ensure proper data management with discarded it assetswuf/drives-retail.pdf · ensure proper data...
TRANSCRIPT
![Page 1: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/1.jpg)
Ensure Proper Data Management with Discarded IT Assets
Simson L. GarfinkelCenter for Research on Computation and SocietyHarvard UniversityThursday, November 3, 9:45am
1
![Page 2: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/2.jpg)
Ten used computers were purchased in August 1998.
This is computer #1.
2
![Page 3: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/3.jpg)
Computer #1 was a file server for a 15-attorney law firm.
Contents:
• client documents
• billing records
• correspondence
Computers #2 through #10 had:
• Mental health records
• Home finances
• Draft of a novel
Was this a chance accident or common occurrence?
3
![Page 4: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/4.jpg)
This talk explores the problem of data on discardedcomputers and presents real, practical solutions.
• Scale of the problem 0
500
1, 000
1, 500
2, 000
2, 500
Meg
abyte
s
Data in the file system (level 0)
Data not in the file system (level 2 and 3)
No Data (blocks cleared)
• The Traceback Study
• Applicable Legislation
• Answers and Technology Choices
4
![Page 5: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/5.jpg)
Data confidentiality is an important business goal.
Data can be:
• In flight
• Stored
Data spends most of its life in storage.Therefore, stored data must be protected.
5
![Page 6: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/6.jpg)
There are three techniques for assuring data confidentiality.
1. Physical security.
2. Logical access controls. (operating system)
3. Cryptography (disk & link)
6
![Page 7: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/7.jpg)
When a disk is retired, techniques #1 and #2 don’t work.
1. ///////////////////////////////////////////////Physical///////////////////////////////////////////////////security.
2. /////////////////////////////////////////Logical///////////////////////////////////////////access////////////////////////////////////////////////////controls.//////////////////////////////////////////////////////////////(operating////////////////////////////////////////////////system)
3. Cryptography (disk & link)
Most organizations don’t encrypt their stored data.
7
![Page 8: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/8.jpg)
Hard drives pose special problem for computer security.
Do not forget data when power is removed.
Contain data that is not immediately visible.
Today’s computers can read hard drives thatare 15 years old!
• Electrically compatible (IDE/ATA)• Logically compatible
(FAT16/32 file systems)• Very different from tape systems
8
![Page 9: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/9.jpg)
The problem: 210 million drives will be retired this year.
50M
100M
150M
200M
250M
300M
350M
400M
1996 1998 2000 2002 2004 2006
Drives Shipped
Drives Retired
This is a staggering amount of data!
9
![Page 10: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/10.jpg)
“Retire?”
Deckard (Harrison Ford) retiring a replicant.“Blade Runner” (1982)
10
![Page 11: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/11.jpg)
Many “retired” hard drives are actually resold orrepurposed.
Retired drives are:
• Re-used withinorganizations
• Given to charities
• Sold at auction
About 1000 used drives/day sold on eBay.
11
![Page 12: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/12.jpg)
Bad news:FORMAT C: doesn’t erase the hard drive.
FORMAT just writes a new root directory.
12
![Page 13: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/13.jpg)
More bad news:DEL doesn’t delete files.
DEL simply removes the file’s name from the directory.
13
![Page 14: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/14.jpg)
Between January 1999 and April 2002,I acquired 236 hard drives on the secondary market.
14
![Page 15: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/15.jpg)
Drives arrived by UPS
15
![Page 16: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/16.jpg)
Data on drives “imaged” using FreeBSD
dd if=/dev/ad0 of=file.img bs=65536 conv=noerror,sync16
![Page 17: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/17.jpg)
Images stored on a RAID
17
![Page 18: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/18.jpg)
Example: Disk #70: IBM-DALA-3540/81B70E32
Purchased for $5 from a Mass retail store on eBay
Copied the data off: 541MB
Initial analysis:
Total disk sectors: 1,057,392Sectors with data: 989,514Sectors all zero: 67,878Total files: 3
The files:
drwxrwxrwx 0 root 0 Dec 31 1979 ./-r-xr-xr-x 0 root 222390 May 11 1998 IO.SYS-r-xr-xr-x 0 root 9 May 11 1998 MSDOS.SYS-rwxrwxrwx 0 root 93880 May 11 1998 COMMAND.COM
18
![Page 19: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/19.jpg)
Clearly, this disk had been FORMATed...
Windows FORMAT doesn’t erase the disk...FORMAT just writes a new root directory.
19
![Page 20: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/20.jpg)
UNIX “strings” reveals the disk’s previous contents...
Insert diskette for driveand press any key when ready
Your program caused a divide overflow error.If the problem persists, contact your program vendor.Windows has disabled direct disk access to protect your long filenames.To override this protection, see the LOCK /? command for more information.The system has been halted. Press Ctrl+Alt+Del to restart your computer.You started your computer with a version of MS-DOS incompatible with thisversion of Windows. Insert a Startup diskette matching this version of
OEMString = "NCR 14 inch Analog Color Display Enchanced SVGA, NCR Corporation"Graphics Mode: 640 x 480 at 72Hz vertical refresh.XResolution = 640YResolution = 480VerticalRefresh = 72
20
![Page 21: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/21.jpg)
70.img con’t...
ling the Trial Edition----------------------------IBM AntiVirus Trial Edition is a full-function but time-limitedevaluation version of the IBM AntiVirus Desktop Edition product. Youmay have received the Trial Edition on a promotional CD-ROM or as asingle-file installation program over a network. The Trial Editionis available in seven national languages, and each language isprovided on a separate CC-ROM or as a separaEAS.STCmEET.STCELR.STCqELS.STC
21
![Page 22: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/22.jpg)
70.img con’t...
MAB-DEDUCTIBLEMAB-MOOPMAB-MOOP-DEDMETHIMAZOLEINSULIN (HUMAN)COUMARIN ANTICOAGULANTSCARBAMATE DERIVATIVESAMANTADINEMANNITOLMAPROTILINECARBAMAZEPINECHLORPHENESIN CARBAMATEETHINAMATEFORMALDEHYDEMAFENIDE ACETATE
22
![Page 23: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/23.jpg)
[Garfinkel & Shelat 03] established the scale of the problem.
We found:
• Thousands of credit cardnumbers (many disks)
• Financial records
• Medical information
• Trade secrets
• Highly personalinformation
We did not determine why the data had been left behind.
23
![Page 24: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/24.jpg)
There are roughly a dozen documented cases of peoplepurchasing old PCs and finding sensitive data.
• A woman in Pahrump, NV bought aused PC with pharmacy records[Markoff 97]
• Pennsylvania sold PCs with“thousands of files” on stateemployees [Villano 02]
• Paul McCartney’s bank records soldby his bank [Leyden 04]
• O&O Software GmbH – 200drives.[O&O 05]
24
![Page 25: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/25.jpg)
Information is even left behind on USB drives...
A “new” drive contained images from a previous owner.25
![Page 26: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/26.jpg)
Why don’t we hear more stories?
Hypothesis #1: Disclosure of “data passed” is exceedinglyrare because most systems are properlycleared.
Hypothesis #2: Disclosures are so common that they are notnewsworthy.
Hypothesis #3: Systems aren’t properly cleared, but fewpeople notice the data.
26
![Page 27: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/27.jpg)
How could people not notice the data?
DEL removes the file’s name; doesn’t delete the data.
27
![Page 28: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/28.jpg)
Weird Stuff, Sunnyvale California,January 1999
10GB drive: $19 “tested”
500 MB drive: $3 “as is”
Q: “How do you sanitize them?”
A: “We FDISK them!”
28
![Page 29: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/29.jpg)
FDISK does not sanitize disks
10 GB drive: 20,044,160 sectors
SectorsCommand Written %FORMAT 21,541 0.11%FDISK 2,563 0.01%
FORMAT erases the FAT,complicating the recovery of fragmented files.
29
![Page 30: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/30.jpg)
Data on a hard drive is arranged in sectors.
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
The white sectors indicate directories and files that arevisible to the user. 30
![Page 31: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/31.jpg)
Data on a hard drive is arranged in sectors.
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
x5 x4
x3 x2
x1
x6
x7
x8
The brown sectors indicate files that were deleted.31
![Page 32: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/32.jpg)
Data on a hard drive is arranged in sectors.
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
x5 x4
x3 x2
x1
x6
x7
x8
The green sectors indicate sectors that were never used (orthat were wiped clean).
32
![Page 33: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/33.jpg)
Stack the disk sectors:
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
x5 x4
x3 x2
x1
x6
x7
x8
.
.
Files
Deleted Files
Zero Blocks
33
![Page 34: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/34.jpg)
NO DATA: The disk is factory fresh.
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
34
![Page 35: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/35.jpg)
FORMATTED: The disk has an empty file system
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
BlankBlocks
File System Structures
35
![Page 36: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/36.jpg)
AFTER OS INSTALL: Temp. files have been deleted
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
BlankBlocks
File System Structures
Free Blocks
OS and Applications
Deleted temporary files
36
![Page 37: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/37.jpg)
AFTER A YEAR OF SERVICE
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
BlankBlocks
File System Structures
Free Blocks
OS and Applications
Deleted temporary files
... 1 year ...
OS, Applications,and user files
Deleted files
Blocks never written
37
![Page 38: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/38.jpg)
DISK NEARLY FULL!
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
BlankBlocks
File System Structures
Free Blocks
OS and Applications
Deleted temporary files
... 1 year ...
OS, Applications,and user files
Deleted files
Blocks never written
OS, Apps,user files,and lots of
MP3s!
38
![Page 39: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/39.jpg)
FORMAT C:\ (to sell the computer.)
.
.
Files
Deleted Files
Zero Blocks
time
All Blocks are Zero
BlankBlocks
File System Structures
Free Blocks
OS and Applications
Deleted temporary files
... 1 year ...
OS, Applications,and user files
Deleted files
Blocks never written
OS, Apps,user files,and lots of
MP3s!Recoverable
Data
39
![Page 40: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/40.jpg)
We can use forensics to reconstruct motivations:
.
. time
OS, Apps,user files,and lots of
MP3s!Recoverable
Data
Training failure
Usability failure
40
![Page 41: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/41.jpg)
The drives are dominated by failed sanitization attempts...
0
500
1, 000
1, 500
2, 000
2, 500
Meg
abyte
s
Data in the file system (level 0)
Data not in the file system (level 2 and 3)
No Data (blocks cleared)
..but training failures are also important.
41
![Page 42: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/42.jpg)
Overall numbers
Drives Acquired: 236Drives DOA: 60Drives Images: 176Drives Zeroed: 11Drives “Clean Formatted:” 22
Total files: 168,459Total data: 125G
42
![Page 43: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/43.jpg)
Only 33 out of 176 working drives were properly cleared!
• 1 from Driveguys — but 2 others had lots of data.
• 18 from pcjunkyard — but 7 others had data.
• 1 from a VA reseller — 1 DOA; 3 dirty formats.
• 1 from an unknown source — 1 DOA, 1 dirty format.
• 1 from Mr. M. who sold his 2GB drive on eBay.
43
![Page 44: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/44.jpg)
But what really happened?
?I needed to contact the original drive owners.
44
![Page 45: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/45.jpg)
The Remembrance of Data Passed Traceback Study.[Garfinkel 05]
1. Find data on hard drive
2. Determine the owner
3. Get contact informationfor organization
4. Find the right personinside the organization
5. Set up interviews
6. Follow guidelines forhuman subjects work
06/19/1999 /:dir216/Four H Resume.doc03/31/1999 /:dir216/U.M. Markets & Society.doc08/27/1999 /:dir270/Resume-Deb.doc03/31/1999 /:dir270/Deb-Marymount Letter.doc03/31/1999 /:dir270/Links App. Ltr..doc08/27/1999 /:dir270/Resume=Marymount U..doc03/31/1999 /:dir270/NCR App. Ltr..doc03/31/1999 /:dir270/Admissions counselor, NCR.doc08/27/1999 /:dir270/Resume, Deb.doc03/31/1999 /:dir270/UMUC App. Ltr..doc03/31/1999 /:dir270/Ed. Coordinator Ltr..doc03/31/1999 /:dir270/American College ...doc04/01/1999 /:dir270/Am. U. Admin. Dir..doc04/05/1999 /:dir270/IR Unknown Lab.doc04/06/1999 /:dir270/Admit Slip for Modernism.doc04/07/1999 /:dir270/Your Honor.doc
This was a lot harder than I thought it would be.
45
![Page 46: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/46.jpg)
Ultimately, I contacted 20 organizations between April 2003and April 2005.
46
![Page 47: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/47.jpg)
The leading cause: betrayed trust.
Trust Failure: 5 cases
4 Home computer; woman’s son took to “PC Recycle”4 Community college; no procedures in place4 Church in South Dakota; administrator “kind of crazy”4 Auto dealership; consultant sold drives he “upgraded”4 Home computer, financial records; same consultant
This specific failure wasn’t considered in [GS 03];it was the most common failure.
47
![Page 48: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/48.jpg)
Second leading cause: Poor training and supervision
Trust Failure: 5 cases
Lack of Training: 3 cases
4 California electronic manufacturer4 Supermarket credit-card processing terminal4 ATM machine from a Chicago bank
Alignment between the interface and the underlyingrepresentation would overcome this problem.
48
![Page 49: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/49.jpg)
Sometimes the data custodians just don’t care.
Trust Failure: 5 casesLack of Training: 3 cases
Lack of Concern: 2 cases
4 Bankrupt Internet software developer4 Layoffs at a computer magazine
Regulation on resellers might have prevented these cases.
49
![Page 50: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/50.jpg)
In seven cases, no cause could be determined.
Trust Failure: 5 casesLack of Training: 3 casesLack of Concern: 2 cases
Unknown Reason: 7 cases
8 Bankrupt biotech startup8 Another major electronics manufacturer8 Primary school principal’s office8 Mail order pharmacy8 Major telecommunications provider8 Minnesota food company8 State Corporation Commission
Regulation might have helped here, too.
50
![Page 51: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/51.jpg)
Legislative reactions to this research:“Fair and Accurate Credit Transactions Act of 2003” (US)
• Introduced in July 2003. Signed December2003.
• Regulations adopted in 2004, effectiveJune 2005.
• Amends the FCRA to standardizeconsumer reports.
• Requires destruction of paper or electronic“consumer records.”
The adopted rules specifically exempt resellers.
51
![Page 52: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/52.jpg)
There are three options for solving this problem.
1. Encrypt stored data.
2. Clear drives before discarding them.
3. Physically destroy drives when discarding.
Of these options, encryption is the best alternative.
52
![Page 53: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/53.jpg)
Encryption protects protects data against anyone whodoesn’t have the key
Options:
• Record-level encryption
• Database encryption
• Encrypted file systems
Apple’s File Vault is aneasy-to-use encrypted filesystem.
53
![Page 54: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/54.jpg)
Drives can be individually “cleared” before they arerepurposed or retired.
Commercial Software
• Wipe Drive, White Canyon Software.http://www.whitecanyon.com/
• Blancco Data Cleanerhttp://www.blancco.com/
Free Software:
• DBANhttp://www.dban.sourceforget.net
DBAN
Wiping an entire drive is easy.Selectively wiping is hard.
54
![Page 55: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/55.jpg)
Features to look for in a wiping program:
• Cost: Free? Per copy? Per use?
• Bootable disk?
• Wipe whole drive?
• Wipe slack space?
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
x5 x4
x3 x2
x1
x6
x7
x8
usr bin
ls cp mv
tmp
slg
/
ba
mail junkbeth
Program that wipe slack space can be installed on everydesktop.
55
![Page 56: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/56.jpg)
Physical destruction offers the most security.
Destruction is the only technique approved for use withclassified information. 56
![Page 57: Ensure Proper Data Management with Discarded IT Assetswuf/drives-retail.pdf · Ensure Proper Data Management with Discarded IT Assets Simson L. Garfinkel Center for Research on Computation](https://reader034.vdocuments.net/reader034/viewer/2022042808/5f839c6ce05f2d3094596c8c/html5/thumbnails/57.jpg)
Summary
Information left on hard drives:
• is a serious problem.
• is invisible
• violates Federal law
• is easily address
This is largely the fault of Microsoft, Apple, and Linux.
Destroying this information is your organization’s legal and moralobligation.
Questions?57