Bye-bye, data

Today's focus: Bye-bye, data

By M.E. Kabay 

It is best to obliterate sensitive hard disk data at the time 
you discard the files. File shredder programs (use any search 
engine with keywords "file shredder program review" for plenty 
of suggestions) can substitute for the normal delete function 
or wastebasket.

These tools overwrite the contents of a file to be discarded 
before deleting it with the operating system. However, a 
single-pass shredder may allow data to be recovered using 
special equipment; to make data recovery impossible, use 
military-grade obliteration that uses seven passes of random 
data.

Unfortunately, even shredder programs may not solve the problem 
for ultrahighly sensitive data. Because file systems generally 
allocate space in whole number of clusters, an end-of-file that 
falls anywhere short of the end of a cluster leaves "slack 
space" between the EOF and the end of the cluster. The file 
system does not normally overwrite slack space, so it is 
extremely difficult to get rid of these fragments unless you 
use shredder programs that specifically take this problem into 
account.

One tool that is used by the U.S. Department of Defense for 
wiping disks is CleanDrive:

http://www.whitecanyon.com/cleandrive_main_fdisk.htm

The documentation specifies that the product genuinely wipes 
all data from a hard drive, regardless of operating system and 
format. The tool can even be run from a boot disk. It is 
licensed to individual technicians rather than to specific PCs, 
thus making it ideal for corporate use.  (I have no involvement 
with CleanDrive or its makers, and this reference does not 
constitute an endorsement.)

File shredder programs are a double-edged sword. They allow 
honest employees to obliterate company-confidential data from 
disks, but they also allow dishonest employees to obliterate 
incriminating information from disks. One program review 
includes the words, "The program's even got a trial copy you 
can download for free. So try it out and get those... ummm... 
errr... personal files off your work PC before the boss sends 
his computer gurus out to check your machine." This advice is 
clearly not directed at system administrators or to honest 
employees.

Telling the difference between the good guys and the bad guys 
is a management issue and has been discussed in previous 
articles published in this newsletter. However, as a 
precaution, I recommend that corporate policies specifically 
forbid the installation of file-shredder programs on corporate 
systems without authorization.

One quick note about magnetic tapes: Beware the scratch tape. 
In older environments where batch processing still uses tapes 
as intermediate storage space during jobs, it is customary to 
have a rack of "scratch" tapes that can be used on demand by 
any application or job. There have been documented cases in 
which data thieves regularly read scratch tapes to scavenge 
leftover data from competitors or for industrial espionage.  
Scratch tapes should be erased before being re-used.

As for broken or obsolete magnetic media, such as worn-out 
diskettes, used-up magnetic tapes and dead disk drives, the 
worst thing to do is just to throw this stuff into the regular 
garbage.

Security experts recommend physical destruction of such media 
using band saws, industrial incineration services capable of 
handling potentially toxic emissions, and even sledgehammers.

In conclusion, all of us need to think about the data residues 
that are exposed to scavengers. Whether you work in a mainframe 
shop or a PC environment, whether your organization is a 
university or a vulture capitalist firm, it's hard to carrion 
when data scavengers steal our secrets.

______________________________________________________________
To contact M. E. Kabay: 

M. E. Kabay, PhD, CISSP is Associate Professor in the 
Department of Computer Information Systems at Norwich 
University in Northfield, Vt. Mich can be reached by e-mail at 
mailto:mkabay@compuserve.com  He invites inquiries about his 
information security and operations management courses and 
consulting services. For papers and course materials on 
information technology, security and management, visit his Web 
site at http://www2.norwich.edu/mkabay/index.htm