I used to shred all my mail. Now I sell it on eBay as recycled paper.
About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified. These results come this week from a study conducted by the University of Hertfordshire in the UK and commissioned by Comparitech, a …
Niche market, I guess. I've never seen anything like that for sale. They're cheap enough new.
Now if we were talking 1989, then I would have been getting discarded boxes of 5.25" floppies, checking for useful software and reformatting them. Actually that was lots of fun to look at funny resumes and letters to girl friends. Sadly there used to be a considerable number of financial and medical records as well.
I'm sure I remember reading here, many years back, a posting by someone who'd bought a second hand laptop off eBay only to discover the waste basket full of very intimate photos of the previous owner who was rather well known and her public persona was very different to that shown in the pictures on her old laptop.
I thought it was odd.
a) who is stupid enough to sell a stick they've used? If you don't need it anymore, destroy it. They aren't generally worth much anyway.
b) who is stupid enough to buy a stick? It is the same principle as finding a USB stick in the carpark, you don't know where it has been, you don't know if it is malicious (simply infected with a virus the seller didn't know about or someone has hacked the controller itself).
The only, half way, secure way is to buy new, sealed in original packaging sticks from reputable suppliers.
a) who is stupid enough to sell a stick they've used?
It beggars belief, doesn't it?
I rather assumed that any USB stick sold secondhand would be stolen (and that the original owner would not have been in a position to erase it before sale) ... but I suppose some may come from house clearances, and the like.
"The only, half way, secure way is to buy new, sealed in original packaging sticks from reputable suppliers."
I note you say "half way", which is good, because even Amazon now sells fake usb sticks (well, they allow third party suppliers to do so quite openly, and to Joe Bloggs, that's the same thing - after all, it's Amazon you make your payment to.)
There ought to be a law.... (!)
Just one of MANY: https://www.amazon.co.uk/AMAZING-Flash-Drive-Memory-Thumb/dp/B07BCXKZCV/
And fake processors and and and.
They were caught in Germany selling fake Intel Core i3-K processors, they were sending out Core i3-8350K fully packaged and it turned out the packaging was a Pentium 4 chip with a sticker on the top saying Core i3.
They have variously alleged that the supplier supplied the wrong processors or that somebody had bought and returned unopened and it was sent back out (they've been caught a couple of times now).
I'd have thought that in 1989, second hand 5.25" floppies were worth the equivalent (taking into account inflation etc.) as second hand usb drives are now.
Might it just be that now you are earning, the cost is not relatively as high as when in 1989 and you were a kid on pocket money? (I know, I've made a number of assumptions here!)
I can't imagine ever feeling the need to recoup the paltry amount that a second hand drive is worth when I've been finished with it - certainly not one which may have contained sensitive data.
So these stats could also just show that people in the UK are more prone to disposal of their retired drives than resale.
As for the guy with the nude pictures and the contact details - If that was an accident I'll eat my hat.
I used to have a side business recycling second hand machines for resale from the local council recycling centre - the amount of home made porn being produced in central Lancashire and left on discarded PCs is astounding!
The last laptop (an MS Surface) I bought the previous owner had put the copy of their document folder in the bin, but not even emptied it. There was his CV, a scan of his passport, their full photo library, scans and documents related to their mortgage application (nice house), stuff related to their last holiday and internal documents from his girlfriend's business. Pretty well everything you need to make a life sold for a few hundred quid. Wasn't the first time I had seen stuff like that but the most complete.
I thought I could contact them about it (not like I didn't have the details to do so), but what was the point. So I deleted it all and made a note to never be them!
I made wind chimes out of mine........
Couple of holes drilled into the platters (watch out for the glass ones!), strung together with wire from a network cable. Tie them to the PCB and on the other end, tie to the motor as a weight.
Also made a pair of speakers as well
A “single pass doesn’t do it”, this article tells us, and then a little further down that we need a “full, low level format”.
When even the experts are confused, what chance does a consumer stand?
For a flash drive, one full format pass will do it. There’s no “lingering magnetic charge” to worry about. Even with modern hard drives, multiple passes sounds more like voodoo than science. To extract anything from a drive that has been fully formatted once is likely impossible. Used to be that wasn’t the case, but the way we write to spinning rust has changed.
A “low level format” is not so easily achieved with OS tools, though there are utilities for it. All it does for someone over a “full format” is map out bad sectors - that doesn’t make it more secure.
One full format ought to do it, for flash, ssd, and any hard drive manufactured in the somewhat recent past.
Maybe you should try this and its sister tool TestDisk. I have used it to recover data after a format and loss of partitions.
"PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. "
https://www.cgsecurity.org/wiki/PhotoRec
But that is the root problem right? Most use some kind of program that is/ should be trusted to do a proper job. But then again, does it? Are you sure? In the end, nobody knows (apart from the person doing the recovery and finding your nude selfies).
As for me; # dd if=/dev/zero of=/dev/sdX works for me. After that a shiny new partition table and we're good to go. Sure somebody will tell me I'm ignorant (and saw the picture of the new wallpaper in my living room), but hey, it's a start ☺
I usually use recuva to retrieve data from something with a corrupted filesystem.
A 'fast-format' only removes the file tables, so the data is still there. As far as I am aware, this works just as well on SSDs / flash memory as it does on spinning rust.
A full format (writing the same value to every byte on the device) is relatively slow, and should in theory remove all traces of data on SSDs / flash drives. However, it doesn't work quite as well with hard disks. Because physically overwriting the data on a physical disk doesn't write in exactly the same physical position, you can get 'margins' along the side of the tracks where the old values are retained, or echoes, where for instance if the new value for a bit is '1', it may actually be '1.01' if the previous value was also a '1' - the disk controller will read this as a 1, but other techniques may read it as '1, previously 1', etc. Whilst it takes expensive forensic equipment to recover data from these, I believe such a thing is practically possible.
Proper erasure therefore involves overwriting the previous data multiple times, with random bytes, and if you want to be 100% sure, then permanently overwriting it with drill and bucket of bleach.
That exactly. "Edges of the track" is 80s tech. I really don't see that this is a thing any more. Do nation states have tools, ludicrously expensive and big, maybe some kind of magnetic scanner for hard drives, that could do this on modern drives? Your guess is as good as mine. But if your adversary is a nation state, you got bigger issues than drive erasure.
If you can get data back from a modern HDD, or Flash, or SSD, with PhotoRec or a similar software tool, or indeed any kind of hardware tool, after a single pass full format (procedure: Either dd the entire drive with /dev/null, or blow the part table away, create a new partition spanning the entire drive and choose to full format it during creation); and you've done me the courtesy of doing so in a way that a reasonable person would consider "verified, totally, dude", I will donate 50 bucks to the charity of your choice and consider myself put in my place / educated.
I realize that "any kind of hardware tool" makes it more likely I'll donate something somewhere. That'd be worth it to learn about the kind of tools that can do this magic, and what their cost to acquire / use is.
I believe the 'hardware tools' in question do involve disassembly of the drive in a clean room, and application of something more advanced than your standard drive head, or at the very least, replacement of the disk controller to distinguish between that 1.0 and 1.01. I don't think it's nation state level stuff, more specialist forensic crime lab type stuff. You're probably still talking tens or hundreds of thousands of pounds, but I believe the capability exists.
Some work has been done recently into hacking sd card firmware. This is done by legitimate retailers to indicate a drive manufactured as 32gb sd with lots of bad blocks is only 16 gb in size. Miscreants can increase the size. I suspect with similar software tools you could get access to data on bad blocks that would never be presented to the OS for deletion or wiping running standard firmware.
I don't remember where I saw it. But I think the US DOD rules for securely removing all data from a hard drive involved disassembling the drive. Grinding off all the magnetic material from the platters. Then burning the magnetic dust.
And of course you have to do that quickly while the bad guys are boarding your ship/plane/Humvee.
I suspect writing from /dev/zero to an SD will not work 100%. I think this will write zeros to all the good blocks but skip the known bad blocks. You might have to hack the controller to get access to the bad blocks and odd bits will be missing but I think it is normal for SD to have a large percentage of bad blocks so quite a lot of data might be available.
Better to physically destroy SDs if they have ever contained sensitive data.
IIUC, yorick's objection is that 'low level format' is about stuff like cylinders and not really something other than hard drive manufacturers do any more. A full format with erase is what you want, rather than simply replacing the filesystem superblock and leaving the tasty data in place for tools like photorec to rediscover.
Thanks for the mention of testdisk. I found that in the Debian repository and will have a look at the tools and there are lots, as it turns out.
As a longtime Linux desktop user who has decided to learn more about its administration, I've started with "Linux Bible" so I'm running Fedora in VirtualBox on MX Linux, my main distro.
Hey, maybe it is THE YEAR OF THE LINUX DESKTOP! :)
"A “low level format” is not so easily achieved with OS tools, though there are utilities for it. All it does for someone over a “full format” is map out bad sectors - that doesn’t make it more secure."
And that's not exactly a new situation either. Back when I first got an HDD, a 20MB Seagate, only a low level format accessed by using DEBUG G=C800:09 (or something like that) would write to the entire hard disk. FORMAT C: even back then only re-created the root directory and scanned for bad sectors. And yet people today still act surprised when told formatting doesn't wipe the data. I've not tried with an SSD but would not be surprised in the least to find an OS level FORMAT does not write to the entire drive.
Might not, but there are reasons other than security to want it to, I'd think formatting flash should probably perform trim for the allocated area to allow wear-levelling to continue to work properly. (Whether that zeros the data on the device or simply causes the controller to report zero on an attempt to read that area I'll admit to not knowing off-hand. But modern SSD should have a secure erase hardware feature.)
All drives have some spare capacity to cover for wear leveling and fault tolerance. Really good hackers can swap the firmware to access whatever is left sitting in there. It seems that such hackers would be extremely rare but, on the other hand, excellent hackers and researchers might be the only ones who actually buy very old storage devices.
" I thought once they were full you threw them away."
My partner gave her father a digital camera as a present back in the day. A couple of years later, he mentioned that it was great how you could get so many pictures on each 'film', but that the film was terribly expensive.
On investigation we found he had around 100 CF cards in a storage case. He'd copied all the pictures to his PC, but wanted to keep the 'negatives' safe!
He'd even given away CF cards to neighbours so they could print their own photos from them!
EDIT: I know how to spell 'neighbour'. Will someone please explain to El Reg's comment box how to spell it?
>I guess I need to get rid of my old IDE drives, now that I don't own any computers that have the appropriate sockets,
Silly me. Was helping a lady from Church dispose of her old PC's after her husband passed away. Used Darik's Boot N Nuke on most of them. But his oldest PC could only read 5.25" floppies and I didn't have one with me and I'm not sure I could have made one at home even then.
But not wanting to throw out a 20 Meg 5" hard drive (I never had a 5" hard drive) I took it out before taking the PCs to be recycled. Only later when I thought about wiping the hard drive did I realize that I needed the controller card as it was a preIDE drive.
A good erasure tool: dd. For a typical disk, if=/dev/zero. For a disk that you a) want to sell and b) want to be very sure about*, do a zero pass, a random pass, a 1 pass, another random pass, and a final zero pass. Have fun getting through that.
*In reality, a disk that is old enough such that data can be realistically recovered after zero passing it without government-level hardware is probably not worth reselling. A disk that contains data so critical that you are worried that it might still be recovered after the multiple passes I suggested should be physically destroyed.
You would think by now with technology what it is, that when you empty the trash on a Windows machine it would mark the file to be deleted and it would go back as a background process and write random data to at least make a good faith effort that it can't be recovered, it should be the default setting and maybe allow you to change it to x amount of days or something. I use 3rd party stuff to do it now, but it should be included.
Then users of the penguin could just dd to the drive from /dev/zero.
Then along came behind-your-back wear leveling and sector remapping, reserves held back to replace failing sectors and so forth.
An oldie but goodie, I think one can assume it's only become more interesting since, with big SSDs as well. Bunnie and Xobs on what's really in flash devices:
https://www.bunniestudios.com/blog/?p=3554
And now there are even rubber duckies, although at the price, I doubt people are selling them cheap or leaving them around much other than for targeted pen testing.
https://shop.hak5.org/products/usb-rubber-ducky-deluxe
I've been downvoted here before for pointing out that the flaw in USB that has it "believe" a device is what it says it is cannot be fixed and keep back compatibility. I'm still correct about that.
A regular format, despite a wrong statement above, never did much more than erase the "allocated" bits in the filesystem. Maybe if you formatted to a completely different filesystem or did a complete write-read error check, but I've seen some tests that then put the original data back, sector by sector.
"I've been downvoted here before for pointing out that the flaw in USB that has it "believe" a device is what it says it is cannot be fixed and keep back compatibility. I'm still correct about that."
I didn't see this before and am not downvoting, but that point is somewhere between off the path and wrong. USB devices are what they say they are. A malicious device issuing keyboard commands is a keyboard. It needs to be identified as a keyboard in order to do keyboard things. It might be a physical keyboard with keys, a programmable keyboard, a dongle for a wireless keyboard, or a thing that issues key commands for a malicious purpose. In all cases, it is a keyboard. The computer does not err in trusting it when it says it is a keyboard. It errs when it doesn't ask for verification that the user intends to connect a keyboard. Of course, such verification can be difficult if that is the only input device available, so that is a thing to consider when trying to install a more restrictive policy. However, the "flaw" you have identified is a feature of USB that is required for the thing to be universal. The only way to change that is to have separate incompatible ports for each type of device (I'll vote against that).
The operating systems all say that they are going to "reformat the disk" and so the average user is going to think that they have done the right thing. It's way past time for the operating systems to offer an "erase disk" option that actually does what it says it does instead of just clearing the file table.
DBAN.
Mine's the one with the bright red USB pen and neon orange mini-CD both set to "nuke first, ask questions later" automatically without intervention if left in a PC.
EDIT: Drat, seems it was bought and now shills out for some crummy "pro grade" solution...
Looks like I need to keep my original media safer...
EDIT: Drat, seems it was bought and now shills out for some crummy "pro grade" solution...
Looks like I need to keep my original media safer...
Just boot with a Linux liveCD and run the "shred" command against the drive device (/dev/sdX). You can have it run enough passes to duplicate a DoD wipe, works just as well as DBAN.
"did they buy them all from ex-government auctions?"
I'm sorry, but the government does not have any used USB sticks available for sale at present. Because your government cares about your security, it will continue to practice its standard secure disposal policy, and leave them on trains.
Best: Proper physical destruction, choose your favourite method, just be thorough.
next: Any secure erase function built-in, fastest possible overwrite, may overwrite bad "blocks", use hdparm to access it
next: single pass overwrite ones or zeroes or preferably random bits, use dd with random or zero, slower than built-in due to interface bottlenecks
next: overwrite software like dban, blancco, or whatever with one or more passes to meet regulatory requirements including certificate, slow as molasses at the north pole
Format was never meant to erase, only prep for use. The same goes for "Low-level" or "Full" or "Guaranteed complete thorough better than new" format which may or may not overwrite all accessible blocks, it usually is used when there is no existing format or changing to a different format.
Windows cipher command is a good try, but it fails on multiple levels.
Delete, trash, recycle, hide, forget, ignore, store in vegetable drawer, will also not properly dispose of sensitive digital bit patterns.
I like to disassemble and apply a propane or mapp gas torch to the bit holding parts. For the really sensitive stuff I would use a microscanning microplasma torch or microsharks with microlasers.
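Several comments above turn on whether a quick format or a single full overwrite leaves data readable, and on how you would know. The following is an added example, not part of the original thread: it works only on a scratch image file (a constructed stand-in for a drive), uses a constructed marker string as the "sensitive file", and simulates a quick format by rewriting just the first 64 KiB; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: operates on a scratch image file, never on a real /dev node.
set -u

MARKER='CONSTRUCTED-SECRET-passport-scan'   # constructed sample data

# make_image FILE: 1 MiB zero-filled image with the marker stored at offset 512 KiB.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# quick_format FILE: stand-in for a quick format; only the first 64 KiB
# (where file tables would live) is rewritten, the data area is untouched.
quick_format() {
    dd if=/dev/zero of="$1" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# full_overwrite FILE: one zero pass over every byte (size must be a multiple of 1 KiB).
full_overwrite() {
    size=$(( $(wc -c < "$1") ))
    dd if=/dev/zero of="$1" bs=1024 count=$(( size / 1024 )) conv=notrunc 2>/dev/null
}

# marker_present FILE: exit 0 if the marker can still be found by scanning the
# raw bytes, ignoring any file system (the approach file-carving tools take).
marker_present() {
    LC_ALL=C grep -q -F "$MARKER" "$1"
}

# nonzero_bytes FILE: read-back verification; prints how many bytes are not 0x00.
nonzero_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

demo() {
    img=$(mktemp)
    make_image "$img"
    quick_format "$img"
    if marker_present "$img"; then echo "after quick format: marker still readable"; fi
    full_overwrite "$img"
    if ! marker_present "$img"; then echo "after zero pass: marker gone"; fi
    echo "non-zero bytes remaining: $(nonzero_bytes "$img")"
    rm -f "$img"
}

demo
```

The same read-back check only covers blocks the device exposes to the host; remapped or spare blocks held back by the controller, as raised in the thread, are outside what it can see.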