PC_Pro_Issue_274_August_2017

More documents

Recommendations

Info

Real world computıng DAVEY WINDER “All the access techniques I know, which can compromise most storage devices, fail with this drive” Davey puts the “most secure portable drive ever” under some real-world scrutiny, and reveals why Dashlane has lost some of his trust Would you like to put the most secure portable hard drive ever made to the test? That was the question asked of me, along with a promise that I’d be the first journalist on the planet to get properly hands-on with the diskAshur Pro2. I could hardly say no, could I? So at the time of writing, I’ve been using the device in a very real-world setting for a few weeks now. In my other job as managing analyst at IT Security Thing, I get to play with all sorts of interesting security-related devices. I also get to challenge an awful lot of outrageous claims. In this case, the whole “most secure hard drive ever” claim is pretty much impossible for iStorage to prove – or for me to dismantle. Without wishing to burst too many readers’ impression bubbles, I don’t have the ear of insiders working for MI5, MI6 or the FBI/NSA. I’d hope that these organisations have devices for transporting data that are equally as secure as the iStorage drive, and it would be super-cool if they exploded when tampered with for good measure. Back in the real world, what I do know is that there have been plenty of instances where people working for government or law enforcement agencies have left laptops in a taxi or lost a USB memory stick with sensitive data upon it. Sometimes, the data on these devices isn’t even encrypted. There is, without doubt, a need for securing data in Davey is an award-winning journalist and consultant specialising in privacy and security issues @happygeek BELOW The most secure portable hard drive ever? transit. For most people, most of the time, that data isn’t commercially sensitive enough or of such national interest importance to warrant much more than the simplest of software encryption solutions. But what if you’re dealing with truly sensitive data, of the type that’s covered by regulatory compliance requirements? What if your organisation has got to grips with the forthcoming – from 25 May 2018 – impact of the EU General Data Protection Regulation (GDPR) that will still be an issue post-Brexit? If your business deals with the personal data of EU citizens then GDPR will require you take good care of it, and failure to comply could see fines of up to 4% of turnover – or €20 million, if that’s a higher figure. Oh, and if the legal and risk-consultancy minds I’ve melded with of late are right, failure demonstrably caused by bad practice or incompetency could leave management and staff both legally and financially liable. Okay, so that’s the scary stuff. But what does the diskAshur Pro2 bring to the security party that other mobile data solutions do not? The simplest answer would be layer upon layer of security, enough to make it “GDPR-compliant”, as well as either already having, or pending, security certification – including Common Criteria EAL4+, FIPS 140-2 Level 3, NCSC CPA (Foundation Level) and NLNCSA government accreditations. If you need your data secured by a device that’s compliant with such things, then you’ll already know what that acronym-fest means. If you don’t, just take it from me that it means we’re handling some seriously secure hardware here. And that’s where I’ll begin the hands-on bit of this “review” – with the hardware encryption. There’s an ongoing debate among security folk as to the benefits of hardware encryption over software encryption, which I find difficult to comprehend. Yes, software encryption is good enough for most people – and way better than no encryption at all. Yes, the software solutions tend to be cheaper and there’s more choice out there. The downside is that software encryption can only be as secure as the OS of the device upon which it’s installed enables it to be. An OS exploit can easily become an encryption vulnerability. Software encryption can also be turned off by the user. Hardware encryption, on the other hand, is totally self-contained and platform/device agnostic. There’s no software to set up, no drivers to install, no OS to attack. In the case of the diskAshur Pro2, the full-disk encryption is by way of AES 256-bit in XTS mode. Plug it into any host device with a USB port, enter the correct PIN, and your data is instantly decrypted. I’ll return to the specifics of that in a moment, but for now I must address another argument that some put forward at this point. Namely, that if you have a drive with a hardware-incorporated PIN pad then a thief will know the data must be of value and thus this makes you a bigger target. I don’t agree, and on so many counts. For a start, if you’re being targeted by a serious criminal or government organisation then it makes no difference whether you have your data on a £5 memory stick or a £250 hardware-encrypted drive – they’re still going to attempt to steal your data. The difference it does make is that they’re likely to have much less success in accomplishing this task with the latter. I know which option I’d rather use. Oh, and casual attackers aren’t simply waiting in the hotel lobby or airport café for someone to whip out a “secure drive” before attempting a drive-by hack. More to the point, someone transporting sensitive data on such a device is unlikely to be waving the drive around at every opportunity. Talking of the water- and dustresistant, epoxy-coated PIN pad, this is where the hands-on stuff starts to 118
@PCPRO FACEBOOK.COM/PCPRO get interesting. Your PIN code must be at least seven digits, and can stretch to 15. You can’t use sequential numbering for your code or all repeating numbers, for that matter. I’d change the factory default admin PIN of 11223344 sharpish, though; that’s just asking for trouble! That aside, rather than be restricted to 0 to 9, the Shift key when used in conjunction with any number registers that as a separate value, making guessing a PIN much harder. Guessing isn’t a good idea anyway, as a total of 15 wrong attempts kicks the drive into self-destruct mode. Actually, it’s better than that sounds. The 15 attempts are split into three groups of five under a brute-force protection umbrella. Five wrong guesses and the drive freezes, requiring physical reconnection before the next five goes are allowed. Get them wrong and it freezes again, but this time requires some Shift key jiggery-pokery while plugging it back in and a special code entering before offering one last batch of guesses. If those fail then the admin user PINs are reset and the encryption keys deleted, along with the data upon it. There’s also an admin self-destruct option that does the same thing, but using a data-exploding PIN code for want of a better term. That same PIN is then used as the new user PIN, and the drive will need repartitioning and reformatting to be usable again. Fine, you say, but what if some clever tech guys have permanent physical possession of the drive – surely that’s game-over for your data privacy? Usually, I’d agree, depending upon who is doing the holding of course. However, even in this worst-case scenario it isn’t straightforward to get at the data. I’d go so far as to say that pretty much all the access techniques I know about – including laser attack and fault injecting, which can compromise most storage devices – fail here. External tamper controls are impressive. In fact, with any attempt to physically dismantle the device being met by the internal components encased in layers of ultra-tough epoxy resin, it would almost certainly break those components during the attack process. This “tamper-evident” design is important: it’s good to see that someone has attempted an attack, even if they’ve failed. The activeshield violation protection also means that any attack on the microprocessor would initiate a deadlock state for the drive and require a power cycle to continue. Indeed, all the authentication parameters are encrypted and protected by the microprocessors’ memory encryption and access control schemes. You also get protection from “stupid user syndrome”, whereby the drive will go into lockdown if left unattended for a specified period of time (5 to 99 minutes), requiring PIN entry to start up again. The drive also does this when ejected from any host, or when the lock button is pressed on the keypad. Is being ultra-secure worth the premium that the device costs? That isn’t easy to answer, and will depend upon your data protection and regulatory compliance requirements. Maybe it’s better put the other way: can your organisation afford not to invest in truly secure data portability technology? ABOVE Performance of the diskAshur Pro2 was on par with my other external drives “The activeshield violation protection means that any attack on the microprocessor would initiate a deadlock state for the drive” BELOW That’s an unsafe password. Really, Dashlane? The 124mm x 84mm x 20mm (225g) device I’ve been testing is a “spinning rust” version, which is the cheapest route to entry. My 500GB drive, which I discovered packs a pretty reliable 7,200rpm SATA 600 WD Black laptop drive inside, runs at a recommended price of £209. The 2TB spinning rust version takes that up to £329. My CrystalDiskMark 5 sequential read/write testing revealed that the drive was little different, despite the hardware encryption, to any other USB 3.1 external drive I had to hand. The SSD versions of the drive will improve the speed, but at a cost: the 512GB equivalent is a hefty £429. The iStorage website (istorage-uk. com) has details of all the variants in the range, with price and distributor information. So, two big questions: is it the most secure portable hard drive ever made? I will venture the Carlsberg response: probably. Should you rush out and buy one? Possibly. If you’re a home user playing at data privacy without the regulators breathing down your neck, probably not. For you, software encryption is secure enough if you do it properly. Of course, doing it properly is the difficult bit and that’s the uncertainty the diskAshur Pro 2 removes. For any organisation that needs to transport sensitive data – and wants to make absolutely certain it’s as secure as it can be in transit – it’s a no-brainer. Dashlane dents my confidence Just as a few of the Real World Computing contributors use iStorage hardware-encrypted devices, so at least two of us have a liking for the Dashlane password management software. Or maybe that should be in the past tense? Let me explain. I’ve used Dashlane for a while now and rather like the combination of ease of use and security it brings. I used to recommend LastPass, but after one too many vulnerability faux pas, I switched my recommendation to Dashlane. But I started to notice some odd behaviour: passwords were being reported as weak, with the software issuing warnings that my security was at risk until I changed them. Ordinarily this would be a good thing, apart from the fact that the passwords in question were long, random and complex. Here’s an 119
Page 1 and 2:
p30 p74 p42 p30 ISSUE 274 AUGUST 20
Page 3 and 4:
@PCPRO FACEBOOK.COM/PCPRO August201
Page 5:
@PCPRO FACEBOOK.COM/PCPRO August201
Page 8:
August2017 Issue274 @PCPRO FACEBOOK
Page 11 and 12:
@PCPRO FACEBOOK.COM/PCPRO Briefing
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
@PCPRO FACEBOOK.COM/PCPRO The A-Lis
Page 19:
DOMAINS | MAIL | HOSTING | eSHOPS |
Page 22 and 23:
Profile BACKGROUND INFO ON INNOVATI
Page 24 and 25:
Viewpoints PC Pro readers and exper
Page 26 and 27:
Viewpoints @PCPRO FACEBOOK.COM/PCPR
Page 28 and 29:
Readers’comments Your views and f
Page 30 and 31:
30
Page 32 and 33:
What, exactly, is Windows 10S? We s
Page 34 and 35:
What’sin Store:Living with What
Page 36 and 37:
Meet the Windows 10 S laptop lineup
Page 38 and 39:
THE 19BEST COMMAND PROMPT COMMANDS
Page 40 and 41:
TIP: CUSTOMISING THECOMMAND PROMPT
Page 42 and 43:
LINUX on WINDOWS Windows 10 include
Page 44 and 45:
INSTALLING WSL WSL is available on
Page 46 and 47:
SEVEN WAYS TO GET THE MOST FROM OFF
Page 48 and 49:
functionality of each app, directly
Page 50 and 51:
Why every business needs to Konnect
Page 52 and 53:
Reviews Slug Section head The bigge
Page 54 and 55:
Reviews @PCPRO FACEBOOK.COM/PCPRO c
Page 57 and 58:
@PCPRO FACEBOOK.COM/PCPRO Reviews T
Page 61 and 62:
@PCPRO FACEBOOK.COM/PCPRO Reviews C
Page 63 and 64:
@PCPRO FACEBOOK.COM/PCPRO Reviews (
Page 65 and 66:
@PCPRO BATTERY: video playback, 8hr
Page 67 and 68: @PCPRO FACEBOOK.COM/PCPRO Bonus sof
Page 69 and 70: @PCPRO FACEBOOK.COM/PCPRO Technolog
Page 71 and 72: 3D Plus The ultimate graphics works
Page 73 and 74: @PCPRO FACEBOOK.COM/PCPRO Reviews o
Page 75 and 76: @PCPRO FACEBOOK.COM/PCPRO Labs Rout
Page 84 and 85: Thesimpleway tobuyacar Buy online a
Page 86 and 87: Asus BRT-AC828 Superb long- and sho
Page 88 and 89: Linksys WRT3200ACM Well-built and f
Page 90 and 91: Sky Q Hub Decent speeds and provide
Page 92 and 93: Slug Section head The Network Pract
Page 94 and 95: The Network Business Focus Brother
Page 96 and 97: Epson WorkForce Pro WF-8010DW A big
Page 98 and 99: The Network Business Focus Oki C843
Page 100 and 101: Broadberry CyberStore 224S-WSS The
Page 102 and 103: Video for business Videoconferencin
Page 104: The Network Videoconferencing @PCPR
Page 107: @PCPRO FACEBOOK.COM/PCPRO The Netwo
Page 111 and 112: Jon Honeyball Opinion on Windows, A
Page 113 and 114: @PCPRO FACEBOOK.COM/PCPRO iPhone in
Page 115 and 116: @PCPRO FACEBOOK.COM/PCPRO Note that
Page 117: @PCPRO FACEBOOK.COM/PCPRO potential
Page 121 and 122: @PCPRO FACEBOOK.COM/PCPRO As I foun
Page 123 and 124: DOES YOUR DAD LOVE TECH? 6 ISSUES F
Page 125 and 126: @PCPRO FACEBOOK.COM/PCPRO Futures T
Page 127 and 128: @PCPRO FACEBOOK.COM/PCPRO Futures W
Page 129 and 130: DENNISMAGS.CO.UK/PCPRO Coming next
Page 132: Did you know... 1 in4A3 Colour Prin
show all

PC_Pro_Issue_274_August_2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?