Friday 11 December 2009

Facebook Privacy Settings Change Swindle

I logged onto Facebook today and to my utter horror I was automatically forced to a page to accept changes to my privacy settings. These privacy settings had defaulted to new settings to replace my existing "secure" settings, which are configured to protect my personal information from strangers.

Now I wasn't caught out by this cheap stunt, but I fear many people who had previously made the effort to configure their Facebook accounts to only share their private information with friends they know may have been tricked.

I only blogged about how to configure Facebook securely a couple of weeks ago: http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html My blog posting was aimed at protecting children using Facebook, and I fear this forced privacy settings change will have caught out many children, as I find children tend to have a "just click and don't read properly" approach when using the Internet. Facebook are forcing this privacy change screen on all their users; a user cannot use any element of Facebook until they click the "Save Settings" button.

I just think this is an utter disgrace and a crime against privacy; it's about time social networking sites were regulated to ensure they understand their responsibility in protecting their customers' personal information, rather than profiteering as much as they can out of it. The simple reason why Facebook want their users to share their private information more is to generate more traffic to their site, which in turn leads to more advertising revenue. Facebook should be doing the complete opposite and suggesting default privacy settings which share only with friends.

Make no mistake, the "Friend of a Friend" setting means "Strangers" will be accessing your personal information and your family photos, so make sure you are not deceived by Facebook's downright reckless approach to protecting your personal information.

Monday 30 November 2009

Child Facebook Safety

Recently I was invited to participate in a Radio Five Live debate on children’s usage of social networking sites, and specifically child bullying within Facebook. Various parents were calling the radio programme and saying their children had suffered from issues like cyber bullying and the receipt of obscene messages from perverts. Several individuals thought the answer was to prevent their children using social networking websites, and some even suggested banning children from using the Internet altogether.


The main point I made was that banning children from using social networking sites like Facebook, Bebo and MySpace will just not work; for one, banning illegal activities like under-age smoking and drinking doesn’t work, so sooner or later children will find a way to access social networking websites anyway, which isn’t illegal by the way. Furthermore, preventing a child from using the home PC is a reckless approach in the information age and a pretty pointless exercise, as children can access the internet and social networking from their mobile phones, on school computers, perhaps on a friend’s laptop; crikey, they can even access social networking sites through a games console!

The clear answer I gave to this problem: cyber education. Not the usual optional Internet awareness classes given out of hours in secondary school, but mandatory classes on how to use the Internet safely in the later years of primary school. For me this type of Information Communication Technology (ICT) education should not just be akin to the “don’t talk to strangers” and “crossing the road safely” type of education, but needs to be as essential as Maths and English. School ICT lessons simply should not be just about doing a bit of Desktop Publishing and putting together PowerPoint presentations, but should be about the essential “life” skills of keeping safe and secure when online.

While talking on Five Live about my thoughts on this subject, I went on to give five things which our primary school children should be taught about social networking, and which parents should be aware of too; apart from cyber bullying, social networking is the favourite tool of identity thieves. These five pieces of advice were:

1. USE GOOD FRIENDS MANAGEMENT

Child Advice: The first golden rule is to only accept friend requests from people you know, and by know I mean have actually met face-to-face. Secondly, only accept friend requests from people you actually like. Just because you know someone, it does not necessarily mean you like them. If you don’t get on with someone, don’t accept them as a friend, as usually this leads to no good. Remember a social networking site is not supposed to be about collecting as many friends as you can. If you have 100s of friends on your friends list, you are just asking for trouble, as no doubt most of these “friends” will be strangers, amongst whom there will always be some bad apples.

Parent Advice: If your child has more than 10 to 15 friends on their social networking friends list, you should be concerned; ask your child to go through their friends list and confirm who they are. Also understand that most social networking sites use all sorts of “rewards” to encourage their users to amass friends; some sites, like Twitter, are based on it. In the case of Twitter, see points 2 and 3.

2. CHECK YOUR PRIVACY SETTINGS

Child Advice: Make sure your privacy settings are fully on; in particular, ensure you are only sharing your personal postings and pictures with “Friends only”. The “Friends of Friends” setting is not good, while “Public” is just asking for trouble.

Parent Advice: Periodically double check the social networking privacy settings as per the child advice. Some social networking sites default new accounts to privacy fully on, but not all; for example Twitter’s privacy settings are off by default. However, many applications within social networking sites tend to fool children (and adults) into switching these settings off. Leaving privacy settings off allows the world (strangers) to see your child’s comments and pictures.

3. WHAT GOES ONLINE, STAYS ONLINE!

Child Advice: Before posting a comment or picture, stop and think before you hit confirm. Remember once a comment or picture is posted it stays forever; just because you delete it seconds later doesn’t mean it is gone from the internet. For instance most social networking sites send out email updates containing your post, and can even post to other social networking sites, for instance Twitter’s integration with Facebook, so be very careful what you post. If you need to have a private and sensitive conversation with your friends, it is always best to stick to verbal communication, as you never know who could pick up on your posting.

Parent Advice: Periodically check your child’s postings to ensure your child is posting sensibly. The best way to do this is to add yourself as a friend of your child.

4. NEVER GIVE YOUR PASSWORD OUT

Child Advice: No one ever needs to know your password, except your parents. Emails from Facebook, Bebo, Twitter etc, and from social networking applications asking for your password are always false. Do not share your account with anyone and never give your password out to any of your friends.

Parent Advice: Cyber bullies, and worse, often try to fool social networking users into providing them with their password; once they have it, they can get up to all sorts of nasty tricks. Ensure your child uses a strong password and remind them never to share it with anyone except yourself.

5. ENSURE ANTI-VIRUS & PATCHING IS UP-TO-DATE


Child and Parent advice: Make sure your PC’s Anti-virus is operating and kept up-to-date, and also ensure your PC’s Firewall is enabled, and make sure you apply the latest operating systems patches on a regular basis. This will help prevent malicious software covertly installing onto your PC, such software can steal your social networking passwords and send them on to bad guys without your knowledge.

Social Networking, like most things in life, can be fun, an extremely useful tool, and ultimately safe if used responsibly.

There are several useful website resources for this below:

Kidscape (Cyber bullying Awareness for Children)
http://www.kidscape.org.uk/cyberbullying/cyberbullyingchildrenyoungpeople.shtml

DirectGov (Cyber bullying Awareness for Adults)
http://www.nidirect.gov.uk/index/parents/your-childs-health-and-safety/internet-safety/cyberbullying-1.htm

A Guide to Facebook Security and Privacy
http://www.thetechherald.com/article.php/200938/4434?page=1

If anyone would like to recommend further websites, please post them in the comments, thanks.

Saturday 28 November 2009

Gary McKinnon Extradition

Gary McKinnon is in the news again after the Home Secretary, Alan Johnson, refused to block the intended extradition to the United States. I was invited to comment on Radio Five Live on Friday morning, to raise points on the security and technical specifics of the case.

It is clear Gary has plenty of public support in the UK, from people who believe he shouldn’t be extradited to the United States, mainly on human rights grounds. Gary’s lawyers stated he is happy to plead guilty to the crimes in a UK court, therefore he appears to be guilty of these crimes, but his lawyers feel justice just won’t be served if he were sent to a US court.

I actually met Gary a couple of years back; however my comments on Radio Five Live were made from a totally impartial, Information Security expert’s point of view. Here is a summary of what I said.

The main point to understand is, what was the motivation of Gary McKinnon’s “hacking” attack? It clearly wasn’t for fraud, as he wasn’t trying to steal any financial information, and there appears to be no accusation of Gary stealing information to sell on for profit. This is the first point to understand, as people who are motivated to hack systems to steal for personal profit do need to have the book thrown at them.

The next question: did Gary set out to damage systems maliciously? Well, if you listen to his lawyers, they will tell you Gary’s motive wasn’t to break and damage systems, but to acquire knowledge, mainly about UFOs and their power source. However, the US authorities say Gary’s intention was to break and damage their systems and point to messages left on their systems, such as the one below, which I understand his lawyers have verified as being left by Gary.

“US foreign policy is akin to government-sponsored terrorism these days? It was not a mistake that there was a huge security stand-down on September 11 last year...I am SOLO. I will continue to disrupt at the highest levels.”

For me these are all important questions to ask and answers to understand, as there is a big difference between a fraudster using hacking techniques to steal financial information, a malicious hacker deliberately out to deface and break systems, and a curious hacker trying to satisfy a “What If”. Confusingly, Gary is portrayed as the latter, but he also tends to be branded and tarred with the same brush as these other types of hackers. I feel this is because the general media and the public do not understand the significance of the different types of hacking which are occurring today.

I believe there is negligence on the US system owners’ part. For example, if I were to park a shiny new BMW in an undesirable part of town and leave the car unlocked with the keys in the ignition, wouldn’t I be negligent and at fault if the car was stolen? Would an insurance company pay out? In the same way everyone knows the Internet is a dangerous place, and for any organisation to place “sensitive” servers directly on the internet without even the basics of the IT security best practice of the day, and then have these said servers hacked, in my view that organisation has only themselves to blame. If Gary hadn’t got there first, someone else, or perhaps even a malicious application, would have breached these systems eventually. The majority of Information Security professionals I know tend to share this point of view on information security; however a lawyer wouldn’t, and perhaps the people who didn’t properly secure their systems in the first place won’t exactly be blaming themselves either. But I’m definitely with the insurance company on this point.

Gary is summarised by most media as being some sort of Super Hacker; actually, in my experience and knowledge of the actual “hacking” which is alleged to have occurred in this case, I have to say Gary is far from being a super hacker or even an accomplished hacker. It looks like Gary didn’t really have to work very hard to access these systems, such was the alleged lack of basic security on them, and at the end of the day he got caught. Even an average grade hacker knows how to be anonymous on the internet and how to cover their tracks properly; only the inexperienced and the not so clever hackers actually get caught. So in my view Gary is far from being a “Super Hacker”.

My final point on the Radio, which will not be popular with pro-Gary campaigners, is a word of caution. We need to give some thought to the legal precedents which could be set here. There is a problem in bringing real serious cyber criminals to justice, because hackers tend to operate across international borders. I know our US extradition treaty isn’t the best as it currently stands, but if this extradition were to be blocked, I fear the next time we arrest a credit card fraudster operating out of the UK (which has happened recently), the fraudster’s legal team would use this case to prevent extradition. Similar legal precedents have been used to stop the extradition of foreign nationals back to their country of origin, despite them committing all sorts of heinous crimes which are far more serious than breaking a few servers.

There is much more I could have said on this subject, such as looking at the way the US authorities appear to have put in place over the top sentencing for this crime, which doesn’t appear to reflect the actual crime. It is ridiculous that this particular type of offence seems to carry a greater punishment than murder in terms of prison sentence time. I understand Gary’s hacking at worst caused a 24 hour outage, with no member of the public (or military) harmed as a result, and as I said it could be argued the system owners were partially to blame as well. I don’t believe any information of value was stolen; only system “software” damage is alleged to have occurred, which is estimated at around $700,000 by the US authorities, which many would say is kind of high for rebooting and restoring less than 100 systems. The punishment for the actual offence must fit the crime, and if it did then extradition of Gary to face justice in a US Court might not be the problem it currently is.

Sunday 1 November 2009

How Secure is your UK Online Banking?

The UK may be still in the midst of a recession, but these times are proving anything but a recession for cybercriminals, as UK Online Banking fraud is sky rocketing at the moment. ‘Financial Fraud Action’ shows a 55% increase for the first half of 2009, while the ‘UK Payments Administration’ figures report a 44% year on year rise. Through my own research and underground monitoring of UK cybercriminal activity, I am seeing increasing numbers of stolen UK online bank account access details being put up for sale, and increasing numbers of keylogger malware being deployed which specifically target the covert theft of UK online bank access credentials.

Despite these increases in criminal activity and years of warnings, UK banks still aren’t doing enough to protect their customers from the dangers of the internet. Many UK banks are still yet to provide their customers with security best practice Two-Factor authentication access to their online banking, so are making it all too easy for cybercriminals to steal UK bank account access details. Two-Factor authentication involves using an individual hardware token possessed by each online account holder. This hardware token displays a constantly changing number on an LCD screen (see picture below), which is typed in alongside the customer’s identity (name) and password to provide access to the online bank account. Using a hardware token such as this would prevent the majority of online banking theft today, as without physical possession of the 2nd factor hardware token, you cannot gain access to the online bank account.

Many UK banks still resort to the dated “knowledge based” authentication alongside a person’s password. “Knowledge based” authentication is about asking the account holder a question to which only that individual is likely to know the answer. For example, typical knowledge based questions are: What is your mother’s first name? What is the first school you attended? What is the name of your favourite pet? The problem is this type of personal information is no longer private in the information age, and can be found in all manner of places on the internet, both legitimately and illegitimately. So fraudsters who steal bank account details often do a bit of simple research to build up a knowledge profile about their target, so they can get past the knowledge based questions as well. This information gathering can be done in just minutes from a computer keyboard, anywhere in the world; a wealth of personal details on a target can be quickly found by using websites such as Google, Facebook and various public record websites like the electoral roll directory 192.com. I have seen UK cyber-fraudsters selling complete profiles of UK individuals along with their online bank account username and password, including one which stated the victim’s favourite pet’s name!

Two-Factor authentication will not completely solve online banking fraud, but if deployed by UK banks it would go some distance in bringing down the number of UK online bank accounts being compromised. My own research shows the majority of UK bank theft is actually done by criminals based abroad, who generally regard the UK as easy pickings and a soft target. The slow take up of Two-Factor authentication by UK banks just goes to reinforce the UK’s perception as a soft target by cybercriminals around the world.
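As an added example (not from the original post, and not the system of any named bank), here is the server-side check that makes such a token worth having: the number on the token's display is derived from a seed shared with the bank, the bank recomputes it, and a code is accepted only once, so a stolen username and password alone do not get in. The one-time-password construction is the RFC 4226/6238 scheme; the 30-second step, six-digit display, shared seed and the account record are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # assumption: the token's display changes every 30 seconds
DIGITS = 6          # assumption: six-digit display
WINDOW = 1          # also accept the previous/next step, to tolerate token clock drift


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, now: float) -> str:
    """The number the customer's token shows at time `now` (time-based variant, RFC 6238)."""
    return hotp(seed, int(now // STEP_SECONDS))


class Account:
    """Constructed server-side record: salted password hash plus the seed shared with the token."""

    def __init__(self, username: str, password: str, token_seed: bytes):
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.token_seed = token_seed
        self.last_counter = -1   # highest step already used; blocks replay of a sniffed code

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def password_ok(self, candidate: str) -> bool:
        return hmac.compare_digest(self._hash(candidate, self.salt), self.password_hash)

    def token_ok(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        for c in range(max(counter - WINDOW, 0), counter + WINDOW + 1):
            if c <= self.last_counter:
                continue        # a code for this step (or an earlier one) was already accepted
            if hmac.compare_digest(hotp(self.token_seed, c), code):
                self.last_counter = c
                return True
        return False


def login(accounts: Dict[str, Account], username: str, password: str,
          code: str, now: Optional[float] = None) -> bool:
    """Identity, password and token code must all pass; the caller learns only pass/fail."""
    now = time.time() if now is None else now
    acct = accounts.get(username)
    if acct is None:
        return False
    # Password first, so a wrong password does not consume the customer's current code.
    return acct.password_ok(password) and acct.token_ok(code, now)


if __name__ == "__main__":
    seed = b"constructed-token-seed-0001"          # constructed, not a real token seed
    accounts = {"alice": Account("alice", "correct horse battery", seed)}
    code = token_display(seed, time.time())
    print("password only:", login(accounts, "alice", "correct horse battery", "000000"))
    print("password + token:", login(accounts, "alice", "correct horse battery", code))
    print("replayed code:", login(accounts, "alice", "correct horse battery", code))
```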

Why don’t all UK banks deploy Two-Factor authentication?

Their excuse is cost. Although the actual cost of deploying Two-Factor authentication is relatively small (£3 to £6 per customer), UK banks do not want to spend in the current climate and are more than happy taking the hit on cyber fraud, which is regarded as a more acceptable cost than shelling out on security prevention, no matter the inconvenience and stress this type of fraud places on its victims. Here is a thought: given the choice, customers would be happy to pay a one-off £5 fee for their hardware token to gain the security benefits it provides.

Seriously, why do UK Banks continue to shoot themselves in the foot by not providing Two-Factor authentication to their customers?

Ok, here is the real food for thought on the cost argument. Most UK banks actually want their customers to use online banking for reviewing bank statements, rather than sending paper statements to their customers in the post. Surely the cost of having a customer use online banking and being provided with a hardware token for security is much cheaper than posting 12 statements a year. I say this as I know people who are put off using online banking because they don’t feel confident in the security; personally I think using a hardware token would give them that security assurance. Providing a Two-Factor token could actually turn out to be a real cost saving! And let’s not forget the carbon saving by not printing those paper bank statements and shipping them around the country too.

What can you do to protect your online bank account?

IT Security Expert advice

1. If your bank does not provide Two-Factor authentication (token/key), consider switching to a bank which does.

2. Password Protection
a. Ensure your bank account password is unique to you. Using the same password with other websites such as Social Networking websites, Message Boards, Webmail and Job Recruitment websites must be avoided at all costs. The bad guys hack these types of websites specifically to lift individual usernames and passwords for the purpose of trying them against online banking websites.
b. Change your password at least once a year, once a quarter is what I personally recommend.
c. Ensure your password is strong. By strong I mean use upper and lower case letters, at least one number, but most of all include at least one “special character”. By “special characters” I mean @, ”, $, %. However, I know of one recently taken-over Yorkshire-based bank which actually prevents you from using special characters in your password!

3. Email Security
a. We all know about phishing Emails now, but it’s still a major problem and a favourite attack deployed by cybercriminals to harvest online bank details. Phishing Emails are becoming more realistic and more specifically targeted. Unfortunately this attack still works; people are still suckered in by these Emails. So no matter how genuine an Email looks, never click on the links; a bank will (should) never request your account details or ask you to login for any reason via an Email. Remember a phishing Email always preys on the emotion of greed (you have won something) or fear (your account has been compromised, change your details).
b. Never send your bank details by Email, no matter what legitimate company or person requests it, be strong and always resist, just say no!

4. Ensure your Operating System is patched up to date, and you have Anti-Virus and Anti-Spyware applications running at all times, and make sure they are kept up to date. The bad guys like to deploy key logging malware onto unsuspecting users’ PCs, who then have no idea their key strokes are being recorded and sent on to fraudsters, key strokes including those bank account access details, namely the username and password.

5. Check your bank statements regularly. UK banks are getting better at detecting bank fraud but it’s far from perfect. Therefore it’s important you take responsibility and check through your statements regularly looking for fraudulent transactions. Pay particular attention to internet transactions and transfers out.

Monday 19 October 2009

TalkTalk’s WiFi Hacking No No!

Last week Internet Service Provider (ISP) TalkTalk pulled a hacking publicity stunt, which they aimed to demonstrate why they should be absolved of all responsibility for the portion of their customers who illegally file-share pirated material. TalkTalk visited a street in North London and hacked into poorly secured residential wireless networks. Accessing insecurely configured residential WiFi is old news and is illegal; TalkTalk’s point in doing this was to show that anyone could be using residential wireless access points for file sharing illegal material, again nothing new in that either: http://blog.itsecurityexpert.co.uk/2008/11/reason-to-secure-your-home-wifi.html

However, the double standard here is that the prime reason why the majority of home wireless networks in the UK aren’t secured to a sufficient degree in the first place is because ISPs have been providing their customers with wireless access points (routers) in an insecure fashion for years.

As far back as 2001 WiFi WEP security has been known to be broken; however in 2007, when I assessed new home WiFi router provision by ISPs in the UK, I found the majority of ISPs were still providing home Wireless Access Points with WEP security by default. Of course the vast majority of their customers aren’t savvy enough to properly secure their home Wi-Fi with WPA2 encryption; in fact most customers, when asked, tended to trust their ISP to provide them with an appropriately secure home WiFi network.

Any school boy with a “Facebook” level of computer knowledge can break into a WEP protected home WiFi network in just minutes. WEP is not encryption, and it should never be referred to as “Secure WiFi” as some ISPs had been describing it in recent years. TalkTalk tended not to provide their customers with wireless networking; however this led many of their customers to go out and buy their own wireless access point, many of whom haven’t properly secured their WiFi or, even worse, deployed it without any security in place at all. Interesting how TalkTalk charge £99 to configure their customers’ WiFi router to WPA2; in my view they should be doing this for free, as TalkTalk’s competitors have moved to providing their customers with WiFi networks with WPA2 enabled by default at zero cost.

I think TalkTalk should face up to their responsibilities as an ISP, and stop TalkTalk customers who share illegal content, which isn’t always pirated movies and computer games, but can be the more unsavoury stuff on the Internet. I don’t think it’s right for TalkTalk to go around hacking real world environments which are already well known to be vulnerable for self publicity, even with the residents’ permission. I think the ethics of this are highly questionable because TalkTalk’s message wasn’t about advising citizens and their customers on how to secure their home WiFi networks, but about TalkTalk not wanting to spend the money on policing their customers’ internet activity.

Finally illegal file sharing is never in the interest of TalkTalk’s honest and legitimate customers, who are likely to suffer slower internet speeds as a result of the illegal internet bandwidth hogging by the few.

Thursday 8 October 2009

How the Payment Card Industry could stop Card Fraud

If the payment card industry, the card schemes such as Visa and MasterCard, and merchants really desired to dramatically reduce payment card fraud, it could be done simply.

Today, by far the biggest problem with payment card security (credit and debit cards) is the little black magnetic stripe on the back. This magnetic stripe holds the full card details unprotected. This information is referred to as “track 2 data” within the payment card industry. The problem is this magnetic stripe track 2 data can be easily read with a "cheap to buy" magnetic stripe reader (see picture above), allowing fraudsters to “skim” card details quickly in a variety of ways, for instance by placing covert magnetic stripe readers on ATMs (see picture below).

Track 2 data is also held in plain text on some payment devices and payment processing applications which store this information. Once track 2 data falls into the hands of card fraudsters, they simply create clone cards by replicating the magnetic stripe, and then use the cloned card in the same way as the original card holder uses the original card, of course only at those places which accept magnetic stripe swiping. Making card payments by swiping the magnetic stripe is increasingly rare in Europe; however elsewhere in the world it is still used, and sometimes even without a signature.
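As an added example, not from the original post, here is a check that the owner of a payment device or payment application (or a PCI DSS assessor) could run over their own logs and data stores to find full track 2 data held in plain text, which should not be stored after authorisation. It follows the ISO 7813 track 2 layout (start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel) and reports only a masked PAN; the log lines and card numbers are constructed test values (4111 1111 1111 1111 is a well-known test number) and belong to no one.

```python
import re
from dataclasses import dataclass
from typing import List

# ISO 7813 track 2: ';' start sentinel, PAN of 13-19 digits, '=' field separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample log lines, as a careless payment application might write them.
SAMPLE_LOG = """\
2009-10-08 10:12:01 auth ok merchant=1234 track2=;4111111111111111=12121011234567890?
2009-10-08 10:12:05 debug raw=;4111111111111112=1212101?
2009-10-08 10:12:09 auth ok merchant=1234 pan=411111******1111
"""


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    expiry: str         # YYMM as written on the stripe
    service_code: str
    luhn_ok: bool       # False usually means a false positive (not a real card number)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the form PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Finding]:
    """Find every track-2-shaped value in the text and report it without the full PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            pan, expiry, service, _discretionary = m.groups()
            findings.append(Finding(line_no, mask_pan(pan), expiry, service, luhn_ok(pan)))
    return findings


def redact(text: str) -> str:
    """Replace each track 2 value with a masked marker so the log can be kept safely."""
    return TRACK2_RE.sub(lambda m: f"[TRACK2 REMOVED PAN={mask_pan(m.group(1))}]", text)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        status = "card number" if f.luhn_ok else "fails Luhn, probably not a card"
        print(f"line {f.line_no}: {f.masked_pan} exp {f.expiry} svc {f.service_code} ({status})")
    print(redact(SAMPLE_LOG))
```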

Using a magnetic stripe to store card data on our plastic is an outdated technology; in Europe, where "Chip and Pin" has now been widely adopted, using a chip to read the card data instead of the magnetic stripe increases security. The chip is difficult to clone and holds card information encrypted, making it difficult for the bad guys to “swipe skim” the card data, and it is extremely difficult to create a working clone "chip" on a card. The issue is there are places like the United States which haven’t adopted the more secure chip technology and are intent on continuing to use the insecure magnetic stripe for the foreseeable future, meaning all payment cards around the world still need to keep the magnetic stripe on the back to be accepted globally. As a result UK payment cards which have their magnetic stripe track 2 data stolen are still being cloned, but used in places like Thailand, where card magnetic stripe swiping is still the way to pay.

One of the arguments for the non-full adoption of chip technology in places like the US is that merchants don’t want to front the cost of replacing their card readers. Well, that doesn’t wash with me: most merchants in Europe managed to adopt chip reading technology fairly rapidly without any major hassles, and in general merchants continue to replace their card readers over a period of time anyway. So I don’t see why a “phased in” approach wouldn’t be acceptable on a worldwide basis. During my recent trips to the United States I have encountered a general shift in the type of payment card readers to touch screen card devices, but they are still using magnetic stripe swiping to read the card. This demonstrates there is always a continued evolution of card reading devices being deployed by merchants.

I don’t want to muddy the water by talking about the extra security of using a PIN with the chip to provide two factor authentication at the cash register; that’s great for increasing security too, but my main point is about using a chip to read the card instead of a magnetic stripe.

I believe removing the magnetic stripe from all payment cards and card processing terminals would result in a drastic reduction in card fraud which specifically targets “card holder present” transactions. A “card holder present” transaction is where the card holder and payment card are both physically present when making payment, for instance making a payment at the cash register.

What about card holder not present transactions? These are transactions where it is impossible to tell whether the cardholder is present and in actual possession of the card when making a payment, for instance an internet transaction or a telephone payment, where it is impossible for the merchant or payment processor to know whether the buyer is typing his card details in from the actual card or is a fraudster using skimmed card information. Sure, the 3 digit security code helps with this, but the bad guys have ways around this.

In the UK, following the introduction of Chip and Pin in 2005, there was a dramatic shift in the types of payment card fraud, in that card fraud swung dramatically to “card holder not present” fraud, mainly internet transactions, as opposed to fraud at the cash register, mainly because cloning cards and their magnetic stripe became a waste of time for the fraudsters, as merchants moved to using chip only payment transaction processing.

There is an answer to securing “card holder not present” transactions which is simple and just requires an update in the card technology used. This technology has been available for quite a while now and involves the addition of a digital authentication system to the actual payment card.

I have seen many prototypes of this technology, such as the EMUE card (featured in the pictures), which displays a uniquely generated number on an LCD on the card, which is then typed in by the card holder when making a “card holder not present” transaction, such as an internet payment. The system checks the number is valid and if it is, this proves the card is actually present as the payment is made. In addition there is a PIN entry on the card which is used to create the generated number, proving the actual card holder is also present. This type of card would effectively turn all “card holder not present” transactions into “card holder present” transactions. This card is no bulkier than a normal card, so still works in ATMs.

If the payment card industry took these steps, not only would this dramatically reduce card fraud in my view, but it would remove the security burden of protecting card holder data. Payment processors and merchants must comply with the 260 security requirements of the Payment Card Industry Data Security Standard (PCI DSS); I question whether PCI DSS would even be required to oversee the protection of card holder data if the measures I have talked about were globally adopted, because the bad guys wouldn’t be able to commit much fraud with payment card information anymore, meaning card holder data would no longer need to be protected.

I don’t believe I’m saying anything radical here, or indeed anything new; as always, any thoughts and comments on this are appreciated. I can say I have raised these points with leaders in the global payment card industry, and as yet no one has given me a good reason why this wouldn’t work. The excuse I tend to be given is that fraud rates aren’t high enough to bring about these sorts of changes in security. Some might say the payment industry are happy taking the fraud hit and passing the fraud costs on to merchants and ultimately consumers through PCI DSS related costs and fines, while the inconvenience to customers who actually get hit with fraudulent transactions on their credit card and bank statements, mainly through no fault of their own, is of little concern.

Information Security is often a game of cat and mouse, with the good guys introducing security measures and the bad guys finding ways around them, then the good guys introducing new security measures, and so on. The question is, has the payment card industry stopped playing the security game of cat and mouse? The answer is within the magnetic stripe on the back of your payment card.

Friday 14 August 2009

Secure Encrypted Data Backup on a Budget Tutorial

FOREWORD: It's a bit tricky doing proper document formatting and decent screenshots within this blog format, so I have also created a separate PDF document for this post/tutorial, which can be downloaded/viewed here - http://itsecurityexpert.co.uk/downloads/ITSE_Secure_Encrypted_Data_Backup_on_a_Budget.pdf

One of the most neglected areas of home computing, and indeed of many small businesses, is data backup, and properly securing that backup.

What personal value do you place on the data files stored on your PC right now?
How would your business cope if all the business data held on that single PC was lost?

Backing up puts all your data, including sensitive files, in one easy-to-access place; how do you ensure it is protected from prying eyes?

These days most people have built up quite sizeable collections of digital camera pictures and videos spanning many years on their PCs, which they regard as irreplaceable. And then there are those word processing documents and spreadsheets which some people just can't do without, yet these files contain personal and even financially sensitive information which needs to be protected when backed up outside the PC.

In this tutorial/post, I am going to explain how to cheaply and securely back up sensitive data held on a PC.

Pre-Tutorial Requirements

1. Equipment
First buy a USB hard disk drive with a storage capacity large enough to cater for your needs. You can pick up a 500 GB USB hard drive from eBuyer for around £60 to £70, which should be more than enough to cater for most home PC users and small business data backup requirements. If you have just a small amount of data to securely back up and a tighter budget, you can use a USB thumb drive instead, which can cost anything from £5 to £40 depending on its storage capacity. Heck, you might even have a spare one lying around which was given to you for free at that trade show.

2. Download TrueCrypt http://www.truecrypt.org/downloads.php
TrueCrypt is a completely free application, but I urge you to do the right thing and donate, even if it's just a little bit, to the guys behind creating and supporting this great application. For further information about TrueCrypt see my post http://blog.itsecurityexpert.co.uk/2009/02/truecrypt-best-open-source-security-app.html

3. Backup Planning
On the USB backup drive, we will create a Secure Encrypted Area to back up sensitive files, which will automatically become available when the drive is plugged into the PC. In addition we will keep an unsecured area on the same USB drive to store non-sensitive files.

So first you must decide how much of the USB drive’s storage capacity you will need to back up personal and sensitive data files. You need to think about whether you just want to securely back up your word processing and spreadsheet documents, which tend not to take up a lot of storage space, or securely store the entire directory of your digital camera pictures and videos, which tend to require large amounts of storage.

The larger the secured area, the longer it takes to setup. There isn’t a great performance hit in accessing the information from the secured (encrypted) area once data is stored.

What should be kept non-secured on the backup drive? Well consider anything you are happy to place on the internet, such as downloaded freeware applications, which tend to be large in size and therefore should be ear-marked to be stored in the unprotected area on the USB drive.

Tutorial
In this tutorial, I will assume the contents of “My Documents”, and a very large collection of personal digital camera images and videos, need to be securely backed up. After assessing these storage requirements, I am going with a 400 GB secure area (partition) on my 500 GB USB drive, leaving around 100 GB of space for unsecured data storage.

If you have not already done so, install TrueCrypt; just follow the installation wizard. Note I have used TrueCrypt version 6.1a on a Microsoft Windows system for this tutorial.

Creating the Secure Storage area on the USB Drive

2.1 Launch TrueCrypt

2.2 From the “Volumes” drop down menu, select “Create New Volume…”



2.3 Select “Create an encrypted file container” (as per default) and click next



2.4 Select “Create a Standard Volume” (as per default) and click next



2.5 Click “Select File…” and, in the window that opens, select your USB drive.



2.6 Next right click and select “Create New Folder” on the USB drive, and then name the folder “SecureArea”

2.7 Next select the "SecureArea" folder, and within this folder you will be requested to "create a filename", call it “secured” (or pretty much any name you might prefer)

2.8 Next are the encryption and hashing algorithm options.

I find the most efficient encryption algorithm to choose is “Twofish”; in terms of security you cannot go wrong with any of the algorithms offered by TrueCrypt, so you may as well take my advice and select Twofish.



2.9 Again you can't really go wrong with the hashing algorithms offered, I don't want to get too technical within this tutorial which is aimed at non-security folk, so go with the default. (I'm happy to talk about encryption and hashing in detail in a separate post if anyone wants me to)

2.10 Next select the size; for me I will be going with a Secure Area of 400 GB.

It's important to ensure you leave at least a couple of megabytes of free space for the unsecured area of the USB drive, as this is needed for the automated mounting of the secured area when the USB drive is plugged into the PC.



2.11 Next enter a pass phrase (password); ensure this is something you can remember!

If the pass phrase is less than 20 characters in length, TrueCrypt will warn you. My recommendation is to go for a pass phrase with a mixture of uppercase, lowercase, numbers and special characters (e.g. @, #, !) that is at least 12 characters in length. If you are paranoid about the government cracking your personal data with their super-computers, go with 20+ characters!!!



2.12 Unless you have individual files above 4 GB in size which need to be securely stored, which is generally rare for home users, select the default of “No” and click next.



2.13 Volume Format, move the mouse around the screen, accept the defaults and click “Format”



2.14 Depending predominantly on the secured area storage size, it can take anything from a few minutes to several hours for TrueCrypt to finish creating the Secured Area.



3. Automatically making available (mounting) the secure area (encrypted volume).

Once the Secure Area has been created, it is time to make the secured area of the USB drive automatically become available upon plugging the USB storage device into the PC.

3.1 Within TrueCrypt, from the "Tools" pull down menu select “Traveler Disk Setup”

3.2.1 Navigate and select your USB drive (root)

3.2.2 Uncheck “Include TrueCrypt Volume Creation Wizard”

3.2.3 Select “Auto-mount TrueCrypt volume”

3.2.4 Navigate and select the TrueCrypt encrypted file. In this tutorial it is "\SecureArea\secured.tc"

3.2.5 Check “Open Explorer window for mounted volume”

3.2.6 Finally hit “Create” - it should only take a few seconds to complete.


3.8 Once complete, remove the USB drive, count to 5 and reconnect the USB drive. Your PC should automatically mount the unsecured area as a volume (drive letter) and mount a second volume as a secured (encrypted) volume (drive letter). TrueCrypt will ask for the correct pass phrase to be typed in prior to the secured area becoming available.

If the automatic mounting of the USB drive volumes is not working, it indicates the PC has USB/CD autorun disabled, which is actually a good setting to have security wise; just google “enable CD autorun windows” for help.

And there you have it, a USB drive which upon plugging into the PC will connect with a Secure Encrypted Area (Volume) and a Non-Secure Area (Volume).



4. Finally, back up your information to the appropriate storage areas of your USB drive.

You can do this manually by dragging and dropping files in Windows, or using an automated backup tool. Comodo Backup is one of my preferred backup tools. http://backup.comodo.com/
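As an added example (not from the original post, nor TrueCrypt's own code), a script that automates this step from the command line: it mounts the container created above, mirrors a folder into it, re-reads every copy to check its SHA-256 matches the original, and dismounts. It assumes TrueCrypt is installed at the path in TRUECRYPT_EXE, the USB drive is E:, the container is E:\SecureArea\secured.tc and drive letter S: is free; the /v, /l, /q, /s and /d switches are TrueCrypt's documented command-line options.

```python
"""Mount the TrueCrypt container, mirror a folder into it with hash verification,
then dismount. Added example; paths and drive letters below are assumptions."""
import hashlib
import os
import shutil
import subprocess
import sys

TRUECRYPT_EXE = r"C:\Program Files\TrueCrypt\TrueCrypt.exe"  # assumption: default install path
CONTAINER = r"E:\SecureArea\secured.tc"                       # the file created in the tutorial
MOUNT_LETTER = "S"                                            # assumption: a free drive letter


def mount_command(container=CONTAINER, letter=MOUNT_LETTER, exe=TRUECRYPT_EXE):
    """TrueCrypt command line to mount the container on a drive letter.
    /v = volume file, /l = drive letter, /q = perform the action and exit.
    The pass phrase is deliberately not passed with /p, so TrueCrypt prompts for it
    and it never ends up in a script, shell history or process listing."""
    return [exe, "/v", container, "/l", letter, "/q"]


def dismount_command(letter=MOUNT_LETTER, exe=TRUECRYPT_EXE):
    """TrueCrypt command line to dismount the volume (/d) silently (/s) and exit."""
    return [exe, "/d", letter, "/q", "/s"]


def sha256_of(path):
    """Stream a file through SHA-256 so large video files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def mirror_and_verify(src, dst):
    """Copy every file under src into dst (same relative layout), then re-read each
    copy from the destination and compare hashes with the original.
    Returns (number_of_files_copied, list_of_copies_that_failed_verification)."""
    copied, failed = 0, []
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        out_dir = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(out_dir, exist_ok=True)
        for name in files:
            source, target = os.path.join(root, name), os.path.join(out_dir, name)
            shutil.copy2(source, target)  # copy2 keeps timestamps, useful for backups
            copied += 1
            if sha256_of(source) != sha256_of(target):
                failed.append(target)
    return copied, failed


def run_backup(src_dir, letter=MOUNT_LETTER):
    """Mount, mirror, verify, and always dismount. Returns the verification failures."""
    subprocess.run(mount_command(letter=letter), check=True)  # TrueCrypt prompts for the pass phrase
    try:
        target = os.path.join(letter + ":\\", "MyDocuments")
        copied, failed = mirror_and_verify(src_dir, target)
        print(f"copied {copied} files, {len(failed)} failed verification")
        return failed
    finally:
        subprocess.run(dismount_command(letter=letter), check=True)


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Documents")
    sys.exit(1 if run_backup(source) else 0)
```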

Once your backup has finished, I recommend storing the hard disk offsite. So give it to a relative or a friend or even a neighbour to store, it's not as though your neighbour will be able to access your personal information as it will be encrypted to industrial standards!

It is important to repeat your PC backup process at regular intervals. These intervals will depend on your requirements and your personal attitude to the risk of personal data loss. If it is a typical small business, I suggest on a weekly basis; for highly active home users I suggest backing up on a monthly basis; and for typical home users probably on a six monthly basis, or after you store a significant amount of data in a single instance, such as dumping holiday snaps from your digital camera to your PC.

If you regard these recommended backup rates as not being enough, you are probably storing too much information on a single PC. If this is the case I would recommend investing in a Network Attached Storage (NAS) device. A NAS device starts from £80 upwards and offers much more data resilience and automated daily backup/mirroring options; this is a particularly important solution to adopt if you are operating a business which is reliant on computer systems and data. I have heard of small businesses going to the wall following a simple PC theft.

Thursday 23 July 2009

Who you gonna Trust to repair your PC or Laptop?

A Sky News investigation uncovered the shady dealings of some computer repair shops in London. An undercover reporter presented a laptop for repair at several computer repair shops, with the only problem being an easy to detect loose memory chip. However Sky had rigged their laptop to monitor how it was dealt with, utilising keylogger software, and they even had the laptop's camera record the dodgy goings-on.

One cheeky rogue trader charged the reporter £130, saying the laptop required a new motherboard, even though the original motherboard was absolutely fine; however, more sinister and worrying was the invasion of customer privacy. Computer shop repair engineers were recorded rifling through private documents held on the laptop (the folder was titled "private"), and one scoundrel was captured actually stealing documents, copying them onto a USB memory stick, including a text file labelled as holding passwords for Facebook, Hotmail, eBay and an online bank account. After lifting this information he went on to try to access the online bank account.

Unfortunately, knowing the IT repair industry as I do, these kinds of abuse of trust are commonplace. IT repair staff, especially those with time on their hands, are always likely to have a snoop, and within this subset of snoopers there are those who will go that step further and actually do something devious with the information they find. I have even heard of computer shop chain employees doing the same type of snooping; just recall how Gary Glitter got caught for downloading illegal images.

Putting this Risk in Context
We all need to understand that sending your personal computer or laptop to a computer repair shop is on par with leaving a “stranger” alone in your home to carry out a domestic repair. If you aren’t happy trusting a stranger to do a domestic repair all alone in your home, why on earth would you trust a stranger to repair a problem with your personal computer all alone?

What should you do to Protect Yourself?
As with my “stranger in your home” analogy, you must insist on having your computer repaired while you are present: either have an engineer come to your home and repair it in front of you, or have it repaired in your presence at the shop. Remember it’s not like having your car repaired at a garage, as we have all kinds of personal and sensitive material digitally stored on our computers these days; I mean you really wouldn’t leave your car at the garage for repair if your car contained your bank account books, your correspondence and all your photo albums.

If you must give your PC or laptop to a third party for repair and you are IT savvy, I would either remove the hard disk or fully encrypt the hard disk. For the non-technical, I would advise approaching that family member or friend who is computer literate; just like with good lawyers or indeed good handymen, everyone should make a point of knowing a computer techie they can trust.

Friday 17 July 2009

A History of Battling Payment Fraud

On Wednesday I popped into The Manchester Museum, and as I strolled into the “Money" collection of exhibits, I was greeted by a bunch of friendly guys sat behind a desk. The desk had various old coins laid out and a sign stating “Please DO Touch”. After a couple of minutes of weighing up and flipping various 2,000+ year old Alexander the Great and Roman coins, naturally me being me I started chatting about the fraud aspects, when one of the guys produced a Chinese bank note from the 14th century, which was safely housed in a protective plastic cover. This particular note happens to be one of the oldest surviving bank notes in existence. Now the Chinese invented and started using paper money around 960 following a metal shortage; without copper, silver and gold they couldn’t meet the demand to make coins, although there is evidence of cruder forms of paper money being made by the Chinese centuries earlier, but these weren't widely adopted. The construction of the Great Wall of China was financed by printing paper money, which has echoes of our approach to resolving the current financial crisis.
As you can see from the picture, the Chinese bank note depicts stacks of coins to show its value. However what I thought was particularly fascinating is the warning: on the bank note it states anyone attempting to produce a copy of the note will be executed. So we can see that with this ancient creation of a new payment method came the understanding to protect it against fraudulent exploitation. Without the death penalty deterrent I doubt if the first bank notes would have ever taken off.
I think Marco Polo describes the Chinese bank note invention best in his book The Travels of Marco Polo (Il Milione).
“All these pieces of paper are issued with as much solemnity and authority as if they were of pure gold or silver; and on every piece a variety of officials, whose duty it is, have to write their names, and to put their seals. And when all is duly prepared, the chief officer deputed by the Khan smears the Seal entrusted to him with vermilion, and impresses it on the paper, so that the form of the Seal remains printed upon it in red; the Money is then authentic. Anyone forging it would be punished with death”
Whatever the payment form, be it gold bullion bars, coins, bank notes or payment cards, thousands of years of history shows there has always been a non-stop game of cat and mouse between the payment method issuers and those who seek to take advantage, the fraudsters. I thought this game play was clearly evident when I observed a display of the various examples of bank notes used within the UK over the past few decades, where gradually over the course of time bank notes were printed on different, harder to acquire types of paper, used more complex design patterns, then watermarks and then holograms.
Modern bank notes have plenty of anti-counterfeit protection
Now payment cards have actually been around for many decades, but the mainstream usage of plastic payment cards, on which we are continually becoming more reliant instead of cash, really started to take hold from the mid 1980s. As with the evolution of bank notes, which increasingly used anti-counterfeit measures, we see the exact same principles in battling fraud with payment cards, and their originally unintended usage in the Internet payment arena.
However in recent times the lack of general public exposure of major card payment breaches, the lack of policing of the Internet (catching the fraudsters) and indeed the lack of a strong deterrent (remember the death penalty?) have resulted in payment card fraud escalating. So the question is, are the card issuers becoming lazy in playing the cat and mouse fraud game? The publicly known statistics on card fraud show payment card fraudsters are continuing to thrive and are getting away with payment card fraud in ever increasing numbers, and history clearly shows us there is no end game in combating payment fraud.

Friday 10 July 2009

118800 Mobile Phone Directory Search Privacy Concerns

"118800” is a new commercial Mobile Phone Directory Search venture, which charges absolutely anyone at all £1 to obtain the mobile phone number of a UK citizen, searching by name and location. 118800 have amassed a database of around 15 million UK names, locations and mobile numbers for their directory, which was set to launch earlier in the week. I read a quote from a 118800 representative who stated the contact names and mobile phone numbers in their directory were harvested from the public domain, but what they really meant by public domain was that they probably purchased the information from market research companies, online businesses and information brokers.

EDIT 12/06/09: Since I originally posted, a representative from 118800 has been in contact and provided further clarity on the 118800 directory search method. It seems my brief description of the service was only partial, so may be misleading. I was unable to fully test the service at the time of posting, as the service was (and still is) unavailable. I have decided to repost all of 118800's comments below within this post, both in the interest of fairness and to ensure the description of the service is correct and is not misleading.
"I'm from 118 800 and would like to correct the description of our service. We DO NOT give out mobile phone numbers to enquirers. We put people in touch with each other without disclosing any personal information. So if someone is trying to get hold of you through our service, you'll be called by us, told who is on the line for you and you can choose whether to be connected or not. The online service texts you with the enquirer's contact details so you can decide whether to contact them or not.

And, just like any other directory enquiry service, the enquirer needs to know your name & address. So it's very likely the first person to try to contact you using our service will be a friend or acquaintance who has lost your number or not got it on them." - 118 800

Most market research companies and online websites which collect our personal information pretty much force individuals to input their mobile number these days. A minority of the companies this information is collected from do a good job in warning their users that their information could be shared with a third party; however some companies use small print consent and opt out boxes which are disabled by default, knowing a percentage of people will neglect to read it properly, and some companies don’t even ask for consent, which is illegal under our regularly unenforced Data Protection Laws. So it is small wonder 118800 are able to go from zero to 15 million personal names, locations and mobile numbers in no time at all. Let's be clear on this: mobile service providers such as O2 and Vodafone are not providing your phone number to these guys; in fact I know they are just as annoyed at this practice.
Now it is true our government happily places our personal details on online searchable electoral rolls, which can be fully searched for a charge, and BT publish our names and home phone numbers in phone books which make them a profit by way of advertising as well, but that doesn’t make it right. We are now in the information age; information, especially personal information, has value, and companies handling our personal information are entrusted with it: they must protect it, not sell it or exploit it for profit.

With the BT phone book you can opt out and go ex-directory; in fact over a third of UK citizens concerned about this have already done so, but try searching the BT website for information about going “ex-directory” and you won’t find it. Just like Sky won’t let you cancel TV package subscriptions without phoning their call centre up, BT do the same “round the houses” tactic. Incidentally, Sky happily let you add TV packages by the web and via the TV. Online audio book company Audible use the same tactic: sign up for a free trial and enter your payment details online to subscribe, but to cancel, you have to phone them up, and this from an internet based company too.

So coming back to the subject of the day, I don’t think it's right that companies profit from our personal information, but at the same time they are providing a useful tool for identity thieves. An ID thief would be happy to pay £1 to obtain a victim's mobile phone number, while we are all aware of the issues of voice mail hacking by private detectives, which is hitting the

Interestingly the 118800 website is currently down, perhaps due to complaints and negative media coverage, and they are going to the trouble to clearly describe the mobile directory search as a “Beta”. I suspect they are waiting until the heat dies down before re-launching the service.
http://www.phonepayplus.org.uk/ which regulates premium rate and directory enquiry services. And if this sort of privacy exploitation really annoys you, send a letter to your MP. Remember, complaining worked with the web tracking advertising venture Phorm: such was the public outcry that this week, after a year of evaluation, BT and TalkTalk finally dropped their plans to use Phorm.
The Information Commissioner's Office (ICO), charged with protecting our personal information in this information age, again shows its complete lack of teeth by basically giving this service, and other similar services that will inevitably follow, the green light.


So what can we do?
1. Complain -
Some might say you will be wasting your time complaining to the ICO, but it is still well worth a shot; however I recommend complaining to PhonepayPlus.

2. Remove your Mobile Number from the 118800 Directory
Now if everyone did this, their service would crumble, but either way it is well worth ensuring the removal of your mobile number from the directory (it really shouldn't have to be this way), and here's how.

When the 118800 website comes back, click on the ex-directory button on the 118800 website or you can text the letter 'E' to 118800 (which is also currently down) from the mobile phone you want to be made ex-directory. 118800 will send you an SMS message confirming you've been taken off.  I have to give some kudos to 118800 for offering this clearly; certainly BT could learn a lesson here.

Sunday 5 July 2009

Secret Service tells UK Government not to Publicly Disclose Data Breaches

Are you wondering why there haven’t been any UK Government Department information breaches making the news headlines in recent months? Have our government departments resolved their poor Information Security Management and poor security cultures? Have other topics such as swine flu and dodgy MP expenses claims kept government data breach headlines out of the press? I would love to think UK Government Departments have cleaned up their Information Security Act, as I know serious efforts are being made; however we can't really be sure the government has stemmed its poor information management tide, as I heard another reason which goes to explain why the once steady drip of media coverage of government department data breaches has come to a halt.

I don’t want to name any names, but I heard a member of a government committee working on the Digital Britain report say that government departments had been advised by a UK security service department to stop publicising data breaches, because it is letting our enemies know our weaknesses. If this is indeed true, I have to say I really don’t agree with this sweeping under the carpet approach; for one, the cat is already out of the bag regarding our government's track record on security: tens of millions of records have been lost that we know about, so I think our enemies already know about our weaknesses!

I am a supporter of the public disclosure of data breaches where the public's personal information is involved, to the extent that I would like to see UK laws passed to ensure all organisations, both within the private and the public sectors, disclose any data breaches where citizens' personal information has been actually or potentially compromised. The reason we need such laws is that I feel it is the only real way entire industries and individual organisations will be bothered enough to raise their information security to the required standards, and better secure all our personal information. I believe it should be a fundamental right that we are informed if (more like when) our government, or indeed a private company, loses our personal information, placing us at increased risk of serious cybercrimes like identity theft, which is the UK’s fast-growing crime. Only by holding government department heads and business senior directors to account for such breaches will organisations truly recognise the importance of properly securing our personal information, which after all we have entrusted to their care.

Wednesday 17 June 2009

Insecure placing of Chip & Pin (PED) places Customers at Risk

Don't tell the missus, but I walked into a popular fast food restaurant in Central London today and noticed the restaurant had fixed their Chip & Pin payment devices to the payment counter; these devices are known as Pin Entry Devices (PEDs) within the Payment Card Industry. The problem was they had fixed these devices behind the main raised counter, and the devices had no “pin protectors” on them, forcing their customers to reach over the raised counter to the cashier's side to type in their 4 digit pin numbers. I observed several transactions taking place, and no customer shielded their pin entry with their free hand, probably because it would be too cumbersome to reach over the raised counter with both hands. The net result was that most people in the queue and behind the counter could observe the 4 digit pin number as it was typed in.
This type of setup is a real goldmine for any potential pickpocket or mugger, as obtaining a payment card together with the pin number is a free licence to withdraw hard money from cash machines and to spend freely in shops in the short term. The flipside is that this is all very bad news for the victim: in instances where payment cards are stolen together with knowledge of the pin number, most card issuers and banks assume their customer is at fault and must have written their pin number down and left it in their purse or wallet, and so the customer is liable for any fraud losses. It can be very difficult to obtain refunds against fraudulent transaction losses in this type of scenario, not to mention the trauma of potentially being mugged for your card; remember the card has an instant high cash value if the pin is known, so the thief simply views the card as a wad of £50 notes.

I am not saying shops should not screw down Chip & Pin devices to their shop counters. Fixing these devices to counters is actually a security necessity to prevent them from being “swapped out” by credit card fraudsters. Card fraudsters have been known to swap Chip & Pin machines when out of the sight of the cashier, introducing a new identical looking and perfectly working device in its place. However the introduced device has been electronically modified by the card fraudsters to record each customer's card details together with their pin number. After a few hours or even days, the criminals return, swap out their device and download all the credit card details together with the pin numbers, and you know the rest.

So it is important for card security to attach payment entry devices to shops counters, and this is my main point with this post, merchants need to understand these payment devices are meant for their customer usage, not their own staff usage, so must present the pin entry devices on the customer side of the counter, so allowing the customer to put in their own card and enter their pin number without being overlooked by anyone.

Further, there is really no excuse not to have pin protectors installed, especially as they don’t cost much. Merchants choosing to accept card payments do have a duty of care to protect their customers from card fraud; there is even an official security standard which they must follow, called PCI-DSS.

Chip & Pin (PED) with Pin Protector

While on this subject, I was at a popular catalogue shop outlet in Chorley a few months back, they too had fixed their Chip and Pin devices to the counter, but this time they had a CCTV camera aimed at the shop counter and their payment devices from a high angle. In their wisdom they had positioned a screen to display the CCTV images, so allowing everyone in the store to view people’s pin numbers as they typed them in. So it is important for high street merchants to position CCTV correctly within their card payment environments, and consider whether it is really a good idea to show the CCTV output to general public.
What can we do as consumers? Always keep possession of your card at all times and avoid handing it over, even to cashiers and especially waiters. Always shield your pin number entry with your spare hand as you type, as in the above picture.

Thursday 11 June 2009

A Clear CRB Check means They haven’t been Caught Yet!

Vanessa George, who worked at a Portsmouth nursery, stands accused of appalling sexual offences against young children. Already media reporters are queuing up to criticise the “enhanced Criminal Records Bureau (CRB)“ check, which this apparently despicable person passed, saying the check must have either failed or the CRB checking system itself is at fault. The CRB checking system has not failed, nor is the CRB system at fault; as any seasoned security professional worth his salt will know, clear staff background checks do not guarantee an individual is not a dodgy person and is not capable of doing bad things. The truth is no background security check or test can ever provide a guarantee, whether it’s checking airport workers aren’t terrorists, checking child minders are suitable to be alone with children, or checking that data entry clerks aren’t data thieves.

Most organisations with staff dealing with financial information, government data or child care are required to carry out CRB checks on their employees. Personnel who pass these checks tend to be implicitly trusted both by their employers and by the governing bodies which make the policies to have the checks done in the first place. As I always, always say, a clear background or CRB check simply means an individual has not been caught yet! Therefore individuals within their roles, depending on the organisation, should always be considered as a potential fraudster, a terrorist or indeed a sexual offender. By all means carry out background checks on staff, but never implicitly trust that humans will not do bad things given an opportunity; only by accepting this, together with assessing the internal risks staff can pose within their role, can we build the right security controls within processes and systems which will protect against internal staff threats.

Monday 1 June 2009

EU Elections & Hypocritical Privacy Protection Practices

I reluctantly posted my European electoral postal vote today; reluctantly because I considered not voting at all, mainly due to the lack of an anonymous voting system, and reluctantly because the European Union Parliament is not very democratic, in that unelected and non-accountable members of committees make the laws, not the people whom I am being asked to vote for to represent me as a European Union (EU) Member of Parliament.

As for voting choice, there is no option provided other than a postal vote; for whatever reason it is just not possible to vote at a traditional polling station, not in my area anyway.

The postal voting system involves enclosing a traditional ballot form within a pre-paid envelope, on which your full name is pre-printed with a unique ID number, your date of birth and your signature. Once sealed, the envelope must be placed into the public postal system as a “normal” letter, with its contents easily identifiable as a voting ballot (see picture). Should the envelope be lost (or stolen), then the person in possession will have obtained your full name, your date of birth and your approximate area of residence, from which it is child's play to establish your full address, which ironically can be found on the electoral roll, which is publicly searchable. The voter also needs to sign the envelope in order for the vote to count, so your signature is part of the package of information, which is more than enough for identity thieves to start cloning your identity and stealing credit in your name.

Aside from the personal identity theft concerns, your political beliefs can also be discovered, assuming you didn’t spoil the ballot paper! Under European Data Protection Directives (laws) an EU citizen’s political beliefs are classed as “Sensitive Information”, the highest form of information classification. The EU Information Commission would be most upset if a company were to ask for or send out such information by public post; however it appears the EU must be above its own laws.

And those volunteers who open and count the ballot envelopes will be privy to your political beliefs; more than likely they will be from the same area and so could know who you are. Hmm, I wonder who Mr. Smith at number 24 voted for? Meanwhile the bar codes sporting a unique number for each envelope will surely throw fuel on the conspiracy theorists' fire, and they wonder why turnouts for EU elections are so low.

In the end I reluctantly posted my vote after reflecting on the millions of people who died to give me the right to vote in Europe during the last century. I concluded it was worth risking my financial identity out of respect to those who risked and lost their lives, fighting for the right to a just, fair and anonymous voting system and a democratic and accountable government system. Whether we are now taking backwards steps in Europe must be up for debate, as must whether such democratic debate can actually lead to changes in laws.

Thursday 7 May 2009

Secure Hard Disk Wiping & Disposal

A study by researchers from the University of Glamorgan and BT resulted in several alarming privacy headlines in the media today - http://news.bbc.co.uk/1/hi/wales/8036324.stm The study involved purchasing old computer equipment from trade fairs and online auctions in the UK, US, Germany, France and Australia, and recovering data from these purchased items. The researchers were able to recover a raft of personal and sensitive data from hard disks, including detailed medical records from a Scottish NHS Trust, military secrets, business financial transactions and a variety of personal information, which included bank details and the sorts of things identity thieves crave. The study concluded around 40% to 50% of the second hand hard disk drives they randomly purchased held sensitive data which could be recovered by pretty much anyone with half a brain.

I have to say, I am not surprised by this study’s outcome, which highlights the problem of hard disk disposal by both organisations and especially individual home users, who simply neglect to properly erase their personal information from their computer hard disks before selling or disposing of their old computers. Over a year ago I posted about this subject using a hypothetical story - http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html I have come across several real incidents where personal computers had been donated to charities by way of the old computer equipment recycle bins at local supermarkets and rubbish tips (or as the Council calls them, household waste and recycling centres). These computers end up in places like West Africa, UK young offender’s institutions and youth clubs etc., where new PC users soon discover the original owner’s personal information and website access credentials, and unsurprisingly go on to compromise the bank account and the various online websites used by the original owner. Now that’s gratitude for you!

Anyway on to the big question and what the media stories avoided explaining…

What should we do to ensure our personal information is "gone" from our old computer systems before flogging or binning them?

Well, removing the hard disk drive from the computer and hitting it repeatedly with a sledgehammer is not quite the best approach. Physically damaging a hard disk does not necessarily render the data held on it impossible to recover, but hey, it’s still better than doing nothing.

To do the job properly I recommend using a “Hard Disk Wiping” utility. Obviously the first thing you should do before using such a tool is ensure you have backed up all your data, as once you use a hard disk wiping tool, there is no way back.

There are several commercial hard disk wiping utilities available, but there are also some good free utilities which can adequately do the job. My personal favourites are "Darik's Boot And Nuke” aka “dban” http://www.dban.org/, and Eraser http://www.heidi.ie/node/6 (includes dban). [edit based on comments] Secure Erase is also highly recommended http://cmrr.ucsd.edu/hughes/SecureErase.html

Downloading and running these applications results in the creation of a bootable CD, which you use to boot your computer system directly into the tool. If you are a computer novice, you may want to ask that techie relative to help you out.

In terms of the actual disk wiping method, I always go with securely wiping hard disks to the US Department of Defense standard, by selecting the “US DoD 5220-22.M” option, which will prevent even government secret service forensics experts from recovering the data, never mind petty ID thieves. Some say this level is a little over the top for a personal computer, but if you don't mind the "extra wait" for the process to complete, where's the harm, hey!

After completion of the hard disk wiping, it’s always a good idea to double check the wipe actually worked by trying to boot the computer normally. And if you are super paranoid after applying the DoD 5220 disk wiping standard, go ahead and take your sledgehammer to the hard disk if you really want to.
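To show the two steps the post relies on (a multi-pass overwrite of the whole medium, then a read-back check that the wipe actually worked) here is an added example, not code from the original post or from dban/Eraser. It assumes a POSIX shell with dd, head and grep, and uses an ordinary file with constructed sample content as a stand-in for the disk so it can be run safely.

```shell
#!/bin/sh
# Added example: overwrite a target three times (random, zeros, random) and
# then confirm that known content is no longer readable from it.
# A regular file stands in for the disk here; the logic is the same for a
# block device when run from a boot medium.

# Overwrite every byte of TARGET in place, keeping its size unchanged.
wipe_target() {
    target="$1"
    size=$(wc -c < "$target" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    for pass in 1 2 3; do
        case "$pass" in
            2) src=/dev/zero ;;     # middle pass writes zeros
            *) src=/dev/urandom ;;  # first and last passes write random bytes
        esac
        head -c "$size" "$src" | dd of="$target" bs=4096 conv=notrunc 2>/dev/null || return 1
    done
    sync   # make sure the final pass has actually reached the medium
}

# Return 0 only if MARKER (a string known to have been on the target) is gone.
verify_wiped() {
    target="$1"; marker="$2"
    if grep -aq -- "$marker" "$target"; then
        return 1   # original content is still readable: the wipe failed
    fi
    return 0
}

# Self-contained demonstration: build a constructed "disk" holding a fake
# account number, wipe it, and check both size preservation and erasure.
demo_wipe() {
    tmp=$(mktemp) || return 1
    marker="ACCOUNT-NUMBER-12345678"   # constructed sample content
    { printf 'Name: A. Person\n%s\n' "$marker"; head -c 20000 /dev/zero; } > "$tmp"
    before=$(wc -c < "$tmp" | tr -d ' ')
    wipe_target "$tmp" || { rm -f "$tmp"; return 1; }
    after=$(wc -c < "$tmp" | tr -d ' ')
    status=0
    [ "$before" -eq "$after" ] || status=1   # the whole medium must be covered
    verify_wiped "$tmp" "$marker" || status=1
    rm -f "$tmp"
    return $status
}
```

Calling `demo_wipe` returns 0 when the constructed content has been overwritten and the target size is unchanged; the `verify_wiped` read-back is the same idea as the post's "try to boot it afterwards" check, just done against a known string.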

There are file level secure deletion tools such as http://www.fileshredder.org/, but for me, if you are selling or disposing of a computer holding a hard disk, or just a hard disk itself, which has held personal information, you should go with wiping the entire hard disk rather than individual files. This ensures nothing is missed; it is surprising where your personal details end up being stored within a Windows system.

If anyone has any other disk wiping utilities they would like to recommend or novel ways of physically destroying hard disk drives, please go ahead and post a comment.

[edit] NIST have the ultimate say on this subject, read http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Monday 27 April 2009

Should companies block Twitter?

Recently I have heard several security professionals say Twitter is a source for corporate information leakage, and therefore must be blocked by businesses using web filtering.

Should companies block Twitter? In my view the question is wrong, as I don’t think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be how businesses better educate their employees in the usage of social networks such as Twitter; educating instead of blocking will surely do a better job of mitigating the risks of information leakage and company reputation damage, the latter being the most likely outcome of unchecked employee social network website usage.

Twitter allows a person to make a 140 character statement to the entire world, so in terms of information leakage it’s not about controlling data files leaving an organisation; the most someone can do is send an Internet link along with some text, albeit the text element could be company sensitive or damaging information. However, blocking Twitter usage with corporate network web filtering will not prevent employees using Twitter, as staff can simply tweet updates using their mobile phones, or just wait until they get home, or even find a free WiFi connection when on the road. So my conclusion is blocking will do little to mitigate risk. The answer is to educate employees and provide them with rules (a policy). Everyone in the business should be clearly made aware of what is acceptable and not acceptable to say about their company, their job role, work colleagues, managers and customers publicly (on the Internet), whether it is on Twitter, Facebook, company emails, on web forum postings or even down the pub in conversations with their friends.

Business Directors and Senior Managers argue Twitter and other social networking websites should be blocked in the name of productivity, which is a fair and valid point, but then the question is not about managing risk at all, but about business productivity, which is a business and possibly HR question. Using “Security” to drive and hide the productivity reason to block social networking is wrong and sends out the wrong message to the user base. In my view, Security Managers need to be encouraging company staff to be onside with the security programme, not getting staff's "backs up" and pitting them against the security programme, as ultimately business security always comes down to the individual business employees, who should be and need to be supportive of the security programme, and coached to be security proactive and aware. It's these individuals who can have the biggest impact in mitigating information leakage risk.

Finally, in recent times more and more people are being sacked for Twittering, including recently a magistrate http://news.bbc.co.uk/1/hi/england/shropshire/8018471.stm and a prospective Cisco employee http://today.msnbc.msn.com/id/29796962/#storyContinued. So understanding the acceptable social network boundaries is not just in the interest of the company, but in the interest of each business employee, who needs to be told and to understand the social networking line which shouldn’t be crossed. I think many companies today are not doing a great job in clearly explaining those boundaries to their employees.