Archive

Archive for the ‘Encryption’ Category

“Cheap” Secure USB Sticks, you get what you pay for?

January 6, 2010 5 comments

Recently a whole slew of news sites announced a newly discovered vulnerability (care of the German Security firm SySS) on a range of “supposedly” secure consumer USB sticks.

These models from SanDisk, Kingston and Verbatim were apparently easy to defeat and retrieve the data from without knowing the users password or having any prior knowledge or touch on the stick.

The exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, ALL sticks use the same auth key. By simply sending this known ack key to the stick, you can unlock it, or any other stick.

Interestingly, some of these insecure devices had been through FIPS 140-2 Level 2 security certification, so should really have been immune to this kind of attack.

Read more…

Advertisements

Evil Maid, another nefarious trojan attack..

November 17, 2009 2 comments

Last month Joanna Rutkowska posted a very interesting article showing a practical “Evil Maid” attack against the open-source TrueCrypt FDE product.  The attack is reasonably simple, subvert the pre-boot authentication engine of the full-disk encryption product in question to add a password-sniffing routine, then wait for the unsuspecting user to authenticate to their machine and then retrieve the credentials at a later stage.

Evil Maid is simply hooking the pre-boot code of TrueCrypt and adding a routine to store the users password. Because the TrueCrypt code is quite simple, it’s a relatively easy thing to do, but the attack is theoretically valid regardless of this fact, just the effort to make the hook code increases with the sophistication of the pre-boot environment. Read more…