
Protected Memory Stick Easily Cracked

kdawson posted more than 7 years ago | from the not-that-hard-a-hack dept.

Security 220

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"


Well they could have been like other companies (5, Insightful)

insanemime (985459) | more than 7 years ago | (#18717041)

At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be interesting to see if they recall the ones already sold.

Re:Well they could have been like other companies (5, Interesting)

tritonman (998572) | more than 7 years ago | (#18717157)

Destroying the contents on a bad password attempt is crazy. Especially when you use very cryptic passwords. People tend to type wrong, hold the shift key down too long, not hold the shift key down when necessary. Sometimes I have to type my passwords two or three times before getting it right. Destroying important sensitive information because I accidentally typed it wrong is just plain stupid. These kinds of technologies will only be a pain for people using them legitimately, and anyone who wants to hack to get the information will generally be able to find some way to get it, thus it only extends the problems and provides no solutions.

N number of attempts... (1)

Animaether (411575) | more than 7 years ago | (#18717213)

...where N could be set on first initializing the stick. And I assume you could change this later provided you had already given the correct password, but the article doesn't go into that.

So it's not a case of typing it wrong once and *poof* goes the data (note that they didn't find any physical evidence of things in there capable of physical destruction either). If you set it to 3 times, and you get it wrong 3 times yourself - oh well. Maybe you *could* set it to only once, though.. but if you do that, you're an idiot anyway :)

Re:Well they could have been like other companies (2, Interesting)

computational super (740265) | more than 7 years ago | (#18717221)

Depends on how much trouble you'll get in if law enforcement agents manage to get at the data... seeing as how that's the only *possible* use I can imagine these things would ever be put to.

Re:Well they could have been like other companies (1)

jimstapleton (999106) | more than 7 years ago | (#18717425)

I sense a possible lack of imagination here. (is that a good enough flame for you?)

Working from home, but needing to carry sensitive data.

Or consultants that have to travel, and carry sensitive documents.

Lots of legal reasons as well.

Re:Well they could have been like other companies (0)

computational super (740265) | more than 7 years ago | (#18717631)

Working from home, but needing to carry sensitive data that will be erased if I miskey the password even once

consultants that have to travel, and carry sensitive documents that will be erased if I miskey the password even once

I can use my imagination to think of better ways to protect such data.

Re:Well they could have been like other companies (1)

jandrese (485) | more than 7 years ago | (#18717689)

I suspect these things don't self destruct on the first incorrect password. That would be a horrific UI blunder. Rather, I suspect after 5-10 or so incorrect passwords in a row they will self destruct. It's hard to tell because the original site is down.

Re:Well they could have been like other companies (4, Insightful)

TheRaven64 (641858) | more than 7 years ago | (#18717855)

It is unlikely that the only copy of sensitive data would be on the USB stick. If it is destroyed, you still have the original copy somewhere more secure than your pocket. If it's destroyed accidentally, it could be a lot less of a problem than if it fell into the wrong hands.

There are a lot of situations where having a local copy of the data is a convenience, rather than a necessity, and this would allow the convenience without the risk of it being stolen. If it's accidentally destroyed, then it's an inconvenience, not a disaster.

Re:Well they could have been like other companies (1)

cduffy (652) | more than 7 years ago | (#18717857)

It's obviously not "even once" -- if you read the article, it's specified that the counter is user-configured.

Destroying the data on excessive retries is an effective way of preventing a sustained brute-force attack. This implementation is completely useless, to be sure, but the concept is a good one.

Re:Well they could have been like other companies (4, Insightful)

FuzzyDaddy (584528) | more than 7 years ago | (#18717463)

I don't know about you, but I don't keep original copies of data on a USB key. I use it to transfer files from one computer to another, so wiping the data after unsuccessful attempts, in this context, strikes me as a good idea.

Re:Well they could have been like other companies (5, Insightful)

antime (739998) | more than 7 years ago | (#18717217)

What they admitted is that they have no idea what they are doing and have no idea what they are selling. You would have to be an idiot to buy anything security-related from a company like that.

Re:Well they could have been like other companies (2, Insightful)

rucs_hack (784150) | more than 7 years ago | (#18717513)

It's not that silly. They saw a way to make money from the current delusion that data can be unbreakably secured.

The only way to secure data is to make it so absolutely no-one but the authorised people have access to it. You can keep data secure physically if you isolate it from any form of access. However information does not work well if isolated like that, information has to be shareable to be useful, otherwise it's just dead data, worthless bits.

I have several pieces of information that are unhackable. That's because they are written to dvds in a non encrypted form, but the dvds themselves are stashed away where no-one can find them.

That is alas also a delusion, because if I died tomorrow no doubt someone could find them. However, so long as I'm around to protect them, they are safe.

That's not a good way to think if you realise that there is money in pseudo security. Paranoia of customers can be a source of income, and a wise businessman will take advantage of that whenever possible.

Re:Well they could have been like other companies (3, Insightful)

@madeus (24818) | more than 7 years ago | (#18717745)

it's not that silly.
I contend it is not only silly, but sufficiently bad to warrant legal action, because whoever built it must have known how badly it was designed to start with.

It appears that the system doesn't use a form of encryption unlocked by a key (entered by the user) to store the data - and that instead it simply requires use of a single instruction to the USB device to indicate the data ought to be accessible or not. That just sounds ludicrous.

If it had been developed in good faith, and this were a bug (rather than part of the design) and/or the result of a sophisticated exploit that it would have been hard to predict, I would be sympathetic. As I would if they had clearly indicated its limitations (which they could have, but if they've taken the website down now, I'm guessing not).

What's particularly telling for me is, while the company were quite happy to tout the supposed virtues of the product, they are clearly worried about it now they have been found out. That represents a staggering failure by the designers of the software, their managers, the marketing and product design teams, the HR department who hired all these people of clearly very dubious virtue and the senior management involved.

Either they are crooks (because they were complicit in touting such a crummy product that didn't really do what it claimed to do in a reasonable way) or they are all really, really dumb (and none of them asked pertinent questions of the other parties at any stage of product development).

Re:Well they could have been like other companies (1)

jeffasselin (566598) | more than 7 years ago | (#18717805)

You are as deluded as they are. Nothing, I repeat NOTHING can be 100% secure. As long as a single person can have access, knows where the data is, someone else can gain access. By luck, hacks, reasoning, cracking, torture, etc. It's always a question of TIME required to get access, but it's always possible. Modern forms of encryption almost exclusively repose on such a principle: public-key cryptography stands on the difficulty of factoring very large numbers with the current computers and algorithms, which doesn't make cracking it impossible, just take incredibly long.

Re:Well they could have been like other companies (4, Funny)

computational super (740265) | more than 7 years ago | (#18717761)

You would have to be an idiot to buy anything security-related from a company like that.

Which is a shame for this company, because idiots are in such short supply these days...

Re:Well they could have been like other companies (5, Interesting)

Lazerf4rt (969888) | more than 7 years ago | (#18717355)

Well, not completely. A spokesperson for the product is reported saying:

Our customers are happy with the level of protection that our product offers. Normally, the amount of security is sufficient, not everyone has the technical expertise that you have.

This is quite a different statement from the one made near the start of the article.

The stick was commissioned by the French government and - according to the company's press release - the result is revolutionary, ultra safe and approved by the French intelligence service.

Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function, and change the return value from 0 to 1. Pretty embarrassing. But the article went pretty easy on them after that. Really good read by the way.

Re:Well they could have been like other companies (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18717515)

If you're satisfied with a level of security that was proven to be broken easily, you prove that you don't need any security altogether.

If people don't bother breaking your security, they aren't that interested in your information in the first place.
If people who are interested in your secrets are able to do so trivially, you can just as well abstain from encryption altogether to save you the hassle.

Re:Well they could have been like other companies (4, Funny)

jandrese (485) | more than 7 years ago | (#18717713)

I love the part where it is "approved by the French intelligence service". Of course it is, since it's so easy to break. Of course it's not approved for their own use, they just want everybody else to use it.

Re:Well they could have been like other companies (4, Insightful)

morgan_greywolf (835522) | more than 7 years ago | (#18717779)

Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function


Wait. The executable was compiled with debug symbols turned on? With functions with easy-to-understand names? I mean, I know it's only security-through-obscurity, but c'mon! At least up the ante a little bit ... many programmers are not skilled enough to disassemble a program with no symbol table. And the ones that are ... *shrug* rely on the security of your methods, not on the obscurity of your code. IOW, they should have used encryption, even with the self-destruct mechanism.

Re:Well they could have been like other companies (1)

morcego (260031) | more than 7 years ago | (#18717381)

At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be interesting to see if they recall the ones already sold.

I was going to comment on that too.
I find it very decent of them to not only assume there is a problem, but also take off their site, even if it means they might be losing business.

Keeping their clients' trust means much more than technical security, but also they can be trusted to react correctly when an issue like this happens.

I know we should wait and see what they will do from now on but, so far, I have to praise their response.

lol (0)

Anonymous Coward | more than 7 years ago | (#18717053)

I feel bad for the people that bought one. $175 for a memory stick? Ouch.

A cheaper alternative that actually works (4, Informative)

jrumney (197329) | more than 7 years ago | (#18717165)

  1. 1Gb USB stick - from around $20 (maybe even cheaper)
  2. Truecrypt [truecrypt.org] - free

No self-destruct, but hard enough encryption for all but the most sensitive secret data.

Re:A cheaper alternative that actually works (1)

ePhil_One (634771) | more than 7 years ago | (#18717299)

No self-destruct,

I imagine self-destruct was the lure. If they had bothered to Encrypt the contents as well, bypassing the self-destruct would not have been the catastrophic failure it was. The crunchy on the outside, chewy on the inside security model fails again!

Nice one! (5, Interesting)

Anonymous Coward | more than 7 years ago | (#18717075)

At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.

Re:Nice one! (0)

Anonymous Coward | more than 7 years ago | (#18717095)

If I weren't an Anonymous Coward, I'd mod this response up. :)

Re:Nice one! (0)

Anonymous Coward | more than 7 years ago | (#18717421)

The manufacturer actually asked Tweakers.net for a review, so a suit would be pointless. They just got a little more criticism than what they had bargained for ;)

Re:Nice one! (1)

Curien (267780) | more than 7 years ago | (#18717487)

And that makes debuggers a circumvention device; and Microsoft (and Borland, and Apple, and FSF) would be guilty of trafficking in circumvention devices.

I'm having a boring day. Bring on the lawsuit!

Well.... (0)

Anonymous Coward | more than 7 years ago | (#18717077)

We are currently working on an improved version of the Secustick.

I would hope so.

SUCK-u-stick (0, Offtopic)

notpaul (181662) | more than 7 years ago | (#18717113)

Yay!

I was the first one who said it.

Just put - (4, Informative)

ditoa (952847) | more than 7 years ago | (#18717115)

TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.

Re:Just put - (1)

Savage-Rabbit (308260) | more than 7 years ago | (#18717471)

TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.
I use an encrypted image generated by the Apple Disk utility which is capable of creating AES-128 encrypted DMG's. I don't know if aes-128 has been cracked yet but even if it has I rather doubt any thief will go to the trouble of trying to access my data. Of course I might be unlucky enough that my memory stick is stolen by a super Hacker who will go to the trouble of cracking my little DMG crypto image but that seems highly unlikely.

Re:Just put - (1)

CogDissident (951207) | more than 7 years ago | (#18717535)

Sadly, they weren't smart enough to layer a self-destruct over an encrypt.

Re:Just put - (1)

jimicus (737525) | more than 7 years ago | (#18717831)

I doubt the data was encrypted in the first place. If it was, they certainly didn't use the password as the key to encrypt it because a wrong password still gained access to the data.
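An added illustration of the point made in the comments above (it is not part of any comment, nor code from the Tweakers.net article or the vendor): the sketch contrasts storage gated by a yes/no password check with storage whose key is derived from the password. `GateStick`, `KeyedStick` and `always_yes` are hypothetical names, the data is constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
SECRET = b"constructed sample: Q3 payroll export"  # constructed sample data


def derive_keys(password, salt):
    """Stretch the password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode, XORed over the data (stand-in cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class GateStick:
    """Plaintext on flash; access depends only on a yes/no answer."""

    def __init__(self, password, data):
        self._password = password
        self._flash = data  # stored unencrypted

    def verify_password(self, attempt):
        return hmac.compare_digest(attempt.encode(), self._password.encode())

    def read(self, attempt, check=None):
        # `check` stands for the host-side routine. The host is outside the
        # device's trust boundary, so its answer cannot be relied on.
        check = check or self.verify_password
        if not check(attempt):
            raise PermissionError("wrong password")
        return self._flash


class KeyedStick:
    """Ciphertext on flash; the password is the input to the key itself."""

    def __init__(self, password, data):
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        enc_key, mac_key = derive_keys(password, self.salt)
        self.ciphertext = keystream_xor(enc_key, self.nonce, data)
        self.tag = hmac.new(mac_key, self.nonce + self.ciphertext,
                            hashlib.sha256).digest()

    def verify_password(self, attempt):
        _, mac_key = derive_keys(attempt, self.salt)
        expected = hmac.new(mac_key, self.nonce + self.ciphertext,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.tag)

    def read(self, attempt, check=None):
        check = check or self.verify_password
        if not check(attempt):
            raise PermissionError("wrong password")
        # Decryption uses a key derived from the attempt, so a "yes" from the
        # check is worthless without the real password.
        enc_key, _ = derive_keys(attempt, self.salt)
        return keystream_xor(enc_key, self.nonce, self.ciphertext)


def compare_designs():
    """Report, per design, whether the plaintext comes back."""
    always_yes = lambda attempt: True  # models a check whose answer is not trustworthy
    gate = GateStick("correct horse", SECRET)
    keyed = KeyedStick("correct horse", SECRET)
    return {
        "gate_right_password": gate.read("correct horse") == SECRET,
        "gate_check_overridden": gate.read("guess", check=always_yes) == SECRET,
        "keyed_right_password": keyed.read("correct horse") == SECRET,
        "keyed_check_overridden": keyed.read("guess", check=always_yes) == SECRET,
    }


if __name__ == "__main__":
    for name, recovered in compare_designs().items():
        print(f"{name}: plaintext recovered = {recovered}")
```

In the keyed design the stored bytes are useless without the password, which is also what makes a wipe-after-N-attempts feature a second layer rather than the only one.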

Re:Just put - (0)

Anonymous Coward | more than 7 years ago | (#18717577)

Even if the encryption was cracked, it is highly unlikely that those who took the thing will even know what to do with the encrypted drive.
The thief is more likely to reformat it and use it as their own even with broken encryption.
Either way, you have prevented them from using your data!!
Better back the thing up to another stick, CD or drive and keep that one in a safe place. Maybe even a safe!!

The problem with these things is that they are so small, so easy to lose, forget or have them stolen.

Re:Just put - (1, Funny)

Anonymous Coward | more than 7 years ago | (#18717597)

actually, I cracked Truecrypt last year but they paid me a billion dollars to cover it up.

Linux... (1)

bilbravo (763359) | more than 7 years ago | (#18717121)

password.exe seems to me that it would be a Win32 application. So, what if I put this in a Linux PC? Surely it's encrypted somehow? Maybe I need to read the article again, but I didn't see any mention of encryption.

No encryption... (1)

Animaether (411575) | more than 7 years ago | (#18717243)

... as far as the article details.

The password.exe does, however, address a controller chip. Without the correct password, the controller chip will simply refuse to provide further access to the flash memory.

So if you're really wondering - I would imagine that the entire thing won't work with Linux, period.

Re:No encryption... (1)

Derek Pomery (2028) | more than 7 years ago | (#18717315)

... but "It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password."
huzzah! a linux version should soon be in the works! ;)

Re:No encryption... (1)

Alphager (957739) | more than 7 years ago | (#18717331)

...unless someone sends the giveAccess()-command to the controller, which should be pretty easy.

Re:Linux... (1)

Chysn (898420) | more than 7 years ago | (#18717649)

From TFA:

As it turned out, we already had full access to the 'protected' files. Apparently, the program merely checks to see if the password has been entered correctly, and the stick's contents are unlocked on the basis of this. By simply altering the return value of the VerifyPassWord() routine, the - unencrypted - data is revealed.

Truecrypt (1)

sakdoctor (1087155) | more than 7 years ago | (#18717129)

Doesn't truecrypt have a traveller mode? This seems a bit useless as well as the insecurity.

Re:Truecrypt (2, Insightful)

bcoff12 (584459) | more than 7 years ago | (#18717163)

Yep, traveler mode + solid password + key files = oops I lost the USB stick with my password list on it, oh well.

TrueCrypt (5, Informative)

Teckla (630646) | more than 7 years ago | (#18717131)

Most Slashdotters know you should not trust the built in security on these devices.

The solution for real security on these devices is to use TrueCrypt [truecrypt.org].

It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's set up, though, it's secure and easy to use.

Re:TrueCrypt (5, Insightful)

Rob T Firefly (844560) | more than 7 years ago | (#18717215)

The type of people who have got the wherewithal to set up TrueCrypt are not the market this was aiming for. This seems like a product made for the techno-clueless PHB types who just want to buy something off the shelf they can stick in their magic computer box and have it "just work," and who see that high a price on a simple 1-gig USB stick not as an obvious ripoff, but as a measure of how much good computer magic it must surely contain.

MOD PARENT UP. (1)

TapeCutter (624760) | more than 7 years ago | (#18717383)

Funny and insightful.

Re:TrueCrypt (1, Insightful)

SuseLover (996311) | more than 7 years ago | (#18717629)

I'm sorry, but secure encryption is a complicated subject and anyone who doesn't understand it should not rely on it to be secure. If you lack the basic skills to properly implement it then you have no business using it.

Re:TrueCrypt (1)

Rob T Firefly (844560) | more than 7 years ago | (#18717851)

Good point. However to continue along that line of thought, if you're in a position in which you want or need encryption, then you have no business lacking the basic skills to properly implement it. Take a class or read a book, the knowledge you gain will be immeasurably more useful than any magic box you buy off the shelf. The only other option is to get someone with the proper skills who you can trust to do it for you.

Re:TrueCrypt (0, Flamebait)

EnglishTim (9662) | more than 7 years ago | (#18717863)

What an idiotic statement.

Re:TrueCrypt (1)

sarathmenon (751376) | more than 7 years ago | (#18717229)

BTW, what is in this device that disallows me to dd if=/dev/sdb1 of=usb_bckp? I think the basic concept is flawed, there is no true security in a portable device that someone else can physically take away.

Re:TrueCrypt (1)

Lumpy (12016) | more than 7 years ago | (#18717289)

Unless the idiot executive uses his SOCIAL SECURITY NUMBER as his passphrase.

The biggest problem with non-technical people like CEOs, CFOs, CTOs and the like is they can not understand what you mean when you say "use a secure passphrase." They think their SSN is secure; it takes an amateur 20 minutes and $30.00 to get someone's SSN from one of the big databases by having a name and address or phone number. Most executives' info is based off of name + business name in these DBs.

They can not understand that their personal information is not secure and they really need to pick and memorize a secure phrase that someone can not guess. We missed a security audit 3 years ago because of executives using SSN, pet names, spouse names or even their car brand/make (like BMW725, or kompressor) for passphrases on secure files.

Re:TrueCrypt (0)

Anonymous Coward | more than 7 years ago | (#18717411)

What? I always use my SSN, my mom's or pet's name or my birthday, are you telling me those are not secure? I better change the password for my pr0n or my mom might catch me!

Re:TrueCrypt (1)

Opportunist (166417) | more than 7 years ago | (#18717757)

Security is always the minimum of the technical capabilities and the user capabilities. That's a given. Security is like a castle defending against an invader. It doesn't mean jack if one side is invincible if the other one is made out of plywood. All sides have to withstand the assault.

I know that there are ways to improve the technical side to the point where it can be trusted to be Fort Knox. The human factor is the limit, and if I knew a way to improve the human side of security, I'd be traveling from company to company as a consultant and make a million per year. You cannot teach those who don't want to listen, the best for security would be to eliminate managers from the system. The best for humanity would be to eliminate them from the genepool.

Re:TrueCrypt (1)

Library Spoff (582122) | more than 7 years ago | (#18717455)

Don't you need Admin Priv's for Truecrypt to run under windows?
Even the `portable` mode as far as I remember.

Re:TrueCrypt (1)

Opportunist (166417) | more than 7 years ago | (#18717867)

You say that like there's any manager in the world that doesn't insist in having admin privs on 'his' (company) PC...

Re:TrueCrypt (1)

wkk2 (808881) | more than 7 years ago | (#18717475)

I like TrueCrypt but having crypto tools marks you as a criminal in some localities. It would be nice if the desktop icon could be changed to something a little innocuous like a PDF or modem dialer.

TrueCrypt instead? (1)

DonCarlos (222830) | more than 7 years ago | (#18717147)

It's great to be grown up and still believe that in security aspects "unique technology" buzz does not simply smell bad. Real crypto is widely known. All can read how it works. But it still remains solid. Before you get hired by "European governments", ensure you won't get fooled. Ordinary USB stick and real, free crypto tools as TrueCrypt - that's what you shall consider using, instead of paying almost $200 for "unique technology".

This begs the question...... (4, Interesting)

8127972 (73495) | more than 7 years ago | (#18717161)

...... Since there are a ton of these products out there. Does any third party verify that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?

Re:This RAISES the question...... (5, Informative)

Xanni (29201) | more than 7 years ago | (#18717227)

http://begthequestion.info/ [begthequestion.info]

Re:This begs the question...... (2, Informative)

CowTipperGore (1081903) | more than 7 years ago | (#18717387)

First, it doesn't beg the question [wikipedia.org]. Please learn the proper use of the phrase.

Since there are a ton of these products out there. Does any third party verify that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?
According to TFA, the product was commissioned by the French government and is approved by the French intelligence service. It also is reportedly used in the defense and banking industries. One would hope that there would be some sort of verification by knowledgeable IT folks prior to approval by all these groups, but it appears that no one gave it a real examination.

Re:This begs the question...... (1)

Ruvim (889012) | more than 7 years ago | (#18717417)

Yes we are

Mod +1 erudite-sounding (3, Funny)

jpellino (202698) | more than 7 years ago | (#18717453)

mod -5 absent-the-day-they-covered-fallacies

Re:This begs the question...... (1)

Opportunist (166417) | more than 7 years ago | (#18717835)

There are actually such companies. But they have huge drawbacks that explain why so few makers of security devices go through the hassle.

1. They don't simply hand out their seal of approval like it's a "Vista compatible" sticker. They actually DO test your stuff.
2. They don't refrain from telling you if your product is actually flawed, and (what's worse), they don't even stay silent when you toss it on the market regardless.
3. Managers don't know jack about them, they don't care about security seals and listen to marketeers.

$175 for a flash drive? (1)

FlyByPC (841016) | more than 7 years ago | (#18717167)

Even if it had great security, why pay that much when software encryption is Free (and apparently a whole lot more reliable)?

Re:$175 for a flash drive? (1)

Opportunist (166417) | more than 7 years ago | (#18717783)

Because decisions like that aren't made by your tech crew but by some managers who usually have 2 things in mind when making those decisions:

1. This which doesn't cost anything has no value.
2. If there is no company behind it, we cannot sue anyone if it breaks (because we all know MS is close to bankruptcy because of those horrible lawsuits that follow their blunders).

Dumb design (4, Interesting)

binaryDigit (557647) | more than 7 years ago | (#18717181)

The whole thing is just stupid. Oh where to start ...

- self destruct, great, so if you want to destroy someone's data, just grab their memory stick and intentionally use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.

- No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.

- So smug in their design they don't even encrypt the data. Outstanding.

- Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?

Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.

Hey, I have a secure self destructing bridge to sell to ....

Re:Dumb design (1)

Quietust (205670) | more than 7 years ago | (#18717275)

A MS with a builtin self DOS.
MS-DOS? Now that would explain a few things...

Re:Dumb design (1)

TheJasper (1031512) | more than 7 years ago | (#18717439)

- self destruct, great, so if you want to destroy someone's data, just grab their memory stick and intentionally use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.

well, built in self destruct isn't so bad. It just shouldn't be the only place the data is stored (unless the point was transporting it to a secure location for storage). Sure it might make it easier for a malicious attack to destroy the data, however that might not weigh in against it being stolen.


Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.


Being Dutch this whole story doesn't surprise me at all. There were a couple of incidents with lost pc's/usb sticks. So a group of 'officials' get together to form a committee. This committee won't allow itself to be confused by knowledge of the subject matter or trivial things like that. After receiving the appropriate advice from companies with a vested interest they will obviously choose the least suitable solution. Unfortunately, in this whole incident someone forgot to do the exact opposite of what was advised. If that was sop when working with advice from committees imagine how much better the world would be.

Seriously though, I never expected the people who manage to leave critical defense/police investigation materials open to the public in so many different ways to come up with a good solution. SecuStick originally started out stealing candy from babies, but they found it easier to sell bogus solutions to the gov't.

It should have been obvious (3, Insightful)

hey! (33014) | more than 7 years ago | (#18717545)

When they are harping on the device's unique technology.

Unique and secure are mutually exclusive.

It is not possible, through a feat of sheer genius, to make something that is both novel and demonstrably secure. It turns out that genius isn't a particularly rare commodity. With 6.5 billion people in the world, there are 6,500 people who are walking around with one-in-a-million levels of intellect. Any one of those people, on a good day, can beat any other person on earth in a battle of wits. Any one of the millions of people with one-in-a-thousand intellects probably can, too.

Security is the one aspect of technology where state of the art is better than something which advances state of the art. State of the art means nobody has yet, even on the best day they've ever had, been able to beat it. We've seen some recent examples where very narrow vulnerabilities have been found in hashing algorithms, which has forced the state of the art to change slightly to favor drop in replacements. But by and large the state of the art has been remarkably stable over a long, long time. Anybody who claims to have something nobody else has probably has something worthless, if he has anything at all.

This is why product security is so bad. It's not possible to differentiate yourself based on security, without affecting other areas such as usability. There is considerable irony in this fact: a product that is carefully thought out and implemented using widely known techniques would have a good chance of being unique. The problem is selling the product. Lotus Notes is a good example. It has its strengths and weaknesses, but as of the early 90s it was the most secure email system in the world. In fact it still would be. But it wasn't the easiest to use or administer. Unfortunately their attempts to make the system more attractive were failures. It's never been more attractive than Exchange. But it's always been more secure.

Re:Dumb design (1)

CowTipperGore (1081903) | more than 7 years ago | (#18717605)

- self destruct, great, so if you want to destroy someone's data, just grab their memory stick and intentionally use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.
Actually, a real self-destruct process would be good - you don't seriously want the government keeping the only copy of their data on these memory sticks? Unfortunately, there is no self-destruct capability in the memory stick. Given the shoddy design in the rest of the product, my guess is that their version of destruction is to delete the files with software.

No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.
You don't even need to go that far. The design is so bad that you can hack it without removing the chip. It is a consumer-grade memory chip with some crappy software on it.

So smug in their design they don't even encrypt the data. Outstanding.
I'm not sure smug is even the appropriate word. I lean toward massive incompetence and ignorance. Their solution seems perfect to someone outside of the computer industry (and, no, I don't include salesmen, PHBs, or government employees) but displays a grotesque lack of understanding of basic data security and common hacking methods.

Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?
Unfortunately, stupidity and ignorance often are not solved by additional years on our planet. Just like the electronic voting implementations in the US, this displays the trademarks of a cheap and quick solution with no clue of basic safeguards and standards. And like Diebold, they made a killing by overstating the abilities of their commodity hardware and shitty custom software.

Encrypted data (1)

Stooshie (993666) | more than 7 years ago | (#18717209)

All your encrypted data are belong to us.

There's Your Problem (3, Funny)

organgtool (966989) | more than 7 years ago | (#18717239)

The developers of the Secustick are looking into the problem and they think that the issue is with their algorithm that encrypts the data into ASCII.

Re:There's Your Problem (4, Interesting)

vidarh (309115) | more than 7 years ago | (#18717423)

I worked for a company years ago where several of the engineers were seriously impressed when I showed them I could "break" their "base64 encryption" in realtime...

They had added it to close a previous security problem I'd pointed out with their product that stored an internal customer id in a cookie to grant access to a web app - problem was, the customer id's were allocated sequentially, so anyone brute-forcing it would get access to all their customer data in minutes, including the address books of the entire top management team.... base64 "encrypting" the customer id was supposed to prevent anyone from trying that trick again... I left that company pretty much as soon as I could..
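The cookie scheme described in the comment above, next to a form the client cannot alter, as an added example that is not from the thread or from the product it mentions. All function names, the key handling and the sample ids are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment loads it
# from a secrets store and rotates it.
SERVER_KEY = secrets.token_bytes(32)


def weak_cookie(customer_id: int) -> str:
    """The scheme from the comment: base64 of a sequential id. Encoding only."""
    return base64.b64encode(str(customer_id).encode()).decode()


def weak_cookie_owner(cookie: str) -> int:
    """Server side of the weak scheme: trusts whatever id decodes."""
    return int(base64.b64decode(cookie).decode())


def signed_cookie(customer_id: int, key: bytes = SERVER_KEY) -> str:
    """Hardened form: id plus an HMAC-SHA256 tag the client cannot compute."""
    payload = str(customer_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def signed_cookie_owner(cookie: str, key: bytes = SERVER_KEY):
    """Return the customer id, or None if the cookie is malformed or altered."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        customer_id = int(payload.decode())
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return customer_id
```

The tag gives integrity only: the id is still readable by the client, so nothing secret belongs in the payload.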

"Secure" Digital Already Cracked? (1)

Doc Ruby (173196) | more than 7 years ago | (#18717283)

Is the DRM built into SD/SDIO ("Secure Digital") HW already cracked?

Security through obscurity? (1, Interesting)

farker haiku (883529) | more than 7 years ago | (#18717297)

Instead of low level commands such as SendToStick(), we could see routines such as GetWriteProtectState(), RefreshFileBrowser(), and the most significant one, VerifyPassWord().

Screenshot of debugging windows [tweakers.net]

Obviously, this routine caught most of our attention. We used the debugger to study it, and found that its result was passed to the main program using an EAX register. The debugger allowed us to place a breakpoint immediately after the call to VerifyPassWord(), upon which we entered a fictional password and changed the return value 0 in the register to 1.


Tell me again why we as Software Engineers are supposed to use descriptive method and variable names? Sure, it may be useful during testing/building/debugging/etc; nobody will argue that. However, if your "secure" product can be easily hacked due to the fact that you use descriptive class/variable/method names, maybe the practice should be reviewed.

Now in this particular case, there were other flaws with the design (all verification happening on the pc?!?) What happened here though is that the hackers were looking for a place to start by looking through a debugger. During that exploration they discovered a gaping security hole. I'm not saying that they wouldn't have found the design flaw to begin with -- I have no doubt that they would have. But maybe we should look to the security through obscurity methodology as an additional layer of protection.

Re:Security through obscurity? (2, Informative)

am 2k (217885) | more than 7 years ago | (#18717427)

Not shipping with debug symbols is important, looks like just that happened here. It also reduces the file size greatly.

Those devs are very clueless.

Re:Security through obscurity? (2, Informative)

mark0 (750639) | more than 7 years ago | (#18717449)

Tell me again why we as Software Engineers are supposed to use descriptive method and variable names?

So you can maintain the other SE's crappy code.

But maybe we should look to the security through obscurity methodology as an additional layer of protection.

That's what obfuscators are for.

Re:Security through obscurity? (2, Insightful)

lexarius (560925) | more than 7 years ago | (#18717511)

Shouldn't stripping the debugger symbols from the executable be sufficient? The problem is that people don't give up that easily. Having everything obviously labeled made the job quicker, but not having those won't stop a sufficiently skilled/bored hacker.

Re:Security through obscurity? (0)

Anonymous Coward | more than 7 years ago | (#18717641)

They would have found it anyway; it would only have taken them longer. The real problem is that the data aren't encrypted. If the data were encrypted with a good, proven to be secure scheme it would not have made a damn bit of difference whether they were able to gain access to the storage device.

Re:Security through obscurity? (1)

carpe_noctem (457178) | more than 7 years ago | (#18717665)

Tell me again why we as Software Engineers are supposed to use descriptive method and variable names? Sure, it may be useful during testing/building/debugging/etc; nobody will argue that. However, if your "secure" product can be easily hacked due to the fact that you use descriptive class/variable/method names, maybe the practice should be reviewed.

We're supposed to use descriptive variable names because when you're working with a team of people, it's more apparent to your teammates what a method called VerifyPassWord() will do instead of, say, Ooeuk436snthk().

That being said, don't blame their engineering process. They should have just used a code obfuscator before deployment.

Re:Security through obscurity? (1, Informative)

Anonymous Coward | more than 7 years ago | (#18717765)

If you read the article, the functions you mention are in the DLL. Now I could be wrong, but when you use a DLL there aren't any automatic obfuscation tools, nor can you simply turn off debug. A DLL must export function names so that the operating system knows what the memory address for them is. I'm not sure about Linux (I imagine it's the exact same thing), but under Windows, C compilers put the function name in the source into the DLL (C++ puts a mangled name in). So the only way they could have hidden that would have been to actually change the source code so the functions were called Function1, Function2, etc. No one wants to maintain code like that. As the article said, it would have been better if the DLL simply provided an abstract layer for the program to communicate with the controller which would perform all the verification, protection, etc. Also, the Flash memory should not have had the ability to be write-protected by a simple wire - everything should have gone through the controller (and encrypted as well).

Re:Security through obscurity? (1)

DaleGlass (1068434) | more than 7 years ago | (#18717781)

That won't help, in the end it's still the software that tells the USB key to unlock itself, and if you lose it you're screwed in any case, as the attacker's computer is under their full control. Any and all obfuscation can be broken given enough time.

There's only one good way of making this safe: Encrypt the data on the drive. But that makes the "protected memory stick" idea really pointless. AFAIK, there's no standard way of sending a password to a USB key. Since you're going to need special drivers for the thing anyway, it means that doing encryption in hardware inside the key would be pointless as doing it in software would be just as good.

So just use TrueCrypt and be done with it. Much safer, and a lot cheaper.

A surprise and a non-surprise. (5, Insightful)

eddy (18759) | more than 7 years ago | (#18717319)

No surprise that the security is non-existent, but a nice surprise that tweakers.net[0] have people skilled enough to do a thorough technical review. Tip-of-the-Hat to the reviewers and keep the good work up. Anyone can run 3D benchmarks and make graphs against the previous generation, but this requires a different level of technical know-how. It's always been my hope that the future would feature this type of review, using reverse-engineering techniques for in-depth technical reviews, as a norm not an exception.

[0] No disrespect to the people of tweakers.net, I mean in the sense of 'any popular review site'.

nothing new here... (0)

Anonymous Coward | more than 7 years ago | (#18717321)

I used the same method on ZX81 or C64 or Amiga or PC to "crack" hundreds of apps/games...
In general it is always as easy as to change a "compare" to a "move" or change a "jump" to a "nop" etc, one or two bytes change and that's it.
(maybe there is also a CRC check but it can be defeated in the same way, changing a 0 by a 1, or just by recalculating it, etc)

GnuPG. GnuPG. GnuPG. (1)

Just Some Guy (3352) | more than 7 years ago | (#18717357)

I trust exactly one encryption product: GnuPG. It's had its pucker moments, such as the El Gamal signing key problem (IIRC - and I'm too lazy to look it up right now), but those problems get fixed and we move on. Given the choice of whether to trust a little hardware gimmick or a piece of Free Software that millions of people use, even if they don't realize it, I'll stick with the code. If/when problems arise, I believe that its developers will look out for my interests and not their bottom line.

Having said that, I do respect this company's acknowledgment of the issue. If I had to trust something like this, I'd seriously consider their products because of it. Still, one smallish company isn't going to have the resources of the Open Source community when it comes to development and testing.

French intelligence (2, Funny)

stnf (982894) | more than 7 years ago | (#18717379)

So French intelligence really IS an oxymoron. Go figure.

Yet another reason (1)

Ant P. (974313) | more than 7 years ago | (#18717415)

to not trust closed-source software for anything security-related. And the EU as well.

Surprising? (0)

Anonymous Coward | more than 7 years ago | (#18717435)

"The stick was commissioned by the French government and - according to the company's press release - the result is revolutionary, ultra safe and approved by the French intelligence service."

French, the country which is famous for being so technologically advanced.

Re:Surprising? (1)

meringuoid (568297) | more than 7 years ago | (#18717703)

French, the country which is famous for being so technologically advanced.

Get on a train and say that.

Everyone should know (1)

artoo (11319) | more than 7 years ago | (#18717479)

The only way this could possibly work would be to plug it into the SecuBus, which would quickly drain all data and render it useless.

Validation/Verification of Security (1, Insightful)

mykepredko (40154) | more than 7 years ago | (#18717549)

Sorry, I don't have the time to research the device, but what kind of testing/validation of this product was done? If this was for a government originally, shouldn't it have to have demonstrated some kind of hacker proof level of security? What was on the package was it marketing hype ("Protects your data from targeted attacks" which means nothing) or an indication that some kind of testing was done (ie "Meets MIL-1234 requirements for data security")?

It looks like that for $175, you get a 1GByte USB key, with a Windows access program on the Flash in a non-protected partition and a pretty box.

From the description it sounds like the product was just marketing razzamatazz with no real substance to back up marketing claims - so why would somebody have bought it in the first place?

myke

write protect (0)

Anonymous Coward | more than 7 years ago | (#18717553)

Write protect on a USB stick is much more useful than just another proprietary crypto software solution.

Too bad that only few current usb sticks have it.

It's absolutely necessary if you have to insert it into untrusted computers (especially Windows PCs).

Oblig. (0)

Anonymous Coward | more than 7 years ago | (#18717559)

Due to its unique technology it has the ability to destroy itself once an incorrect password is entered

Powered by Sony, then?

Your mission, if you choose to accept it.... (1)

Grashnak (1003791) | more than 7 years ago | (#18717573)

'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.'
"This stick will self-destruct in 10 seconds." Great, I can see people weeping and tearing their clothes after losing their novel because the caps lock key was on... Seriously though, how many people have data so sensitive that it requires a piece of hardware to self-destruct (destroying the data itself) because of one wrong password entry?

DUH! (1)

Opportunist (166417) | more than 7 years ago | (#18717601)

The password wasn't even used as the base for the crypt key, it was just matched against the stored passphrase and the result set a bit, then checked and depending on the outcome the program decrypted the content by a predefined algo. Hello? That was outdated before I started learning Assembler! All it takes to break that is a kid with Olly lying 'round on his HD. Soldering? Why the hassle when you can rip the data far easier.

Whether they fix that stick or not, after showing just how much clue they got about security, I wouldn't trust them to do a ROT13 reliably. I mean, what base do they sell their crap on? Hope that the customer is even more clueless, buying into your spin as long as you stamp a huge "secure and self destructive" on the box?

God, I'm angry. It's hypecrap like that that makes the whole industry look bad.
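The difference the comment above describes, between matching a stored passphrase to set a pass/fail bit and using the password as the basis for the key, as an added example that is not from the thread or from the Secustick software. The class names, the fixed key and the sample data are constructed for the illustration, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

ROUNDS = 200_000  # PBKDF2 work factor; an assumption for this example


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (AES-GCM)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CheckThenUnlock:
    """Design from the comment: stored passphrase, fixed key, one pass/fail bit."""
    FIXED_KEY = b"constructed-fixed-device-key"  # same on every unit

    def __init__(self, password: str, data: bytes):
        self.stored = password
        self.nonce = secrets.token_bytes(16)
        self.ct = xor(data, keystream(self.FIXED_KEY, self.nonce, len(data)))

    def verify(self, attempt: str) -> bool:
        return hmac.compare_digest(attempt.encode(), self.stored.encode())

    def read(self, verified: bool):
        # The password plays no part here: only the bit decides.
        if not verified:
            return None
        return xor(self.ct, keystream(self.FIXED_KEY, self.nonce, len(self.ct)))


class KeyFromPassword:
    """Hardened form: the key is derived from the password, nothing to compare."""

    def __init__(self, password: str, data: bytes):
        self.salt, self.nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        enc, mac = self._keys(password)
        self.ct = xor(data, keystream(enc, self.nonce, len(data)))
        self.tag = hmac.new(mac, self.nonce + self.ct, hashlib.sha256).digest()

    def _keys(self, password: str):
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ROUNDS, dklen=64)
        return k[:32], k[32:]

    def read(self, attempt: str, skip_tag_check: bool = False):
        enc, mac = self._keys(attempt)
        tag = hmac.new(mac, self.nonce + self.ct, hashlib.sha256).digest()
        if not skip_tag_check and not hmac.compare_digest(tag, self.tag):
            return None
        # With a wrong password this yields unrelated bytes even if the
        # check above is bypassed, because the key itself is wrong.
        return xor(self.ct, keystream(enc, self.nonce, len(self.ct)))
```

In the first class, whoever controls the value passed to `read()` controls access; in the second, skipping the check with a wrong password returns bytes that are not the data.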

Lexar USB stick security was broken by @stake (1)

weld (4477) | more than 7 years ago | (#18717685)

Lexar Discussion: http://www.securityfocus.com/bid/11162/discuss [securityfocus.com]
This was also on slashdot: http://slashdot.org/article.pl?sid=04/09/14/185523 2 [slashdot.org]

I wouldn't trust USB stick security unless there was a 3rd party assessment of the security from a reputable security firm and that assessment was published. Customers need to start demanding this. What track record do these companies have on security?

The bad thing about hardware is how do you patch the security hole? All hardware these days should have the ability to do a USB firmware upgrade. These devices have a USB port built in already but can't be upgraded.

What? They're not suing? (2, Interesting)

Fantastic Lad (198284) | more than 7 years ago | (#18717707)

So. . , is Secustick a business filled with a large number of morally-abled people, or does Tweakers.net simply hold enough clout to swing the public perception balance between, "Lone Hacker Finds Flaw = Sue Him!" and, "Responsible News Agency Discovers Faulty Product = Retract Immediately While Covering Tracks With Slick PR Weasels!"?

I am also curious. . . What does the law in the Netherlands say regarding corporate mandates? Are Dutch corps allowed to put other things ahead of generating profit for shareholders?


-FL

English translation of site is still online... (1, Informative)

Anonymous Coward | more than 7 years ago | (#18717723)

Note this sentence in the second paragraph (2, Interesting)

jimicus (737525) | more than 7 years ago | (#18717777)

the result is revolutionary, ultra safe and approved by the French intelligence service.

I think that says quite a lot for the French intelligence service. Unless they wanted an insecure device to be marketed as secure.... black helicopters at the ready.

Unfortunate (1)

madsheep (984404) | more than 7 years ago | (#18717807)

Well this is unfortunate, but there are alternatives. The two that come to mind are the Lexar Secure II JumpDrive and the Kanguru MicroDrive. Both use AES for their encryption algorithm, but the Kanguru one has been FIPS 140-2 certified. I believe this was previously mentioned here on Slashdot (too lazy to look it up). Either one of these would probably be more than enough to replace the aforementioned drive.

Someone also referenced above about @stake finding an issue with the way passwords were stored on a Lexar drive. The link is ~3 years old and I believe they have definitely remedied that issue.

Stupid is as stupid does (3, Insightful)

mlwmohawk (801821) | more than 7 years ago | (#18717809)

Like other posters, I am at a loss at where to start.

(1) If you don't have encryption, GOOD ENCRYPTION, you can't protect squat.
(2) "Self Destruct" is interesting, but unless you have a custom micro-controller on the ram stick, AND an independent power supply, AND the device potted in epoxy, it is all just a made for TV gimmick.
(3) Password.exe? I didn't see this in the article, but what happens if one plugs it into a Mac, Linux, FreeBSD, etc? Does it just work or does it self destruct?
(4) With reference to #2, since the article showed that one could make the device read-only, would self-destruct no longer work? If so, it MUST be potted in epoxy.
(5) Does the "self destruct" operate on the PC or the ram stick? We all know if it runs on the PC, it is doomed to fail.

If they want to REALLY do this:

(1) before everything, encrypt the data. This buys the device time to operate and basic security.
(2) Install a PIC or something that MUST have an encoded heart beat with some sort of hard to reproduce calculated byte pattern.
(3) Without a valid heart beat, the PIC will simply not enable the flash device.
(4) With a valid heart beat, the system must pass a valid password hash string within a reasonable amount of time to the PIC, or the data will be destroyed.
(5) After a number of failed attempts, the PIC will destroy the data.
(6) When the heart beat stops, the PIC disables the flash. (It is presumed that the software clears the file system cache as well.)
(7) Pot the damned device in epoxy.
