Cracked USB drives show NIST certification is not so secure

06 January 2010

Vendors of encrypted USB drives are recalling their NIST-certified products and issuing security updates after a fundamental flaw was found in the way that information is accessed. The flaw enables attackers to access encrypted data without trying to tackle the AES256 encryption algorithm used by the drives.

The H reports that experts from German penetration testing company SYSS discovered a flaw in the way that the Windows-based password entry program accesses the encrypted USB drives. They found that the Windows software always sends the same character string to the drive to gain access to the data, regardless of the password that is used. It was therefore relatively simple to alter the program so that it sends that character string, and so gains access to the encrypted data, regardless of which password was entered.
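The design flaw described above, modelled in Python beside a device-side alternative. This is an added example, not code from the researchers or any vendor; the class names, the placeholder unlock string and the PBKDF2-plus-XOR key wrap in the second class are assumptions made for illustration.

```python
import hashlib, hmac, os

FIXED_UNLOCK = b"constructed-fixed-unlock-string"  # placeholder, not a real vendor value

class FlawedDrive:
    """Device trusts the host: one constant string unlocks it for every user."""
    def __init__(self, data):
        self._data, self.unlocked = data, False
    def command(self, blob):
        self.unlocked = hmac.compare_digest(blob, FIXED_UNLOCK)
        return self.unlocked
    def read(self):
        return self._data if self.unlocked else None

def flawed_host_login(drive, entered, stored_pw_hash):
    """Host-side check: the password never influences what the device receives."""
    if hmac.compare_digest(hashlib.sha256(entered).digest(), stored_pw_hash):
        return drive.command(FIXED_UNLOCK)
    return False

class HardenedDrive:
    """Device-side check: the data key is wrapped under a password-derived key."""
    def __init__(self, data, password):
        self._salt = os.urandom(16)
        data_key = os.urandom(32)
        self._tag = hashlib.sha256(data_key).digest()   # lets the device verify an unwrap
        # XOR stands in for a real key-wrap algorithm (assumption for brevity)
        self._wrapped = self._xor(data_key, self._kek(password))
        self._data, self.unlocked = data, False
    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))
    def command(self, password):
        candidate = self._xor(self._wrapped, self._kek(password))
        self.unlocked = hmac.compare_digest(hashlib.sha256(candidate).digest(), self._tag)
        return self.unlocked
    def read(self):
        return self._data if self.unlocked else None

def audit(drive, inputs):
    """Return every input in `inputs` that the device itself accepts."""
    return [i for i in inputs if drive.command(i)]
```

In the first model the password is checked only by the host program, so the device accepts the constant from any sender; in the second, nothing the host sends unlocks the device unless it was derived from the correct password.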

The news has caused a panic among drive vendors. Kingston issued a recall for its DataTraveler BlackBox, Secure, and Elite ranges of encrypted USB drives, although the company said that several of its other drives were not affected.

Verbatim chose not to recall its encrypted drives, but instead provided a software update to fix the problem. "This issue is only applicable to the application running on the host system," the company noted. "It does not apply to the device hardware."

SanDisk indicated the same thing, providing a software patch for its encrypted device access mechanism. The flaw affects 16 of its encrypted drive SKUs, it said.

All of these encrypted drives were issued with a FIPS 140-2 Level 2 certificate by the National Institute of Standards and Technology in the US. This enables them to be used to store sensitive government data.
