SecurePuter

Exploring Computer Security

SecurePuter featured on the InfoSecPlace Podcast

A big thanks to Michael Farnum for mentioning on the InfoSecPlace Podcast some new Computer Security Bloggers joining the ranks. I’m excited to be joining the infosec blogosphere and appreciate the mention on the podcast. I look forward to contributing to the Security Bloggers Network and to any comments or advice my professional colleagues may have.

I hope all have enjoyed the content thus far.

How to Create and Remember Multiple Secure Passwords

Create and Remember Secure Multiple Passwords

I was asked by a co-worker how I keep track of so many passwords for so many accounts, all of which have to change annually. I told her I use a custom formula in my head that allows me to determine what a password is on a given account. I don’t have to remember 100 passwords, only the formula.

Password Basics

Passwords are the oldest and most widely used form of authentication, but also the weakest. To get the biggest bang for your buck, choose a password that uses as many character classes as the system allows and is as long as you can manage: numbers, letters (both uppercase and lowercase), punctuation marks, any other symbols the system accepts, and at least 8 characters (longer is better). If you log into multiple systems or websites, vary your password as well. If one password is compromised, you don’t want the attacker to gain access to every account you own with it. Each account should have its own unique password.

You will want to develop a personal method of managing multiple passwords. That way you will only need to remember the method, not each individual password. To develop your personal technique, open your mind and create something easy to remember but hard to guess.

Create a Multiple Password Formula

This is an example. Design your own using any number of things. Take characteristics of your life that are static and some that are dynamic. Let’s create a 10 character password that is different for each system or website, and will be changed every year. We’ll need to create a formula that is simple to remember.

John Smith
Spouse: Kristen Smith
DOB: 04/12/1972

A fictitious password for a Fidelity account.

1st and 2nd character
The first and last letter of the computer or website’s name.
“fy” for Fidelity
This should change for each account. If the computer is named Yoda the characters would be “ya”; if it was Bank of America “ba”. Therefore, we have unique passwords for each account.

3rd character
A separation symbol
“.” A period
A non-alphanumeric character enlarges the alphabet an attacker has to search when trying to crack the password.

4th and 5th characters
Capitalized initials, but taken from the last letter of each name
“NH” for John Smith
Using both uppercase and lowercase letters doubles the alphabetic character set available at each position (26 letters become 52).

6th character
Another separator
“_” underscore

7th character
Last digit of my year of birth plus the last two digits of the current year, keeping only the last digit of the sum
“0” for ’72 plus ’08 (2 + 8 = 10, so “0”)
An easy mathematical equation that varies from year to year.

8th character
Capitalized first letter of Significant other’s name
“K”
A simple & easy to remember letter

9th and 10th characters
The last 2 digits of the current year
“08”
Another revolving couple characters that are used when changing passwords yearly.

Now when John Smith logs into Fidelity he types in “fy.NH_0K08”, which is much better than using a birthday such as “04121972.” An eight-digit birthday has only 10 to the 8th power possibilities; a 10-character password drawing on lowercase, uppercase, digits, and symbols gives a brute-force cracker a vastly larger space to search. One caveat: that protection assumes the attacker does not know your formula. If one of your passwords leaks together with the site name, the pattern is partly exposed, so keep the formula itself as secret as the passwords it produces.

Once you have a method of your own constructed, it will only be a short time until you have the formula memorized and it becomes just as simple as typing in a birthday. For John Smith all he has to remember is first and last letter of website, period, capitalized reverse initials, underscore, last number of DOB + year, capitalized K (note the ones that are capitalized are initials which is an easy association), and the current year.

You could get as extreme as you want with your own technique. Maybe take the first letter of the site, “F”, find its place in the alphabet, “6”, and use that to pick which letter of your name to use: John Smith, 6th letter, “m”. You see? This can get as difficult as you wish. Just make sure you’re not using the same password for each account and that it changes at least yearly.
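The formula above, implemented as an added example (this is not code from the post). It takes John Smith’s fictitious profile as constructed input, produces the per-account, per-year password, adds the alphabet-index twist from the previous paragraph, and computes the brute-force search space that the post compares against an all-digit birthday. The profile dictionary and the function names are assumptions made for this example.

```python
import math
import string

# Added example, not code from the post. John Smith's fictitious profile is the
# constructed sample input used in the article; nothing here is a real credential.
PROFILE = {
    "first": "John",
    "last": "Smith",
    "spouse_first": "Kristen",
    "birth_year": 1972,
}


def formula_password(account: str, profile: dict, year: int) -> str:
    """Derive the 10-character password the post's formula yields for one account.

    Layout: [site first letter][site last letter] . [last letters of first/last name, upper]
            _ [digit] [spouse initial, upper] [two-digit year]
    """
    name = account.replace(" ", "").lower()
    site_part = name[0] + name[-1]                                    # "fy" for Fidelity
    initials = (profile["first"][-1] + profile["last"][-1]).upper()   # "NH" for John Smith
    # Last digit of the birth year plus the two-digit year, keeping only the last digit of the sum.
    digit = str((profile["birth_year"] % 10 + year % 100) % 10)       # (2 + 8) % 10 -> "0"
    spouse = profile["spouse_first"][0].upper()                       # "K"
    yy = f"{year % 100:02d}"                                          # "08"
    return f"{site_part}.{initials}_{digit}{spouse}{yy}"


def rotate_passwords(accounts, profile: dict, year: int) -> dict:
    """The yearly rotation: one distinct password per account for the given year."""
    return {account: formula_password(account, profile, year) for account in accounts}


def alphabet_index_letter(account: str, profile: dict) -> str:
    """The post's 'more extreme' twist: the alphabet position of the site's first
    letter (F -> 6) picks the 6th letter of the owner's full name, spaces removed."""
    position = string.ascii_lowercase.index(account[0].lower()) + 1
    full_name = profile["first"] + profile["last"]
    return full_name[(position - 1) % len(full_name)].lower()


def keyspace_bits(password: str) -> float:
    """Size, in bits, of the brute-force space for a password of this length drawn
    from the character classes it actually uses. This is the comparison the post
    draws against an all-digit birthday; it assumes the attacker does not know
    the formula, which is the real secret here."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
    )
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)
```

For 2008, `formula_password("Fidelity", PROFILE, 2008)` returns “fy.NH_0K08”; bumping the year to 2009 changes both the 7th character and the trailing digits. `keyspace_bits` puts the birthday at roughly 27 bits and the formula password at roughly 66 bits, but note what that figure measures: the work for an attacker who has no idea how the password was built. An attacker who sees one leaked password and the site name only has to guess the inputs, which is why the formula deserves the same secrecy as the passwords.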

Password Reset Concerns

If you had a password formula such as this, you would rarely need to have your password reset. The questions often asked for password reset authorization are, in reality, a second password. A fellow security blogger wrote an article titled, “A Different Approach to Password Reset” that effectively outlines such concerns. Below is an excerpt.

Mother’s Maiden Name - public record
Street you grew up on - can be findable.
Place of Birth - discoverable
Name of Pet - guessable (top list of pet names on Internet, or just check their facebook)

Do yourself a favor and create your multiple password formula now.

CISSP Study Sheet Access Control

Series: CISSP Study Sheet
Entry: Access Control

The CISSP Study Sheet Series identifies the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. This second study sheet will focus on the Access Control domain.

Access Control Study Sheet

Access Control Attacks – Denial of Service, wardialing, brute force, shoulder surfing, dumpster diving, sniffing, spoofing, and dictionary attacks.
Identity Management – centralized technologies designed to control the access rights of specific identities, such as directory services (LDAP, NIS, X.500).
Data Classification – a multitier labeling of information that dictates how a piece of data should be treated.

Identification – unique usernames recognized on computer systems.
Authentication – proof of the claimed identity. Something you know…Something you have…Something you are.
Authorization – what the identity is permitted to do.
Accountability – the use of such things as audit trails to hold responsible the activity of the user.

Who you are… Ok, you are you…What can you do…What you did.

Preventative – access controls enabled to stop unwanted actions by blocking the ability to do them.
Detective – access controls that identify the unwanted actions after they have occurred.
Corrective – access controls which cure the enabling of unwanted actions and restore previous conditions.
Directive – government laws and organizational policy that determines what is allowable.
Deterrent – the repercussions of not following directives.
Recovery – access controls involving the restoration of computing resources after an incident.
Compensating – backup and contingency controls that reinforce normal operations.

Least Privilege – allowing for only the minimum resources needed to accomplish tasks.
Need to Know – not everyone with a secret clearance needs to know everything classified at secret. Certain information should remain only with the persons required to know it.
Separation of Duties – requires collusion of two or more people to commit fraud instead of a single entity having control of complete transactions.

Administrative – access controls related to policies and personnel, such as separation of duties and procedures.
Technical – logical access controls utilizing software and hardware solutions, such as encryption.
Physical – environmental and material access controls, such as doors and locks.

All Access Controls should default to no access.

Password – most used form of access control, but susceptible to brute force and dictionary attacks.
Passphrase – a series of words converted into a password that is not as vulnerable as a simple password.
Password Synchronization – allows users to access multiple systems with one password.
Self Service Password – the ability for users to reset their own passwords without administrative assistance.
Assisted Password Reset – Identification and authentication of a user prior to password reset. Usually through a question and answer process.
One Time Password – a password valid for a single login, generated synchronously (a time or counter based token) or asynchronously (challenge-response), to defeat shoulder surfing and replay attacks.
Single Sign On – centralized authentication database that gives access to numerous resources from one authentication, such as SESAME.
Kerberos – an SSO protocol in which the key distribution center (KDC) authenticates the user and issues a ticket granting ticket; the ticket granting service then issues service tickets carrying session keys, all within a single security domain (realm).

Discretionary Access Control (DAC) – data owner designated access via identity permissions of users or group.
Mandatory Access Control (MAC) – the system compares the sensitivity label on an object with the clearance of the subject; access is granted only when the subject’s label dominates the object’s, regardless of what the data owner wants.
Role Based Access Control (RBAC) – a nondiscretionary model in which access is assigned to roles that map to job functions; users inherit permissions through their role assignments rather than through the owner’s discretion.
Content Dependent Access Control – an object’s content is examined by an arbiter program to determine access, for example a database view that hides certain columns.
Nondiscretionary Access Control – access managed centrally by the system administrator (role or task based) rather than by the data owner.

Centralized Access Control – One individual, device, or group makes the decision for network access, such as RADIUS, TACACS+, and Diameter.
Decentralized Access Control – the network access decision is distributed locally, such as peer to peer.

Access Control Lists (ACLs) – a common DAC that designates what users have access to an object, and what functions they are allowed to do on that object.
Capability Table – the row view of the same access matrix: bound to a subject, listing which objects he or she can access and with what rights.
Constrained User Interface – disallows the ability of a user to interact with certain objects, such as grayed out icons and database views.
Tempest – the standard for limiting electromagnetic emanations from equipment (shielding, zoning) so signals cannot be captured from the airwaves.
Audit Logs – protected and reviewed record of user activities, system events, and application actions.
Keystroke Monitoring – a form of auditing that records every keystroke performed by a user.
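The DAC, MAC, RBAC, ACL and capability-table entries above describe views and checks over one access matrix. The following is an added example, not code from the study sheet, that makes those relationships concrete: the ACL is a column of the matrix, the capability table is a row, every check defaults to no access, and a mandatory label comparison is applied before any owner or role grant counts. The subjects, objects, labels and roles are constructed for illustration.

```python
# Added example, not from the study sheet: a toy access matrix showing that an
# ACL and a capability table are the column and row views of the same matrix,
# with DAC, MAC and RBAC checks that all default to no access. Subjects, objects,
# labels and roles are constructed for illustration.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# DAC: the access matrix as set by data owners. (subject, object) -> rights.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("alice", "hr_notes.txt"): {"read"},
    ("bob", "payroll.xlsx"): {"read"},
}

# MAC: labels the system enforces regardless of owner grants.
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"payroll.xlsx": "secret", "hr_notes.txt": "confidential"}

# RBAC: permissions hang off roles; users get roles from the administrator.
ROLE_PERMISSIONS = {"payroll_clerk": {("payroll.xlsx", "read")}}
USER_ROLES = {"bob": {"payroll_clerk"}}


def acl(obj: str) -> dict:
    """Column of the matrix: which subjects may do what to this object."""
    return {s: rights for (s, o), rights in MATRIX.items() if o == obj}


def capability_table(subject: str) -> dict:
    """Row of the matrix: which objects this subject may touch, and how."""
    return {o: rights for (s, o), rights in MATRIX.items() if s == subject}


def dac_allowed(subject: str, obj: str, right: str) -> bool:
    """Default to no access: only an explicit matrix entry grants a right."""
    return right in MATRIX.get((subject, obj), set())


def mac_allowed(subject: str, obj: str) -> bool:
    """Subject clearance must dominate the object's classification; unknown
    subjects are treated as unclassified, unknown objects as top secret."""
    clearance = LEVELS[CLEARANCE.get(subject, "unclassified")]
    label = LEVELS[CLASSIFICATION.get(obj, "top secret")]
    return clearance >= label


def rbac_allowed(subject: str, obj: str, right: str) -> bool:
    """A user holds a right only through one of the roles assigned to them."""
    return any((obj, right) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(subject, set()))


def allowed(subject: str, obj: str, right: str) -> bool:
    """A system combining the models: MAC is never overridden, and either an
    owner grant (DAC) or a role grant (RBAC) must exist on top of it."""
    return mac_allowed(subject, obj) and (
        dac_allowed(subject, obj, right) or rbac_allowed(subject, obj, right)
    )
```

Bob holds a DAC grant and a role grant to read payroll.xlsx, yet `allowed("bob", "payroll.xlsx", "read")` is false because his confidential clearance does not dominate the file’s secret label; that is the difference between discretionary and mandatory control in one call. A subject or right the matrix has never heard of is denied without any special case, which is what “default to no access” means in code.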

Physiological Biometrics – identification and authentication controls recognizing physical characteristics, such as fingerprints and retina scans.
Behavioral Biometrics – identification and authentication controls recognizing mannerisms, such as voice inflections and keyboard strokes.
Biometrics Type I error – false rejection of an authorized individual (false rejection rate, FRR).
Biometrics Type II error – false acceptance of an impostor (false acceptance rate, FAR); the more dangerous of the two.
Smart Card – a physical token (something you have) used for authentication.

User Provisioning – creation, maintenance, and removal of user attributes in systems, applications, and directories.
HR database – having been created first and being maintained by personnel staff, the HR database is the authoritative source for user identification.

Intrusion Detection System (IDS) – monitors events in real time to detect intrusion attempts via statistical or signature based analysis, and alerts administrators of a possible attack.
Intrusion Prevention System (IPS) – acts as an IDS but also has advanced capability to stop or prevent attacks.
Host Based IDS & IPS – analyzes single computers for suspicious activity using audit logs and processing irregularities.
Network Based IDS & IPS – analyzes network packets, discards dangerous traffic, and alerts administrators.
Penetration Testing – a series of steps used to bypass systems security controls to gain unrestricted access to systems and data.

Degaussing – erasing magnetic media by exposing it to a strong magnetic field; it does not apply to solid state media.
Phishing – a social engineering attempt to gather sensitive information.

More CISSP Study Sheets and other CISSP resources.

Which film is the Most Realistic Hacker Movie?

Most Realistic Hacker Movies Survey

Ever wonder if what the hackers do in the movies can actually be done?

So did I. Now that I’m in the industry, I’m continually analyzing every Hacker based movie theme for accuracy. Sometimes I wonder if Hollywood even employs a Computer Security Expert or Hacking consultant to advise on technical possibilities. I get a kick out of a film that portrays a hacker at the computer and the screen displays them flying around like an X-wing in an asteroid field of formulas while they frantically type at the keyboard.

Below are movies involving a hacker of some sort. I’d like to poll my readers and get your opinion on the most realistic hacker movies. I’ve purposely left out pictures that are beyond reality, such as The Matrix and Tron. I also didn’t include Documentaries or true story based films, such as Revolution OS and Takedown. Please refrain from voting on movies that you have not seen. The scaling is 1 – 5.

1 - Unrealistic
Not a chance that this is possible

2 - A bit Absurd
Ok some elements work, but the presentation is all wrong

3 - Somewhat Realistic
About half of what is shown is possible

4 - Quite Accurate
The majority was accurate, but there are some holes.

5 - Realistic
Everything featured is possible, and the terms, technology, and display are all real.

Realistic Hacker Movie Polls

Comment below if you have another nomination. I’ll leave these polls going indefinitely and continually add hacker movies as they are released. Maybe this archive will get to a point where you can actually identify a non documentary but educational hacker film.

Rate Anti-Trust

Rate Die Hard 4 - Live Free or Die

Rate Enemy of the State

Rate Firewall

Rate Hackers

Rate Sneakers

Rate Swordfish

Rate The Core (Rat's escapades)

Rate The Net

Rate Untraceable

Rate WarGames

Digg this to bring in more voters, and don’t forget to Bookmark this page for future results and additional movies.


CISSP Study Sheet - Information Security and Risk Management

Series: CISSP Study Sheet
Entry: Information Security and Risk Management

The CISSP Study Sheet Series will identify the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. Let’s begin with the Information Security and Risk Management Domain.

Information Security and Risk Management Study Sheet

Confidentiality – the security objective to protect from improper disclosure of sensitive information.
Availability – the requirement of business to have access to systems and data.
Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.

Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity have to work in concert to keep data not only protected and accurate, but accessible to authorized users.

Policy – management stating the role security plays in an organization.
Procedure – a mandated series of steps to accomplish a task, such as software installation.
Standard – a mandatory rule specifying how a particular technology or practice is to be used uniformly, such as the firewall product and configuration every site must deploy.
Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
Guideline – a recommended practice that is not mandatory until adopted as a standard, such as the Common Criteria.

The organization’s security policy is an abstract statement from management that the IT staff implements. Following a procedure to install a standard, in line with a guideline and configured against the baseline, is an instance of adhering to policy.

Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
Threat – a potential accidental or intentional danger to an information system.
Exposure – an opportunity for a threat to cause damage.
Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
Risk Transference – the passing on of risk to a third party, such as insurance.
Countermeasure – a control applied in response to an identified threat or after an incident; in practice often used interchangeably with safeguard.

Safeguards are installed to protect against threats, but if a vulnerability exists in a safeguard an exposure to a threat surfaces resulting in a risk which either has to be countered or transferred.

Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
Tactical Planning – a mid term plan focusing on an organization’s functional plans.
Operational Planning – a short term “fire fighting” plan, usually at the keyboard level.

The Planning Horizon is the compilation of strategic, operational, and tactical planning.

Job Rotation – movement of employees to expose collusion and policy violations.
Mandatory Vacations – forced leave to detect elements of fraud.
Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
Need to Know – only those persons absolutely requiring information should have access to such information.
Least Privilege – allowing processes and users only enough permission to accomplish their job.
Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
Due Care – responsible acts reducing the probability of being held liable or negligent.

Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
Data Custodian – is the security enforcer for the data owner, such as an email server admin.
Auditor – independent assurance that the security controls are being implemented correctly and are operational.
Application Owners – addresses user permissions and security controls on data specific to a particular application.

Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
Asset Identification – are tangible, such as the facility, and intangible, such as data.
Assurance – a level of confidence that a particular security level is being upheld.
CobiT – a framework of four domains to ensure IT maps seamlessly to business needs: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.

Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management, and appropriate use of enterprise resources.
Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.

Project Sizing – a pre risk analysis documentation of the scope of the project.
Failure Modes and Effect Analysis (FMEA) – a structured method for identifying the potential failure modes of a system or process and the effect of each, originating in manufacturing and engineering.
Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
Quantitative Risk Analysis – a monetary determination of risk.
Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk, such as 1-5 or high med and low.
Delphi Technique – an anonymously communicated group decision.
Single Loss Expectancy (SLE) – the amount that could be lost in a single occurrence of a threat, computed as asset value times exposure factor and covering the value of the data, the cost to replace it, and opportunities missed.

Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.

Risk Analysis Formulas

Total Risk = Threats X Vulnerability X Asset Value
Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor (EF)
Annual Loss Expectancy (ALE) = SLE X Annualized Rate of Occurrence (ARO, frequency per year)
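The formulas above carried through with numbers, as an added example that is not part of the study sheet. It chains asset value, exposure factor and annualized rate of occurrence into SLE and ALE, then applies the standard cost/benefit test for a safeguard (ALE before, minus ALE after, minus the safeguard’s yearly cost). The scenario figures are constructed, not taken from the page.

```python
# Added example, not from the study sheet: the quantitative risk formulas carried
# through with constructed numbers. Exposure factor (EF) and annualized rate of
# occurrence (ARO) are the standard inputs to SLE and ALE.

def total_risk(threats: float, vulnerability: float, asset_value: float) -> float:
    """Total Risk = Threats x Vulnerability x Asset Value."""
    return threats * vulnerability * asset_value


def residual_risk(total: float, controls_gap: float) -> float:
    """Residual Risk = Total Risk x Controls Gap (the fraction the controls leave uncovered)."""
    return total * controls_gap


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x EF, where EF is the fraction of the asset lost in one incident."""
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected incidents per year; 0.1 means once a decade)."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE before minus ALE after minus its yearly cost."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguard(asset_value, ef, aro, ef_after, aro_after, annual_cost) -> dict:
    """Run the chain once without and once with the proposed safeguard."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    value = safeguard_value(ale_before, ale_after, annual_cost)
    return {
        "sle_before": single_loss_expectancy(asset_value, ef),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "value": value,
        "worthwhile": value > 0,
    }


# Constructed scenario: a $100,000 database, 40% lost per breach, one breach every
# two years; an encryption-and-backup control cuts EF to 10% and costs $8,000 a year.
EXAMPLE = evaluate_safeguard(100_000, 0.40, 0.5, 0.10, 0.5, 8_000)
```

With those inputs the SLE is $40,000, the ALE $20,000 a year, and the control brings the ALE down to $5,000; at $8,000 a year it is worth $7,000 annually. Raise the control’s cost to $20,000 and the value goes negative, which is the “balance the economic impact of risk and the cost of the safeguards” point made just above the formulas.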

More CISSP Study Sheets and other CISSP resources.

Fake Security Software Websites Exposed

Fake Websites Exposed

Dancho Danchev’s computer security blog has been releasing consistent posts revealing fake websites on a number of topics. This information is invaluable for identifying fake sites that claim to offer a legitimate service or product. In reality, a fake website either mimics the template of a genuine company’s web pages or is a professional looking site that runs malicious code in the background, infecting a visitor’s system.

A Diverse Portfolio of Fake Security Software

In this series, Dancho exposes domains such as antivirus-scanonline.com, xpantivirus.com and other URLs all parked on a few suspect IP addresses. He followed up this post with two more entries found here and here.

Barack Obama Denied National Security Clearance

Barack Obama cannot be Trusted with Classified Information


How can the President of the United States be denied a basic security clearance? How can the Commander in Chief of the most powerful military be denied access to classified information? Barack Obama would be denied the necessary security clearance for President if he was held to the same standard as everyone else. If you can’t pass a Secret level background investigation, which is required for many soldiers, you should not be eligible for the Presidency.

What is a Security Clearance?

Having served in the U.S. military, law enforcement, and as a civilian government contractor, I’ve had my fair share of background investigations. The United States government employs a multitier security clearance paradigm.

Confidential – Unauthorized disclosure could cause “damage to national security.”
Secret – Unauthorized disclosure could cause “serious damage to national security.”
Top Secret – Unauthorized disclosure could cause “exceptionally grave damage to national security.”

Each level of access requires a progressively more in-depth background investigation before the clearance is obtained. The President of the United States should be able to flawlessly pass the most extensive investigation and a polygraph test. Both are required for workers in some Special Access Programs classified Top Secret.

The purpose of the clearance is to determine an individual’s honesty, trustworthiness, reliability, financial responsibility, criminal activity, emotional stability, foreign influences, family associations, drug use, mental health, judicial proceedings, employment history, traits of character, and loyalty to the United States. This collective data is used to evaluate your ability and willingness to safeguard national secrets. Based on the facts about Barack Obama, he fails to satisfy the minimum requirements for even a basic secret clearance. His background investigation would have “Red Flags” shooting up in so many places; the issuing panel would deny him a clearance outright.

Obama’s Answers on the Security Clearance Application

Instead of going through all the Security Clearance Application questions, I’ll examine the questions that would deny Barack Obama a Secret Clearance.

List foreign national relatives whom you or your spouse are bound by affection, obligation, or close and continuing contact.

Barack Hussein Obama, Sr. of Kenya, and Lolo Soetoro, the Indonesian oil manager his mother married. These two foreign relatives would probably initiate a Defense Security Service or Department of Defense investigation that would take roughly a year to explore. I’m not sure how many degrees of separation are involved, but Obama Sr. and Soetoro’s associations are not friendly to the United States. However, they are not the primary concern.

Barack Obama’s brother, his kin Abongo Obama, is a militant Muslim who has been quoted saying, “A black man must liberate himself from the poisons of European cultures and western values.” Obama’s paternal cousin, Raila Odinga is also a Muslim extremist who recently lost the Kenyan Presidential election to a Christian. How can such relations exist between the President of the United States and radical Muslims?

Have you ever been an officer or a member or made a contribution to an organization dedicated to the violent overthrow of the United States Government and which engages in illegal activities to that end, knowing that the organization engages in such activities with the specific intent to further such activities?

Have you ever knowingly engaged in any acts or activities designed to overthrow the United States Government by force?

These two questions go hand in hand. Having gone through the interview phase of the clearance process a number of times, I can’t imagine the look on the face of the investigator nor the sheer amount of time it would take to explain Barack Obama’s anti American ties.

Sen. Barack Obama served as a paid director alongside a confessed domestic terrorist and granted funding to a controversial Arab group that dubbed the creation of Israel as a “catastrophe.” The founder of the Arab group in question, Columbia University professor Rashid Khalidi, also has held a fundraiser for Obama. Khalidi is a harsh critic of Israel, has made statements supportive of Palestinian terror and reportedly has worked on behalf of the Palestine Liberation Organization while it was involved in anti western terrorism.

Barack Obama also served on the Woods Fund board with William Ayers, a member of the Weathermen terrorist group which sought to overthrow the U.S. government and took responsibility for the bombings of New York City Police Headquarters in 1970, of the Capitol building in 1971, and the Pentagon in 1972. Bill Ayers has killed hundreds of civilians, police officers, and was recently quoted saying, “I don’t regret setting bombs, I feel we didn’t do enough.”

I would deny a security clearance for anybody that even shook these men’s hands, never mind launching a campaign from Ayers’ living room.

Have you illegally used any controlled substance, for example, marijuana, cocaine, crack cocaine, hashish, narcotics (opium, morphine, codeine, heroin, etc.), amphetamines, depressants (barbiturates, methaqualone, tranquilizers, etc.), hallucinogenics (LSD, PCP, etc.), or prescription drugs?

Barack Obama has specifically admitted to using marijuana and cocaine in his book “Dreams From My Father.” He even confesses pursuing heroin, but was scared of the drug dealer. A clearance question such as this is used to test someone’s ethical fortitude to stand up for what is right, legally forbidden, and ultimately make correct decisions. Obama fails this test with his weakness to deny temptation.

Would anyone question your honesty?

Obama’s lies regarding his recollection of policies supported and the reality of what he actually did endorse are too numerous to count. However, these lies are unfortunately common in today’s politics. An article written in a conservative blog has outlined 26 more personal deceptions Obama has made to the American people. How can anyone trust this guy with confidence?

Barack Obama’s Patriotism and National Security


Although not a question on the Security Clearance application, “Are you a Patriotic American” should be.

The National Anthem is playing and Barack Obama is the only person on the stage not inclined to put their hand over their heart. The hand over the heart is symbolic of your respect and love for your country. Of all people, the President of the United States must be the most devout patriot in the nation. If you are not a patriot, how are you to provide unconditional national security? Three other instances come to mind that have me question how loyal he is to the U.S. and if he even loves this country.

Reverend Jeremiah Wright
I bet most of us have heard about Reverend Jeremiah Wright’s radical anti American preaching and Barack Obama’s consistent attendance at this man’s sermons, but did you know Reverend Wright officiated Barack and Michelle’s wedding and even baptized their kids? It appears to me that Wright is a significantly influential person in the Obama family’s life. Do we want a President who has been barraged with, and apparently supports, his religious leader’s lectures containing anti American propaganda, such as…

“We bombed Hiroshima, we bombed Nagasaki, and we nuked far more than the thousands in New York and the Pentagon, and we never batted an eye.”

“We have supported state terrorism against the Palestinians and black South Africans, and now we are indignant because the stuff we have done overseas is now brought right back to our own front yards. America’s chickens are coming home to roost.”

“The government gives them the drugs, builds bigger prisons, passes a three strike law and then wants us to sing ‘God Bless America.’ No, no, no, God damn America, that’s in the Bible for killing innocent people. God damn America for treating our citizens as less than human. God damn America for as long as she acts like she is God and she is supreme.”

“In the 21st century, white America got a wake-up call after 911. White America and the western world came to realize that people of color had not gone away, faded into the woodwork or just ‘disappeared’ as the Great White West kept on its merry way of ignoring black concerns.”

“Racism is how this country was founded and how this country is still run!…We [in the U.S.] believe in white supremacy and black inferiority and believe it more than we believe in God.”

“Barack knows what it means living in a country and a culture that is controlled by rich white people. Hillary would never know that. Hillary ain’t never been called a nigger. Hillary has never had a people defined as a non-person.”

“Hillary is married to Bill, and Bill has been good to us. No he ain’t! Bill did us, just like he did Monica Lewinsky. He was riding dirty.”

“The Israelis have illegally occupied Palestinian territories for over 40 years now. Divestment has now hit the table again as a strategy to wake the business community and wake up Americans concerning the injustice and the racism under which the Palestinians have lived because of Zionism.”

“God Damn America”

- Reverend Jeremiah Wright

I don’t care that Obama now condemns Wright’s remarks. He never denounced the man before, and continued to attend Wright’s church for over 20 years.

Michelle Obama
The person you marry is your closest confidant, and Barack Obama has recently said that Michelle is one of the people he listens to and respects the most. Michelle has been quoted saying, “Our souls are broken in this nation”; “For the first time in my adult life, I am proud of my country”; and “…as a member of the black community, I am obligated to this community and will utilize all of my present and future resources to benefit the black community first and foremost” to name a few. As a President’s closest adviser and the country’s first lady, take pride in how far this nation has come, and work toward the benefit of all, not just your ethnicity. Can this woman, with such animosity toward ancestral shortcomings, come into the present and forget about skin color? Isn’t that what Martin Luther King Jr. meant by, “…all men are created equal” and “…not be judged by the color of their skin but by the content of their character?” Michelle’s narrow vision, obvious unwillingness to conform to unity and equality, and her desire to benefit the black community instead of the community at large is not first lady material.

Not visiting the troops
As a former enlisted soldier having been deployed twice and a current government contractor, Obama’s recent neglecting to visit our country’s courageous troops is insulting. He had time to woo German citizens and play basketball, but opted out of supporting wounded soldiers. Retired Lt. Col. Joe Repya had me nodding in approval when commenting on Obama’s decision: “The most solemn duty of a commander in chief is to fulfill his responsibility to the men and women who serve this country in uniform. Barack Obama … broke that commitment, instead flitting from one European capital to the next…For a young man so apt at playing President, Barack Obama badly misjudged the important demands of the office he seeks. Visits with world leaders and speeches to cheering Europeans shouldn’t be a substitute for comforting injured American heroes.”

I could go on and on about how this man is not fit for office, but my point in this post is to express my opinion that the potential Commander in Chief of the United States could not receive a National Security Clearance to even hold a low-level intelligence position within the government. How can he be President? Better yet, how is he even a Senator?

I’d like to get others’ opinions on this, so please Digg.


Selling Used Computers Identity Theft Concerns

Selling a Used Computer and Identity Theft


As Featured On Ezine Articles
Identity theft has been the fastest growing crime over the last few years. The amount of data stored on computer systems makes them an ideal repository for criminals attempting identity theft. When someone discards or sells a used computer system, hard drive, or external storage device, most people do not appropriately sanitize the media, but rather delete files or format the disk, falsely believing all the data is gone.

A friend of mine recently bought a new fancy rig costing $2,000 or so. When I asked him what he did with his old system, he said he sold it on craigslist for $550 to help fund the new purchase. “Did you put in a new hard drive?” “No, but I reformatted it.”

There is a misconception among those unfamiliar with the inner workings of computers that deleting files and formatting hard drives removes data completely. Think back and try to remember all the files you deleted over the past 10 years. Did you ever delete financial data, such as accounting spreadsheets, bank numbers, credit card data, or personal information? How about scanned documents, such as mortgage paperwork, driver’s licenses, birth certificates, or pay stubs? What happened to those computers or hard drives from which you think you deleted those files? Did you sell the PC like my friend, donate it to an organization, or just throw it away? Who has used that computer since, and what may they have found? These are all important and scary questions.

I recall a thesis paper written by some graduate students from the Massachusetts Institute of Technology that outlined this very threat. They had purchased 150 or so used hard drives from eBay to study how much personal data was left on old systems. They reportedly found medical records, email correspondence, corporate financial data, illicit personal photographs, thousands of credit card numbers, and even an ATM drive with numerous bank accounts. This is a very real concern for every computer owner, especially my friend now that the system is out of his possession.

What Deleting and Formatting Really Does

I proceeded to give my friend a little education on how computers store information and what deleting and formatting actually do. Basically, the hard drive is broken down into sectors in which the data is stored. In the figure below, suppose File A is a tax return for 2007. 2008 comes around, you delete 2007’s record, and the file appears gone. All that has happened is the Operating System (OS) has marked those sectors as available and removed the file from the user’s view. It is still easily recoverable through a variety of software. The file still exists and is in just as good shape as before you deleted it.

(Figure: hard drive sectors)

When space is needed, the Operating System will then overwrite the sectors with a new file. Perhaps 2008’s tax return isn’t as large as 2007’s, and the OS decides to use Sectors 1 and 2 to store the data. 2007 (File A) has now been overwritten, but part of Sector 2 was not needed. This extra space is called “slack space,” and it still retains part of the deleted file. Again, this information is recoverable.

Because my friend decided to format the drive, he figured all the information on the drive was inaccessible regardless. In reality, formatting only redefines the hard drive’s characteristics for storing information. The data is still physically embedded on the media and recoverable with simple tools, such as MediaRECOVER. This software even allows for the overwrite sanitization technique I explain below.

How to Really Erase Hard Drives

What needs to happen to totally remove the data yet keep the drive functioning is repetitive overwriting. This should be done multiple times. As an analogy, say your child writes his name with permanent marker on the living room wall. You take some leftover paint and coat the area, but after it dries the writing is still visible. This is called residual data. The same applies to overwriting as a technique to sanitize your computer drives. You’ll need multiple coats, or overwrites, to sufficiently mask what was originally written. Tools such as WipeDrive will overwrite all addressable sectors with random characters, eliminating the slack space and the residual data. WipeDrive is a U.S. Department of Defense approved software solution for sanitizing hard disks. It is relatively inexpensive in comparison to its features and protections.
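As an added example (not the post’s own code, nor any vendor’s tool), here is a hypothetical toy disk in Python that walks through the scenario above: a deleted file that stays on the media, the tail of it surviving in slack space after a smaller file reuses its sectors, a quick format that changes nothing on the media, and finally an overwrite wipe of every addressable sector. The sector size, file names and contents are constructed for the demo.

```python
import os

SECTOR_SIZE = 16  # constructed: tiny sectors keep the demo readable


class ToyDisk:
    """Hypothetical block device: raw media split into fixed-size sectors
    plus an allocation table, modelling the behaviour described above."""

    def __init__(self, sectors):
        self.media = bytearray(sectors * SECTOR_SIZE)
        self.table = {}                      # file name -> sector indices
        self.free = list(range(sectors))

    def write(self, name, data):
        used = [self.free.pop(0) for _ in range(-(-len(data) // SECTOR_SIZE))]
        for i, s in enumerate(used):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            # Only len(chunk) bytes change; the tail of a partly used sector
            # keeps its old contents. That leftover is the slack space.
            self.media[s * SECTOR_SIZE:s * SECTOR_SIZE + len(chunk)] = chunk
        self.table[name] = used

    def delete(self, name):
        # Deleting only hands the sectors back to the free list.
        self.free = sorted(self.free + self.table.pop(name))

    def quick_format(self):
        # Formatting throws away the table; every byte on the media stays.
        self.table = {}
        self.free = list(range(len(self.media) // SECTOR_SIZE))

    def carve(self, needle):
        # What a recovery tool does: scan the raw media and ignore the table.
        return needle in self.media

    def wipe(self, passes=3):
        # Sanitize: overwrite every addressable sector, slack included.
        for _ in range(passes):
            self.media[:] = os.urandom(len(self.media))
        self.quick_format()


def demo():
    d = ToyDisk(sectors=4)
    d.write("File A", b"2007 RETURN SSN 123-45-6789 AGI 54321")  # constructed
    d.delete("File A")
    results = {"after_delete": d.carve(b"123-45-6789")}  # True: still there
    d.write("File B", b"2008 RETURN short")  # smaller file reuses sectors 1-2
    results["in_slack"] = d.carve(b"23-45-6789 AGI 54321")  # True: slack
    d.quick_format()
    results["after_format"] = d.carve(b"23-45-6789")  # True: format changed nothing
    d.wipe()
    results["after_wipe"] = d.carve(b"23-45-6789")  # False: overwritten
    return results
```

The wipe here is a software overwrite of what the toy disk exposes; on real hardware, sectors the drive has remapped or reserved are outside what the OS can address, which is why vendor or firmware-level sanitization is preferred for retired drives.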

If you are going to donate, sell, or dispose of your computer, be sure to appropriately safeguard your private information by using some sort of sanitization method. You don’t want to be a victim of evil folks who actually purchase used computers for just this purpose.


Best CISSP Study Resources

CISSP Study Materials

I was recently required by the United States Department of Defense (DoD) to cram for the (ISC)2 Certified Information Systems Security Professional certification, or CISSP. The company I work for graciously sent me to a Common Body of Knowledge (CBK) Seminar and paid the testing fee. As far as certifications go, the CISSP is by far the most sought after and reputable credential in the Information Security field. I had planned on taking the exam in the next couple of years, but a DoD directive has put a time constraint on me.

There is plenty I could write about the CISSP, but for this post I’ll share with you the study materials that have best prepared me for passing the exam. You could be in this field for 30 years and still not pass the exam. There are 10 domains of knowledge relating to all aspects of security that you must know in depth before you are ready.

My Top 3 Study Recommendations for the CISSP

CISSP Certification All-in-One Exam Guide, 4th Ed. (All-in-One) – Considered by many as the premier book geared toward teaching you what is required to pass the exam. The All in One Exam Guide is the highest rated book on Amazon and my instructor at my CBK seminar even recommended it. Included is an excellent disc of practice tests for question drilling, which helped me the most.

Official (ISC)2 Guide to the CISSP CBK ((Isc)2 Press Series) – The only officially sanctioned resource offering a compendium of the Common Bodies of Knowledge by the governing body of the CISSP certification. Remember, the answers on the test are what they are looking for and not another’s interpretation or practice. Going with an official source is always recommended.

www.CCCure.org – a massive collection of CISSP practice questions. You can choose which domain(s) the questions are generated from, the relevancy of the questions, and the difficulty. The site allows you to choose the number of questions you wish to try and provides a timer to judge your speed. Upon completion of a question you can check your answer and see a detailed description of why the answer is correct. Again, question drilling is my favored way of learning.

If anyone else knows of valid, recent, and accurate CISSP study resources, please comment.

Continuing On

It has been almost 2 months since my last post, and for that I apologize. Anyone in the field will know that there are periods of straight-out high-priority projects, and times when the days are mostly spent being responsive. There are just not enough hours in the day. Anyhow, I had an article about 75% complete before the onslaught of work. You can expect it soon.