Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Wednesday October 21 2015, @04:55PM   Printer-friendly
from the would-you-like-the-good-or-bad-news? dept.

Update: Western Digital announced its acquisition of SanDisk on Wednesday for $86.50 per share, or about $19 billion.

Bloomberg reports that hard disk drive maker Western Digital (WD) is considering purchasing SanDisk Corp. for between $80 and $90 a share, or around $17-18 billion.

A merger would give WD access to SanDisk's NAND flash chip foundry deal with Toshiba and make WD an instant competitor in the solid-state drive market. As we reported last week, SanDisk is also partnering with Hewlett-Packard on Storage-Class Memory (SCM), a post-NAND competitor to Intel and Micron's 3D XPoint offering.

After three years of delay, Chinese trade regulator MOFCOM has approved WD's integration with HGST. The two businesses will be required to keep product brands and sales teams separate for two more years, but can begin "combining operations and sharing technology," such as HGST's helium-filled 7-platter hard drives. $400 million in annual operating expenses could be reduced by the integration.

WD can be expected to include helium-filled hard drives in its product lineup imminently. If WD merges with SanDisk, we may also see the inclusion of more large NAND flash caches in the form of hybrid hard drive (HHD/SSHD) products. The Xbox One Elite Bundle ships with a 1 terabyte SSHD, and Seagate recently released a 4 terabyte desktop SSHD.

It's not all good news for Western Digital this week. Security researchers have just disclosed multiple vulnerabilities in WD's "My Passport" and "My Book" self-encrypting hard drives that allow encryption to be bypassed.


mendax writes:

"Totally uselsss", the article from El Reg dubs it:

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and "modg" – have tried out six models in the WD My Passport family, and found blunders in the designs.

For example, on some models, the drive's encryption key can be brute-forced, which is bad news if someone steals the drive: decrypting it is child's play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems. [...]

"In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically safe, and only cycles through a series of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information for this key to be recreated by brute-force, we're told.

"An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 240,"....

The paper that describes their exploit can be found here.


Original Submission #1Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by throwaway28 on Thursday October 22 2015, @07:42AM

    by throwaway28 (5181) on Thursday October 22 2015, @07:42AM (#253117) Journal

    FYI, an easy way to get encrypted block devices on linux, is

    echo "0 1024000000 crypt aes-cbc-essiv:md5 d41d8cd98f00b204e9800998ecf8427e 0 /dev/sdc 0" | dmsetup create encrypted
    mount /dev/mapper/encrypted /mnt/encrypted

    I began using this command in 2009; though d41d8cd98f00b204e9800998ecf8427e is /NOT/ my password.