What's the best way to protect data on old hard drives? Pound them into little pieces, according to one security analyst who says data crooks are buying--and mining--recycled hard drives.
Users should pound old hard drives before recycling the bits and pieces, a security analyst warned Monday.
"Remove the disks and crush the cases, making sure that you break or bend the actual platters. Use a hammer," said Richard Stiennon of IT-Harvest.
Stiennon's recommendation was prompted by BBC reports that Nigerian fraudsters have been buying recycled hard drives from the U.K., then diving into the data in search of usernames and passwords for accessing online bank accounts. According to the BBC, drives are sold in the West African country's commercial capital of Lagos for as little as 20 pounds ($37.87). Many of the drives the BBC found in Lagos came from U.K.-based recycling companies.
"This goes beyond the casual discovery of critical information," Stiennon said. "Cyber thieves are well-equipped to use forensic tools to recover deleted files."
Nigeria is notorious for harboring identity thieves, who typically run elaborate scams that involve supposedly dead or dying millionaires, money transfers, and pleading innocents. Dubbed "419" schemes for the section of the Nigerian criminal code they violate, the scams predate e-mail and the Internet, but have boomed because of both. In February, for example, Dutch authorities arrested a dozen Nigerians for operating a 419 ring and bilking North Americans out of $2 million.
Stiennon also cited a report issued last week by British Telecommunications (BT), done by researchers at the University of Glamorgan in Wales and Australia's Edith Cowan University, which said a large number of second-hand hard disks contained "significant volumes of sensitive information."
The researchers -- who were repeating their 2005 study -- examined more than 300 drives obtained from the U.K., Australia, North America, and Germany via online auctions, flea markets, and computer fairs. Among the data recovered from the used drives were payroll information, cell phone numbers, invoices, employee names and photos, porn, and details of bank and credit card accounts.
"Companies and individuals need to take disposal of information stored on hard drives more seriously," said Andy Jones, BT's head of security research, in a statement last week when the report was released. "Just from looking at this random sample, it is obvious that there are hard drives on public sale that still contain highly confidential material."
"I'm raising my recommendation for disposing of old PCs because of this new level of attack," said Stiennon. "Totally destroy the hard drives."
It's not that other methods of destroying data -- such as zapping drives with massive electromagnets or running government-approved eraser programs -- don't do the job, he said.
"The whole managed control approach, where companies have a check-off process before a machine is retired, isn't enough," said Stiennon. "I'm confident in magnets and erasers, but I'm not confident in the process. [Erasing hard drives] just doesn't get done."
By physically removing and destroying the drives, businesses are adding another check to the system. "If a bunch of computers are on the shipping dock and someone notices that they still have their drives, then they'll know the machines aren't to leave. Or if the receiver sees that the drives are intact, he'll know to ask 'did you mean to ship these with hard drives?'" said Stiennon.
Erasing a drive with free or low-cost software -- Stiennon, who once worked for Webroot, recommended that company's $30 Window Washer -- does work in some situations. "If you're giving the PC to a friend or someone in the family, use software to clean it up," he advised.
But in every other instance, for businesses ranging from small to large, he repeated the bash-and-bang recommendation. "Hard drives cost next to nothing. They're one of the cheapest components of a PC and could easily be replaced with a higher capacity, faster disk."