back to article Government data protection standards are protected data

As yet another laptop full of confidential data goes up for sale on Ebay – this one belonging to Charnwood Borough Council - the government's failure to set and publicise standards for wiping data makes it inevitable that there will be many more, and worse, incidents of this kind. “Wiping data” may sound easy – to the non- …

COMMENTS

This topic is closed for new posts.
Paris Hilton

It's easy

All these gummint people must have contracts for secure disposal of their waste paper (or am I being hopelessly naïf?) Most such contractors will happily (for an extra fee) shred optical and magnetic media (on-site if required).

This is nothing new - GCHQ (for example) have always adopted this approach. Mainframe suppliers used to love their maintenance contracts, because every disk that failed, rather than being PXed, was scrapped on site and replaced by a new unit (with more profit for the manufacturer).

Paris, because she'd never let her personal data get into the public domain.

0
0
Anonymous Coward

Your phone around

Shows how secret it is, even local councils can't telling you they do know what to do,

Pity they don't apply it

0
0
Stop

Data 'Sanitisation' Standard.

In five easy steps

1) Don appropriate PPE.

2) Remove hard drive(s) from PC/laptop being disposed of.

3) Remove casing of said drives.

4) Reduce drive platters to 5mm fragments using 1kg hammer.

5) Install new, clean replacement drive into equipment for disposal by sale, if required.

0
0
Paris Hilton

What about "shred"???

Jus' pop an Ubuntu live CD in there, and tell it to shred the entire drive. /dev/hda? Aint that to the quoted standard?

Child of 10 could do it. Buttock 'course, that'd be child labour....

(So could Paris - I needed to use that logo at least once in my life!)

0
0
Silver badge
Paris Hilton

How difficult is this....?

Look...this is easy. If you have an old computer, before it goes to eBay/the council tip or wherever, you take a couple of screws out and remove the hard drive. You then take a large and solid screwdriver (or similar) and a lump hammer, and use the hammer to smash the screwdriver straight through the drive. Then put remains of drive into recycling - NO-ONE is going to read that now! SSD drive? Try the shredder!

Face it, with the price of new drives so low, there is no need to hand over a working second-hand drive to anyone. For the cost of doing a thorough erase on the drive you can buy a new one! If a council wants to be charitable with its old computers then go out and buy a new drive to fit into its old computers before it gives them away.

Hmmm....I wonder if I could get a US patent on this process?

Paris 'cos even she could manage to follow these instructions.

0
0
Linux

“Wiping data” may sound easy...

It's not hard guys:

1) Boot Linux CD

2) Open console F12

3) sudo -i

4) shred -f -v -z /dev/sda

If local authorities employed professionals instead of numpties this wouldn't happen.

0
0
Happy

So it's on a need to know basis?

Bernard Woolley: "I'm not sure I can do that, Sir Humphrey. It might be confidential."

Sir Humphrey: "Bernard, the matter at issue is the defence of the realm and the stability of the government."

Bernard Woolley: "But you only need to know things on a need to know basis."

Sir Humphrey: "I need to know everything! How else can I judge whether or not I need to know it?"

Bernard Woolley: "So that means you need to know things even when you don't need to know. You need to know them not because you need to know them, but because you need to know whether or not you need to know. And if you don't need to know you still need to know, so that you know there is no need to know."

Shamelessly stolen from http://www.yes-minister.com/ypmseas2a.htm

0
0
Black Helicopters

New Zealand

seems to have let the cat out of the bag:

http://www.security.govt.nz/sigs/

albeit it has been translated into Ozzy/NewZealandese so we Brits can't understand it.

Is that MI5 knocking on the door I wonder?

0
0
Black Helicopters

CESG

Well, in a little over 60 seconds of web browsing, I found that CESG stands for Communications - Electronics Security Group. It's in their web site, in the About Us - History section.

It's hardly "serious spook territory" if it's published on their web site!!

Oops, is that the sound of a black helicopter approaching ....

0
0
Go

Perghaps you should speak to these guys

Who seem to have their erasing software accredited by CESG:

http://www.blancco.com/eng/home/

0
0

why not just require full disk encryption?

All this and more would have been avoided by simply requiring that all computers use encrypted disks - and since tools such as Truecrypt are free, the costs are minimal!

0
0
Silver badge

It's been done

The government have prepared detailed guidelines for securing data.

But they lost them.

0
0
Black Helicopters

Aye it is

Yup at local level it's piss poor.

0
0
Paris Hilton

@ Nigel Callaghan - re: How difficult is this....?

Paris Hilton's Lawyer just called, apparently she just smacked her hand with a Lump Hammer and wanted a quick word with you.

0
0
Stop

You can't just hammer hard drives in big companies

Can everyone suggesting the hammer tactic for old disks please shut up.

It just isn't feasible in a large company. We probably get through a few hard drives per day, so someone needs to be pretty much employed purely for opening boxes removing disks and hammering them. They'll need training, career development, holiday cover as well as all the proper safety equipment etc.

And when you're finished, what standard can you say applies to that hunk of metal. If my disk hammerer has had an off day, there might be platters unbent.

As for the nuts suggesting "shred". Just how much spare hardware/time do you have that you can make a linux distro that runs on all possible storage types. I've got at least 4 different types of SCSI disk nearby with several different proprietary mounting brackets. Along with IDE/ SATA/ SAS disks and CDs, videos 3 different tape formats and an assortment of USB and other flash memory devices. (e.g. Cisco internal flash memory. They don't have a PC interface for those)

The only way to be sure is a big, expensive, industrial shredder chopping down to about 3-5mm squares. It should be capable of chopping steel, aluminium, paper, hands or whatever else gets dropped in. Or a blast furnace like device to melt it all down to slag, then mix the slag, then put it through a shredder.

0
0
Dan
Flame

Restricted

The Restricted classification gets added to pretty much everything. Even kids joining the Air/Army/Sea Cadets get to see stuff with 'Restricted' on it, i.e. basic security information and procedures. Stuff of higher classification ends up in The Sun newspaper anyway, so it'll be available somewhere.

Flames cos they could always burn the drives...

0
0
Coat

Don't worry...

We'll find out their methods soon enough, someone's bound to leave the documents on the train again.

0
0
Flame

Thermite the drives

Title says it all really.

0
0
Black Helicopters

Not so hard to find...

Here you are: http://apec.isu.edu/pdf/nzsit207.pdf

0
0
Paris Hilton

AC: Hammering hard drives

Even paying someone to open boxes and smash the HDDs is going to be a lot cheaper than £980,000 http://news.bbc.co.uk/1/hi/business/6360715.stm

0
0
Paris Hilton

re: You can't just hammer hard drives in big companies

I work in the education sector and we have over the last few weeks replaced about a hundred desktops and disposed of a handful of old servers. I know that's not a massive scale but it's not insignificant. In most cases Shred worked fine, with a few we had to use other tools and there were a dozen or so failed drives that had to be physical destroyed.

Yes it is a pain and it takes time but it has to be done*. Its the "too much time" attitude that cause these leaks.

*Think of the Children** :P

** Actually its people thinking of the Children that cause us to have to wipe everything :D

0
0
Boffin

Not rocket science

A quick web search would turn up plenty of open-source apps that would do the trick, but I guess that would be far too simple. Besides, it's irrelevant that no standards exist regarding the best methods of wiping data, when most data losses occur without any attempt to delete the data having taken place. If the data was encrypted in the first place, it would be rather less critical whether it was securely wiped or not.

0
0
Thumb Down

Err...

...write random crap over the disc a few times (3, 7, 20, whatever).

Or, just take the HDD out and have it destroyed.

Of course, sensitive data shouldn't be stored in the clear in the first bloody place!

Labour - Failing the British public one disaster at a time

0
0
Dead Vulture

Degaussers are cheap as chips

3 seconds on google led me to this:

http://www.mediaduplicationsystems.com/Degausser_Hard_Drive_Degaussers_s/103.htm

$7K - £3.5K - About the same as ONE DESKTOP PC - actually for a bank, one desktop is charged at about £15K/year.

Its so fucking cheap you should be locked up for not using one.

Its just the government/labour party is so in hock to (not to mention in the pockets of) big business they can't tell them anything otherwise they will call in all their loans.

Sick as a parrot cos the ICO are so fucking weak, and the government couldn't give a shit.

0
0
Happy

We use one of these.

10 - 15 seconds per drive,

Sorted.

http://www.screwfix.com/search.do;jsessionid=NLPXBGPLEPSSSCSTHZOCFFA?_dyncharset=UTF-8&fh_search=54072&x=0&y=0

0
0
Black Helicopters

Govenrment Data Protection Standards

There are standards within UK Government covering this area. As you mention CESG does develop guidance in this area and does make an effort to distribute it, for instance HMG InfoSec Standard No. 5 (Secure Sanitisation of Protectively Marked or Sensitive Information). This publication aims to provide guidance on the management of these issues and includes useful information on some of the technical pitfalls of devices such as solidstate data storage media, for instance data leveling and downgrading of storage circuitry during manufacture, e.g. classing a defecive 1GByte chip as a 512MByte device, making data held on the device invisible to the operating system and standard file deletion applications. These publications tend to be exempt from Freedom of Information legislation, but are available to UK Government bodies. The trouble is, there is an awful lot of information available, not all of it is easy to find and not everyone thinks to look for it. Disclosure requests from non-UK Government bodies should be directed to infoleg@gchq.gsi.gov.uk

0
0
Alert

Let the flames commence

As always happens, as soon as the article with "data loss" in the first paragraph appears, everyone jumps on the bandwagon - "they should do X", "they should use Y", etc. etc.

Policy is a great thing; but only if it is understood and adhered to; I'd bet that there are still a lot of organisations that have no policy, and in those that do, the majority of staff don't know about it. Even in those that do have a policy, and where the staff know about it, there's a fairly good chance that it's not actually followed that well.

In this case, the item may have been stolen, so policy on destruction of data wouldn't have mattered a great deal (where it's located would be more appropriate).

Add to that, a lot of policy may have been written 3-4 years ago (or more) and could possibly be out of date as the hardware / practices have changed.

It also should be pointed out that any process for disposing of equipment has to satisfy the WEEE directives amongst others.

We none of us work in splendid isolation; but it's clear that many people have limited understanding of the challenges that other people in the industry have to face.

0
0
Happy

CESG Standards

The CESG standards are already in the public domain. ComputerAid International use Blancco software which the charities website says.....

"Blancco is widely accepted as the industry-leading data destruction software. It was the first software to receive CESG-certification to InfoSec 5 standard and meets all recognised international data destruction standards, including standards set by the UK's Communications Electronics Security Group (CESG) and by the US Department of Defence."

Maybe the councils don't know that a charity exists that takes their old computers does all the wiping/data destruction and then puts them to good use.

******slaps head in frustration

0
0
Thumb Up

Smashing hard disks, government style!

Step 1. Send disks to National Data Disposal Centre (second class post)

Step 2. Oh, hmm...

0
0
Flame

@AC "You can't just hammer hard drives in big companies"

Why not use Darik's Boot & Nuke then? perfectly capable of standardised industry and government requirements for secure data destruction, and cheap too (try free if you only swing that way).

And if you're going to whine about needing proprietary brackets and having 3 different kinds of everything, then you just waited too long to get rid of those things and should be sacked for negligence if you can't hook that kit up reliably any more!

Industry standard in many (if not all) business environments demands you replace your hardware every 4-5 years to avoid unnecessary downtime, you have had PLENTY of time to find a technically and financially feasible way to maul those data carriers at the end of that time frame.

0
0
Black Helicopters

destruction

Ive seen the lump hammer scenario in use, but no screwdriver, anyone with experience of doing this will know the platters shatter like glass when thumped correctly. Success can be detected by tipping said drive from side to side, and listening for a noise not unlike sand pouring around inside...

There is also some nice boyo's in welsh wales running a furnace called "Secure destruction", that send you nice red heavy duty bin sized bags, and for a set fee per sack, guarantee said bags are tipped into their blast furnace furnace under protective guard. Any magnetic media, used tape drives with buffer chips and anything else that can retain a magnetic memory of the data can be dropped into the red bags and get sent off for gov assured destruction. Its how some very sensitive equipment is sanitized.

There will be someone at the council who has clearance for looking at "restrictive" marked documentation. Or one would hope they have someone. I believe being sc and needing to know is the requirements for this, although restrictively marked documentation can be made available to a none sc cleared individual to read on a need to know basis, provided they cannot take said documents away with them.

Its just sloppy as they have the tools, and there is british doc's available to them via channels I am not at liberty to discuss, poor IT, endless quango's and the computer decisions being steered by someone who had a spectrum once when they were a spotty oik but is in favor with the councilors. Councils are always the lowest of the low on the talent ladder, because anyone with any real knowledge is off being a grabbing contractor for a proper company ;)

- A grabbing contractor ;)

0
0
Coat

(byeline) "If we tell you, we'd have to shoot you"

For Fuc*ks sake, then tell my mother-in-law...Christ-on-a-bike!

<gorrit already. I'm off to t' pub. Oh, I'm already there. Must be t' curtains.>

0
0

Why don't they...

Chuck them in storage (Disk drives are not that big. You could fit a few in the space of a lever arch file) then get them securly distroyed once the data is no longer needed? Why treat them any diffrently to other data?

0
0

At the risk of being accused of advertising...

if you need to physically destroy HD's etc. the PHB won't let you play with thermite and a lump hammer is too hard work for weedy PFY's then get a

http://www.mmco.uk.com/products1.html

0
0
Paris Hilton

Crap, I live in Charnwood!

...errr....now of course thanks to the council everyone knows that already! Complete and utter thick b*stards.

I didnt see this mentioned in the "How we are doing" council brochure.

I suspect that most if not all councils around the UK have lost data - or at least could not say for sure whether or not data 'has left the building' illegally.

* = a

Paris, cos I reckon she would make a great IT Security Strategist!

0
0

Its not difficult - it really isn't.

From what I read, applying a wiping standard (or a sledgehammer) would not have helped in this case 'cos the implication is that the PC was stolen

Considering the sensitive nature of the information, the more important question was - why was the information not encrypted? Even Vista has it build in, and there are may vendors who will offer third party applications.

Once you have that in place, you have a secure environment and restricted access, then you can start worrying about applying wiping standards. Get the basics right, then start worrying about the complicated stuff.

0
0
Anonymous Coward

Ironic

"Government data protection standards are protected data".

It's nice to know the government protects *something*.

0
1

Idiots rule ok

"Government data protection standards are protected data".

It's nice to know the government protects *something*.

I wouldn't hold yer breath. Only incentive that would work on these tossers is loss of job and pension rights.

0
0
This topic is closed for new posts.

Forums

Biting the hand that feeds IT © 1998–2018