Author: Virgil Vaduva
October 2007
In May 2007, two laptops belonging to Pfizer Inc. were stolen from an employee’s locked car. They contained the names and social security numbers of about 17,000 Pfizer employees and health-care professionals. Since May, Pfizer has suffered two more security incidents in which 34,000 employees’ names, social security numbers, addresses, dates of birth, bank account numbers and signatures were accessed. And how can we forget the incident in which backup tapes containing the names and social security numbers of 859,000 people were stolen from the trunk of a car belonging to an intern working for the State of Ohio?
So what is the big deal, you may ask? Those were malicious acts: someone was looking to steal sensitive data. It’s not as if Pfizer willingly handed confidential corporate data to strangers. But ultimately, is there a difference between willingly handing over confidential data and having it stolen from you?
Many companies and IT professionals today find themselves in a position to donate used computer equipment to charities, churches and school districts that want, and urgently need, such equipment. While making donations to charities is certainly commendable and admirable, very few IT professionals consider the security implications of donating equipment, especially computers, to third parties, and even worse, to third parties that are almost never vetted. The usual justification is that they are well-known schools or well-known organizations. But once a donated computer leaves your building, it is difficult to know who will use it and for what purpose.
The fundamental security problem with donated computers is rooted in a misunderstanding of how a computer stores information. Simply reinstalling Microsoft Windows on a computer will not erase all the confidential data or files stored on it. “Formatting” a hard disk, for example, will not remove the data on it. Many companies are also in the habit of running “fdisk” to remove the partitions; again, the data is not removed from the disk. Files and directories that have been “deleted” will likewise continue to reside on the hard disk long after the user believes they are gone. In each case the operation rewrites only the bookkeeping the operating system uses to find files (the partition table, the file system structures, a directory entry); the sectors holding the file contents are left exactly as they were until something else happens to overwrite them.
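The point that delete, format and fdisk touch only the bookkeeping is easiest to see on a toy disk. The following is an added example, not code from the original article: the 2 KiB disk, its block layout, the sample payroll record and the helper names are all constructed for illustration, and `carve` stands in for what a recovery tool does when it ignores the metadata and scans the raw bytes.

```python
# Toy "disk" modelling what delete, format and fdisk actually touch.
# Added example, not from the original article; the on-disk layout, block
# sizes and the sample record are all constructed for illustration.
import re

BLOCK = 64          # bytes per block (tiny so the whole disk fits in a test)
NUM_BLOCKS = 32     # 2 KiB disk
PART_TABLE = 0      # block 0 holds the partition table
DIRECTORY = 1       # block 1 holds the directory: name -> (start block, length)
FIRST_DATA = 2      # file contents live in blocks 2 and up
ENTRY_SIZE = 16     # 12-byte name + 2-byte start block + 2-byte length

def new_disk() -> bytearray:
    """A factory-fresh disk: every byte is zero."""
    return bytearray(BLOCK * NUM_BLOCKS)

def make_partition(disk: bytearray) -> None:
    """Write a one-partition table covering the whole disk."""
    disk[0:4] = b"PART"
    disk[4:6] = FIRST_DATA.to_bytes(2, "big")
    disk[6:8] = NUM_BLOCKS.to_bytes(2, "big")

def _entries(disk: bytearray):
    """Yield (slot offset, name, start block, length) for every live directory entry."""
    table = bytes(disk[DIRECTORY * BLOCK:(DIRECTORY + 1) * BLOCK])
    for slot in range(0, BLOCK, ENTRY_SIZE):
        entry = table[slot:slot + ENTRY_SIZE]
        name = entry[:12].rstrip(b"\0")
        if name:
            yield (slot, name,
                   int.from_bytes(entry[12:14], "big"),
                   int.from_bytes(entry[14:16], "big"))

def list_files(disk: bytearray) -> list:
    return [name for _, name, _, _ in _entries(disk)]

def read_file(disk: bytearray, name: bytes) -> bytes:
    for _, n, start, length in _entries(disk):
        if n == name:
            return bytes(disk[start * BLOCK:start * BLOCK + length])
    raise FileNotFoundError(name)

def write_file(disk: bytearray, name: bytes, data: bytes) -> None:
    """Allocate the first blocks after the last live file and add a directory entry.
    Only len(data) bytes are written, so the rest of the last block keeps whatever
    it held before ("slack space")."""
    if len(name) > 12:
        raise ValueError("name too long")
    start, used_slots = FIRST_DATA, set()
    for slot, _, s, length in _entries(disk):
        used_slots.add(slot)
        start = max(start, s + -(-length // BLOCK))     # ceil(length / BLOCK)
    if start + -(-len(data) // BLOCK) > NUM_BLOCKS:
        raise ValueError("disk full")
    free = [s for s in range(0, BLOCK, ENTRY_SIZE) if s not in used_slots]
    if not free:
        raise ValueError("directory full")
    off = DIRECTORY * BLOCK + free[0]
    disk[off:off + 12] = name.ljust(12, b"\0")
    disk[off + 12:off + 14] = start.to_bytes(2, "big")
    disk[off + 14:off + 16] = len(data).to_bytes(2, "big")
    disk[start * BLOCK:start * BLOCK + len(data)] = data

def delete_file(disk: bytearray, name: bytes) -> None:
    """'Delete': clear the directory entry. Not one data byte is touched."""
    for slot, n, _, _ in _entries(disk):
        if n == name:
            off = DIRECTORY * BLOCK + slot
            disk[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return
    raise FileNotFoundError(name)

def quick_format(disk: bytearray) -> None:
    """'Format': rewrite the filesystem's bookkeeping (the directory block) only."""
    disk[DIRECTORY * BLOCK:(DIRECTORY + 1) * BLOCK] = bytes(BLOCK)

def remove_partitions(disk: bytearray) -> None:
    """'fdisk': clear the partition table. Directory and data blocks are untouched."""
    disk[PART_TABLE * BLOCK:(PART_TABLE + 1) * BLOCK] = bytes(BLOCK)

def carve(disk: bytearray, pattern: bytes) -> list:
    """What a recovery tool does: ignore the metadata and scan the raw bytes."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk))]

def demo() -> dict:
    """Walk the disk through delete, format and fdisk, carving after each step."""
    record = b"SSN 123-45-6789"            # constructed sample, not a real number
    disk = new_disk()
    make_partition(disk)
    write_file(disk, b"payroll.txt", record)
    found = {}
    delete_file(disk, b"payroll.txt")
    found["after delete"] = carve(disk, record)
    quick_format(disk)
    found["after format"] = carve(disk, record)
    remove_partitions(disk)
    found["after fdisk"] = carve(disk, record)
    # Data only disappears when its block is reused, and then only as far as the
    # new file reaches: a 4-byte file leaves the last 11 bytes in slack space.
    make_partition(disk)
    write_file(disk, b"todo.txt", b"milk")
    found["after reuse (slack)"] = carve(disk, b"123-45-6789")
    return found

if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the record at the same raw offset after delete, after format and after fdisk, because none of those steps wrote to block 2; even once the block is reused, the tail of the old record survives in slack space. Real file systems are far more elaborate, but the division between metadata and data blocks, and therefore the remanence, is the same.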
IT professionals need to be aware that a dedicated and skilled individual can easily recover confidential information from computers that have been “formatted” or have had Microsoft Windows “reinstalled”. This can be done with off-the-shelf software, dedication and time; the attacker only needs access to a computer donated to charity, which may previously have been used by the CEO, CFO or payroll manager of a company.
Unless you are absolutely certain that the computers being donated or disposed of have never been used to store confidential data, you should reconsider the practice of including hard disks with donated computers. Hard disk drives have recently become extremely affordable, and charities should consider picking up the cost of a new disk in exchange for protecting the confidentiality of the donor. Hard disks should be disposed of by shredding them and recycling the metal. Forensic experts have suggested that it may be nearly impossible to recover useful data from hard disk pieces smaller than a quarter, so shredding seems to be the only secure way of disposing of obsolete hard disks.
If you still intend to include hard disks with the computers you are donating, you should “wipe” the disks using tools specifically created for that purpose, or consult a security specialist regarding best practices and policies for the secure disposal of computer equipment. If you do not, you may be willingly handing over confidential data to strangers.
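What a wiping tool has to do, as opposed to format or fdisk, is overwrite every byte of the medium and then read it back to verify that the overwrite landed. The following is an added example, not code from the original article and not any particular wiping product: it works on a constructed 512 KiB image file in a temporary directory, and the planted SAMPLE_RECORD, the three-pass schedule (random, 0xFF, 0x00) and the helper names are all assumptions made here for illustration.

```python
# Overwrite-and-verify wipe of a disk image file. Added example, not from the
# original article or any particular wiping tool; the image, its size and the
# planted record are constructed here for illustration.
import os
import tempfile

CHUNK = 64 * 1024
SAMPLE_RECORD = b"EMP 0042 SSN 123-45-6789 ACCT 00998877"   # constructed, not real data

def build_sample_image(path: str, size: int = 512 * 1024) -> None:
    """Fill an image with random bytes and plant the sample record at three offsets."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
    with open(path, "r+b") as f:
        for off in (0, size // 3, size - len(SAMPLE_RECORD)):
            f.seek(off)
            f.write(SAMPLE_RECORD)

def contains(path: str, needle: bytes) -> bool:
    """Raw scan of the whole image, the way a recovery tool looks for data."""
    with open(path, "rb") as f:
        return needle in f.read()

def overwrite_pass(path: str, pattern) -> int:
    """Overwrite every byte of the file once, with `pattern` (a single byte) or,
    if pattern is None, with fresh random data. Returns the bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)       # last chunk may be short
            f.write(os.urandom(n) if pattern is None else pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())                     # push it past the OS cache
    return written

def verify_pass(path: str, pattern: bytes) -> dict:
    """Read the image back and count bytes that do not carry the final pattern."""
    size = os.path.getsize(path)
    not_overwritten = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            not_overwritten += len(chunk) - chunk.count(pattern)
    return {"size": size,
            "bytes_not_overwritten": not_overwritten,
            "ok": not_overwritten == 0}

def wipe_image(path: str, passes=(None, b"\xff", b"\x00")) -> dict:
    """Run the passes in order; the last must be a fixed byte so it can be verified."""
    if passes[-1] is None:
        raise ValueError("final pass must be a fixed pattern to allow verification")
    for p in passes:
        overwrite_pass(path, p)
    return verify_pass(path, passes[-1])

def demo() -> dict:
    """Plant a record, wipe, and confirm a raw scan no longer finds it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "donated_disk.img")
        build_sample_image(path)
        found_before = contains(path, SAMPLE_RECORD)
        report = wipe_image(path)
        found_after = contains(path, SAMPLE_RECORD)
    return {"found_before": found_before, "found_after": found_after, **report}

if __name__ == "__main__":
    print(demo())
```

The verification step is the part most often skipped: a wipe that is not read back has only been assumed to work. Two caveats apply when moving from this image file to a real drive. The overwrite must be done against the raw block device, not through a file system, or the file system's own reserved and unallocated areas are missed; and on drives that silently remap failing sectors (and on flash media with wear levelling) an overwrite may never reach some cells, which is why the article's recommendation to physically destroy disks that held confidential data still stands.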
About the author: Virgil Vaduva (CISSP) is a Romanian-born security consultant, trainer and analyst with experience in forensics, security architecture and human-factor security implementation and analysis. Virgil works as a Security Analyst for WinWholesale Inc, a private $2.6 billion company based in Kettering, Ohio.
