Ensuring Data Security During Hardware Disposal


After our recent story about the trading of BlackBerries for data theft the issue has emerged again this time more towards the secure disposal of data stored on PC hard disks.

If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

Posted in: Cryptography, Hardware Hacking, Privacy

, , , ,


Latest Posts:


ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.
RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.


One Response to Ensuring Data Security During Hardware Disposal

  1. cbrp1r8 May 12, 2009 at 2:11 pm #

    “how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

    Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?”

    Well in the 1st place, I used to work directly with a similar project. The entity isn’t government at all and the only oversight is 1 to a few Military (i.e. air force) officers who generally don’t have anymore knowledge of security then the average ground slug. Their primary mission is SAC and are thrown into other “related” programs based on their job/skill. These jobs, in this case related missile test technology really isn’t their forte’ so there isn’t a miiltary oversight.

    This being the case, this incident actually happened with Lockheed Martin…a “PRIMARY” missile defense contractor..but it could have just as easily been any other contract company since they’re all about the same (Raytheon, Boeing, CACI you name it). They have a few guys (in their mis-management structure) that are overseeing several million to multi-billion dollar projects and have teams that work in the field, on the actual mission/facility or location where this work is conducted, this could be 100s to 1000’s of miles of way from any kind of oversight from management or any other corporate staff. In this case, Kwajelein is 1000’s of miles away from the mainland U.S. where everyone knows now they tested THAAD.

    They might be, in this case, This group tasked with doing the removal of equipment and disposing of it, MOST lack the proper equipment and procedures (nearly non-existant) to conduct it properly.