Precautions When Selling, Trading, or Sending a PC to Salvage
or to a Repair Shop
August 3, 2005
Article by H.D. Knoble as published by Penn State University
Introduction
Sensitive data is confidential, private, personal data on any digital
media. Experience has shown that many if not most PCs to be transferred
out of production still contain sensitive data related to University
business. This includes passwords, employee/student
private and/or personal data, financial, health, banking information,
personnel documents, proposals, contractual records, etc. Thus when
a University microcomputer is sent to University Salvage and Surplus,
transferred between departments, sent for repair, or otherwise
disposed of, such sensitive data on any related media should be
permanently and securely overwritten or destroyed.
Recommendations for Microcomputers
Since manual removal of individual occurrences of sensitive data
has been shown to be unreliable and incomplete, this author recommends
using a professional disk sanitation algorithm
(http://www.versiontracker.com/php/feedback/article.php?story=20035301448520630144)
or wiping tool software that supports the DoD 5220.22-M disk overwriting
Standard (http://www.usaid.gov/policy/ads/500/d522022m.doc)
to completely overwrite the fixed disk(s) of PCs that are being transferred
out of production: sold/traded between departments, sent to University
Salvage and Surplus, or sent out for repair.
Methods (detailed algorithms) to completely and securely overwrite
fixed disks are well documented. For example, see: http://wipe.sourceforge.net/secure_del.html.
An excellent overview and list of software is given at IEEE Secure
Disk Wiping: http://www.computer.org/security/v1n1/garfinkel3.htm
Hard Disk Data Erasure Product Functionality Test results: http://www.veritest.com/clients/reports/redemtech/redemtech.pdf
- If a fixed drive or other media device cannot be sanitized or
wiped, or economically repaired, it should be physically destroyed.
This must not be done by individuals as there can be serious physical
danger involved. DO NOT ATTEMPT TO DESTROY MEDIA YOURSELF; rather
at this point contact Penn State Maintenance and Operations for
this task.
- PCs that contain sensitive/personal/private University data
when sent for repair should either have their fixed disk(s) removed,
or a spare generic-OS fixed disk temporarily installed. On-site
supervised repair may be another option.
- Also, before overwriting a fixed disk, remember to move or back
up (e.g., to CD-R/RW) any valuable data. Also record the PCs' serial
numbers, date, and sanitation method before they are sold or transferred.
You may wish to encrypt such backed up data with PGP; see "Where
to Get PGP" section of http://ftp.aset.psu.edu/pub/ger/documents/pgpmail.html
or use other strong encryption: http://www.pcguardiantechnologies.com/
or physically secure the backed up data.
- After sanitizing (wiping) a PC's fixed disk(s), you should remove
any BIOS passwords (e.g., power up, BIOS administrative passwords).
This makes the system accessible and usable when the unit is again
sold or put into use. Likewise installing a generic licensed operating
system (that came on the PC in question) will enhance its salability.
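The overwrite, verify and record steps recommended above, as an added Python example that is not part of the original article: it overwrites a disk image in three passes, reads each pass back to verify it, and returns the serial/date/method record. The pass order (a character, its complement, then random data), the names `sanitize` and `demo`, and the sample serial are assumptions; the article does not spell out the passes.

```python
import datetime
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB blocks
# Assumed pass order: a character, its complement, then random data.
PASSES = (("character", 0x55), ("complement", 0xAA), ("random", None))

def overwrite_pass(path, size, fill):
    """Overwrite all `size` bytes (fill=None means random); return SHA-256 of the data written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as dev:
        for offset in range(0, size, CHUNK):
            n = min(CHUNK, size - offset)
            block = os.urandom(n) if fill is None else bytes([fill]) * n
            dev.write(block)
            digest.update(block)
        dev.flush()
        os.fsync(dev.fileno())  # push the pass to the medium before verifying
    return digest.hexdigest()

def read_back(path):
    """Hash the whole medium as it reads now, for comparison with what was written."""
    digest = hashlib.sha256()
    with open(path, "rb") as dev:
        for block in iter(lambda: dev.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def sanitize(path, serial):
    """Run every pass with read-back verification and return the disposal record."""
    size = os.path.getsize(path)  # image file; a raw device needs its size queried differently
    results = [{"pass": name, "verified": overwrite_pass(path, size, fill) == read_back(path)}
               for name, fill in PASSES]
    return {"serial": serial, "date": datetime.date.today().isoformat(),
            "method": "3-pass overwrite with read-back verify", "bytes": size,
            "passes": results, "ok": all(r["verified"] for r in results)}

def demo():
    """Wipe a constructed disk image that holds a constructed 'sensitive' record."""
    secret = b"payroll: J. Doe, acct 000000 (constructed sample)"
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * 4096 + secret + b"\x00" * 4096)
    try:
        record = sanitize(img.name, serial="EXAMPLE-SERIAL-0001")
        with open(img.name, "rb") as f:
            return record, secret in f.read()
    finally:
        os.remove(img.name)
```

The image file only stands in for a fixed disk; on real hardware the read-back should bypass the operating system's cache so that it checks the medium itself.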
Other Media and Devices
Finally, in addition to PC fixed disks, floppy and
zip disks, and CDs, there are other media that pose privacy/security
risks. For example, network devices such as routers, and PDAs (handheld
Personal Digital Assistants), can have departmental information stored
as personal data or configuration information. Prior to transfer
or disposal this data or configuration information should be cleared
manually, by someone who understands the device(s) in question.
Some Available Software
Evidence/Local
Activity Eliminator (Windows) and for the Macintosh, MacWasher.
The following software completely destroys (overwrites; wipes)
ALL data on fixed disk(s), including the operating system. Actual
MS Windows and Linux software that support secure (DoD
5220.22-M disk overwriting Standard) complete wiping of fixed
disks may be found at:
Commercial disk wiping software for PCs may be found at:
Solutions for Macintoshes:
For MAC OS 10, boot from the MAC OS 10 Install CD that came with
the system; Choose the ipeInfo Utility to wipe the fixed drive.
This may or may not conform to the DoD Standard.
- OSX FAQ ShredITX
- Norton Antivirus Pro includes the WIPEINFO utility, which can
be activated by booting from the NAV PRO CD.
- WIPEINFO includes the DoD Standard for disk wiping. This will
work for PCs and MAC OS9.
Free PC disk wiping software may be found at:
Making/copying a PC hard disk image: Power Quest/Symantec's Drive
Image or Drive Copy: http://www.powerquest.com/v2i/builder/
Summary
Departmental computer professionals (ultimately Administrative
Department heads) have the responsibility to secure departmental,
college, and University sensitive data. This responsibility includes
following University Policies on Disk Sanitation and data archival,
as well as touching base with related department people, and then
clearing or overwriting all sensitive data on PC fixed disks and
other devices before they are traded/sold/salvaged/repaired.
Acknowledgment
Thanks to Pete Weiss and Todd Litzinger (who heads up the on-going
Penn State Committee on this topic), Penn State Administrative Information
Services for helping to review and improve this document. Thanks
to Bill Verity and Jonathan Siegle, Penn State Information Technology
Services, for Solutions for Macintoshes.
Source: Academic
Services and Emerging Technologies (ASET)