All posts by Grit City Security

An InfoSec student graduating with a BAS in March, 2019. CCDC participant. Hopeful pen tester.

Consumer DevicesVulnerabilities

Don’t-Link – Consumer-grade Appliances Strike Again

Consumer Devices – Sad.

Shopping. You like shopping, I like shopping, sites like Wirecutter and DudeIWantThat exist solely to facilitate shopping. There are few things more satisfying than peeling that protective plastic layer off of a new piece of tech gear, plugging it in and being treated to a fantastic blinkenlight show. We’re all guilty of making impulse purchases, replacing things that haven’t worn out or gone out of fashion. But what about that dusty modem / access point in the corner of the entertainment unit?

ArsTechnica reports on a new wave of attacks targeting vulnerabilities discovered in D-Link’s modem/router combination devices that allow attackers to alter DNS settings. An attacker can modify DNS entries and send users to malicious sites. In effect, it’s like having a 100% successful phishing campaign that’s invisible to the targeted users.

When initially detected, attackers were targeting Brazilian users of Banco de Brasil and Unibanco. In the former’s case, the legitimate site can be accessed via HTTP and therefore lacked means to verify the authenticity of the site. The latter bank’s redirect target was an empty landing page, indicating that the attackers hadn’t yet set up the spoofed site. Both malicious DNS servers were taken down shortly after being reported.

An interesting side effect of the attack is that, since the malicious DNS servers are offline, users with infected DLink devices won’t be able to resolve any addresses. It’s unclear if simply rebooting the affected devices will clear the malicious settings and prompt the router to pull fresh a fresh DNS server list from the ISP. Consumer internet-facing appliances like modems, routers and IoT devices are juicy targets for attackers because they are often poorly configured and are rarely patched when vulnerabilities are discovered.

 

Why Does This Happen?

There is a huge difference between the consumer device market and the enterprise sector. Consumers want things to be cheap, shiny and easy. They buy networking gear, get it running and that’s the last time it’s touched until the internet goes down or it’s time to replace the unit. Uneducated consumers don’t consider the implications of an unpatched, unconfigured core network device in their home. They should.

You, me and forward-thinking enterprises know something the general consumer doesn’t: we have things that are worth money to attackers. That could be PII, financial information, compute resources, intellectual property… the list goes on and on. Just thinking about your attack surface and the long list of desirables on your network is enough to make you sound like the local tinfoil hat guy at family dinners.

Enterprise gear is designed for performance, to be highly configurable and, most important, is supported with software updates. A big part of why enterprise-grade equipment is so expensive is the long chain of support from customer service reps all the way to engineers generating code and designing hardware. This seems pointless to the average consumer, until it’s too late – their router (the all-in-one network defender) has been compromised, now working as a double-agent and sending financial information to unknown attackers across the internet. Fortunately, there are some companies that span the divide between the consumer and enterprise segments. That’s where you’ll find products that are robust, easy to use and kept up to date with patches.

 

What do I do?

The internet is the magic fabric that enables global commerce, provides entertainment and delivers the world’s knowledge to our fingertips. We have to be able to trust devices on our home networks to help keep us safe. To do this, we must take a couple of simple steps to stay informed, proactively seek updates and make good purchasing decisions.

You have to check for updates and make good configuration choices. This means logging on to your modem / router / firewall and (1) checking for updates periodically, (2) Turning off services like UPnP, WPS and WAN management and (3) changing the password to a non-dictionary or easily-guessable value. That’s it. It sounds like tedious SysAdmin work but this will take you about 20 minutes to do the first time around.

Make good choices. Some companies like DLink, Linksys and Netgear (not an exhaustive list) drop support for their products after a couple of years. Save yourself some heartache and look at companies like Netgate (SG-1000 and SG-3000) and Ubiquiti (UniFi Security Gateway) for consumer-friendly offerings that won’t break the bank. These companies (also not an exhaustive list) make fantastic enterprise-grade gear and you can count on support and software updates for years to come.

Stay informed. Subscribe to a blog like Bleeping Computer or set up a Google Alert for your router’s model number and the word “vulnerability”. The best way to protect yourself on the internet’s mean streets is to be aware of your attack surface. If your device is vulnerable and hasn’t been patched in years (such as the DLink devices in this article), it’s time to replace it with a newer, younger, better-supported model.

If I learned anything from G.I. Joe:
knowing-is-half-the-battle

 

 

Blogs

Safe harbor is the best harbor

Disclose.io

arsTechnica published an article about Disclose.io, a site promoting an open source approach to creating standard policies for companies that protect security researchers and encourage responsible disclosure. This is a response to the technology sector’s current state, where every company has a unique policy (or in many cases, no policy) defining a process where researchers can submit their findings and be guaranteed protection from legal action. This policy minefield puts a damper on research and reporting of new vulnerabilities.

Disclose.io
Source: disclose.io

A study commissioned by the Center for Democracy & Technology (CDT) found that security researchers are often hesitant to report their findings for fear of legal action. This creates a chilling effect in the research community and harms overall security by preventing responsible handling of vulnerabilities. Think about this: If you’re a white hat hacker, who do you target for research? Company A with a clearly-defined vulnerability disclosure policy or Company B that takes legal action against researchers?

Of the researchers we interviewed, few reported receiving threats related to a disclosure, either veiled or explicit. The researcher reporting the greatest number of threats often serves as a disclosure intermediary for other researchers. This subject reported that many of the researchers for whom the subject had performed a notification or disclosure did not want to notify the company themselves because of the risk they associated with notification. Other interview subjects reported being pressured by companies to keep quiet or to sign non-disclosure agreements (NDAs).
– Page 12 of the “Risk Basis for Security Research” report.

What is responsible disclosure?

Responsible disclosure is one of several models of releasing security vulnerability research. The key differentiator in the Responsible Disclosure model is that the information is made public only after a period of time has passed and a patch has been released to the public. This model allows researchers to contribute to the greater good while companies have time to develop, test and deploy patches to protect customers. Researchers still receive credit and, in many cases, financial rewards. The SANS Institute InfoSec Reading Room has an excellent paper on Responsible Disclosure and touches on other models.

Why we need standards:

Malicious hackers are examining products as intensely as white-hats – perhaps even more so as there is a huge financial incentive to develop and weaponize vulnerabilities. These weaponized exploits are incorporated into attack tools available for free or at a moderate price on the dark web. Malware as a service (MaaS) is an extension of the shift to cloud-oriented and subscription-based models and is making sophisticated attack tools more accessible to would-be attackers.

Companies that don’t create a safe harbor for security researchers are only hurting themselves and their users. Policies that promote research, give legal protection and outline financial incentives attract ethical people. These researchers act like an extension of a company’s own security and QA resources. By protecting and enabling research the company will be made aware of vulnerabilities before they are discovered and used for malicious purposes. This allows companies to protect their users and avoid significant fines and loss of goodwill.

Companies with no safe harbor policy reap none of the benefits of this supplemental security blanket. Ethical researchers will avoid companies that stifle research and target responsible disclosures with legal action. As white hats avoid these companies, black hats will be attracted to products that aren’t being evaluated for vulnerabilities. Ironically, these vulnerabilities will cost the company many times what an incentive-based, safe harbor policy would. Now that GDPR is enforced, a company can face up to a 4% of Annual Global Turnover fine (or €20 Million, whichever is greater) for violating data privacy regulations.

All companies, whether the product is hardware and software or they’re used to support business operations, has a stake in the effort to promote responsible disclosure of vulnerabilities. Vulnerabilities will continue to be discovered and weaponized, putting users’ privacy at risk and costing companies millions of dollars in lost revenue and remediation. Vaccines are so effective because they create herd immunity. Like a vaccine, the more research directed at technology products the safer we will all be.

2fcibmMugatu knows a trend when he sees one.

Wireless

Bluetooth: King Harald’s Revenge

From avoiding awkward bus conversations to tether-less keyboards, Bluetooth is the magic sauce that frees us from the draconian bondage of wired peripherals. Who among us has not been enjoying some gnarly tunes and experienced the moment the music died when your headphone cord caught on a doorknob? That irrational split-second of rage followed by overwhelming concern that your beloved cans have been irreparably damaged (quality cans are user-serviceable, come at me audiophiles) is quickly becoming an experience of the past. Bluetooth, having come of age, has shown us the way of the future. It is good and wire-free. Unfortunately, as with many protocols that have grown up along with maturing cryptographic schemes and increasingly-sophisticated attacks (looking at you, DNS), a fundamental weakness in the protocol’s design has been uncovered – and published.

Professor Eli Biham and graduate Student Lior Neumann, at Technion’s Hiroshi Fujuwara Cyber Security Research Center & Computer Science Department at the Israel Institute of Technology, published their paper detailing an attack on the Bluetooth protocol last week. The Fixed Coordinate Invalid Curve attack targets the key exchange process when two devices are paired, giving attackers a privileged position in the chain of communication.

“The technology we developed reveals the encryption key shared by the devices and allows us, or a third device, to join the conversation. We can eavesdrop on or sabotage a conversation. As long as we do not actively participate, the user has no way of knowing that there is a third party listening in.”
– Prof. Biham, quoted in the paper’s press release.

A little history:

Bluetooth was developed as a wireless alternative to RS-232 in 1994 by Jaap Haartsen, an electrical engineer working for Ericsson. The standard uses the 2.4-2.485ghz wireless spectrum range for communication and can form peer-to-peer connections, piconets and personal area networks (PANs). Today, the Bluetooth Special Interest Group (SIG) manages development of the protocol and defines the standards manufacturers must meet to sell products as a “Bluetooth” device. What began as a low-bandwidth, limited protocol has blossomed into a well-rounded and indispensable technology.

Did I mention encryption? Bluetooth supports two security modes and four security levels. These can be mixed-and-matched by manufacturers to achieve a desired level of security. Check out Duo Security’s excellent article, “Understanding Bluetooth Security”, which takes a deep dive into the structure and implications of these options.

Bluetooth-acquired-its-name-from-the-second-ruler-of-Denmark-King-Harald-Bluetooth.
Fun fact: Bluetooth was named after 10th century Scandinavian king Harald Bluetooth, famed for uniting the Danish tribes under one banner. The Bluetooth logo is a combination of the Younger Futhark runes Hagall and Bjarkan (the famed king’s initials). Pretty metal, right?
Source: SeriousFacts.com

Wait, didn’t I read about a serious Bluetooth vulnerability a while ago?

Yes, yes you did. In April 2017 security firm Armis discovered BlueBorne, a collection of vulnerabilities in the Bluetooth implementation in Windows, Linux, iOS and Android. This attack was serious business – just about every device with Bluetooth was vulnerable (estimated at 8.2 billion devices by Armis). Exploiting these vulnerabilities allowed attackers to connect to devices and systems without authentication, even if the target device was not already paired with the attacker’s or in a discoverable state. This bypass of security measures gave attackers to have full control over compromised devices.

Armis worked with affected companies to produce patches before publishing their research, as did Biham and Neumann. Responsible disclosure practices help keep users safe while allowing security researchers to receive credit where it’s due. Discovering and documenting vulnerabilities often represents a massive investment in time, resources and passion. Researchers deserve to be recognized for their contributions – by finding and responsibly disclosing vulnerabilities they greatly reduce the potential for damage.

A number of Bluetooth vulnerabilities have been discovered over the years. Some have been addressed with OS patches, others with improvements to the protocol. Consider this: if you have a device that’s unsupported or hasn’t been updated since mid-2017, you’re vulnerable to BlueBorne attack as well as the new Fixed Coordinate Invalid Curve attack.

IMG_0086

Skwisgaar Skwigelf isn’t a a fan of Bluetooth, vulnerabilities or mediocre playing of the guitars.

How the Fixed Coordinate Invalid Curve works:

When devices are paired they use elliptic curve cryptography (Diffie-Hellman protocol) to secure the exchange of Bluetooth’s encryption keys. Each device generates a public DH key pair. These public keys are exchanged and used to generate the session key, which is used protect the Bluetooth traffic. This initial DH key exchange where the attacker must intervene.

The FCIC attack exploits a flaw in the way that devices validate solutions for the elliptic curve mathematical equation. Unpatched Bluetooth implementations don’t do a great job with this and allow an attacker to set a solution for the math problem that falls outside the curve. This attack has a success rate of 50% for pairing attempts.

With this vulnerability, the attacker is able to force devices to use a pre-determined key rather than one that was randomly-generated. Since the attacker knows the encryption key in use they can eavesdrop on data in a passive attack or issue commands and manipulate information in an active attack.

“In both cases, our attack recovers the session encryption key on success, while on failure our attack causes a denial of service.”
– Section 1.4  of Biham and Neumann’s research paper

In a successful attack, the attacker’s presence is undetectable as long as they’re only listening in on the conversation. In an unsuccessful attack the user would see the standard behavior presented by their device when pairing fails. This behavior is dependent on the software implementation in use. Android and iOS, for example, will have similar but distinct UI responses. We’ve all had this happen as users – you grumble about technology and move through the prompts to restart the pairing process. This presents the attacker with another opportunity to manipulate the conversation.

The fix for this vulnerability requires that the device verify the elliptic curve key being used is a valid solution (that it falls on the curve). If the key doesn’t fit, the devices will use a different key that does. The attacker won’t know the key being used and can’t eavesdrop on the conversation.

What you can do:

Fortunately, the mitigation for this attack is very straightforward: only one of the paired devices must be patched. For example, updating your smartphone protects the connection between it and a speaker or headset.

 Take inventory of devices and software. Knowing what you have is the first step in mitigating the threat this vulnerability poses. This process isn’t limited to enterprise environments – take a look around and think about the devices paired with your phone, tablet, computer… it’s likely a longer list than you thought and you’ll probably find a few surprises.

Update your software. For consumers, there is NO REASON to postpone updating your devices for more than a week. Bugs in patches will be found and fixed quickly. If you’re a company, being more cautious is prudent as IT services support the departments generating revenue. No computers, no money. No matter who you are, always ensure that your critical data is backed up before applying patches.

Leave computing devices that can’t be updated in the dust. The key here is to make sure at least one of the paired devices is patched. There’s no need to dump your beloved old Bluetooth speaker as long as the device it’s connected to is up to date. But if that Android tablet is stuck on KitKat and will never see an update, it’s time to:

letitgo

BlogsIoT

Amok IoT

Armis Security, the firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol in 2017, released a blog analyzing IoT device susceptibility to DNS rebinding attacks. The bad news: nearly half a billion devices are vulnerable. Worse: Patches are unlikely to be developed. Worse still: Most of these IoT devices are treated like appliances and aren’t touched until they fail.

What is a DNS rebinding attack?

A DNS rebinding attack occurs when an attacker manipulates the DNS trust model to their advantage. When a user visits a website under the attacker’s control (usually through phishing emails or instant messages), the user’s browser is fed malicious code. This code issues HTTP requests that, manipulated through DNS rebinding, direct queries to addresses on the user’s local network. The attacker can use the victim’s browser as a proxy to communicate with the private network, enumerate devices and send commands.

IoT devices see commands coming from the victim’s computer on the local network and will allow access to management pages. The attacker gains access to these devices by using default passwords and exploiting vulnerabilities in software. Once the attacker has control of the device they can initiate connections outside the network, bypassing NAT and common firewall security measures. These compromised devices can be used to attack laterally on the network.

Armis has a great, short video on YouTube explaining the flow of the attack:

An attacker got into my IP camera… so what?

With a foothold on the network and persistence established in multiple locations, the attacker can do just about anything they want on the network. IoT devices are treated like appliances but are actually low-power Linux boxes attached to cameras, microphones, door locks, kitchen appliances… and your network. The same network your file server with your engineering files and financial data.

A short list of possibilities:

  1. Add members to a botnet. Your dozens of IoT devices may have low power but can still push packets out and amplification attacks help them punch above their weight as part of a DDoS attack.
  2. Hijack devices to perform reconnaissance. Security cameras and smart locks are designed to make you more secure but can only so when under your control. An attacker could hijack security feeds to establish employee patterns and support more damaging attacks. For example, consider this: when does your company take deposits to the bank? When does the IT staff knock off for a long weekend? Can your PTZ camera zoom close enough to see access codes entered into a keypad?
  3. Pivot to other network devices. A compromised device on the network can be used to attack servers that are protected from internet traffic. Yes, access to that crusty Accounting Department box running Server 2003 is forbidden from the internet but what about the SMB shares for reports?

That’s bad but I would literally die without my IoT. What do I do?

There are a few relatively simple steps that can be taken to vastly improve the state of IoT security on your network. We know that these devices aren’t updated regularly (if ever) and we know they often aren’t actively managed or monitored.

  1. Monitor egress traffic and apply rules to prevent unintended outbound communication. If an IoT device is compromised through a DNS rebinding attack but outbound communication is blocked at the network edge you’ve prevented your device from being a productive botnet member. By monitoring egress logs you would see connection attempts and be able to respond to the compromised device.
  1. Isolate IoT devices on their own network segment, virtually or physically. By implementing VLANs and restricting access between networks you can limit the damage a compromised IoT device can do. Blocking lateral movement will help protect assets that may be vulnerable to attacks from the local network. For anyone who played the “I’m not touching you” game in the back of the family minivan the answer is clear: Captain’s Chairs for your network.
  1. Monitor IoT devices, keep them up to date and don’t buy the cheapest solution. In IoT, you get what you pay for. Those no-name cameras offer a low entry cost but don’t include the support you receive from established, market-leading companies. Your upfront savings will be obliterated in the face of lost IP, stolen PII, bandwidth consumed and IT staff hours spent remediating the problem. You must also keep tabs on your IoT devices: is anyone reviewing the camera footage? Is one camera angling for a better shot of the back office housing the safe? What about the server room?

Takeaway

IoT promises so much – convenience, security, intelligent devices. Unfortunately, they can’t – and shouldn’t – be trusted on the same network as the servers that house your critical files or the workstations your users depend on to get work done. Think about the smartphone revolution… it’s 2018 and most mobile devices are supported for a few years at best. What’s the refresh cycle on your security cameras?

Taking a few simple architectural steps at the network level, monitoring network egress traffic, locking down outbound communication and checking in on IoT devices regularly can vastly improve the security posture of your network and limit damage caused by compromised devices. The IoT industry will mature over time and standards for patching and security will emerge. Until then, Trust No One.

66423055

BlogsRemote Access

RDP? Yeah, you know me.

A recent McAfee Advanced Threat Research team blog post discusses the world of dark web RDP shops – sites specializing in the sale of access to machines via Microsoft’s Remote Desktop Protocol. There are many things for sale on the dark web, from novelty MDMA pills to stolen drone documents. While illegal products and classified information are concerning, sites selling remote access to systems poses an exigent threat to public safety.

trumpx3

Image source: IBTimes

What is RDP?

Remote Desktop Protocol is a proprietary protocol developed by Microsoft to allow users to connect to a remote machine through a GUI. The connection supports transfer of video, audio, clipboard data, printer data and keyboard & mouse traffic. RDP can be configured to encrypt traffic with RSA’s RC4 cipher with a 56 or 128-bit key. Remote Desktop is an invaluable tool for administrators and remote workers but presents a serious security risk when configured with weak credentials and left exposed to the internet.

So, what’s the appeal for threat actors?

Imagine that you’re trying to break into a bank vault. You spent months carefully digging a tunnel from the basement of the dilapidated theater across the street. You’ve assembled a highly-skilled crew: femme-fatale safe cracker, Vegas-native security system specialist, the best conman in the tri-state area and some muscle in case things go south. Months of planning and thousands of dollars have been spent pulling off this heist and acquiring specialized tools. Your tunnel finally intersects the bank’s vault room. Heart pounding, you carefully cut your way through the reinforced concrete and, at long last, face your ultimate challenge – the grey, implacable face of the best vault money can buy.

The elevator dings behind you. Your crew spins around in unison, now-sweaty palms gripping the stippled texture of their weapons. You shout, “Who’s there?” with an adrenaline-fueled voice over the barrel of your pistol.

“Hey guys, chill. It’s me, Donnie, the getaway driver. Remember me?” Donnie steps out of the elevator, arms raised, a set of keys in one hand and a Post-It note in the other. “I was sitting in the car and saw the manager taking off. He left his keys in the door and there’s this thing on the keyring that turns the alarm off.”

“Like a car alarm, right? Then I checked out his office and found this.” Donnie hands the note over. It reads, “Vault Code – 3389”.

You punch the code in, the vault opens like you own the place. Everyone gets paid, but you can’t help but think about the money you could have saved with an easy way in. And next time you’ll try Donnie’s approach.

That’s what having RDP secured with weak credentials and exposed to the internet is like. Someone with a low level of technical skill can breach your security totally with minimal effort.

Malicious hackers benefit from using RDP as it avoids needing to employ specialized tools. Why bother with creating a spear phishing campaign, hoping you get some poor soul to open an attachment and waiting for that malware payload to successfully connect to your C&C when you can easily (and cheaply) purchase direct access to a system?

dd693bc54cbeac15669b30584335e14b--funny-things-funny-stuff

Does that sound bad? It is.

McAfee researchers examined a fresh Windows Server 2008 R2 entry on sale for $10 at one of the larger remote access shops. For that princely sum, an attacker would gain administrative access to machines controlling security and building automation systems at an international airport in the USA. The team was able to determine the target machine’s full IP address (the last two octets are redacted on the shop site until you’ve paid) by using the Shodan search engine and narrowing results by the city and default RDP port number (3389).

The query returned three results. WHOIS queries on those results determined that they belong to a major international airport. Exploring further, three accounts were available on the Server 2008 R2 machine for RDP connections. The Administrator account was obvious. The other two usernames were determined to be related to two companies that specialize in airport security – one in building automation and the other in video surveillance and analytics. Researchers were also able to determine that the computer was joined to a domain likely related to an inter-terminal passenger transport system. This machine and the available accounts are in a great position on the network to cause major damage and support lateral movement.

Wrap-up

RDP is a great administrative tool and enables remote workers to chill in their adult jammies while cranking out a pivot table. It makes life easy for all, including cyber criminals. Fortunately for you, Defender of the Network, there are a few basic security steps you can take to harden RDP.

Use complex passwords + multi-factor authentication to defend against brute-force attacks. Strong passwords greatly increase the time needed to guess a password and multi-factor authentication provides an additional layer of security for accounts.

Enforce user & IP lockout policies when too many failed connection attempts. This prevents an account from being compromised and maintains the system’s integrity. If a specific account is attacked several times it may give insight into the attack.

Log connection attempts (successes and failures). Logging is important to identifying attacks, identifying the source of attacks and mitigating attacks in progress.

Use a VPN to wrap RDP up in a more secure shell. Don’t expose any machines directly to the internet that don’t have to be. Using a VPN provides stronger encryption as well as an excellent audit trail and nonrepudiation.

Remember: your security doesn’t have to (and can’t) be perfect. In many cases it just has to be better than the next guy down the IP block. Taking simple steps to harden your systems, applying the principle of least privilege to user access and looking at your network’s profile from the WAN side of the firewall are the first steps down the road of remote access security.

Accidental Disclosures

Quit Doxing Yourself, Tips to Sanitize Your Media

“Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners”, by Catalin Cimpanu at BleepingComputer.com drops some unsettling news: two-thirds of used media cards contain personal data – from personal information to nudes.  Researchers from the University of Hertfordshire purchased 100 used memory cards and examined them to see what data was left behind. Of those cards, only a third had been wiped using a tool that overwrote the storage. Another third had been erased but not wiped – data was easy to recover using free utilities. Worst of all, previous owners of the final third had made no attempt to delete their data.

This isn’t the first time a study has shown that data destruction is an often-overlooked detail:
Photocopiers – that’s right, they have hard drives
Arkansas Democratic Party – Official’s friend sold a “dead” drive on eBay

You and I might use dd or the Sysinternals SDelete utility to sanitize our media before disposing of it. Simple – open a terminal window, carefully select (and double, triple-check) that useless 2gb memory card and let the erasing begin. But what can the average user do to prevent accidental disclosure of their sensitive information to Strangers on the Internet?

Data Confidentiality Tips:

Use Full Disk Encryption (FDE) whenever possible.
Modern operating systems have brought FDE to the masses with streamlined, GUI-driven processes and background operation. The performance hit from using encryption has been largely mitigated by AES instructions baked into chipsets and the proliferation of Solid State Drives. One of the biggest benefits to FDE is that it’s largely set-and-forget. If you’re on a train and leave your laptop behind or you put your laptop on eBay, you can rest easy knowing that your data is protected from prying eyes by a strong password (no Password01 or Monkey123 here, folks) and AES encryption. These utilities can also encrypt removable media like USB flash and hard drives.

Windows: Bitlocker
OS X: FileVault
iOS: Filesystem Encryption
Linux: Linux Unified Key Setup (LUKS)
Android: Filesystem Encryption

Securely Wipe Media.
While FDE will protect you in many scenarios, it also relies on the integrity of the encryption algorithm and the strength of your password. Technology and research advance relentlessly and today’s state-of-the-art becomes tomorrow’s 3DES and MD5. Take advantage of these free, user-friendly tools to sleep easy:

Windows: BleachBit
OS X: Disk Utility
iOS: Erase Your Device
Linux: BleachBit
Android: Wipe Your Device

Don’t Sell Your Media – Destroy it.
As a frequent eBay-er, I bargain-hunt new hardware and try to get every penny out of decommissioned parts. But consider this: non-volatile storage media is cheaper than ever before and, more importantly, new parts come with a warranty. Is it worth recouping a few bucks, knowing that your Compact Flash card is out there in someone else’s hands? This Cambridge study on data remanence will make you think twice. The truth is: no matter what you do, there is always a chance that sensitive data remains on storage media. The only solution? Nuke it from orbit, just to be sure. Use your creativity here but stay safe. The goal is to physically destroy the media, like drilling holes through a hard drive or smashing a USB drive with a sledgehammer.

In Summary:

Every computer user can take a few simple steps to protect their data from theft, and accidental disclosure by taking three simple steps:

Step 1: Encrypt your data
Step 2: Sanitize media before disposal
Step 3: Give your media a Viking funeral

8 July 2018 - Media Sanitization and Doxxing YourselfWorth it.