How To Sanitize A Hard Drive
For non-Solid State Drives (SSDs) I would use a tool like the open source TrueCrypt full-disk encryption. Using the software you want to encrypt the entire disk, including all system partitions, and then change the key to a very long random string. Then format the drive. If you put sensitive data on a non-encrypted SSD then a good way to physically decommission the drive is to heat it with a propane torch until the PCB catches fire. At that point the magnetic domains aren't magnetic anymore. -- Willy Yam [This question got some great answers, and in addition provided some interesting insight into the differences between traditional hard drives and SSDs, and why SSDs are harder to rid of data. Check out the full question for more info. -- OH]
FAQ: BlackBerry Messenger & PIN Messages are NOT Encrypted
I just wanted to add some detail to my previous explanation of which BlackBerry communications are encrypted. This issue has caused quite a bit of confusion recently, so I thought I would clear it up specifically for BlackBerry Messenger and PIN messages.
BlackBerry Messenger and PIN to PIN messages are NOT encrypted in any meaningful sense. They are scrambled with a single global key that EVERY BlackBerry in the world shares, so anyone who holds that key (which includes every device ever sold) can read them. BES administrators have the option to encrypt the body of PIN messages (but not the PIN itself) with an organization-specific key, but that limits users to sending PIN messages within the organization, so it is usually not done. It is possible to use the S/MIME package RIM sells to encrypt PIN to PIN messages, but that gets complicated and is really only done by government organizations.
There are a couple of problems with PIN to PIN messaging, which is also the basis of BlackBerry Messenger, that you should know about. The Communications Security Establishment in Canada was kind enough to detail some of these issues:
As said before, PIN to PIN messages are NOT encrypted by default; they are scrambled with the global key described above.
If a wireless carrier or government manages to reroute your PIN message to any other BlackBerry in the world by changing the header, it will be readable on that device.
Devices cannot safely be reused by another person, since messages for that PIN will continue to arrive at the device regardless of who owns it. Think of it this way: if you sell your BlackBerry, the new owner will get your PIN messages, and the sender would have no idea that this is the case.
You have no way of knowing whether the person sending you a PIN message has sold their device, or had it stolen by someone who is now impersonating them.
Even if an organization uses its BES with an organization-specific PIN key, the PIN itself is still not encrypted and is sent in the clear. That means a snoop can see who is sending messages back and forth.
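To make concrete what "scrambled with a global key" actually buys you, here is an added example (not code from this post or from RIM) that models the structure described above in Python: a cleartext header carrying the source and destination PIN, and a body scrambled under either the key every device shares or one organization's BES key. The cipher is a stand-in built from HMAC-SHA256, not BlackBerry's real algorithm, and every key, PIN and message in it is constructed. The point it demonstrates is the one made above: a key every device holds protects nothing against anyone with a device, a message rerouted by rewriting its header reads fine on the new destination, and even with an organization key the PINs stay visible to a snoop.

```python
"""Toy model of PIN-to-PIN messaging where every device holds the same key.

Added example, not code from the page or from RIM. The cipher is a stand-in
(HMAC-SHA256 keystream in counter mode plus an HMAC tag), not BlackBerry's
real algorithm; every key, PIN and message here is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed keys: one baked into every device, one issued by a single BES.
GLOBAL_KEY = b"constructed-key-present-in-every-device"
ORG_KEY = b"constructed-key-present-only-on-acme-bes-devices"
TAG_LEN = 8  # truncated tag lets a receiver tell which key a body was scrambled under


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:TAG_LEN]


@dataclass
class PinMessage:
    src_pin: str   # cleartext: who sent it
    dst_pin: str   # cleartext: the relay routes on this field
    nonce: bytes   # cleartext
    body: bytes    # text XORed with the keystream
    tag: bytes     # HMAC tag under the scrambling key


def scramble(key: bytes, src_pin: str, dst_pin: str, text: str) -> PinMessage:
    """Build a message; only the body is protected, and only by `key`."""
    nonce = os.urandom(12)
    plain = text.encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return PinMessage(src_pin, dst_pin, nonce, body, _tag(key, nonce, body))


def unscramble(key: bytes, msg: PinMessage) -> Optional[str]:
    """Return the text if msg was scrambled under `key`, else None."""
    if not hmac.compare_digest(_tag(key, msg.nonce, msg.body), msg.tag):
        return None
    stream = _keystream(key, msg.nonce, len(msg.body))
    return bytes(a ^ b for a, b in zip(msg.body, stream)).decode()


@dataclass
class Device:
    pin: str
    keys: Sequence[bytes]  # every device holds GLOBAL_KEY; BES devices also hold their org key

    def receive(self, msg: PinMessage) -> Optional[str]:
        """Deliver only if the header names this PIN, trying each key the device holds."""
        if msg.dst_pin != self.pin:
            return None
        for key in self.keys:
            text = unscramble(key, msg)
            if text is not None:
                return text
        return None


def observe_header(msg: PinMessage) -> Tuple[str, str]:
    """What a carrier, relay or passive snoop sees without holding any key."""
    return msg.src_pin, msg.dst_pin


# Constructed PINs and devices.
ALICE = Device("2100A1B2", [GLOBAL_KEY, ORG_KEY])  # on the Acme BES
BOB = Device("2100C3D4", [GLOBAL_KEY, ORG_KEY])    # on the Acme BES
EVE = Device("2100E5F6", [GLOBAL_KEY])             # any other BlackBerry in the world
TEXT = "meeting moved to 3pm"


def anyone_with_global_key_reads() -> Optional[str]:
    """Point 1: default scrambling uses the key every device already holds."""
    msg = scramble(GLOBAL_KEY, ALICE.pin, BOB.pin, TEXT)
    return unscramble(GLOBAL_KEY, msg)  # Eve need not be the addressee


def rerouted_message_is_readable() -> Optional[str]:
    """Point 2: a carrier rewrites the destination PIN and Eve's device delivers it."""
    msg = scramble(GLOBAL_KEY, ALICE.pin, BOB.pin, TEXT)
    msg.dst_pin = EVE.pin
    return EVE.receive(msg)


def org_key_hides_body_not_pins() -> Tuple[Optional[str], Optional[str], Tuple[str, str]]:
    """Point 5: with an org key Bob reads the body, Eve cannot, but both PINs stay visible."""
    msg = scramble(ORG_KEY, ALICE.pin, BOB.pin, TEXT)
    return BOB.receive(msg), unscramble(GLOBAL_KEY, msg), observe_header(msg)
```

Calling the three scenario functions gives the text back for the global-key and rerouted cases; in the organization-key case Bob's device reads the body, the global key yields None, and the header still gives up both PINs, which is exactly the traffic-analysis leak the last point describes.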
EVEN EGYPTIAN GODS HAVE KNOW-HOW FOR WEB 2.0?
Alan Moore wrote Watchmen, V for Vendetta, and thought-provoking short stories for DC Comics. Have a look at him among the other cartoon characters in The Simpsons, below:

Quote from a fellow named MYSTICO in Moore's Terra Obscura:
"They were drowning in data, but almost bereft of knowledge....and of wisdom they knew nothing."
This definitely describes the plethora of web-based opportunities available in "the cloud" of information nowadays.
Data that was previously stored on hard drives is now "in the cloud," which poses a different set of security challenges: improving the security of web-based software is the cost; having data available anywhere, anytime is the benefit.
Alluding to the quote above, the data stream ("knowledge") flowing to your browser is only as safe as the standard features ("wisdom") the vendor implements.

What are some of the features that might be important? Think about the following:
SECURE: It's brilliant that many of the free vendors are including HTTPS options for their applications - Gmail is one popular example. Though it may slow down retrieval of the data a bit, security is crucial for some people's information, which might include CRM data, financial details, and communication logs.
Let's follow Gmail's example and at least have the option available, eh?
SHARE: The application ought to be open and usable by other applications, through a current API or standard online format. It's messy out there with all of the different options running around, so making data available to standard online tools is essential.
For instance,
integration with iCal/Outlook calendars,
strong searchability,
and comma-delimited import/export is nice, isn't it?
STABILITY: Free is great, but what happens if the vendor gets subsumed by another vendor, or simply closes its doors forever? If you examine the legal agreement that most people click past, most free vendors simply state that "if we close our doors, your data is toast, and we aren't responsible"...!
Pay for a web-based system that is redundantly backed up every day, with 30-60 days of retention, with the backups stored well away from its operating servers, and an iron-clad 99.9999% (six nines) guarantee of uptime.