One of our students who works in biometrics passed along two interesting article links. This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked. This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented. (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete. The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.
We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about. Security is about reducing risk of untoward events in a given system. To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses. Securing one component against obvious attacks is not sufficient. Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside is certainly not a restricted “black art.” Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.
Good security takes into account people, events, environment, and the physical world. Poor security is usually easy to circumvent by attacking one of those avenues. Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!
[posted with ecto]