Slashdot Mirror


Protected Memory Stick Easily Cracked

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"

11 of 220 comments

  1. Just put - by ditoa · · Score: 4, Informative

    TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.

    1. Re:Just put - by jawtheshark · · Score: 3, Informative

      Once Truecrypt is installed on a machine (by Administrator) every Limited User can use it without problems. I have it set up that way at home.

      Running Truecrypt requires a driver, and inserting that into the operating system requires Admin; once it's there, using it is allowed by everyone.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  2. TrueCrypt by Teckla · · Score: 5, Informative

    Most Slashdotters know you should not trust the built in security on these devices.

    The solution for real security on these devices is to use TrueCrypt.

    It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's set up, though, it's secure and easy to use.

  3. A cheaper alternative that actually works by jrumney · · Score: 4, Informative
    1. 1GB USB stick - from around $20 (maybe even cheaper)
    2. Truecrypt - free

    No self-destruct, but hard enough encryption for all but the most sensitive secret data.

  4. Re:This RAISES the question...... by Xanni · · Score: 5, Informative
    --
    http://www.glasswings.com/
  5. Re:This begs the question...... by CowTipperGore · · Score: 2, Informative
    First, it doesn't beg the question. Please learn the proper use of the phrase.

    Since there are a ton of these products out there, does any third party verify that they are as secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out? According to TFA, the product was commissioned by the French government and is approved by the French intelligence service. It also is reportedly used in the defense and banking industries. One would hope that there would be some sort of verification by knowledgeable IT folks prior to approval by all these groups, but it appears that no one gave it a real examination.
  6. Re:Security through obscurity? by am+2k · · Score: 2, Informative

    Not shipping with debug symbols is important; it looks like just that happened here. It also reduces the file size greatly.

    Those devs are very clueless.

  7. Re:Security through obscurity? by mark0 · · Score: 2, Informative

    Tell me again why we as Software Engineers are supposed to use descriptive method and variable names?

    So you can maintain the other SE's crappy code.

    But maybe we should look to the security through obscurity methodology as an additional layer of protection.

    That's what obfuscators are for.

  8. English translation of site is still online... by Anonymous Coward · · Score: 1, Informative
  9. Re:Security through obscurity? by Anonymous Coward · · Score: 1, Informative

    If you read the article, the functions you mention are in the DLL. Now I could be wrong, but when you use a DLL there aren't any automatic obfuscation tools, nor can you simply turn off debug. A DLL must export function names so that the operating system knows what the memory address for them is. I'm not sure about Linux (I imagine it's the exact same thing), but under Windows, C compilers put the function name from the source into the DLL (C++ puts a mangled name in). So the only way they could have hidden that would have been to actually change the source code so the functions were called Function1, Function2, etc. No one wants to maintain code like that. As the article said, it would have been better if the DLL simply provided an abstract layer for the program to communicate with the controller, which would perform all the verification, protection, etc. Also, the Flash memory should not have had the ability to be write-protected by a simple wire - everything should have gone through the controller (and encrypted as well).
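
    The design flaw the article describes (the host's password.exe does the comparison and then sends a bare unlock command that the controller obeys) next to the controller-enforced design this comment recommends, as an added Python model. This is not code from the article, Tweakers.net or the Secustick; the UNLOCK/AUTH message names, the three-attempt limit, the key-wrapping layout and the sample data are assumptions constructed for the illustration, and the HMAC-counter keystream stands in for a real cipher. Running it shows that replaying the unlock command or patching the host check defeats the first design, while against the second the host has nothing to patch, a replayed UNLOCK is rejected, the raw flash is ciphertext, and three wrong guesses wipe the wrapped key.

```python
import hashlib
import hmac
import os


def _kdf(password: bytes, salt: bytes) -> bytes:
    """Slow password hash; the controller stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 20_000)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter keystream cipher (illustration only; a real device would use AES)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


class HostCheckedStick:
    """Design the article describes: host software compares the password and then sends
    a bare UNLOCK; the controller obeys whoever sends it. Flash holds plaintext."""

    def __init__(self, password: bytes, secret_data: bytes):
        self.password_hash = hashlib.sha256(password).digest()  # checked by the host only
        self.flash = secret_data        # in the clear; "protected" by a lock flag alone
        self.unlocked = False

    def controller_handle(self, cmd: bytes) -> bytes:
        if cmd == b"UNLOCK":
            self.unlocked = True
            return b"OK"
        return b"ERR"

    def host_login(self, password: bytes) -> bytes:
        """What password.exe does; an attacker can skip it or patch the comparison."""
        if hashlib.sha256(password).digest() == self.password_hash:
            return self.controller_handle(b"UNLOCK")
        return b"DENIED"

    def read(self) -> bytes:
        return self.flash if self.unlocked else b""


def bypass_host_check(stick: HostCheckedStick) -> bytes:
    """The attack from the article: send the unlock command without knowing any password."""
    stick.controller_handle(b"UNLOCK")
    return stick.read()


class ControllerCheckedStick:
    """Design this comment argues for: the controller verifies the password, counts failures,
    self-destructs on too many, and flash holds only ciphertext under a wrapped data key."""

    MAX_ATTEMPTS = 3  # assumed limit for the illustration

    def __init__(self, password: bytes, secret_data: bytes):
        self._salt = os.urandom(16)
        self._verifier = _kdf(password, self._salt)
        self._wrap_salt = os.urandom(16)
        data_key = os.urandom(32)
        # data key stored wrapped under a password-derived key: flash alone is useless
        self._wrapped_key = _keystream_xor(_kdf(password, self._wrap_salt), data_key)
        self.flash = _keystream_xor(data_key, secret_data)
        self._attempts = 0
        self._destroyed = False
        self._session_key = None

    def controller_handle(self, cmd: bytes) -> bytes:
        if self._destroyed:
            return b"DESTROYED"
        if not cmd.startswith(b"AUTH "):
            return b"ERR"          # there is no bare UNLOCK to replay
        candidate = cmd[5:]
        if hmac.compare_digest(_kdf(candidate, self._salt), self._verifier):
            self._attempts = 0
            self._session_key = _keystream_xor(_kdf(candidate, self._wrap_salt), self._wrapped_key)
            return b"OK"
        self._attempts += 1
        self._session_key = None   # any failure re-locks the device
        if self._attempts >= self.MAX_ATTEMPTS:
            self._destroyed = True
            self._wrapped_key = b"\x00" * 32   # self-destruct: ciphertext is now unrecoverable
            return b"DESTROYED"
        return b"DENIED"

    def read(self) -> bytes:
        if self._session_key is None:
            return b""
        return _keystream_xor(self._session_key, self.flash)


if __name__ == "__main__":
    secret = b"constructed sample: payroll.xls"   # constructed sample data
    print("weak stick bypassed:", bypass_host_check(HostCheckedStick(b"hunter2", secret)) == secret)
    strong = ControllerCheckedStick(b"hunter2", secret)
    print("replayed UNLOCK:", strong.controller_handle(b"UNLOCK"))
    print("raw flash is ciphertext:", strong.flash != secret)
    for guess in (b"AUTH a", b"AUTH b", b"AUTH c"):
        print(guess, "->", strong.controller_handle(guess))
```

    The host side of the second design carries no secret and makes no decision, so a patched password.exe gains nothing; the only attack surface left is the controller's own verification logic and the physical extraction of the wrapped key, which the comment's "everything through the controller" point is about.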

  10. Re:Well they could have been like other companies by Anonymous Coward · · Score: 2, Informative

    Read the article again - nothing to do with debugging symbols. The function names mentioned are DLL function names. Read up on DLL to figure out why those are not obfuscated.