« But it looks so shiny! | Main | Paging Mr. Shaw »

Don't offer up your identity

posted by Zed on April 14 2005 09:09

The Federal Trade Commission sez:

How can I prevent identity theft from happening to me?

[…] Before you dispose of a computer, delete all the personal information it stored. Deleting files using the keyboard or mouse commands or reformatting your hard drive may not be enough because the files may stay on the computer’s hard drive, where they may be retrieved easily. Use a “wipe” utility program to overwrite the entire hard drive.

A couple of years ago, Simson Garfinkel and Abhi Shelat bought up a bunch of used hard drives to see what they could see. What they could see were a lot of things the previous owners wouldn’t have wanted seen. Here’s Garfinkel’s PowerPoint presentation giving an overview of the issues and the data, including this disturbing example:

Disk #134
  • Chicago bank
  • Drive removed from an ATM machine.
  • One year’s worth of transactions; 3000+ card numbers
  • Bank had hired contractor to upgrade machines; contractor had hired a sub-contractor.
  • Bank and contractor assumed disks would be properly sanitized, but procedures were not specified in the contract.

I don’t know of any cases of identity theft due to data from used hard drives, but if it hasn’t happened yet, it’s only a matter of time. If you get rid of a hard drive, wipe the whole disk. Just deleting files, reformatting the drive, or re-installing the OS (or installing a new one) are all ineffective against a more than casual search. An excellent free program is Darik’s Boot and Nuke, included in the free package Eraser. There’s also a raftload of commercial software for it, but I have absolutely no reason to think any of them would do any better.

Secure Deletion of Data from Magnetic and Solid-State Memory offers a lot of detail on why erasing data is a hard problem. It’s generally accepted that the only way to be really sure your data is irrecoverable is to thoroughly physically destroy the data medium. But unless you think the NSA has a keen interest in your data, drive-wiping with software is good enough.

Of course, all of this is for hard drives you’re parting with on purpose. It’s no use if your computer is stolen. But that scenario needn’t be a crisis if everything significant was encrypted. I’ll write more about that later.

|

Comments

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)