
How to clear SIM cards

Backing up SIM cards and making copies of your contacts and SMS is the first thing you'd want to do if a SIM reader got into your hands.

However, there may be cases in which destroying data is more important than keeping it. In such cases it is a good idea to clear the SIM card memory to prevent private information from getting into the wrong hands. Here are a few examples:

  • A distant friend visits you, and you give them an old phone of yours and a spare SIM so that they can keep in touch. You don't want them to look through your SMS or SIM contacts.
  • The phone that you use was given to you by your employer. When you change jobs, you have to return the phone, but you don't want them to access your personal information (e.g. the phone numbers of your family and friends kept in the SIM phonebook, or the SMS you've been exchanging with your significant other).

In these circumstances, you should erase SIM card data before giving the card to anyone. This includes wiping SIM contacts, the SMS archive, the list of last dialled numbers, and your own numbers stored on the SIM card.

To clear SIM card memory, you have to manually go through each entry and delete it. This is a long and boring operation; besides, there is a risk that you will accidentally miss some of the entries, simply because there are hundreds of records, and a monotonous operation that involves pressing buttons on the tiny keypad of a mobile phone is error-prone.

There is another risk - some phones do not delete the SMS, making deleted SMS recovery possible. So, when clearing a SIM card, the objectives are:

  • erase all SIM card data (not just SMS or phone-book);
  • wipe SMS, to make it impossible to restore deleted SMS;
  • automate the process, to remove the possibility of human error.

The solution to this problem is SIM Manager's Clear SIM card feature; it does all of the above in a few clicks.

SIM Manager can wipe a SIM card, removing all the personal information stored on it, without leaving a trace

Besides that, with SIM Manager you can back up SIM cards before erasing them, so you get to keep a copy of all the sensitive information from the SIM's memory.

Take a look at this video tutorial, which describes how to clear SIM card data without leaving a trace.


Keeper 4.0 "Starscape"

This beta is now obsolete, go for the release version instead.

An updated version of the upcoming Keeper 4 is now available: http://files.dekart.com/beta/Keeper4-starscape.zip

It is a more polished version of the previous release, described here.


Keeper 4.0 preview

Note: The download link is obsolete, copy the final release version instead

A new version of Secrets Keeper is about to be released. It will be called Keeper. You can download a preview from this address: http://files.dekart.com/beta/Keeper-nohands.zip

An installer is not yet available, but we're working on it. At this point just unzip it. Run the included BAT file to enable the integration into MS Office and Windows Explorer.

Of course, no story is complete without screenshots, so here we go (screenshots are clickable):

Keeper's main window

Keeper's main window, nothing special in it, but notice that the main menu is not shown by default.

Keeper 4 key management

The key management window enables you to manage the passwords and contacts stored on your keys. Keeper will generate passwords for you, as well as evaluate their strength. You can have an unlimited number of groups and contacts in each group.

The email addresses will be used when you click the "encrypt and email" option.

Keeper 4 encrypt files

The file encryption dialog. You can choose whether you wish to use a password from a key connected to the system (otherwise type it by hand). If you use a password from the key, you can choose which group to encrypt the data for.

  • You can create self-extracting archives, so people who don't have Keeper on their computers can still decrypt the files you sent them (if they know the right password, of course);
  • You can wipe the original files, to make sure they cannot be recovered using forensic methods. This is handy if you're encrypting your world domination plans;
  • Encrypt and email will automatically start the default mail client and create a new message, with the encrypted file attached to it.

Keeper 4 settings

The settings window looks like any other settings window.

Note that the update checking feature does not work yet, therefore if you wish to track Keeper's progress, check this page every now and then.

 

Keeper 4 Microsoft Office integration

Keeper integrates itself into the Microsoft Office suite, enabling you to encrypt files or decrypt them from within Word, or other programs from Office.

Keeper 4 Windows Explorer integration

Keeper 4 also integrates itself into the context (right-click) menu of Windows Explorer. This gives you quick access to features such as:

  • File wiping - remove sensitive data without leaving a trace
  • Encrypt
  • Encrypt and email

If you right-click an encrypted archive, you will see options such as:

  • Decrypt...
  • Decrypt here
  • Decrypt to <name of file>
  • Decrypt each archive into separate directory (when selecting multiple archives)
  • Decrypt each archive into separate directory and make me a cup of tea

As you can see, Keeper 4 is a huge step forward from Secrets Keeper 3.5. The new version is prettier, it provides an excellent user experience, and it will run on platforms other than Windows ;-)


If I were a disgruntled employee

So, you and your employer are not on good terms anymore and you think it is payback time? Here is a beginner's guide to expressing disagreement.

Disclaimer: the article does not focus on the moral and legal side of the issue, the focus is purely technical.

Note: a complementary article for employers will follow shortly, but if you're sharp enough you can derive the protection methods from this information.

The options are different, but if you're in the IT industry, the common choices are:

  • change all the passwords and do not disclose them;
  • delete all the data;
  • encrypt all the data;
  • apply subtle changes to the systems configurations, so that they seem to be working right, but somewhere deep inside a problem is waiting to happen;
  • share private data with your employer's worst enemy.

Change all the passwords

It is a matter of time before they find a new person who knows how to apply the password reset procedure - most (if not all) systems have one. Sometimes it is as easy as reading the manual (which they should've told you to write in the first place) and following the instructions.

As an IT expert, you are aware of the fact that if someone has full physical access to a system - they can override pretty much every security measure.

Cons:

  • it is a matter of time before they reclaim access to the resources. Since the bridges are already burnt down - your image suffers badly, your future employment opportunities are quite shady. You gained nothing.

Pros:

  • easy to implement;
  • it is more difficult and time consuming to get past this if there are remote resources (ex: servers) controlled by other companies, in other timezones;
  • once they get everything back and sue you, you can say "I didn't want it to be serious, so I chose this trivial method" [then pray they'll buy that].

 

Delete all the data

This is a better approach, because in this case there is nothing to recover. They can have the passwords for every server, the key for every door - but there is nothing to be found behind any of the doors.

Cons:

  • there are backups, you'll have to delete those too, thus there is more work to be done;
  • there are data recovery techniques, you'll have to make sure they won't work
    • destroy the data (crash the hard disks; burn the DVDs, literally);
    • wipe the data - wiping is the process of deleting data, then overwriting it with other data, to prevent recovery software from being able to retrieve the original files. In spite of the belief that you need multiple overwrite-passes to make a file impossible to recover - even one pass is good enough.

Pros:

  • the more time passes since the files were deleted, the more difficult it is to recover them. The employer will feel a lot of pressure because they have to do everything fast, or they'll have to disrupt the service for a while. This should make it evident for them that they should've given you the raise you asked for, it would've cost them less;
  • if you were unprofessional enough to not make those regular backups, the employer will understand that they made more mistakes than they originally thought, one of them was that of employing you in the first place.

 

Encrypt all the data

This is an extension of the previous method, and it is psychologically more aggressive, because this time they know they have the files, and "all they need" is the password. This gives them the false feeling that they're almost there.

Cons:

  • encrypting data takes time, especially if there are large amounts of it;
  • you may be foolish enough to use an encryption program that has backdoors in it - which makes your effort useless;
  • the employer may have keyloggers installed on your systems, thus they will be able to find the password - rendering the exercise useless again;
  • if you use a weak password - they can guess it or brute-force it.

Pros:

  • the method is meaner than simply deleting the data;
  • even if they have full physical access to the system - it does not help them;
  • if you are sure that you are using the best encryption program that does not have any backdoors and employs the best encryption algorithm, you're safe;
  • if you use a smart card to encrypt the data, any brute-force or dictionary attack attempts will be futile.

 

Apply subtle changes to the systems configurations, etc.

If you need an example of this, remember the movie "Office space" to get an idea about how this is done.

Cons:

  • they won't know you've had them, because these backdoors are so subtle - thus you lose some of the moral satisfaction;

Pros:

  • when the new guy shows up, it may take a long time until the flaws are revealed (especially if you were insightful and weren't kind enough to document what you were working on, making it difficult to understand the system you left behind);
  • you can exploit these flaws for many years, and perhaps get some benefits out of it. If you're not greedy and keep everything below the radar, you may never get caught.

 

Share corporate secrets with the competition

If you are not bound by an NDA, they won't be able to use this against you.

Cons:

  • if you don't keep this low profile, future employers won't be able to trust you, and your career may not get far from where you're standing.

Pros:

  • if there were no NDAs, technically you succeeded in making them suffer without breaking the law.

 

Final thoughts

All the methods above have one thing in common - you'll have to pay for it sooner or later, and there is no approach that enables you to get away scot-free.

I do not encourage employees to cheat their employers (and vice-versa); I consider that a direct dialogue is the best way to solve a problem, as well as to prevent it from happening in the first place. This article must not be used as legal advice.


Private Disk 2.11 release notes

A new release is going to be made public in the near future - Private Disk 2.11 is here. This version brings us one step closer to Private Disk 3.0, adding some new features.

Private Disk Explorer is the major new feature of this release - it enables you to access your encrypted disks even on systems where you don't have administrator privileges.

Yes, that's right! Private Disk is the first program of its kind that can run on any computer, in any circumstances; from Windows 9x to Vista and the not-yet-official Seven - your encrypted files are at your fingertips.

Private Disk Explorer

 

You will be able to explore NTFS and FAT32 images, regardless of their size, having the possibility to add new files to an image, remove existing ones or replace them with updated versions.

From now on Private Disk is unarguably the best option for those who need rock-solid encryption and mobility.

Other changes include:

  • faster start-up times - version 2.10 had a noticeable delay in its start-up time, caused by the run-as-a-service mode. This problem has been addressed, and now Private Disk is as quick and snappy as it used to be in the old days.
  • improved Disk Firewall mechanism - Disk Firewall is another unique feature of Private Disk; we continue to tweak it and bring it closer to perfection, and to what it will become in the 3.0 version of Private Disk. In the 2.11 release the Disk Firewall is quicker and more stable.
  • better portability support - in 2.10 we added a feature that created encrypted key backups automatically when the image was mounted; this feature is a great idea, but it led to errors in cases when the image was stored on read-only media, thus making it impossible to write the backup somewhere. This problem has been fixed now.

Overall Private Disk became more polished and more reliable. Currently only the English and the Russian versions are available, other language versions will follow shortly.


How to open Private Disk encrypted images on any computer

PD Explorer is a free tool that enables you to explore Private Disk encrypted images even in the cases when Private Disk is not installed on the computer, even if you don't have administrative privileges.

You can view the contents of the encrypted disk, write or remove files from it - as you can normally do with an archive such as a ZIP file.

PD Explorer screenshot, how to open Private Disk encrypted images without administrator rights

It is extremely simple to use, making it easy to add new files to the encrypted vault, delete or update existing files.

PD Explorer is compatible with NTFS images of any size; there are no file size restrictions, nor are there limits on the maximum number of files that can be processed.

PD Explorer is available for free, you can download it right now.


How to protect myself from identity theft

A report published recently by IC3 (Internet Crime Complaint Center) provides a lot of insightful tips to those who often engage in Internet commerce. The study was carried out in cooperation with the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance.

The study is extremely useful, as modern life is a path that will inevitably intersect with the Internet, whether we want it or not. The web helps us, as consumers, do things faster and easier; the problem is that fraudsters get the same benefits. As a result, if you fall for an Internet scam, the damage can be of a greater magnitude, and it can be inflicted upon you so quickly that you won't even notice it happened. Here are some numbers that put things in perspective:

  • From January 1, 2007 to December 31, 2007, the IC3 website received 206,884 complaint submissions. This is a 0.3% decrease when compared to 2006 when 207,492 complaints were received.
  • The total dollar loss from all referred cases of fraud was $239.09 million with a median dollar loss of $680.00 per complaint.
  • This was an increase from $198.44 million in total reported losses in 2006.
  • Email (73.6%) and web pages (32.7%) were the two primary mechanisms by which the fraudulent contact took place.

Internet crime losses

It is highly recommended that you look through it and study the charts, and the recommendations section, which explains how to deal with such cases, as well as prevent them from happening. The remaining part of this article focuses on the issue of identity theft, which sadly was not given enough attention in the survey.

It is interesting that the study concludes that identity theft is one of the smaller troubles, as shown in the chart below.

Types of Internet fraud

Such a state of things is quite strange, because another study (the Computer Security Institute survey for 2007) found identity theft a much more serious problem. Could it be that the victims of identity theft are not yet aware of their status?

Another possible explanation is that the scope of the IC3 report is simply different: it focuses on issues that occur after a transaction is complete (i.e. it is assumed that everything was ok before the final click in the process), while the truth is that identity theft has much more serious consequences. There is no need to use fake cheques, there is no need to engage in a long conversation with a "Nigerian scammer", nor is there a need to get involved in auction bidding. With your data in their pocket, a fraudster can do anything in a clean way - the sellers will not suspect that something is wrong, because from their point of view, they are dealing with an honest person, and everything is legal.

Identity theft occurs when someone else uses your personally identifying information without your knowledge or permission, to obtain credit cards, loans and mortgages, buy various products on your behalf, leaving you responsible for the consequences.

To minimize the risk of identity theft, you have to make sure that all the ways in which an identity can be stolen (attack vectors) are taken care of.

  • If you use a public computer for online banking transactions (ex: buy merchandise or purchase tickets for travel, concerts, or other services):
    • First of all, avoid using public computers, perform all the tasks that involve dealing with sensitive data on your home PC;
    • If you are forced to use a public computer, you can be the target of a keylogger, or the target of malware running on that workstation. There is no guarantee that the computer does not have any harmful programs installed there on purpose. You need a tool such as Password Carrier, which will automatically fill in the forms on the web-sites and in Windows programs - thus keyloggers won't capture your passwords and other personal information, because you don't have to type anything by hand.
  • If you store personal information in your home computer, there is a chance that it will be compromised (ex: if your antivirus or firewall failed), or that someone who uses the computer inadvertently ran an unknown (and malicious) program or an attachment that came with an email.
    • Make sure that all the sensitive files on the system are stored in encrypted form, so that they cannot be copied by someone who connects to the computer remotely. Use Private Disk to encrypt your files;
    • Use additional protection offered by Disk Firewall, to ensure that trusted but compromised programs won't allow an attacker to access private data;
    • As in the previous case, it is a good idea to use Password Carrier, because it takes a lot of expertise to thoroughly study a system and say "this system is 100% clean, no viruses, no spyware, no malware of any kind". If you are not one of those who can check their own computer and guarantee that it is clean, then Password Carrier will definitely help you.
  • Social engineering is another instrument an attacker can use to steal your identity. Why install various malicious tools and risk getting caught, when you can just go ahead and directly ask what you want? Due to the way our brains are wired, this approach is very often effective!
    • Be careful when someone asks you for personal information; it is good to be suspicious, so do not be afraid to question what they intend to do with this information;
    • Always double-check the information you are about to submit, sometimes a detail that seems unimportant can actually make a difference. If you don't know whether some data are sensitive or not, treat them as sensitive and do not disclose them;
    • Examine the privacy policy of the services that are used, in order to find out how they store and apply your data. In addition, if you are dealing with an intermediate party, they might request other, apparently not important data; if you know which details are needed by the service that does the actual processing, you will be able to find out whether the intermediate party requested data which they don't normally need;
    • Cautiously share your personal information with your friends and colleagues. You may trust them, but are you sure they won't accidentally (or even intentionally) share your details with other parties? Is your friend aware of the existing threats? If you are not sure, then you should think twice before handing out passport numbers, addresses, phone numbers, etc.

Conclusions

  • The Internet is a dangerous place, don't forget that.
  • It is a good thing to be a little bit paranoid; when you are not sure whether you really understand what is going on, take your time to ask someone in the know, or read the available documentation.
  • Software can assist you in protecting your privacy; programs such as Private Disk and Password Carrier will make your life safer and easier.
  • Keep track of your expenses, to find out if you are already a victim of identity theft before it is too late.