Secure USB Memory Stick Hack

Not everything that costs lots of money and comes in a velvet case is good quality. Sprites mods has a good article about hacking a “secure” USB memory stick. It seems that the manufacturer broke all the rules when attempting to implement security.

“Seemingly, the checking of the password and the unlocking of the stick are two separate processes, both initiated from the PC. From the point of view of the stick, they’re both separate processes and unlocking can happen just fine if no valid password is entered. This is a Big Flaw. As an indication to how big: The best sticks handle all the encryption to/from the flash themselves and don’t keep a password at all: the fact that the data can’t be decrypted without it makes it safe. The mediocre sticks store a password inside the flash-controller and check it against a password sent by the PC before unlocking the flash-memory. This way, the password can’t be found by reading out the flash-chip manually. The bad ones do the same but store the password on flash. The Secustick is even worse than that: it stores the password on flash and lets the PC do the validation, while as soon as the stick gets stolen, the PC it is put into is completely non-trustworthy.”

Thanks Geekabit.
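The two ends of the design range described in the quote, modelled as an added sketch (not code from the linked article or from any real device): one stick keeps the password on flash and trusts the host to validate it, the other stores only ciphertext under a key derived from the password. Class and method names are hypothetical, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real cipher.

```python
import hashlib, hmac, os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class HostValidatedStick:
    """Criticised design: password on flash, host compares it, unlock is a separate command."""
    def __init__(self, password: str, data: bytes):
        self.flash_password = password.encode()  # stored where the host can read it
        self._data = data                        # plaintext behind a software gate
        self._unlocked = False
    def read_password(self) -> bytes:            # host fetches this and compares locally
        return self.flash_password
    def unlock(self) -> None:                    # device never sees proof of the password
        self._unlocked = True
    def read(self) -> bytes:
        if not self._unlocked:
            raise PermissionError("locked")
        return self._data

class KeyDerivedStick:
    """Design the quote calls best: no stored password, data exists only as ciphertext."""
    def __init__(self, password: str, data: bytes):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        enc_key, mac_key = self._derive(password)
        self.ciphertext = _keystream_xor(enc_key, self.nonce, data)
        self.tag = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()
    def _derive(self, password: str):
        # Slow KDF: each password guess against a stolen stick costs 200k hash iterations.
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000, dklen=64)
        return k[:32], k[32:]
    def read(self, password: str) -> bytes:
        enc_key, mac_key = self._derive(password)
        expected = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise PermissionError("wrong password")
        return _keystream_xor(enc_key, self.nonce, self.ciphertext)
```

In the first class the device's state changes without any input derived from the password, so the security decision lives entirely on the host; in the second there is no unlock state at all, only a key that either decrypts the data or does not.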

12 Comments


  1. Just to clarify, we’re talking about a secure USB “token”, and not a memory stick here? Or, what am I missing?


  2. This USB device is just like a standard thumb drive, but you have to enter a password to get at the data.


  3. Oh, one of those. It sounded like the iKey I have to insert when I boot my laptop up. It won’t decrypt the hard drive with the OS on it until I enter the correct passphrase.


  4. Why would someone want to spend his money on one of these devices when you can encrypt your data with a GPL/multiplatform program like truecrypt?? (http://www.truecrypt.org/)


  5. L0rd_D4rk: Because truecrypt is not a sanctioned tool by some companies for one. Think about it. If you allowed users to have portable data in the wild, you could either spend your money on simple hardware that just requires a password to use, or, train them all on truecrypt. Over time, you would still have to train new people on the application if they didn’t know, and spend more and more on that resource. With this, you can just have them enter a password. No training required.


  6. There isn’t a secure device when you have a stupid user… you can’t avoid training


  7. Yes, but you can control the amount you have to train, if not eliminate it…..The most you would have to do for a device like this is tell the user not to write their password on a piece of paper in the same bag with it.


  8. A company that wants its data to be safe cannot be limited to this. The users can have short passwords, or dictionary-based ones, or they might not keep the system updated and free of viruses, or they can use the encrypting device in an untrusted computer that might have trojans or keyloggers. With this I mean that there is no hardware or software good enough to put all your expectations of keeping the data safe. The only way to get this is to train your people… and I don’t mean giving them 3 or 4 pieces of advice in 5 minutes, I mean some kind of seminar lasting 2 or 3 days at least. The weak point is ALWAYS human… so if you are going to teach them, at least you can show them real encryption tools, not some kind of toy to keep your boss calm


  9. I’m not disagreeing that companies need training…my point was that it may be less of a training issue on this particular item. I think you are just bent on using TrueCrypt. It is not an end-all solution, especially in this case. And, if it was implemented without the flaws, I think I would rather use the hardware solution. It takes a lot out of the equation. Dealing with users is always a “lowest common denominator” problem. Just out of curiosity, how much I.T. experience do you have in a corporate environment?


  10. Well, actually I have never used TrueCrypt, I have mentioned it because it’s multiplatform, seems easy to use and it’s hardware independent, I don’t need encryption at my work, neither at my home, I have tested some good encryption tools under linux, like loop-aes and I know that they work well. But I don’t need to encrypt anything…

    When you really need it, because your job depends on it, you have to think of a solution that at least can resist 5 minutes against a decent attacker and obviously the memory of this article won’t. Some people encrypt the data because they think it’s cool, or something, but if you don’t need it it’s better to do nothing

    This thing is serious and I think the only way to be safe is to teach the people to do the things the right way. For example, at least 25% people with windows-laptop don’t know they have the administrator account active and with no password… this kind of people can’t be responsible for sensible data even if they have the best encryption device

    I suppose I have no real experience in a corporate environment, but I have been a system administrator for 6 years during my engineering studies and I know that most people lack the necessary education in computer security

    Sorry for being so annoying 🙁


  11. Oh no, not annoying at all! I was just enjoying the discussion with you actually.

    In all honesty, I encrypt every portable drive I own. Anything that leaves either the doors of my job, or my home, because, in the end, no matter what is on that device, it is no one’s business but me 🙂 I use TrueCrypt for that, because, well, I have a quick learning curve to pick up something like that. The users I work with on the other hand, not so much 🙂


  12. Well, if you want a certain degree of professional security I guess there are no short cuts. TrueCrypt does have a certain learning curve and that goes for all other programs that are halfway secure.

    It just doesn’t work like “click OK or cancel” and get 100% security. In other words, security always comes with the price of less user friendliness and more complications….
