Hardware & Infrastructure
Commentary
2/16/2006
04:45 PM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Langa Letter: The "Dead Drive" Security Loophole

You may get a nasty surprise if you send your system out for repairs! Consider your options.

Easy To Resurrect Dead Files
Because normal Formats and Erase/Delete operations don't touch much of the data on your disk, it's not hard to bring those files back from the dead. In fact, there's a whole raft of tools that can get at the deleted info. For example, all comprehensive commercial software utility kits (including the most-popular suite, the Norton Utilities) have one or more ways to scour the hard-drive surface, looking for what's left of erased files and converting them back into easily accessible normal files. Many disk utility kits also include Unformat tools that can likewise recover data from a disk that's been completely reformatted.

Advanced users can employ low-level "sector editors" that can examine a hard drive bit by bit, recovering anything of value or interest, anywhere on a drive, even if it has been partially overwritten or is otherwise inaccessible to the normal disk operating system.

Professional data-recovery services and governmental investigative agencies can go even further: Using special hardware and software, they sometimes can recover data from disks that have been completely and repeatedly overwritten with new data, or even disks that have been physically damaged.

But sometimes, no fancy tools are needed at all. Take Andy's case. All the repair techs had to do was replace the motor and plug Andy's drive back into a PC. Windows, through its Plug and Play mechanism, would then auto-detect any hardware differences between Andy's system and the new one it's running on and load the appropriate drivers. When the system booted, it would return to the state it was when Andy last used it, with all the drive contents available to the drive's new owners.

Security, The Hard Way...
"Sanitizing" a hard drive so others can't access its data is possible, but achieving a high level of hard-drive security involves far more hassle than most of us are willing to endure.

For example, the U.S. Department of Defense-prepared "National Industrial Security Program Operating Manual" (see http://nsi.org/Library/Govt/Nispom.html) calls for the following steps to be taken to dispose of hard drives that contain moderately sensitive information:

  1. Overwrite all addressable locations with a single character.
  2. Degauss with a Type I degausser.
  3. Degauss with a Type II degausser.
  4. Overwrite all addressable locations with a character, its complement, then a random character and verify.
  5. Destroy: Disintegrate, incinerate, pulverize, shred, or melt.

Amazingly, this still doesn't provide the very highest levels of security (mainly because the many steps themselves constitute a potential security problem). The manual screams in all capital letters: "THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION."

Imagine what's involved in sanitizing really sensitive data!

...And The Easy Way
Fortunately, most of us don't have to worry about achieving the very highest levels of security. Simpler, gentler (and nondestructive) methods may suffice, as long as your drive is still spinning. (We'll return to Andy's special case in a moment.)

For one thing, you can take simple preventive measures: If a drive doesn't fail in its first few hours or days of use, it will usually work fine for a very long time. So, I never load anything critical on a new hard drive until it's "burned in" and I'm fairly sure it's going to be reliable for the long haul. (See "System Setup Secrets.") There have been times I've had to send almost-new systems and drives back for warranty repair, but in those cases, I haven't had to worry about security because there wasn't any sensitive data on the returned system.

But what happens once a drive or system has been put into use and does contain sensitive data? In many cases, the solution is a thorough "data wipe." This doesn't mean simple file deletion or disk reformatting. Rather, it refers to a more elaborate process that's sometimes called a "government wipe" (because it's based on earlier Department of Defense recommendations for hard-drive sanitizing). It's an automated 7-pass procedure that involves overwriting the entire file area (including the directory entry, where the file's name and attributes are stored) multiple times with random data, and truncating the file allocation record so that the wiped file appears to be a zero-length item. This kind of wiping is proof against all but the most elaborate, expensive, and time-consuming data-recovery techniques.

Many software tools offer "government wipe" ability (or an approximation thereof), including the Norton Utilities WipeFile plus the freeware tools Eraser and File Wipe For DOS). You can find many others by searching your favorite download site.

In most cases, running a thorough government wipe on a hard drive is about all you'll need before sending it in for repair, selling it, discarding it, or passing it on to someone else.

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest Septermber 14, 2014
It doesn't matter whether your e-commerce D-Day is Black Friday, tax day, or some random Thursday when a post goes viral. Your websites need to be ready.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.