Slashdot Mirror
Protected Memory Stick Easily Cracked
Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be a very insecure. According to the distributer of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site give a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"
At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.
Destroying the contents on a bad password attempt is crazy. Especially when you use very cryptic passwords. People tend to type wrong, hold the shift key down too long, not hold the shift key down when necessary. Sometimes I have to type my passwords two or three times before getting it right. Destroying important sensitive information because I accidentally typed it wrong is just plain stupid. These kind of technologies will only be a pain for people using them legitimately, and anyone who wants to hack to get the information will generally be able to find some way to get it, thus it is only extends the problems and provides no solutions.
...... Since there are a ton of these products out there. Does any third party verifiy that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
The whole thing is just stupid. Oh where to start ...
....
- self destruct, great, so if you want to destroy someones data, just grab their memory stick and intentional use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.
- No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.
- So smug in their design they don't even encrypt the data. Outstanding.
- Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?
Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.
Hey, I have a secure self destructing bridge to sell to
Well, not completely. A spokesperson for the product is reported saying:
This is quite a different statement from the one made near the start of the article.
Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function, and change the return value from 0 to 1. Pretty embarassing. But the article went pretty easy on them after that. Really good read by the way.
They had added it to close a previous security problem I'd pointed out with their product that stored an internal customer id in a cookie to grant access to a web app - problem was, the customer id's were allocated sequentially, so anyone brute-forcing it would get access to all their customer data in minutes, including the adress books of the entire top management team.... base64 "encrypting" the customer id was supposed to prevent anyone from trying that trick again... I left that company pretty much as soon as I could..