Old Hard Drives Never Die (or Even Fade Away)


Posted by at 8:43 am on May 8, 2009
Category: BIS, DDTC

According to an article that appeared yesterday in the Daily Mail, a London daily, test launch procedures for Lockheed Martin’s Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system were found on a hard drive purchased on eBay. The disk also contained security policies, blueprints of facilities and social security numbers for individual employees.

The disk was purchased by British researchers as part of a research project which scrutinized 300 hard drives purchased from public sources such as computer auctions and eBay. The researchers found that Lockheed Martin may not have been alone in disposing of insufficiently sanitized hard drives. Thirty-four percent of the 300 hard drives examined had identifiable personal or company data. Among the discoveries was a hard-drive with security logs from the German Embassy in Paris.

The article cited a spokesman from Lockheed Martin who stated:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense programme. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

A good point and, it should be remembered, it’s possible that the hard drive was not one disposed of by Lockheed Martin but rather was a hard-drive from an employee’s home computer, although that would raise a different set of issues.

But the point here is not really whether THAAD program details were or were not on hard disk drives, or even what steps the researchers took to recover data, but rather to ask this question: “What does your compliance program say about disposal of hard-drives that may have ITAR-controlled or ECCN-controlled data?” And what steps does your company take when disposing of hard-drives? Most companies probably contract those responsibilities to third-party contractors who promise to wipe or destroy the drives, a promise that, as this case may illustrate, may not always be kept.

The National Industrial Security Procedures Operating Manual, DoD 5220.22-M (“NISPOM”), which contains DoD procedures for protection of classified data, requires that disks with such data be “sanitized” prior to disposal, but the NISPOM doesn’t provide a description of satisfactory sanitization techniques. Vendors who sell disk-wiping programs, such as this one, describe the NISPOM procedure as requiring multiple overwrites of all sectors of the drive with random data, but this appears to be a reference to a 1997 version of a separate DoD document entitled “Cleaning and Sanitization Matrix.” The January 2007 edition of that matrix stated: “Overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction.” (The matrix appears to have disappeared from the Internet; if anyone has a current link, please let me know.)

There are no standard procedures mandated by DDTC or BIS for pre-disposal sanitization of hard disks containing non-classified, but ITAR-controlled or ECCN-controlled, technical data. However, a good resource for developing these procedures is a document released by the Department of Commerce’s National Institute of Standards and Technology entitled “Guidelines for Media Sanitization.” The document indicates that encryption is not a sufficient sanitization technique and recommends various other methods, including multiple overwrites, degaussing and physical destruction.

This gives companies a variety of options. Companies that would rather be safe than sorry can destroy magnetic media, and companies that would rather be green can degauss such media. And, at a very minimum, there is no excuse for not downloading a disk-wiping program and overwriting magnetic media prior to disposal or sale if the company is not going to destroy or degauss it. My personal favorite method for destroying hard drives is blowing them up with thermite, but that might not be feasible in most corporate settings.
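A company that chooses the overwrite option, or relies on a contractor's promise to wipe, can check the result before the drive leaves the building. The script below is an added example, not part of the original post: it scans a disk image chunk by chunk and reports any region that still holds structured data. The 4096-byte chunk size, the 7.5 bits-per-byte entropy threshold and the in-memory sample image are assumptions chosen for illustration.

```python
import io
import math
import os
from collections import Counter

CHUNK = 4096  # bytes examined per step (assumed; a multiple of the 512-byte sector)

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if len(set(block)) == 1:
        return "fill"      # overwritten with one byte pattern, e.g. 0x00 or 0xFF
    if len(block) >= 1024 and shannon_entropy(block) >= 7.5:
        # Consistent with a random-data overwrite pass. Compressed or encrypted
        # leftovers look the same, so this is not proof of a wipe.
        return "random"
    return "residual"      # structured data survived: the wipe missed this region

def audit_image(stream, chunk=CHUNK):
    """Scan every chunk of a disk image; return class counts and residual offsets."""
    counts = {"fill": 0, "random": 0, "residual": 0}
    residual_offsets = []
    offset = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        kind = classify(block)
        counts[kind] += 1
        if kind == "residual":
            residual_offsets.append(offset)
        offset += len(block)
    return counts, residual_offsets

def build_sample_image() -> io.BytesIO:
    """Constructed sample: one zeroed chunk, one random chunk, one leftover text chunk."""
    record = b"CONSTRUCTED SAMPLE employee record, id 0000, not real data\n"
    leftover = (record * (CHUNK // len(record) + 1))[:CHUNK]
    return io.BytesIO(bytes(CHUNK) + os.urandom(CHUNK) + leftover)

if __name__ == "__main__":
    counts, offsets = audit_image(build_sample_image())
    print(counts, [hex(o) for o in offsets])
```

Any non-empty list of residual offsets means the drive is not ready for disposal or sale. To audit a real drive, pass `audit_image` a file object opened read-only in binary mode on an image of it.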


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


7 Comments:


Sometimes destruction of media can be the bottleneck to good security procedures. Paper media is so easy to destroy with burning or pulping methods. I know of a defense contractor who had to change hard drive destruction methods because the approved burned method became an environmental issue. This caused a backlog until they figured out how to disassemble the hard drives and burn only the vital parts.

Comment by Jeffrey W. Bennett, ISP on May 9th, 2009 @ 9:12 am

If you look on the ODAA page (here https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/odaa_links.html), the clearing and sanitization link directs you to the current version of the ODAA Manual. Follow the link and you will see that you can request the document via email.

Comment by Bill the Cat on May 9th, 2009 @ 9:03 pm

Having worked for a computer manufacturer I can confirm that there’s often material on the drive that shouldn’t be. We found everything from medical records to maintenance manuals for a fighter jet.

Expecting to get a detailed procedure, I asked our tech guys what to do with my old computer drive. Their advice was to use a hammer and smash it to smithereens. Not an elegant solution but it was fun.

Comment by ldm on May 11th, 2009 @ 6:53 pm

In a large organization like Lockheed, there are most probably several systemic issues with data-destruction policies. First, they probably de-install systems and then wipe them, opening up risk areas such as cannibalization. Secondly, they are manual, decentralized erasure processes, that permit non-technical staff to do the erasures. THE SOLUTION: use a networked data-erasure software to automate and centralize the process.

Comment by Robert Davie - Venderis on May 12th, 2009 @ 10:45 am

Wow Mr. Davie, what a great idea! Do you know anyone who sells such software and/or services?

Comment by Bill D. Cat on May 12th, 2009 @ 4:08 pm

Bill… but of course… I’m involved in this type of thing all day every day. Feel free to contact me at rdavie((at))venderis(((dot)))c0m.

Rgds,
Robert

[Comment edited by Clif to “munge” the email address so that it won’t be scraped from the site by spambots]

Comment by Robert Davie on May 13th, 2009 @ 3:34 pm

I find it amazing that these stories continue to appear in the news. We have been selling data destruction services for over 5 years now and while many potential customers are educated to the risks, there are still many in the dark.

Robert Davie: I completely agree that a networked solution is the way to go, and our drive wiping method of choice. It is too easy to misplace a single hard drive and if you do the results can be catastrophic – particularly if in the healthcare, legal or banking industries. We even developed a mobile wiping server that could be brought to a customer’s facility so that the data destruction services could be performed without transporting the equipment off-site.

Comment by Brian Wahoff - EPC on May 14th, 2009 @ 9:46 am