Slashdot Mirror


Not-So-Clean Hard Drives For Sale

Saeed al-Sahaf writes "The Register is running a story about a security consulting company that as part of a study bought hard drives and laptops on eBay, and then was able to recover highly sensitive data including customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. This is a bit scary considering all of these drives were supposedly formatted and sold for surplus by major companies (although few of us actually use the multiple formatting standards of the DoD). Looks like it's hardly necessary for crooks to get at your private information, although I'm sure industrial espionage spooks have probably done this for a while." Shades of the recent post about recovering sensitive contents from swap partitions.

12 of 436 comments

  1. Re:Low level it. by crackshoe · · Score: 4, Interesting

    Dumpster diving (just going to my local dump and pulling shit from the stack of electronics) I've gotten social security numbers, credit card data, grading data from various area High Schools...

    --
    Don't worry - it's just stigmata. Pass me a napkin and don't you dare tell my mother.
  2. Similar to MIT students in Jan 2003 by Amgine007 · · Score: 5, Interesting

    This reminds me a lot of this story.

    Simplified summary of both: buy some hard drives on eBay and you could end up with some cool data!

  3. Re:Oh no... by erucsbo · · Score: 5, Interesting

    Next time you might get more for it by advertising it as a hard drive with hidden flash.
    BTW, try doing a data recovery on some of the little flash drives that get given out as promos. A few I've seen look like they've been used by the sales staff, before being given out to clients :-)

  4. shred floppy by wirzcat · · Score: 4, Interesting

    http://staff.washington.edu/jdlarios/autoclave/

    Works like a charm. And it has various levels of paranoia to choose from.

  5. A Large Multinational Bank had this problem by sabinm · · Score: 4, Interesting

    Happened to me once. My brother-in-law worked for a Large Multinational Bank and he knew that I liked old computer junk. So he gave me a bunch of old 2/3/486 computers that were surplused from his job. They gave them to him because they didn't know how to get rid of them. Here was the catch . . . they didn't even format the things.

    So I had their FedEx programs, account numbers, their in-house banking programs and a sweet little Windows 3.1 interface. Needless to say I disposed of the information properly. But I told my brother-in-law. He said "Oh, really" and just forgot about it. Go figure.

    It is far too easy for those who would take advantage of sensitive information to exploit it for their own gain. They are quite fortunate someone like me got their hard drives and not someone bent on robbing them blind.

    --
    http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
  6. We break them! by MightyJB · · Score: 4, Interesting

    I work for a large manufacturing company in the US. The facility I'm in has an interesting approach. First they format... Then they drop a 20 pound weight on it. Usually a few times. I'm sure if someone really wanted the data they could get it, but it raises the bar a little.

  7. Little bits of metal == the only way to go by Gunfighter · · Score: 4, Interesting

    I was lucky enough to never have to worry about this sort of problem when I worked for Uncle Sam. We had to take the actual platters out of our discarded hard disks and grind them down with a belt sander. No recycling either. Once we had a pile of dust, we had to dump the remains in a drum of some sort of acidic crap (usually used to destroy reams of sensitive print material). I always found it funny to see a few nice, shiny disks in the bottom of the safe with a classification label on them awaiting their demise.

    Perhaps there's money to be made in performing this sort of destructive service for banks and other entities handling sensitive customer information.

    --
    -- Stu

    /. ID under 2,000. I feel old now.
  8. In a police environment by Chip7 · · Score: 5, Interesting

    I work in a police force environment. They have a strict policy on hard drives: No hard drive ever leaves the HQ unless it is sealed in its original bag or to be used by an employee. If a PC or laptop has to be shipped to be repaired, we remove the drives. When we give our PCs to charity, they're HDless. Even faulty drives aren't thrown away. They're kept until someone decides to head to the incinerator and throw 'em in themselves. Even if they're under warranty (and need to be returned to be honored) we don't. We buy a new drive and that's it!

    I'd figure other industries would do the same. Heck, it's your business, your data, your life (well, only part of it hopefully!) you have on these disks. Why bother with selling them? To get 20$ 50$? The way I see it, selling hard drives is equal to selling random filing cabinets without making sure they're empty.

    slightly off-topic side note:
    Some officers here are so tight about security: One of our techs went out to replace a fried power supply. When walking out with the roasted one, one guy asked: "Hey, couldn't there be data on there?" The tech answered a polite "no" with a smile. The guy handed him a pair of cutters and said: "Well, why don't you cut off those wires just to make sure" !! :-D
    /slightly off-topic side note

    --
    -- If you actually say LOL instead of laughing, maybe it's time to go outside! --
  9. The Chinese army... by Trogre · · Score: 5, Interesting

    ... had this problem with military laptops. What to do if they get invaded and need to dump their data before getting captured lest their tactical data fall into enemy hands?

    They tried hotkey combinations, which would trigger a script to delete the hard drive, but they were either too complex to remember, or too easy to accidentally hit.

    In the end, they painted a big red 'X' on the underside of the laptop right where the hard drive sits, and instructed the operator "point gun here".

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  10. Re:Low level it. by Awptimus Prime · · Score: 5, Interesting

    Yeah, back about 20 years ago I got so much stuff doing the same thing. My friend and I had a large moving box full of floppies we recovered, stacks of drives, old backup tapes, credit card numbers, SSNs, vendor statements and account numbers, complete and functional PCs, etc.

    For others who plan on trying this out: Don't worry, dumpsters for your average company are clean with no gross shit in them. Oh, and regarding the police.. Wear nasty looking clothes.. I mean, really look like a dirt bag. If you go looking like geekboy from a middle income family, you'll get a trespassing charge against you. If you look like a rat, they will leave you alone. We only had a couple of run-ins with the cops and tenants. They all went pretty well, as we said we were looking for things to sell at the pawn shop.

    The key, I have found, when performing a social hack is to always pretend like you recognize authority. Cops will quit caring about pointing out your trespass, real fast, when they manage to get a self-esteem boost by picking on a poor person. The little guilty voice in the back of their head will say "Leave the poor slob alone.. AlooOoone!"

    Warning: This will not work if you park your new Volvo next to the dumpster. Park around other cars, if there are any, and be prepared to abandon your vehicle a few hours if you are told to leave by the cops. Oh, and get some strong fabric laundry bags to carry your loot.

  11. ATA/SATA drives can Secure Erase by themselves! by Anonymous Coward · · Score: 5, Interesting

    This guy who does research on hard drive technology gives away a freeware Secure Erase HDDerase utility that just calls the HARDWARE-BASED Secure Erase capability that is ALREADY BUILT INTO all recent ATA-type hard drives!

    We just need to figure out how to get Linux/*BSD/*NIX/Apple/Microsoft to make this an option at the OS or fdisk/format/Disk Utility/Volume Manager utility level so we can all use it easily.

  12. Even the East German STASI ... by Savage-Rabbit · · Score: 5, Interesting

    ... fell on its face on this count. After the German reunification the Bundesnachrichtendienst (German Intelligence service, BND for short) combed East Germany for hard drives because the STASI used to pass used ones on to state businesses and institutions. Apparently they were able to recover a fair amount of documentation this way. But the real score was that they found a set of tapes (the famous SIRA tapes) with backups of, among other things, an index linking agents to the STASI's library of coded agent activity reports which somebody had forgotten to flag for deletion. The problem was of course that the CIA had stolen the directory containing the codename key, i.e. directory of codename=agents-real-name (aka. "Rosenholz" files), before the BND got to it. So now the CIA knew who all the agents were but no more and the Germans knew how to find out what they were up to. Of course the CIA insisted that the BND hand over the database but refused to trade it for the codename key. Last I knew, that request was flatly denied; they have now settled on some sort of tit for tat exchange.

    So the lesson is, after you wipe your disk, DON'T FORGET THE BACKUP MEDIA!

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow