Protecting Passwords and Sensitive Data – With a Pen!

Many companies and government agencies will attempt to obfuscate printed confidential data or credentials by blacking them out with a marker before releasing reports publicly or discarding them. In many cases this is a very ineffectual method of protecting data from prying eyes.

The solution? A pen!

Here is a quick example – Let’s take this made up social security number:

SSN number

Now, if we had this social security number on a paper that was going to be publicly released, many will just take a black marker and swipe over it. This seems to work great when the marker ink is wet, but when it dries, many times you can still see the data underneath!

Like so:

SSN number blocked out

A little hard to see, but if we zoom in a bit:

SSN number blocked out zoomed

As you can see, all the numbers are still very visible.

I used to do a lot of field network support. When onsite we would be handed a lot of printed confidential information. At times people would literally just write credentials on pieces of paper and hand them to us and say something like, “I am going to lunch, but here is my password”.

The paper would look something like this:

Username password

If you don’t have immediate access to a shredder, what can you do to make this information more secure or obfuscated before discarding it?

The power of the pen!

Many numbers and letters have the basic shape of others. Simply take a pen and convert them to look like something else.

Like so:

SSN obfuscated

What works better is adding extra information to the data to obfuscate it even further, like so:

Username password Obfuscated

“T’s” can become “F’s”, “L” can become “U”‘s, numerous letters and numbers can be made to look like “8’s” and “B’s”. Use your imagination!

Now, compare the obfuscated social security number and account information with the originals above and notice the differences.

If you recovered the obfuscated ones, could you guess the correct data?

You can then run a black marker over it if you prefer, (always follow your organization’s policy on handling and discarding sensitive information) but as you can see from the examples, this is very effective.

There are times when printed reports with confidential data on them need to be publicly released, there are times when credentials or other important data will be written down, and there are times when a paper shredder may not be right at hand.

Physically changing the data, works much better than trying to scribble the data out or using a black marker alone. And it only takes a few seconds to obfuscate sensitive data with a pen!


Malware Analysis: How to Decode JavaScript Obfuscation

When performing malware analysis one of the techniques the bad guys uses to hide their code is obfuscation. What this means is that the program is hidden or obscured to make malware analysis much more difficult. You didn’t think they would make it easy on you did they?  🙂

I found a good intro to javascript malware analysis and video on the HIR Information Report website. It shows you one method (the Tom Liston Method) on how to take obfuscated code that looks like this:

And decode it so you get the original Javascript, like this:

Excellent article, check it out!