Building a Secure Server from Default Ubuntu

October 28th, 2011 by peter.bassill

I have been asked on a few occasions if I would put together an outline on how to build a secure server from scratch. Having thought the topic through on a number of occasions, and having tried to write this blog article on what is probably nearer 20 occasions, I finally bit the bullet and got on with it.

In this post, I will explore how to take a default Ubuntu install, in this case 11.04 Server, and build it as a secure web server.


Digital Forensics – Project Ebay

September 2nd, 2011 by peter.bassill

Update 2

I now have processed 20 drives from a reasonable spread of reclamation businesses and private individuals, and thus far only three drives have failed to give up the previous owners' information. That is a good return for me, and a very poor display for information security practices. The home users I am not too surprised with, but still the corporates are getting this wrong. I am certain that the business entities engaging these reclamation organizations who are reselling this equipment on eBay would be shocked that in many cases the drives were just formatted.

Of course, all of these drives have now undergone a DoD 7-pass wipe to make sure they are completely erased, but the top 5 data sets recovered are:

  1. Email
  2. Corporate documents
  3. iTunes collections
  4. Personal photos
  5. Personal Identifiable Information


Compliance != Security

August 7th, 2011 by peter.bassill

Compliance does not equal security.

Digital Forensics – Project Ebay

July 17th, 2011 by peter.bassill

Update 1

Project Ebay is moving along very nicely. To date 10 drives have been purchased across a reasonable spread of reclamation businesses and private individuals, and thus far each and every drive has given up the previous owners' information. That is a 100% success rate at recovering previous owners' data.

Of course, all of these drives have now undergone a DoD 7-pass wipe to make sure they are completely erased, but I have pulled back:

  • Email
  • Banking records
  • iTunes collections
  • Personal photos
  • Very very personal photos
  • University assignments
  • Source code
  • CAD images

The home users I am not too surprised with, but the corporates? I am certain that the business entities engaging these reclamation organizations would be shocked that in many cases the drives were just formatted, and in one case all I needed to do was hook the drive up and mount it.


Engaging with Penetration Testing Firms

April 12th, 2011 by peter.bassill

Penetration Testing has been a part of information security since the early 1990s, yet to this day security staff make the same mistakes over and over again. In this short piece I explore my personal views on selecting a penetration testing firm and how I go about engaging them in some real world attack scopes.
