convenient when I wanted to grab something off it quickly. As I mentioned, I have been using an IronKey, but that requires running a small program to connect to the drive, then mount another partition, using 2 drive letters and taking some extra time to get to the files.

IronKey Unlock Software

This can be a bit cumbersome if you just want to grab a file. Similarly, I have used simple USB-3 drives and VeraCrypt with the same issue. You have to run a program first, then unlock the drive. having a PIN on the device is much more convenient. This feature could also allow you create a bootable device that is encrypted when not in use. Unlock the drive, stick in the machine and tell the BIOS to use it as a boot device and you are in business. This simply can’t be done with the other options that require software to unlock them (although you could use them to run a VM).

Conclusion

Ultimately, as I said, this review is about usability, value and the overall experience.

After using the device for a little while, I have to say that I’m impressed. Of the features I used, the device did everything it said it would without complaint. Remembering the process for unlocking and making PIN changes, etc. may take some time to get used, but the basic functionality is great.

While the IronKey still wins the day from a sheer beauty aspect, the SecureUSB is far from ugly. Speed wise, I typically got around 100MBps during sustained file copies, which is something my current IronKey (remember it’s USB 2.0) can’t even come close to. 

SecureUSB Speed
Cheap Microcenter Drive on a Ryzen 7 2700 machine

While I really liked the drive, in the end I felt that at around $129.00 the cost was very reasonable for what you get, especially compared to the IronKey, however for someone that doesn’t use something like this often, or doesn’t need FIPS validation, using a cheap USB 3.1 thumb drive like this Microcenter 32GB version for under $4, encrypted with VeraCrypt might be a viable solution as well although it certainly lacks the “cool factor” that the SecureUSB does and is considerably slower. 

Several options, only two are cool

I’d say if you are in the market for a hardware encrypted USB thumb drive, it would benefit you to give the SecureUSB KP (<-Amazon.com link) a serious look. I really enjoyed my time with it and will be sad to see it go.

Final Note, I linked to items on Amazon with an affiliate link. If you found value in this review and decide to get one I would appreciate you following the link. Any little bit helps. Thanks

Do you know what types of files your mail servers are blocking? Here’s a free tool to help

I’ll start by saying that I don’t think I have ever written a blog post about one of our free tools here at KnowBe4. It’s not that I don’t like the other tools or think that they lack usefulness (quite the opposite actually), it’s just that this new one really sticks out for me. I see this as a very handy tool for email admins or those security folks that want to close some doors in their email system (or even just figure out what’s really happening with the filters).

Having said that, I would like to introduce you to the newest free tool in the KnowBe4 lineup, the Mailserver Security Assessment, or MSA as it is affectionately known around here. This handy (and again, FREE) tool is designed to test your email filters and give you an idea what can pass and what is blocked at that level. This is not a tool designed to test your email servers configuration, other than the filtering parts, but given the proliferation of email attacks through phishing these days, it’s a pretty good idea to know what can get to your users and what can’t. From there you can make some changes, test, lather, rinse, repeat until you have things the way you would like.

The way it works is simple. You sign up for the free tool on the website which generates an email that will take you to the assessment page. This is actually performing one step on its own, confirming that you can indeed receive emails from the test servers in the first place. After all, if you can’t receive the basic email, all of the others are bound to fail.

Once at the assessment page, you can choose which emails you want to test by checking the box next to the email type. Once you have picked your email types, just click, “Start Assessment” and the magic happens. Now, within a few minutes the tool will send you an email from each of the categories you chose. If you receive the email, you know it’s not filtered, if you didn’t and it doesn’t show an error in the tool, you can be pretty confident that it was filtered. It’s really that simple.


Pick your emails or “select all”

Start the assessment

Check for failures in the console

Check your inbox for the messages that made it

In my case, it was interesting to see that although my main mail server did not filter these, when I used Gmail to pull it into my Inbox, Gmail did filter them. Something to keep in mind when you are testing, and if you are using various clients. Check it all the way through.

How handy is that compared to trying to configure your own emails to test this? I encourage you to check the tool and use it to make sure you are blocking the particularly nasty stuff, like the venerable, “Zipped Word Document w/ Macro”. That’s not something I would expect to see as a requirement in most situations. 🙂

Currently, the tool can perform 40 different tests by sending 40 different emails of the following types. Use it in good health!

Transport Encryption Test Excel File  Executable (EICAR Sample)
Email w/ Soft SPF Failure Excel File w/ Macro  Executable (EICAR Sample) (Zipped)
Email w/ Hard SPF Failure Excel File w/ Macro (Zipped)  Executable (EICAR Sample) (Zipped w/ Password)
Email w/ Punycode Domain (IDN Homograph) Excel File w/ Macro (Zipped w/ Password)  HTML (Link)
Spoofed Email (From address) PowerPoint  HTML (Auto-Redirect)
Transport Encryption Test PowerPoint w/ Macro  HTML (Auto-Redirect) (Zipped)
Spoofed Email (Altered domain) PowerPoint w/ Macro (Zipped)  HTML (Auto-Redirect) (Zipped w/ Password)
Spoofed Email (Reply address)  PowerPoint w/ Macro (Zipped w/ Password)  JavaScript
Word Document PDF File  JavaScript (Zipped)
Word Document w/ Macro PDF File w/ Script  JavaScript (Zipped w/ Password)
Word Document w/ Macro (Zipped) PDF File w/ Script (Zipped)  PowerShell Script
Word Document w/ Macro (Zipped w/ Password)  Executable (Dialog Box)  PowerShell Script
 Word Document w/ OLE inserted Executable  Executable (Dialog Box) (Zipped)  PowerShell Script (Zipped)
 Executable (Dialog Box) (Zipped w/ Password)  PowerShell Script (Zipped w/ Password)

 

 

Anytime you are making one of these high profile deals, remember that attackers might also be aware and will use it to target you

from Twitter https://twitter.com/ErichKron