Flash Forensics

I recently came across a couple of interesting articles on the difficulty of securely wiping data from solid state disks.
Both articles are based on a paper [pdf] from a University of California team that tested sanitizing both an entire disk and individual files on SSDs using standard ATA commands.
The outcome? Full disk sanitization was usually (but not always!) effective, while single file sanitization "consistently fail(ed) to remove data from the SSD".

Interesting stuff!

With SSDs rapidly dropping in price and becoming more and more common in a wide variety of devices (especially portable devices), the paper is well worth a read for those tasked with protecting sensitive data from loss.

Not so Lush

Lush Cosmetics seem to be the latest Australian retailer to have suffered a credit card breach.

From the article:

"Yesterday we were contacted by the web hosting provider to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand, what was going on, and (we began) talking to banks and credit card holds and working through the process of how to address the problem and what steps we need to take."
"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."
While I do applaud the company's reaction of going public immediately and contacting their 39,000 Australian customers, I do find it a little disturbing that security comes under "enhancements" - it does make it sound like a luxury add-on (e.g. leather car seats) as opposed to a pretty fundamental requirement (e.g. seatbelts or airbags).
Real details on the breach are scarce, so there's no indication whether they were storing credit card numbers in cleartext (hello PCI-DSS!) or whether they suspect the bad guys had simply pwned the server and were capturing transactions as they occurred.

I guess the good news is that it is hitting the major news sites down under - so other businesses may review their web security and ask themselves "have we done enough?"

