Thursday, 7 May 2009

Secure Hard Disk Wiping & Disposal

A study by researchers from the University of Glamorgan and BT resulted in several alarming privacy headlines in the media today - http://news.bbc.co.uk/1/hi/wales/8036324.stm The study involved purchasing old computer equipment from trade fairs and online auctions in the UK, US, Germany, France and Australia, and recovering data from the purchased items. The researchers were able to recover a raft of personal and sensitive data from the hard disks, including detailed medical records from a Scottish NHS Trust, military secrets, business financial transactions and a variety of personal information, including bank details and the sorts of things identity thieves crave. The study concluded that around 40% to 50% of the second-hand hard disk drives they randomly purchased held sensitive data which could be recovered by pretty much anyone with half a brain.

I have to say, I am not surprised by this study's outcome, which highlights the problem of hard disk disposal by both organisations and especially individual home users, who simply neglect to properly erase their personal information from their computer hard disks before selling or disposing of their old computers. Over a year ago I posted about this subject using a hypothetical story - http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html I have come across several real incidents where personal computers had been donated to charities by way of the old computer equipment recycling bins at local supermarkets and rubbish tips (or as the Council calls them, household waste and recycling centres). These computers end up in places like West Africa, UK young offenders' institutions and youth clubs, where new PC users soon discover the original owner's personal information and website access credentials, and unsurprisingly go on to compromise the bank account and the various online websites used by the original owner. Now that's gratitude for you!

Anyway on to the big question and what the media stories avoided explaining…

What should we do to ensure our personal information is "gone" from our old computer systems before flogging or binning them?

Well, removing the hard disk drive from the computer and hitting it repeatedly with a sledgehammer is not quite the best approach. Physically damaging a hard disk does not necessarily make the data on it unrecoverable, as the platters can survive and be read in a lab, but hey, it's still better than doing nothing.

To do the job properly I recommend using a "Hard Disk Wiping" utility. Obviously the first thing you should do before using such a tool is ensure you have backed up all your data, as once you use a hard disk wiping tool, there is no way back.

There are several commercial hard disk wiping utilities available, but there are also some good free utilities which can adequately do the job. My personal favourites are "Darik's Boot And Nuke" aka "dban" http://www.dban.org/, and Eraser http://www.heidi.ie/node/6 (includes dban). [edit based on comments] Secure Erase is also highly recommended http://cmrr.ucsd.edu/hughes/SecureErase.html; it issues the drive's own built-in ATA Secure Erase command rather than overwriting from the host, so it also reaches sectors the drive has remapped out of normal use.

Downloading and running these applications results in the creation of a bootable CD, which you use to boot your computer directly into the wiping tool. If you are a computer novice, you may want to ask that techie relative to help you out.

In terms of the actual disk wiping method, I always go with wiping to the US Department of Defense standard by selecting the "DoD 5220.22-M" option (multiple overwrite passes with verification), which puts the data well beyond the reach of petty ID thieves. Some say this level is over the top for a personal computer, and NIST SP 800-88 (linked at the end of this post) does treat a single complete overwrite pass as adequate for a magnetic hard disk, but if you don't mind the extra wait for the process to complete, where's the harm hey!

After completion of the hard disk wiping, it's a good idea to double check that it actually worked. Trying to boot the computer normally is the quick test, but a failed boot only proves the boot sector is gone; a proper check is to read the disk back and confirm that nothing but the wipe pattern (all zeros, for a zero-fill) is left on it. And if you are super paranoid after applying the DoD 5220.22-M wipe, go ahead and take your sledgehammer to the hard disk if you really want to.
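As an added example (not code from the original post, nor from DBAN or Eraser), the script below does the "read it back" check properly: a single zero-fill pass over a disk image, then a read-back that reports the offset of the first non-zero byte, either over the whole disk or over a handful of evenly spaced sample windows. The function names, the 1 MiB chunk size, the sampling strategy and the constructed image file are all assumptions for the illustration; pointed at a real block device (as root, with great care) it would behave the same way.

```python
"""Added example (not code from the original post, DBAN or Eraser): a single
zero-fill pass over a disk, followed by reading the disk back to confirm that no
non-zero byte survived.  This is the check the post suggests doing by rebooting,
done properly.

PATH may be a disk image file or, run as root and with great care, a raw block
device such as /dev/sdb on Linux.  Overwriting is destructive: back up first.
"""
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB blocks (assumption for the example)


def _size_of(fd):
    # Seeking to the end yields the size of both regular files and Linux block devices
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_with_zeros(path):
    """One pass of zeros over every byte of PATH, flushed to the medium; returns the
    number of bytes written.  NIST SP 800-88 treats a single full overwrite as
    adequate for a magnetic hard disk (it is not reliable for flash/SSD media,
    which need the drive's own secure erase command)."""
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _size_of(fd)
        zeros = bytes(CHUNK)
        written = 0
        while written < size:
            written += os.write(fd, zeros[: min(CHUNK, size - written)])
        os.fsync(fd)
        return written
    finally:
        os.close(fd)


def first_nonzero_offset(path, samples=None, window=CHUNK):
    """Offset of the first non-zero byte found, or None if every byte read was zero.

    samples=None reads the whole disk (slow on a big drive, but conclusive);
    samples=N reads N evenly spaced windows of WINDOW bytes, which is quick but is
    only evidence, not proof, that the wipe completed."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _size_of(fd)
        if samples is None:
            offsets = range(0, size, window)
        else:
            offsets = [i * size // samples for i in range(samples)]
        for off in offsets:
            os.lseek(fd, off, os.SEEK_SET)
            data = os.read(fd, window)
            if data.count(0) != len(data):  # cheap test: is the block all zeros?
                return off + next(i for i, b in enumerate(data) if b)
        return None
    finally:
        os.close(fd)


def wipe_verified(path, samples=None):
    """True when no non-zero byte was found."""
    return first_nonzero_offset(path, samples) is None


def make_image(size, dirty_at=None):
    """Constructed test input standing in for a real disk: a zero-filled image file
    with an optional leftover record written at DIRTY_AT."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    with open(path, "r+b") as f:
        f.truncate(size)  # sparse file, reads back as zeros
        if dirty_at is not None:
            f.seek(dirty_at)
            f.write(b"ACCOUNT 12345678 SORT 01-02-03")  # constructed, not real data
    return path


if __name__ == "__main__":
    img = make_image(8 * CHUNK, dirty_at=3_000_000)
    print("before wipe, first non-zero byte at:", first_nonzero_offset(img))
    overwrite_with_zeros(img)
    print("after wipe, verified clean:", wipe_verified(img))
    os.unlink(img)
```

The sampled mode exists because a full read of a multi-hundred-gigabyte drive takes hours; use it to catch a wipe that was interrupted or never started, and do the full read before the disk leaves your hands. A multi-pass tool such as DBAN ends with its own verification pass, but reading the disk back with a separate tool is the independent check.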

There are file level secure deletion tools such as http://www.fileshredder.org/, but for me, if you are selling or disposing of a computer holding a hard disk, or just a hard disk itself, which has held personal information, you should wipe the entire hard disk rather than individual files. This ensures nothing is missed; it is surprising where your personal details end up being stored within a Windows system (the swap and hibernation files, temporary folders and browser caches, for a start).

If anyone has any other disk wiping utilities they would like to recommend or novel ways of physically destroying hard disk drives, please go ahead and post a comment.

[edit] NIST have the ultimate say on this subject; read http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Monday, 27 April 2009

Should companies block Twitter?

Recently I have heard several security professionals say Twitter is a source for corporate information leakage, and therefore must be blocked by businesses using web filtering.


Should companies block Twitter? In my view the question is wrong, as I don't think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be: how do businesses better educate their employees in the use of social networks such as Twitter? Educating instead of blocking will surely do a better job of mitigating the risks of information leakage and company reputation damage, the latter being the most likely outcome of unchecked employee social networking usage.

Twitter allows a person to make a 140 character statement to the entire world, so in terms of information leakage it's not about controlling data files leaving an organisation; the most someone can do is send an Internet link along with some text, albeit the text could be company sensitive or damaging information. However, blocking Twitter with corporate web filtering will not prevent employees using Twitter, as staff can simply tweet updates from their mobile phones, or just wait until they get home, or even find a free WiFi connection when on the road. So my conclusion is blocking will do little to mitigate the risk. The answer is to educate employees and provide them with rules (a policy). Everyone in the business should be clearly made aware of what is acceptable and not acceptable to say about their company, their job role, work colleagues, managers and customers publicly (on the Internet), whether it is on Twitter, Facebook, in company emails, in web forum postings or even down the pub in conversation with their friends.

Business directors and senior managers argue Twitter and other social networking websites should be blocked in the name of productivity, which is a fair and valid point, but then the question is not about managing risk at all, but about business productivity, which is a business and possibly HR question. Using "security" to drive and hide the productivity reason for blocking social networking is wrong and sends the wrong message to the user base. In my view, security managers need to be encouraging company staff to be onside with the security programme, not getting staff's "backs up" and pitting them against it, as ultimately business security always comes down to the individual employees, who should be and need to be supportive of the security programme and coached to be security proactive and aware; it's these individuals who can have the biggest impact in mitigating information leakage risk.

Finally, in recent times more and more people are being sacked for Twittering, including recently a magistrate http://news.bbc.co.uk/1/hi/england/shropshire/8018471.stm and a prospective Cisco employee http://today.msnbc.msn.com/id/29796962/#storyContinued. So understanding the acceptable social network boundaries is not just in the interest of the company, but in the interest of each employee, who needs to be told and to understand the social networking line which shouldn't be crossed. I think many companies today are not doing a great job of clearly explaining those boundaries to their employees.

Wednesday, 8 April 2009

Big EU is Watching You

As of last Monday all Internet Service Providers (ISPs) in the European Union (EU) are required to store the details of every email and every internet phone call placed by anyone, for at least one year. Principally this European law is in the name of protecting us all from terrorism. Let me make it crystal clear: this law is not about collecting and storing email and internet phone call content, just tracking the "when", "the sender" and "the recipient"; think of the information listed on your telephone bill, which telecoms companies are already legally required to store.

Most ISPs in Europe already store this type of information, with the email information used to help fight spam, for instance. Despite this, most ISPs were dead against the law due to the hassle factor, but in the UK ISPs have been "talked round" thanks to the UK government offering to reimburse ISPs for the cost of storing and maintaining the data.

So why the law? Well, I think one of the key reasons is to allow EU governments "easier" and direct access to the information en masse, so bypassing the legal system (no court orders). Wait a minute, isn't the legal system in place to protect individuals from governments? I think we can assume this information will be used for data mining, as well as for specific investigations of individual suspects. By data mining, I mean scanning these vast amounts of electronic communications data for patterns which match terrorist activity, whereby the system analyses the data and then spits out the names of those it deems to be terrorist suspects.

It’s not about the “Chatter”
In the Second World War, before the German Enigma machine encryption was cracked, UK intelligence would look for "chatter", that is, tracking the number of encrypted communications being sent; spikes in encrypted communications usually meant a German attack was being organised and was therefore about to occur. The Germans counteracted this by having all Enigma operators send random messages periodically, so the spikes were not so obvious; in fact this countermeasure actually helped with the breaking of the Enigma code.
Anyway, my point is that looking for "chatter" in high volume email and internet telephone calls to predict a terrorist attack is not likely to work, as unlike the mobilising of large military forces to carry out an attack, terrorist groups are very small and very insular in nature, and generally very careful with their communications, which is why they aren't discovered in the first place. Given the vast amount of daily communication taking place over the EU part of the Internet, I just can't see how it is possible to see terrorism communication chatter spikes, so this law cannot be about using chatter to help prevent or prepare against a terrorist act; not that anyone has said this publicly, but it's worth pointing out.

If anyone knows how the data mining of millions of daily EU electronic communications is going to protect us from terrorist attacks, I'd love to know. In my view, surely it is much better to target our anti-terrorism resources with good old fashioned "police work" approaches, and so investigate individual suspects and infiltrate suspect groups, rather than assume everyone is a suspect. Good luck if this big brother system decides you are a terrorist suspect, as ironically you will be the last person to find out if it does.

Monday, 30 March 2009

Protect Your Identity & Don’t Implicitly Trust

I was looking at new cars over the weekend. I saw a car I liked and naturally wanted to take it out for a test drive. On making this request, the car sales guy immediately asked to see my driver's licence or credit card. A little puzzled by the "or credit card", I asked whether he needed either one to prove I was lawfully allowed to drive, or for identification purposes. The sales guy told me it was their policy, and that they needed it to prove my identity and to keep hold of for "security" while I took the car out.
Identity theft is the fastest growing crime in the UK, and there are certain elements we cannot control in protecting ourselves, such as when companies lose our personal information or have it stolen. But there are many elements we can still control, such as protecting the personal information we have in our possession. A UK driver's licence is one of the strongest forms of proof of identity in the UK, and therefore has value to identity thieves, who can easily clone fake versions using your details and their picture. Therefore the last thing anyone should be doing is implicitly trusting companies and strangers to hold these important forms of personal identification, especially if the document is going to be held out of sight for any period of time, or be photocopied.

It's clear many people are not doing enough to protect their identities, as the sales guy's response was to tell me not to worry, as they do this all the time, and then to inform me that my driver's licence would be photocopied, but the details would be kept safe. Noooo! It doesn't need a formal risk assessment to establish there was no way I was going to implicitly trust a car salesman with anything, let alone my key personal details and documentation.

So I came up with my own very simple solution: I just had the sales guy accompany me on the test drive, so I didn't allow a total "stranger" to hold on to and copy one of my key identity documents, and the salesman could be sure I would return with the car. By the way, I didn't buy the car!

Before handing over identity documents, just consider whether it is actually necessary; don't be afraid to question what they are needed for, and whether they will be photocopied. Consider what may happen to your identity documentation while it is out of your sight. Heaven forbid if it is photocopied, as at that point you lose complete control over protecting the document, and another element of your identity protection.

Friday, 20 March 2009

UK Payment Card Fraud Continues to Soar

APACS, the UK trade association for payments and payment service providers, has released its annual statistics on UK payment (credit) card fraud losses. As expected, the APACS statistics show UK payment card fraud is continuing to rise, breaking the £600 million a year mark for the first time: 2008 fraud figures announced by APACS

In these times of billion pound bank bailouts, these figures might seem small fry, but we should remember these fraud costs are indirectly paid for by all of us payment card holders, and are recouped by card providers through higher interest rates and various charges. The card issuers and banks do cover consumers against payment card fraud losses and usually reimburse all fraudulent card transactions, but just as insurance fraud losses are factored into our insurance premiums, payment card fraud losses are passed on to consumers, so in the grand scheme of things we all foot the bill for payment card fraud in the UK. So we really ought to care more about these rising trends in UK payment card fraud, which increased by 14% in 2008. We should be questioning what the payment card industry and merchants are doing to tackle this problem and protect our payment card information.

Another factor card issuers and banks overlook is the personal stress and inconvenience card fraud causes the victim, especially if a bank (debit) card is compromised and the money leaves the victim's own account.

I'll break down the APACS stats in another blog entry over the next couple of days, explaining the trend, and the impact of the introduction of Chip & PIN in the UK.

As APACS released the UK payment card fraud loss stats for 2008, the BBC published an undercover investigation report which exposed how UK payment card and personal details can be stolen to order from an Indian Call Centre: BBC Overseas credit card scam exposed. Call Centres are one of the prime locations for targeted information theft, particularly insider theft of payment card information. It can be such a lucrative trade that, not surprisingly, Call Centres are actively targeted and even infiltrated by criminal gangs.

UK based Call Centres are problematic enough to secure against these types of threats; however, where UK companies outsource or move their call centre function offshore to save money, the risk of fraud, in my view, increases. Why? Well, to be perfectly blunt, crime rates are just a lot higher and less controlled in places like India than in the UK. Secondly, UK companies generally do a very poor job of validating the security of their offshore, mostly third-party operated, Call Centres due to the distant location. Companies often assume the required security policies and procedures are being practised, and rarely conduct on-site security audits of the offshore Call Centre. Finally, it is extremely difficult to criminal-record and credit check nationals in countries like India, because of the population size and commonality of names. So it is of no real surprise to me when I read these types of stories, as it's been happening for years now. I guess due to the quick reimbursement process with UK card fraud, UK consumers tend not to question how their card details were stolen in the first place, and so such Call Centre operations aren't put under the required scrutiny. I always avoid providing my card details over the phone to anyone at all costs; it's actually safer to pay online or in person than to tell someone you can't even see your card and personal information.

The Payment Card Industry (PCI) has a Data Security Standard (PCI DSS), which all merchants and payment processors are supposed to comply with, but what I find interesting in my card fraud research is that most Call Centres, UK based or not, just aren't complying with the PCI standard. It's routine to record all calls, so these voice recordings end up holding volumes of card information and are often left unprotected, while operators routinely write down full payment card details, including the 3 digit security code, often known as the CVV2 number. PCI DSS requires that the security code is never stored after the transaction is authorised (so it must not be written down, and must not be left sitting in call recordings either), and that's for a good reason: to help prevent card fraud.
So if you are a generally low-paid Call Centre operator, you have all the information you need to commit card fraud against countless victims: a full name, a full address, full card number, card expiry date and the security code, plus other personal data such as email address. Combining a payment card with a profile of personal details about the card holder increases its black market value tenfold. I find most dodgy Call Centre operators who "skim" card payment details don't actually commit the fraudulent transactions themselves, but tend to sell the card information on to other criminals, so a real division of labour.
Thanks to the global economic downturn, and judging by what I'm seeing on the ground, I think it's safe to say UK payment card fraud will continue to soar into 2009. As payment card holders, be mindful in protecting your card information, so when that hotel receptionist over the phone asks for your card's CVV2 number as part of the booking process, question it and refuse. And most importantly, scrutinise your card statements, as an unknown percentage of card fraud goes completely unnoticed by us consumers, and so is not refunded by card issuers and does not appear in those APACS card fraud statistics.

Tuesday, 17 March 2009

BBC Click’s Pointless & Unethical Botnet usage

After watching the latest BBC Click technology programme (see http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm, and watch on BBC iPlayer, UK only), it is clear BBC Click not only controlled a botnet of 1,696 PCs to send spam emails, but actually paid criminals for the privilege! The angle for the BBC Click programme was to illustrate and highlight the internet botnet problem, which to be fair is a good awareness objective and interesting; however botnets have been widely known about for many years now, certainly within security circles anyway.

"After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine." - BBC Click

I'm ALL for raising awareness of cybercriminal activities, but I think the BBC Click programme crossed the ethical line on this one, in that they actually used a botnet (namely thousands of PCs infected with centrally controlled malware) without the PC owners' permission to send out spam emails, which is not just an illegal act in my view but a pretty immoral way to make a point. Furthermore I am troubled that the BBC paid criminals thousands of pounds of licence payers' money to buy the botnet. I think they were ill-advised to take this course of action; surely the programme makers could have spoken with any one of the many security vendors at the forefront of dealing with and understanding the intricacies of botnets instead.

Many security vendors and organisations have a wealth of real world information and data on botnets accumulated over many years, as well as on the botnets' key output, namely spam emails, and to a lesser extent the use of botnets in denial of service attacks.

I mean, wouldn't it be completely unacceptable to use thousands of pounds of licence payers' cash to buy drugs, just to prove there is a drugs problem, when everyone already knows there is a drugs problem?

I don't enjoy bashing the BBC, as I am a huge fan of their many excellent services on TV, radio and online; however I think they dropped the ball with this one.

I carry out a great deal of research on cybercriminal activity and methodology myself, especially with online payment card fraud. However I am extremely careful never to cross the ethical and law-breaking line, even though it can be highly frustrating at times. For instance I would consider it highly unethical to purchase stolen payment card details from a cybercriminal, and it certainly would be illegal (it's fraud) to try to use stolen credit card information just to prove a point. Despite some frustrations, I generally find such limits within my own research do not affect my ability to produce good results and raise awareness of important security issues.

In fact I have been asked to perform unethical and illegal criminal and hacking actions on several occasions by reporters working for national newspapers, all of which I have refused on ethical grounds.

So I guess I'm pretty disappointed with the BBC Click programme, as I am sure they could easily have illustrated botnet usage within a lab environment, and backed this up with real world factual data on criminal botnet usage from the anti-spam vendors.

Thursday, 5 March 2009

Spotify: An Application Security Vulnerability

Yesterday Spotify, a Swedish online music/social networking type business, announced their music application had been successfully breached by a "Group". The attackers managed to exploit what Spotify describe as a "bug" in their software, which is PR spin; maybe it is a bug, or just bad application design causing the issue, but most security professionals would describe it as a security vulnerability within the application. This vulnerability was fixed on 19th December 2008.

I don't know how or even whether Spotify had been testing their application for security vulnerabilities, but in my view it's fairly likely a decent third party application penetration test or code review would have uncovered the vulnerability long before it was taken advantage of by the mystery Group. I think it's dangerous to assume only the "Mystery Group" had taken advantage of the vulnerability, as alluded to in the Spotify breach statement. Just who this Group is and their motives for illegally exploiting personal details are unknown to me at the time of writing.

Credit where credit is due, the Spotify application account management did not store passwords in plaintext, but hashed each password (i.e. stored a fixed-length value produced by running the password through a hashing algorithm, from which the password cannot simply be read back) together with a unique random value (a salt) for each user, so that two users with the same password end up with different stored hash values. This is application security best practice, unlike what we saw with the recent Monster website breach. It was these salted password hashes, along with account holders' personal details, which were compromised within the application.

Despite the good use of "salted" hashing, an individual password hash value can still be "brute forced" or run through a "dictionary attack" by the attacker to obtain the original password in plaintext. What the salt prevents is doing this en masse: without it, one precomputed table of the hashes of common passwords cracks every account using one of them in a single lookup; with a unique salt per account, the attacker has to repeat the whole wordlist for each account separately, and a deliberately slow hash makes each of those repeats expensive.
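To show the difference the salt makes, here is an added example (my illustration, not Spotify's code): the same five-word dictionary cracks a whole table of unsalted SHA-1 hashes in one lookup, but against per-user salted PBKDF2 records it has to be re-run per record and only recovers the one account it is aimed at. The iteration count, the wordlist and the sample passwords are constructed for the example.

```python
"""Added example (not Spotify's code): why a per-user salt stops an attacker
cracking a whole leaked password table at once.

Unsalted: one precomputed table of hash(candidate) cracks every user in one lookup.
Salted:   each record needs its own run through the wordlist, and the work is
          multiplied by the iteration count of a slow hash (PBKDF2 here).
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption for the example; production values go higher
WORDLIST = ["123456", "password", "letmein", "qwerty", "spotify"]  # constructed


def unsalted_hash(password):
    """A fast, unsalted hash: what a weak site stores, and what leaks."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted_table(leaked_hashes, wordlist):
    """Build the table once, then crack any number of unsalted hashes by lookup.
    Returns {leaked_hash: recovered_password} for every hit."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def make_record(password, salt=None):
    """Store (salt, hash).  The salt is random per user and is NOT a secret; its job
    is to make every stored hash unique even when the passwords are not."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(record, wordlist):
    """A dictionary attack against ONE salted record: the salt must be folded into
    every guess, so nothing computed for another user helps here."""
    for word in wordlist:
        if verify(record, word):
            return word
    return None


if __name__ == "__main__":
    leaked = [unsalted_hash(p) for p in ("password", "letmein", "Tr0ub4dor&3")]
    print("unsalted, cracked in one lookup:", crack_unsalted_table(leaked, WORDLIST))
    a, b = make_record("letmein"), make_record("letmein")
    print("same password, different salted hashes:", a["hash"] != b["hash"])
    print("salted, one record per wordlist run:", crack_salted(a, WORDLIST))
```

The lookup-table attack costs one hash per wordlist entry no matter how many users leaked; the salted attack costs one slow PBKDF2 run per wordlist entry per user. Salting does not save an account whose password is in the wordlist, which is why the advice below about not reusing passwords still applies.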

Spotify were keen to stress that credit card details were not stolen; however credit card information isn't always the prime target for an attacker. Personal information can be worth much more than credit card details on the black market. Obtaining a person's website password together with a raft of personal information, especially the person's email address and login handle, is highly valued by Internet based fraudsters. Why? Because most people tend to use the same login credentials on all their website accounts; the average internet user tends not to understand the importance, or just poorly risk assesses the importance, of using different passwords for their Facebook and online banking web accounts.

If you signed up to Spotify prior to 19th December 2008, then in addition to the Spotify advice, ensure you are not using the same password on other websites (do this anyway!); if you are, it goes without saying to change those passwords as soon as possible and double check nothing untoward has occurred with those web accounts.

Wednesday, 18 February 2009

UK Online Concert Ticket Scams are Rising

History shows that with economic downturns come increases in fraud, and as the economy continues to slide there are real rises in online fraud targeting citizens. According to a recent survey by the UK Office of Fair Trading, one in four UK citizens either has been, or knows someone who has been, a victim of an online phishing scam in the last 12 months, up from around one in six the previous year.

The reason why internet concert ticket scams are proving successful and are on the increase in the UK is that it's child's play for a fraudster to set up a very genuine-looking website in no time at all, which dupes the victim into trusting the website's ticket offerings and parting with their money. It's near impossible for the authorities to police and remove such websites until it's too late, while it's relatively simple for fraudsters to remain anonymous and make off with the victims' money without risk of being caught. Furthermore, some of these ticket scam fraudsters go on to use the victims' credit card details to commit further financial fraud against them.


Anyone seeking to buy tickets from unofficial sources online should exercise "glass half empty" caution, and be fully aware of the risks before providing their payment details; if it seems too good to be true, it usually is.

To underline the poor economic climate pushing an increasing fraud trend, it's worth noting several truly massive frauds involving banks have been alleged in recent months, such as those of Bernard Madoff and Stanford International Bank, so it looks like it's not just the small time criminals who are at it.

Thursday, 12 February 2009

TrueCrypt - The Best Open Source Security App (in my view)

During the week I was advising a group of techies about free anti-virus applications and free network vulnerability scanning applications and tools. I was asked, "What is the best free security application you have used to date?" Without any hesitation I replied TrueCrypt.

TrueCrypt is an example of an Open Source application at its best. In TrueCrypt we have a multi-platform application of real commercial quality, providing seamless "on-the-fly" encryption of file-hosted containers (mounted as virtual disks), disk partitions and entire hard disks, using industry standard algorithms. Yet TrueCrypt is completely free for anyone to download and use, local country laws permitting of course.
Main TrueCrypt Window
TrueCrypt is less than a 3 MB download and is compatible with just about any version of Microsoft Windows, including the 64-bit versions and Vista, as well as Mac OS X and Linux distributions. Taking well under a minute to install, TrueCrypt doesn't even require a system reboot and is quickly ready to go. TrueCrypt's speed of use and low background encryption overhead is testament to years of good open source development.
To download TrueCrypt, including the open source code visit - http://www.truecrypt.org/downloads.php
I have never had any problems installing and using the latest versions of TrueCrypt; however, before installing and deploying any application which is going to provide an encryption function on your system, I strongly advise backing up all your important files and data first.
TrueCrypt Volume Creation Wizard
The TrueCrypt "Volume Creation" wizard and detailed tutorial guides allow even non-techies to protect their valuable information in just minutes. For the encryption geeks like me, there's a whole raft of encryption and hash algorithm options to play with, such as AES, Twofish and Serpent (and cascades of them) on the encryption side, and SHA-512, Whirlpool and RIPEMD-160 on the hashing side; the hash is used when deriving the key from your password, not for encrypting the data itself.
TrueCrypt Volume Creation Wizard – encryption algorithms
To secure an encrypted volume, TrueCrypt gives the option of using a password, a "Key File" (any file you choose, whose contents are mixed into the password material when the volume key is derived; it does not hold the encryption key itself), or a combination of a Key File and a password, which controls and restricts access to the encrypted volume(s).

For the best level of protection I personally would go with using a password and a Key File, storing the Key File on a USB flash drive, but don't leave the USB flash drive in the system; keep it on your person (i.e. on a keychain). Doing this provides strong two-factor access control, which means you need to physically have the USB flash drive (hardware token), and you need to know the password. However I would say just using a good strength password is sufficient security for the average home user. Also it's very important to make sure you create a "Rescue Disk" and store it somewhere safe, just in case. Bear in mind that losing or altering a single byte of the Key File makes the volume impossible to open, so keep a backup copy of the Key File somewhere safe as well.
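To make the two-factor point concrete, here is an added example of the password-plus-keyfile idea. It is my illustration, not TrueCrypt's own header format or key derivation: the header layout (salt followed by an HMAC check value), the "volume-ok" label, the iteration count and the constructed keyfile are all assumptions. It shows that the password alone, the keyfile alone, or a keyfile with one byte changed all fail to unlock a volume created with both.

```python
"""Added example, an illustration of the password-plus-keyfile idea and NOT
TrueCrypt's own header format or key derivation: both factors feed the key
derivation, and the volume header carries a check value so the caller learns
whether unlocking worked (a real tool learns this by decrypting the header and
checking its integrity fields).
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumption for the example
SALT_LEN = 32
CHECK_LABEL = b"volume-ok"  # constant the header check value is computed over


def derive_master_key(password, keyfile_bytes, salt):
    """PBKDF2-HMAC-SHA512 over password || SHA-512(keyfile).  Hashing the keyfile
    first means a keyfile of any size contributes a fixed 64 bytes, so the
    concatenation is unambiguous; with no keyfile only the password contributes."""
    material = password.encode()
    if keyfile_bytes is not None:
        material += hashlib.sha512(keyfile_bytes).digest()
    return hashlib.pbkdf2_hmac("sha512", material, salt, ITERATIONS, dklen=32)


def _check_value(key):
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def create_header(password, keyfile_bytes=None):
    """Header = salt || HMAC(master_key, CHECK_LABEL).  The salt is public; the
    check value reveals nothing useful about the key but lets unlock() tell a
    wrong password or wrong keyfile from the right pair."""
    salt = os.urandom(SALT_LEN)
    key = derive_master_key(password, keyfile_bytes, salt)
    return salt + _check_value(key)


def unlock(header, password, keyfile_bytes=None):
    """Return the master key if password AND keyfile match the header, else None."""
    salt, check = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_master_key(password, keyfile_bytes, salt)
    return key if hmac.compare_digest(_check_value(key), check) else None


if __name__ == "__main__":
    keyfile = os.urandom(4096)  # constructed: the file you would keep on the USB stick
    damaged = bytes([keyfile[0] ^ 1]) + keyfile[1:]  # one bit flipped
    password = "correct horse battery staple"
    header = create_header(password, keyfile)
    print("password + keyfile :", unlock(header, password, keyfile) is not None)
    print("password only      :", unlock(header, password) is not None)
    print("keyfile, wrong pass:", unlock(header, "wrong", keyfile) is not None)
    print("keyfile damaged    :", unlock(header, password, damaged) is not None)
```

The damaged-keyfile case is the one to remember: the keyfile behaves like part of the password, so it needs backing up like the rescue disk, and the USB stick it lives on should never be the only copy.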
TrueCrypt has been developed for over 6 years by a community of clever folk (http://www.truecrypt.org), with "6.1a" being the latest version of TrueCrypt at the time of writing. I salute and heartily thank the community behind giving the world TrueCrypt, and let us not forget those boffins who designed and have allowed their encryption algorithms to become open as well, and therefore used by TrueCrypt. I recommend TrueCrypt to the business community and home users everywhere, but hey, just make sure you don't break your country's encryption laws when using it! ;)
If you use TrueCrypt, especially in a commercial capacity, please do the decent thing and make a donation (http://www.truecrypt.org/donations/). Donating will encourage further development of TrueCrypt and encourage the development of other Open Source security tools.
If anyone else reading this has any favourite “must have” free security applications or tools, please let me know, as I’m thinking about compiling a top ten list.