XOR story RELOADED

Security firm SySS reports what looks to me like yet another XOR story, in the sense of a false sense of security.

An article on H-Security reports a serious weakness in several secure USB flash drives certified to FIPS 140-2 Level 2:

During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.

The response from the affected vendors was mixed: some recalled the affected products, some issued a security bulletin.
I wonder how many end users will ever hear of that bulletin. What's worse is that the weakness did not involve breaking any cryptography at all, which puts these super-secure drives within reach of a trivial attack.

I also wonder how long this will go on: rushing a product to market with a known-weak or poorly designed security scheme, boasting about super-secure powers and super-secure algorithms (which the poor design will eventually render useless), hoping that no one notices, responding quietly when someone discovers the flaw, and, as a last resort, threatening legal action against whoever found the flaw in the first place.

As I have said many times: security through obscurity DOES NOT work. It helps no one except the vendor, who gets away with a poorly designed product for a while.

‘unhackable’ netbook network

“The appearance of safety was mistaken for safety itself.” (Walter Lord)

It seems reasonable to me that the prefix UN- should be banned from the world of computing and from technology in general.
We already have several examples of UN-things:
RMS Titanic (the unsinkable ship)
the Enigma machine (the unbreakable cipher)
so why not carry on with the 'unhackable' netbook network?
“There was no way we could do any of this on XP,” he said. “Windows 7 nailed it for us.”
OMG

Another sad XOR story: Tornado plus from Alutek

Tom Olzak from TechRepublic.com reports another sad XOR story.

While independent confirmation would be needed, it seems that the Tornado Plus from Alutek presents us with another bad XOR story: poor cryptographic knowledge and a product aimed squarely at clueless home users. Tom says they used XOR encryption for real!

OMG. More snake oil for everyone…

USB sticks and cards with fingerprint readers: another Sad XOR story

Heise-online.co.uk is reporting another sad, sad, sad XOR story. It seems that some biometric USB pen drives rely on the PC-side software to unlock the protected partition, instead of doing the check inside the controller itself.

“…the controller on the stick does not decide whether to provide access to the partition; the software running on Windows does. “

It seems that a simple open-source SCSI pass-through utility, PLscsi, will unlock the protected partition, with no need for superglue-and-latex fingerprint forgery.

“…You do not need to use superglue and latex to forge fingerprints if you want to access the data “protected” on these sticks from **** and ****

and finally:

“Conclusion: The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. “
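The SySS finding above and the heise finding here are the same architectural mistake, so here is one added example covering both. It is my own illustrative model in Python, not the vendors' firmware, the SySS code, or anything from the heise article. `TokenDrive` is a controller that unlocks when the host sends a fixed token, with all password checking done in the PC software, so anything that talks to the device directly (the way PLscsi talks SCSI) can skip the check entirely. `ChallengeDrive` puts the secret and the decision in the controller with a nonce-based challenge-response. The token value, the PBKDF2 parameters, the class names and the sample password are assumptions made for the demonstration.

```python
# Added example, not the vendors' firmware or the SySS/heise code: a toy model of a
# drive whose controller trusts the host to have checked the password, beside a
# controller that does the check itself. All values and names are assumptions.
import hashlib
import hmac
import os

# Hypothetical fixed unlock string the host software sends after its local
# password check (constructed value, not any real product's).
UNLOCK_TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")


class TokenDrive:
    """Flawed design: the controller only compares a constant token."""

    def __init__(self):
        self.unlocked = False

    def unlock(self, token: bytes) -> bool:
        # Same string for every device and every password: whoever has seen it
        # once (USB sniffer, debugger, disassembly) can send it again.
        self.unlocked = hmac.compare_digest(token, UNLOCK_TOKEN)
        return self.unlocked


class TokenHostSoftware:
    """Host application: verifies the password on the PC, then sends the constant."""

    def __init__(self, password: str):
        self._pw_digest = hashlib.sha256(password.encode()).digest()

    def login(self, drive: TokenDrive, password: str) -> bool:
        offered = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(offered, self._pw_digest):
            return False
        return drive.unlock(UNLOCK_TOKEN)


def replay_without_password(drive: TokenDrive) -> bool:
    """Talk to the device directly (as a SCSI pass-through tool would) and skip the host."""
    return drive.unlock(UNLOCK_TOKEN)


def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption for the demo, not a vendor's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class ChallengeDrive:
    """Sound design: the secret and the decision both live in the controller."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self._key = derive_key(password, self.salt)  # never leaves the controller
        self._nonce = None
        self.unlocked = False

    def challenge(self):
        """Return (salt, fresh nonce); the host must answer with HMAC(key, nonce)."""
        self._nonce = os.urandom(16)
        return self.salt, self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # one shot: an old response cannot be replayed
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked


def challenge_login(drive: ChallengeDrive, password: str):
    """Host side of the sound design. Returns (unlocked, response) so the
    response can be fed back in to show that replaying it fails."""
    salt, nonce = drive.challenge()
    response = hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()
    return drive.unlock(response), response


if __name__ == "__main__":
    host = TokenHostSoftware("correct horse")
    print("host login, right password:", host.login(TokenDrive(), "correct horse"))
    print("host login, wrong password:", host.login(TokenDrive(), "wrong"))
    print("direct replay, no password:", replay_without_password(TokenDrive()))
    drive = ChallengeDrive("correct horse")
    ok, resp = challenge_login(drive, "correct horse")
    print("challenge login, right password:", ok)
    print("challenge login, wrong password:", challenge_login(drive, "wrong")[0])
    drive.challenge()
    print("replay of earlier response:", drive.unlock(resp))
```

The point of the contrast: with `TokenDrive` the password check is real but pointless, because the controller accepts the constant from anyone; with `ChallengeDrive` the host can do nothing useful without the password, and a captured response is worthless against the next nonce. Where the check runs decides whether the crypto in front of it matters.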

I don't understand the point of these snake-oil sellers. Nowadays these tricks don't stay hidden for long. Sooner or later someone will find out and publish it. And personally, I would never buy again from a company that resorts to these ugly commercial tricks, so it's all loss, in my opinion.
See my other posts here and here, and thanks to Heise-online.co.uk for uncovering this.


False sense of security strikes again

It's 2008, and cheap "encryption" can still give a false sense of security.
Heise-online.co.uk has a story on cracking (not literally) an encrypted hard disk open:

http://www.heise-online.co.uk/security/Enclosed-but-not-encrypted–/features/110136

You may think you paid less and still got AES, when what you actually got was the old and "safe" (pun intended) XOR.
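What "XOR encryption" actually buys you, for this story and the Tornado Plus one above, as an added example written for this post (not code from heise or from any of the vendors): a repeating-key XOR is undone by a few hundred bytes of known plaintext. Here the known plaintext is the zero-filled unused sectors that every freshly formatted drive has, which give the key stream verbatim since 0 XOR k = k; the period of that stream is the key length, and with the key the whole image decrypts. The sector size, the 37-byte key and the sample sector contents are constructed for the demo.

```python
# Added example, not code from heise or from any vendor: breaking a repeating-key
# XOR "cipher" with known plaintext. Sector size, key and sample data are constructed.
SECTOR = 512


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The 'cipher' in question. Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """ciphertext XOR known plaintext at the same offset is the key stream there.
    For zero-filled plaintext it is the key stream verbatim (0 ^ k == k)."""
    segment = ciphertext[offset:offset + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(segment, known_plaintext))


def find_period(stream: bytes, max_period: int) -> int:
    """Smallest p such that the stream repeats every p bytes, i.e. the key length."""
    for p in range(1, max_period + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    raise ValueError("no period up to max_period; window too short or not a short XOR key")


def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int, max_period: int) -> bytes:
    """Recover the key aligned to offset 0 from one known-plaintext window.
    Use a window at least twice max_period long so the period is confirmed."""
    ks = recover_keystream(ciphertext, known_plaintext, offset)
    p = find_period(ks, max_period)
    shift = offset % p  # ks[0] is key[shift], so rotate back to key[0]
    k = ks[:p]
    return k[p - shift:] + k[:p - shift]


def build_sample_image(key: bytes):
    """Constructed victim disk image: one data sector, then unused zeroed sectors."""
    data = b"Q3 payroll: total 1,234,567 EUR; see payroll.xlsx for details.\n"
    plain = data.ljust(SECTOR, b"\x00") + bytes(3 * SECTOR)
    return plain, xor_repeating(plain, key)


def attack(ciphertext: bytes, max_period: int = 256) -> bytes:
    """Attacker knows only the ciphertext and that the last two sectors of a
    freshly formatted drive are zero-filled. No key, no password."""
    offset = len(ciphertext) - 2 * SECTOR
    key = recover_key(ciphertext, bytes(2 * SECTOR), offset, max_period)
    return xor_repeating(ciphertext, key)


def demo() -> bool:
    """Encrypt with a 37-byte key the attacker never sees; check full recovery."""
    key = bytes(range(7, 7 + 37))
    plain, ciphertext = build_sample_image(key)
    return attack(ciphertext) == plain


if __name__ == "__main__":
    print("full image recovered from zero sectors:", demo())
```

Zero sectors are the easy case, but any known plaintext works the same way: a partition table, a file system header, or the fixed bytes at the start of a common document format. A key of any length is recovered by the same rotation once the period is known, which is why key length is no defence here.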

It reminds me so much of another XOR story that I'm starting a collection.
If you know of more, please send them in.