[ISN] 'Sanitized' hard drives prove data trove

From: InfoSec News (isnat_private)
Date: Wed Jan 15 2003 - 23:06:24 PST

  • Next message: InfoSec News: "[ISN] Ohio State University computers crippled by e-bomb"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.sunspot.net/technology/bal-drives0115,0,2320111.story?coll=bal-business-headlines
    
    [This is my idea of a sanitized drive (from Defcon 10)
    http://www.23.org/~chs/gallery/defconx/shoot/pict2205f.jpeg   - WK] 
    
    
    By Justin Pope
    The Associated Press
    January 15, 2003
    
    CAMBRIDGE, MASS. -- So, you think you've cleaned all your personal
    files from that old computer hard drive you're selling?
    
    A pair of MIT graduate students suggest you think again.
    
    Over two years, Simson Garfinkel and Abhi Shelat assembled 158 used
    hard drives, shelling out $5 to $30 for each at secondhand computer
    stores and on eBay.
    
    Of the 129 drives that functioned, 69 still had recoverable files on
    them and 49 contained "significant personal information" -- medical
    correspondence, love letters, pornography and 5,000 credit card
    numbers.
    
    One even had a year's worth of transactions with account numbers from
    an ATM in Illinois.
    
    "On that drive, they hadn't even formatted it," Garfinkel said. "They
    just pulled it out and sold it."
    
    About 150,000 hard drives were "retired" last year, the research firm
    Gartner Dataquest estimates. Many ended up in trash heaps, but many
    also find their way to secondary markets.
    
    Over the years, stories occasionally have surfaced about personal
    information turning up on used hard drives that have raised concerns
    about personal privacy and identity-theft risks.
    
    Last spring, Pennsylvania sold to local resellers computers that
    contained information about state employees. In 1997, a Nevada woman
    purchased a used computer and discovered it contained prescription
    records on 2,000 customers of an Arizona pharmacy.
    
    Garfinkel and Shelat, who report their findings in an article to be
    published Friday in the journal IEEE Security & Privacy, say they
    believe they're the first to take a more comprehensive -- though not
    exactly scientific -- look at the problem.
    
    On common operating systems like Unix variants and Microsoft Corp.'s
    Windows family, simply deleting a file, or even following that up by
    emptying the "trash" folder, doesn't necessarily make the information
    irretrievable.
    
    Those commands generally delete a file's name from the directory, so
    it won't show up when the files are listed. But the information itself
    can live on until it is overwritten by new files.
    
    Even formatting a drive may not do it. Fifty-one of the 129 working
    drives the authors acquired had been formatted, but 19 of them still
    contained recoverable data.
    
    The only sure way to erase a hard drive is to "squeeze" it: writing
    over the old information with new data -- all zeros, for instance --
    at least once but preferably several times.
    
    A one-line command will do that for Unix users, and for others,
    inexpensive software from companies including AccessData works well.
    
    But few people go to the trouble.
    
    Garfinkel said users shouldn't be forced to choose between wiping
    their hard drives clean or taking a sledgehammer to them.
    
    "There are ways of designing an operating system to make that problem
    go away," Garfinkel said.
    
    Indeed, future operating systems may make it easier. But many users
    like believing that, in a pinch, an expert could recover their deleted
    files. The resilience of hard drive data also is a powerful weapon for
    law enforcement.
    
    As it turned out, most of the hard drives the authors acquired came
    from businesses that apparently have a higher but misplaced confidence
    in their ability to "sanitize" old drives. Individual users are more
    likely simply to toss their old drives into the closet, or try the
    sledgehammer method.
    
    "Homeowners seem to understand there's not a lot to be gained by
    selling your 20-gig hard drive on eBay," Garfinkel said.
    
    That fits the experience of Tom Aleman, who heads the analytic and
    forensic technology group at Deloitte & Touche and often encounters
    companies that get burned by failing to fully sanitize, say, the
    laptop of an employee leaving the company for a job with a competitor.
    
    "People will think they have deleted the file, they can't find the
    file themselves and that the file is gone when, in fact, forensically
    you may be able to retrieve it," he said.
    
    Garfinkel has learned his lesson.
    
    As an undergrad at MIT in the 1980s, he failed to sanitize his own
    hard drive before returning a computer to his father, who was able to
    read his personal journal. The privacy concerns worry him, especially
    since the U.S. Supreme Court has held that the right to privacy
    doesn't apply to discarded items.
    
    But what really strikes him is how many people he found bidding for
    old drives on eBay. He shudders to think what they would want with
    them.
    
    "If I were a government interested in doing economic espionage against
    the United States, I would allocate a million dollars a year to buy
    these hard drives and analyze them," he said.
    
    In fact, it wouldn't even take that -- just somebody willing to hold
    their nose and walk around the municipal dump.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jan 16 2003 - 01:12:52 PST