CASEScontact - solutions, tools & skills against latest security, cybercrime, hacking & malware threats
Just the facts
     
Title   CASEScontact.org guide - protecting data confidentiality and privacy by disposing of an old notebook, iPod, smartphone & memory stick the smart way
Description   The complete guide for removing, deleting and wiping all data from your notebook, hard-disk, cell phone or mobile - free tools and checklist for achieving legal compliance
CyTRAP LABs ID   CT210018
Date   2006-04-05
Systems affected  
  • Windows/2000/NT/XP etc.
  • Mac OS 10.xx (Jaguar, Panther)
  • iPod - including iPod Shuffle and the iPod Nano
Version number   1.0
ISSN   1603-9866
Verify tip   http://casescontact.org/tips/210018
Risk assessment   High
Impact/Severity   High
Audio/Podcast files   CyTRAP PodCast show - Protecting your digital assets - Wednesday, April 5, 2006 (available in 72 hours)
 

 

What's up?
     
   
Real life scenario Internet & PC scenario
What is the threat or vulnerability?    
In the good old days at the office, whenever confidential papers were no longer needed, we put them through the paper shredder.

At home, we may recycle newspapers, but when it comes to bank statements, we put them through a shredder or else rip them into as many tiny pieces as we can.

Thereafter, we put them in the garbage. If we are a bit careful, we might even try to distribute the pieces amongst several garbage bags. This will make it even more difficult for a nosy person or a criminal to ever figure out what information was printed on our bank statement.

Today, things are vastly different because more than 90% of our documents are probably in electronic form (even our bank statements) and over 75% we will never ever print. Or put differently, when was the last time you printed an e-mail message? So what are we supposed to do with our most personal e-mails, pictures, love letters and business documents, all stored on our smartphone, notebook or home or office PC, once we decide to get rid of the equipment, i.e. recycle it?

We may decide to recycle the PC by bringing it to a store that sells such equipment (many European countries allow users to get rid of equipment this way). Or even better, we may donate the computer to our favorite charity or local school. How can we make sure that no confidential information can be restored from the PC's hard drive, memory stick or external disk?

 
 

Problem & Solution
     
Admin  

4 golden rules for getting the most out of our tips:

  1. except if you are on CASEScontact.org, click on the URL or link above to make sure you have the latest version in front of you - to reduce your inbound traffic we do not always send updates unless they are REALLY necessary,
  2. browse the tip and check for FREE tools (below) ... invest 10 minutes it's definitely worth your time,
  3. do something good today, share the tip with one of your friends, because she will probably appreciate the help and support you have given her by doing this and finally,
  4. unless you got this via e-mail, how about doing yourself a favor while making your life a bit less complicated by subscribing yourself to receive these tips via e-mail - you will be glad you did.
PS. Save time and hassle by using an e-mail address that you can access from home and that you will still have after you change employer or complete your university studies.
     
What does it mean to me? Am I vulnerable?  
So why should you care about security when you intend to get rid of a hard disk, memory stick or PC anyway? Because: With little effort you can protect yourself against the risk of identity theft, privacy violations and other hassles because of data and information found on the storage device you threw out or donated to a charity (e.g., imagine somebody discovers your private phone list on your cell phone and starts harassing your friends?).

  1. The threat may come in a variety of forms; for instance, another person may discover some confidential files that you forgot to delete properly before you donated the equipment.

  2. The vulnerability is that such mishaps can happen to all of us. Unfortunately, when we delete a file from a storage device it is not really deleted. Paris Hilton recovered her SMS messages and her address book with the help of a CASEScontact tip. However, in some cases Paris Hilton may want to make sure that her pictures have actually been deleted from a storage device (e.g., her mobile phone); this tip provides the tips and tricks that help her and you do this properly.

  3. The impact is severe, since a person might get access to the email you sent to your lover a while back, as a husband found out during divorce proceedings in Florida.
Moreover, identity theft may occur based on the information recovered from a piece of equipment you could have sold on E-bay or Riccardo.

Removing personal data from hard drives is a haphazard affair. Estimates vary, but data are erased from less than a quarter of discarded PCs. Moreover, purchasing used equipment on the eBay auction website reveals that about 60 per cent of the memory cards and 40 per cent of hard drives still contain data that can be recovered quite easily. Hence, the next user may discover your personal letters, CV, phone numbers, email addresses, temporary files from net browsers which contain login details and passwords for websites and online bank accounts, and so on. So better safe than sorry.

     
If I fix the problem - will it help me?
How
 
Please remember, a deleted file or picture is essentially an area on a disk or memory stick designated as free and ready to accept data (such as contents of some other file or picture). Unfortunately, unless the area has already been overwritten, it still holds the contents of the deleted file. Due to this fact it is possible to undelete files or images which could be embarrassing to say the least.

Moreover, even reformatting your hard drive will not be good enough to make sure that all data you ever stored are truly gone and cannot be recovered by somebody trying hard enough (electronic evidence must be destroyed thoroughly and properly to avoid litigation).

     
How can one describe the solution?  

CASEScontact.org advises taking necessary steps until you are confident that all data that you don’t want to be passed on to someone else is removed.

For financial, health care or defense industries, however, destroying the media should be mandatory because it is really the only way to completely ensure that data cannot be recovered from it.

For private users and small- and medium-sized enterprises (SMEs) such a drastic step is not necessary. Follow the steps outlined below and good use can still be made of discarded hard drives by charities.

     
Does Microsoft offer me a solution?  
There is not a specific solution offered by Microsoft but several options are open for machines running on Windows, of course.
     
Where can I get more help?  
If you want a more detailed description about what file shredding is and how it works if it is done properly, please see here:
 


What is the solution to this problem ?
     
Tip 1   The CASESContact.org - WinCurity blog addresses the danger with cell phones, regarding privacy and identity theft or what people can find once you have thrown away the old piece of equipment. So reduce the risk and follow these hands-on suggestions:    
     
Tip 2   This is our FIRST choice for doing the job for your PC, memory stick, etc.:
     
Tip 3   Another 3 software tools that can do the trick:   
 


Take another 2 minutes - More tricks to safeguard your information better
     
Tidbit 1   Once you have deleted all the files, directories and pictures properly, however, three additional steps must be taken, in order to make this computer a useful tool for your charity. These are:
  1. re-format the disk properly as suggested in CT210005: CASEScontact.org tip: New PC or Hard Drive - Partitioning - Improve Performance and Security in Windows XP 2005-03-15
  2. re-install all software which you will pass on including Windows Operating System (OS), Office, etc. and
  3. do not forget to pass on the CD including the covers with the license numbers (why not - since you purchased these but will most likely pay for new versions when you purchase your new PC or cellular phone - so why waste it?), a computer without an OS and the necessary software licenses is not of much use, is it?
   
Tidbit 2   Darik's Boot and Nuke is an Open Source program that's used to construct a floppy disk or CD that will automatically wipe all hard drives of any PC booted from the disk. This is a great tool for bulk disk cleaning of PCs. It is also very useful as an emergency tool for quickly removing sensitive information so be careful: The disadvantage of Darik's Boot and Nuke is its greatest advantage. Accordingly, all these features can make things dangerous in the hands of beginners. In most cases, if you use the Tools listed under Tip 1 and 2 (see above), these will do the job for you.

   
Tidbit 3   For Apple users: Apple Computer's OS X has a built-in feature called:
  • Secure Empty Trash.
Using this option will make sure the information has truly vanished.

   
Watch out   If you use an iPod - what can you do?

Like with a PC, if you do not want your friends' addresses and phone numbers in an easy-to-access form on your iPod, disable that feature in iTunes (Win or Mac) and iSync (Mac only). Same goes for pictures and calendars.

To be sure the data is gone, WIPE it. Access it as a hard drive and delete all the files on it. Then use a wiping utility (Apple's Disk Utility, or WinPT) and then you should be okay.

A single pass of filling the drive with 1's & 0's is a good start; doing it three to five times is better. Anything overwritten cannot be read by the HD's own read head. To figure out what was there before being overwritten requires an electron microscope or similar specialized equipment to read the disk directly.
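The overwrite-before-delete idea described above, as an added Python example that is not part of the original tip or of any tool it names. The function names, the pass order (zeros, ones, random) and the sample file content are assumptions made for this illustration; the in-place overwrite only reaches the original blocks on media that rewrite data where it was, which flash devices with wear levelling (memory sticks, SSDs) do not guarantee.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024                    # write in blocks; large files need not fit in RAM
PATTERNS = (b"\x00", b"\xff", None)  # assumed pass order: zeros, ones, random


def overwrite_file(path, passes=3):
    """Overwrite the file's existing bytes in place; return its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:        # r+b: update without truncating
        for n in range(passes):
            pattern = PATTERNS[n % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                step = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(step) if pattern is None
                         else pattern * step)
                remaining -= step
            fh.flush()
            os.fsync(fh.fileno())        # force this pass to the device
    return size


def wipe_and_delete(path, passes=3):
    """Overwrite first, then remove the directory entry."""
    overwrite_file(path, passes)
    os.remove(path)


def demo():
    """Constructed sample: a temp file holding a made-up 'bank statement'."""
    secret = b"ACCOUNT 000-CONSTRUCTED-SAMPLE BALANCE 1234.56"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 100)
    size_before = os.path.getsize(path)
    overwrite_file(path, passes=3)       # last of three passes is random data
    with open(path, "rb") as fh:
        leftover = fh.read()
    wipe_and_delete(path, passes=1)
    # (secret still readable?, same length?, file still exists?)
    return secret in leftover, len(leftover) == size_before, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

A plain delete skips the overwrite step and only removes the directory entry, which is why the freed area still holds the old contents until something else is written there.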

   
 


CYTRAP resources - check it out - because it will help you better protect yourself
     
Additional risk minimization   Legal Compliance

For corporate users, file-disposition and -retention policies should be based on the degree of active reference and long-term value of the data.

Typical compliance requirements will generally involve the following features and functions:

  • file-level retention period,
  • file disposition/shredding after retention period,
  • proof of no missing file - this means serialization and time stamp is a must,
  • privacy with encryption, and user-access audit-log

A good explanation of what legal compliance means and what shredding techniques are used is given by:


Administrative
     
Author   Urs E. Gattiker - CyTRAP Labs
     
Revisions  
  • 1.0 - 2006-04-05 - First Version
  • Contact details   Web: http://CASEScontact.org
    E-mail: support01@CASEScontact.org

    Tel: +41(0)76-200-7778 or + 44(0)70-9237-6036
    Fax: +44(0)70-9237-6036, dial 3 send fax
     

    --END of ADVISORY - Important Info Below--
     
    We recommend that you VERIFY ALL ADVISORIES you receive IMMEDIATELY, by clicking on the link provided at the top of this alert.

    NO WARRANTY
    Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.

    CASES writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
    Full DISCLAIMER notice at: http://www.casescontact.org/terms.php

    QUESTIONS, comments, ideas? Cheer us up at:Tips-Comments at CASEScontact.org

    CASEScontact.org -- Threat Alerts and Security Notices --clear and precise, no compromise -
    --currently hosted by Flashcable

    -- END of TIP & Tricks ADVISORY--
    Copyright (c) 2007 by CyTRAP labs - Urs E. Gattiker. All rights reserved.