Protected Memory Stick Easily Cracked
Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"
At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be interesting to see if they recall the ones already sold.
At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.
TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.
Most Slashdotters know you should not trust the built in security on these devices.
The solution for real security on these devices is to use TrueCrypt.
It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's set up, though, it's secure and easy to use.
Since there are a ton of these products out there. Does any third party verify that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Yep, traveler mode + solid password + key files = oops I lost the USB stick with my password list on it, oh well.
No self-destruct, but hard enough encryption for all but the most sensitive secret data.
The whole thing is just stupid. Oh where to start ...
....
- self destruct, great, so if you want to destroy someone's data, just grab their memory stick and intentionally use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.
- No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.
- So smug in their design they don't even encrypt the data. Outstanding.
- Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?
Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.
Hey, I have a secure self destructing bridge to sell to
The type of people who have got the wherewithal to set up TrueCrypt are not the market this was aiming for. This seems like a product made for the techno-clueless PHB types who just want to buy something off the shelf they can stick in their magic computer box and have it "just work," and who see that high a price on a simple 1-gig USB stick not as an obvious ripoff, but as a measure of how much good computer magic it must surely contain.
The developers of the Secustick are looking into the problem and they think that the issue is with their algorithm that encrypts the data into ASCII.
No surprise that the security is non-existent, but a nice surprise that tweakers.net[0] have people skilled enough to do a thorough technical review. Tip-of-the-Hat to the reviewers and keep the good work up. Anyone can run 3D benchmarks and make graphs against the previous generation, but this requires a different level of technical know-how. It's always been my hope that the future would feature this type of review, using reverse-engineering techniques for in-depth technical reviews, as a norm not an exception.
[0] No disrespect to the people of tweakers.net, I mean in the sense of 'any popular review site'.
Belief is the currency of delusion.
So French intelligence really IS an oxymoron. Go figure.
Not shipping with debug symbols is important, looks like just that happened here. It also reduces the file size greatly.
Those devs are very clueless.
Tell me again why we as Software Engineers are supposed to use descriptive method and variable names?
So you can maintain the other SE's crappy code.
But maybe we should look to the security through obscurity methodology as an additional layer of protection.
That's what obfuscators are for.
mod -5 absent-the-day-they-covered-fallacies
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Shouldn't stripping the debugger symbols from the executable be sufficient? The problem is that people don't give up that easily. Having everything obviously labeled made the job quicker, but not having those won't stop a sufficiently skilled/bored hacker.
When they are harping on the device's unique technology.
Unique and secure are mutually exclusive.
It is not possible, through a feat of sheer genius, to make something that is both novel and demonstrably secure. It turns out that genius isn't a particularly rare commodity. With 6.5 billion people in the world, there are 6,500 people who are walking around with one-in-a-million levels of intellect. Any one of those people, on a good day, can beat any other person on earth in a battle of wits. Any one of the millions of people with one-in-a-thousand intellects probably can, too.
Security is the one aspect of technology where state of the art is better than something which advances state of the art. State of the art means nobody has yet, even on the best day they've ever had, been able to beat it. We've seen some recent examples where very narrow vulnerabilities have been found in hashing algorithms, which has forced the state of the art to change slightly to favor drop-in replacements. But by and large the state of the art has been remarkably stable over a long, long time. Anybody who claims to have something nobody else has probably has something worthless, if he has anything at all.
This is why product security is so bad. It's not possible to differentiate yourself based on security, without affecting other areas such as usability. There is considerable irony in this fact: a product that is carefully thought out and implemented using widely known techniques would have a good chance of being unique. The problem is selling the product. Lotus Notes is a good example. It has its strengths and weaknesses, but as of the early 90s it was the most secure email system in the world. In fact it still would be. But it wasn't the easiest to use or administer. Unfortunately their attempts to make the system more attractive were failures. It's never been more attractive than Exchange. But it's always been more secure.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I am also curious. . . What does the law in the Netherlands say regarding corporate mandates? Are Dutch corps allowed to put other things ahead of generating profit for shareholders?
-FL
the result is revolutionary, ultra safe and approved by the French intelligence service.
I think that says quite a lot for the French intelligence service. Unless they wanted an insecure device to be marketed as secure.... black helicopters at the ready.
Like other posters, I am at a loss at where to start.
(1) If you don't have encryption, GOOD ENCRYPTION, you can't protect squat.
(2) "Self Destruct" is interesting, but unless you have a custom micro-controller on the ram stick, AND an independent power supply, AND the device potted in epoxy, it is all just a made for TV gimmick.
(3) Password.exe? I didn't see this in the article, but what happens if one plugs it into a Mac, Linux, FreeBSD, etc? Does it just work or does it self destruct?
(4) With reference to #2, since the article showed that one could make the device read-only, would self-destruct no longer work? If so, it MUST be potted in epoxy.
(5) Does the "self destruct" operate on the PC or the ram stick? We all know if it runs on the PC, it is doomed to fail.
If they want to REALLY do this:
(1) before everything, encrypt the data. This buys the device time to operate and basic security.
(2) Install a PIC or something that MUST have an encoded heart beat with some sort of hard to reproduce calculated byte pattern.
(3) Without a valid heart beat, the PIC will simply not enable the flash device.
(4) With a valid heart beat, the system must pass a valid password hash string within a reasonable amount of time to the PIC, or the data will be destroyed.
(5) After a number of failed attempts, the PIC will destroy the data.
(6) When the heart beat stops, the PIC disables the flash. (It is presumed that the software clears the file system cache as well.)
(7) Pot the damned device in epoxy.
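The controller logic sketched in steps (1) to (6) of the comment above can be modelled as a small state machine. This is an added example, not part of the original post and not Secustick code. It assumes an HMAC over a counter as the heartbeat, PBKDF2 run on the device, a limit of 3 attempts, a window of 5 heartbeats, and "destroy" meaning the data key is discarded; all class and function names are hypothetical.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3    # assumed; the post says only "a number of failed attempts"
UNLOCK_WINDOW = 5   # assumed: heartbeats tolerated before a password must arrive

def pw_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def host_tag(hb_key: bytes, counter: int) -> bytes:
    # Heartbeat the host sends: HMAC over a counter, so a replayed beat fails.
    return hmac.new(hb_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()

class StickController:
    def __init__(self, hb_key, salt, pw_hash, data_key):
        # Model of the on-stick microcontroller; every check runs on the device.
        self.hb_key, self.salt, self.pw_hash = hb_key, salt, pw_hash
        self.data_key = data_key          # key for the encrypted flash (step 1)
        self.counter = self.waiting = self.failures = 0
        self.alive = self.unlocked = False

    def _destroy(self):
        self.data_key = None              # key gone; the ciphertext is useless
        self.alive = self.unlocked = False

    def heartbeat(self, tag: bytes) -> bool:
        ok = self.data_key is not None and hmac.compare_digest(
            tag, host_tag(self.hb_key, self.counter))
        if not ok:                        # steps 3 and 6: flash stays disabled
            self.alive = self.unlocked = False
            return False
        self.counter, self.alive = self.counter + 1, True
        self.waiting += 0 if self.unlocked else 1
        if self.waiting > UNLOCK_WINDOW:  # step 4: no password arrived in time
            self._destroy()
        return self.alive

    def unlock(self, password: str) -> bool:
        if not self.alive:
            return False                  # no heartbeat, no password check at all
        if hmac.compare_digest(pw_digest(password, self.salt), self.pw_hash):
            self.unlocked, self.failures = True, 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:  # step 5: too many wrong passwords
            self._destroy()
        return False

    def read_key(self):
        return self.data_key if self.alive and self.unlocked else None
```

The point of the model is that the password comparison, the attempt counter and the key release all live in `StickController`, so a modified host program has nothing to patch.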
Very simply, no. It increases the bar, but it doesn't make it any less readable. I spend my days with assembler code written by someone else, figuring out how it works and how it does what it does. You get an 'eye' for certain things. You start seeing certain things, how functions run, what functions do what, not by reading the code, just by looking at it. You start being able to interpret the return values of functions, you can 'feel' the code.
And those guys rarely leave any clues left in the code, often every single bit of string is encrypted layer after layer. There ain't much you get out of the code. And still it's not really 'hard' to read, despite runtime encryption of code and data.
I doubt that people who display this lack of skill could develop something similar to some of the gems of obfuscation software I had crawling over my desk the last few months. Functions give their meaning away by the way they look, especially when a stock compiler created the assembly. Certain things simply 'look' a certain way when a standard compiler assembled them. You don't need to know that this is going to compare strings, read files, mess with the registry or start a connection to somewhere, when a standard compiler created the code, glancing at it is usually enough to 'feel its vibes' (I'm lacking better words, it's really a matter of experience, IMO).
So no, stripping the symbols is hardly enough to make it any more difficult for experienced disassembly readers. It will certainly throw a few people who just started learning, but it won't matter much to a professional.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
signature pending slashdot approval
It's sexy to have a device that can actually self-destruct. This is the flash drive that James Bond would use.
Duh.
Does that remind anyone else of "Most people don't even know what a rootkit is, so why should they care?"
Oh my god, some people are really projecting their own dumbness at their customers. Such marketroids should really be sacrificed to the war against terror. Or cluebatted.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
Without the correct password, the controller chip will simply refuse to provide further access to the flash memory.
So even if the password control worked (which it doesn't), you could get at the contents by desoldering the flash chip and putting it in a reader. (Something hobbyists have been doing with HD-DVD drives to reverse engineer/modify the firmware.) And this is a supposedly intelligence-service recommended device for government use? Right, go on, pull the other one.
-- Alastair
And this is a great example of why most people shouldn't be allowed near a security product without training. Training which includes getting their head slapped when they say things like this.
Repeat after me:
If the debug symbols in your executable have ANY EFFECT WHATSOEVER on the security of your product, your product is insecure.
Let's say that again:
Debug symbols are a good thing. They allow people to analyze the behavior of your software better. If analyzing the behavior of your software leads them to conclude that it's insecure, then it was insecure WHETHER OR NOT YOU HAD DEBUG SYMBOLS.
A third time:
A secure piece of software is secure whether or not you ship the debug symbols, the source code, and a giant manual explaining the design of the system in excruciating detail. If any of these things affects the security in any way, your design is broken.
The fact is, every time something like this comes up, people start screaming "kill the messenger!" In this case, the messenger was the debug symbols. The message was, "this security product is a laughable toy."
Come on, if they'd shipped you the software in non-compiled python, would you have screamed, "What fools! Only hand coded assembly can be secure!" ? Ridiculous. A secure design can be implemented in any language whatsoever, with or without source code, object code, and symbols.
If you are the least bit worried about supplying all those things with your software, you have no business calling it a security product.
It's a toy.
Case in point: this memory stick. It sure is a good thing they made it so easy to analyze their system with debugging symbols. If they hadn't, people might still be falsely believing it was a security product, and putting their valuable data in it. Now wouldn't that be a terrible thing?