Home > IT Blogs > Security Corner > Paranoid About Hard Drive Security? Try This
>>VIEW ALL POSTS  

Security Corner

« Turn Off Message Preview in Your Email Client
Encrypt, You Must, But Do It Right! »
Mar 20 2008   1:23AM GMT

Paranoid About Hard Drive Security? Try This



Posted by: Ken Harthun
Security, Data destruction, Encryption

My company serves as the IT department for several medical, legal, social service, and banking organizations in our area. I don’t have to tell you that every one of these organizations deals with information that falls under various government data security and privacy acts. Every one of these organizations depends on and expects us to put in place measures to protect their data. In other words, if they suffer a breach, they’re going to assign responsibility to us on some level. So, when I decommission a server or PC, I take steps to make sure that no one is going to be able to read anything off the hard drives. Call me paranoid, but consider this: seven in 10 secondhand hard drives still have data. What’s one to do?

It’s well known that simply wiping out partitions and re-formatting drives doesn’t erase anything. It’s equally well known that overwriting every sector with pseudo-random data is considered a secure method of erasure. I give you a two-step approach that may be overkill, but is certainly a procedure that any court would consider a mitigating factor if I or my company is accused of negligence. (I work in a Microsoft environment, so that is the context here.)

Step one is to install TrueCrypt 5, (my hands-down favorite) or another full-drive encryption program, and perform the steps for full-drive encryption; this effectively writes pseudo-random noise to every sector of the hard drive. (Don’t fret about the 20-character password TrueCrypt warns you about–just type “password.” You’re not worried about logon security; you just want to encrypt the hard drive.) This one-pass encryption is probably sufficient for a home PC hard drive, but not for anything else.

Step two is to run a disk erase program that overwrites every sector with pseudo-random bits. I use Darik’s Boot and Nuke (DBAN), without question a best-of-breed open source program. One pass auto-wipe should be sufficient since you’re overwriting what already amounts to pseudo-random noise (created by TrueCrypt) on the hard disk.

After this treatment, any adversary would find it virtually impossible to recover anything usable off of the drive. Give it away, sell it on eBay, do whatever.

And have a good night’s sleep.

AddThis Social Bookmark Button     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

Fedelst  |   Mar 20 2008   5:50AM GMT

The process you are using has clearly had thought put in to it, and is definitely better practice than many bay currently be using. And, you are correct about the ignorance of many who believe that formatting a drive or deleting a file eliminates the data. This is like playing hide and seek, and attempting to hide by throwing a towel over your head. Because you can’t see them, does not mean they can’t see you…

However, there are a few concerns about the process. First, you make reference to filling all sectors as being know as a Secure Erase. Be careful with this term, Secure Erase is in fact a data purge protocol developed by the University of California San Diego’s Center for Magnetic recording Research which is in fact embedded in the microcode of all SATA, ATA, PATA and lap top hard drives since 2002 and as early as 1999. I appreciate that you were referring to a general term of ‘a secure erase’, but these terms can be confused.

Your process will address most accessible user data sectors, but will not protect any unencrypted data that is in locked sectors or tracks that are in the P-List or G-List (or bad block table). Yes, these sectors are flagged as bad by the drive, but there is a possibility that for sectors blocked by the G-List that during the initial write cycle, when the sector was determined as bad, that personally identifiable data may have been written to these sectors before being marked bad.

Another consideration is that neither utility will touch the Protected Service Areas of the drive. So, the Host Protected Area which can contain information will still be fully retreivable, as would any information in the DCO region of the drive.

The NIST 800-88 is an excellent resource for data destruction protocol on a wide range of storage devices. The techniques you employ would be considered CLEAR level protection, meaning that the process is susceptible to laboratory data recovery efforts. Purge level technologies such as Degaussing and Secure Erase are NOT susceptible to laboratory recovery efforts. Degaussing being the application of magnetic flux of a magnitude sufficient to cause coercion of the device media rendering the media and the drive unusable, and Secure Erase being an efficient embedded purge utility, rendering the drive reusable at the completion of the process.

Secure Erase was created at the request and with the participation of the NSA and other government agencies, and most major hard drive manufacturers as a common efficient and reliable purge technology. This technology is a standard in the ATA spec, and is present in every modern hard drive except for SCSI and SCSI derivatives. Secure Erase has limitations in that it is inhibited by many computers at the BIOS level. It is for this very reason that commercial software makers have a difficult time creating a reliable software product that benefits from Secure Erase.

The way around this has been accompished by some folks in New Hampshire at EDT who produce the Dead on Demand Digital Shredder. An appliance that delivers users the ability to insert their drives in the appliance, and using Secure Erase, purge their hard drives in less than 1/18th the time it takes to use software based overwrite technology. The next time you do a triple overwrite on a 100 Gig drive, consider whether you would prefer waiting the 8-12 hours to process or if you would rather have the drive purged and ready to re-purposed in 17-42 minutes (based on drive speed).

Unlike software based overwrite technology, Secure Erase purges all user accessible regions of hte drive including the P-List, G-List, HPA, and DCO assuring you that the entire drive is purged of any possible traces of user data. Rendering the device properly decommissioned.

If I were processing devices containing medical data, I would not want to take any chances. A simple reference to Attrition.org clearly indicates the impact of recoverable PII and is not a risk I think any one would want to bear.

Just my 2 cents.


 

Wrobinson  |   Mar 23 2008   6:52AM GMT

There is only one sure fire method of destroying a hard drive and ensuring that the data is not recoverable and that is to give it an acid bath. The same applies to mobile devices which are now commonly sold, traded and handed down with residual data on them in the form of text messages, call logs, e-mail and so on.


 

The Geek  |   Mar 24 2008   9:12PM GMT

Thanks for the excellent comments, gentlemen. I do appreciate the feedback.