Slashdot Mirror


7 Secure USB Drives Reviewed

jcatcw writes "Computerworld has reviewed seven USB drives that use either encryption or a physical keypad to protect stored data, and found big differences in I/O speeds, ease of use and strength of security. In the case of the drive using a key pad, the editors were able to break open the device and access the data, bypassing the PIN security. They also state that there is little difference between 128-bit and 256-bit AES encryption because neither has been broken yet. The drives reviewed were the SanDisk Cruzer, the Lexar JumpDrive, the Kingston DataTraveler, the Imation Pivot Plus, the Corsair Survivor, the Corsair Padlock and the IronKey Secure USB Drive. The editors chose the IronKey as the most secure."

11 of 146 comments

  1. For the... by Creepy+Crawler · · Score: 4, Informative

    For the love of /root, use the print link.

    We don't want to see a little bit of content over 9 pages!

    --
  2. Another analysis (similar vein) by th0mas.sixbit.org · · Score: 5, Informative

    Another analysis of some of the ICs used in popular secure USB tokens (not USB storage devices) can be found here:

    http://www.flylogic.net/blog/

    They often de-cap the ICs and reverse engineer from a microscope. Really interesting stuff!

    --
    twitter.com/gravitronic
  3. Re:TrueCrypt by CodeBuster · · Score: 2, Informative

    It only requires administrative rights to use if you are trying to use it on another computer besides your own laptop while traveling, but anyone who does that without the dip switch set to write protect and the entire volume encrypted is just asking for trouble anyway. The ideal solution is to simply encrypt the entire volume on the USB thumb drive and then set the dip switch to write protect when it is not plugged into your laptop OR you are not using it for writes. That way if the thumb drive is lost it will be useless, other than as a storage device, to anyone who finds it (i.e. they may format it and use it themselves but your data will be safe). Why would you want to trust the closed source USB thumb drive vendor's encryption software when TrueCrypt is usable, powerful, proven, and open source? In fact, if I were a thumb drive manufacturer then I would simply distribute TrueCrypt with my thumb drives and be done with it.

  4. Truecrypt: Linux, OS X, and Windows. Free. by Futurepower(R) · · Score: 5, Informative

    For the love of convenience, sanity, and saving money, just use any flash memory drive and TrueCrypt.

    "Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux"

  5. Short summary by Cheesey · · Score: 5, Informative

    Corsair Flash Padlock - physical security only: crack it by breaking open the case.

    The Corsair Survivor - no security, so TrueCrypt is needed, but setup instructions for TrueCrypt are included.

    The Imation Pivot Plus Flash Drive - uses AES-256, but in the insecure ECB mode. Hey, I suppose it's better than ROT13 at least.

    The IronKey Secure Flash Drive - "To use the IronKey flash drive, you need to activate an online account." Well, that sounds like a great idea.

    The Kingston DataTraveler Secure -- Privacy Edition - "Kingston refused to say what encryption mode the device runs in, citing that it was proprietary information." So that would be ECB again, then. Or maybe something even more pathetic.

    The Lexar JumpDrive Secure II Plus - Special proprietary software is required to use this one.

    The SanDisk Cruzer Professional - ECB again.

    Really short summary: buy a conventional USB stick and do the encryption yourself using free software that you can trust. Because customers cannot tell the difference between a well secured device and some snake oil junk, there is no incentive to make these things work properly.

    --
    >north
    You're an immobile computer, remember?
    1. Re:Short summary by chappel · · Score: 3, Informative

      Note that the online activation is completely optional for the IronKey. I've had one for a while, and am satisfied with it, other than the time it's taking them to release Linux support (beta should be coming out shortly).

      The anonymous browsing works well. I haven't had as much luck with the password-keeper feature. Note that so far only basic file access works on OSX, but it works easily.

      I opted for the online activation, and used the password recovery successfully - and am glad I got to test that instead of the '10 guesses and the drive dies' feature.

      In general, IronKey seems to have a healthy philosophy toward security; I've recommended it often (not that anyone has listened). They are still a fairly new organization and I think they still have a few internal growth issues to work out, but they seem to be coming along nicely.

  6. Re:A false sense of security is actually worse by mlts · · Score: 3, Informative

    That is true, because by default Windows Server 2003 and XP keep a LAN Manager password hash. This can be fixed by going into Group Policy, enabling the "Do not set LAN manager hash on next password change" option, then changing all passwords.

    Thankfully this is set differently by default in both Windows Vista and Windows Server 2008, so the LAN Manager hash is worthless. Of course, this doesn't mean that one can ignore physical security completely, but it raises the bar for password cracking.

    To be safe, blincoln has the right idea -- minimum 15 characters, so even if the LAN Manager compatibility gets enabled for some $DEITY-forsaken reason, the passwords are immune to rainbow table cracking.

    Long term, unless done already, MS needs to take a page from TrueCrypt's playbook [1], and perhaps offer the ability for passwords to be encoded with a varying number of rounds, (for example, SHA-512 hashing a password with a random salt, repeating a million times.) This will slow down brute forcing as an attack vector significantly.
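
Added example, not part of the comment above and not Microsoft's or TrueCrypt's code: salted, iterated password hashing with a stored, adjustable round count, using PBKDF2-HMAC-SHA512 from Python's `hashlib` as the standardized form of "hash with a random salt, repeated many times". The record format and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

DEFAULT_ROUNDS = 1_000_000  # the "million times" figure from the comment


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return 'pbkdf2-sha512$rounds$salt$digest' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"pbkdf2-sha512${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and round count stored in the record."""
    scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, policy_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when a record was made with fewer rounds than current policy."""
    return int(record.split("$")[1]) < policy_rounds


if __name__ == "__main__":
    # Cost per guess grows linearly with the round count, for attacker and
    # defender alike; the defender pays it once per login.
    for rounds in (1_000, 100_000, DEFAULT_ROUNDS):
        start = time.perf_counter()
        record = hash_password("constructed sample passphrase", rounds)
        print(f"{rounds:>9} rounds: {time.perf_counter() - start:.3f}s per guess")
    print("verifies:", verify_password("constructed sample passphrase", record))
```

Because the salt is random per record, the same password never produces the same stored value twice, which is what defeats precomputed rainbow tables.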

  7. Re: Insecure ECB Mode? by wfberg · · Score: 2, Informative

    The Disk encryption theory article on Wikipedia lists some modes of operation that are practical for disk encryption, most notably XTS, which is used by TrueCrypt. Wikipedia also lists different disk encryption apps, and the modes of operation they use.

    --
    SCO employee? Check out the bounty
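
Added example, not part of any comment in this thread and not code from any of the reviewed drives: why ECB is called insecure in the "Short summary" comment and why the comment above points to position-dependent modes such as XTS. A toy Feistel cipher built from HMAC-SHA256 stands in for AES (Python's standard library has no AES), and the tweak is a simplified XEX-style mask, not XTS itself; the sample data, keys and function names are constructed for this illustration.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # bytes, the AES block size


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for AES (not for real use)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    return b"".join(encrypt_block(key, b) for b in blocks(data))


def tweaked_encrypt(key: bytes, tweak_key: bytes, data: bytes) -> bytes:
    """XEX-style: mask each block with a tweak derived from its position."""
    out = []
    for n, b in enumerate(blocks(data)):
        t = hmac.new(tweak_key, n.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]
        out.append(xor(encrypt_block(key, xor(b, t)), t))
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block."""
    return sum(c - 1 for c in Counter(blocks(ciphertext)).values())

# Constructed sample "drive": 6 empty blocks, a record stored twice, one unique record.
SAMPLE = bytes(BLOCK) * 6 + b"ACCT:0001 PAID=Y" * 2 + b"ACCT:0002 PAID=N"
KEY, TWEAK_KEY = b"constructed key A", b"constructed key B"

if __name__ == "__main__":
    print("ECB repeats:    ", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))
    print("tweaked repeats:", repeated_blocks(tweaked_encrypt(KEY, TWEAK_KEY, SAMPLE)))
```

Under ECB the six repeated plaintext blocks show up as six repeated ciphertext blocks, so empty regions and duplicated records are visible without the key; with a per-position tweak the repeats disappear.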
  8. Re:Confusion between permissions and encryption. by X0563511 · · Score: 2, Informative

    Microsoft's encryption uses some weird public key stuff that is tied to the user hash (I call it a hash - I mean that big numbery-string thing that shows when the user isn't in the local system's SAM database)

    Basically, the whole point of it is that you can't take some random encrypted drive somewhere else and read it - kind of defeats the purpose of using it on a flash drive, unless you want it (or the specific paths that are encrypted) locked to the PC.

    Yes, the NTFS encryption is crap, unless you set up Windows JUST RIGHT and then encrypt it, or use the 'crypt' command line utility (built in) to update it all.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  9. NTFS encryption tied to OS user name and password! by Futurepower(R) · · Score: 2, Informative

    Yes, the problem with Microsoft's NTFS encryption is that it is tied to the operating system User Name and password. Crazy!

    That means if the user account is damaged, the data is lost forever, unless the user info can be restored from a domain server.

    There are complaints on MS user groups from people who have lost months of hard work that way.

  10. Re:TrueCrypt by Amiralul · · Score: 2, Informative

    Needing Administrator privileges to see the TrueCrypt encrypted drive is a huge drawback. I mean, not every Joe has admin rights on his PC (or even knows his admin password) and if I want to use my USB on his computer... Well, I can't.