Debian Security Advisory 3488-1

Debian Linux Security Advisory 3488-1 – Aris Adamantiadis discovered that libssh, a tiny C SSH library, incorrectly generated a short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. This flaw could allow an eavesdropper with enough resources to decrypt or intercept SSH sessions.
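To make the size of the defect concrete, here is an added illustration (not code from the advisory or from libssh) of a group1 exchange with ephemeral secrets of the flawed and the recommended length, plus the check a reviewer would apply to the private exponent. It assumes the 1024-bit MODP group from RFC 2409 with generator 2, which is the group diffie-hellman-group1-sha1 uses.

```python
import secrets

# RFC 2409 1024-bit MODP group (Oakley group 2), generator 2.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

# Recommended ephemeral secret sizes per method, as stated in the advisory.
MIN_SECRET_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
}


def ephemeral_secret(bits):
    """Random private exponent of exactly `bits` bits (top bit forced on)."""
    return secrets.randbits(bits) | (1 << (bits - 1))


def secret_is_adequate(x, method):
    """The check libssh effectively failed: is the exponent long enough?"""
    return x.bit_length() >= MIN_SECRET_BITS[method]


def search_work_bits(x):
    """log2 of the group operations a square-root (Pollard lambda) search needs
    to recover x when only its bit length is known: roughly 2**(bits/2).
    A 128-bit exponent is therefore about 2**64 work, not 2**512."""
    return x.bit_length() // 2


def key_exchange(x_client, x_server, p=P_GROUP1, g=G):
    """Plain DH: both sides derive the same shared secret K."""
    e = pow(g, x_client, p)        # client's public value
    f = pow(g, x_server, p)        # server's public value
    k_client = pow(f, x_client, p)
    k_server = pow(e, x_server, p)
    assert k_client == k_server
    return k_client


if __name__ == "__main__":
    weak, good = ephemeral_secret(128), ephemeral_secret(1024)
    print("weak ok:", secret_is_adequate(weak, "diffie-hellman-group1-sha1"),
          "work 2^%d" % search_work_bits(weak))
    print("good ok:", secret_is_adequate(good, "diffie-hellman-group1-sha1"),
          "work 2^%d" % search_work_bits(good))
```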

Avast finds personal data on phones sold at pawn shops

Many people sell their used smartphones but fail to ensure their personal data is wiped away.

A year and a half ago, Avast mobile security researchers bought 20 used phones from online consumer-to-consumer sites, like eBay and Amazon, in the USA. Using easily available recovery software, they were able to access more than 40,000 personal photos, emails, and text messages.

Since then, smartphone technology has progressed and numerous educational articles have been published to inform people about cleaning their phones before selling, so we wanted to see what would happen if we did a similar experiment now. This time, our researchers bought phones from pawn shops: Five devices each in New York, Paris, Barcelona, and Berlin — and again, used widely available free recovery software to detect the data found on the devices.


Because all the phones in this experiment came from pawn shops, Avast researchers were able to consult with the shop owners prior to purchasing the phones. Each shop owner assured them that the phones had been factory reset and that all data from previous owners was wiped clean. Avast found otherwise. Twelve of the supposedly clean phones were not clean at all.

Avast retrieved more than 2,000 personal photos, emails, text messages, invoices, and one adult video from the phones, all of which the prior owners assumed had been deleted. On two of the phones, the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name.

Avast researchers were able to recover the following files from the 20 phones:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners’ identities
  • Three invoices
  • One working contract
  • One adult video

Why did these phones still have data on them?

Of the phones that were factory reset, 50 percent still contained personal data because the previous owner was running an outdated version of Android with an improperly functioning factory reset feature. Some of the previous owners only deleted their files without doing a factory reset. However, this doesn't mean that the files were removed completely: only the reference to the file was deleted, and the file's contents remain on the storage until overwritten. Other phone owners simply forgot to delete their data or do a factory reset. It is also possible that some of these phones were lost, and so were never wiped clean of data before they arrived at the pawn shop.

Scenarios such as these highlight both the responsibility of shop owners to properly wipe and reset phones prior to sale, and the need for phone owners to use anti-theft software so that, in case their phone is lost or stolen, they can remotely wipe the data.

“New Android phones are pretty safe when it comes to the factory reset, but used phones with older Android versions that have a less thorough reset feature are still being sold,” said Gagan Singh, president of mobile at Avast Software.

How to make sure you don’t sell your identity along with your old phone

If you are selling a phone with an older version of Android (version 4.3 is the last one where factory reset did not work properly for some devices), then you cannot depend on the factory reset to ensure your personal data is wiped clean. Deleting files from your Android phone before selling it or giving it away is also not enough. You need to overwrite your files, making them irretrievable. To do so, install Avast Anti-Theft from the Google Play Store for free.

Your mobile device must be connected to your Avast account at https://my.avast.com. Linking your device to your Avast account also allows you to remotely wipe your phone in case it’s stolen or lost.

The final step is to wipe the phone clean, which will delete and overwrite all of your personal data.

Once the app is installed, turn on the WIPE command within the app.

  • Choose WIPE in the Send command column and click Send.
  • Confirm that you really want to delete all your data from the mobile phone.
  • To delete, click Send; otherwise click Cancel. Your mobile will be rebooted.
  • The WIPE command will erase all data on your mobile and initiate a factory reset.

Avast at Mobile World Congress

Avast Mobile Security is at Mobile World Congress in Barcelona in Hall 8.1 (App Planet), Booth H65 this week, until February 25. Please stop by if you are around.