Slashdot Mirror


7 Secure USB Drives Reviewed

jcatcw writes "Computerworld has reviewed seven USB drives that use either encryption or a physical keypad to protect stored data, and found big differences in I/O speeds, ease of use and strength of security. In the case of the drive using a key pad, the editors were able to break open the device and access the data, bypassing the PIN security. They also state that there is little difference between 128-bit and 256-bit AES encryption because neither has been broken yet. The drives reviewed were the SanDisk Cruzer, the Lexar JumpDrive, the Kingston DataTraveler, the Imation Pivot Plus, the Corsair Survivor, the Corsair Padlock and the IronKey Secure USB Drive. The editors chose the IronKey as the most secure."

6 of 146 comments

  1. For the... by Creepy+Crawler · · Score: 4, Informative

    For the love of /root, use the print link.

    We don't want to see a little bit of content over 9 pages!

  2. Another analysis (similar vein) by th0mas.sixbit.org · · Score: 5, Informative

    Another analysis of some of the ICs used in popular secure USB tokens (not USB storage devices) can be found here:

    http://www.flylogic.net/blog/

    They often de-cap the ICs and reverse engineer from a microscope. Really interesting stuff!

    --
    twitter.com/gravitronic
  3. TrueCrypt: Linux, OS X, and Windows. Free. by Futurepower(R) · · Score: 5, Informative

    For the love of convenience, sanity, and saving money, just use any flash memory drive and TrueCrypt.

    "Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux"

  4. Short summary by Cheesey · · Score: 5, Informative

    Corsair Flash Padlock - physical security only: crack it by breaking open the case.

    The Corsair Survivor - no security, so TrueCrypt is needed, but setup instructions for TrueCrypt are included.

    The Imation Pivot Plus Flash Drive - uses AES-256, but in the insecure ECB mode. Hey, I suppose it's better than ROT13 at least.

    The IronKey Secure Flash Drive - "To use the IronKey flash drive, you need to activate an online account." Well, that sounds like a great idea.

    The Kingston DataTraveler Secure -- Privacy Edition - "Kingston refused to say what encryption mode the device runs in, citing that it was proprietary information." So that would be ECB again, then. Or maybe something even more pathetic.

    The Lexar JumpDrive Secure II Plus - Special proprietary software is required to use this one.

    The SanDisk Cruzer Professional - ECB again.

    Really short summary: buy a conventional USB stick and do the encryption yourself using free software that you can trust. Because customers cannot tell the difference between a well secured device and some snake oil junk, there is no incentive to make these things work properly.

    --
    >north
    You're an immobile computer, remember?
    1. Re:Short summary by chappel · · Score: 3, Informative

      Note that the online activation is completely optional for the IronKey. I've had one for a while, and am satisfied with it, other than the time it's taking them to release Linux support (beta should be coming out shortly).

      The anonymous browsing works well. I haven't had as much luck with the password-keeper feature. Note that so far only basic file access works on OSX, but it works easily.

      I opted for the online activation, and used the password recovery successfully - and am glad I got to test that instead of the '10 guesses and the drive dies' feature.

      In general, IronKey seems to have a healthy philosophy toward security; I've recommended it often (not that anyone has listened). They are still a fairly new organization and I think they still have a few internal growth issues to work out, but they seem to be coming along nicely.

  5. Re:A false sense of security is actually worse by mlts · · Score: 3, Informative

    That is true, because by default Windows Server 2003 and XP keep a LAN Manager password hash. This can be fixed by going into Group Policy, enabling the "Do not set LAN manager hash on next password change" option, then changing all passwords.

    Thankfully this is set differently by default in both Windows Vista and Windows Server 2008, so the LAN Manager hash is worthless. Of course, this doesn't mean that one can ignore physical security completely, but it raises the bar for password cracking.

    To be safe, blincoln has the right idea -- minimum 15 characters, so even if the LAN Manager compatibility gets enabled for some $DEITY-forsaken reason, the passwords are immune to rainbow table cracking.

    Long term, unless done already, MS needs to take a page from TrueCrypt's playbook [1], and perhaps offer the ability for passwords to be encoded with a varying number of rounds (for example, SHA-512 hashing a password with a random salt, repeating a million times). This will slow down brute forcing as an attack vector significantly.
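
Added example, not from the thread: salted, iterated password hashing with a configurable round count, as the comment above proposes. It swaps in PBKDF2-HMAC-SHA512 from Python's standard library for the plain repeated SHA-512 the comment describes; the record format and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha512"  # label stored in each record (constructed format)


def hash_password(password: str, iterations: int = 1_000_000) -> str:
    """Return 'scheme$iterations$salt$hash' using a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and round count stored in the record."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, target_iterations: int) -> bool:
    """True when a stored record uses fewer rounds than current policy."""
    return int(record.split("$")[1]) < target_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec[:40] + "...")
    print(verify_password("correct horse battery staple", rec))
```

Because the round count travels with each record, it can be raised over time and old records upgraded at the next successful login; the per-record salt is what defeats precomputed rainbow tables.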