Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
When it comes time to purchase new computers, how do you decide what to do with the old hardware? This is a growing concern for organizations, particularly when you consider the rate at which new technology makes its way to the market. The problem has even spawned its own buzzword—e-waste.
For many companies, the best solution is to recycle old personal computers, donating them to schools, churches, or other organizations. While this approach is good for the environment, your corporate image, and a worthy cause, that doesn't necessarily mean your corporate security will fare as well.
Donating old desktops to tax-exempt organizations is a great idea, but donating your corporate data isn't. Before donating or trashing your old computers, you need to take several steps to make sure that's all you're discarding.
Unless you've been using your computers to store nuclear secrets, trademark secrets, or some other top-secret data, the following steps should be sufficient to ensure your own corporate secrets stay safe. First, let's look at what you don't need to worry about.
You don't need to crush or destroy the computer's memory. Turning off the computer automatically clears the random access memory (RAM).
At one time, people used to degauss (i.e., neutralize the magnetic field) the computer's monitor to ensure the removal of any remnant images. With today's monitors, however, this is no longer necessary.
If your printer uses a ribbon, you can throw it away or burn it if you're really paranoid. Otherwise, there's no need to disassemble the printer and throw away good ink cartridges.
Now let's look at the area that deserves your concentration—the hard drive. This is the only area that requires special attention.
Several excellent software methods are available that can ensure your privacy regardless of the operating system running on the computer. The best of these offerings is free: Darik's Boot and Nuke (DBAN).
You can download DBAN from the SourceForge Web site. Using DBAN, you can create a floppy or CD-ROM, which you can boot and run on the computer to remove all traces of data on the hard drive.
Let's look at some of DBAN's main features:
- Ease of use: There are no manuals to read. Start your computer with the DBAN media as the boot option (floppy drive or CD-ROM), and press [Enter].
- Compatibility: The boot media includes all SCSI, IDE, and SATA drivers necessary to run on any machine with at least 8 MB of RAM.
- O/S support: It supports all versions of DOS, Microsoft platforms, and all UNIX-based platforms.
In addition, DBAN meets the following disk-wiping standards: Canadian RCMP TSSIT OPS-II, American DoD 5220-22.M, Gutmann, PRNG Stream, and Mersenne Twister. While most of these standards won't mean much to the average administrator, they're the heavyweights of the security industry when it comes to erasing disks.
However, I do have one warning: Depending on the size of your hard drive, it could take significant time to complete the disk-wiping process. But after booting up and running your copy of DBAN, the hard drive will be free of your personal information and ready for donation.
DBAN and others like it do an excellent job of removing information from a hard drive. But could someone still recover that information? In some cases, the answer is yes! However, the time and money that someone would need to spend (we're talking hundreds of thousands of dollars) usually just isn't worth the effort.
That said, if you're super-paranoid about someone retrieving personal information from your hard drive, then drill open the drive, remove the magnetic platters, and grind them to dust. Otherwise, using a good program to erase your drives should be all you need before donating that PC.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.