Vulnerability in Some Secure USB Sticks
Recently a slew of news sites announced a newly discovered vulnerability (courtesy of the German security firm SySS) on a range of supposedly “secure” consumer USB sticks. With the right tools and know-how, these models from SanDisk, Kingston and Verbatim were apparently easy to defeat and retrieve the data from without knowing the user’s password. Of course, the biggest threat to data on unencrypted USB devices is from device loss or theft.
Going back to the vulnerability, the exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, all sticks use the same authentication key. By simply sending this known key to the stick, you can unlock it, or any other stick. Interestingly, some of these insecure devices had been through Level 2 security certification, so they should have been immune to this kind of attack.
Affected device models include:
This issue shows a classic design problem – software-based password validation. The big mistake here in the design was not making a strong link between the password entered by the user and the cryptographic key on the stick itself.
If the programmers had set a unique key on the stick when the user set their password, the SySS attack would never have worked. Because they just used the password as a validation (effectively giving an entropy of 1 bit), they allowed SySS to bypass this whole “Is the password correct – Yes/No?” routine.
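The two designs contrasted above can be modelled side by side. This is an added example, not code from SySS, McAfee or any stick vendor: the class names, the `FIXED_UNLOCK` value and the sample data are constructed, PBKDF2 is an assumed choice of key derivation, and the XOR keystream is a toy stand-in for the hardware cipher.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the fixed "unlock" value the page describes;
# it is not a real key from any product.
FIXED_UNLOCK = b"SAME-VALUE-ON-EVERY-STICK"

class WeakStick:
    """Host software checks the password; the stick only sees a constant."""
    def __init__(self, secret_data):
        self._data = secret_data

    def unlock(self, token):
        # The password never reaches the stick, only a yes/no signal.
        return self._data if hmac.compare_digest(token, FIXED_UNLOCK) else None

class BoundStick:
    """Stick derives its key from the password; no constant unlocks it."""
    def __init__(self, password, secret_data):
        self._salt = os.urandom(16)  # unique per device
        key = self._derive(password)
        self._check = hmac.new(key, b"verify", hashlib.sha256).digest()
        self._blob = self._xor(key, secret_data)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    @staticmethod
    def _xor(key, data):
        # Toy keystream for the demo only; a real device would use AES.
        stream = hashlib.shake_256(key).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def unlock(self, password):
        key = self._derive(password)
        tag = hmac.new(key, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            return None
        return self._xor(key, self._blob)

def demo():
    weak = WeakStick(b"payroll.xlsx")
    bound = BoundStick(b"correct horse", b"payroll.xlsx")
    return (
        weak.unlock(FIXED_UNLOCK),       # opens without any password
        bound.unlock(b"wrong guess"),    # None: no key can be derived
        bound.unlock(b"correct horse"),  # opens only with the password
    )
```

In the bound design the stored data is only recoverable through a key that depends on the full password, so there is no single yes/no decision on the host to skip.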
As for the McAfee-supplied sticks, our Zero Footprint sticks and hard disks are fully protected from this attack. The exact models are:
- McAfee Encrypted USB Standard (v.2)
- McAfee Encrypted USB Zero-Footprint
- McAfee Encrypted USB Bio
- McAfee Encrypted USB Hard Disk
These devices do in-hardware validation of the user's credentials; the only thing the software does is send them over. If the stick does not agree that your password is correct, it simply won’t unlock the protected partition. No amount of snooping will help you bypass the protection.
These sticks are made by MXI, and are amongst the most secure on the market. The McAfee devices have been through validations such as FIPS-140, and also through several rounds of penetration testing by several international companies.
The EUSB 1.2 supported SanDisk models (those connected to and managed by ePolicy Orchestrator) already have the patched firmware on them. They are not subject to this flaw either.
However, I must say if you bought standalone SanDisk sticks with McAfee AV from McAfee last year, you would have the same basic SanDisk USB device that you could buy at retail, plus the McAfee anti-virus software. In this case, the SanDisk USB stick will require the SanDisk patch (which is available now from SanDisk directly) to fix the vulnerability mentioned above. No changes are needed to the McAfee anti-virus software installed on the device.