Archive for July, 2010

Before selling or discarding an old computer, or throwing away a disk
or CD, you naturally make sure that you’ve copied all of the files you
need. You’ve probably also attempted to delete your personal files so
that other people aren’t able to access them. However, unless you have
taken the proper steps to make sure the hard drive, disk, or CD is
erased, people may still be able to resurrect those files.

Where do deleted files go?

When you delete a file, depending on your operating system and your
settings, it may be transferred to your trash or recycle bin. This
“holding area” essentially protects you from yourself–if you
accidentally delete a file, you can easily restore it. However, you
may have experienced the panic that results from emptying the trash
bin prematurely or having a file seem to disappear on its own. The
good news is that even though it may be difficult to locate, the file
is probably still somewhere on your machine. The bad news is that even
though you think you’ve deleted a file, an attacker or other
unauthorized person may be able to retrieve it.

What are the risks?

Think of the information you have saved on your computer. Is there
banking or credit card account information? Tax returns? Passwords?
Medical or other personal data? Personal photos? Sensitive corporate
information? How much would someone be able to find out about you or
your company by looking through your computer files?

Depending on what kind of information an attacker can find, he or she
may be able to use it maliciously. You may become a victim of identity
theft. Another possibility is that the information could be used in a
social engineering attack. Attackers may use information they find
about you or an organization you’re affiliated with to appear to be
legitimate and gain access to sensitive data (see Avoiding Social
Engineering and Phishing Attacks for more information).

Can you erase files by reformatting?

Reformatting your hard drive or CD may superficially delete the files,
but the information is still buried somewhere. Unless those areas of
the disk are effectively overwritten with new content, it is still
possible that knowledgeable attackers may be able to access the

How can you be sure that your information is completely erased?

Some people use extreme measures to make sure their information is
destroyed, but these measures can be dangerous and may not be
completely successful. Your best option is to investigate software
programs and hardware devices that claim to erase your hard drive or
CD. Even so, these programs and devices have varying levels of
effectiveness. When choosing a software program to perform this task,
look for the following characteristics:
* data is written multiple times – It is important to make sure that
not only is the information erased, but new data is written over
it. By adding multiple layers of data, the program makes it
difficult for an attacker to “peel away” the new layer. Three to
seven passes is fairly standard and should be sufficient.
* use of random data – Using random data instead of easily
identifiable patterns makes it harder for attackers to determine
the pattern and discover the original information underneath.
* use of zeros in the final layer – Regardless of how many times the
program overwrites the data, look for programs that use all zeros
in the last layer. This adds an additional level of security.

While many of these programs assume that you want to erase an entire
disk, there are programs that give you the option to erase and
overwrite individual files.
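
The three characteristics listed above, applied to a single file, can be sketched as follows. This is an added example, not code from the original tip or from any particular erasure product; the function names and the sample file contents are constructed for illustration.

```python
import os
import secrets
import stat
import tempfile

CHUNK = 1024 * 1024  # write 1 MiB at a time so large files do not fill memory


def _overwrite_pass(f, size, make_bytes):
    """Rewrite bytes 0..size of the open file, then force them to the device."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        f.write(make_bytes(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # without this the pass may only reach the OS cache


def wipe_file(path, random_passes=3, remove=True):
    """Overwrite path in place with random passes plus a final pass of zeros."""
    if random_passes < 1:
        raise ValueError("at least one random pass is required")
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise ValueError("refusing to wipe a symlink, directory or device")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b keeps the length; "wb" would truncate
        for _ in range(random_passes):
            _overwrite_pass(f, size, secrets.token_bytes)
        _overwrite_pass(f, size, bytes)  # bytes(n) is n zero bytes
    if remove:
        os.remove(path)
    return random_passes + 1  # total passes written


def demo():
    """Wipe a constructed sample file; report passes, all-zero flag, length."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample: account 0000-0000\n" * 1000)
    passes = wipe_file(path, random_passes=3, remove=False)
    with open(path, "rb") as f:
        leftover = f.read()
    os.remove(path)
    return passes, leftover == bytes(len(leftover)), len(leftover)


if __name__ == "__main__":
    print(demo())
```

On SSDs, flash media, and copy-on-write or journaling file systems, an in-place overwrite may not reach the blocks that held the original data, so erasing the whole device remains the stronger option there.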

An effective way to ruin a CD or DVD is to wrap it in a paper towel
and shatter it. However, there are also hardware devices that erase
CDs or DVDs by destroying their surface. Some of these devices
actually shred the media itself, while others puncture the writable
surface with a pattern of holes. If you decide to use one of these
devices, compare the various features and prices to determine which
option best suits your needs.

Authors: Mindi McDowell, Matt Lytle

You may have been exposed to web site, or host, certificates if you have
ever clicked on the padlock in your browser or, when visiting a web site,
have been presented with a dialog box claiming that there is an error with
the name or date on the certificate. Understanding what these certificates
are may help you protect your privacy.

What are web site certificates?

If an organization wants to have a secure web site that uses encryption, it
needs to obtain a site, or host, certificate. There are two elements that
indicate that a site uses encryption (see Protecting Your Privacy for more
* a closed padlock, which, depending on your browser, may be located in
the status bar at the bottom of your browser window or at the top of the
browser window between the address and search fields
* a URL that begins with “https:” rather than “http:”

By making sure a web site encrypts your information and has a valid
certificate, you can help protect yourself against attackers who create
malicious sites to gather your information. You want to make sure you know
where your information is going before you submit anything (see Avoiding
Social Engineering and Phishing Attacks for more information).

If a web site has a valid certificate, it means that a certificate authority
has taken steps to verify that the web address actually belongs to that
organization. When you type a URL or follow a link to a secure web site,
your browser will check the certificate for the following characteristics:
1. the web site address matches the address on the certificate
2. the certificate is signed by a certificate authority that the browser
recognizes as a “trusted” authority

If the browser senses a problem, it may present you with a dialog box that
claims that there is an error with the site certificate. This may happen if
the name the certificate is registered to does not match the site name, if
you have chosen not to trust the company who issued the certificate, or if
the certificate has expired. You will usually be presented with the option
to examine the certificate, after which you can accept the certificate
forever, accept it only for that particular visit, or choose not to accept
it. The confusion is sometimes easy to resolve (perhaps the certificate was
issued to a particular department within the organization rather than the
name on file). If you are unsure whether the certificate is valid or
question the security of the site, do not submit personal information. Even
if the information is encrypted, make sure to read the organization’s
privacy policy first so that you know what is being done with that
information (see Protecting Your Privacy for more information).

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you
trust the organization and the certificate authority. If the web address
matches the address on the certificate, the certificate is signed by a
trusted certificate authority, and the date is valid, you can be more
confident that the site you want to visit is actually the site that you are
visiting. However, unless you personally verify that certificate’s unique
fingerprint by calling the organization directly, there is no way to be
absolutely sure.

When you trust a certificate, you are essentially trusting the certificate
authority to verify the organization’s identity for you. However, it is
important to realize that certificate authorities vary in how strict they
are about validating all of the information in the requests and about making
sure that their data is secure. By default, your browser contains a list of
more than 100 trusted certificate authorities. That means that, by
extension, you are trusting all of those certificate authorities to properly
verify and validate the information. Before submitting any personal
information, you may want to look at the certificate.

How do you check a certificate?

There are two ways to verify a web site’s certificate in Internet Explorer
or Firefox. One option is to click on the padlock icon. However, your
browser settings may not be configured to display the status bar that
contains the icon. Also, attackers may be able to create malicious web sites
that fake a padlock icon and display a false dialog window if you click that
icon. A more secure way to find information about the certificate is to look
for the certificate feature in the menu options. This information may be
under the file properties or the security option within the page
information. You will get a dialog box with information about the
certificate, including the following:
* who issued the certificate – You should make sure that the issuer is a
legitimate, trusted certificate authority (you may see names like
VeriSign, thawte, or Entrust). Some organizations also have their own
certificate authorities that they use to issue certificates to internal
sites such as intranets.
* who the certificate is issued to – The certificate should be issued to
the organization who owns the web site. Do not trust the certificate if
the name on the certificate does not match the name of the organization
or person you expect.
* expiration date – Most certificates are issued for one or two years. One
exception is the certificate for the certificate authority itself,
which, because of the amount of involvement necessary to distribute the
information to all of the organizations who hold its certificates, may
be ten years. Be wary of organizations with certificates that are valid
for longer than two years or with certificates that have expired.
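
The same review of issuer, issued-to name and dates can be scripted. This is an added example, not part of the original tip: the certificates, host names and issuer allowlist are constructed, laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them. Comparing the issuer name mirrors the manual dialog check only; verifying the certificate authority's signature is left to the TLS library.

```python
import ssl

TWO_YEARS = 2 * 366 * 24 * 3600  # seconds; the "two years" limit from the tip
TRUSTED = {"Example Trust CA"}   # constructed allowlist of issuer names

# Constructed samples in the dict layout of ssl.SSLSocket.getpeercert().
GOOD = {"subject": ((("commonName", "www.example.test"),),),
        "issuer": ((("organizationName", "Example Trust CA"),),),
        "subjectAltName": (("DNS", "www.example.test"),),
        "notBefore": "Jul 10 00:00:00 2009 GMT",
        "notAfter": "Jul 10 00:00:00 2010 GMT"}
BAD = {"subject": ((("commonName", "login.example.test"),),),
       "issuer": ((("organizationName", "Unknown Issuer"),),),
       "notBefore": "Jan 10 00:00:00 2005 GMT",
       "notAfter": "Jan 10 00:00:00 2009 GMT"}
NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2010 GMT")  # fixed "today"


def attr_values(cert, section, key):
    """All values of one attribute (e.g. commonName) in subject or issuer."""
    return [v for rdn in cert.get(section, ()) for k, v in rdn if k == key]


def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def review_certificate(cert, host, trusted, now):
    """Return the list of problems found; an empty list means none."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = san or attr_values(cert, "subject", "commonName")
    issuers = set(attr_values(cert, "issuer", "organizationName"))
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    checks = [
        (not any(name_matches(host, n) for n in names), "name mismatch"),
        (not issuers & trusted, "unrecognized issuer"),
        (now > end, "expired"),
        (now < start, "not yet valid"),
        (end - start > TWO_YEARS, "valid longer than two years"),
    ]
    return [problem for failed, problem in checks if failed]


if __name__ == "__main__":
    print(review_certificate(BAD, "www.example.test", TRUSTED, NOW))
```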

Authors: Mindi McDowell, Matt Lytle