I have written about really stupid USB security more than once but this has got to be the absolutely stupidest thing ever (or if you're the guy selling it I guess it is pure brilliance). The previous USB security measures I wrote about claimed to be one thing and turned out to be another, like using XOR when you claim to be using AES or just not using anything at all. In this case however there are no extravagant claims, just a simple combination lock to physically lock your USB drive. A combination lock with only three digits, a combination lock that a three year old could probably open inside of five minutes. Granted this thing only costs $7 but just how rock hard stupid do you have to be to use something like this even if it was free?
I’m still busy recovering from the excellent Source Boston conference and I will post a recap soon but I wanted to get this out there.
Last week I wrote about RFID enabled external hard drives that supposedly offered secure encryption of your data that turned out to be simple XOR. Well now USB thumb drives with integrated fingerprint readers have been found to be just as much Snake Oil. Heise Security has reviewed several of the devices and has found it very easy to bypass the security of all of them. Companies that make crap like this should be found criminally responsible for fraud.
People see biometrics and automatically think they are secure, same thing when they see the word ‘encryption’. Your fingerprint is not a secret, you leave thousands of copies lying around every day. In addition, once an attacker has physical access to the device your security will be compromised, fingerprint or not.
Oh, and I hope everyone had fun on Pi Day yesterday.
Think that cool USB thumb drive you just bought with the word ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security at all, or they use AES in ECB mode (which is worthless), or they claim their security is ‘proprietary’ (i.e. snake oil).
Once again I have to ask how the end user is supposed to know this. Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.
When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure, I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their PINs. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.
Here is some advice you can use, at least here in the US: don’t trust those card swipe and PIN entry machines at the checkout counter. Most debit cards from US banks will also work as a VISA or MasterCard. If you're at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.
I don’t have time for all of the stupidity out there but this is just too stupid to let pass by. Easy Nova, a German company that makes a variety of computer storage accessories, recently released a hard drive case with hardware data encryption using 128-bit AES and access control via an RFID chip, which on the surface sounds really really cool. Portable secure data, what more could you ask for? As it turns out you still need to ask for it to be secure, because according to Heise Online and c’t Magazine, despite the claims of AES hardware encryption the product actually uses XOR encryption to write your data! Evidently the AES is only used to encrypt the RFID signal between the drive and the key fob. AES for the RFID chip but XOR for the data? I mean WTF! How about some truth in labeling. I suppose we should be happy they didn’t use double XOR.
This is yet another example of a security product that isn’t secure. How is the consumer supposed to know? Not everyone has diagnostic labs and forensic tools at their disposal to test each and every product they buy for security. I’ve mentioned the formation of a Cyber UL before and clearly it is sorely needed.