Are <i>we</i> the weakest link?
So many people seem to be paranoid about computer security. But, argues Peter Cochrane, they may be getting their priorities all wrong. The human race seems to pay attention to security in inverse proportion to the value or the risk involved. People will worry about their telephone and mobile phone calls being tapped and their email being intercepted, while installing a three-lever mortise lock on their $500,000 house to save $30. More foolishly they leave their car in the drive with the keys still in the ignition. Perhaps it is a basic human failing to worry about the wrong things. A recent report cited two students at the MIT Laboratory of Computer Science who had purchased 158 disk drives for a scrap value of less than $1,000. Examining the drives they found more than 5,000 credit card numbers, numerous medical reports, corporate and financial information from a myriad of sources, personal email and an unmeasured amount of pornography. Individuals and corporations just remove hard drives and scrap systems without taking the trouble to recover or clean out their data. For less than $1,000 two students recovered sufficient information to keep them in the blackmail and coercion business for decades – had they been dishonest, that is. Instead they published their results in a professional journal (IEEE Security and Privacy, Jan/Feb 03) to bring this lunatic practice to light. They concluded that buying any 10 drives on the used market sees a 30 per cent chance of finding confidential and useful information. This is staggering. It is also a huge opportunity for dishonesty. What a great advertisement for human fallibility and stupidity. Hard drives are expanding their capability far faster than RAM or data processing and people are increasingly installing additional hard drives or upgrading before they trade in their old box. In just one year the standard PC purchased on the high street has moved from a 60GB hard drive to 120GB at more or less the same price. But 160 and 200GB are also available and soon they will be the norm. The opportunity presented to the criminal is getting bigger very fast. There is plenty of software to scrub and clean out hard drives before discarding them but if they have become worthless or such a security risk that a software scrub still leaves you feeling nervous, it is well worth locking old drives in a secure safe. Alternatively, data eradication with large hammer works well and ensures 100 per cent security (if done properly). These students found that 129 of the 158 purchased disks were still functional and 28 had seen no attempt to erase any information. One drive had been recovered from an ATM with one year's worth of financial transactions recorded. This is insane, irresponsible and a far greater risk than online examination by some unseen electronic burglar. It would appear that most do not realise that when they drag a document or a folder into the wastebasket or hit delete, it only removes the document header and the data remains on the disk undamaged. To remove the data requires a secure delete application of which there are numerous on the market including: Cyber Scrub, Data Gone, Eraser, Secure Clean and Wipe. Defragging will achieve a similar end but it is worth checking by using and un-delete utility or disk doctor/toolbox type application before discarding. My personal policy is to retain all hard drives in a fire-proof safe. After five years my inclination is to put them under the hammer and dispatch them as scrap rather than trying to re-use. After that time they offer an insignificant storage capacity compared to their time of purchase. I have no idea why people and organisations are so lax about security but there is a tendency to assume someone else is taking care of the problem. The reality is we all have a responsibility to not only look after our own information and data but that of those around us too. If you are using a PC on a broadband network you need to install a hardware or a software firewall to prevent attacks and potential damage. There seem to be thousands of web crawlers out there and I see tens of hits on my home network every day. For corporate networks with even more bandwidth and a huge potential for meaningful theft and damage, I suspect it is even greater. If you have no firewall I recommend you install one and if you have a firewall it is worth keeping the software up to date. Cyber-criminals never sleep and never stop in their efforts to encroach into our data world. To date there has not been a single instance of anyone, anywhere having their credit card number maliciously used after being intercepted over the net. Every recorded instance of card crime involves the intervention of a human being at the beginning or end of the process - looking over a shoulder at an ATM or taking a copy of the card and signature at a restaurant or making a spoof transaction. The discarding of a hard drive full of data or indeed any other document, electronic or paper gives the dishonest a wonderful opportunity to perpetuate even more card crimes. So far the net appears to be the safest environment we have created for finical transactions but like our homes and automobiles we ought not to jeopardize that safety by being foolish. This column dictated to tape and physically collected from my home. My PA typed and despatched it via a DSL connection. I picked it up in Singapore over a conference Wi-Fi link. It was edited and dispatched to silicon.com on a wideband connection from my hotel bedroom later that same day. What do you think? You can contact Peter by emailing firstname.lastname@example.org . Peter Cochrane is a co-founder of ConceptLabs CA, where he acts as a mentor, advisor, consultant and business angel to a wide range of companies. He is the former CTO and Head of Research at BT, as part of a career at the telco spanning 38 years. He holds a number of prominent posts as a technologist, entrepreneur, writer and humanist, and is the UK's first Professor for the Public Understanding of Science and Technology. For more about Peter, see: www.cochrane.org.uk . For all Peter's columns for silicon.com, see: www.silicon.com/petercochrane .