In a dusty plastic bin under my bed lies at least four laptops, six cellphones, and a half-dozen hard drives. I have no idea what’s on any of them. Most of these devices predate the cloud-storage era, and so likely contain solitary copies of photos, texts, and emails, among other confidential files (porn?) that I’d probably be horrified to learn had fallen into the hands of strangers.
In retrospect, I should’ve taken a sledgehammer to my pile of electronic garbage long ago, or maybe tossed it into a burn barrel before soaking the charred remains in a bath of hydrochloric acid. Overkill? Maybe not.
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII)—the bread and butter of identity theft.
Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you’d imagine. “I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600,” he said.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good.
The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver’s license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails. (...)
A similar study at the University of Hertfordshire recent found that more than two-thirds of used USB drives sold in the U.S. and U.K. still contained the data of their previous owners. Out of 100 drives purchased in the U.S., 64 had data that was deleted deleted, but could easily be recovered.
The important thing to remember is that when a file appears to be deleted, it may not be. On a desktop or laptop computer, when a user deletes a file, the operating system mere flags the space that the data occupies as available to be overwritten. Without this, the workflow would get bogged down, as data erasure is actually more time consuming than you might think. Fifty gigabytes of space, for instance, could take up to an hour or more to properly wipe. Unless the space is overwritten, deleted files can be easily recovered.
There are a lot of tools available to help users properly sanitize a hard disk, such as BitRaser and BitBleach. Used properly, these will generally overwrite data thoroughly enough that most commercial forensic data-recovery tools will be fairly useless. (More authoritative methodologies can be read here.) Frantz recommends using DBAN, also known as Darik’s Boot and Nuke.
by Dell Cameron, Gizmodo | Read more:
In retrospect, I should’ve taken a sledgehammer to my pile of electronic garbage long ago, or maybe tossed it into a burn barrel before soaking the charred remains in a bath of hydrochloric acid. Overkill? Maybe not.
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII)—the bread and butter of identity theft.Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you’d imagine. “I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600,” he said.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good.
The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver’s license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails. (...)
A similar study at the University of Hertfordshire recent found that more than two-thirds of used USB drives sold in the U.S. and U.K. still contained the data of their previous owners. Out of 100 drives purchased in the U.S., 64 had data that was deleted deleted, but could easily be recovered.
The important thing to remember is that when a file appears to be deleted, it may not be. On a desktop or laptop computer, when a user deletes a file, the operating system mere flags the space that the data occupies as available to be overwritten. Without this, the workflow would get bogged down, as data erasure is actually more time consuming than you might think. Fifty gigabytes of space, for instance, could take up to an hour or more to properly wipe. Unless the space is overwritten, deleted files can be easily recovered.
There are a lot of tools available to help users properly sanitize a hard disk, such as BitRaser and BitBleach. Used properly, these will generally overwrite data thoroughly enough that most commercial forensic data-recovery tools will be fairly useless. (More authoritative methodologies can be read here.) Frantz recommends using DBAN, also known as Darik’s Boot and Nuke.
by Dell Cameron, Gizmodo | Read more:
Image: Jason Rollette (YouTube)
[ed. And thumb drives and memory cards. See also: Please, for the Love of God, Make Sure You Delete Things Properly (Gizmodo).]
