Ensuring Data Security During Hardware Disposal


After our recent story about the trading of BlackBerries for data theft the issue has emerged again this time more towards the secure disposal of data stored on PC hard disks.

If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

Posted in: Cryptography, Hardware Hacking, Privacy

, , , ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


One Response to Ensuring Data Security During Hardware Disposal

  1. cbrp1r8 May 12, 2009 at 2:11 pm #

    “how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

    Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?”

    Well in the 1st place, I used to work directly with a similar project. The entity isn’t government at all and the only oversight is 1 to a few Military (i.e. air force) officers who generally don’t have anymore knowledge of security then the average ground slug. Their primary mission is SAC and are thrown into other “related” programs based on their job/skill. These jobs, in this case related missile test technology really isn’t their forte’ so there isn’t a miiltary oversight.

    This being the case, this incident actually happened with Lockheed Martin…a “PRIMARY” missile defense contractor..but it could have just as easily been any other contract company since they’re all about the same (Raytheon, Boeing, CACI you name it). They have a few guys (in their mis-management structure) that are overseeing several million to multi-billion dollar projects and have teams that work in the field, on the actual mission/facility or location where this work is conducted, this could be 100s to 1000’s of miles of way from any kind of oversight from management or any other corporate staff. In this case, Kwajelein is 1000’s of miles away from the mainland U.S. where everyone knows now they tested THAAD.

    They might be, in this case, This group tasked with doing the removal of equipment and disposing of it, MOST lack the proper equipment and procedures (nearly non-existant) to conduct it properly.