If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

The latest revelation is that used BlackBerries are being traded, not by the value of the phone but by the value of the data contained on the phone!

It just shows most companies still don’t have responsible disposal policies when it comes to releasing old equipment and making sure it’s wiped of data or destroyed.

A TV investigation has revealed that secondhand BlackBerries on Nigerian markets are priced according to the data held on them, not the age or the model of a phone.

Jon Godfrey, director of Sims LifeCycle Services, who is advising on a TV investigation into the trade due to screen later this year, said that BlackBerries sell for between $25 to $65 on Lagos markets. Details of the trade come from an agent in Nigeria unaffiliated to Sims’ technology recycling business.

Godfrey explained that the smart phones offered for sale come from the US, continental Europe and the UK. “It’s unclear as yet whether the phones are either sold, thrown away, lost or stolen,” Godfrey explained.

Other type of smartphone are also of potential interest to data thieves, but it is the trade in BlackBerries that seems to be the most active. Data retrieved from smartphones is itraded by crooks in Nigeria.

I’d imagine the phones are older models sold off by lot from companies upgrading to the newer versions of the BlackBerry.

The BlackBerry is a wise choice for data thieves as it’s more likely to be used for business purposes and contain important e-mail information.

Other smart phones would be used more for media and leisure purposes.

BlackBerries include technology to remotely wipe devices and come with built-in encryption. But this encryption is often left switched off because it is considered an inconvenience.

“Business critical data is left on unprotected devices,” Godfrey explained. “Anyone who gets these devices will obtain a snapshot of someone’s life.”

“People need to take residual data issues more seriously and have a policy on how to use and dispose of devices,” he added.

According to a survey by endpoint security firm Credant Technologies, four in five mobile phone users store information on their phones that might easily be used to steal their identities. A survey of 600 commuters at London railway stations revealed that 16 per cent kept their bank account details saved on their mobiles, while 24 per cent also saved their PIN numbers and passwords in the same insecure manner. One in 10 (11 per cent) keep social security and inland revenue details on their phone. Two in five fail to take even basic security precautions, such as password protecting their devices.

It’s scary the amount of people that keep really important stuff in their phones like their bank PIN numbers, banking passwords, passport numbers, social security info and much more.

And only 3 out of 5 take some basic security precautions like passwording their device, that means the number who actually encrypt their data and secure it properly would be less than 5%.

Source: The Register

Changes in 0.8

• Added checks for errors when calling CUDA kernel.
• Now you can specify custom characters for charset using -X switch.
• You may specify minimal password length using -min_len.
• Save/restore feature added. State is being stored to barswf.save every 5 minutes or on exit. You may continue computation using -r switch. You may manually edit .save file to distribute job on several computers (but this is up to you – it is quite simple and non-documented ). BarsWF will also write found password into barswf.save at the end.
• Improved speed for cards GTX260, GTX280, 8800GT, 9600GSO, 8800GS, 8800GTS – by approximately 10%, all other cards will get just 1-2%.

System Requirements

• CUDA version only:nVidia GeForce 8xxx and up, at least 256mb of video memory.
• LATEST nVidia-driver with CUDA support.Standard drivers might be a bit older (as CUDA 2.0 is still beta)
• CPU with SSE2 support (P4, Core2Duo, Athlon64, Sempron64, Phenom).
• Recommended 64-bit OS (WinXP 64 or Vista64). 32-bit version is also available.

Download BarsWF 0.8 here:

CUDA:
BarsWF CUDA x64
BarsWF CUDA x32

SSE2:
BarsWF SSE x64
BarsWF SSE x32

Or read more here. (Thanks Navin)

Well how wrong the propaganda is! THC (famous for their tools and research in security) has just released some technical information, tools and a video which shows their cloned passport being read and verified by a passport reader.

The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips does not work. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport. Regardless how good the intention of the government might have been, the facts are that tested implementations of the ePassports Inspection System are not secure.

The passport reader appears to be in the Netherlands from my guise, but all the passports in use are the same just the templates slightly different.

Nice to see you again Mr Presley…imagine what could be done with this flaw in the sytem? I wonder if anything will be done about this or it’ll just be brushed under the carpet and remain knowledge of the security community.

Source: freeworld.thc

It just goes to show…implementation of these cards really isn’t good yet.

Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

Apparently they can only use the cloned card for one day’s travel, but still…what would stop them from doing it every day?

Or cloning an access card to a more important place and wreaking some havoc there.

The hackers scanned one of the Underground’s many card readers to collect the cryptographic key that purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning them into portable card readers. The hackers then brushed up against passengers to wirelessly upload the information on their Oyster cars. That information in hand, it was a simple matter of using it to program new cards.

Jacobs says the same technique can clone smartcards that provide access to secure buildings. “An employee can be cloned by bumping into that person with a portable card reader,” he told the Times. “The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures.”

So break out your tinfoil hats and alumnium hats, the smartcard hackers are coming to a building near you soon.

The Dutch government are taking this VERY seriously, planning to replace all 120,000 smart cards used by their employees for access. That will be an expensive excercise.

I wonder will Oyster make any changes following the media coverage on this?

And what rights does a consumer have after their card is cloned and their credit used, are they insured? Would they even notice? Who’s responsiblity is it?

Source: Wired Blog (Thanks to razta).

This is everywhere today. Every major news site has this ‘magic’ number in it. Digg.com had stories with more than 24.000 diggs (that’s actually the first time I see that many).

In case you’ve been in a cave for the last 24 hours, the number above is the ‘Processing Key’ for most movies released so far (in HD-DVD format).

This, along with other things, enables users to watch HD-DVD movies in GNU/Linux. That same number also made possible the creation of BACKUPHDDVD.

Since a number CANNOT be copyrighted, share it!

Not everyone is interested in piracy …

Do you really trust that much the mirror websites?
Even I could set up a mirror website for any download website and spread malformed packages to include, trojans, backdoors, viruses and so… That’s why many websites give you a md5 checksum of the specific fies…

Have a got a md5 calculation two?
If you’re a Windows users, then I’m not quite sure… while on the other side if you are a *nix user than it is improbable that you haven’t got one of this…

So while coding for myself a md5 calculator I though other users could use it to. Of course there are other alternatives on the net, but I do not really like that GUI shit…

usage:

md5 f file.ext
md5 s string

download on Darknet :: backbones md5 calculator

Mirror 1 Mediafire :: backbones md5 calculator

No further versions will be released…

P.S. for easy access place it in your %WinDir%

md5.zip hash :: 894d6d941cab0c6a3648a5352b6aba11

But then recently, just last month China managed to make a wave out of it, almost 2 years after the initial ‘report’.

It was even Slashdotted on January 20th 2007, the article states the following:

These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang’s research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists’ minds.

Source: Epoch Times

Bruce Schneier wrote about this in 2005, February in fact, almost 2 full years ago.

SHA-1 Broken

Cryptanalysis of SHA-1

It’s not a major thing though and it’s far beyond anything most criminals could use to thwart national security…or even the security of things based on SHA-1 like OpenSSH.

There are however plenty of replacement algorithms if you are paranoid such as SHA-224, SHA-256, SHA-384, and SHA-512.

This two part article discusses some good points of Cryptology, more precisely in the field of Cryptovirology.

Writing a virus is just like writing any other piece of software, unfortunately. The designer tries to put some cleverness in the application to improve its function (or stealth), its robustness, its replication strategies, or even its payload. However, when an anti-virus analyst gets ahold of such a piece of code, he learns how it works, what it does, and so on. In the end, both the writer and the analyst share the same view of the virus, in what amounts to a Turing machine (we have a state-transition table and a starting state).

You read about the WoW Trojan and the Trojan Writers Coding for Money here at Darknet. This article will give you a clear idea of how things work.

To open your appetite, let me give you a little excerpt from the article:

A basic model seen today

This basic model can be seen according to intended targets:

• The virus writer creates an RSA key:
• The public key appears in the body of the virus.
• The private key is kept by the author.
• The virus spreads and the payload uses the public key. For example, it ciphers the data (hard drives, files, e-mail, whatever) of the targets with the public key.
• The virus writer requires a ransom before sending the private key.

Even if you’re not into Cryptology, I strongly recommended this reading.

Part 1 & Part 2

Source: Security Focus