[ISN] Data dangers dog hard drive sales

InfoSec News isn at c4i.org
Wed Sep 14 04:30:01 EDT 2005


12 September 2005

Many people are taking risks with data on hard drives and memory cards
which they are selling via eBay, say experts.

Letters, resumes, spreadsheets, phone numbers and e-mail addresses
were all found on storage hardware bought and analysed by forensics
firm Disklabs.

Also recoverable were temporary files from net browsers which
contained login details and passwords for websites and even online
bank accounts.

The problems arose because sellers were only taking basic steps to
delete data.

Key change

In its test of how good users were at destroying data, Disklabs bought
100 hard drives and 50 memory cards - which included SD cards, flash
drives, SIM cards and memory sticks - from the auction site.

Simon Steggles, director of Disklabs, said the drives and memory cards
were probably being sold by people upgrading home PCs or changing
their mobile phone.

"Most people made only cursory attempts to erase the data," said Mr
Steggles, "and some had not done even that."

During its investigation, Disklabs found large amounts of personal and
confidential business data on storage hardware.

Most worryingly, said Mr Steggles, it was possible to extract the
temporary files that Microsoft's Internet Explorer browser uses to
keep track of what people do when they are using the web.

With a little work, it was possible to reconstruct almost everything
that some users did online, and to grab cookies and login details for
sites they visited.

"With not a massive amount of work we could go in there and help
ourselves to whatever we want," he told the BBC website.

In many cases, only the delete key was used to remove data. However,
in PCs and many other digital devices all this does is apply a label
that says these sections of storage can be over-written.

On large disk drives this can mean the supposedly deleted data remains
intact for a long time.

In such cases, said Mr Steggles, recovering data is very
straightforward for forensic firms and, perhaps, technically-aware

What users needed to realise, he said, was how hard it was to destroy
data. Even formatting hard drives and other memory cards would not
irrevocably remove information stored on them.

If users were worried about potentially sensitive data, said Mr
Steggles, they should use a professional forensics firm to erase it

"Alternatively," he said, "they could smash it to bits."
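
The delete-as-label behaviour described in the article, as an added example that is not part of the original article: a toy Python model in which delete and format only change allocation labels, so a raw read of the blocks still finds the data until those blocks are overwritten. The `ToyDisk` class, its methods, the file names and the sample secret are all constructed for illustration and do not model any real filesystem.

```python
# Toy model (constructed for illustration): a disk as fixed-size blocks plus
# a file table. Not a real filesystem; names and layout are assumptions.
BLOCK = 16

class ToyDisk:
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK)] * nblocks   # raw storage
        self.free = [True] * nblocks             # allocation "labels"
        self.files = {}                          # name -> block indices

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        idx = [i for i, f in enumerate(self.free) if f][:len(chunks)]
        if len(idx) < len(chunks):
            raise OSError("disk full")
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\0")
            self.free[i] = False
        self.files[name] = idx

    def delete(self, name):
        # Ordinary delete: drop the table entry and relabel blocks as free.
        for i in self.files.pop(name):
            self.free[i] = True

    def quick_format(self):
        # Format in this model: reset the table, leave block contents alone.
        self.files.clear()
        self.free = [True] * len(self.blocks)

    def wipe_and_delete(self, name):
        # Overwrite the contents first, then release the blocks.
        for i in self.files[name]:
            self.blocks[i] = bytes(BLOCK)
        self.delete(name)

    def raw_scan(self, needle):
        # Read the blocks directly, ignoring the file table.
        return needle in b"".join(self.blocks)

def residue_after(action, secret=b"bank-login: alice / constructed-password"):
    # Write a constructed secret, apply the action, then scan the raw blocks.
    disk = ToyDisk()
    disk.write("cache.tmp", secret)
    action(disk)
    return disk.raw_scan(b"constructed-password")

def small_reuse(disk):
    disk.delete("cache.tmp")
    disk.write("new.txt", b"x" * 10)   # reuses only the first freed block
```

Calling `residue_after` with a plain delete, a format, or `small_reuse` reports the secret as still present; only `wipe_and_delete`, or a later write large enough to reuse every freed block, removes it.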
