Information Security

If You’re Paranoid, Remove TeamViewer

So, naturally, this is in response to the recent allegations that TeamViewer has been hacked…

While TeamViewer hasn’t admitted to having been breached, and although what they’ve suggested is completely plausible, one thing is clear: What has been reported thus far doesn’t give me the warm and fuzzy … so I’m going to play it safe for now.

I put together a script to remove TeamViewer from not only ma own machines, but also from the machines of friends and family I often support.  I’ve run this on Windows 7+ and so far it works as expected.  If you run into an issue, let me know and I’ll do what I can to troubleshoot asap.

Also

  1. If you’re not using a password manager or are still using easy to remember passwords or are recycling/reusing passwords across multiple sites;
  2. If you’re not using two-factor authentication (2FA)

You really should reconsider.  Check yourself out on https://haveibeenpwned.com/ to see what accounts may have been compromised in a data breach and take the necessary precautions.

This needs to be run from an elevated PowerShell console or ISE.

# Define TeamViewer Installation directory array for use below
$arrTVInstallDirs = @()

# Define TeamViewer Uninstaller EXE's for use below
$arrTVUninstallers = @()

# Get TeamViewer Install Directories for both architectures
$arrTVInstallDirs += gci $env:ProgramFiles *TeamViewer*
if($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $arrTVInstallDirs += gci ${env:ProgramFiles(x86)} *TeamViewer* }

# Loop through each 'TeamViewer' directory for EXE's and kill those processes
foreach($TVInstallDir in $arrTVInstallDirs)
    {
        write-host "Processing TVInstallDir [$($TVInstallDir.FullName)]"
        Foreach($TVEXE in $(gci -Path $($TVInstallDir.FullName) -Recurse *.exe))
            {
                if($TVEXE.Name -eq 'uninstall.exe') { $arrTVUninstallers += $TVEXE }
                write-host "Killing Process [$($TVEXE.Name)]"
                Stop-Process -Name $($TVEXE.Name) -Force -ErrorAction SilentlyContinue
            }
    }

# Stop Team Viewer services
Foreach($TVService in $(Get-WmiObject -Class Win32_Service -Filter "Name like '%TeamViewer%'"))
    {
        # Stop Service
        write-host "Stopping Service [$($TVService.Name)]"
        $TVService.StopService() | Out-Null

        # Disable Service
        write-host "Disabling Service [$($TVService.Name)]"
        If($TVService.StartMode -ne 'Disabled') { Set-Service -Name $TVService.Name -StartupType Disabled | Out-Null }

        # Delete Service
        write-host "Deleting Service [$($TVService.Name)]"
        $TVService.Delete() | Out-Null
    }

# Loop through the uninstallers
Foreach($TVUninstaller in $arrTVUninstallers)
    {
        $PSI = New-Object -TypeName 'System.Diagnostics.ProcessStartInfo' -ErrorAction 'Stop'
        $PSI.Arguments = '/S'
        $PSI.CreateNoWindow = $false
        $PSI.FileName = $TVUninstaller.FullName
        $PSI.UseShellExecute = $false
        $PSI.WindowStyle = 'Normal'
        $PSI.Verb = 'runas'

        $Proc = New-Object -TypeName 'System.Diagnostics.Process' -ErrorAction 'Stop'
        $Proc.StartInfo = $PSI

        write-host "Uninstalling TeamViewer [$($TVUninstaller.FullName)]"
        if($Proc.Start() -eq $true)
            {
                write-host "Uninstall started - waiting for it to finish..."
                $Proc.WaitForExit()
                Do { $Proc.Refresh(); Start-Sleep -Seconds 3 } while($Proc.HasExited -ne $true)
                if($Proc.ExitCode -eq 0) { write-host "Uninstall completed successfully! [$($Proc.ExitCode)]" -ForegroundColor Green }
                else { write-host "ERROR: Uninstall completed WITH ERRORS [$($Proc.ExitCode)]" -ForegroundColor Red }
            }
            else { write-host "ERROR Failed to start uninstall [$($TVUninstaller.FullName)] [$($Proc.ExitCode)]" -ForegroundColor Yellow }
    }

 

Good Providence and be safe!

Advertisements

[Im]Practical Disk Wiping for SSD’s

##########################
DANGER WILL ROBINSON!

This post specifically speaks to solid-state drives (aka SSD).
See my previous post for traditional, mechanical, spindle-based hard drives.
I’m not data recovery or security expert so feel free to take this with a grain of salt.

##########################


A while back I wrote about the process I use for wiping my mechanical or spindle-based hard drives.  That process was specific to those ‘traditional’ hard drives because of the way they work and was not meant for SSD’s.  So today, we’ll cover some options for wiping SSD’s.

Please Don’t 9 Pass Wipe Your SSD.  Please. Srsly.

Securely wiping SSD’s is something of a tough subject because SSDs are completely different from mechanical drives.  Wiping them properly is challenging for a variety of reasons which I won’t get into, but just know that doing a 3, 9 or 35 pass wipe on your SSD will (a) not guarantee the data has been wiped and (b) will likely severely reduce the lifespan of your SSD.  I encourage you to research this further via the keyword: Flash Translation Layer.

No matter how you slice it:

  • whether you’re using a trusted solution from a trusted source, OR
  • relying on the built-in commands set by the manufacturer

It all boils down to:

  1. whether or not the SSD manufacturer implemented those special commands properly, AND
  2. whether or not the data was only stored in areas that are able to be reliably sanitized

How Should One Wipe an SSD?

Your best bet is to reach out to the manufacturer of your SSD to get proper guidance on how to properly sanitize your specific SSD.  After all, they know their devices best … at least they should.  Chances are you have an SSD made by one of these manufacturers below, and they all provide some guidance on how to securely erase your SSD, usually by way of a specific utility.
(Listed alphabetically.)

Corsair – http://www.corsair.com/en-us/blog/2013/may/the-corsair-ssd-toolbox

Crucial – http://crucial.i.lithium.com/t5/Crucial-SSDs/SSDs-and-Secure-Erase/ta-p/112580

Intel – https://www-ssl.intel.com/content/www/us/en/support/software/000006084.html

OCZ – http://ocz.com/consumer/download

Samsung – www.samsung.com/samsungssd

SanDisk – http://kb.sandisk.com/app/answers/detail/a_id/16678/~/secure-erase-and-sanitize

There are other manufacturers but you get the idea.  You should also check with the manufacturer of your PC as they may have a utility for your specific configuration.

No matter what: Read everything you can about your specific drive before you do anything.
If in doubt, pick up the phone and call customer support for the manufacturer of your SSD and/or the manufacturer of your PC.

Any Other Options?

Do you have a hardware-based self-encrypting drive (SED) or full disk encryption (FDE) drive?  If so, a good chunk of the work is already done for you because you can ‘crypto erase’ the drive, which a process that throws away the old encryption keys and generates new ones effectively locking you out of the drive.  Although the data is still technically there, because the old encryption keys are permanently lost, there’s no way to access or otherwise retrieve the data.  The only downside is that you have to have one an SED, which are usually more expensive and typically found in business-class hardware.  Unless you specifically ordered a [TCG] OPAL SSD, you probably don’t have one.

If you don’t have a self-encrypting SSD, the best alternative would be to encrypt the drive using BitLocker then wipe it using the appropriate method or utility for your SSD.

How Am I Wiping SSD’s?

I’m not.  Truthfully, SSD’s are relatively new to my personal ecosystem so I have not yet had the need to wipe one.  But I do know that it’s something I’ll need to have an answer for some day.  If I had to do it today I’d first take my own advice above, before exploring something like Parted Magic.  That said, I am leaning towards WipeDrive (consumer | small business | enterprise) or Blancco 5 due to their reputation, but I prefer solutions that will integrate with my existing MDT and SCCM environments.

 

Good Providence and practice safe erasing!

 

Practical Disk Wiping (NOT for SSDs)

##########################
DANGER WILL ROBINSON!

This post specifically speaks to traditional mechanical or spindle-based hard drives.
This post is NOT for solid-state drives (aka SSD)
See this post for guidance on how to wipe SSD’s.

I’m not data recovery or security expert so feel free to take this with a grain of salt.

##########################


Over the years I’ve collected quite a few mechanical/spindle drives at home.  Most of them were inherited from other systems I acquired over time, some gifts and some purchased by myself.  As needs grew and technology evolved, I upgraded to larger drives here and there, made the move to SSDs on some systems and kept the old drives in a box for future rainy day projects.  Well there haven’t been too many rainy days and I’m feeling it’s time to purge these drives.

I’ve explored some professional drive destruction services, but honestly I don’t trust some of the more affordable ones, and the ones I do trust are almost prohibitively expensive.  And by that I mean: While I don’t want someone perusing through my collection of family photos, music and what little intellectual property I may like to think I have, I also don’t know what dollar amount I’m willing to pay to keep said privacy.

I’ve always been a big fan of dd and dban, the latter of which has been my recommended go-to disk wiping solution, and was even the solution employed by one of my past employers.  But being that I live in a Windows world driven largely by MDT and SCCM,  I wanted something I could easily integrate with that environment, leveraging “ubiquitous utilities” and minimizing reliance on third-party software.

TL;DR

Leverage some built-in and easily accessible Windows utilities to secure and wipe your mechanical disks.

Diskpart

Diskpart has the ability to ‘zero out’ every sector on the disk.  It only does a single pass so its not ideal, but its at least a start.

@"
sel vol $VolumeNumber
clean all
cre par pri
sel par
assign letter=$VolumeLetter
exit
"@ | Out-File $env:Temp\diskpart.script

diskpart /s $env:Temp\diskpart.script

]

Cipher

Cipher is something of a multi-tool because you can not only use it to encrypt directories and files, but also perform a 3 pass wipe – 0x00 on the first, 0xFF on the second & random on the third – that will remove data from available unused disk space on the entire volume.

Unfortunately cipher doesn’t encrypt read-only files which means you’d have to run something ahead of time to remove that property before encrypting and you should use the /B switch to catch errors otherwise it will just continue.

# remove read-only properties
Try{gci $Volume -Recurse | ? { $_.IsReadOnly -eq $true } | Set-ItemProperty -Name IsReadOnly -Value $false }Catch {}

# encrypt
cipher /E /H /S:$Volume

# 3-pass wipe
cipher /W:$Volume

BitLocker

BitLocker won’t wipe your disk, but it will allow you to securely encrypt whatever data may be on there.

Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -Password $(ConvertTo-SecureString "123 enter 456 something 789 random 0 here!@*@#&" -AsPlainText -Force) -PasswordProtector

Format

Format allows you to zero out every sector on the volume and also overwrite each sector with a different random number on each consecutive pass.

format $Volume /FS:NTFS /V:SecureWiped /X /P:$Pass /Y

SDelete

Dating back to the Windows XP and Server 2003 days, this a tried and true utility’s sole purpose is to wipe data securely erase, both file data and unallocated portions of a disk, and offers an appreciable number of options:

  1. Remove Read-Only attribute
  2. Clean free space
  3. Perform N number of overwrite passes
  4. Recurse subdirectories
  5. Zero free space

In fact, sdelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M.  Boom goes the dynamite.

sdelete.exe -accepteula -p $Pass -a -s -c -z $Volume

The Plan

I do most of my wiping from a Windows 10 machine, versus WinPE, so diskpart, cpher, bitlocker and format are all available to me.  Sdelete however does require downloading the utility or at least accessing it from the live sysinternals site.

Knowing this, I follow this wiping strategy that I feel is ‘good enough’ for me.

Please Note: If you research ‘good enough security’, you’ll see that in reality it’s really not good enough so please don’t practice that.
.

1 – Run diskpart’s clean all on the Drives

I mostly do this just to wipe the partitions and zero everything out.

2 – Encrypt the Drives with BitLocker

If anything’s left, its encrypted using the XTS-AES encryption algorithm using a randomly generated 128 ASCII character long password.  (256 is the max by the way…)

3 – Wipe the Drives

When it comes to wiping drives, one pass is arguably sufficient, but I typically cite the well known & ever popular DoD 5220.22-M standard.  But what exactly is this alleged well-known standard?

The ODAA Process Manual v3.2 published in November of 2013 contains a copy of the ‘DSS Clearing and Sanitization Matrix‘ on page 116, which outlines how to handle various types of media for both cleaning and sanitization scenarios:

Cleaning:

  • (a) Degauss with a Type I, II, or III degausser.
  • (c) Overwrite all addressable locations with a single character utilizing an approved overwrite utility.

Sanitizing

  • (b) Degauss with a Type I, II, or III degausser.
  • (d) Overwrite with a pattern, and then its complement, and finally with another unclassified pattern (e.g., “00110101” followed by “11001010” and then followed by “10010111” [considered three cycles]).  Sanitization is not complete until three cycles are successfully completed.
  • (l) Destruction

I’m guessing the average person doesn’t have a degausser, and since I left mine in Cheboygan, I have to consider other options.  If you’re planning on donating, selling or otherwise repurposing this hardware – as I am – physical destruction of the drive isn’t an option.  This leaves me with performing a combination of ‘c’ and ‘d’ using a utility of my choosing as the document doesn’t specify what an “approved overwrite utility” is.

Because of sdelete’s reputation, its the most desirable utility from the get go.  But I’m of the opinion that between cipher and format, you have another multi-pass wipe solution at your disposal.  Also, I default to a 3 pass wipe since 7, 35, 42 (or more) passes really are not necessary
But if you’re paranoid, sky’s the limit pass wise and you should consider destroying your drives.

4 – Lock the Drive

The drive has been encrypted and wiped so before I move forward with the validation/verification phase, I take the key out of the ignition by locking the drives:

Lock-BitLocker -MountPoint $Volume

5 – Verification

I don’t have access to a state-of-the-art data recovery facility, so I do my best with a handful of utilities that recover both files and partitions.  Just search for data recovery, partition recovery, undelete software and that’s pretty much what I used.

For this post I downloaded 16 data recovery utilities to see what could be recovered:

  • The large majority of them couldn’t even access the drives and failed immediately.
  • Some fared better and were able to perform block-level scans for data and found nothing.
  • A few applications allegedly found multiple files types ranging from 200MB to 4GB.
    • For example, two different apps claimed to have found several 1-2GB SWF’s, a few 1GB TIFF’s and some other media formats as well.
    • I know for a fact I didn’t have any SWF’s and if I did have a one or two TIFF’s, they were nowhere near 1GB.
    • I’m guessing the applications are using some sort of algorithm to determine file type in an effort to piece things together.
  • I restored a few of those files but I wasn’t unable to reconstruct them into anything valuable.  Please note that I’m not known for being a hex-editing sleuth.
    .

Where Did I End Up?

If NIST Special Publication 800-88r1 is to be believed:

… a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.

I’m pretty confident there’s no real tangible data left considering I used a few multi-pass wipes then encrypted the drive.

Gotcha’s and Other Considerations

  • In my environment, Internet access isn’t a problem so I use sdelete from the live sysinternals site in both Windows and WinPE (MDT and SCCM).  The plus side is that I don’t have to bother adding it to the boot image, packaging it, downloading it somewhere or storing it in %DeployRoot% or %ScriptRoot%.
  • However, at the moment, sdelete will not work in an amd64 WinPE environment which is problematic for UEFI environments booting x64 boot media.
    .
  • The XTS-AES encryption algorithm is only supported by BitLocker on Windows 10 but you could fall back on AES256 if you’re on Windows 7 or 8/8.1.
    .
  • If you don’t have BitLocker cmdlets (I’m looking at you Windows 7) you’ll have to automate it using manage-bde or do it manually via the Control Panel.

When I think of that the old “security is like an onion…” adage, I believe there’s value in taking multiple approaches:

  • Use diskpart to zero out the drive.
  • Use cipher to wipe the drive a few times taking into consideration that each execution does 3 passes.
  • Perform an N pass format.
  • Encrypt the drive with BitLocker using up to a 256 (max) ASCII character long password.
  • Use sdelete from the live sysinternals site to perform an N pass wipe
  • Lock the drive leaving it wiped but encrypted.
  • Destroy the drive yourself with a hammer and a handful of nails in a few strategic locations.

Below is the framework for the ‘fauxlution’ I came up with.
It does include the cipher encryption step but not BitLocker. (See above for that)

[CmdletBinding()]
Param
     (
        [Parameter(Mandatory=$false)]
            [string[]]$Volume,

         [Parameter(Mandatory=$false)]
            [int]$Pass = 7
    )

if(!($Volume)) { [array]$Volume = $(((Read-Host -Prompt "Enter volume to utterly destroy.") -split ',') -split ' ').Split('',[System.StringSplitOptions]::RemoveEmptyEntries) }
if(!($Pass)) { [int]$Pass = Read-Host -Prompt "Enter number of passes." }

Foreach($Vol in $Volume)
    {
        $Vol = $Vol.Substring(0,1) + ':'
     if($Vol -eq $env:SystemDrive) { write-host "ERROR: Skipping volume [$Vol] as it matches SystemDrive [$env:SystemDrive]"; continue }
     If(!(Test-Path $Vol)) { Write-Host "Error: Volume [$Vol] does not exist!"; continue }

     <# Diskpart Section #>
     "lis vol`r`nexit" | Out-File $env:Temp\diskpart-lisvol.script -Encoding utf8 -Force
     [int32]$VolNumber = 999; [int32]$VolNumber = (diskpart /s "$env:Temp\diskpart-lisvol.script" | ? { $_ -like "* $Volume *" }).ToString().Trim().Substring(7,1)
     if($VolNumber -eq 999) { Write-host "No VolNumber Found For Volume [$Volume]";break }
     #"sel vol $VolNumber`r`nclean all`r`ncre par pr`r`nsel par 1`r`nassign letter=$Vol`r`nexit" | Out-File $env:Temp\diskpart-cleanall.script -Encoding utf8 -Force
     #$dpResult = diskpart /s "$env:Temp\diskpart-lisvol.script"

     <# Cipher Section #>
     #Try { gci $Vol -Recurse | ? { $_.IsReadOnly -eq $true } | Set-ItemProperty -Name IsReadOnly -Value $false } Catch {}
     #cipher /E /H /S:$Vol
     #for($i=0; $i -lt $([System.Math]::Round($Pass/3)); $i++) { cipher /W:$Vol }

     <# Format Section #>
     #format $Vol /FS:NTFS /V:SecureWiped /X /P:$Pass /Y

     <# SDelete Section #>
     if(!(Get-Command "sdelete.exe" -ErrorAction SilentlyContinue))
         {
             Try
                {
                    $NPSDResult = New-PSDrive -Name LiveSysinternals -PSProvider FileSystem -Root \\live.sysinternals.com\tools -ErrorAction Stop
                    if(!(Test-Path LiveSysinternals:\sdelete.exe -PathType Leaf)) { Debug-Echo "ERROR: Unable to locate sdelete"; Remove-PSDrive $NPSDResult -Force -ea SilentlyContinue; break }
                    $OrigLocation = (Get-Location).Path
                    Set-Location LiveSysinternals:
                }
             Catch { Debug-Echo "ERROR: Unable to connect to live.sysinternals.com"; break }
         }
     #sdelete.exe -accepteula -p $Pass -a -s -c -z $Vol
     if($OrigLocation) { Set-Location $OrigLocation; Remove-PSDrive $NPSDResult -Force -ea SilentlyContinue }
 }

 

Two things about this:

  1. I added a check to make sure you’re not accidentally blowing away your SystemDrive.
  2. All the damaging code is commented out to minimize accidental execution.  Only uncomment after you’ve debugged the script in  your environment.

It may not be worthy for use in corporate environments or to even replace whatever your current wiping solution is.
But if you’re not doing anything, please consider starting here!

 

Good Providence!