Storage vulnerabilities

The subject line of a recent unsolicited e-mail I received read: “Recover your lost data.” In the message body, I was promised guaranteed data recovery from just about any media, even for volumes with completely damaged or missing directory information. 

Reading further, I learned that the company has only one office. That office is in India. And yes it offers its service overseas, at the great price of $33, roughly 1,500 rupees.

As I zapped that e-mail I asked myself who would ever send media or computers from here to India for data recovery. Even though the price is very competitive, the shipping costs will probably make it just as expensive as doing it locally.

Only later did I realize I was being naïve. The ad wasn't just about data recovery, but about having the ability to obtain data from disks -- disks that may not belong to you. And later, I thought maybe the company is trying to lift personal data about the disk owners themselves in the process of repairing that disk. As you know, erasing a file doesn’t make data disappear; in the same way that throwing a piece of paper into the trash can doesn't make that information vanish. And like digging through the trash, a relatively simple and inexpensive service such as the one offered in the aforementioned e-mail can make data on a disk reappear.

So obviously, any malfeasant wanting to pry into someone else’s computer data would probably choose a foreign, rather than a domestic, recovery outlet for the simple reason that the former is under a different legal system, hence less within reach of local authorities.

Is this paranoia? Not quite. According to a survey commissioned by the FTC, last year’s fraudulent transactions derived from identity thefts amounted to about $50 billion in the United States alone.

It’s very disturbing that 50 percent of the victims don’t have a clue about how the thief acquired their personal data, and that only 25 percent know that a stolen wallet or mail document was the culprit. 

Of course, we cannot blame all those unexplained cases of identity theft on disclosures of computer data, can we? Granted, rummaging through one’s garbage can is probably still the most effective way of stealing a social security or an account number. Nevertheless, trash scavenging will become less attractive as more people start storing personal financial data such as bank transactions on their computers. In addition, to cut costs, many financial and utility companies talk their customers into using online bill-payment systems and renouncing paper-based statements in favor of online versions.

It’s reasonable to predict that in time similar practices will turn user computers, machines that offer little or no data protection, into a gold mine for identity thieves.

The problem is that storage security is an oxymoron: data protection is often deployed as an afterthought across different layers such as OS, general purpose, and point applications. If you remove or bypass those layers by taking out the physical disk or other means, then nothing will stand between the miscreant and your data.

Until storage and PC vendors make some drastic data security improvements, I would suggest thinking long and hard before storing sensitive information on your PC. After all, they are after you even if you are not paranoid.