Disk Overwrite or Wipeout Best Practice

An online search shows that the majority of tools available for wiping data from a disk point to a practice of 7 overwrite passes. Their authors believe it is a US DoD requirement. Some of them also support the Gutmann method of 35 passes.

However, I could not find any documentation on a US government website that calls for seven passes. The US DoD 5220.22-M, “National Industrial Security Program Operating Manual”, that most online tools refer to does not specify any number of overwrite passes. I did, however, find a wiki page on Data Remanence that is well cited and contains the following:

“As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing or physical destruction is acceptable for the latter.”[4]

On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): “Studies have shown that most of today’s media can be effectively cleared by one overwrite” and “for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged.”[1] An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes “has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss.”[5]
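As an added illustration (not from the original post or from the sources it cites), here is the single overwrite pass with read-back verification that the NIST text describes, written against a temporary file as a stand-in for a block device (an assumption made for the example; a real target would be the whole-device node opened the same way), plus the arithmetic showing what extra passes cost:

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB write/read granularity

def overwrite_pass(path, pattern=0x00):
    """Write one full pass of the byte `pattern` over `path` and force it to
    stable storage. Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(bytes([pattern]) * n)
            written += n
        f.flush()
        os.fsync(f.fileno())  # past the page cache, onto the medium
    return written

def verify_pass(path, pattern=0x00):
    """Read the target back and count bytes that do not hold `pattern`.
    Clearing is only as good as its verification: 0 means the pass took."""
    mismatches = 0
    with open(path, "rb") as f:
        while buf := f.read(CHUNK):
            mismatches += sum(1 for b in buf if b != pattern)
    return mismatches

def clear_single_pass(path, pattern=0x00):
    """One overwrite plus read-back verification, the SP 800-88 position
    for post-2001 ATA drives. Returns (bytes_written, mismatched_bytes)."""
    return overwrite_pass(path, pattern), verify_pass(path, pattern)

def bytes_for_passes(size, passes):
    """Cost of the multi-pass habit: each extra pass rewrites the whole device,
    which is the 'long time' Wright et al. blame for the issue being ignored."""
    return size * passes

def make_sample_target(content):
    """Constructed stand-in for a block device: a temp file holding `content`."""
    with tempfile.NamedTemporaryFile(delete=False) as t:
        t.write(content)
        return t.name

if __name__ == "__main__":
    target = make_sample_target(b"confidential records " * 4096)
    print("1 pass:", clear_single_pass(target))          # (86016, 0)
    print("7 passes would write", bytes_for_passes(86016, 7), "bytes")
    os.unlink(target)
```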

India’s Unique ID Use Case

Nandan Nilekani’s… fully integrated ID card system for Indian citizens!!

Operator: “Thank you for calling Pizza Hut. May I have your…”

Customer: “Hello, Hello, can I order…”

Operator: “Can I have your multi-purpose ID card number first, Sir?”

Customer: “It’s he…, hold……….on…… 889861356102049998-45-54610”

Operator: “OK… You’re… Mr Singh and you’re calling from 17 Jal Vayu. Your home number is 22678893, your office 25076666 and your mobile is 09869798888. This morning you landed in India at IG International Airport. Welcome back, Sir. Which number are you calling from now, Sir?”

Customer: “Home! How did you get all my phone numbers?”

Operator: “We are connected to the system, Sir.”

Customer: “May I order your Seafood Pizza…”

Operator: “That’s not a good idea, Sir.”

Customer: “How come?”

Operator: “According to your medical records, you have high blood pressure and an even higher cholesterol level, Sir.”

Customer: “What?… What do you recommend then?”

Operator: “Try our Low Fat Pizza. You’ll like it.”

Customer: “How do you know for sure?”

Operator: “You borrowed a book entitled ‘Popular Dishes’ from the National Library last week, Sir.”

Customer: “OK, I give up… Give me three family size ones then. How much will that cost?”

Operator: “That should be enough for your family of 05, Sir. The total is Rs 500.00.”

Customer: “Can I pay by credit card?”

Operator: “I’m afraid you have to pay us cash, Sir. Your credit card is over the limit and you owe your bank Rs 23,000.75 since October last year. That’s not including the late payment charges on your housing loan, Sir..”

Customer: “I guess I have to run to the neighbourhood ATM and withdraw some cash before your guy arrives.”

Operator: “You can’t, Sir. Based on the records, you’ve reached your daily limit on machine withdrawals today.”

Customer: “Never mind, just send the pizzas, I’ll have the cash ready. How long is it gonna take anyway?”

Operator: “About 45 minutes, Sir, but if you can’t wait you can always come and collect it in your Nano car…”

Customer: “What!”

Operator: “According to the details in the system, you own a Nano car… registration number GZ-05-AB-1107..”

Customer: “????”

Operator: “Is there anything else, Sir?”

Customer: “Nothing… By the way… Aren’t you giving me those 3 free bottles of cola as advertised?”

Operator: “We normally would, Sir, but based on your records you’re also diabetic…….”

Customer: #$$^%&$@$% ^

Operator: “Better watch your language, Sir.. Remember on 15th July 2010 you were convicted of using abusive language on a policeman…?”

Customer: [Faints]

Here is an excellent use case for a badly implemented identity system. Thanks to my friend Lakshmi K (last name purposely not given) who forwarded this joke to me. I couldn’t resist posting it to this boring security blog. I guess some humor adds some spice!

The Unique Identification Authority of India, or the UIDAI, is an agency of the Government of India responsible for implementing the envisioned Multipurpose National Identity Card or Unique Identification card (UID Card) project in India. It was established in February 2009, and will own and operate the Unique Identification Number database. The authority will aim at providing a unique number to all Indians, but not smart cards. The authority would provide a database of residents containing very simple data in biometrics. [Wikipedia]

The Open Group Security Practitioners Conference Day 1

The Open Group Security Practitioners Conference opened with Allen Brown and Jim Hietala of The Open Group welcoming the community, followed by a presentation by Murray Rosenthal of the City of Toronto.

Murray says security is not just about integration with the system development life cycle; it also has to deal with industry sectors and the legal framework, and it should be based on established standards. The intent behind security should be married to reality.

Domain architecture should supplement solution architecture. He says that if you don’t have a security architecture, you end up with trial-and-error methods and reverse engineering the existing enterprise, which can let the enterprise go out of business. The same holds for projects too.

Manu Namboodiri of BitArmor presented a different perspective on securing virtualized environments. He suggests avoiding the legacy way of thinking about and approaching security: think out of the box.

In a virtualized environment, everything except data is virtualized. Data is tangible and traverses between environments. It can be duplicated and may remain as a remnant forever unless disposed of securely. Data is the lifeblood of the business and is what the business is primarily concerned about; infrastructure and the rest come second. Data has a larger threat surface than any other component in the virtualized world, and so requires higher and stronger security controls there.

Alex Woda of Avient Solutions Group, Steve Whitlock of Boeing, Predrag Zivic and Bob Steadman of Loblaw presented their thoughts on Security Architecture and how it should be developed.

The second half of the day concentrated on Cloud Computing and how to secure the various types of clouds. Tim Brown of CA presented the concept of Cloud Computing, followed by Views of Cloud Computing Architecture and Security by Chris Hoff of Cisco. Chris Hoff introduced the Cloud Security Alliance to the community and encouraged everyone to be part of its efforts. Steve Whitlock provided a short illustration of how the Cloud Security Alliance aligns with the Jericho Forum Cloud Architectural Views.