It doesn’t surprise me that many people fail to understand
the basic workings of computer systems, and yet they can still use them
effectively every day. But it does disturb me that there are so many people
using complex machinery that they know nothing about—or even care to learn.

I’ve generally found that computer users fall into two
general categories: Those who are aware of the components of a computer system,
and those who don’t want to know the details. Of course, knowing the details of
computer systems can mean the difference between a potential issue and a
disaster.

We’re all painfully aware of how many people fall into the
“don’t care” category—those are typically the folks that get hacked
systems, virus or worm infestations, or botched software installations. But
this isn’t the only result of such ambivalence. Another potential issue is
information left on old hard drives.

I’ve avoided selling my old hard drives for this reason. But
I thought most companies were aware of the risks and already used a
data-erasure program such as MediaWiper. If the old data was really sensitive,
I assumed companies would take steps to physically destroy the old hard drives.

I thought everyone knew that deleting a file doesn’t erase
the file data. Of course, we all know that old saying about making assumptions.

After reading a number of articles about the presence of
sensitive data on old hard drives, I decided that I would investigate the
matter myself. I found an older machine with a working IDE hard drive and
installed it into another system as the secondary drive. Then, using the WinHex
program, I started browsing around the drive.

I decided to visit data sectors in the middle of the hard
drive, and sure enough, I found a lot of information. The hard drive was part
of a computer used by a former employee—and I found enough damaging information
that would have led to this employee’s termination long before he quit on his
own.

After looking around for a bit more, I decided I had seen
enough. That was all it took to convince me that there really is a serious
security issue with old hard drives. How serious depends on what’s on the hard
drive itself, but I would say that the majority of companies don’t sufficiently
address this risk.

Organizations replace computers for all kinds of reasons,
and the machines often end up in yard sales, auctions, or local computer
resellers’ shops. Identity theft and misuse of personal information is often an
unexpected consequence of failing to effectively erase the data on old hard
drives. Although this may sound unlikely, it’s even feasible to continue to
read the “signature” of old hard drive data after someone has
overwritten it.

There are a number of free data-wiping utilities on the Internet.
One of the most ingenious programs I’ve found is Darik’s Boot and Nuke (DBAN).

This is a complete, self-contained Linux boot floppy that
does exactly what it says: It erases the data on any hard drive connected to
the system you boot it on. After returning the hard drive that I had inspected
with WinHex to its computer, I booted DBAN, and away it went.

The bottom line: Before you relegate that old system to the
storage room, donate your old home computer to charity, or sell it, use a
data-erasure program to wipe that hard drive clean. If you really want to
destroy the data, you’d be amazed how flat you can pound an IDE hard drive with
a sledgehammer. Haven’t you always wanted to do that just once? If you have an
old hard drive, now is the perfect time.

Miss an issue?

Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
column.

Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.