Introduction
Recently, I've been asked by the Dutch IT-newssite Tweakers.net (they run their version of this story too, in Dutch and English.) to look into the security aspects of a product called the "Secustick", which is touted as an USB-stick which requires a password before allowing access to the protected space. The website it's offered on tells us it's used "by various French multinationals and government instructions, like Dassault, Credit Agricole en the Department of Defence". It is sold for a hefty 130 Euro's, which is some 17 times the price you pay for a normal 1G-stick. For that price and with these institutions using it, the Secustick has to be good, right?
First looks
I got the device as a testing unit, so I don't know if this is the retail
package, but it looks really nice:
The package seems to be made of black velvet, and there's a nice keychain hidden
in a compartment of the package which you can use to hang the stick around your
neck. I'm not so fond of metal on my body, considering I work with electricity
a lot, but I can imagine it's a nice way to carry really valuable data around.
First thing I did is plug the device into my Linux-machine. It showed nothing but a 2MB partition containing a Windows program called PASSWORD.EXE, so no chance of getting it to work easily in a non-Windows environment. So much for cross-platform compatibility... Ok, so let's boot into Windows.
Under Windows the program was runnable OK. Hmm, seems someone already entered
a password for me... and I now only had nine retries before the unit would
self-destruct!
Ok, I just had to do something about the stick decreasing the number of tries
left with every wrong password
I entered, or I would have a dead stick in no-time. Now, how to archieve that...
1 Next »