Eraser – Windows Secure Erase Hard Drive Wiper

The New Acunetix V12 Engine


Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.

Eraser - Windows Secure Erase Hard Drive Wiper


Eraser is a Windows focused hard drive wiper and is currently supported under Windows XP (with Service Pack 3), Windows Server 2003 (with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7,8 ,10 and Windows Server 2012.

Secure drive erasure methods are supported out of the box. Erases files, folders and their previously deleted counterparts. Works with an extremely customizable scheduler.

Why a Secure Erase Hard Drive Wiper is important?

A lot of people underestimate the importance of this, especially if you are throwing out an old hard disk or selling something on that contains a hard disk (an old laptop or desktop).

Your first thought may be that when you ‘delete’ the file, the data is gone. But that is not true, when you delete a file, the operating system does not really remove the file from the disk; it only removes the reference of the file from the file system table.

The file remains on the disk until another file is created over it, and even after that, it might be possible to recover data by studying the magnetic fields on the disk platter surface.

Before the file is overwritten, anyone can easily retrieve it with a disk maintenance or an undelete utility.

That is why it’s critical to erase your disks properly before finding them a new home (be that a bin, recycling plant or selling them on).

Depending on the value of the date, select one of the below secure wipe algorithms.

Secure Erase Hard Drive Wiper Methods


Pseudorandom data, 1 Pass, The fastest wiping scheme. Your data is overwritten with random data (if you use a CSPRNG the data is indistinguishable from random noise.)

British HMG IS5 (Baseline), 1 Pass, Your data is overwritten with zeroes.

Russian GOST P50739-95, 2 Passes, GOST P50739-95 wiping scheme calls for a single pass of zeroes followed by a single pass of random data

British HMG IS5 (Enhanced), 3 Passes, British HMG IS5 (Enhanced) is a three pass overwriting algorithm: first pass – with zeroes, second pass – with ones and the last pass with random data.

US Army AR380-19, 3 Passes, AR380-19 is data wiping scheme specified and published by the U.S. Army. AR380-19 is three pass overwriting algorithm: first pass – with random data, second with a random byte and the third pass with the complement of the 2nd pass

US Department of Defense DoD 5220.22-M (E), 3 Passes, DoD 5220.22-M (E) is a three pass overwriting algorithm: first pass – with zeroes, second pass – with ones and the last pass – with random data

US Air Force 5020, 3 Passes, US Air Force 5020 is a three pass overwriting algorithm with the first pass being that of a random byte, followed by two passes of complement data (shifted 8 and 16 bits right respectively)

US Department of Defense DoD 5220.22-M(ECE), 7 Passes, DoD 5220.22-M(ECE) is seven pass overwriting algorithm: first, fourth and fifth pass with a random byte, its 8 right-bit shift complement and 16 right-bit shift complement; second and sixth passes with zeroes, and third and seventh pass with random data

Canadian RCMP TSSIT OPS-II, 7 Passes, RCMP TSSIT OPS-II is a seven pass overwriting algorithm with three alternating patterns of zeroes and ones and the last pass – with a random byte

German VSITR, 7 Passes, The German standard calls for data to be overwritten with three alternating patterns of zeroes and ones and in the last pass with random data

Schneier’s Algorithm, 7 Passes, The Bruce Schneier algorithm has seven passes: first pass – with ones, the second pass – with zeroes and then five times with random data

You can download Eraser here:

Eraser 6.2.0.2982.exe

Or read more here.


Topic: Privacy

Web Security Stats Show XSS & Outdated Software Are Major Problems

The New Acunetix V12 Engine


Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.

Web Security Stats Show XSS & Outdated Software Are Major Problems

Data-based stats like these, which are not based on surveys, can be pretty useful – at least to get a broad overview of what is going on. These statistics also serve a solid purpose – they help all developers, security professionals and anyone who works with web applications better understand what might be going wrong.

XSS is way more common than SQL Injection

SQL Injection has been the most critical web application vulnerability in the last decade according to the OWASP Top 10 list of most critical web application security flaws (yeah come-on guys, we are still waiting for the new version!). Though the Netsparker statistics show us that it is the other way round, at least in terms of volume.

26% of the identified vulnerabilities, 40,908 to be exact, were a mix of reflected and DOM Cross-site scripting (XSS) vulnerabilities. Only 2% of the identified vulnerabilities were SQL Injections.

That is a big discrepancy, though this is not a surprise according to the authors. They said:

Developers have a lot of resources to write code that is not vulnerable to SQL Injections, such as prepared statements. New frameworks by default protects against SQL Injection and makes it quite hard to write insecure SQL code. On the other hand XSS vulnerabilities are much more complex to address and even when the framework has built-in protection, it’s very easy to make mistakes

Outdated & vulnerable software is still a major web application security risk

Update your apps, your server, your software – Apple, Google, Microsoft are constantly harping on this topic but it doesn’t seem to help that much.

It’s one of the easiest best practices to follow, especially in modern times with automated updates and patch management software easily available.

Insecure software versions are a problem

It seems not to be the case that people are following it with 5% of the identified issues related to outdated software.

If Equifax and Mossack Fonseca had their software up to date, last year we wouldn’t have had two of the biggest data breaches on the internet.

Accuracy is key to more secure web applications

There are several other statistics from which we can learn something from, an interesting one for me was the fact that Netsparker automatically verified around 80% of the identified vulnerabilities.

False positives are a big problem in automated vulnerability and security scanning as someone has to manually spend hours verifying the results and weeding out the false positives. With Netsparker automatically doing this, a smaller team can do more effective work and a larger team can be more productive doing less manual verification.

Read The Netsparker Scan Web Security Stats Report

The report is much more detailed and has much more statistics, so please read the Netsparker scan statistics report for all the numbers and common security issues that make web applications vulnerable to malicious hacker attacks and can save you from some embarrassment.


Topic: Countermeasures

CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains

The New Acunetix V12 Engine


CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.

CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains


You missed AXFR technique didn’t you? (Open DNS zone transfers), so how does it work? CTFR does not use dictionary attack or brute-force attacks, it just helps you to abuse Certificate Transparency Logs.

What is Certificate Transparency?

Google’s Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.

From: http://www.certificate-transparency.org/

Usage of CTFR to Abuse Certificate Transparency Logs

Example:

This is quite a new and novel technique compared to more traditional scripts like DNSRecon – DNS Enumeration Script.

You can download CTFR here:

ctfr-master.zip

Or read more here.


Topic: Hacking Tools

testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws

Use Netsparker


testssl.sh is a free command line tool to test SSL security, it checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws


testssl.sh is pretty much portable/compatible. It is working on every Linux, Mac OS X, FreeBSD distribution, on MSYS2/Cygwin (slow). It is supposed also to work on any other unixoid systems. A newer OpenSSL version (1.0) is recommended though. /bin/bash is a prerequisite – otherwise there would be no sockets.

Features to Test SSL Security in testssl.ssh

  • Clear output: you can tell easily whether anything is good or bad
  • Ease of installation: It works for Linux, Darwin, FreeBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.
  • Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
  • Toolbox: Several command line options help you to run YOUR test and configure YOUR output
  • Reliability: features are tested thoroughly
  • Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you’ll get a warning
  • Privacy: It’s only you who sees the result, not a third party
  • Freedom: It’s 100% open source. You can look at the code, see what’s going on and you can change it. Heck, even the development is open (github)

Usage of testssl.sh SSL Security Testing Tool


Similarly there is also:

TLSSLed v1.2 – Evaluate The Security Of A Target SSL Or TLS (HTTPS) Web Server Implementation

You can get testssl.sh here:

Latest zip: testssl.sh-3.0rc2.zip

Or read more here.


Topic: Security Software
Four Year Old libSSH Bug Leaves Servers Wide Open

Four Year Old libssh Bug Leaves Servers Wide Open

A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn’t that big as neither OpenSSH or the GitHub implementation are affected. The bug is in the not so widely used libSSH library, not to be confused with libssh2 or OpenSSH – which are very widely used. […]

Topic: Exploits/Vulnerabilities
CHIPSEC - Platform Security Assessment Framework

CHIPSEC – Platform Security Assessment Framework For Firmware Hacking

CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and UEFI shell. You can use CHIPSEC to find vulnerabilities […]

Topic: Hardware Hacking