[nflug] Wiping hard drive sensitive personal data
Cyber Source
peter at thecybersource.com
Thu Jul 20 11:54:04 EDT 2006
anthonyriga wrote:
> This company I am doing work for uses pgp Safeguard
> Lancrypt encryption for eveything including emails.
> They need to meet all these compliances in order to
> continue to do work for the banks and credit card
> companys they service. Encryption security is a good
> thing. I know too there is gpg for Linux too. I still
> think a *nix box is more secure then an windows xp
> box. I have heard of some security flaws in Windows XP
> that render it from being HIPPA compliant. Whos really
> checks for these compliances? It can get costly too.
>
> --- Brad Bartram <brad.bartram at gmail.com> wrote:
>
>
>> For the most part, the core ideas remain the same.
>> It's really about common
>> sense if you want to protect data...just like it was
>> in the olden days. ;-)
>>
>> In the days of floppies and tape, which I
>> grundgingly admit that I do have
>> more than a passing memory of, it was easy enough to
>> destroy the media.
>> Magnets and fire were good, and did the job pretty
>> good as long as you were
>> thorough. Of course a big magnet was usually pretty
>> good for a casual
>> cleaning.
>>
>> Now, with the abundance of much more resilient
>> media, data destruction
>> becomes more tedious and difficult. I do tend to
>> find this highly ironic,
>> especially when considering how if you don't have it
>> backed up, it's gone by
>> sneezing too close; but if you want to get rid of
>> it, you almost need
>> nuclear weapons to do it.
>>
>> I've seen demonstrations, read the works of, and
>> talked to researchers
>> involved in recoving all sorts of fun data at levels
>> that really makes a
>> person paranoid. Especially in the arena of law
>> enforcement and
>> counter-terrorism.
>>
>> As I kind of said in my first post however, it comes
>> down to risk
>> assessment. You have to use a method that lines up
>> with the level of risk
>> you face. If you skimp on prevention, you run the
>> risk of exposing
>> confidential data, which could result in privacy
>> lawsuits, loss of contracts
>> for business partners, embarassment for the
>> organization, or loss of
>> intellectual property protections. If you go over
>> board, you are expending
>> more resources than the data is worth and therefore
>> operating at a
>> functional loss, which of course is bad for
>> business. In the real world,
>> something is better than nothing - just look at all
>> the various stories that
>> come out each year about companies and government
>> agencies doing stupid
>> things with confidential files and computers that
>> allow people to see the
>> "protected" data. The recent hulla-balloo about
>> improperly redacted pdfs
>> come to mind.
>>
>> brad
>>
>> On 7/20/06, Mark Robson <markrobson at yahoo.com>
>> wrote:
>>
>>> I admire your focus on the physics, Brad. I have
>>>
>> no experience in current
>>
>>> hardware, but back in the days of magnetic tape,
>>>
>> it was useful to have some
>>
>>> very large magnets. Probably couldn't re-use the
>>>
>> drive, though.
>>
>>>
>>> *Brad Bartram <brad.bartram at gmail.com>* wrote:
>>>
>>> As with everything, it comes down to a cost /
>>>
>> benefit analysis. What is
>>
>>> the maximum amount that data is worth in
>>>
>> comparison to the price it would
>>
>>> cost to recover? Is it worth enough to have a
>>>
>> specific data recovery
>>
>>> company, or well equipped independent take a
>>>
>> serious interest in it? Is it
>>
>>> somthing that the government would be interested
>>>
>> in tracking down as part of
>>
>>> an anti-terrorism investigation where the budget
>>>
>> goes beyond what we have as
>>
>>> mere mortals?
>>>
>>> The ultimate question comes down to the
>>>
>> disposition of the drive once
>>
>>> you're done. If you are trying to reuse the drive
>>>
>> after securely removing
>>
>>> the data, then appropriate measures of data
>>>
>> destruction should be taken.
>>
>>> Example, if the systems will be redeployed
>>>
>> internally within the same
>>
>>> organization and at the same level of
>>>
>> confidentiality, then use whatever
>>
>>> methods you are most comfortable. If the systems
>>>
>> are to be wiped and
>>
>>> redeployed to a level of lesser trust, then use a
>>>
>> stronger wipe. If the
>>
>>> system is going to be taken completely out of
>>>
>> service, then depending on the
>>
>>> data whether it be customer information or trade
>>>
>> secrets or whatever, you
>>
>>> have to decide whether to wipe the drive and hope
>>>
>> for the best or destroy
>>
>>> the drive safely.
>>>
>>> The only way to be certain that the data on a hard
>>>
>> drive is truly wiped is
>>
>>> to disassemble the drive, chisel the coating from
>>>
>> the platters, remove the
>>
>>> controller from the drive, and burn the case,
>>>
>> platters, platter dust, and
>>
>>> controllers in seperate incinerators. But then
>>>
>> that just gets a little
>>
>>> paranoid. Then again, never underestimate the
>>>
>> abilities of well funded
>>
>>> organizations to recover data, even when you think
>>>
>> it's destroyed.
>>
>>> brad
>>>
>>> On 7/20/06, Darin Perusich
>>>
>> <Darin.Perusich at cognigencorp.com> wrote:
>>
>>>> i believe it depends on the type of wiping
>>>>
>> method you use. if you use
>>
>>>> the Canadian RCPM and American DoD standard
>>>>
>> methods the data is pertty
>>
>>>> much irrecoverable.
>>>>
>>>> eric wrote:
>>>>
>>>>> Can Sleuth Kit recover data after using one or
>>>>>
>> many of the methods
>>
>>>> DBAN
>>>>
>>>>> has to offer?
>>>>>
>>>>>
>>>> --
>>>> Darin Perusich
>>>> Unix Systems Administrator
>>>> Cognigen Corporation
>>>> 395 Youngs Rd.
>>>> Williamsville, NY 14221
>>>> darinper at cognigencorp.com
>>>> _______________________________________________
>>>> nflug mailing list
>>>> nflug at nflug.org
>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>
>>>>
>>> _______________________________________________
>>> nflug mailing list
>>> nflug at nflug.org
>>> http://www.nflug.org/mailman/listinfo/nflug
>>>
>>>
>>>
>>>
>>> Mark Robson
>>>
>>> ------------------------------
>>> Do you Yahoo!?
>>> Everyone is raving about the all-new Yahoo! Mail
>>>
> Beta.<http://us.rd.yahoo.com/evt=42297/*http://advision.webevents.yahoo.com/handraisers>
>
>>> _______________________________________________
>>> nflug mailing list
>>> nflug at nflug.org
>>> http://www.nflug.org/mailman/listinfo/nflug
>>>
>>>
>>>
>>> _______________________________________________
>>>
>> nflug mailing list
>> nflug at nflug.org
>> http://www.nflug.org/mailman/listinfo/nflug
>>
>>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
>
>
As far as HIPPA compliance on ANY windows box, I don't see how this is
possible! One quick read of the EULA for windows should show glaring
problems like.....
* Consent to Use of Data.? You agree that Microsoft and its
????? affiliates may collect and use technical information
????? gathered in any manner as part of the product support
????? services provided to you, if any, related to the Product.
????? Microsoft may use this information solely to improve
????? our products or to provide customized services or
????? technologies to you.? Microsoft may disclose this
????? information to others, but not in a form that personally
????? identifies you.??
I would think that technically the HIPPA rules would have a problem with
this but they look the other way of course for windows.
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
More information about the nflug
mailing list