More stories

  • in

    This chart shows the connections between cybercrime groups

    Cybersecurity reports often talk about threat actors and their malware/hacking operations as self-standing events, but, in reality, the cybercrime ecosystem is much smaller and far more interconnected than the layperson might realize.
    Cybercrime groups often have complex supply chains, like real software companies, and they regularly develop relationships within the rest of the e-crime ecosystem to acquire access to essential technology that enables their operations or maximizes their profits.

    According to cybersecurity firm CrowdStrike, these third-party technologies can be classified into three categories: services, distribution, and monetization.
    Breaking down each, the services category usually includes:
    Access brokers – threat actors who breach corporate networks and sell access into a company’s internal network to other gangs.
    DDoS attack tools – also known as DDoS booters or DDoS-for-hire, these groups provide access to web-based panels from where anyone can launch a DDoS attack against a target.
    Anonymity and encryption – threat actors who sell access to private proxy and VPN networks, so hackers can disguise their location and the origin of their attacks.
    Phishing kits – threat actors who create and maintain phishing kits, web-based tools used to automate phishing attacks, and the collection of phished credentials.
    Hardware for sale – threat actors who sell custom-made hardware, such as ATM skimmers, network sniffing devices, and more.
    Ransomware – also known as Ransomware-as-a-Service, or RaaS, these groups sell access to ransomware strains or a web-based panel where other gangs can build their own custom ransomware.
    Crime-as-a-Service – similar to RaaS, but these groups provide access to banking trojans or other forms of malware.
    Loaders – also known as “bot installs,” these are threat actors who have already infected computers, smartphones, and servers with their own malware and offer to “load/install” another group’s malware on the same system, so the other group can monetize it through ransomware, banking trojans, info-stealers, etc.
    Counter antivirus service/checkers – these are private web portals where malware devs can upload their samples and have them tested against the engines of modern antivirus systems without the fear of the malware’s detection being shared with the AV maker.
    Malware packing services – these are web-based or desktop-based tools that malware developers use to scramble their malware strain’s code and make it harder to detect by antivirus software.
    Credit/debit card testing services – these are tools that hackers use to test if the payment card numbers they acquired are in a valid format and if the card is (still) valid.
    Webinject kits – these are specialized tools, usually used together with banking trojans, to allow a banking trojan gang to insert malicious code inside a victim’s browser while they visit an e-banking (or any other) site.
    Hosting & infrastructure – also known as bulletproof hosting providers, their name is self-evident as they provide private web hosting infrastructure specifically tailored for criminal gangs.
    Recruiting for criminal purposes – these are specialized groups that recruit, bribe, or trick normal citizens into participating in a cybercrime operation (e.g., someone who travels to the US in an attempt to bribe a Tesla employee to run a malicious tool inside the company’s internal network).
    On the other hand, distribution services include the likes of:
    Groups that run spam campaigns on social networks or instant messaging apps.
    Groups specialized in email spam distribution.
    Groups who develop and sell exploit kits.
    Groups who purchase traffic from hacked sites and distribute it to malicious web pages that usually host exploit kits, tech support scams, financial scams, phishing kits, and others.
    As for monetization services, CrowdStrike says this category usually includes:
    Money mule services – groups who offer to physically show up and pick up money from hacked ATMs, receive money in their bank accounts, and then redirect it to the hackers or their preferred money laundering or reshipping fraud service.
    Money laundering – groups who often operate networks of shell companies through which they move funds from hacked bank accounts, ATM cash-outs, or cryptocurrency heists. Some money laundering services also operate on the dark web as Bitcoin mixing services.
    Reshipping fraud networks – groups that take stolen funds, purchase real products, and ship the products to another country. The products, usually luxury goods like cars, electronics, or jewelry, are then resold and converted into clean fiat currency that’s transferred to the hackers who contracted their services.
    Dump shops – groups that sell data from hacked companies via specialized websites and social media channels.
    Ransom payments & extortion – groups specialized in extorting victims, and which can be contracted by other gangs in possession of stolen data.
    Collection and sale of payment card information – also known as carding shops, these are typically forums where cybercrime groups go to sell stolen payment card data.
    Cryptocurrency services – a form of money laundering, these services offer to “mix” stolen funds and help hackers lose the trail of stolen funds.
    Wire fraud – as the name says, groups that are specialized in performing wire fraud, such as BEC scams.
    Image: CrowdStrike
    Tracking all the connections between groups and their suppliers and who works with whom is almost impossible today due to the broad use of encrypted communication channels between parties.

    However, in the realm of malware attacks, some signs of cooperation can be observed by the way the malware moves from attackers to infected hosts.
    Although these connections can never be fully verified, it’s also pretty obvious that when the Emotet malware is downloading the TrickBot malware, the two gangs are cooperating as part of a “loader” mechanism provided by the Emotet crew for the TrickBot gang.
    In its 2021 Global Threat Report, released on Monday, security firm CrowdStrike has, for the first time, summarized some of the connections that currently exist on the cybercrime underground between various e-crime operators.
    The company uses its own nomenclature for e-crime groups, so some group names might sound different from what we’ve seen before. However, CrowdStrike also provides an interactive index so anyone can learn more about each group and link it to the names used by other companies.

    Image: CrowdStrike
    What the chart above shows is that enablers play just as important a role in cyber-intrusions as the groups executing the intrusion.
    As Chainalysis pointed out in a separate report last month, law enforcement agencies are most likely to achieve better results in disrupting cybercrime operations when targeting these shared service suppliers, as they could end up disrupting the activities of multiple cybercrime groups at once.
    Furthermore, there are also other benefits. For example, while top-tier cybercrime gangs often have top-notch operational security (OpSec) and don’t reveal any details about their operations, targeting lower-tier enablers, who don’t always protect their identities, could provide law enforcement agencies with data that could help them unmask and track down the bigger groups.

  • in

    These four new hacking groups are targeting critical infrastructure, warns security company

    More hacking groups than ever before are targeting industrial environments as cyber attackers attempt to infiltrate the networks of companies providing vital services, including electric power, water, oil and gas, and manufacturing.
    Threats include cyber-criminal groups looking to steal information or encrypt systems with ransomware, as well as nation-state-backed hacking operations attempting to determine the potential disruption they could cause with cyberattacks against operational technology (OT).

    According to cybersecurity researchers at Dragos, four new hacking groups targeting industrial systems have been detected over the past year – and there’s an increased amount of investment from cyber attackers targeting industry and industrial control systems.
    The four new groups identified over the course of the past year – named by researchers as Stibnite, Talonite, Kamacite, and Vanadinite – come in addition to 11 previously identified hacking groups targeting industrial control systems.
    Some of these new groups have very specific targets – for example, Stibnite focuses on wind turbine companies that generate electric power in Azerbaijan, while Talonite almost exclusively focuses on attempting to gain access to electricity providers in the US.
    The remainder of the new hacking groups are more generalised in their targeting; Kamacite – which Dragos links to the Sandworm group – has targeted industrial operations of energy companies across North America and Europe.

    Meanwhile, Vanadinite conducts operations against energy, manufacturing and transport across North America, Europe, Australia and Asia, with a focus on information gathering and ICS compromise.
    The discovery of four additional hacking operations targeting industrial systems does represent a cause for concern – but their discovery also indicates that there’s increasing visibility of threats to industrial systems. These threats might have been missed in previous years.
    “The more visibility we build in the OT space, the greater understanding of its threat landscape and the adversaries active there we can identify,” Sergio Caltagirone, vice president of threat intelligence at Dragos, told ZDNet.
    “OT network attacks require a different approach than traditional IT security. IT incidents see high frequency, relatively low-impact incidents and effects when compared to OT attacks that are lower frequency, but have potentially very high impacts and effects.”
    However, according to the research paper, visibility remains an issue for industrial networks, with 90% of organisations examined by Dragos not having a full grasp of their own OT network, something that could help cyber attackers remain undetected.
    In many cases, hackers are able to combine this lack of visibility with the ability to hide in plain sight by abusing legitimate login credentials to help move around the network.
    Often, campaigns targeting industrial systems involve phishing attacks or the exploitation of remote services, allowing the attackers to use real accounts to perform malicious activity while helping to avoid being detected as suspicious.
    “The lack of visibility raises risks significantly because it allows adversaries freedom to conduct operations unimpeded, time to understand the victim environment to locate their objectives, achieve their desired effects and satisfy the intent for conducting a compromise,” said Caltagirone.
    This activity could have physical effects away from a network environment, as recently demonstrated when a malicious hacker was able to modify the chemical properties of drinking water after compromising the network of the water treatment facility for the city of Oldsmar, Florida.
    There are also examples where cyber attackers have gained access to electrical power grids to the extent that they were able to shut down power.
    However, there are cybersecurity procedures that industrial organisations can undertake in order to boost visibility of their own networks and help protect systems from cyber intrusions.
    These include identifying which assets exercise control over critical operations and prioritizing security in order to help make them more difficult for attackers to gain access to – and setting up procedures that make attacks easier to identify.
    Organisations should also attempt to apply network segmentation, separating operational technology from information technology, so that in the event of attackers compromising the IT network, it’s not simple for them to move laterally to OT controls on the same network.
    Login credentials should also be properly secured via the use of multi-factor authentication, while organisations should attempt to avoid the use of default login credentials to help provide additional barriers to remote attackers.


  • in

    Cloud, data amongst APAC digital skills most needed

    Between 666 million and 819 million workers in Asia-Pacific will use digital skills by 2025, up from just 149 million today, with the average employee requiring seven new digital skills to keep up with emerging technologies. Businesses then are likely to face a severe talent shortage, particularly in data, cloud, and cybersecurity, if they do little to build out these capabilities.
    Singapore, for one, would require 1.2 million digital workers by 2025, up 55% from 2020, including non-digital workers who would need to reskill and new entrants to the workforce, according to commissioned research from Amazon Web Services (AWS), which surveyed 500 digital workers in the country. The report polled 3,196 respondents across six Asia-Pacific markets including Australia, South Korea, India, Japan, and Indonesia.
    By 2025, the region’s workers would require 6.8 billion digital skills to carry out their job, up from 1 billion today. This was estimated to require 5.7 billion digital skill trainings over the next five years to ensure the average worker acquired capabilities needed to keep pace with technological advancements. The document referred to such trainings as what would be needed to skill one worker from the proficiency level today to the relevant level required in 2025.
    In Singapore, this figure clocked in at 23.8 million digital skill trainings needed for the local workforce through to 2025, which would enable the country to plug a 35% gap of such trainings recommended for workers who currently did not possess digital skills or were not in the workforce.

    To boost their employability, the report further noted, students across Asia-Pacific today should be educated in digital skillsets projected to see the largest spikes in demand, specifically, capabilities in designing and refining new cloud architectures. Demand for such skills in the region was expected to climb 36% over the next five years — the highest growth amongst all digital skills.
    Australia had the highest proportion of employees using digital skills today, at 64%, followed by Singapore at 63% and South Korea at 62%. Japan weighed in at 58%, compared to Indonesia’s 19% and India at 12%. 
    Singapore, however, led the pack with the highest proportion of workers — at 22% — who were using advanced digital skillsets, such as cloud architecture design, followed by South Korea at 21% and Australia at 20%. 

    Demand for skills types differed by market, with Indonesia and South Korea, for instance, likely to see the fastest growing demand for advanced digital content creation skills, such as ability to create customised digital content including web applications. Japan, in comparison, was expected to see the highest demand jump at 30% for advanced cloud skills, such as migrating organisations’ legacy on-premise environment to cloud-based architectures. 
    Across the region, in 2025, the report indicated that organisations were likely to be challenged by particularly severe skills scarcity in data, cloud, and cybersecurity if they did little to beef up capabilities in these segments.
    For instance, the ability to develop digital security and cyber forensics tools and techniques was projected to be in “severe shortage” by 2025. In fact, 30% of digital workers in Singapore and 48% in India pointed to such skills as necessary to carry out their jobs but that they currently lacked. 
    According to AWS, decision makers interviewed for the report suggested this was the result of rising adoption of cloud and data analytics in the region. “With many compliance standards for data integrity written before cloud computing technology was established, it is critical businesses have the expertise to translate these existing standards for cloud security,” the report noted.

    (Source: AWS)

  • in

    Facebook bans Myanmar military-controlled accounts from its platforms

    Facebook announced on Wednesday it has banned almost all Myanmar military-controlled state and media accounts from its platforms, Facebook and Instagram.
    The ban disables the Tatmadaw True News Information Team page, as well as the MRTV and MRTV Live pages as they violated Facebook’s policies by coordinating harm and inciting violence, Facebook APAC emerging countries policy director Rafael Frankel said in a blog post.
    The ban comes in response to the Myanmar military inciting a coup at the start of February, which has resulted in the National League for Democracy’s leader Aung San Suu Kyi and other senior political leaders being detained.
    Since the coup, the country has been in a state of emergency while suffering from internet and phone service disruptions. The military also temporarily blocked Twitter and Instagram a fortnight ago.
    “We’re continuing to treat the situation in Myanmar as an emergency and we remain focused on the safety of our community, and the people of Myanmar more broadly,” Frankel said.  
    “We believe the risks of allowing the Tatmadaw on Facebook and Instagram are too great.”
    In addition to banning military-controlled state and media accounts, Facebook has also blocked any ads from military-linked commercial entities. Facebook has also reduced the distribution of content on 23 pages and profiles that are either controlled or operated by the Myanmar military so fewer people can see them. 

    The bans, which will last indefinitely, were made using the UN Guiding Principles on Business and Human Rights as a guide, Frankel said.
    The exceptions to this ban are government ministries and agencies engaged in the provision of essential public services, such as the country’s Ministry of Health and Sport and the Ministry of Education. 
    Since the coup occurred, Facebook has expressed concern regarding the situation.
    “We are extremely concerned by orders to shut down the internet in Myanmar and we strongly urge the authorities to order the unblocking of all social media services. At this critical time, the people of Myanmar need access to important information and to be able to communicate with their loved ones,” Frankel said in a previous blog post.

  • in

    More than 6,700 VMware servers exposed online and vulnerable to major new bug

    Image: VMware, ZDNet
    More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies’ entire networks.
    Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets.

    The scans started earlier today after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972.
    This vulnerability impacts vSphere Client (HTML5), a plugin of VMware vCenter, a type of server usually deployed inside large enterprise networks as a centralized management utility through which IT personnel manage VMware products installed on local workstations.
    Last year, security firm Positive Technologies discovered that an attacker could target the HTTPS interface of this vCenter plugin and execute malicious code with elevated privileges on the device without having to authenticate.
    Because of the central role of a vCenter server inside corporate networks, the issue was classified as highly critical and privately reported to VMware, which released official patches yesterday, on February 23, 2021.
    Due to the large number of companies that run vCenter software on their networks, Positive Technologies initially planned to keep details about this bug secret until system administrators had enough time to test and apply the patch.

    However, the proof-of-concept code posted by the Chinese researcher, and others, effectively denied companies any grace period to apply the patch and also started a free-for-all mass-scan for vulnerable vCenter systems left connected online, with hackers hurrying to compromise systems before rival gangs.
    Making matters worse, the exploit for this bug is also a one-line cURL request, which makes it easy even for low-skilled threat actors to automate attacks.

    According to a Shodan query, more than 6,700 VMware vCenter servers are currently connected to the internet. All these systems are now vulnerable to takeover attacks if administrators failed to apply yesterday’s CVE-2021-21972 patches.
    VMware has taken this bug very seriously and has assigned a severity score of 9.8 out of a maximum of 10 and is now urging customers to update their systems as soon as possible.
    Due to the critical and central role that VMware vCenter servers play in enterprise networks, a compromise of this device could allow attackers access to any system that’s connected or managed through the central server.
    These are the types of devices that threat actors (known as “network access brokers”) like to compromise and then sell on underground cybercrime forums to ransomware gangs, which then encrypt victims’ files and demand huge ransoms.
    Since a PoC is now out in the open, Positive Technologies has also decided to publish an in-depth technical report on the bug, so network defenders can learn how the exploit works and prepare additional defenses or forensics tools to detect past attacks.

  • in

    Google funds Linux kernel developers to work exclusively on security

    Hardly a week goes by without yet another major Windows security problem popping up, while Linux security problems, when looked at closely, usually turn out to be blunders made by incompetent system administration. But Linux can’t rest on its laurels. There are real Linux security concerns that need addressing. That’s where Google and the Linux Foundation come in with a new plan to underwrite two full-time maintainers for Linux kernel security development, Gustavo Silva and Nathan Chancellor. 

    Silva and Chancellor’s exclusive focus will be to maintain and improve kernel security and associated initiatives to ensure Linux’s security. There’s certainly work to be done. 
    As the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) found in their open-source contributor survey, security is often neglected in open-source software development. True, Linux has over 20,000 contributors, and as of August 2020, one million commits, but security is not one of their top-of-mind issues.
    Unfortunately, it starts at the top. Linus Torvalds, Linux’s creator, really dislikes people who make improving security in Linux more trouble than it needs to be. In 2017, in his own inestimable style, he called some security developers “f-cking morons.” But Torvalds, while often colorful, also gave direction to security programmers.
    From Torvalds’ viewpoint, “Security problems are just bugs. … The only process I’m interested in is the _development_ process, where we find bugs and fix them.” Or, as Torvalds said in 2008, “To me, security is important. But it’s no less important than everything *else* that is also important!”
    Torvalds isn’t the only one who sees it that way. Jason A. Donenfeld, creator of Linux’s WireGuard Virtual Private Network (VPN), said on the Linux Kernel Mailing List (LKML) that “some security people scoff at other security people’s obsession with ‘security bugs.'”
    He added: “The security industry is largely obsessed by finding (and selling / using /patching /reporting /showcasing /stockpiling /detecting / stealing) these ‘dangerous/useful’ variety of bugs. And this obsession is continually fulfilled because bugs keep happening — which is just the nature of software development — and so this ‘security bug’ infatuation continues.”

    While Torvalds and Donenfeld recognize the importance of securing Linux, too many developers hear their disdain for security researchers while missing that they both regard fixing real security bugs as necessary work. The result? On average, open-source programmers use just 2.27% of their total contribution time on security. Worse still, most open-source developers feel little desire to spend more of their time and effort on security.
    As David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said in the Report on the 2020 FOSS Contributor Survey: “It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors.” 
    The solution, the report authors suggested, was to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.
    Specifically, OpenSSF and LISH suggested:
    Fund security audits of critical open-source projects and require that the audits produce specific, mergeable changes.
    Rewrite portions or entire components of FOSS projects prone to vulnerabilities to produce a substantially more secure result (e.g., contribute a rewrite in a memory-safe language). 
    Prioritize secure software development best practices. 
    Companies should make secure software development training a requirement for hiring or continued professional development for their paid FOSS developers. 
    Use badging programs, mentoring programs, and the influence of respected FOSS contributors to encourage projects and their contributors to develop and maintain secure software development practices. 
    Encourage projects to incorporate security tools and automated tests as part of their continuous integration (CI) pipeline; ideally as part of their default code management platform. 
    Google providing funds to underwrite two full-time Linux security maintainers signals the importance of security in the ongoing sustainability of open-source software. “At Google, security is always top of mind and we understand the critical role it plays to the sustainability of open-source software,” said Dan Lorenc, Google staff software engineer, in a statement. “We’re honored to support the efforts of both Gustavo Silva and Nathan Chancellor as they work to enhance the security of the Linux kernel.”
    Chancellor’s work will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing CI systems to support Clang and LLVM compiler tools. Two years ago, Chancellor started contributing to mainline Linux under the ClangBuiltLinux project, which is a collaborative effort to get the Linux kernel building with Clang and LLVM. 
    The Linux kernel has always traditionally been compiled with GNU toolchains such as GCC and binutils. The more modern Clang and LLVM utilities enable developers to create cleaner and more secure builds. Linux distributions such as Android, ChromeOS, and OpenMandriva already use Clang-built kernels.
    Chancellor has been working on the Linux kernel for four and a half years. “I hope that more and more people will start to use the LLVM compiler infrastructure project and contribute fixes to it and the kernel — it will go a long way toward improving Linux security for everyone,” said Chancellor. 
    Gustavo Silva’s full-time Linux security work is currently dedicated to eliminating several classes of buffer overflows by transforming all instances of zero-length and one-element arrays into flexible-array members, which is the preferred and least error-prone mechanism to declare such variable-length types. Silva is also working on fixing bugs before they hit the mainline, while proactively developing defense mechanisms that cut off whole classes of vulnerabilities. Before that, Silva led the effort to eliminate implicit switch fall-throughs in the Linux kernel. Silva sent his first kernel patch in 2010 and is an active member of the Kernel Self Protection Project (KSPP). He has consistently been one of the top five most active kernel developers since 2017, with more than 2,000 mainline commits. Silva’s work has impacted 27 different stable trees, going all the way down to Linux v3.16.
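The difference between a one-element trailing array and a flexible-array member, as an added example (not kernel code and not from the article). The struct names and the functions `legacy_size`, `fam_size`, `table_new` and `table_set` are hypothetical, written for this illustration in userspace C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct rec { uint32_t id; uint32_t val; };

/* Legacy idiom: a one-element array stands in for a variable-length tail. */
struct table_legacy {
    uint32_t   count;
    struct rec recs[1];   /* sizeof() silently includes this dummy element */
};

/* Flexible-array member (C99): the tail contributes nothing to sizeof(). */
struct table_fam {
    uint32_t   count;
    struct rec recs[];
};

/*
 * Sizing idiom that one-element arrays invite: the header "already has one
 * element", so add count - 1 more. The arithmetic is unchecked, so count == 0
 * and very large counts both wrap around to a too-small result.
 */
size_t legacy_size(size_t count)
{
    return sizeof(struct table_legacy) + (count - 1) * sizeof(struct rec);
}

/*
 * Checked sizing for the flexible-array layout: header plus count elements,
 * saturating to SIZE_MAX on overflow so the allocation fails cleanly.
 * (The kernel has its own helper for this, struct_size(); this function is a
 * userspace stand-in written for the example.)
 */
size_t fam_size(size_t count)
{
    if (count > (SIZE_MAX - sizeof(struct table_fam)) / sizeof(struct rec))
        return SIZE_MAX;
    return sizeof(struct table_fam) + count * sizeof(struct rec);
}

/* Allocate a zeroed table, refusing counts whose size cannot be represented. */
struct table_fam *table_new(size_t count)
{
    size_t bytes = fam_size(count);
    struct table_fam *t;

    if (bytes == SIZE_MAX || count > UINT32_MAX)
        return NULL;
    t = calloc(1, bytes);
    if (t)
        t->count = (uint32_t)count;
    return t;
}

/* Every write is checked against the count stored next to the array. */
int table_set(struct table_fam *t, size_t i, struct rec r)
{
    if (t == NULL || i >= t->count)
        return -1;
    t->recs[i] = r;
    return 0;
}

int main(void)
{
    /* Constructed hostile count: (count - 1) * sizeof(struct rec) wraps to 0. */
    size_t wrap = SIZE_MAX / sizeof(struct rec) + 2;
    struct table_fam *t = table_new(3);
    struct rec r = { 7, 42 };

    printf("sizeof legacy header: %zu, sizeof FAM header: %zu\n",
           sizeof(struct table_legacy), sizeof(struct table_fam));
    printf("legacy_size(0)    = %zu (smaller than the struct itself)\n",
           legacy_size(0));
    printf("legacy_size(wrap) = %zu (room for one element, not %zu)\n",
           legacy_size(wrap), wrap);
    printf("fam_size(wrap) saturates: %s\n",
           fam_size(wrap) == SIZE_MAX ? "yes" : "no");
    printf("in-bounds write: %d, out-of-bounds write: %d\n",
           table_set(t, 2, r), table_set(t, 3, r));
    free(t);
    return 0;
}
```

With the one-element layout, `sizeof(p->recs)` also compiles and yields the size of a single element, while the same expression on a flexible-array member is rejected by the compiler.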
    “We are working towards building a high-quality kernel that is reliable, robust, and more resistant to attack every time,” said Silva. “Through these efforts, we hope people, maintainers, in particular, will recognize the importance of adopting changes that will make their code less prone to common errors.”
    “Ensuring the security of the Linux kernel is extremely important as it’s a critical part of modern computing and infrastructure. It requires us all to assist in any way we can to ensure that it is sustainably secure,” added Wheeler. “We extend a special thanks to Google for underwriting Gustavo and Nathan’s Linux kernel security development work along with a thank you to all the maintainers, developers, and organizations who have made the Linux kernel a collaborative global success.”
    Google has recently been putting more resources behind security for all open-source software. The company recently proposed a framework, “Know, Prevent, Fix,” for how we can think about open-source vulnerabilities and concrete areas to address first, including:
    Consensus on metadata and identity standards: We need consensus on fundamentals to tackle these complex problems as an industry. Agreements on metadata details and identities will enable automation, reduce the effort required to update software, and minimize the impact of vulnerabilities.
    Increased transparency and review for critical software: For software that is critical to security, we need to agree on development processes that ensure sufficient review, avoid unilateral changes, and transparently lead to well-defined, verifiable official versions.
    Going back to Linux specifically, funding Linux kernel security and development is a collaborative effort that needs support from everyone. To support work like this, discussions are taking place in the Securing Critical Projects Working Group inside the OpenSSF. If you want to be involved in the work, now’s your chance. It’s not just Google and top Linux developers; everyone who works with Linux needs to be involved.

  • in

    Ukraine reports cyber-attack on government document management system

    Image: Oleksii Leonov (CC BY 2.0)
    The Ukrainian government said today that Russian hackers compromised a government file-sharing system as part of an attempt to disseminate malicious documents to other government agencies.
    The target of the attack was the System of Electronic Interaction of Executive Bodies (SEI EB), a web-based portal used by Ukrainian government agencies to circulate documents between each other and public authorities.
    In a statement published today, officials with Ukraine’s National Security and Defense Council said the purpose of the attack was “the mass contamination of information resources of public authorities.”
    Ukrainian officials said the attackers uploaded documents on this portal that contained macro scripts. If users downloaded any of these documents and allowed the scripts to execute (usually by pressing the “Enable Editing” button inside Office apps), the macros would secretly download malware that would allow the hackers to take control of a victim’s computer.
    Ukraine links the attacks to Russian cyberspies
    “The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker spy groups from the Russian Federation,” NSDC officials said.
    Even if most state-sponsored hacker groups have been assigned names by the cyber-security industry, Ukrainian officials did not attribute the attack to a specific Russian activity cluster.
    Officials did, however, publish indicators of compromise (IOCs) used in the attacks. They include:
    Domains: enterox.ru
    IP addresses: 109.68.212.97
    Link (URL): http://109.68.212.97/infant.php

    Today’s NSDC security alert is the second warning the agency has published this week. The agency also warned on Monday that Russian hackers launched DDoS attacks last week that targeted the websites of the Security Service of Ukraine, the National Security and Defense Council of Ukraine, and resources of other state institutions and strategic enterprises.

  • in

    Want to pass on your old PCs to good causes? Here's how to do it while staying secure

    Many charities are encouraging individuals and organisations to donate their old laptops, tablets and other devices, and while many want to support good causes, it can be hard to know how to make sure devices are in the right state to hand over.

    The UK’s National Cyber Security Centre (NCSC) has issued advice on erasing data from devices so they can be passed on as safely as possible.
    Firstly, donors should be encouraged to erase all of the data on the laptop or tablet before they give it to charity – because failure to do so could result in their personal data like usernames and passwords being available to others.
    The NCSC notes that users should be encouraged to do this themselves, so they have the most control possible over their data, including backing up any information or files they want to keep before erasing the data from the device.
    Secondly, charities which receive donations of laptops and other computers should erase data on donated devices – even if the user says they’ve already deleted the data. Performing a factory reset like this reverts the laptop to the state it was in when first used, allowing the new user to set it up as they please.
    This also prevents information previously stored on the device from being shared and will also prevent most malware that could have potentially been installed on the laptop from compromising the new user.

    It’s also recommended that the charities which are providing laptops to schoolchildren are selective about what devices they pass on and don’t give out any computers which are reliant on an operating system which is no longer supported by its manufacturer.
    This is because unsupported operating systems no longer receive security updates from their manufacturers, something which leaves users unprotected against new vulnerabilities, malware and other cyber attacks.
    It’s recommended that devices which can’t be donated due to being out of support are recycled instead.