Dumpster-diving for e-data

Discarded flash drives, laptops, and PCs could be leaking critical information to a competitor

Dumpster-diving -- going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans -- is alive and well in the age of USB flash drives and portable music players.

Every user who throws away (or loses) a keychain-size flash drive could be unintentionally leaking critical information to a competitor. Any of the tens of millions of desktop and notebook computers disposed of each year in landfills, junkyards, and yard sales could be a rich trove of corporate data left on a hard drive by lazy users or IT departments.

Dumpster-diving remains "an extremely effective way of gathering a lot of information quickly," says Dennis Szerszen, senior vice president at patch management and security software vendor PatchLink. "It's become even more of a threat with the added dynamic that removable media brings to the table."

But any IT manager who lets sensitive data get out the door into the trash can -- or anywhere else PCs or mobile devices are disposed of -- has only himself to blame. Tools ranging from low-cost or free disk-wiping software to low-cost encryption and more-expensive "disintegration" machines for disk drives are available for any IT manager with the will and awareness to use them.

Risk factors

"Dumpster-diving" originally referred to going through the trash looking for paper records that might hold valuable information such as customer names, product plans or budget projections. Paper records still pose a challenge, of course.

As an estimated 50 million or more PCs, notebooks and servers are disposed of each year, the information they hold also poses a new and growing risk for their former owners. New portable storage devices, such as USB flash drives and portable music players, can store gigabytes of data and make it easier for a disgruntled insider to download and walk out the door with sensitive information. Moreover, handheld computing and communications devices such as BlackBerries and PDAs can, via e-mail, funnel sensitive data out of the organization -- or let viruses or other malware in.

Converge Global Trading Exchange in Peabody, Mass., offers an IT asset disposal service called NextPhase. Chris Adam, director of NextPhase, says "the hot topic now is portable devices, BlackBerries and other PDAs, cell phones and even USB drives. We get requests all the time [asking] 'How do we secure those?'"

Lines of defense

The easiest, least expensive technology for protecting digital information is encryption. Observers say modern encryption software is inexpensive and easy to use and is capable of protecting virtually any organization against the theft of data on devices after they are disposed of -- or if they are lost or stolen.

Among the vendors offering free or low-cost encryption are TrueCrypt Foundation, PGP, and Voltage Security, according to Paul Kocher, president and lead scientist at Cryptography Research, a security consulting and technology licensing firm in San Francisco. "In a lot of cases organizations already have the software they need," he says, citing the BitLocker encryption included in some versions of Microsoft's Windows Vista operating system. "It's just a question of getting the configuration right and the policies right and training users."

"Encryption," says Szerszen, "is far too available not to be making use of it."

Kocher notes that modern notebooks and desktops are powerful enough that encryption won't significantly slow down other applications. The larger obstacle, he says, is that encryption creates "one more password for somebody to remember," and that the IT staff must create processes to recover encrypted data "if somebody loses their password or leaves" the organization.

Encryption is so widely available and easy to use that the loss of unprotected data "speaks loud words" about the IT policies of the company involved, says Neel Mehta, team leader of X-Force Advanced Research & Development at IBM Internet Security Systems. His group strongly recommends that its customers encrypt sensitive data wherever it resides, whether it's at rest on a hard drive or being transmitted over a private or public network.

To prevent, or at least detect, insider data theft, many vendors offer software that can restrict the use of physical ports on a computer or even dictate what types of files users can download to which types of devices.

USB-Defender from TriGeo Network Security, for example, detects the insertion of devices such as flash drives into USB ports, captures details about the device and logs every file copied to or from the device, according to a company spokesman.

Jeff Fuhler, information security officer at the Nevada Office of Veterans Services, uses Sanctuary device control software from PatchLink (formerly SecureWave) to protect sensitive information. Because Windows will automatically configure portable storage devices such as USB drives, allowing them to upload or download data, he has configured Sanctuary to deny access to such mobile storage devices except for users to whom he has specifically granted access.

Credant Technologies' Mobile Guardian provides server-based control over portable devices, enforcing policies covering areas such as what data can be transferred to or from the devices and the strength of the encryption and the passwords used on them.

Mobile phones and PDAs such as BlackBerries also pose a risk because of their ability to receive and store e-mail. But observers say most of them support encryption and note that administration tools allow administrators to automatically deny access or even wipe the data from them if anyone repeatedly enters an incorrect user name or password.

End of life protection

After a device is disposed of, the Dumpster becomes the greatest risk. Depending on the sensitivity of the data on the drive, IT managers can rely on anything from low-cost manual processes and commercial software to physical destruction to be sure no data can be taken from a disposed-of device.

As most IT managers know, simply reformatting a hard drive just erases the directory information that indicates where data is stored, but doesn't erase the data itself, says Kocher. A wide variety of tools, ranging from freeware and shareware to commercial software, do an effective job of wiping data from hard drives. Just completely filling a drive with meaningless data does "a reasonably good job of erasing the content," says Kocher. Some users pass a powerful magnet over a disk drive (or magnetic tapes) to scramble the magnetic orientation of bits and bytes that stores the actual data on the media in a process known as degaussing.
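The difference between reformatting and overwriting described above, shown as an added example that is not part of the original article. It uses a constructed toy disk image in which block 0 stands in for the directory; the layout, the sample records and the function names are assumptions made for illustration.

```python
import os

BLOCK = 512  # toy geometry for a constructed image, not a real filesystem

def make_image(files, blocks=64):
    """Block 0 is the directory (name:start:length); data starts at block 1."""
    img, entries, nxt = bytearray(BLOCK * blocks), [], 1
    for name, data in files.items():
        img[nxt * BLOCK : nxt * BLOCK + len(data)] = data
        entries.append(f"{name}:{nxt}:{len(data)}")
        nxt += -(-len(data) // BLOCK)  # round up to whole blocks
    table = "\n".join(entries).encode()
    img[: len(table)] = table
    return img

def list_files(img):
    """What the operating system shows: only what the directory points at."""
    table = bytes(img[:BLOCK]).rstrip(b"\x00").decode()
    return [line.split(":")[0] for line in table.splitlines()]

def quick_format(img):
    """Reformat: reset the directory block, leave every data block alone."""
    img[:BLOCK] = bytes(BLOCK)

def overwrite_all(img):
    """Wipe: fill the whole device with meaningless (random) bytes."""
    img[:] = os.urandom(len(img))

def residual_blocks(img, marker):
    """Verification scan: blocks of the raw image still holding the marker."""
    hits, pos = [], img.find(marker)
    while pos != -1:
        hits.append(pos // BLOCK)
        pos = img.find(marker, pos + 1)
    return hits

def demo():
    marker = b"ACME-CUSTOMER-LIST"  # constructed sample record
    img = make_image({"customers.csv": marker + b",alice,bob\n",
                      "plans.txt": b"constructed product plan\n"})
    before = list_files(img)
    quick_format(img)
    after_format = (list_files(img), residual_blocks(img, marker))
    overwrite_all(img)
    after_wipe = residual_blocks(img, marker)
    return before, after_format, after_wipe

if __name__ == "__main__":
    print(demo())
```

After the reformat the file listing is empty, yet the read-back scan still finds the record in block 1; only the full overwrite clears it. A scan like `residual_blocks` covers only the blocks the host can address.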

For data whose loss would be catastrophic, the ultimate step is to physically destroy the drive, including the magnetic platters that hold the data. NextPhase can reduce hard drive platters to fragments of a quarter inch or less. That's the minimum size, says Adam, from which a really determined expert could still retrieve data. "We call it disintegrating, as opposed to shredding," he says. "It comes out looking like cereal." The cost of such destruction: $4 to $15, depending on whether the customer wants NextPhase to record the serial number of the drive and document its destruction. The company can also destroy PDAs and personal communicators such as BlackBerries.

When it comes to USB or flash drives, filling the device with junk data and deleting it is enough to stop a casual hacker, says Kocher, but a more sophisticated adversary might be able to find data in a memory sector that is marked as bad or that is stored as part of the error-correction code in the device. Physical destruction may not be the ultimate answer for discarded flash drives, he says, because the chip within the drive that holds the data is quite small and might escape even a thorough shredding.

Before disposing of server hard drives that held sensitive information, Fuhler uses a commercial product to erase data from them. Before disposing of the RAID arrays, he "scrambles" the physical location of the hard drives, which makes any surviving partition tables useless. He then reformats the RAID array and reinstalls the operating system to prepare it for the next agency within state government that will use the array.

The human factor

Whatever you do to prevent Dumpster-diving, any security policy that gets in the way of users doing their jobs simply won't work, says Richard Stone, vice president of marketing at Credant Technologies, a mobile data protection software vendor in Addison, Texas. "A security process that says 'don't plug in USB drives' is not realistic," he says. A realistic policy, he argues, is one that allows users only to attach USB drives to devices that are protected by control software such as Credant's.

Finally, says Kocher, "the most important thing isn't even technology." Rather, he says, "it's making sure you hire people you trust and you educate them properly." He points out that 40 percent of security breaches are caused by current or former employees rather than outside hackers. And if malicious employees have access to sensitive data, he says, "there's not really any technical solution you can rely on to ensure nothing bad ever happens."

In other words, no matter how finely you shred your old hard drives, he says, "if you have a culture where employees are unhappy, that is a security threat."

This story, "Dumpster-diving for e-data" was originally published by Computerworld.

Copyright © 2007 IDG Communications, Inc.