Newsletter December 2007

~~~~~~~~~~~~
Erasing your Tracks
~~~~~~~~~~~~
This may sound crazy, but it was not too long ago that a research team in England purchased and analyzed 11 supposedly clean hard drives, bought for less than £1,000, and found that more than half still contained personal information. This included national insurance numbers, evidence of a married woman’s affair and detailed biographical information about children.

Why did that happen? As it turns out, when you delete a file in Windows and many other operating systems, the file data does not actually get removed. The operating system basically removes the reference to the data so it is no longer “seen”. Eventually the space the data takes up will be overwritten, but with the right software it is recoverable up to a certain point.

In the English study, ninety-seven of the hard drives were bought on eBay and four at car boot sales. As a control experiment, ten drives were also sourced from LCS Remploy, a company specialising in the destruction of data. All proved to be clean.

The original owners of the other 101 drives included universities, multinational companies and a Church of England primary school in East Yorkshire, all of which were breaking the Data Protection Act (in England) by failing to dispose of the information effectively.

Now, you may not think that any of your data is sensitive, and that may be true. However, if you keep any financial records, spreadsheets, or sensitive data (such as a Quicken or Money file), would you really want that to end up in the hands of someone else? Of course you do not.

Unfortunately, you need to do more than just format your hard disk. It’s not even sufficient to overwrite and fill your hard disk with non-sensitive information. In 1996 Peter Gutmann published a paper describing techniques for making it as difficult as possible for an attacker to recover data from magnetic media. Basically, it comes down to scrubbing the disk a number of times with random data.

Fortunately, there are several ways to handle securely erasing your data. My favorite (and free) application to do the task is Eraser. You install the program (for Windows – Linux and Mac have tons of tools for this), and secure erasing is as easy as right-clicking a file and choosing “erase”. You can send files to the Recycle Bin as normal, right-click the Recycle Bin and erase all the files in there. You have the ability to increase or decrease your erasure passes (more passes = more secure), and you can create a “nuke floppy” to erase an entire drive. Plus, it has the option to erase just the free space on your hard drive. In other words, it will remove the files.

Eraser
http://www.heidi.ie/eraser

What is Eraser?
Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS.
Eraser is FREE software and its source code is released under GNU General Public License.

The patterns used for overwriting are based on Peter Gutmann’s paper “Secure Deletion of Data from Magnetic and Solid-State Memory” and they are selected to effectively remove magnetic remnants from the hard drive.

Other methods include the one defined in the National Industrial Security Program Operating Manual of the US Department of Defence and overwriting with pseudorandom data. You can also define your own overwriting methods.

~~~~~~~~~~~~
Security for your Computer Data
~~~~~~~~~~~~

It seems that every other day there is a report of a new malicious virus or piece of malware. Unfortunately, most of these attack Windows computers, and even more unfortunately 90% of us are running Windows as our main operating system. Although hackers, trojans, and viruses rarely try to find sensitive data (most setup your computer as a zombie), there are occasions when your sensitive data can be at risk.

Most people also do not realize that emails are sent in plain text. It never ceases to amaze me when one of my web design clients wants to have users send credit card information through a web form – like on a “contact us” page. It does not matter whether the browser session is using SSL (when you see the little padlock in your browser). Once you have submitted your information to the website, that session is over. If the information is then sent from the webserver to the company via email, it just flew through the Internet in absolutely plain text just begging to intercepted at any of 100 points along the way. This is a big no-no, and I have refused to do websites for clients who insist on doing this.

So what are you supposed to do? Is there a way to really secure your data on your computer? What about your email?

Fortunately, there are several ways to do all of the above. Even better is the fact that open source software or free software is available to do it. With a little bit of research and reading, you can encrypt your data and feel very secure. I use these applications anytime that I am dealing with sensitive client data or even personal data that I do not want to share.

Following are some links to free software to do this. If you have any questions about using them, send me an email or give me a call. Better yet, schedule a training session with me. This applies to businesses with sensitive data or home users.

TrueCrypt – Free Open-Source On-The-Fly Disk Encryption for Windows XP/2000/2003
www.truecrypt.org

Main Features:

* It can create a virtual encrypted disk within a file and mount it as a real disk.

* It can encrypt an entire hard disk partition or a device, such as USB memory stick, floppy disk, etc.

* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (more information may be found here).

2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be distinguished from random data).

* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent (256-bit key), Triple DES, and Twofish (256-bit key). Supports cascading (e.g., AES-Twofish-Serpent).

* Based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997.

KeePass Password Safe
http://keepass.sourceforge.net

KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

Enigmail
http://enigmail.mozdev.org

Enigmail is an extension to the mail client of Mozilla / Netscape and Mozilla Thunderbird which allows users to access the authentication and encryption features provided by GnuPG (see screenshots).

Enigmail is open source and dually-licensed under the GNU General Public License and the Mozilla Public License. You can download and install Enigmail from the Download page. See the Help page for post-installation instructions.

GnuPG
http://www.gnupg.org
*Note: you will need this for the enigmail extension for Thunderbird

GnuPG stands for GNU Privacy Guard and is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.

~~~~~~~~~~~~~~
FREE SOFTWARE: Google Local
~~~~~~~~~~~~~~

Since most of this edition’s newsletter has offered free security software, I decided to make use Google’s local search for the “Free Software”.

Google Local offers an easy way to search for local events or businesses in your town. The results are very accurate and the service is far easier to use than MapQuest or Expedia. Also, Google appears to be using their map technology with the local service.

http://local.google.com