Security researchers have found personal records of Sun newspaper and MoD staff on the hard drives of discarded or resold computers. The study, The ghosts from the machines: A history of 10 years of carelessly discarded data, found that both businesses and consumers are getting rid of old PCs without wiping them clean. …
Masonry nail and a hammer
Just take out the hard drive, drive a masonry nail through the platter, and try and read it now. Just wear a mask when you're doing this.
Who wants these old disks anyway, when storage needs are increasing (just look at any commercial bloatware and you just know that there has to be collusion between software companies and disk manufacturers).
I do the same, punch a hole through it with a nail, chip off/bend all the pins and snap any visible circuit boards. To answer who wants them, I'm sure I read somewhere the other day that ID thieves are paying a huge price for stolen mobile phones, something like £40 or £50 for models that are 5 years old just because the data on them can be so valuable, I'd guess buying up hard drives could bring in a similar price.
Can't see why you would need a mask? Goggles might be appropriate if using a hardened nail like an oboe perhaps just in case it shatters. Doubt it would though.
Hard drives contain some wickedly strong magnets. About 2 minutes with a screwdriver will have you inside the innards of the beast, extract the magnets. Once it's been open like that, it's unlikely to be able to recover any data from it, unless you work for the NSA.
Hit it with a hammer, and even they will have a hard time getting much off there.
Also, you end up with loads of magnets. Magnets are fun.
I agree completely - those magnets are awesome and fun to try and pull apart once stuck :)
Also the platters themselves make nice coasters.
An angle grinder with a diamond wheel to cut them in half
Thermite. Accept no substitutes.
Think again, if "The Man" really wants your data:
a) They probably have it before you dispose of the HDD
b) Even hitting it with a hammer after opening it up, you can get a lot of data from it.
If you want some PI or ID thefting scrote not to get it, that will do the trick, but far better to shred it if you can.
Vertical drill press + bend pins for physical destruction.
Mind how you go...
A colleague thought it would be a good idea to drill holes through broken hard drives, much to our amusement as the hard disk he had "secured" to his desk slipped out of the clutches of his g-clamp as he was drilling into it. As the hole was off centre it span quite uncontrollably towards his crown jewels while he, in a panic, was unable to switch off the drill. At this point, I pulled out the plug, saving his future offspring. There was much pointing and laughing. We went back to using the lump hammer.
Incidentally, laptop drives are very fragile. You only have to bend them slightly and the entire platter will shatter like glass...
with the benefit of waving the magnet over the platter a few times :¬)
You prevented a Darwin award :(
You do realize that if that hard disk would have ripped off his gonads he would have become one of the few to win a Darwin award whilst still alive?
If you let it happen you would have done both the world and him a favour.
Honestly, what were you thinking?
Wasted hard drives
The amount of hardware that is wasted by this sort of thinking is ridiculous! It is a simple job to erase data with easily available proprietary tools allowing second hand hardware to filter down to people who would be more than happy to use it for some time or until the end of its life. Stop nailing hard drives and just erase them correctly and stop this waste.
Shame it wasn't
"It could even have been used to hack their staff members’ phones"
Shame it wasn't - that would have been *sweet*...
That's an easy problem to solve.
I gave my hard disk and various small screwdrivers to my eight year old lad. Then asked him how many parts does it have?
Solid state storage? Hammer. I had considered poaching them in boiling water for a while (disrupts the eproms without releasing harmful fumes), but in the end the hammer won the day.
It does reduce their secondhand value a bit though, they're not much good on eBay after that.
"Solid state storage? Hammer."
"Carelessness disposal of data exposes firms to fines by the Information Commissioner"
"Carelessness disposal of data exposes firms to a mildly worded letter by the Information Commissioner"
"All our drives are encrypted"
I call BS.
I'd guess just their misunderstanding of the word encrypted.
"But all our Windows machines require a password to log in to them" may have been a more accurate statement.
The BS-o-meter was triggered by the subsequent statement of how they securely erase them afterwards too - you'd think option 1 or option 2 would be enough for only mildly sensitive data.
"We thought all our drives were encrypted"
See how the pointy-haired boss complained until someone relented.
No, it's double ROT-13 encryption, sitting over a Pig Latin encoding algorithm.
Oh God please. "Rebekah Wade's naughty bits"
Get that image out of my head, aaargh.
You mean a bush fire?
Fire is passe, this is a job for mind bleach (tm).
Re2: "All our drives are encrypted"
But none of our iPhones are.
It's not like Clarkson's address in the Cotswolds is a big secret - there was even a Google PoI floating around a few years ago.
But wait, WHICH house
in the Cotswolds is it? Oh, it's the one with the jet fighter on the lawn and, no doubt, a thick layer of rubber just outside the gate...
I'm pretty sure that last time I went past (I know exactly where his house is, and I don't even live in the area) he'd got rid of it.
After El Reg's recent email snafu.
I expect them to report that someone has bought one of its old PCs with Sarah Bee's personal info on its unwiped hard drive in the near future.
Moderatrix's personal info?
I'll start the bidding!
Come on world and dog ...
... admit it, this attitude is commonplace.
We are living in a hyper-connected digital age, what could possibly go wrong!
My guess is that maybe as many as 2% of the world's population actually consider a thorough wipe or physical destruction of data / disks in such / any cases.
It's an added cost, who wants it any way - WAKE UP YOU NUMPTIES !
Give me some goggles, a mask, some masonry nails and a large hammer and I'll do it for you for c. £8.00 per hour.
"third-party disposal firm"
So did they pay this firm to securely dispose of their data, or just take the machines off their hands?
If #1, I'd think there's a serious lawsuit here for failing to do their jobs.
It couldn't happen to a more deserving bunch than "News" International.
"All our drives are encrypted"
and all your old drives are belong to us...
If you don't have an employee that can do this, you also don't have any employees who are qualified to keep an eye on those to whom you have outsourced it. Unless you outsource that too, and that's probably going to be more expensive than doing it yourself.
News International doesn't outsource everything...
...but they have certainly tried, and will keep trying. They believe in the "market", after all.
legal aspects and caution
Given that some were resold without clearing would make them legal and open the company reselling to legal recourse from the previous owners. Now ones obtained via dumpstering is it is known, would be opening the companies going thru and publicly outing such data open to legal recourse of what is known as stealing.
Personally dumpstering ex-MOD kit would not be wise on many levels, heck one day those storage modules for military could very well have tampering explosives in which if connected to a normal controller would cause the storage module to explode. Not that I'm aware of such items, but they are certainly not beyond the realms of reality in some MOD situations.
Most companies have a policy that dictates any ex-storage media that has been used by a company be destroyed without exceptions. This would also include routers with backup memory/firmware stored profiles, which covers pretty much all of them.
But there again a company's security is only as good as the weakest link and if you recycle hardware, then you are exposed to such issues down the line. Indeed the costs involved to properly secure ex kit from leaked information due to the time and effort involved and independent verification does make the option of having it destroyed and raw material recycled a much cheaper option.
Personally I'd load up a HD with a lot of false information and dump that in the skip for laughs and giggles, but that's just me and my humour showing.
"Personally dumpstering ex-MOD kit would not be wise on many levels, heck one day those storage modules for military could very well have tampering explosives in which if connected to a normal controller would cause the storage module to explode. Not that I'm aware of such items, but they are certainly not beyond the realms of reality in some MOD situations."
You've seen too many movies, I think. Data storage devices are taken out of the machines and sent to the shredder, the rest is recycled or junked.
And, have none of you heard of DBAN? http://www.dban.org/
dban is great, IF you have the time to run it and then to verify it has cleared everything out. Most companies won't bother investing that level of time, and also assumes the drive still functions. You can have a drive die in a way where a lot of the data is recoverable (though most people think data recovery is just about running a program).
Also can you honestly say there has never been a hd with inbuilt self-destruct outside of the movies, coz I can't, though caddies with electromagnets more likely for magnetic media. But flash storage does make things more colourful. But it only takes one person to print out 1 or two inventory labels more than is needed to cause enough panic for people to do such things to protect data.
But no matter what you do if you have a human anywhere in the equation then there is always the potential for something to go wrong. You can also get more meaningful data from a human down the pub than some encrypted disc anyhow.
It's not just computers
We have other technology today that can contain sensitive information.
For example last week I replaced my home phone system, replacing a base station and 4 hand sets. My wife was going to recycle the old equipment.
First we went to the garage and I destroyed the old equipment with a chipping hammer.
This may seem trivial, but those phones contained sensitive call records. The destruction was fun and the data is destroyed.
Definitely not just computers
We just bought a 2nd hand photocopier/network scanner/printer. While checking out the machine which had supposedly been fully refurbished before resale, I found some old scans on the internal hard drive. Out of curiosity I printed the first scan only to find a nice full colour copy of someone's driving license and National Insurance card.
All sorts of stuff out there. It's more common than you think
The father in law picks up bits and pieces from the recycling area of the local dump. I helped him build a cheap PC to run linux on for simple stuff like email and web surfing. He wasn't after anything fancy like a quad core full on gaming machine by any means.
One of the drives he got hold of hadn't been wiped either. Unfortunately the previous owners who weren't either attractive or in their first flush of youth were into "Ahem" making their own movies.
That drive was destroyed pretty quickly, and another substituted that had had a re-install of XP before disposal. Much better
It's not exactly rocket science to either format the disk or do a re-install from the CD that came with the computer. For most purposes that's good enough
im so glad...
that i don't work for MI5 like all you guys.
i just low level the disk, fill it with 1's then low level it again.
mostly cos i cant find my hammer or spell obo nail :-)
I have used many inventive ways of destroying hard drives.
I call BS on the hammer on the platters method. You just get a frigging huge "WHANGGGG" with metal platters if you hit it with a hammer. When I tried that method at work, after the first strike I moved outside and repeatedly tried to smash the platters. Not only did it not work, the racket attracted the landlord who was wondering WTH was causing the noise penetrating his soundproofed office. After having it explained, he suggested another method.
I can certify that running over hard drive platters with a tank works acceptably well as a secure destruction method, however it's slow and requires access to machinery difficult to get hold of. Running over them with one of those press things that roadworks use also works pretty well, and a pack of beer can unlock the possibility of adding the mangled remains to the foundations of the road. Again though, difficult for some people and ultimately these measures are only really suitable for small scale disposals since disassembling the drives and affording the beer required is beyond most of us for several thousand drives.
The solution is a four phase process.
1) Multi layer writing random bits all over the drive. That alone should make life interesting for people trying to recover stuff from it.
2) individual degaussing of each drive to 4X the manufacturer's guideline for utter destruction of the drive. However, there is some possibility that two bytes of data remain on the drive connected to each other, and you may be able to recover more with appropriate data recovery stuff. So...
3) Physical destruction, courtesy of an external supplier which reduces the drives to chunks of mangled scrap. That would mean you'd need a clean room environment to get anything off of the drives, and in combination with stages one and two, I think it's secure enough to let off site for the trip to...
4) Being melted down in a furnace. Apparently they contain a fair amount of valuable metal. Which is fair enough really, lots more aluminium in a HDD than a drink can and it's reasonably secure as destruction methods go.
I'm pretty confident that the drives I have dealt with are well beyond recovery, and won't be seen in the newspapers in these sort of stories! The worst case scenario is that the van gets hijacked after 3, and I think I could live with "only" the previous 3 levels of destruction.
I don't use a hammer, but I do have some fun with an HSS bit.
Hacking the privates of Sun staffers
Ahhhh... What a nice idea...
It's worth mentioning that many SSDs on the market now have anti-wear leveling tech, so that the individual sectors of the "disk" are not in fixed locations in the SSD and are dynamically re-assigned in such a way that the SSD wear is level over all sectors. The OS can't see this, it appears like a fixed location on a standard disk, so even doing a 0s then random then 1s won't erase everything unless you do it a very large amount of times.
Some SSDs (and HDDs) have a low level secure erase function. Personally, for an SSD, if I really wanted to get rid of everything, I'd go for a drill bit through the chips.
Darik's Boot and Nuke?
That not good enough these days?
Data Destruction Reviews
I seem to recall that a PC magazine did a review of data destruction software (presumably mostly random bit writers), and the item that won the editor's choice award with five stars was...
One overwrite with almost-random data is all it takes, and every Linux distribution already has that built in.
My preferred solution would be to shift the responsibility onto the person who *acquires* a used storage device, not to disclose anything that they found on it to a third party nor make any decision based on anything they discovered on it (analogous to what the law already says about listening to radio signals not meant for you).
And beside which, it will all get overwritten during the full surface scan you run as a matter of course on any used HDD.
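Added example, not part of any comment above: a single random-data overwrite followed by the verification pass that the DBAN comment says most companies skip. It runs on a constructed disk image file; `BLOCK`, `MIN_ENTROPY` and all function names are assumptions made for this sketch.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096        # scan granularity in bytes (assumed; image size is a multiple)
MIN_ENTROPY = 7.5   # bits/byte; a random 4 KiB block measures about 7.95


def entropy(block):
    """Shannon entropy of a block in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def overwrite_random(path, length=None):
    """One pass of random data over the first `length` bytes (default: all)."""
    size = os.path.getsize(path) if length is None else length
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(os.urandom(min(BLOCK, size - off)))
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the OS cache


def find_residue(path):
    """Offsets of blocks that do not look like random fill."""
    suspect = []
    with open(path, "rb") as f:
        off = 0
        while True:
            block = f.read(BLOCK)
            if not block:
                break
            if entropy(block) < MIN_ENTROPY:
                suspect.append(off)
            off += len(block)
    return suspect


def make_image(blocks=8):
    """Constructed sample 'disk' filled with fake staff records."""
    record = b"name=EXAMPLE PERSON;ni=PLACEHOLDER;phone=0000\n"  # constructed
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((record * (BLOCK * blocks // len(record) + 1))[:BLOCK * blocks])
    return path
```

An interrupted pass, for example `overwrite_random(path, length=6 * BLOCK)` on the 8-block image, leaves `find_residue` reporting the two untouched offsets. The scan only sees what the OS can address, so it says nothing about remapped flash blocks of the kind raised in the wear-leveling comment.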