Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/28/2018
02:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

65% of Resold Memory Cards Still Pack Personal Data

Analyzed cards, mainly from smartphones and tablets, contained private personal information, business documentation, audio, video, and photos.

Wipe your device, then check it twice: A new study has found most secondhand memory cards contain personal information belonging to previous owners who either failed to properly remove their data or didn't attempt to delete it at all.

"We make such a big deal out of Facebook giving away our details, but many of us just leave this stuff out there on our local memory," says Comparitech privacy advocate Paul Bischoff.

In a study conducted by the University of Hertfordshire and commissioned by Comparitech, researchers bought and analyzed 100 used SD and micro SD memory cards from eBay, secondhand shops, auctions, and other sources over a four-month period. They created a forensic image of each card and used freely available software to recover data.

Most of the cards came from smartphones and tablets, Bischoff says, but some also came from satellite navigation systems, cameras, and drones. Sixty-five of the 100 cards analyzed still contained troves of personal materials: contact lists, browsing histories, intimate photos, passport copies, resumes, identification numbers, and business documentation, among them.

"It's really easy when people get a new device to just throw out the old one and get rid of it completely," Bishop notes. "If this information gets out there into the wrong hands, it could do a lot of damage … identity theft, extortion, blackmail."

Only twenty-five cards had been properly wiped so that no information could be recovered. Thirty-six were not wiped at all; neither their owners nor sellers took any steps to try and erase the data, either. Twenty-nine appeared to have been formatted, meaning their owners attempted to try and erase their information, but data still could be revered "with minimal effort," researchers explain. Four were broken, four were blank, and two had had their data deleted, but it was easily recoverable.

If a card is tossed without the proper precautions, Bischoff says, it's fairly easy for any third party to access the data inside. "It really doesn't take much know-how," he explains, noting that the researchers used free forensics software they found online to recover information.

Their findings indicate how device owners, businesses, and resellers are responsible for wiping information before it falls into someone else's hands. Users need to be more careful about deleting their data, of course, but resellers also need to properly wipe devices sold to them. Card manufacturers also play a role in making the process of erasing and disposing of cards both easier and more apparent for users, Bischoff adds.

"If it's corporate-owned, it really depends on what the business structure is for dealing with this sort of thing," he continues. In the case of BYOB devices, IT teams might not be able to remotely control or access an employee's smartphone or tablet. Bischoff says the cards containing business data in this study were likely personal and that the owners downloaded sensitive files.

Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.

Researchers anticipate problems related to improperly erased data will continue as local storage gets less expensive and people store more types of information on memory cards. However, Bischoff argues, the expansion of cloud storage will cause people to shift.

"Obviously storage demands are increasing, but the rise of the cloud will minimize the effects to some degree," he says. "I think people will store in the cloud and skip local storage altogether."

How to Properly Delete Data
If you plan on reselling your smartphone, laptop, camera, or other device equipped with an SD or micro SD card, you need to properly delete the data. Many people try to wipe their SD cards but fail to get rid of all the information. Simply deleting a file from the device doesn't actually delete the ones and zeroes that make up the file; those stay on the device until overwritten.

You need to perform the "full format," not "quick format," Bischoff says. The process varies depending on your operating system, but both Windows and Mac devices have built-in formatting to erase all information from an external storage device.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OliverJ237
50%
50%
OliverJ237,
User Rank: Apprentice
8/3/2018 | 3:13:39 AM
Re: Not just memory cards
Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.,electronic components,https://www.allicdata.com
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/2/2018 | 8:34:28 AM
Not just memory cards
Ages ago I purchased an Ebay Lexmark priner for a medical office I supported - it was identical to other systems so installation would be smooth, same drivers.  it arrived, worked great and when I hooked it up, a ton of saved print jobs from WHEREVER IT CAME FROM before starting winding out.  About 50 of them.  So not just cards but any memory device can have data. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10136
PUBLISHED: 2020-06-02
Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access cont...
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.