More stories

  • Microsoft warns enterprises of new 'dependency confusion' attack technique

    Microsoft published a white paper on Tuesday about a new type of attack technique called “dependency confusion” or a “substitution attack” that can be used to poison the app-building process inside corporate environments.

    The technique revolves around concepts like package managers, public and private package repositories, and build processes.
    Today, developers at small or large companies use package managers to download and import libraries that are then assembled together using build tools to create a final app.
    This app can be offered to the company’s customers or can be used internally at the company as an employee tool.
    But some of these apps can also contain proprietary or highly-sensitive code, depending on their nature. For these apps, companies will often use private libraries that they store inside a private (internal) package repository, hosted inside the company’s own network.
    When apps are built, the company’s developers will mix these private libraries with public libraries downloaded from public package portals like npm, PyPI, NuGet, or others.
    New “dependency confusion” attack
    In research published on Tuesday, a team of security researchers has detailed a new concept called “dependency confusion” that attacks these mixed app-building environments inside large corporations.

    Researchers showed that if an attacker learns the names of private libraries used inside a company’s app-building process, they could register these names on public package repositories and upload public libraries that contain malicious code.
    The “dependency confusion” attack takes place when developers build their apps inside enterprise environments, and their package manager prioritizes the (malicious) library hosted on the public repository instead of the internal library with the same name.
    The research team said they put this discovery to the test by searching for situations where big tech firms accidentally leaked the names of various internal libraries and then registered those same libraries on package repositories like npm, RubyGems, and PyPI.
    Using this method, researchers said they successfully loaded their (non-malicious) code inside apps used by 35 major tech firms, including the likes of Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, and others.
    But besides npm, RubyGems, and PyPI, other package managers are also vulnerable, researchers said, including the likes of JFrog and NuGet.
    Microsoft urges companies to analyze internal package repos
    While the research team said it notified all the affected companies and package repositories, Microsoft appears to have understood the severity of this issue more than the others.
    After the research team’s work went public on Tuesday, the OS maker, which also runs the NuGet package manager for .NET developers, has published a white paper detailing the dependency confusion technique, which Microsoft calls “substitution attack.”
    The white paper warns companies about hybrid package manager configurations, where both public and private library sources are used, but also details a series of mitigations that companies can apply to avoid dependency confusions within their build environments.
    The listed recommendations include:
    Reference one private feed, not multiple
    Protect your private packages using controlled scopes on public package repositories
    Utilize client-side verification features, such as version pinning and integrity verification
    More inside the white paper.
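
    As an added illustration (not code from the white paper or the research), the sketch below audits a pip requirements file against the three recommendations above: one feed only, exact version pins, and hash verification. The package name `acme-internal-auth`, the feed URL `pkgs.example.internal`, the placeholder digest and the rule names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def normalize(name):
    """PEP 503 normalization: runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Yield (first_line_no, line), comments removed, backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
# Exact pin only: "name==1.2.3". Ranges and wildcards such as "==1.*" do not match.
_EXACT = re.compile(_NAME.pattern + r"(\[[^\]]*\])?\s*==\s*[A-Za-z0-9.!+_-]+")


def audit_requirements(text, internal_names=()):
    """Return findings for feed mixing, floating versions and missing hashes."""
    internal = {normalize(n) for n in internal_names}
    lines = list(logical_lines(text))
    # pip gives no priority between --index-url and --extra-index-url: every
    # index contributes candidates and the highest matching version wins.
    has_extra = any(l.startswith("--extra-index-url") for _, l in lines)
    findings = []
    for no, line in lines:
        if line.startswith("--extra-index-url"):
            findings.append(Finding(no, "multiple-feeds",
                                    "second index configured; use one private feed"))
            continue
        if line.startswith("-"):
            continue  # other options (--index-url, --require-hashes, -r ...)
        spec = re.split(r"\s--|;", line, maxsplit=1)[0].strip()
        m = _NAME.match(spec)
        if m is None or "://" in spec:
            continue  # direct URL references are outside this example's scope
        name = normalize(m.group(0))
        if not _EXACT.fullmatch(spec):
            findings.append(Finding(no, "unpinned", f"{name}: no exact '==' pin"))
        if "--hash=" not in line:
            findings.append(Finding(no, "no-hash", f"{name}: no --hash digest"))
        if has_extra and name in internal:
            findings.append(Finding(no, "confusable-name",
                                    f"{name}: internal name resolved across several indexes"))
    return findings


# Constructed sample inputs (hypothetical package, feed URL and digest).
WEAK = "\n".join([
    "--index-url https://pypi.org/simple/",
    "--extra-index-url https://pkgs.example.internal/simple/",
    "requests>=2.25   # public dependency, floating version",
    "acme_internal.auth  # internal library, unpinned",
])
_DIGEST = "0" * 64  # placeholder, not a real package hash
HARDENED = "\n".join([
    "--index-url https://pkgs.example.internal/simple/",
    "--require-hashes",
    "requests==2.25.1 \\",
    f"    --hash=sha256:{_DIGEST}",
    "acme-internal-auth==1.4.2 \\",
    f"    --hash=sha256:{_DIGEST}",
])

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for f in audit_requirements(text, {"acme-internal-auth"}):
            print(f"  line {f.line_no}: {f.rule}: {f.detail}")
```

    The hardened file assumes the single private feed proxies the public packages the build needs, so no second index is required.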

  • Brazilian government urged to protect consumers from massive data leak

    A Brazilian consumer rights watchdog has urged the federal government to take immediate and urgent action to protect citizens who had their personal details exposed online.
    The notices sent by the Brazilian Institute for Consumer Protection (IDEC) to several government agencies relate to a massive data leak, which saw details of 223 million Brazilians, ranging from name and address to current income, personal vehicle information and tax returns, exposed and sold on the dark web.
    In addition, the leak included information from Mosaic, a consumer segmentation model used by Serasa, the Brazilian subsidiary of credit research multinational Experian, which was exposed and offered for sale online. The incident, which was discovered by cybersecurity firm Psafe in January, is considered to be Brazil’s most significant data leak on record.
    According to IDEC, the scale and scope of the situation call for regular inspection measures to be adopted for large-scale databases, such as credit bureaus, which could have been the source of the leak. The consumer rights organization also noted that data leaks in Brazil have become an “unacceptable routine” and that one way to reduce the likelihood of such occurrences is to prevent consumer databases from being formed without any limitations and to give consumers the choice of opting out of them.
    “What we have today is a single certainty, that the citizen is completely adrift. Fear is a constant, with fraud attempts increasing every day due to the amount of data that was leaked”, points out IDEC’s lawyer, Michel Roberto de Souza. “Institutions must investigate and punish, but they must also inform and guide citizens about what is happening. We need a lot of transparency as well as timely and adequate solutions.”
    Yesterday (8), Experian released a statement saying that it is carrying out a “detailed forensic investigation” into the possibility that “some of the [leaked information] may have been sourced from its non-sensitive marketing data”.

    On the other hand, the company argued that the data offered for sale online “includes photographs, social security numbers, vehicle registrations and social media login details, which Serasa does not collect or hold.” In addition, Experian stated that “there is no evidence” that credit data has been illegally obtained from Serasa, or that the company’s technology systems had been compromised.

    According to IDEC, the data exposure is a serious violation of the General Data Protection Regulations, as well as the Brazilian Consumer Protection Code, due to the non-compliance with security measures, as well as a serious violation of security and information duties in the provision of services.
    In the documents sent to the authorities, the Institute is requesting more effective measures and a “robust cooperation” from the recently created National Data Protection Authority and the National Consumer Secretariat with the Federal Police, the Public Prosecutor’s Office and the National Congress.
    In addition, IDEC points out the need for involvement of the Central Bank, which regulates Serasa, due to the considerable doubt over the possibility that “at least part of the data leak” has originated from the company.
    According to the consumer rights institute, the scope and risks posed by this incident require “coordinated action by all competent authorities to ensure efficiency and speed in investigations and in the adoption of measures necessary for consumer safety”.
    In addition, IDEC argued that a contingency plan to minimize the damage caused by the leak is among the actions needed, alongside extensive communication of the incident, with a website made available to outline the data leaked for each consumer, as well as wide dissemination of the necessary precautions to avoid scams using leaked data and mechanisms for monitoring usage of taxpayer registry identification numbers free of charge.

  • Microsoft February 2021 Patch Tuesday fixes 56 bugs, including Windows zero-day

    Microsoft today released its monthly batch of security updates, known as Patch Tuesday. This month, the OS maker has fixed 56 security vulnerabilities, including a Windows bug that was being exploited in the wild before today’s patches.
    Tracked as CVE-2021-1732, the Windows zero-day is an elevation of privilege bug in Win32k, a core component of the Windows operating system.
    The bug was exploited after attackers gained access to a Windows system in order to obtain SYSTEM-level access.
    Details about the attacks where this bug was used were not revealed. Microsoft credited three security researchers from Chinese security firm DBAPPSecurity with discovering the attacks where this zero-day was employed.
    Many bug details went public
    Besides the zero-day, this month’s Patch Tuesday also stands out because of the high number of vulnerabilities whose details were made public even before patches were available.
    In total, six Microsoft product bugs had their details posted online before today’s patches. This included:
    CVE-2021-1721 – .NET Core and Visual Studio Denial of Service Vulnerability
    CVE-2021-1733 – Sysinternals PsExec Elevation of Privilege Vulnerability
    CVE-2021-26701 – .NET Core Remote Code Execution Vulnerability
    CVE-2021-1727 – Windows Installer Elevation of Privilege Vulnerability
    CVE-2021-24098 – Windows Console Driver Denial of Service Vulnerability
    CVE-2021-24106 – Windows DirectX Information Disclosure Vulnerability
    The good news is that none of these bugs were exploited by attackers, despite their details being posted online.
    Warning about TCP/IP bugs

    But that’s not all. This month, Microsoft has also released fixes for three vulnerabilities in the Windows TCP/IP stack, which allows the operating system to connect to the internet.
    Two of these bugs (CVE-2021-24074, CVE-2021-24094) are remote code execution vulnerabilities that could allow attackers to take over Windows systems remotely.
    A third bug (CVE-2021-24086) could be used to crash Windows devices.
    “The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely [to be exploited] in the short term,” Microsoft said in a blog post specifically published to warn about these three issues.
    “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release,” the company added. “Thus, we recommend customers move quickly to apply Windows security updates this month.”
    Of all Windows systems, Windows Server instances are the ones most likely to be susceptible to attacks, as many are used to host web servers or cloud infrastructure and are almost certainly connected to the internet at all times and exposed to attacks.
    “It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible,” Microsoft said.
    If patches can’t be applied right away, various workarounds can be deployed, with details in each vulnerability’s advisory.
    Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMware security updates are available here.
    Chrome 88 security updates are detailed here.
    Android security updates are available here.
    | Tag | CVE ID | CVE Title |
    | --- | --- | --- |
    | .NET Core | CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability |
    | .NET Core | CVE-2021-24112 | .NET Core Remote Code Execution Vulnerability |
    | .NET Core & Visual Studio | CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability |
    | .NET Framework | CVE-2021-24111 | .NET Framework Denial of Service Vulnerability |
    | Azure IoT | CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability |
    | Developer Tools | CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability |
    | Microsoft Azure Kubernetes Service | CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
    | Microsoft Dynamics | CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability |
    | Microsoft Dynamics | CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability |
    | Microsoft Edge for Android | CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability |
    | Microsoft Exchange Server | CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability |
    | Microsoft Exchange Server | CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability |
    | Microsoft Graphics Component | CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability |
    | Microsoft Office Excel | CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability |
    | Microsoft Office Excel | CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability |
    | Microsoft Office Excel | CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability |
    | Microsoft Office Excel | CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability |
    | Microsoft Office SharePoint | CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability |
    | Microsoft Office SharePoint | CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability |
    | Microsoft Office SharePoint | CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability |
    | Microsoft Office SharePoint | CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
    | Microsoft Teams | CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability |
    | Microsoft Windows Codecs Library | CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
    | Microsoft Windows Codecs Library | CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability |
    | Role: DNS Server | CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability |
    | Role: Hyper-V | CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability |
    | Role: Windows Fax Service | CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability |
    | Role: Windows Fax Service | CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability |
    | Skype for Business | CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability |
    | Skype for Business | CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability |
    | SysInternals | CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability |
    | System Center | CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability |
    | Visual Studio | CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability |
    | Visual Studio Code | CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability |
    | Windows Address Book | CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability |
    | Windows Backup Engine | CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability |
    | Windows Console Driver | CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability |
    | Windows Defender | CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability |
    | Windows DirectX | CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability |
    | Windows Event Tracing | CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability |
    | Windows Event Tracing | CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability |
    | Windows Installer | CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability |
    | Windows Kernel | CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability |
    | Windows Kernel | CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability |
    | Windows Kernel | CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability |
    | Windows Mobile Device Management | CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability |
    | Windows Network File System | CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability |
    | Windows PFX Encryption | CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability |
    | Windows PKU2U | CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability |
    | Windows PowerShell | CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability |
    | Windows Print Spooler Components | CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability |
    | Windows Remote Procedure Call | CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability |
    | Windows TCP/IP | CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability |
    | Windows TCP/IP | CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability |
    | Windows TCP/IP | CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability |
    | Windows Trust Verification API | CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability |

  • Cybersecurity firm SentinelOne buys Scalyr for $155 million

    Cybersecurity firm SentinelOne said it has signed a deal to acquire Scalyr, makers of a data analytics platform for log management and observability, for $155 million in cash and equity.

    According to SentinelOne, the acquisition will help the company add significant capabilities to its extended detection and response (XDR) platform. 
    Specifically, the company said Scalyr’s technology will bolster SentinelOne’s ability to ingest, correlate, search, and action data across sources, including both public cloud and internal enterprise data sources.
    “Scalyr’s big data technology is perfect for the use cases of XDR, ingesting terabytes of data across multiple systems and correlating it at machine speed so security professionals have actionable intelligence to autonomously detect, respond, and mitigate threats,” said Tomer Weingarten, CEO of SentinelOne. “This is a dramatic leap forward for our industry – while other next-gen products are entirely reliant on SIEM integrations or OEMs for point in time data correlation and response, SentinelOne uniquely provides customers with proactive operational insights from a security-first perspective.”
    The acquisition is expected to close during SentinelOne’s first quarter. SentinelOne said its data services team will continue offering log management, observability and event data cloud services in conjunction with integrating Scalyr.

  • Appgate to go public through Newtown Lane merger

    Appgate intends to go public by merging with Newtown Lane Marketing. 

    The deal was made public on Tuesday. Under the terms of the agreement, Appgate will become a public company “with significant financial resources to accelerate growth, scale, and go-to-market strategies,” the firm says. 
    The definitive merger agreement could value the combined company at up to $1 billion. 
    Under the terms of the deal, Appgate received $50 million once the merger agreement was signed and will be given a further $25 million at closing, as well as another $25 million package moving forward. 
    Miami-based Appgate, a spin-off of Cyxtera Technologies and provider of zero-trust security solutions, accounts for roughly 650 government and enterprise clients. 
    The company says it intends to up-list on the “Nasdaq or NYSE as soon as possible” and as soon as the merger is complete and its application has been accepted — potentially as quickly as Q2 2021.   
    Existing investors, including BC Partners and Medina Capital, will retain their share equity in the combined company for at least one year after closing as majority shareholders.

    “This is a tremendous time of growth in our industry,” commented Barry Field, Appgate CEO. “Appgate is displacing outdated, easily compromised, traditional network security, such as VPNs and firewalls, by using cutting-edge software designed around the principles of zero trust.”
    At the same time as the merger announcement, Appgate said that an investment manager, currently unnamed, has agreed to provide up to $100 million in convertible notes once the firm hits a $1 billion valuation. 
    Appgate projects revenues of approximately $40 million in the 2021 financial year. 
    According to research by Sijoitusrahastot, Special Purpose Acquisition Companies (SPACs) in the United States — used to speed up the typical Initial Public Offering (IPO) process — raised over $83 billion in 2020, a higher number than in the past 10 years combined. 
    In total, 248 US-based SPACs raised $83.04 billion last year, with the market share of US-listed SPACs rising from 23% in 2019 to 53% in 2020. In total, 90% of SPAC deals made in 2020 completed. 

  • Protect your online privacy with this highly rated VPN, now on sale

    If you’re subscribed to us, you probably know by now how important using a VPN is. A reliable VPN is truly the easiest way to protect your online privacy besides shutting off your internet entirely. But for those of us who rely on the internet, whether for work or for play, a VPN is a necessity. 

    The hard part is choosing the right VPN for you. There are dozens of options on the market, and everyone has different needs. Windscribe VPN is an excellent, highly-rated choice if you need an all-encompassing privacy and security solution, and Pro Plans are on sale right now for as low as $47.60 with promo code: VDAY2021. 
    Windscribe VPN is a 2-in-1 privacy solution that will keep your data and devices safe from harm. On one hand, it offers comprehensive VPN coverage by redirecting your traffic through an encrypted tunnel to one of its international servers. This masks your physical location, gives you a new IP address, and prevents third parties such as hackers, government agencies, and even your ISP from tracking your behavior. On top of that, you can access content that’s blocked in your country since you now appear to be accessing the internet abroad.
    A new IP address alone won’t completely protect you; advertisers can still target you based on information from your browser. This is why the second half of Windscribe is a browser extension that blocks ads, beacons, and trackers from monitoring your browsing habits. Windscribe also uses a firewall to keep you safe in the event that your encrypted connection fails. 
    With Windscribe VPN’s comprehensive security and privacy features, it’s no wonder it earned a user rating of 4.4/5 stars. If you’re looking for an all-in-one solution to maintain your anonymity, you can sign up for a Windscribe VPN Pro Plan today at a discounted rate. 
    Prices subject to change.


  • Cybersecurity jobs: This new 'one-stop shop' aims to create a roadmap for security careers

    A new independent body will oversee training and standards in the UK cybersecurity industry, bringing the sector in line with other professions including law, medicine and engineering.
    The UK Cyber Security Council is designed to provide the industry with a single government voice and to help boost job prospects for information security professionals of all experience levels by working with training providers to accredit courses and qualifications, as well as providing employers with information required to recruit effectively to ensure their security capabilities.

    It aims to boost job prospects around the country by giving budding and existing workers a clear roadmap for building a career in cybersecurity. The council will also focus on boosting the diversity of people pursuing careers in the industry.
    Funded by the Department for Digital, Culture, Media & Sport (DCMS), the body will work closely with the National Cyber Security Centre (NCSC) and aims to be a ‘one-stop shop’ for people looking to enter or further their careers in information security.
    “Cybersecurity is a growing industry in the UK and it’s vital for high standards of practice and technical expertise to be at the heart of the profession as it develops,” said Chris Ensor, the NCSC’s deputy director for cyber growth.
    “We look forward to working with the Council to help ensure that future generations of cybersecurity professionals have the skills and support they need to thrive and make the UK the safest place to live and work online.”

    The establishment of the UK Cyber Security Council comes following a consultation on developing the UK cybersecurity profession, which found there was support for establishing a new industry body. It will be chaired by Claudia Natanson, who has served as CSO at DWP and MD at BT Secure Business Service.
    “Having spent many years in cybersecurity, I’m very aware of the excellent work done by many varied organisations – but I’m also conscious that the time for an umbrella organisation has come in order to drive the profession forward in a unified way,” said Natanson.
    “It’s a privilege and a challenge to be part of the leadership of the Council, knowing that the future security and prosperity of the UK depends in part on the Council succeeding in its mission to develop the profession,” she added.
    The Council will formally launch on March 31 and has appointed an inaugural Board of Trustees to help guide the organisation over the coming years.

  • diskAshur M2, hands on: A sturdy and secure SSD, with a frustrating user interface

    The portable, secure and rugged diskAshur M2 comes in capacities ranging from 120GB to 2TB.
    Image: iStorage
    Supplied in a sturdy carrying case, the diskAshur M2 from iStorage is thinner and sleeker than previous models and has its own sliding sleeve to protect the keypad from getting knocked while it’s in a bag or pocket, as well as to keep dust out of the USB 3.2 Micro-B SuperSpeed data and power port on one end. 
    There’s even a rubber gasket that makes the whole thing waterproof when the sleeve is fitted (IP68, up to 30 minutes in 1.5m of water); iStorage also claims it’s shock and crushproof (up to 2.7 ton) and we saw no errors after dropping it off a few desks and tables in the office. 
    Flash storage isn’t going to suffer the kind of head crashes a hard drive might, but more importantly you don’t want it to be easy to crack open if an attacker wants to try the kind of hardware assault that involves disassembling the device (although there are built-in protections against the usual physical and monitoring attacks, and the components are encased in resin). 

    The diskAshur M2 is supplied with short USB-A and USB-C cables for device connection.
    Image: iStorage
    The size of a small bar of chocolate or a feature phone, the M2 feels heavy for its size but is nicely balanced; you can stand it on one end if it’s not plugged in. But the USB-A and USB-C cables supplied are rather short, so it’s probably going to end up flat on the table next to your device where you can type in the PIN when you need it. That device can be pretty much anything with a USB port, including Android, Chrome, thin clients and embedded systems, as well as Windows, macOS and Linux, because the hardware encryption means you don’t need to install any software. You can even use the M2 as a boot drive. 
    Previous versions of the diskAshur had a built-in cable, and the datAshur USB stick needed an adapter for mobile or USB-C devices. Switching that for separate cables makes the M2 more flexible, but since USB Micro-B SuperSpeed connectors aren’t particularly common you’ll need to have the right cable with you — making the carrying case more of a necessity than a nicety. 
    When it’s unplugged, all the data is automatically encrypted using AES-XTS 256-bit hardware encryption (make sure any data transfers are finished first). The user PIN to unlock the drive to use it like a normal SSD can be seven to 15 digits long; the system blocks simple repeats and sequential PINs and having letters on the number keypad means you can use a passphrase that’s easier to remember than a string of numbers (we’d suggest avoiding the easily guessed suggestions in the manual though). Even so, there’s a polymer coating so the keys don’t wear down and give attackers a hint. 
    There’s a wide range of admin features, from enforcing the length of user PINs (and whether to require special characters that use the Shift key) to setting how long the drive stays unlocked when it’s not in active use (the default timeout is short enough to annoy most users). 

    Both admins and users can flip the drive into read-only mode — and if that’s set by an admin, users can’t change it, so you can use this for distributing content without worrying that it will be accidentally deleted, infected by malware or otherwise tampered with. 
    If the user PIN is typed in wrong ten times in a row, it’s automatically deleted, so you can set one-time user recovery PINs to let people regain access to their data. All the previous diskAshur features are still there, like the choice of a device reset or a self-destruct PIN that deletes the data, encryption key and PINs so you can re-issue a previously used drive to another employee and ensure data deletion. 
    But configuring those, or even creating user PINs, still requires a fiddly sequence of pressing various combinations of shift and lock keys on the device with various digits and watching the three-colour LEDs blink or turn solid in patterns that few people are going to bother memorising. Even unlocking the drive as a user means pressing two keys, typing in the PIN, pressing another key and then watching the green and blue LEDs flash for a few seconds. 
    Even with the limitations of a numeric keyboard, we continue to find this unnecessarily complex and it’s the most annoying aspect of iStorage’s otherwise useful products. 

    Top: moderate performance when copying a 12GB selection of files. Above: better results when handling large sequential files.
    Images: Mary Branscombe / ZDNet
    With a USB 3.2 Gen 1 connection, the M2 can theoretically deliver 370MB/s read and write speeds, although the encryption can slow that down. Copying a 12GB selection of files showed rather variable performance that didn’t get close to the theoretical maximum, but delivered similar write speeds to a USB 3.0 flash drive (for comparison we used a Kingston DataTraveler Ultimate 3.0 Generation 2). CrystalDiskMark showed closer to the theoretical speed with large sequential files. 
    But in use, disk performance isn’t going to slow you down — although the drive settings might. The short timeout limit meant that both the benchmarks and the large file copy initially failed and required a Windows drive repair, with the drive light activity staying on even after the drive had disappeared from Windows Explorer. We found our test unit would lock after a few minutes even after we extended the timeout to the maximum 99 minutes, which was equally annoying. 
    You’re also paying for the security, with prices starting at £155 for the 120GB version; we looked at the £515 2TB model. 

    The diskAshur M2 offers a welcome combination of features from iStorage’s previous SSD and USB stick models: the one-time PIN from earlier diskAshur models and the protective cover from datAshur. It’s also smaller, neater and more rugged than earlier offerings. But the interface continues to be opaque and occasionally frustrating, so build in time for training and user support.