Protecting Information Privacy When Retiring Old Computers

By Dale L. Lunsford, Walter A. Robbins, and Pascal A. Bizarro

E-mail Story Print Story

This fiasco is not the only incident of confidential information being inadvertently made available through the retiring of old computers. Consider the following cases:

• The Pennsylvania Department of Labor and Industry sold old computers that contained “thousands of files of information about state employees.”
• The consulting firm of Dovebid auctioned off old computers that contained confidential client information.
• A used computer sold in Purdue University’s surplus equipment exchange facility still had a database containing the names and demographic information of applicants to the school’s Entomology Department.
• In Pahrump, Nevada, someone purchased a used computer system and discovered that the prescription records of over 2,000 patients from a local pharmacy were still on the hard disk. Included were the patients’ names, addresses, Social Security numbers, diagnoses, and medications.

It is important for organizations to understand that if sensitive or confidential data are not properly removed from computers prior to disposal, the organizations risk unauthorized information disclosure that can lead to economic loss, a damaged reputation, civil liability, and even criminal liability. Rapid advances in technology have magnified this risk by requiring companies to replace computer systems, both desktop and notebook computers, more frequently. A recent study found that approximately 150 million hard-disk drives were retired in 2002, up from 130 million in 2001. Unfortunately, the techniques most people use to remove information from computer equipment before retirement are inadequate and fail to ensure information privacy.

Areas of Danger

Cyber-criminals generally look for information in five areas of a salvaged computer: deleted files, recovery partitions, configuration files, password storage, and special hardware devices.

Deleted files. When disposing of an old computer, users will often delete all files containing confidential information. Deleting files, however, does not actually remove a file’s information from the hard disk; it only rewrites the metadata pointing to the file’s location. The disk blocks containing the file’s contents remain intact and vulnerable to cyber-theft.

A cyber-criminal will often use file recovery software to undelete files and then examine the contents for confidential information. Even if the computer user has reformatted the disk or removed the drive partitions, the cyber-criminal can use simple, inexpensive unformatting and partition recovery software to recover data considered destroyed.

In addition to user-maintained files, confidential data may also exist in cached files and application-generated backup files. These are files that are often overlooked when retiring old computers. File caches are located in operating system directories or hidden locations to prevent accidental deletion. Many computer users are not aware that application programs often store backup files in the same directories where the applications are located. Most cyber-criminals, however, know exactly where to look.

Recovery partitions. In personal computers, the operating system organizes a hard disk into logical units called partitions. Some data recovery tools, such as IBM Rapid Restore, use hidden partitions to store backup copies of personal files to protect them from unexpected data loss. Because these recovery partitions are generally hidden, users may forget to delete the backup copies of files contained in them, leaving them available to future users.

Configuration files. All software includes a number of configuration options that determine how the software works, which features are available, and other information intended to simplify the user’s life. Microsoft Windows 95 consolidated all operating system configuration information in a central database called the registry; application configuration information is stored in initialization files. Ideally, by putting this configuration information in one database, configuration settings common to all applications need be stored only once, installation of applications is simplified, and the system is more stable.

Unfortunately, the registry and initialization files provide substantial details about the configuration of the hardware, the operating system, and applications, as well as the location of application files and network resources. Consequently, these files serve as a rich source of useful information. More important, information in the registry and initialization files can provide information about the security measures employed by the company and about the organization of files on servers.

Passwords. Many users find it difficult to remember all of the login information (e.g., usernames, passwords) needed to access e-mail, applications, databases, and websites. To relieve users of this burden, many programs allow users to store login information so that they won’t have to remember it. Often the operating system or applications store identifiers and password data in the operating system’s registry or application-specific configuration files. Popular web browsers offer to remember passwords to websites, which can include the password to the company’s intranet. Many applications encrypt passwords, but developers often do not use strong encryption techniques to protect passwords. If the encryption technique used is weak, or the user selects a poor password, cyber-criminals can use password recovery software to access sensitive information.

Special hardware devices. Hardware installed in a computer can provide a cyber-criminal with important information about the network architecture and security measures used by a company. For example, a wireless network card or authentication hardware might alert a cyber-criminal to special security measures or encryption keys.

Preventive Measures

Measures can be taken to prevent future users of retired or discarded computer systems from accessing a company’s sensitive or confidential information, as well as information about its network architecture and security measures. Individual users can use this process when moving to a new computer. An information technology department can implement the process as a standard procedure each time the department retires a computer from service. The process consists of four steps: archiving of data; file transfer; sanitization; and hardware removal. (See the Exhibit.)

Archive data files. The first step is to make a backup copy of all data files contained on the computer. This task can be difficult because of how applications store data. By default, most Microsoft applications store files in a directory called “My Documents.” Other applications use this directory, create their own directories, or save files to the location where the application is installed. Because files are located in different areas on the hard drive, tracking them can be a challenge. Backing up files can provide an occasion to reorganize data storage in a more efficient way. When backing up files, use a disk-imaging program to make a copy of all files to a high-capacity removable disc (e.g., a CD or DVD). Applications for performing this task include Norton Ghost, Paragon Drive Backup, Novastor InstantRecovery, and Acronis True Image, as well as other commercial, shareware, and freeware products.

File transfer. After backing up the files, the next step is copying them to the new computer. There are packages that provide all of the software and hardware necessary to transfer all computer settings and data, along with personal files and folders. Once the copy process is finished, all files, including operating system files, must be deleted from the old computer. Deleting is only the first step, however; the computer drive must now be sanitized.

Sanitization. Sanitization is the process of wiping clean all data stored on a computer hard drive. There are three methods for sanitizing a computer: disk shredding, disk degaussing, and disk wiping.

Disk shredding. Disk shredding is the process of physically shredding a disk to render it unusable. This method is the most secure way of destroying data on a disk, but it requires a technician with special equipment to carry it out.

Disk degaussing. Disk degaussing is the process of exposing the disk to strong magnetic fields to destroy its contents. This method eliminates any data still on the disk. A technician must disassemble the disk before degaussing it, using special equipment that can damage or destroy other components if improperly used or stored. The disk must also be reformatted by a manufacturer before reuse.

Disk wiping. The final method, disk wiping, sanitizes the hard disk by removing its current data and replacing it with random characters. Using this method requires special but inexpensive software. The method is appropriate for most kinds of data, though perhaps not top-secret information. It can be performed by most users or in-house IT personnel.

As shown in the Exhibit, disk wiping consists of two major steps: booting the computer from a diskette, and wiping the disk clean. Before starting the disk sanitation process, all necessary files must be successfully copied either to a new computer or to a permanent archive.

Microsoft Windows and other operating systems generally do not permit the deletion of critical operating system files. Deleting these files requires booting the computer from a diskette. In some cases, the disk-wiping software includes a utility to create a bootable diskette with all of the necessary software; if not, Windows can format a diskette as a start-up disk. The instructions included with the wipe-disk product selected should identify any files that must be copied to a start-up diskette. (This disk should be clearly labeled so that it is not accidentally misused on an active computer.)

After the computer has been booted from the diskette (not the hard drive to be erased; most machines will automatically boot from a start-up diskette if one is inserted), the wipe-disk program must be run. Wipe-disk programs are generally either command driven or menu driven. Either way, the user will have to specify the drive to be wiped. The time required for the program to execute the wipe can vary substantially depending upon the age and capacity of the drive.

Remove sensitive hardware. Because the disk-wiping program removes all files from the computer—including data files, applications, and operating system files—this significantly reduces the likelihood of a cyber-criminal gaining access to sensitive information. For extra security, the IT department should remove any add-in hardware related to the company’s local area network and security systems before disposing of the computer.