Schneier on Security
A blog covering security and security technology.
March 2, 2005
Sensitive Information on Used Hard Drives
A research team bought over a hundred used hard drives for about a thousand dollars, and found more than half still contained personal and commercially sensitive information -- some of it blackmail material.
People have repeated this experiment again and again, in a variety of countries, and the results have been pretty much the same. People don't understand the risks of throwing away hard drives containing sensitive information.
What struck me about this story was the wide range of dirt they were able to dig up: insurance company records, a school's file on its children, evidence of an affair, and so on. And although it cost them a grand to get this, they still had a grand's worth of salable computer hardware at the end of their experiment.
Posted on March 2, 2005 at 9:40 AM
Anybody interested in how to clear this computer of junk before selling a hard drive should go to here:
It's a free (as in beer and as in speech) product and obliterates any data from your hard drive. It overwrites the disk with random-looking data, although it isn't cryptographically secure.
Even this simple countermeasure would be enough to seriously ramp up the cost to a would-be attacker.
Nothing surprising here, this has been happening since the days of the floppies where someone would sell a pack of floppies at a garage sale and lo and behold it contained information that the owner thought had been deleted. The problem has only been magnified since then because storage capacity is basically unlimited which allows for so many things to get stored and lost only to be found again in the wrong hands.
Platter destruction is pretty much your only guarantee that your data will not be recoverable by an average citizen; anything else is taking a gamble. The question is can you afford it?
Just use Mac OS X - the built in Disk Utility supports normal zeroing and stronger 8x wiping of hard drives. Very useful!
When we throw away computers here, I hook the hard drive to an opened firewire housing and wipe the drives that way.
Probably not a 100% method but those are rare as we all know.
Really, Bruce? The results seem fairly mundane and expected to me. I read two things:
1) People do not realize the risk of using an organization's computers for personal use. Even before the point of hard drive disposal, they need to know that their employer might be scanning and monitoring the data on the drives.
2) Companies usually do not have security baked into their asset lifecycles. IT groups, especially higher education and most non-profits, probably only think about the total security picture when management forces them to (via regulation or incidents). Otherwise they spend their (limited) resources in very specific areas of security, which rarely include disposal. Moreover, many charities and higher-ed organizations have traditionally operated under the mistaken assumption that information is meant to be open, or that they have far less sensitive data than corporate...
So, what I found very disturbing in the article is the recommendation:
"From a consumer’s point of view the only way truly to clean a hard drive is to put an axe through it."
The only way?
The article makes no mention of the forensics method used to pull the data on the drives. Perhaps they just booted them and poked around the file table? That would explain their low cost of recovery and the low-tech recommendation. An axe might destroy the disk, but it hardly fits the business model of recovering some cost of depreciated assets.
Ckwop correctly points out that there are tools easily available to anyone who needs to wipe a drive. These tools might be slow but they will do a fine job preventing just about anyone from retrieving data, at little or no cost, while still allowing an organization to sell/recycle their assets.
It seems to me that when the solution supports the business model (enabling a process by reducing risk), security makes a lot more sense and is more likely to be adopted. Although I can understand why some people would want to advocate taking an axe to old computers...
Davi, it's all a matter of cost of destruction vs cost of recovery. If you're just worried about some non-tech-savvy person looking at the files on the drive, a simple deletion is all you need. If they know a bit more, then wipe the drive with zeros. If they're willing to put more effort into it, then rewrite with random bits, several times. If they're willing to go over it with a scanning electron microscope, then it's time for a good once- (or twice-)over with a belt sander. (Much more effective than an axe; an axe will leave most of the platters in acceptable condition, just in two pieces.)
A company that I worked at decided that physical destruction was the best option when disposing of old drives. They brought the drives to the parking lot then charged a few bucks per swing for employees who'd like to give them a whack with a sledgehammer. The money went to charity and the job was finished by the organizers on any drive not suitably demolished.
Effective, fun, and made the security issue forefront in peoples' minds...not something taken care of by someone else.
At my place of employment we are required to zero-write each drive ten times before we send the old PCs to surplus. In the vast majority of cases, it's a waste of time. But it only takes one or two really high-profile cases where some important research data was given away to force the rest of us to go to these lengths. So what's been happening is that many of these hard drives are being physically destroyed. But it beats wasting hours of time writing zeros to hard drives, especially when the drive is an older 540MB dinosaur.
How do you suggest disposing of faulty hard drives that won't work properly when hooked up to a standard PC? A relatively cheap solution gives extra credits, as this could happen to anybody when the hard drive is a few years old.
I don't doubt there is a way to still read data from those drives, even if that requires a special (i.e., less error-sensitive) controller or even more specialized equipment.
Sorry Bruce, you made a few mistakes in your summary. The value of the hard drives was 1,000 UK Pounds. Not $1,000. It's closer to $1,750.
National Insurance Numbers are the British equivalent of Social Security Numbers. Not "Insurance" information per se, but just as bad.
dban is great in most cases. It's even on the Ultimate Boot CD. However it doesn't seem to work on certain computers, particularly PIII Gateways. Killdisk will take care of those, but that's a commercial product. I usually just pull the hard drive and wipe it with dban in a PIII clone I keep for that purpose. Old laptops with little RAM are a problem.
We've had that same problem. I've solved it by using an Estwing geology hammer. There's a pick on one end that makes bullet-like holes through a hard drive. 8 or 9 good whacks and it's all over for the drive. :-)
I think we are in agreement.
The article mentions a control group of drives that were clean. Those drives were from "a company specialising in the destruction of data".
In terms of risk, the easy answer for companies that are looking for a fast way to dispose of a lot of equipment is to hire a dispose/recycle company that you can trust (or transfer liability to).
The UK appears to have several sources of data clear/purge standards that IMHO the article should have pointed people towards:
- HMG Infosec Standard No 5 (IS5) and CESG Infosec Manual S (Guide to Secure Erasure)
- The Security Equipment Assessment Panel (SEAP) in the Cabinet Office approves specific degaussers and other physical destruction methods
- The Crown Prosecution Service also has a "Security Manual 2000" with a Chapter 16 called "Destruction of Protectively Marked Material"
But note that all the gov't standards assume some level of awareness and/or data classification in order to calculate the risk and required level of data destruction.
I seem to remember hearing that the 'approved US military' method for wiping HDs is to run over it with a tank. Of course, being military, the type of tank is specified, as is the tread coverage required.
Can anyone confirm? Or is it urban legend?
Sounds like urban legend. The fact is, a tank could run back and forth over a drive all day long, and the poundage per square inch probably isn't high enough to crack the casing, let alone smash the platters uniformly.
There are stories about soldiers having their legs run over by tanks and getting up without even deep bruising. Of course, those were (based on the origin of the stories) probably lighter WWII-vintage US and British tanks, rather than Abrams-style monsters, or even the heavier German and Soviet (and later-war US and British) tanks of the period. But the whole point of tank treads is that they spread weight out.
The whole point of tank treads is to spread the load. I can't imagine one cracking a drive case to destroy the platters. There are (possibly apocryphal) stories about soldiers having a leg run over by a tank and then just getting up again with no worse than bruising.
Oops, sorry for the double post. Thought the server ate the first.
The tank story is Urban Legend.
The US Government does, however, have standards for how many times data on hard drives needs to be overwritten in order to guarantee that it will be infeasible to recover it. I forget the actual figure, but it was in the range of 6-20 times. (Broad range, I know, but it depends on how tooled up your attacker is.)
Puts me in mind of the BTK case at present, in an only slightly OT way. Brought down by a floppy disk!
We use BCwipe, and it has a "Defence approved wipe" option. 25 overwrites, from memory. Some patterns, some random. "shred" does something similar. Dead easy to use: boot off KNoppix CD, "shred --verbose /dev/hda", go home for the weekend.
Physical deformation of the platters (though satisfying) doesn't always erase the data. A _really_ determined adversary could still read the disk.
For best results, heat up the platters above the Curie(?) point (i.e. the point at which metal loses its magnetic memory). An added bonus is a nice shiny aluminum paperweight!
Javier Kohen - If the drive doesn't work reliably, you (obviously) can't use a sw utility to overwrite it. Use heat instead. At one manufacturing facility, we used a curing oven to heat a rack of drives to 400F for a few hours. That was warm enough to erase everything without setting them on fire. At home I've used a propane torch to heat the drive's casing until it glows.
See page 18 of this document for US mil details on overwriting, degaussing, sanitizing, and destroying media (DoD 5220.22-M-SUP-1, Chap8):
I could not find it in the DoD docs, but I seem to remember that media starts deteriorating above 50 degrees Celsius (122 degrees Fahrenheit) or humidity above 85 percent.
I prefer heating above the melting point instead of the Curie point... Much more fun, and you get to choose the shape of your new paperweight too! :-)
For anyone planning to try jethro's sledgehammer method, remember to be very careful. You'll probably wind up with some sharp pieces - I know from experience destroying computers with the legendary ORB.
You need to read the article more thoroughly - Bruce got it right in his summary. If you read the article, it does mention NI numbers, but it also mentions a drive from a Swedish insurance company.
I am searching for a technical paper discussing Mr. Schneier's algorithm (7 passes) for hard drive sanitize. Please help.
I did a fair bit of research on this when I was contracting for a police department. A few comments:
No, that's slightly too paranoid. While deletion alone is useless, a simple overwrite with zeroes (or anything, in fact) will definitely defeat the "average citizen"; as soon as you have even one full overwrite, the data cannot be recovered without special hardware. Multiple cryptographic overwrites will defeat everyone except national intelligence agencies or large hi-tech companies. Physical destruction is really only necessary if your opponents are very powerful and the data is worth at least hundreds of thousands.
In our case, we knew that most of the machines we were disposing of had nothing of very great value, but a small percentage had very sensitive information about stuff like narcotics informants. But we had no budget for wiping. So we created a bootable "death disk" floppy which did a format /u (to unmark bad blocks), then ran a cryptographic, whole-of-disk overwriter continuously until stopped. Just before quitting time we would set up 20 or so doomed boxes on the workbench, give each one a "death disk", reboot, quickly swap the video cable around to check they were all working, then go home. Number of overwrites achieved by the next morning varied of course but was typically over 100.
"IT groups, especially higher education and most non-profits, probably only think about the total security picture when management forces them to"
Actually, that's the exact opposite of my experience at several employers. It's IT that wants to do the job right, management thinking is the cause of 90% of security problems because they can't authorise resources unless they can show the "bottom line benefit". Of course with security, you can only show the bottom line benefit *after* you've been screwed. Thus we see the same pattern happening again and again, companies fail to implement obvious security practices until they get bitten, then go into CYA mode. It's management's fault, not IT. In the case of my police contract, we had a senior officer arrive in a panic after seeing a TV cop show (!!) where this exploit was used. He was so delighted to discover we had been secretly dealing with it in our own time that he approved the next *TWO* security-related procurements!
It's a nice point that it reinforces things in people's minds, but it *is* a waste of money. When I did the police contract, we were required by law to make reasonable efforts to recover public funds when disposing of old equipment. Many private companies would have similar rules, and it certainly applies to corporate liquidators. We auctioned them, and usually got between 10 and 25% of the as-new price. We did, however, destroy defective drives. Later, we moved to a leasing arrangement, which meant they later had to be returned in best possible condition, and all defective components were returned for a warranty swap. We never got a satisfactory resolution to that one; the finance department talked louder than security, so the only concession we got was that the defective drives were taken back to the contractor by an armed, uniformed officer.
@Javier and others:
Our method of disposing of defective drives was as follows: we would open the casing of the drive (requires nothing more than a Torx driver--does void the warranty, though 8^). Inside, there are lots of bits that make great toys for the IT staff, especially the extremely powerful voice coil magnets. Hand out all that stuff, and transfer the actual platters to the safe. Next time the IT department has a barbecue, remove the accumulated platters from the safe (rarely so much as half a dozen, and they take up hardly any room), and they go in the middle of the bonfire. We made big bonfires, no trouble reaching the Curie point 8^)
Various people: the approved military "field expedient" method for emergency declassification of hard drives is a thermite grenade, not a tank. A thermite grenade is designed for equipment destruction, and is intended to be placed on the target object, not thrown. After a short delay for the operator to get clear, it emits a stream of molten iron at somewhere around 2500°C (4500°F). Obviously, you need to do this somewhere there isn't a risk of fire.
I thought that one can re-format the old hard drive and that would clean it out totally....
Quote: A research team from Glamorgan University analysed 111 supposedly clean hard drives, bought for less than £1,000, and found that more than half still contained personal information. This included national insurance numbers, evidence of a married woman's affair and detailed biographical information about children.
In a word, no.
In the old days, low-level formatting was available and might actually erase some of the data, or at least render it unreadable without special hardware, although even this process was not really reliable for security.
However since about MS-DOS 5.0 (1991), most disk formatting, even when it pretends to be low level, actually writes only to the boot sector and FAT, and does *nothing* to the data section of the disk; thus your data can be recovered quite easily provided nothing else gets written to the disk before attempting recovery. If you reinstall an OS after formatting, you will overwrite some of the data (and thus delete it more-or-less securely), but exactly what gets overwritten, and what doesn't, is a hit-and-miss affair. And you only get one overwrite, which may not be enough if you have a very resourceful opponent.
It's much better to just use an overwriter (a.k.a. shredder), examples of which are freely available for pretty well every OS. The only cost is that they do take quite a while to run on a big modern disk but that's no big deal; just do it overnight.
There is one benefit in doing a format, though. A (pretend) low-level format (format /u in DOS) will delete the logical bad sectors map, so that your overwriter can attempt to write to bad sectors. Usually, only a certain percentage of writes to bad sectors will fail, so if you do multiple overwrites there is a good chance of getting some overwriting of even the bad sectors. Of course you will later need to remap your bad sectors (scandisk, in DOS/Win32). Unfortunately, some HDD controllers keep their own bad sectors maps, and there appears to be nothing one can do about that except hope there is no sensitive data on them, or physically destroy the disk.
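To make the point of the post above concrete, here is an added Python example (not from the post or any commenter) that builds a small constructed disk image, runs a "format" that rewrites only the metadata sectors, and shows that a raw scan still finds the record until every sector has been overwritten. The sector layout, the sample record and all function names are constructed for illustration; run it against an image file, never a live device.

```python
import os
import secrets
import tempfile

SECTOR = 512
META_SECTORS = 4     # constructed layout: sectors 0-3 stand in for boot sector + FAT
RECORD_SECTOR = 20   # the "file" body lives in the data area, well past the metadata
RECORD = b"NI-NUMBER AB123456C"  # constructed sample record, not real data

def make_image(path, sectors=64):
    """Build a constructed image: fake metadata up front, one record in the data area."""
    with open(path, "wb") as f:
        f.write(b"FAT-METADATA".ljust(META_SECTORS * SECTOR, b"\xaa"))
        f.write(b"\x00" * ((RECORD_SECTOR - META_SECTORS) * SECTOR))
        f.write(RECORD.ljust(SECTOR, b"\x00"))
        f.write(b"\x00" * ((sectors - RECORD_SECTOR - 1) * SECTOR))

def quick_format(path):
    """Mimic a DOS-style format: rewrite boot sector and FAT only, never the data area."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * (META_SECTORS * SECTOR))

def residue_offsets(path, needle):
    """Scan raw bytes the way a recovery tool would, ignoring the file system entirely."""
    with open(path, "rb") as f:
        raw = f.read()
    hits, pos = [], raw.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(needle, pos + 1)
    return hits

def overwrite(path, passes=(b"\x00", None), chunk=64 * 1024):
    """Overwrite every byte once per pass (a fixed byte, or None for random data)."""
    size, written = os.path.getsize(path), 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
            f.flush()
            os.fsync(f.fileno())  # make sure each pass actually reached the device
    return written

def run_demo(path=None):
    """Where is the record found after a format, and after a full overwrite?"""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    make_image(path)
    quick_format(path)
    found = residue_offsets(path, RECORD)
    overwrite(path)
    return {"after_format": found, "after_overwrite": residue_offsets(path, RECORD)}
```

The format leaves the record intact at sector 20 (byte offset 10240); only the overwrite passes remove it, which is the whole argument for using an overwriter rather than relying on format.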
Regarding drive formatting:
It's nothing to do with DOS 5.0, it's the drive technology that changed. The DOS Format command never did anything to drive content but the older MFM/RLL hard drives could be low level formatted and the low level format would overwrite the entire surface including parts marked "bad".
Older drives were much more vulnerable to leaving traces of old data in track margins though.