Vulnerability in Some Secure USB Sticks

Recently a slew of news sites announced a newly discovered vulnerability (care of the German security firm SySS) on a range of supposedly “secure” consumer USB sticks. With the right tools and know-how, these models from SanDisk, Kingston and Verbatim were apparently easy to defeat and retrieve the data from without knowing the user’s password. Of course, the biggest threat to data on unencrypted USB devices is from device loss or theft.

Going back to the vulnerability, the exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, all sticks use the same authentication key. By simply sending this known key to the stick, you can unlock it, or any other stick. Interestingly, some of these insecure devices had been through Level 2 security certification, so they should have been immune to this kind of attack.

Affected device models include:

This issue shows a classic design problem – software-based password validation. The big mistake here in the design was not making a strong link between the password entered by the user and the cryptographic key on the stick itself.

If the programmers had set a unique key on the stick when the user set their password, the SySS attack would never have worked. Because they just used the password as a validation (effectively giving an entropy of 1 bit), they allowed SySS to bypass this whole “Is the password correct – Yes/No?” routine.
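The design difference described above, modelled as an added example (not code from SySS, the vendors or the original post): a host-side yes/no check that gates one constant unlock token, beside a stick whose key is derived from the password on the device. The token value, class names and retry limit are assumptions, and XOR stands in for a real key-wrap algorithm.

```python
import hashlib, hmac, os

FIXED_TOKEN = b"constructed-token-shared-by-all-sticks"  # constructed placeholder

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class FlawedStick:
    """Firmware unlocks for any host that sends the fixed token."""
    def __init__(self, data: bytes):
        self._data = data
    def unlock(self, token: bytes):
        return self._data if hmac.compare_digest(token, FIXED_TOKEN) else None

class FlawedHostTool:
    """Password is checked on the PC; the outcome is a yes/no gating one constant."""
    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = kdf(password, self._salt)
    def open(self, stick: FlawedStick, password: str):
        if not hmac.compare_digest(kdf(password, self._salt), self._hash):
            return None
        return stick.unlock(FIXED_TOKEN)  # same message whatever the password was

class BoundStick:
    """Firmware derives a key from the password and unwraps a per-stick data key."""
    MAX_TRIES = 5  # assumption: retry limit, not described on the page
    def __init__(self, password: str, data: bytes):
        self._data, self._salt, self._tries = data, os.urandom(16), 0
        dek = os.urandom(32)  # data key, unique to this stick
        self._check = hashlib.sha256(dek).digest()
        # XOR is a stand-in for a real key-wrap algorithm (keeps the model stdlib-only)
        self._wrapped = bytes(a ^ b for a, b in zip(dek, kdf(password, self._salt)))
    def unlock(self, password: str):
        if self._tries >= self.MAX_TRIES:
            return None  # locked out after repeated failures
        dek = bytes(a ^ b for a, b in zip(self._wrapped, kdf(password, self._salt)))
        if not hmac.compare_digest(hashlib.sha256(dek).digest(), self._check):
            self._tries += 1
            return None
        self._tries = 0
        return self._data  # a real device would decrypt the partition with dek

def demo():
    flawed, tool = FlawedStick(b"constructed data"), FlawedHostTool("hunter2")
    bound = BoundStick("hunter2", b"constructed data")
    return (tool.open(flawed, "guess"), flawed.unlock(FIXED_TOKEN),
            bound.unlock("guess"), bound.unlock("hunter2"))
```

In the flawed pair the password never reaches the stick, so the stick cannot tell the vendor tool from any other sender; in the bound design there is no password-independent message that opens the device.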

As for the McAfee supplied sticks, our Zero Footprint sticks and hard disks are fully protected from this attack. The exact models are:

  • McAfee Encrypted USB Standard (v.2)
  • McAfee Encrypted USB Zero-Footprint
  • McAfee Encrypted USB Bio
  • McAfee Encrypted USB Hard Disk

These devices do in-hardware validation of the user’s credentials; the only thing the software does is send them over. If the stick does not agree that your password is correct, it simply won’t unlock the protected partition. No amount of snooping will help you bypass the protection.

These sticks are made by MXI, and are amongst the most secure on the market. The McAfee devices have been through validations such as FIPS-140, and also through several rounds of penetration testing by several international companies.

The EUSB 1.2 supported SanDisk models (those connected to and managed by ePolicy Orchestrator) already have the patched firmware on them. They are not subject to this flaw either.

However, I must say if you bought stand-alone SanDisk sticks with McAfee AV from McAfee last year, you would have the same basic SanDisk USB device that you could buy at retail, plus the McAfee anti-virus software. In this case, the SanDisk USB stick will require the SanDisk patch (which is available now from SanDisk directly) to fix the vulnerability mentioned above. No changes are needed to the McAfee anti-virus software installed on the device.

