Selling Your Old Computers? Make Sure Your Important Data Isn't Part of the Deal
by Chris Noyes
In an age when just about everything about you is recorded somewhere on a hard drive at a governmental agency, hospital, financial institution or the local YMCA, you might just be stunned at how available this information is to anyone who wants it. When old computers are discarded or sold to make way for newer computer systems, something has to happen to the data that used to reside on the old hard drive. Usually, during an upgrade, data is merely copied from the old to the new. That’s great – except that the data which was on the old hard drive may still be there, and it moves on to the next owner. If steps were not taken to safely remove all of your data before the computer’s hard drive was sold, given away or handed down, you could be in for some discouraging news.
In a recent study from the Massachusetts Institute of Technology, “A Remembrance of Data Passed: A Study of Disk Sanitization Practices” (January 2003 issue of IEEE Security & Privacy), it was observed that about three out of four hard drives acquired from sales of old computers or auctions contained sensitive data. These drives are sold for pennies on the dollar – often between five and 30 dollars. Many of these drives contain sensitive medical information about patients, confidential e-mails and letters, as well as sensitive financial information including thousands of credit-card numbers. Hundreds of thousands of hard drives are purchased each year to replace older drives with limited capacity. Something has to happen to all these replaced hard drives. They are either sold, donated or thrown away. Do you know where the hard drive from your last computer is now?
Often in Florida local government, we tend to have an attitude that all data is public record. However, as we know, this is not always the case. There are exemptions to the public-records laws, which include but are not limited to the following:
- Copyrighted software created by the governmental agency, or software that is used to process exempt data.
- Computer licensing agreements that prohibit disclosure to parties outside of the agreement.
- Active criminal investigations.
- Unresolved complaints against police officers or school-system employees.
- Drug-test results for Drug Free Workplace programs.
- Home addresses, phone numbers and photos of certain employees.
- Medically sensitive information covered under HIPAA.
- Social Security numbers.
If someone requests information that is deemed public, the responsibility rests on them to go through the proper channels to get the information, not stumble upon it through a sold or discarded hard drive.
Billions of dollars are invested in technologies that keep prying eyes away from data. These technologies include firewalls, biometrics, heavy-duty encryption, and continuously changing passwords. Governmental agencies use this line of defense; however, criminals who legally buy auctioned-off hard drives and examine their contents can easily foil these strategies. All the technology in the world is worthless unless hard-drive data is properly decommissioned before it leaves your organization. It usually comes down to the old owner of the drive not knowing (or caring) about the underlying technology of the hard drive and operating system.
Unfortunately, many people are under the assumption that deleting files from their computer through the operating system (usually Microsoft Windows 98 or XP) automatically gets rid of that data forever. You watched it as it was emptied out of the Recycle Bin, right? On the contrary, you’re not deleting the files at all – you are just deleting references to these files. The actual data still resides on the hard drive, and the operating system marks that space as “free space” where it may or may not be overwritten. Even formatting these drives in DOS using the Format and Fdisk commands overwrites less than 10 percent of the disk, while the remaining data stays intact. Using data-recovery tools that are freely available, anyone with basic knowledge of data retrieval can easily scan the drive and recover the data.
As your computers come to the end of their useful life cycle, you need to look seriously at implementing policies and procedures to ensure that the data contained on these hard drives is sanitized before it leaves your organization. You shred important documents before they go in the trash, right? Why not do something similar for the data residing on the hard drive? Simply formatting the hard drive before it’s sent to its next owner is not good enough.
Tools that conform to U.S. Department of Defense NISPOM (National Industrial Security Program Operating Manual), DoD 5220.22-M, should be sufficient to deter the prying eyes of those searching through your discarded hard drives. These tools are readily available to anyone who needs them at very low or no cost. They basically write data to each sector of the hard drive multiple times, then verify this data. Some will argue that you need to make six passes over the drive, while others have theorized that 22 passes is your best bet. Theoretically, there are methods of extracting data off drives sanitized by this method, but these are not available to most people outside the Federal Bureau of Investigation and the National Security Agency. How many of you have a high-quality digital sampling oscilloscope? Me neither.
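The following sketch is an added example, not code from the article or from any tool it mentions. It shows the two points made above: a record left in "free space" is still readable from the raw image, and a multi-pass overwrite with read-back verification removes it. The function names, the three-pass pattern (zeros, ones, random) and the sample record are assumptions chosen for illustration, and the "disk" is a constructed image file.

```python
import hashlib, os, re, tempfile

CHUNK = 1 << 20                      # I/O size per read/write
PASSES = [b"\x00", b"\xff", None]    # illustrative: zeros, ones, random (None)

def find_remnants(path, needle):
    """Return byte offsets where needle still appears in the raw image."""
    hits, offset, tail = [], 0, b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            buf = tail + chunk       # keep an overlap so boundary matches are seen
            base = offset - len(tail)
            hits += [base + m.start() for m in re.finditer(re.escape(needle), buf)]
            tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
            offset += len(chunk)
    return hits

def wipe(path, passes=PASSES):
    """Overwrite every byte once per pass, verifying each pass by read-back."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        for pattern in passes:
            written, readback = hashlib.sha256(), hashlib.sha256()
            f.seek(0)
            for start in range(0, size, CHUNK):
                n = min(CHUNK, size - start)
                block = os.urandom(n) if pattern is None else pattern * n
                f.write(block)
                written.update(block)
            f.flush()
            os.fsync(f.fileno())     # push the pass out of OS buffers
            f.seek(0)                # note: read-back may be served from cache
            while chunk := f.read(CHUNK):
                readback.update(chunk)
            if readback.digest() != written.digest():
                raise OSError("verification failed: read-back differs from data written")
    return len(passes)

def demo():
    """Constructed image: a 'deleted' record sitting in space marked free."""
    record = b"SSN=000-00-0000"      # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        with open(path, "wb") as img:
            img.write(b"\x00" * 1_500_000 + record + b"\x00" * 700_000)
        before = find_remnants(path, record)
        wipe(path)
        return before, find_remnants(path, record)
```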
Chris Noyes is a technology services support specialist for the Florida League of Cities Technology Services Department. If you would like to know more about how to implement disk-sanitizing procedures in your organization, please contact him via e-mail, or by phone at (407) 835-3471.
Reprinted from Quality Cities May/June 2004