Slashdot Mirror


Protected Memory Stick Easily Cracked

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"
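
The flaw quoted in the summary (a password checked only by host software, followed by an unlock command that carries no secret) set beside a design in which the password derives the encryption keys, as an added example that is not code from the article or from the Secustick software. The class names, password and data are constructed, and the HMAC keystream is a toy stand-in for a real cipher so the block needs only the Python standard library.

```python
import hashlib, hmac, secrets

class HostCheckedStick:
    """Flawed model: plaintext on flash, password compared only by host software."""
    def __init__(self, password, data):
        self._password, self._data, self.unlocked = password, data, False
    def unlock(self):  # the device command carries no secret
        self.unlocked = True
    def host_login(self, attempt):  # the only password comparison, done on the host
        if hmac.compare_digest(attempt.encode(), self._password.encode()):
            self.unlock()
        return self.unlocked
    def read(self):
        if not self.unlocked:
            raise PermissionError("locked")
        return self._data

def _xor_stream(key, nonce, data):
    """Toy HMAC-SHA256 counter keystream; stand-in for a real cipher such as AES."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyDerivedStick:
    """Hardened model: the password derives the keys, so no secret-free unlock exists."""
    def __init__(self, password, data):
        self._salt, self._nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        enc_key, mac_key = self._derive(password)
        self._ct = _xor_stream(enc_key, self._nonce, data)
        self._tag = hmac.new(mac_key, self._nonce + self._ct, hashlib.sha256).digest()
    def _derive(self, password):
        km = hashlib.pbkdf2_hmac("sha512", password.encode(), self._salt, 200_000, dklen=64)
        return km[:32], km[32:]
    def read(self, password):
        enc_key, mac_key = self._derive(password)
        tag = hmac.new(mac_key, self._nonce + self._ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):  # wrong password fails authentication
            raise PermissionError("wrong password")
        return _xor_stream(enc_key, self._nonce, self._ct)

def demo():
    secret = b"constructed sample document"
    weak = HostCheckedStick("correct horse", secret)
    weak.unlock()  # host_login() is never consulted, yet read() now succeeds
    strong = KeyDerivedStick("correct horse", secret)
    try:
        strong.read("wrong guess"); rejected = False
    except PermissionError:
        rejected = True
    return weak.read() == secret, rejected, strong.read("correct horse") == secret
```

In the second model, patching or skipping the host-side comparison gains nothing, because the stored bytes are only recoverable with keys derived from the correct password.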

9 of 220 comments

  1. Just put - by ditoa · · Score: 4, Informative

    TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.

    1. Re:Just put - by jawtheshark · · Score: 3, Informative

      Once Truecrypt is installed on a machine (by Administrator) every Limited User can use it without problems. I have it set up that way at home.

      Running Truecrypt requires a driver, and inserting that in the operating system requires Admin. Once it's there, using it is allowed by everyone.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  2. TrueCrypt by Teckla · · Score: 5, Informative

    Most Slashdotters know you should not trust the built in security on these devices.

    The solution for real security on these devices is to use TrueCrypt.

    It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's set up, though, it's secure and easy to use.

  3. A cheaper alternative that actually works by jrumney · · Score: 4, Informative
    1. 1Gb USB stick - from around $20 (maybe even cheaper)
    2. Truecrypt - free

    No self-destruct, but hard enough encryption for all but the most sensitive secret data.

  4. Re:This RAISES the question...... by Xanni · · Score: 5, Informative
    --
    http://www.glasswings.com/
  5. Re:This begs the question...... by CowTipperGore · · Score: 2, Informative
    First, it doesn't beg the question. Please learn the proper use of the phrase.

    Since there are a ton of these products out there. Does any third party verify that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out? According to TFA, the product was commissioned by the French government and is approved by the French intelligence service. It also is reportedly used in the defense and banking industries. One would hope that there would be some sort of verification by knowledgeable IT folks prior to approval by all these groups, but it appears that no one gave it a real examination.
  6. Re:Security through obscurity? by am+2k · · Score: 2, Informative

    Not shipping with debug symbols is important, looks like just that happened here. It also reduces the file size greatly.

    Those devs are very clueless.

  7. Re:Security through obscurity? by mark0 · · Score: 2, Informative

    Tell me again why we as Software Engineers are supposed to use descriptive method and variable names?

    So you can maintain the other SE's crappy code.

    But maybe we should look to the security through obscurity methodology as an additional layer of protection.

    That's what obfuscators are for.

  8. Re:Well they could have been like other companies by Anonymous Coward · · Score: 2, Informative

    Read the article again - nothing to do with debugging symbols. The function names mentioned are DLL function names. Read up on DLL to figure out why those are not obfuscated.