Data remains on USB and Solid-State Hard Drives (SSDs) even after Secure Erase

New research shows that the secure erase programs used to wipe sensitive data from standard hard drives do not completely erase solid-state drives (SSDs) and USB thumb drives. As much as 75 percent of the data could remain after a successful secure wipe.

SSD drives are being used more frequently now, especially as boot drives in laptops, because of their high speeds. But it looks like raw speed is not the only difference between them and standard hard drives.

According to The Register, the difference lies in the way that SSD and USB flash drives function. Unlike standard hard drives, which store a file in a single location, flash drives can keep multiple copies of the file and simply point to the latest version:

The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change.

According to scientists at the University of California at San Diego, different wiping techniques left varying levels of information behind. Up to 67% of data remained when using Mac OS X’s secure wipe. Up to 58% of data was recoverable when using the British HMG IS5 method. Pseudorandom wipes were the worst: up to 75% of wiped data was recoverable.

When you run a secure wipe on a hard drive, the program writes over the existing data to make sure it is unrecoverable. Random binary 0’s and 1’s are written over the existing ones, sometimes numerous times. This works very well on a magnetic disk because the data is located in only one area of the drive. Because an SSD can hold copies of the data in several areas, only the active copy is overwritten; the other copies may go untouched and remain fully recoverable.
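To make the point above concrete, here is an added toy model of a flash translation layer (written for this page; it is not code from the article or from the UCSD research). It assumes the simplest out-of-place write policy: every write goes to a fresh page and the old page is merely orphaned, so an overwrite-based wipe addressed by LBA never touches the earlier copies.

```python
# Added example, not from the article: a toy flash translation layer (FTL) that
# shows why an overwrite-based "secure wipe" leaves stale copies on an SSD.
# Constructed model: writes are never in place. Each write to a logical block
# address (LBA) lands on a fresh physical page and the LBA map is updated; the
# previous page is only orphaned, not erased, until garbage collection runs.
from typing import Optional


class ToyFTL:
    def __init__(self, physical_pages: int) -> None:
        self.pages: list = [None] * physical_pages  # raw flash (None = erased)
        self.lba_map: dict = {}                      # LBA -> current physical page
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        """Out-of-place write: new page, remap the LBA, leave the old page alone."""
        if self.next_free >= len(self.pages):
            raise RuntimeError("out of flash pages")
        self.pages[self.next_free] = data
        self.lba_map[lba] = self.next_free
        self.next_free += 1

    def read(self, lba: int) -> Optional[bytes]:
        """What the host OS sees: the page the LBA map currently points to."""
        page = self.lba_map.get(lba)
        return None if page is None else self.pages[page]

    def stale_copies(self, data: bytes) -> int:
        """Forensic view: raw pages still holding `data` that no LBA points to."""
        live = set(self.lba_map.values())
        return sum(1 for i, p in enumerate(self.pages) if p == data and i not in live)


def overwrite_wipe(ftl: ToyFTL, lba: int, passes: int = 3) -> None:
    """Host-side 'secure wipe': overwrite the LBA several times with fill bytes.
    On a magnetic disk this replaces the data in place; here it only adds pages."""
    for n in range(passes):
        ftl.write(lba, bytes([n]) * 4)


def demo(edits: int = 4) -> tuple:
    """Write a secret, edit it a few times, wipe its LBA, then inspect raw flash.
    Returns (what the OS reads back, number of stale raw copies of the secret)."""
    ftl = ToyFTL(physical_pages=32)
    secret = b"KEY!"
    for _ in range(edits):            # each edit is another out-of-place write
        ftl.write(lba=7, data=secret)
    overwrite_wipe(ftl, lba=7)
    return ftl.read(7), ftl.stale_copies(secret)
```

Reading LBA 7 after the wipe returns only the fill pattern, while every earlier copy of the secret is still sitting in raw flash, which is exactly the gap a chip-level reader exploits and why the article points to drive-level encryption as the safer option.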

The scientists used a $1,000 device to recover the data, but a DIY version could be made for about $200. According to the article, SSD drives that store information in an encrypted form are much safer to use. This is something for companies to keep in mind when they go to use and discard SSD drives that contain critical data.

I am sure that now that the need for an SSD secure erase program has surfaced, we will see several in the near future.

Caught in the Hack! Network Security Monitoring vs Backtrack Autopwn

This will be the first in a series of articles analyzing attacks used against networks and what can be done to catch them.

For this part of the series I will be using three machines – a target machine, an attacker system and a third computer running the Network Security Monitoring (NSM) Security Onion Live CD. The NSM machine is connected to the target machine via a mirrored port (DualComm’s DCSW-1005PT) so all incoming attacks can be monitored in real time.

This article is for informational use only. Do not attempt anything found in these articles on any network or computer system without written permission from the owners. Doing so could get you into trouble and you may end up in jail. 

For quite a while now, I have wanted to write some articles about NSM. Today, I finally set everything up and ran some tests. The first test I wanted to run was to pit the ever popular BackTrack 4 R2 Fast-Track “Autopwn” program against NSM and see what would happen.

Autopwn is a great program for new users to try their hand at penetration testing. Autopwn basically does all the work for you. All you need to tell the program is what you want to attack, and the program does the rest.

The program runs nmap and looks for open ports. It then uses that information to create a tailored attack against the target system using Metasploit. Quick, simple and easy.

You boot up your Backtrack 4 system, start networking, go to the Backtrack menu, select “penetration” menu, “Fast-Track” and finally “Fast-Track Interactive”.

You should have a screen that looks like this:


Just run the updates (option #1), then run Autopwn (option #2). Provide it with a single IP address or a range of addresses that you want to attack, then the kind of payload shell you want. I always pick “reverse” – connect back to me. That’s it. The program then automatically attacks the systems and tries to open a reverse shell back to the attacker.

Wow, pretty impressive, but what can be done to detect this type of attack? Well, while this attack was running against my target machine, my NSM system monitored every packet coming into the target through the mirrored port. The NSM system runs Snort, which detects intrusion attempts and displays the alerts in the network security analyst console Sguil.

The result? Sguil lit up like a Christmas tree. See the Sguil interface screenshot below:

The alerts are color coded for severity and list the source, i.e. the attacker’s IP address. You can click on each alert to find out more about it, or view the actual packets involved in the alert in Wireshark.

So even though this attack was not noticed on the target machine itself, my NSM machine captured the whole event as it happened, in real time.
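As an added illustration (not from the article, and not part of Security Onion or Sguil), the small script below reads Snort alerts in its “fast” output format and rolls them up per source address the way an analyst reads the Sguil screen: worst priority, which ports on the target were touched, and whether a scan alert was later followed by an exploit alert, which is the nmap-then-Metasploit sequence Autopwn produces. The sample alert lines, rule SIDs and addresses are constructed for the example.

```python
# Added example, not from the article: summarize Snort "fast" alert lines per
# attacking source, roughly what the Sguil console shows (severity, source IP,
# what was hit). The sample alerts are constructed: SIDs are in the local-rule
# range and the addresses are private test addresses.
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\](?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: a scan of three ports, then an exploit attempt against 445,
# from one source; unrelated ICMP noise from another.
SAMPLE_ALERTS = """\
02/14-10:02:11.100000  [**] [1:1000001:1] LOCAL SCAN nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40101 -> 192.168.1.10:135
02/14-10:02:11.300000  [**] [1:1000001:1] LOCAL SCAN nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40102 -> 192.168.1.10:139
02/14-10:02:11.500000  [**] [1:1000001:1] LOCAL SCAN nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40103 -> 192.168.1.10:445
02/14-10:03:40.000000  [**] [1:1000002:1] LOCAL EXPLOIT SMB overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:40250 -> 192.168.1.10:445
02/14-10:05:02.000000  [**] [1:1000003:1] LOCAL POLICY ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.10
"""


def parse_alerts(text: str) -> list:
    """Parse fast-format lines; anything that is not an alert line is skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def summarize_by_source(alerts: list) -> dict:
    """Per source IP: alert count, most severe priority (1 is worst), distinct
    target ports, and whether a scan alert was later followed by an exploit
    alert, the two-stage pattern the Autopwn run above produces."""
    acc = defaultdict(lambda: {"count": 0, "priority": 99, "ports": set(),
                               "seen_scan": False, "scan_then_exploit": False})
    for a in alerts:                          # fast-format lines are time-ordered
        s = acc[a["src"]]
        s["count"] += 1
        s["priority"] = min(s["priority"], int(a["prio"]))
        if a["dport"] is not None:            # ICMP alerts carry no ports
            s["ports"].add(int(a["dport"]))
        msg = a["msg"].upper()
        if "SCAN" in msg:
            s["seen_scan"] = True
        elif "EXPLOIT" in msg and s["seen_scan"]:
            s["scan_then_exploit"] = True
    return {ip: {k: sorted(v) if k == "ports" else v
                 for k, v in s.items() if k != "seen_scan"} for ip, s in acc.items()}
```

Feeding it a real Snort alert file from the sensor gives the same per-attacker view, and the scan_then_exploit flag is the cue to pull the matching packets into Wireshark.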

Okay, we have a readout displaying that an attack occurred, which is nice to have, but how do we stop this type of attack?

Autopwn uses the standard exploits in Metasploit. The best defense in this case is to keep your machine and software patched and updated. Also make sure that your firewall is on. If you do, the attacker should see the screen below on his BackTrack system:

No Active Sessions. That’s a good thing for us; it means that none of the exploits worked and the attack was unsuccessful!

And with Sguil and NSM, we also have an electronic packet trail of the attack and his source IP!


Cyber Weapon capable of taking down the entire Internet?

It seems to be standard procedure now in some countries to shut down the internet when there is political unrest. But what if a cyberweapon was capable of taking the entire internet offline?

The key would be to perform a crafted attack against internet routers running the Border Gateway Protocol (BGP). According to Max Schuchard at the University of Minnesota, overloading the BGP routers could in effect shut down the internet. Schuchard presented his findings at the Network and Distributed System Security Symposium in San Diego, California last week.

In normal operation, BGP helps keep the internet up and running. If a router goes down, neighbouring routers update their routes around the missing link. But if these routers are attacked on purpose and flooded with updates, it could put the internet into a state from which it could not recover. An article in New Scientist explains how this would work:

An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.

The attack could theoretically be done with a botnet of 250,000 machines and would put the internet out of commission for days. Each router would need to be physically rebooted to clear the logjam.

Though it is highly unlikely that this would ever happen, New Scientist goes on to explain a slightly more plausible scenario for a nation under cyber attack:

An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation’s internal network.

There currently isn’t a fix for BGP vulnerabilities, and China has already used this to its advantage. Last April, China diverted about 15% of the world’s internet traffic through its routers. It did this by telling the world’s internet service providers that it had the fastest routers. So, with everyone always looking for the fastest path, for about 18 minutes a huge amount of internet traffic was sent through Chinese routers. This included US government and military traffic.

If the world is going to depend on BGP for ensuring the security of the internet, changes need to be made, and quickly.

Hacker Group Anonymous claims to have Stuxnet

The hacker group Anonymous, known for its involvement in the Wikileaks DDoS attacks, now claims to have access to Stuxnet. Stuxnet was used to attack Iranian nuclear plants and has been called the first true cyber weapon.

Apparently the hi-tech virus, or information about it, was obtained by the group after they hacked the security company HBGary Federal. The security company had been tracking down leaders of Anonymous and was preparing to release their names at an upcoming security conference.

It looks like they social engineered their way into Rootkit.com, a site run by Greg Hoglund, co-founder of HBGary. They next got access to a tech support server used by HBGary, compromised an insecure web server, and then obtained credentials to the e-mail system. They used these credentials to siphon about 50,000 company e-mails and then posted them to a public torrent site.

Apparently the data stolen by Anonymous contained part of the Stuxnet code.

So what will they do with Stuxnet? No one knows for sure, but some think that they may try to use it against Iran. Anonymous has released a video on YouTube stating their support for the Iranian opposition. What they could actually do against Iran is unclear, as security researchers report that the crucial code needed to attack the Iranian nuclear plants was not obtained in the Anonymous hack.

The Stuxnet code appears to be so fine-tuned to take out the Iranian plant that it is hard to tell whether it could be modified for any other purpose.

Time will tell what comes next, but it would appear that Anonymous has taken a much more aggressive path.