'Cleaned' hard drives reveal secrets

New Scientist ^ | 14:32 16 January 03 | Will Knight

[vannrox]

'Cleaned' hard drives reveal secrets

14:32 16 January 03

Will Knight

Discarded and recycled computer drives can reveal financial and personal information even when apparently wiped clean, MIT researchers have found.

Simson Garfinkel and Abhi Shelat, graduate students at the Massachusetts Institute of Technology, analysed 158 second hand hard drives bought over the internet between November 2000 and August 2002. They were able to recover over 6000 credit card numbers, as well as email messages and pornographic images.

The pair wrote a program to scour the disk drives for any trace of credit card information. They found card numbers on 42 drives of the drives they bought.

One drive had previously been used in an ATM cash machine and contained 2868 different numbers, as well as account and transaction information. Another drive contained a credit card number within a cached web page.

Privacy failure

Much of the information the researchers found had been "deleted" before the disks were sold. But simply deleting a file with most computer operating systems does not remove it from the hard drive, it only removes a tag pointing to the file.

Furthermore, even re-formatting the disk does not properly remove the contents of files.

"Most techniques that people use to assure information privacy fail when data storage equipment is sold onto the secondary market," the researchers write in an article to appear in the IEEE magazine Security and Privacy. "The results of even this limited initial analysis indicate that there are no standard practices in the industry [for sanitizing disks]."

Data remembrance

The study, entitled Remembrance of data passed: a study of disk sanitization practices, concludes that overwriting disks with random data, preferably more than once, should be sufficient to wipe them clean. But only 12 per cent of the drives they bought had been cleaned in this way.

They also note that it may be possible to recover information even when it has been overwritten with random data. This would require the use of magnetic force microscopy to measure the subtle magnetic changes that occur during each overwrite.

Finally, the researchers add that cryptographic file systems would improve hard drive security by requiring authentication before revealing data. But they say this type of system is very rarely used.

14:32 16 January 03

Return to news story

  © Copyright Reed Business Information Ltd.

 

[dennisw]

To clean a hard drive completely you have to write zeros to it ...  AKA low level formatting.

I like Western Digital. Their new LifeGuard 10.0 software writes zeros to large Western Digital hard drive in ~30 minutes. Fastest I've ever seen.
http://support.wdc.com/download/#dlgtools

This program, GWSCAN, will write zeros to any hard drive. By any manufacturer. So they say.
http://support.gateway.com/support/drivers/search.asp?strSearch=gwscan&searchType=all&chkWord=1

 

[M. Peach]

You're kidding, right?

[Apple Pan Dowdy]

"My checkbook balance is on my computer. Hard for anyone to get in too much trouble with that"

Lasy week I had occaission to call my bank's customer service department. They tried to point me to their online banking at their web site to find the answer to my question and I told the rep that I did not use online banking services.

When he asked why I said that I work in the web development industry and I know too much about how unsecure the Internet is to allow my financial info to even be on the same hard drive that also accesses the Internet for any reason, much less to acually allow that data to travel online if I can help it.

He asked if I made purchases online... I said, "sure. Because my credit card has guarantees in place to cover usage fraud."

Then he went on to say, "You know most of us here at the bank feel the same way!"

Interesting, huh? They KNOW it is unsecure and yet they advertise otherwise and incourage the public to participate? Why is this, I asked myself over and over that day. I really believe that security is not a priority. Rather the priority is the ability to one day access every iota of our life from a giant data base... Big Brother style, if you will. Once that is possible total control, total power will be in someone's hands. The final question is, "who's?"

[steve-b]

So what's happened to the Clinton White House's computers?

I think they may have turned up in this study:

They were able to recover over 6000 credit card numbers, as well as email messages and pornographic images

[dennisw]

To clean a hard drive completely you have to write zeros to it ...  AKA low level formatting.

I like Western Digital. Their new LifeGuard 10.0 software writes zeros to large Western Digital hard drive in ~30 minutes. Fastest I've ever seen.
http://support.wdc.com/download/#dlgtools

This program, GWSCAN, will write zeros to any hard drive. By any manufacturer. So they say.
http://support.gateway.com/support/drivers/search.asp?strSearch=gwscan&searchType=all&chkWord=1

 

[adx]

For high security, I prefer the sledge-o-matic approach to hard drives.

Hammers? Try THERMITE! Lots more fun.

[M. Peach]

If you think about it, the earth will inevitably fall under one government who will monitor everything we do. Terrorism will enable (or give the reason for) our governments to unite for the purpose of survival. The only way to guarantee survival is to have absolute control over everything the populace does.

This requires total vigilance. Frankly, I don't think the human race will ever see that day. I believe we will self destruct before then. One or the other is inevitable - I see no other future.

Comments?

[blackdog]

His dad does not wear shoes. One of the really odd things about simson I remember was that horses hated him. He was terrified of anything which could not be calculated. Shooting a gun, shooting an arrow, even weaving gimp keychains was fine. The thought of riding a horse which he had no method of calculating was primal fear for him. Even his movements and voice would drive a dead broke horse to become spooky.

You are right about his personal conduct. He was well liked despite his funny mannerism's. He was from a well off family but never behaved spoiled or selfishly. Kids can be brutal toward each other. For some reason Simson was given a free pass. I still remember him playing the piano and telling another kid his lines in a play while never missing a note.

I hope MIT get's their pound of flesh out of him. On a separate angle, if Simson was not from an educated family and did not have mature, patient parents, he would have been destroyed in public school, drugged, and stuck in special education classes due to his "emotional problems" It makes one wonder how many Simsons we have flushed down the toilet in the past thirty years?

[gridlock]

Try THERMITE! Lots more fun.

Well, Everything's more fun with Thermite!

[oldcomputerguy]

To clean a hard drive completely you have to write zeros to it ..

This is somewhat simplistic. If you want the guy next store to be unable to read your drive, then write zeros to it, if you want the govt to be unable to read your drive then you have to do a lot more.

[Apple Pan Dowdy]

"One or the other is inevitable - I see no other future. Comments? "

Which then leads one to seriously consider pondering whether or not one's "future" is actually in the "life after" rather than here on earth. Anyway, doing so is the only thing that keeps me sane. :)

[blackdog]

No, I am not kidding. He was like a Harpo Marx, The guy in A Beautiful Mind, and Good Will Hunting all rolled into one. He did look like Harpo too! His family is of the Jewish faith, but sent their child to a YMCA camp. His parents were real good people with both oars in the water. They knew what was best for him. I suppose they wanted to get him a break from the Hebrew School/private school crowd he spent way too much time with during the rest of the year and get a chance to mingle with the less gifted.

One does not get to trap shoot, gallop horses, shoot rifles, rock climb, cook over a fire, and clean toilets at the B'nai Brith(sp?) summer camp.

[TheLurkerX]

DOD regulation requires a pattern overwrite of at least 3 passes. The German's require 7.

[blackdog]

Where does one obtain thermite? I remember I had a similar substance as a little kid called bangsite. You would squeeze it from a tube like toothpaste and when impacted it would explode. (Ah the good kids toys from yesteryear)

[70times7]

Reminds me of something I witnessed back in the days when an IBM AT was a very fast machine, floppies were actually floppy and Symphony spread-sheets displayed green on a black screen...

An overpriced desk jockey in our work group was having big troubles with her PC; she couldn't get it to access some vital files. The computer "guru" came and spent at least 20 to 30 minutes trying to extract her data. When he was unsuccessful he handed her the floppy. She was fuming and criticizing his incompetence as she placed the disk back into its usual storage location: on the side of her file cabinet held in place by a magnet.

[70times7]

DOD regulation requires a pattern overwrite of at least 3 passes. The German's require 7.

Vee haf vays of making it not talk!

[Liberal Classic]

Back in college my wife worked at the help desk. She said that sometimes people would either fold up 5 1/4" disks, or trim them with some sissors to fit. ;)

[HoustonCurmudgeon]

Please do not worry yourself, you are way down on the list of things that bother me.... and now that I won, you're off the list entirely! ;-)

[George W. Bush]

I think for military drives, they also require 7-pass wipes too for the lowest security classification. At least, that's where the 7-pass standard comes from.

There are some utilities that do a 7-pass (or more) random rewrite of any deleted file space when you delete the file. Convenient for removing the info from the disk on a steady basis and not just waiting to do a multipass erase when you sell/dispose of it.

There is also encrypted virtual drives that reside in a single file on your partition. These utilities give you another drive letter but it is heavily encrpyted storage that is accessed with a strong password system. So no one gets at that data casually. You can park your web cache and sensitive documents (porno, restricting hacking, illicit passwords, etc) in such a virtual drive pretty securely.

And for the Linux folk, they can run entire filesystems that are fully encrypted start to finish. I think the BSD family is probably the best at this.

[cruiserman]

They sure can, but not when you smash them into little pieces with a heavy duty hammer, which is what happens to all my hard-drives when I have no further use for them.

I prefer to take them to the local gun range.