BitSecurity.org

Background

Using GPG (or another OpenPGP utility of your choosing) to sign web pages can provide an extra layer of trust in the authenticity of your website for its visitors. GPG signed web pages enable visitors to check the integrity and authenticity of the pages, and also allow the website’s creator to verify that their pages have not been modified.

Step 1: Install GPG

If you don’t already have GPG installed, then Download GPG and install it. If you are not familiar with GPG, there is a how-to guide for gpg located here.

Step 2: Sign Each Page

From the command prompt, type: GPG –clearsign your_page.html
GPG will prompt you for your private key’s passphrase and will create a file named your_page.html.asc. Copy this file to another directory and remove the .asc extension.

Step 3: Upload

Upload the signed document to your web server just as you would a standard page.

Step 4: Verify the signature

When you or a visitor wish to verify the signature of a web page, ensure that you have an unmodified version of the page, as content filtering proxy servers and web browsers will make subtle changes to a page, which will invalidate the signature. Using FTP or “right clicking and selecting ‘save as’” will address this problem.

Background

The secure deletion of data is an often overlooked aspect of computer security, but without the secure deletion of sensitive information, such as encryption keys, many other security methods are ineffective. When files are normally deleted, the data is not actually overwritten or removed from the disk, but instead the area of the disk where the file(s) reside is marked as free. Until another file occupies this space, the data remains and is easily recoverable. If an attacker can obtain encryption keys that were stored on disk and insecurely deleted, they can easily defeat even the most secure cryptosystem. Similarly, if an attacker can obtain a complete, or even partial, plaintext version of an encrypted message, it is much easier to decrypt that message and any other messages encrypted with that same key. There is also the concern that an attacker will scavenge insecurely deleted data from the windows or Linux paging files, such as credit card information, banking information, and business information. This How-To guide details methods of securely deleting information from various types of media, including destructive and non-destructive methods.

Hard Drives

Securely deleting data from hard drives can be difficult due to alternate data streams, various encoding schemes utilized by hard drives, bad sector recovery methods, file slack, and more. Details about each of these issues is available, although this guide will focus on circumventing these issues and securely deleting data.

The easiest and most cost effective method of securely deleting data from a hard drive is to use a software-based overwrite utility such as those found on the software page of this site. These utilities will overwrite files and the free disk space on a disk. Of these utilities, Eraser and DBAN are most highly recommended. Using a single pass will prevent software based utilities from recovering data, and multiple passes will be increasingly effective against hardware based recovery techniques, which are capable of recovering data that is deleted with multiple passes.
For low security environments, a single pass will be sufficient. If there is the concern that an attacker will hardware based recovery techniques, then multiple passes are suggested. Given the encoding methods used by modern hard drives, the best method is probably multiple passes with pseudorandom data. According to the authors of DBAN, 4 passes provides medium security, and 8 passes provides high security. More passes can, of course, be used.
If maximum security is needed, other methods of securely deleting data from a hard drive can be used. These methods will result in the destruction of the drive:

Degaussing: A degausser can be used to remove the magnetic fields from the hard drive. For this method to be effective an extremely powerful degausser must be used, and it is difficult to verify its effectiveness.
Acid: A thread on the overclockers.com forums from a couple years ago discussed the use of acids to destroy hard drives. Members of the forum tested various acids, with some success
Grinding: Arguably the most effective method involves grinding the magnetic coating off the hard drive platters and disposing of it.

Floppy Disks

The basic principles that apply for the secure deletion of data from hard drives also apply to floppy disks. Overwrite utilities such as those mentioned above are effective. Given the low cost of floppy disks and low reliability when they are repeatedly and repetitively used, plus their slow write speed, it is often easier to simply destroy a disk that has sensitive information on it. Floppy disks can easily be opened and the magnetic media can be removed. This can then be shredded and/or burned, depending on the security concerns.

CDs/DVDs

CDs and DVDs that contain sensitive information can easily be destroyed to prevent an attacker from gaining access to this information Methods for destruction include microwaving, burning, and shredding. For maximum security, these methods can be combined. Due to the damage the occurs to the media in each step, the recommended order is: microwaving, then shredding, followed by burning. It should be noted that the effects upon the microwave oven are unknown.

References

Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann.
Media Destruction Guide from SpywareGuide.

Background

I’ve used gmail for years, and the amount of free space is nice. Unfortunately the web interface for Gmail doesn’t support encryption in a secure manner. Thunderbird and the Enigmail extension can be combined with GPG to fix this problem. I selected the portable version of Thunderbird so that I could use one instance of Thunderbird on my desktop and laptop by bringing along a USB drive, but you can use the standard version if you prefer.

Step 1: Get a Gmail Account

If you don’t already have a gmail account you will need to get one.

You could use also any other email system that supports POP and SMTP access, but I’m partial to Gmail, and I like the fact that they only allow SSL secured access to the mail server if you use POP and SMTP instead of the webmail front end. Obviously, if you don’t use Gmail then the server address, ports, and security settings may vary.

Step 2: Install GPG

If you don’t already have GPG installed, then Download GPG and install it. If you are not familiar with GPG, there is a how-to guide for gpg located here.

Step 3: Install Thunderbird and Enigmail

The portable version of Thunderbird, which runs out of a single folder, is available here. Download and unzip it, then download the Enigmail extension.

Next, open Thunderbird and select the ‘Tools’ menu, and then ‘extensions’. Click the ‘Install’ button and locate the Enigmail extension file you downloaded. Close and restart Thunderbird.

Step 4: Configuration

The next final step is to configure Thunderbird to work with gmail. Below are the server settings that Google provides that you will need to configure in Thunderbird:

Incoming Mail (POP3) Server – requires SSL: pop.gmail.com
Use SSL: Yes

Outgoing Mail (SMTP) Server – requires TLS: smtp.gmail.com (use authentication)
Use Authentication: Yes
Use STARTTLS: Yes (some clients call this SSL)
Account Name: your Gmail username (including ‘@gmail.com’)
Email Address: your full Gmail email address (username@gmail.com)
Password: your Gmail password

Using Thunderbird with the Enigmail plugin is rather simple – when you compose mail there is the ‘Open PGP’ button/menu which allows you to select if the email is to be encrypted and/or signed. When you receive email, it is automatically decrypted and the signature is verified. If you need further help, there is a guide here. Hopefully this guide was helpful. If anything is unclear or you have any questions, feel free to contact me.