
Aegis Secure Key - USB Drive


16 replies to this topic

#1 MonGoWonGo

MonGoWonGo

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts
  • Country:
  • Gender:Male

Posted 10 February 2012 - 04:12 PM

I am looking for a secure USB drive. I was thinking about the 16GB Aegis Secure Key. After reviewing the product and reading some reviews, it seems like a pretty secure and stable device. I was wondering if anyone has one and would they recommend it. Also, if there are any known vulnerabilities.

I would also be interested in hearing if there is another product people would recommend.

Thanks!

#2 dragon:ONE

dragon:ONE

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 14 posts

Posted 10 February 2012 - 05:53 PM


Hm. The only thing I've ever found to be secure so far has been the IronKey. After seeing a lot of Sprite_tm's hacks to various "secure" drives both fingerprint, password, and PIN-based, I'd be nervous with "secure" measures employed. I haven't heard of an IronKey being hacked but I've seen numerous other secured drives nailed.

#3 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 10 February 2012 - 08:04 PM

+1 for the IronKey. It also has physical security. If you try to open it, you will destroy it.

#4 MonGoWonGo

MonGoWonGo

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts
  • Country:
  • Gender:Male

Posted 12 February 2012 - 09:30 PM


I am looking for a secure USB drive. I was thinking about the 16GB Aegis Secure Key. After reviewing the product and reading some reviews, it seems like a pretty secure and stable device. I was wondering if anyone has one and would they recommend it. Also, if there are any known vulnerabilities.

I would also be interested in hearing if there is another product people would recommend.

Thanks!


Hm. The only thing I've ever found to be secure so far has been the IronKey. After seeing a lot of Sprite_tm's hacks to various "secure" drives both fingerprint, password, and PIN-based, I'd be nervous with "secure" measures employed. I haven't heard of an IronKey being hacked but I've seen numerous other secured drives nailed.


Thanks for your thoughts!

+1 for the IronKey. It also has physical security. If you try to open it, you will destroy it.


I appreciate your input. Thanks!

#5 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 12 February 2012 - 11:44 PM

IronKey, hmm, need to look that up. Sounds rather interesting.

Might I also ask why people with under a 10 post count keep ending up with 5 nuclear waste/nuclear area symbols...?

#6 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 22 March 2012 - 01:28 PM

I wouldn't trust any of those. I warned clients and friends against them in the past. I told them: any time a cheap hardware maker says their product is secure there will be easy attacks against it. Time proved this true. To see what a secure device is like, look up NSA's Inline Media Encryption device (link below). It's for hard drives. It incorporates EMSEC protections, certified crypto implementation, a token the user possesses, a trusted path so the user's PIN isn't captured by malware, a max PIN entry, and a zeroize function. Subtract the token and EMSEC, then you have the minimum design requirements for a secure secondary storage system.

So, let's look at these products. Most of them will have FIPS certification, meaning the algorithms are right. They should have a decent random number generator, although many systems fail here. How is the secret entered? Did you say through a possibly backdoored PC? Holy misguided efforts, Batman! The better solution is to use TrueCrypt. Its effectiveness has been proven over time & its code/mechanisms are open to inspect. Further, it is harder to crack a TrueCrypt volume just b/c it doesn't say which algorithm was used, meaning several must be tried. It will also be vulnerable to key sniffing, but there's actually potential for improvement there due to source availability & control of the OS. The closed, limited, and driver-restricted nature of these USB products makes improving their weaknesses harder.

Hence, use a cheap USB stick & portable TrueCrypt. Keep the computers you use it on as malware-free as possible. Make backups. Less convenient than the "secure" (lol) USB sticks, but you can have more confidence in the results.

NSA IME
http://www.nsa.gov/i...tor/index.shtml
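
The "max PIN entry" and "zeroize" requirements listed in the post above, as an added Python sketch (not code from the thread or from any product discussed in it). The class and function names, the 10-attempt limit, the PBKDF2 parameters and the XOR key wrap are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10        # assumed limit, not taken from any product
PBKDF2_ROUNDS = 50_000   # assumed work factor


class PinGatedKeyStore:
    """Hypothetical device-side store: the PIN check and the failure counter
    are modelled as running on the device, not on the host PC."""

    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        data_key = secrets.token_bytes(32)
        # XOR with the PIN-derived key stands in for a real key-wrap algorithm.
        self.wrapped = bytearray(a ^ b for a, b in zip(data_key, self._kek(pin)))
        self.check = bytearray(hashlib.sha256(data_key).digest())
        self.failures = 0
        self.zeroized = False

    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def unlock(self, pin: str):
        """Return the 32-byte data key, or None on a wrong PIN or wiped store."""
        if self.zeroized:
            return None
        # Count the attempt before checking it, so cutting power during the
        # check cannot buy a free guess.
        self.failures += 1
        candidate = bytes(a ^ b for a, b in zip(self.wrapped, self._kek(pin)))
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), bytes(self.check)):
            self.failures = 0
            return candidate
        if self.failures >= MAX_ATTEMPTS:
            self.zeroize()
        return None

    def zeroize(self):
        """Overwrite all stored key material; the data key is then unrecoverable."""
        for buf in (self.wrapped, self.check):
            buf[:] = bytes(len(buf))
        self.salt = b""
        self.zeroized = True


def survives_guessing(store: PinGatedKeyStore, wrong_pins) -> bool:
    """Feed wrong PINs to the store; True if key material still exists after."""
    for pin in wrong_pins:
        store.unlock(pin)
    return not store.zeroized
```

The limit only holds if the counter and the wrapped key sit in storage that cannot be read out or reset from outside, which is why the thread also raises physical tamper resistance.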

#7 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 22 March 2012 - 01:52 PM


That's all fine and dandy, but TrueCrypt has many versions and the development is being funded by an unknown source. While it may be open source, the amount of new versions that come out are being deployed so rapidly that it's hard for the open source community to audit all the code.

Also, who's funding the developers for TrueCrypt? Who are the developers?

#8 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 22 March 2012 - 06:24 PM


"That's all fine and dandy, but TrueCrypt has many versions and the development is being funded by an unknown source. While it may be open source, the amount of new versions that come out are being deployed so rapidly that it's hard for the open source community to audit all the code."

You're talking like it's an anonymous, black-box Fedora. TrueCrypt 1 was released in February 2004. TrueCrypt 7.1, current version, was released in February 2012. That's 7 major versions over an 8-year period. Many had little .1 or .2 versions that did bug fixes or added a few features. Hardly a tough release schedule to keep up with, eh?

Additionally, many security researchers audit the software and report bugs. Many promote it. Schneier's team did a security assessment of the "deniable" partitions and many issues they raised were fixed in the next version before the paper was finished, which they noted in the paper.

"Also, who's funding the developers for TrueCrypt? Who are the developers?"

Who are the developers for IronKey? Who funds the company? Did they backdoor it like AT&T, Vodafone and Clipper? Idk. That's private, like the design & implementation. TrueCrypt is funded primarily by donations & built by volunteers far as we know. The developers have kept the code open & consistently refused commercial activity. Their licensing issues are probably deliberate to keep them in control of the code and brand, most likely for quality. They have excellent documentation telling you how to do things right, what can cause problems and the limitations of their software. (People backdooring things don't go that far usually.)

Of course, you can always tell if it's a government scheme when they easily break the crypto and get their man: "In July 2008, several TrueCrypt-secured hard drives were seized from a Brazilian banker Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried unsuccessfully for five months to obtain access to TrueCrypt-protected disks owned by the banker, after which they enlisted the help of the FBI. The FBI used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them."

Or not lol

Nick P
schneier.com

#9 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 23 March 2012 - 11:52 AM

Hence, use a cheap USB stick & portable TrueCrypt. Keep the computers you use it on as malware-free as possible. Make backups. Less convenient than the "secure" USB sticks, but you can have more confidence in the results.


Bingo. This guy's got it.

Edited by serrath, 23 March 2012 - 11:55 AM.


#10 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 23 March 2012 - 06:04 PM



Looks like I've been told. I do use TrueCrypt. I don't trust it 100% tho

#11 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 23 March 2012 - 07:49 PM




I don't blame you. A suspicious attitude toward security products is a good thing. The people who invented the first "high assurance" OS's were the ones that said absolute security on a general purpose PC is impossible. If a high assurance design comes with a bit of skepticism, shouldn't we be even more critical of a typical program interfacing with an EAL4 certified OS? Note: EAL4 means secure against "casual or inadvertent attempts to breach security." High robustness (EAL6-7) means secure against well-funded, sophisticated attackers with time on their hands. Medium assurance (EAL5) is a bit vague. Windows and Linux are EAL4+. Mac was EAL3 (lol). Most security software is EAL2-4. Only one OS (XTS-400) is currently even medium assurance. High assurance is mostly dead, so trust nothing unless it proves itself over time. TrueCrypt has, so I trust it a bit and way more than its proprietary barely tested competition.

#12 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 25 March 2012 - 04:04 AM

What you really oughta worry about are the guys who program your compilers. ;)

#13 mSparks

mSparks

    elite

  • Members
  • 102 posts
  • Gender:Male

Posted 25 March 2012 - 08:53 AM

The better solution is to use TrueCrypt.

2nd That.
Or is that 3rd, 4th or 5th that.......

Edited by mSparks, 25 March 2012 - 09:19 AM.


#14 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 29 March 2012 - 12:06 PM

What you really oughta worry about are the guys who program your compilers. ;)


Generally not, as the major OSS compilers get a lot of attention. However, verified compilation is a big thing for me in my research into high assurance and trustworthy systems. Anyone worried about their compiler should use CompCert. It's another excellent product of Xavier Leroy's team at INRIA. They used the Coq (lol I know) proof assistant to formally specify and verify the phases of compilation. Only the initial phase, concrete syntax tree I believe, isn't formally verified. (Good luck doing that anyway). The compiler is automatically extracted from Coq code as ML or OCaml code. (OCaml is another great product of INRIA.) The OCaml compiler was used almost as-is during a DO-178B project, so it's super high quality. The study below that tested many different compilers found tons of bugs in all of them, although very few in CompCert. It also had NO middle end bugs that were present in others. Goes to show their formal verification process works. They're currently making a MiniML compiler for the type of ML Coq generates. That would make the chain complete from specification to assembler, if we verify the autogen.

http://lambda-the-ul...e.org/node/4241

#15 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 29 March 2012 - 03:30 PM



I was talking about the whole "Trusting Trust" bit:
http://www.ece.cmu.e...61-thompson.pdf

I get that there are ways to detect this, the point is if you're worried about a company who's supposed to provide you with a secure product giving you something with a backdoor in it, a compiler's a better target than a flashdisk.

Edited by serrath, 29 March 2012 - 03:33 PM.


#16 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 02 April 2012 - 01:16 PM


I agree. Most developers install or update their product, but don't check past that. I think a MITM attack is more common. It's well known, though, that subversion is the sophisticated attacker's tool of choice. I'm included in that. I also have a love for BIOS/firmware rootkits & covert channels. I like the latter b/c they're hard to notice, few "IT security pro's" even know what they are, and you can get a lot of data out b/f anyone knows it's happening. Not that I'm stealing data from anyone. ;)

Nick P
schneier.com

#17 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 02 April 2012 - 08:32 PM




There's elegance in simplicity; those are useful tools, but I wouldn't go recommending that people apply a blowtorch to light their candles when they've got matches at hand.



