More stories


    How to securely erase hard drives (HDDs) and solid state drives (SSDs)

    Got a pile of old drives that you need to wipe before sending them to Silicon Heaven? Or do you want to wipe a drive in a computer that you are selling or giving away? Here are some tips and tricks to help you get the job done.

    Since hard drives (HDDs) and solid-state drives (SSDs) need different handling, I’m going to cover them separately here.
    HDDs
    There are three approaches you can take to securely wiping hard drives.
    Software
    The cheapest way to tackle a pile of hard drives is to wipe them with a software eraser. I will warn you though: it’s not quick, and it won’t work on defective disks.
    My tool of choice for wiping drives is Darik’s Boot And Nuke. It’s free and does an excellent job of wiping drives clean.

    To use it, you’ll need to create a wipe CD or DVD, then hook up the drives you want to wipe to a PC, and run the software. Be careful not to inadvertently wipe a drive containing data you need because that will make your life suck. I suggest using a spare PC or, failing that, disconnecting all the data drives from the system you use, just in case. You can do this since you’ll be booting up off the Boot And Nuke disc and not the internal drive.
    I recommend that you read and thoroughly familiarize yourself with the documentation for this software because if you take your eye off the ball and wipe the wrong drive, your data is gone.
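A software wipe is only as good as what reads back afterwards, so once the pass finishes it is worth sampling the drive before it leaves your hands. The Python script below is an added example, not part of this article and not a feature of Darik’s Boot And Nuke: it reads chunks spread evenly across a drive or image file, labels each one as zero-filled, random-looking (what a random-pattern pass, or encrypted data, reads back as) or residual structured data, and checks whether a partition-table signature survived at the start of the disk. The two 1 MiB images it builds are constructed test data, not real drive contents; against a real drive you would run it as root with a block device path such as /dev/sdX.

```python
import os
import random
import tempfile
from collections import Counter
from math import log2

CHUNK = 4096  # sampling granularity; most modern drives use 4 KiB physical sectors


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant pattern, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def classify_chunk(data: bytes) -> str:
    """Label one chunk read back from the drive.

    'zero'     every byte is 0x00, what a zero-fill pass leaves behind
    'random'   near-maximal entropy: a random-pattern pass, or encrypted/compressed content
    'residual' anything else, i.e. structured data the wipe should have overwritten
    Heuristic only: encrypted user data looks the same as a random-pattern pass, so 'random'
    means "no obvious plaintext survived", not "this was definitely overwritten".
    """
    if not any(data):
        return "zero"
    if shannon_entropy(data) >= 7.8:
        return "random"
    return "residual"


def partition_table_present(fd: int) -> bool:
    """True if the first sectors still carry an MBR boot signature or a GPT header."""
    os.lseek(fd, 0, os.SEEK_SET)
    head = os.read(fd, 1024)
    return head[510:512] == b"\x55\xaa" or head[512:520] == b"EFI PART"


def sample_wipe_evidence(path: str, samples: int = 4096) -> dict:
    """Read up to `samples` chunks spread evenly across the device or image and tally them.

    Even spacing covers the whole span instead of clustering; if `samples` is at least the
    number of chunks, every chunk is read. `path` may be a block device (needs root) or an
    image file; the size is found by seeking to the end so both work.
    """
    tally = {"zero": 0, "random": 0, "residual": 0}
    residual_offsets = []
    fd = os.open(path, os.O_RDONLY)
    try:
        chunks = max(os.lseek(fd, 0, os.SEEK_END) // CHUNK, 1)
        count = min(samples, chunks)
        for i in range(count):
            offset = (i * chunks // count) * CHUNK
            os.lseek(fd, offset, os.SEEK_SET)
            label = classify_chunk(os.read(fd, CHUNK))
            tally[label] += 1
            if label == "residual":
                residual_offsets.append(offset)
        table = partition_table_present(fd)
    finally:
        os.close(fd)
    return {
        "tally": tally,
        "residual_offsets": residual_offsets,
        "partition_table": table,
        # Pass only if nothing structured survived anywhere we looked.
        "looks_wiped": tally["residual"] == 0 and not table,
    }


def build_demo_images(directory: str) -> tuple:
    """Constructed sample input (not real drive contents): two 1 MiB images.

    'leftover' imitates an interrupted wipe: mostly zeros, but the MBR signature, 64 KiB of
    plaintext records and 64 KiB of random-looking data survive. 'clean' is all zeros.
    """
    rng = random.Random(1)
    image = bytearray(256 * CHUNK)
    image[510:512] = b"\x55\xaa"
    record = b"CONFIDENTIAL customer record: account 0000-1111-2222; balance 123.45\n"
    image[100 * CHUNK:116 * CHUNK] = (record * (16 * CHUNK // len(record) + 1))[:16 * CHUNK]
    image[200 * CHUNK:216 * CHUNK] = bytes(rng.getrandbits(8) for _ in range(16 * CHUNK))
    leftover = os.path.join(directory, "leftover.img")
    clean = os.path.join(directory, "clean.img")
    with open(leftover, "wb") as f:
        f.write(image)
    with open(clean, "wb") as f:
        f.write(bytes(256 * CHUNK))
    return leftover, clean


def demo_reports() -> dict:
    """Run the check over both constructed images and return the two reports."""
    with tempfile.TemporaryDirectory() as d:
        leftover, clean = build_demo_images(d)
        return {"leftover": sample_wipe_evidence(leftover, samples=256),
                "clean": sample_wipe_evidence(clean, samples=256)}


if __name__ == "__main__":
    for name, report in demo_reports().items():
        print(name, report["tally"], "partition table:", report["partition_table"],
              "looks wiped:", report["looks_wiped"])
```

The residual offsets are the useful output on a real drive: they tell you where to look with a hex viewer, and a surviving partition table at offset 0 is the most common sign that a pass never ran at all. Treat a clean result as a sanity check, not as proof; sampling cannot see into remapped sectors or, on an SSD, into flash the controller no longer maps.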
    Hardware

    If you don’t feel like taking the software approach, another method you can take is to employ a bespoke hardware tool to do the job. At this point, though, things start to get a little expensive, but it is faster and does mean that you don’t have to dedicate a PC to the wiping operation.
    The tool I use is Wiebetech’s Drive eRazer Ultra. It’s a fast, reliable, standalone solution to wiping hard drives and deleting everything. You hook up the drive to it, tap a few buttons, and Drive eRazer Ultra takes care of the rest.

    I’ve used this tool to wipe dozens of drives with great success. It’s an expensive solution for sure — the eRazer Ultra starts at $250 — but if you have a lot of drives to wipe, it’s well worth it.
    If you have a lot of drives to erase, then you might want to go for a tool that can erase multiple drives simultaneously, such as the StarTech four-bay drive eraser.
    The StarTech four-bay drive eraser is packed with the following features:
    Secure, standalone drive erasing for up to four 2.5-inch and 3.5-inch SATA SSD/HDD drives
    Nine erase modes including: Quick and Secure Erase, Single Pass Overwrite, and Multi-pass Overwrites — meets DoD (5220.22-M) standards
    Support for Secure Erase and Enhanced Secure Erase for SSDs
    Easy operation with LCD and push-button navigation
    The built-in nine-pin serial port enables you to print erase logs using a receipt printer
    Supports SATA I and II (up to 3Gbps)
    Also supports 2.5-inch and 3.5-inch IDE hard drives, mSATA drives, and SATA M.2 drives using a compatible StarTech.com adapter
    TAA compliant
    Plug-and-play installation
    Out of the box, the four-bay unit is capable of dealing with 2.5-inch and 3.5-inch SATA drives (both SSDs and HDDs) and the hard drive eraser also works with 2.5-inch and 3.5-inch IDE hard drives, mSATA drives, and SATA M.2 drives using a compatible StarTech.com adapter.
    The hard drive eraser is easy-to-use, thanks to its convenient menu navigation system, with push-button operation and a built-in LCD that clearly identifies the erase modes and task status. You can also connect the eraser to a computer to quickly access the drive that’s attached to port-1 on the eraser.
    To ensure your records are complete for auditing, the hard drive eraser features a nine-pin serial port that can connect to a serial printer to provide on-demand erase logs.

    The hands-on methods
    OK, what do you do if you want to wipe drives that have died or become defective in some way with data still on them that now cannot be wiped? You could take a chance that since the drive is dead, the data is gone, but you have to plan on the drive falling into the hands of someone cleverer than you (or someone who has more time, patience, and resources).
    Here’s where the hands-on methods come into play. These methods also work great if you just want to destroy drives before you take them to the recycling plant.
    I have two methods. A surgical method, and a more medieval method.
    For the surgical method you will need:
    A drill and HSS drill bit (I use about 1/4-inch/6mm) — you see where I’m going with this
    Thick gloves — shards of metal will shred you
    Eye protection — we’re destroying drives here, not eyes
    A vice or clamp — stops the drill bit from getting caught in the drive and turning it into a wildly spinning and flailing object
    I then go about drilling three holes as shown below. If you want speed and only want to drill a single hole, pick the spot with the X. For a more complete job, hit the green stars, too. See the video above for a step-by-step guide.
    You can also optionally put a couple of holes in the circuit board on the other side for good measure.

    Then there’s the more brutal method. For this, you will need:
    A hammer — I use my trusty 32oz “fine adjustment” hammer
    A thick nail — a 6-inch nail will do fine
    Thick gloves — because you’re going to be hammering that nail through the drive using the hammer, and hammers seem to be inexplicably attracted to thumbs
    A block of wood — so you don’t nail the drive to your floor (it’s preferable to do this outside if you can)
    Eye protection — you’ve only got a maximum of two to start with, so it’s silly to take chances!
    Now, you apply brute force. Ideally, you want to put a nail through the platters of the drive, going all the way through (it’s actually not as hard as it sounds). Again, aim for the spot marked by the red X, and optionally the green stars for a more complete job.
    This is a very effective method of destroying drives, and it’s also a lot of fun, not to mention a great way to relieve stress!
    SSDs
    With solid-state drives, things can get very complicated, and I could write reams about TRIM commands and garbage collection, and so on. The problem is things get convoluted, which is when mistakes happen and your precious baby pictures or work project gets deleted. With that in mind, I’m going to keep things simple.
    Erase using manufacturer utilities
    One way to erase SSDs is to use the manufacturer’s utilities. Here are some links to get you started.
    If you have a drive from a different source, go check out their website.
    Encrypt the whole drive
    One of the easiest ways is to encrypt the entire drive with a complex passphrase. On Windows, you can use something like VeraCrypt. On Mac, you can use the built-in FileVault utility, and you’re done. No passphrase, no data.
    You can then format the drive, from which point it should be sterile and ready to accept a reload of the data.
    PARTED Magic
    Another way to do this is to use a software tool called PARTED Magic. This supports both HDDs and SSDs.
    While PARTED Magic is not free (price starts at a reasonable $11), it is a very effective tool, and one of the best I’ve used for wiping SSDs.
    The hands-on method
    If the drive is dead, or you just want to get rid of it in a hurry and don’t want a functioning drive at the end of it, then you can take a hammer to the SSD or flash drive.
    One thing to bear in mind is that the data in SSDs is held on small flash storage chips rather than large platters, and to securely erase the data, you need to smash the chips. Usually this means taking the cover off the drive before you start swinging.
    If you’re not sure which are the flash storage chips, just drive a nail through all the large chips to be on the safe side.


    Open source software security vulnerabilities exist for over four years before detection

    It can take an average of over four years for vulnerabilities in open source software to be spotted, an area in the security community that needs to be addressed, researchers say. 

    According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 
    Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 
    “You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,” GitHub says. “Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.”
    GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.
    Only active repositories have been included, excluding forks and ‘spam’ projects. The package ecosystems analyzed are Composer, Maven, npm, NuGet, PyPI, and RubyGems.

    In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript — 94% — as well as Ruby and .NET, at 90%, respectively. 
    On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says “indicates clear opportunities to improve vulnerability detection.”
    However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes. 
    In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages. 
    According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 
    Defining the ‘worst’ open source vulnerabilities of 2020 is not an easy task as it depends on the reach of impact — on users and repositories — exploitability, and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype pollution bug in lodash as a top vulnerability.
    Tracked as CVE-2020-8203 and issued a severity score of 7.4, the RCE security flaw alone has been responsible for over five million GitHub Dependabot alerts due to lodash being one of the most widely-used and popular npm packages. 
    The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a regular basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way. 
    “Open source is critical infrastructure, and we should all contribute to the security of open source software,” the organization added. “Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Absa bank embroiled in data leak, rogue employee accused of theft

    Absa has notified customers of a data breach potentially compromising their personal information. 

    The Johannesburg, South Africa-based financial services group, which provides personal and business banking as well as wealth management services, has pointed the finger at an employee for the security incident. 
    Absa maintains a presence in 12 countries across the continent and accounts for roughly 42,000 employees.  
    As reported by local publication MyBroadband, Absa sent an email to customers on Monday informing them of the data breach. The message said that personally identifiable information (PII) belonging to clients was exposed to “external parties.” 
    “We regret to notify you that Absa has identified an isolated internal data leak whereby personal information of a limited number of Absa customers was shared with parties external to the bank,” the financial group said. 
    ID numbers, contact details, physical home addresses, and account numbers are thought to have been compromised. Absa has not revealed if any other sensitive, financial data was involved in the data leak. 

    It is also not known how many customers have been impacted, although the bank intends to monitor more closely for suspicious transactions in a “small” number of its client base that may have had their information stolen. If transfers are suspected of being fraudulent, Absa will ring customers to verify transactions.
    Absa says that additional security measures are being implemented, but in the meantime, it is believed that a rogue employee is at fault. According to local media, Absa has accused a staff member of making “customer data available” to third-parties, illegally, and so criminal charges have been brought against the unnamed individual. 
    Data was found on devices during search and seizure operations and has been destroyed. The investigation is ongoing. 
    Only three months before this security incident, Absa Group Limited’s cybersecurity team was named the “Not for Profit Team of the Year” in the 2020 Cyber Security Awards, with Absa CSO Sandro Bucchianeri commended in the Cybersecurity industry “Personality of the Year” category.


    Ivanti announces double acquisition of MobileIron, Pulse Secure in zero-trust security push

    Ivanti has snapped up both MobileIron and Pulse Secure in an acquisition spree designed to improve the firm’s zero-trust, cloud, and managed IT security portfolio. 

    Announced on Tuesday, the Utah-based security company said the combination of both MobileIron and Pulse Secure will bolster Ivanti’s position in “unified endpoint management, zero-trust security, and IT service management (ITSM).”
    Under the terms of the deals, Ivanti has purchased outstanding MobileIron stock for roughly $872 million. This figure represents a 27% premium on the firm’s share price as of September 24, 2020, and each stockholder received $7.05 in cash per share held. 
    Since 2007, Mountain View, Calif.-based MobileIron has focused on becoming a zero-trust specialist in the mobile device security space. The firm’s solutions include device validation, user context and app authorization checks, network verification, and threat scanning. 
    Pulse Secure was acquired from affiliates of Siris Capital Group but the financial terms of the purchase were not disclosed. 
    Founded in 2014, San Jose, Calif.-based Pulse Secure is another zero-trust organization that has created a framework for verifying mobile devices attempting to connect to a corporate network, data center, or the cloud. 

    Ivanti says that the combined resources of MobileIron and Pulse Secure will give enterprise clients more robust solutions for protection, self-healing, and self-securing devices connected to corporate networks. In particular, Ivanti is exploring how zero-trust security practices and contextual automation can improve remote infrastructure — adopted by more companies than ever due to the disruption caused by COVID-19. 
    “We are excited to welcome the MobileIron and Pulse Secure teams into the Ivanti family,” commented Ivanti CEO and chairman Jim Schaper. “Our intelligent experience platform will power business through hyper-automation and secure connections on every device, for any user, wherever and however they work. This enables our customers to collaborate and innovate more freely while reducing the risk of data breaches and enhancing employee experiences.”
    In other acquisition news this week, Salesforce announced the purchase of Slack for $27.7 billion, the cloud provider’s largest acquisition purchase to date. 
    Tools including Slack are also being used by enterprise players forced into remote work setups due to the pandemic, and according to Salesforce, the deal will see Slack integrated into Salesforce Customer 360. The Slack remote collaboration platform is a competing force against Microsoft Teams. 


    Malicious npm packages caught installing remote access trojans

    The security team behind the “npm” repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.


    The two packages were named jdb.js and db-json.js, and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications.
    Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis.
    According to Sonatype’s Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed either of the two malicious libraries.
    The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan) that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.
    To make sure the njRAT download wouldn’t have any issues, Sharma said the patch.exe loader also modified the local Windows firewall to add a rule to whitelist its command and control (C&C) server before pinging back its operator and initiating the RAT download.
    All of this behavior was contained in the jdb.js package only, while the second package, db-json.js, loaded the first in an attempt to disguise its malicious behavior.
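The packages described above did their damage through a post-install script, one of the lifecycle hooks npm runs automatically when a dependency is installed. A check a developer can run over an existing project is to list every installed package that declares such a hook and read the command it will run. The Python script below is an added example, not code from this article, from Sonatype or from npm; the node_modules tree it builds is constructed sample data with made-up package names and scripts.

```python
import json
import os
import tempfile

# Lifecycle hooks npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_scripts(package_dir: str) -> tuple:
    """Return (package name, {hook: command}) for install-phase scripts in one package.json."""
    try:
        with open(os.path.join(package_dir, "package.json"), encoding="utf-8") as f:
            manifest = json.load(f)
    except (OSError, ValueError):
        return "", {}
    scripts = manifest.get("scripts") or {}
    return manifest.get("name", ""), {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def is_package_root(dirpath: str) -> bool:
    """True for node_modules/<pkg> and node_modules/@scope/<pkg>, not for folders inside a package."""
    parent = os.path.dirname(dirpath)
    if os.path.basename(parent) == "node_modules":
        return True
    return (os.path.basename(parent).startswith("@")
            and os.path.basename(os.path.dirname(parent)) == "node_modules")


def audit_node_modules(root: str) -> list:
    """Walk every node_modules tree under root (nested ones included) and list the packages that
    will run a command at install time, with the exact command so a reviewer can read it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames or not is_package_root(dirpath):
            continue
        name, hooks = install_scripts(dirpath)
        if hooks:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append({"package": name, "path": rel, "hooks": hooks})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(root: str) -> None:
    """Constructed sample node_modules tree; package names and scripts are made up for the demo."""
    packages = {
        "node_modules/left-pad-example":
            {"name": "left-pad-example", "scripts": {"test": "node test.js"}},
        "node_modules/json-helper-example":
            {"name": "json-helper-example", "scripts": {"postinstall": "node setup.js"}},
        "node_modules/@scope/tool-example":
            {"name": "@scope/tool-example", "scripts": {"preinstall": "node-gyp rebuild"}},
        "node_modules/json-helper-example/node_modules/inner-example":
            {"name": "inner-example", "scripts": {"install": "node install.js"}},
    }
    for rel, manifest in packages.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)


def demo() -> list:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit_node_modules(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['package']} ({finding['path']})")
        for hook, command in finding["hooks"].items():
            print(f"   {hook}: {command}")
```

Point audit_node_modules at a project directory to get the same report for real dependencies. Many legitimate native modules declare install hooks (the node-gyp rebuild entry in the sample is the usual benign case), so the output is a review list, not a verdict. npm’s --ignore-scripts option installs without running any lifecycle script, which is a reasonable default for CI and for a first look at an unfamiliar package.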
    Npm security team: Change all passwords

    Since infections with any type of RAT-like malware are considered severe incidents, in security alerts on Monday the npm security team advised web developers to consider their systems fully compromised if they had installed either of the two packages.
    “Any computer that has this package installed or running should be considered fully compromised,” the npm team said.
    “All secrets and keys stored on that computer should be rotated immediately from a different computer.
    “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they also added.
    Constant onslaught
    While the npm security team publishes security advisories on a weekly basis, most of them are usually for vulnerabilities in a package’s code that may be exploited in the future.
    However, since late August, the npm security team has been seeing an increased number of npm libraries that have been intentionally put together to steal data from infected systems, suggesting that several threat actors are now interested in compromising programmers’ workstations in an attempt to breach and steal credentials for sensitive projects, source code and intellectual property, or even prepare larger supply chain attacks.
    Previous cases include:


    FBI warns of email forwarding rules being abused in recent hacks

    The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts.

    In a PIN (Private Industry Notification) alert sent last week and made public today, the FBI says the technique has been seen and abused in recent BEC (Business Email Compromise) attacks reported over the summer.
    The hackers’ technique relies on a feature found in some email services called “auto-forwarding email rules.”
    As its name implies, the feature allows the owner of an email address to set up “rules” that forward (redirect) an incoming email to another address if certain criteria are met.
    Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day — and be at risk of triggering a security warning for a suspicious login.
    Recent spike of abuse in BEC attacks
    Email auto-forwarding rules have been abused since the dawn of email clients, by nation-state hacking groups and regular cybercrime operators alike.

    But in a PIN last week, the FBI says it received multiple reports over the summer that the technique is now often abused by gangs engaging in BEC scams — a form of cybercrime where hackers breach email accounts and then send emails from the hacked account in attempts to convince other employees or business partners into authorizing payments to wrong accounts, controlled by the intruders.
    The FBI provided two cases as examples where BEC scammers abused email forwarding rules during their attacks:
    In August 2020, cyber criminals created auto-forwarding email rules on the recently upgraded web client of a US-based medical equipment company. The webmail did not sync to the desktop application and went unnoticed by the victim company, which only observed auto-forwarding rules on the desktop client. RSS was also not enabled on the desktop application. After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The actors obtained $175,000 from the victim.
    During another incident in August 2020, the same actor created three forwarding rules within the web-based email used by a company in the manufacturing industry. The first rule auto-forwarded any emails with the search terms “bank,” “payment,” “invoice,” “wire,” or “check” to the cyber criminal’s email address. The other two rules were based off the sender’s domain and again forwarded to the same email address.
    FBI recommends syncing email account settings
    FBI officials say that the technique is still claiming victims in corporate environments because some companies don’t forcibly sync email settings for the web-based accounts with desktop clients.
    This, in turn, limits “the rules’ visibility to [a company’s] cyber security administrators,” and the company’s security software, which may be configured and capable of detecting forwarding rules, but may remain blind to new rules until a sync occurs.
    The FBI PIN — a copy of which is available here — contains a series of basic mitigations and solutions for system administrators to address this particular attack vector and prevent future abuse.
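The two cases above share one pattern a defender can look for in a periodic review of mailbox rules: a rule that forwards to an address outside the organisation, whether for all mail, for mail matching financial keywords, or for mail from a particular sender domain. The Python below is an added example that is not part of the FBI PIN or of this article. It assumes a simple exported-rule record format (fields mailbox, name, forward_to, subject_contains, from_domains and created_via) that you would populate from your mail platform’s rule export, and the rules it audits are a constructed sample modelled on the two cases, with no real mailboxes or addresses.

```python
from typing import Optional

# Search terms quoted in the FBI PIN from the August 2020 manufacturing-company case.
FINANCIAL_TERMS = ("bank", "payment", "invoice", "wire", "check")


def address_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule: dict, internal_domains: set) -> Optional[dict]:
    """Return a finding for a rule that forwards mail outside the organisation, else None.

    Rule fields (a hypothetical export format assumed for this example):
      mailbox, name, forward_to (list of addresses), subject_contains (list of strings),
      from_domains (list of sender domains the rule matches), created_via ('web' or 'desktop').
    """
    external = [a for a in rule.get("forward_to", []) if address_domain(a) not in internal_domains]
    if not external:
        return None  # rules that keep mail inside the organisation are out of scope here
    reasons = ["forwards to external address(es): " + ", ".join(external)]
    hits = [t for t in FINANCIAL_TERMS
            if any(t in s.lower() for s in rule.get("subject_contains", []))]
    if hits:
        reasons.append("filters on financial terms: " + ", ".join(hits))
    if rule.get("from_domains"):
        reasons.append("keyed on sender domain(s): " + ", ".join(rule["from_domains"]))
    if rule.get("created_via") == "web":
        reasons.append("created in the web client; a desktop client may not show it until settings sync")
    targeted = bool(rule.get("subject_contains") or rule.get("from_domains"))
    return {"mailbox": rule["mailbox"], "name": rule["name"],
            "scope": "targeted" if targeted else "all mail", "reasons": reasons}


def audit_forwarding_rules(rules: list, internal_domains: set) -> list:
    """Assess every exported rule and return the findings sorted by mailbox, then rule name."""
    findings = [f for f in (assess_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: (f["mailbox"], f["name"]))


# Constructed sample export modelled on the two cases in the PIN; no real mailboxes or addresses.
INTERNAL_DOMAINS = {"example-mfg.com"}
SAMPLE_RULES = [
    {"mailbox": "ap@example-mfg.com", "name": "Finance", "created_via": "web",
     "forward_to": ["collector@mail.example.net"],
     "subject_contains": ["bank", "payment", "invoice", "wire", "check"]},
    {"mailbox": "ap@example-mfg.com", "name": "Vendor A", "created_via": "web",
     "forward_to": ["collector@mail.example.net"], "from_domains": ["vendor-a.example"]},
    {"mailbox": "ap@example-mfg.com", "name": "Vendor B", "created_via": "web",
     "forward_to": ["collector@mail.example.net"], "from_domains": ["vendor-b.example"]},
    {"mailbox": "cfo@example-mfg.com", "name": "Copy to personal", "created_via": "web",
     "forward_to": ["cfo.home@webmail.example"]},
    {"mailbox": "hr@example-mfg.com", "name": "Cover for leave", "created_via": "desktop",
     "forward_to": ["deputy@example-mfg.com"]},  # internal forward: not reported
    {"mailbox": "sales@example-mfg.com", "name": "Tag newsletters", "created_via": "desktop",
     "subject_contains": ["newsletter"]},  # no forwarding at all: not reported
]


def demo() -> list:
    """Audit the constructed export; returns the four external-forwarding findings."""
    return audit_forwarding_rules(SAMPLE_RULES, INTERNAL_DOMAINS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['mailbox']} rule '{finding['name']}' ({finding['scope']})")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The report is the input to a human decision, not an automatic block: a blanket external forward on an executive mailbox and a keyword-filtered one on an accounts-payable mailbox both deserve a phone call to the owner. Running the audit against the server-side rule export, rather than what a desktop client displays, is the point the PIN makes about syncing, since a rule created in the web client is otherwise invisible to anyone looking at the desktop.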
    The FBI PIN comes after the FBI reported earlier this year that BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.


    Google launches Android Enterprise Essentials aimed at SMBs


    Google said it is launching Android Enterprise Essentials, a mobile device management service for small enterprises.
    Based on the Android Enterprise Recommended program, Google’s Android Enterprise Essentials is a pared-down version with default features for smaller budgets. Google is trying to address the reality that smaller organizations are often targeted by cybercriminals.
    Features include:
    Requiring a lock screen and encryption on devices to prevent unauthorized access to company data.
    Enforcing mandatory malware protection with an always-on Google Play Protect.
    The ability to wipe all company data from a device.
    The core security features are applied automatically without the need to configure devices.
    Google noted that Android Enterprise Essentials is aimed at small businesses but may also work for large companies that don’t need advanced capabilities.


    Microsoft removes 18 malicious Edge extensions for injecting ads into web pages

    Microsoft has removed 18 Edge browser extensions from the Edge Add-ons portal after the extensions were caught injecting ads into users’ web search results pages.
    The extensions were removed between November 20 and November 25 after Microsoft received multiple complaints from users via Reddit [1, 2, 3].
    A subsequent investigation found multiple abusive extensions that had been uploaded on Microsoft’s new fledgling Edge Add-ons portal.
    According to a list shared by a Microsoft community manager, the 18 extensions can be grouped into two categories. The first one is for extensions that tried to pass as the official versions of various apps, even if those apps didn’t have official versions for Edge. This included:
    NordVPN
    Adguard VPN
    TunnelBear VPN
    Ublock Adblock Plus
    Greasemonkey
    Wayback Machine

    The second list contained extensions that were copied from authentic Chrome extensions, ported to Edge, and then had malicious code inserted. This included:
    The Great Suspender
    Floating Player – Picture-in-Picture Mode
    Go Back With Backspace
    friGate CDN – smooth access to websites
    Full Page Screenshot
    One Click URL Shortener
    Guru Cleaner – cache and history cleaner
    Grammar and Spelling Checker
    Enable Right Click
    FNAF
    Night Shift Redux
    Old Layout for Facebook
    “If you were using any of these extensions installed directly from the Microsoft Edge Addon store, we suggest removing them from edge://extensions,” Microsoft said last month.
    The findings highlight that even with a small userbase, Edge has already piqued the interest of cybercrime groups that have been flooding the Chrome and Firefox extension stores with malicious add-ons for the past decade.

    As the browser continues to see its usage numbers grow, these types of incidents are expected to become more common, as malware authors usually go where the users are.