Hard drive loot

By Jacqueline Maley

A project by two university students in the United States has highlighted how insecure personal information left on second-hand hard drives is.

Simson Garfinkel and Abbi Shelat, of the Massachusetts Institute of Technology (MIT), bought 158 disk drives over the Web for less than US$1000. When they searched through the drives they found over 5,000 credit card numbers, medical reports, detailed personal and corporate financial information, and several gigabytes' worth of personal email and pornography.

The students' alarming research will be published in the January/February 2003 issue of IEEE Security & Privacy, a magazine published by the US-based IEEE Computer Society.

The data uncovered shows how insecure personal information becomes once a computer leaves its owner's hands. According to the students, many files that had been "deleted" could be recovered with an ordinary "undelete" utility: deleting a file removes only its directory entry, and the data blocks stay on the platter until something else overwrites them. Only 12 of the 158 drives they bought had been properly sanitised.

The confidential details found by the students could easily be used to assume someone's identity, as well as for a multitude of other fraudulent activities. Said Garfinkel, "the industry has known this is a problem, but our contribution is to show the pervasiveness of the problem."

Peter Sandilands, Director of Australian consulting company Better Development Skills, believes the story reveals a global problem, "Because it's a typical example of people not treating data as an asset." Sandilands says apathy on the part of companies poses a big security risk when it comes to information stored on hard drives.

"People need a clearer idea of information as an asset... magnetic information [on hard drives] remains buried underneath other information... if a disk drive leaves the building, it should be fully re-formatted or have drive diagnostics run over it." Sandilands likens the situation of companies selling off or dumping old hard drives full of information to mailing out items packed in confidential personnel files.

He recommends the example of the Australian Department of Defence, which destroys all its old or broken hard drives, thereby leaving nothing to chance. Although Sandilands says there is no foolproof way to delete information on a hard drive, "in general, companies should re-format all disks before they leave the building. Preferably they should use one of the facilities available that attempt to obscure the data on the disk."

"I don't think that many companies think about it, it's not something they consider", he says.

MIT student Garfinkel expressed a similar sentiment. "Right now there is no way to erase the information on the drive without plugging it in and spending dozens and dozens of minutes erasing it - and that is an expensive process", he said. "In many cases it is going to cost more to (cleanse) the drive than the drive is even worth."
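What recovering data from a discarded drive looks like in practice, as an added example that is not part of the original article and not the MIT study's own tooling: a constructed in-memory disk image with a toy one-sector directory, two publicly known card test numbers that pass the Luhn check (not real accounts), and three clean-up strategies applied in turn. Carving the raw image, as an undelete tool does, ignores the directory, so the numbers survive both a file deletion and a quick reformat; only an overwrite of every sector, verified by reading the image back, leaves nothing. The class and function names, the directory layout and the sample file contents are all assumptions made for this example.

```python
"""Data remanence on a constructed disk image (added example, not from the article)."""
from __future__ import annotations

import os
import re

SECTOR = 512
DISK_SECTORS = 64


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the usual first filter separating card-like runs from noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")


def carve_card_numbers(image: bytes) -> list[str]:
    """Scan the raw image byte by byte, ignoring the directory, like an undelete tool."""
    found: list[str] = []
    for m in CARD_RE.finditer(image):
        s = m.group(1).decode()
        if luhn_ok(s) and s not in found:
            found.append(s)
    return found


class ToyDisk:
    """Raw image whose sector 0 holds a directory of name:start_sector:length entries."""

    def __init__(self) -> None:
        self.image = bytearray(SECTOR * DISK_SECTORS)
        self.directory: dict[str, tuple[int, int]] = {}
        self.next_free = 1

    def _flush_directory(self) -> None:
        entries = ";".join(f"{n}:{s}:{l}" for n, (s, l) in self.directory.items())
        self.image[0:SECTOR] = entries.encode().ljust(SECTOR, b"\0")

    def write_file(self, name: str, data: bytes) -> None:
        start = self.next_free
        nsect = -(-len(data) // SECTOR)      # ceiling division
        if start + nsect > DISK_SECTORS:
            raise OSError("disk full")
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += nsect
        self._flush_directory()

    def read_file(self, name: str) -> bytes:
        start, length = self.directory[name]   # KeyError once the file is deleted
        return bytes(self.image[start * SECTOR:start * SECTOR + length])

    def delete_file(self, name: str) -> None:
        """Unlink: drop the directory entry only; the data sectors are untouched."""
        del self.directory[name]
        self._flush_directory()

    def quick_format(self) -> None:
        """Quick reformat: rewrite the directory sector, leave every data sector alone."""
        self.directory = {}
        self.next_free = 1
        self.image[0:SECTOR] = b"\0" * SECTOR

    def overwrite_all(self) -> bool:
        """Sanitise: random pass, then zero pass, over every sector; verify by reading back."""
        self.image[:] = os.urandom(len(self.image))
        self.image[:] = b"\0" * len(self.image)
        self.directory = {}
        self.next_free = 1
        return not any(self.image)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: what carving finds after each clean-up strategy."""
    disk = ToyDisk()
    # Constructed content. 4111... and 4242... are published test numbers that
    # pass Luhn; 1234567890123456 is a decoy that fails it and must not be reported.
    disk.write_file("orders.txt",
                    b"card=4111111111111111 exp=01/05\n"
                    b"card=4242424242424242 exp=11/04\n"
                    b"ref=1234567890123456\n")
    disk.write_file("note.txt", b"patient follow-up scheduled, see chart\n")
    results: dict[str, list[str]] = {}
    disk.delete_file("orders.txt")           # owner "deleted" the file
    results["after_delete"] = carve_card_numbers(bytes(disk.image))
    disk.quick_format()                      # then "reformatted" the drive
    results["after_quick_format"] = carve_card_numbers(bytes(disk.image))
    if not disk.overwrite_all():             # overwrite and verify before disposal
        raise RuntimeError("overwrite verification failed")
    results["after_overwrite"] = carve_card_numbers(bytes(disk.image))
    return results


if __name__ == "__main__":
    for stage, numbers in demo().items():
        print(f"{stage}: {numbers}")
```

The carving step never consults the directory, which is exactly why unlinking and quick reformatting change nothing from the recoverer's point of view; the verification read-back in `overwrite_all` is what turns an overwrite into a sanitisation you can actually vouch for before the drive leaves the building.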
