Brad Feld writes about recoverable data retained on used disk drives, based on findings from Simson Garfinkel of MIT. Excerpts, with edits:
Simson bought 235 used hard drives between 11/2000 and 1/2003 from eBay, computer stores, and swap meets. He set up a technical infrastructure to mount the drives, image them (using FreeBSD), store the images on a RAID server, store the metadata in a MySQL database, and then mine the data. Simson Garfinkel found a huge amount of data, including confidential information such as medical records, HR correspondence, and financial data, including a hard disk from an ATM. It contained one year's worth of transactions, including over 3,000 card numbers. In this case, the drives weren't sanitized correctly, and the data was still on them for Simson to play around with.
In addition to explaining the problem and substantiating it with real data, Simson makes a number of suggestions for how to address the issue. Two of his more severe (but logical) suggestions for cleaning all the data off of used drives are:
(a) to degauss them with a Type I or Type II degausser, or
(b) to destroy, disintegrate, incinerate, pulverize, shred, or melt the drive.
For less than $1,000 and working part time, he was able to collect thousands of credit card numbers, detailed financial records on hundreds of people, and confidential corporate files. He concludes by asking: "who else is doing this?" Simson's presentation is available here. Every system administrator, IS security expert, CIO, and business manager must read this excellent presentation.
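As an added example (not code from the post or from Garfinkel's project), here is a minimal version of the "mine the data" step written for the defender's use: scan a raw disk image for Luhn-valid card-number candidates before a drive leaves your hands, and confirm the scan comes back empty after sanitization. The sample image, its layout, and the public test card numbers in it are constructed inline; `sanitize()` only simulates a single zero-fill pass.

```python
import re

# Candidate: a run of 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer numeric runs are not split).
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(image: bytes) -> list:
    """Return distinct Luhn-valid candidates found anywhere in the raw image bytes."""
    found = set()
    for m in _CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return sorted(found)


def sanitize(image: bytes) -> bytes:
    """Simulate one zero-fill pass; a real wipe must cover the whole physical device."""
    return bytes(len(image))


# Constructed sample: slack from an ATM-style transaction log plus numeric noise.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"TXN 2002-11-03 ACCT 4111 1111 1111 1111 AMT 20.00\n"   # public Luhn-valid test number
    + b"TXN 2002-11-03 ACCT 4111111111111112 AMT 40.00\n"      # fails the Luhn check
    + b"SERIAL 5500 0000 0000 0004 BUILD 1234567890123\n"      # test number; 13-digit noise
    + b"\xff" * 32
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_IMAGE))             # two hits before the wipe
    print(find_card_numbers(sanitize(SAMPLE_IMAGE)))   # [] after the wipe
```

Run it against a real image (for example one taken with dd) by reading the file in chunks with overlap, since a card number may straddle a chunk boundary.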