Dirty disks pose threat

Rene Hamel recently bought a hard drive to install on a machine at work. Hamel, an ex-RCMP officer and vice-president of forensic technology services at KPMG in Toronto, knows a thing or two about retrieving data from computers – he does it for a living.

But this time his newly installed drive didn’t require any of his expertise. “This drive was full of information, it was not even reformatted,” he said.

On the drive Hamel found accounting information from a U.S. funeral home. The kicker is that the drive was sold to Hamel as new, hermetically sealed in an anti-static bag.

For all of corporate Canada’s efforts to secure its data, one of the easiest holes to plug often goes unattended. With firewalls beating back attacks and intrusion detection systems set on stun, corporate data stored on old hard drives escapes notice. Often the drives have been reformatted, but experts say this is no more useful than taking search engines off of the Web and assuming no one is going to find anything. It might make the task more difficult, but it is far from impossible.

Hamel’s anecdote may sound like an anomaly, but unfortunately it is not. In a paper titled Remembrance of Data Passed: A Study of Disk Sanitization Practices, two Massachusetts Institute of Technology grad students (Simson L. Garfinkel and Abhi Shelat) performed an experiment. They bought 158 used hard drives from a variety of resellers, from computer stores to consolidators. Not surprisingly, the majority of the drives had not been properly sanitized.

A lot of what they found was exactly what one would expect: Word documents, love letters and the ever-ubiquitous pornography. But some of the data was far more worrisome. They retrieved corporate memoranda, hospital information and credit card numbers. Garfinkel and Shelat stated that to actually verify the validity of a credit card number would require attempting to use it, something they decided not to do. Instead they set up a test which determined whether a number likely came from a credit card. One in four drives had numbers that passed the test. One drive contained several thousand possible credit card numbers. Another apparently came from a bank machine.
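The following is an added example, not code from the paper or from anyone quoted in this article. It shows how a pre-disposal audit can check a raw drive image for leftover data and card-like numbers. The article does not say how the researchers' test worked, so this assumes the Luhn check digit that payment card numbers carry; the function names, the stand-ins for a reformat and an overwrite pass, and the sample image are all constructed for illustration.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_image(image: bytes, sector: int = 512):
    """Return (nonzero_sectors, hits); each hit is (byte offset, masked number)."""
    nonzero = sum(1 for off in range(0, len(image), sector)
                  if any(image[off:off + sector]))
    hits = []
    for m in CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if len(set(digits)) > 1 and luhn_ok(digits):
            # Keep only the last four digits so the audit log holds no card data.
            hits.append((m.start(), "*" * (len(digits) - 4) + digits[-4:]))
    return nonzero, hits

def quick_format(image: bytes, sector: int = 512) -> bytes:
    """Constructed stand-in for a reformat: clears sector 0, leaves data blocks."""
    return bytes(sector) + image[sector:]

def overwrite(image: bytes) -> bytes:
    """Constructed stand-in for one full overwrite pass with zeros."""
    return bytes(len(image))

# Constructed 4-sector "drive": a fake header, a log line holding the public
# test number 4111-1111-1111-1111, a 16-digit non-card number, an empty sector.
SAMPLE = (b"FSHDR".ljust(512, b"\0")
          + b"2003-01-14 acct 4111-1111-1111-1111 bal 120.50\n".ljust(512, b"\0")
          + b"order ref 1234567890123456\n".ljust(512, b"\0")
          + bytes(512))

if __name__ == "__main__":
    for name, img in [("as sold", SAMPLE), ("reformatted", quick_format(SAMPLE)),
                      ("overwritten", overwrite(SAMPLE))]:
        print(name, scan_image(img))
```

The reformatted image still reports the card-like number at the same offset; only the overwritten image comes back with zero non-empty sectors and no hits.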

“Two drives contained consistent financial-style log files. One of these drives (#134) contained 2,868 numbers in a log format. Upon further inspection, it appeared that this hard drive was most likely used in an ATM machine in Illinois, and that no effort was made to remove any of the drive’s financial information. The log contained account numbers, dates of access, and account balances. In addition, the hard drive had all of the ATM machine software,” they wrote in their report (which can be found at http://www.computer.org/security/).

What makes this entire situation so aggravating, Hamel said, is the ease with which drives can be cleaned. Commercially available software, most of it under $100, can sanitize drives using the U.S. Department of Defense standard.

“You can actually sanitize a drive pretty well, and unless you have the budget of the U.S. government…you are not going to retrieve [data],” Hamel said. Do most companies properly clean their drives prior to disposal? “No, no, no,” he laughed.

Though there is an ongoing debate as to what level of sanitization is actually needed to completely destroy data, everyone ComputerWorld Canada interviewed said the commercially available software does a good enough job for the vast majority of situations.

But sanitizing drives is time consuming. “It is a question of physics, the drives can only read and write data at a certain speed,” said Steve Hardwick, director of emerging technologies with Austin, Tex.-based Infraworks Corp.

He said it takes about 30 to 40 minutes per gigabyte to properly sanitize a drive. The software writes, checks and rewrites over the data. This can be done up to 100 times. Some companies have a computer that does nothing but sanitize drives. For those with less time, or lacking dedicated equipment to do the job, most commercial software allows users to fully sanitize specific files or folders, so even if there is not enough time to properly clean the entire drive, classified portions can be quickly cleansed.

Policy required

The system fails when there is no corporate-wide policy for data deletion, something Hardwick has witnessed first-hand.

Once, at his old company, Hardwick’s laptop was on the fritz so he asked IT to replace the hard drive. Eager to please, they quickly installed another one. Like Hamel, Hardwick likes to check his new technology. He ran un-format on the drive and found himself staring at the CEO’s old drive. He returned it to IT.

“It comes down to good policies [for] getting rid of computer equipment,” Hamel said.

Companies have to understand that any change in hard drive ownership needs to be treated as though the drive is being handed to the corporate enemy, according to experts. If the sanitization process is done for all drives, all the time, there will be no confusion as to whether a particular drive needs to be cleaned or not.

This is the approach favoured by Blake, Cassels and Graydon, a Toronto-based law firm. Each new user starts with what is effectively a “blank slate,” said Richard Corley, co-head of the information technology practice group at Blakes.

“Confidentiality is obviously very important to the legal profession,” he said. So the corporate policy is to sanitize and re-image all hard drives whether they are being moved within the firm, for example going from a lawyer to receptionist, being recycled or being returned to a leasing company.

“We are not going to hand it back to them (leasing company) with information on it…it is a necessity in this environment,” he said.

Currently, there is no law in Canada that requires companies to sanitize drives when they are moved, sold or disposed of.

“The law generally defines the obligation in terms of keeping the information confidential, it doesn’t prescribe…the precise mechanisms that you are going to use,” Corley explained. The law operates this way because the precise methods or technologies, which may be required to wipe a drive and to clean and preserve confidentiality, may change over time, he said.

The University Health Network in Toronto (UHN is an affiliation of three local hospitals) also uses the same techniques to guarantee the control of data. All of its asset management is centralized, so if a computer comes off of a hospital floor, it is cleaned and re-imaged before it goes to the next user. Hewlett-Packard employees, who work on-site, service UHN’s technology. They are also required to sign a confidentiality agreement. Even though they work for an outsourcing company, “it is like they are hospital staff,” a UHN spokesperson said.

Hamel referred to a recent case of a burned, but not completely destroyed, drive the U.S. government needed to build a case against a child pornographer. It took the agents six months, but in the end they successfully retrieved the data. So corporations that are absolutely adamant about destroying drive information have only one option – completely destroy the drive. Drilling holes in the drive, for instance, isn’t enough.

Like the end of the movie Terminator 2, melting a drive down to whence it came is the only 100 per cent failsafe method. Not surprisingly, there are government agencies that reputedly do just this.