This post was originally published on 14 June 2022.
Update 5 September 2022
ENCSecurity has updated its ENCDataVault software to fix these issues, so now I can update and resume using my portable SanDisk USB drive.
Update for ENCDataVault Software – ENC Security Help Center (zendesk.com)
Watch out for the post later this week on CyberAwake on how these types of devices can be integrated into your cyber security infrastructure.
Original Post
This story also applies to you, if you are using a Sony or Lexar device using their bundled encryption software.
One of the reasons I bought my SanDisk memory stick (even though I really did not want to buy SanDisk – see below) was that it included encryption software, so I could use it to keep some of Octagon’s incident response/DR plan files with me securely. It was an easier solution than the one I had in place.
This is obviously quite an important part of our cyber security planning, hence I bought into a reputable brand, as I thought they should have carried out the required due diligence before bundling the security software. It is not possible for a small organisation to check everything; you are dependent on trusting your vendors and suppliers.
Now Bruce Schneier has put me onto this research:
Practical bruteforce of AES-1024 military grade encryption – Kudelski Security Research (Sylvain. 2022)
Basically, the encryption of my data is not strong enough to resist what amount to quite straightforward brute-forcing techniques, making this encryption solution useless.
I have switched back to my previous encryption solution, which, although a little more involved, is secure.
This story does illustrate why you always need to be reviewing your cyber security arrangements – things change.
This is not the first time I have been disappointed by SanDisk
There is a plus side to this story.
A while back I was again disappointed by SanDisk. I had bought a 128GB memory stick from them which included an internal, battery-powered Wi-Fi router, so I could access files from it using an app on my iPhone. It was excellent for taking movies and other media away with me when I was camping and backpacking, and for backing up my photographs. Obviously the stick was not cheap, but it did appeal to my inner geek.
I had had the stick about 18 months when Apple brought out a new version of iOS and SanDisk decided not to update its app, so I could no longer access files on the stick via Wi-Fi, rendering my USB memory stick no more than the most expensive memory storage I own. I emailed SanDisk, who explained carefully why they had trashed my stick and suggested I buy another device from them. I did not. But since then I have banned all my team from supplying or even specifying SanDisk solutions to clients, and when we find them at clients we change them out for other vendors.
So, luckily, we do not have to go to clients to explain SanDisk’s latest issue to them, as our clients do not use them.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Sylvain. (2022). Practical Bruteforce of AES-1024 Military Grade Encryption. Retrieved June 14, 2022, from https://research.kudelskisecurity.com/2022/05/11/practical-bruteforce-of-aes-1024-military-grade-encryption/