Unclean Military Hard Drives Sold On eBay

An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay. The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.' Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."

Unclean?

[Nerdfest]

I guess we'll need to format them in a purifying fire then.

DoD wiping standards

[mati.stankiewicz]

"which I believe is wiping the whole disk and then writing 1010 all over it."

Taken from DoD 5220.22-M Wipe Standard:

"[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."

Financial Firms Do the Same

[__aajwxe560]

I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.

So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.

Little OT Anecdote

[rodrigoandrade]

I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.

What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.

Re:Unclean?

[auric_dude]

Or use http://www.dban.org/node/68 [dban.org] - good enough for The Government Of Canada so good enough for these disks?

Re:Scary that they sold the disk at all

[s0litaire]

i'd use "dd if=/dev/urandom of=/dev/sda" Urandom is slower but better..

For Highly Classified Data, it's more than a wipe

[sirwired]

I worked in a highly classified facility once. The wipe "standard" was to hire a lowly intern (such as myself), remove the platters from the case, take them out back, and sandblast them. The agencies scientists had decided degaussing wasn't good enough.

SirWired

Re:Scary that they sold the disk at all

[rongage]

Modern drives have "servo tracks" on them - used for setting the head position. If you use an eraser powerful enough to wipe the drive, then the servo track is most likely also wiped - rendering the drive totally useless to most folk.

How to dispose of SECRET media

[Anonymous Coward]

First, everything that is SECRET must be serialized and fully accounted for at all times. Paperwork must be done when it is decommissioned.

It must be physically destroyed. If it's a CD, then it must be broken or otherwise scratched to the point where reading any data off it becomes not only unlikely, but impossible. Fire is good.

Hard drives (I had one fail on my in Iraq) must be double packaged, clearly labeled SECRET, and escorted by authorized personnel the entire way to somewhere a lot higher than the infantry battalion I am in to get properly destroyed.

Since it's got Lockheed Martin employee information on it, it's a Lockheed Martin hard drive, and their accountability is probably not as demanding as the Marine Corps...probably a guy in the tech department wanting to make some extra money.

Does the IRS do it better or worse?

[BenEnglishAtHome]

I work for the IRS and we supposedly use the DOD standard. Our wiping software actually has a "/DOD" switch. However, unlike the standard quoted in another post, our software just reinitializes the MBR and then does 7 random overwrites. Is that better or worse than writing patterns? I dunno.

I do know, however, that we never let a drive out of our inventory without a wipe. If the drive has failed completely, we have a big magnetic blanker we use. (Local option - in my office, we then take those drives apart, abuse the platters, and one of our techs makes sculptures from them. Neat stuff.)

As an aside, we never RMA drives, either. If a drive in our possession fails, we call for a warranty replacement and send back in the return box a signed statement swearing that we destroyed the old drive. If a laptop has a failure that requires a contractor tech to replace parts, we make them come on-site then have someone stand over them the whole time to make sure they don't try to actually read anything off the drive.

I would expect the military to do at least as well. Am I wrong?

Re:Scary that they sold the disk at all

[A beautiful mind]

You've got it backwards. Urandom reuses the entrophy pool, so it will not block, but will be slower. /dev/random is the real deal.

Re:Scary that they sold the disk at all

[samos69]

Yup, we just purchased a Verity degausser to wipe some drives before donating them to charity and have found that the servo track is wiped and they become completely useless... £1800 wasted, but it's damn fun to wipe things with!

Re:Unclean?

[Nimey]

Since you apparently don't know what you're talking about: the 35-pass wipe is bullshit, and even the author says so.

http://en.wikipedia.org/wiki/Gutmann_method#Criticism [wikipedia.org]

Essentially some of those patterns are specifically for obsolete MFM drives, and others are specifically for equally obsolete RLL drives. Nowadays you should just use random patterns, and even the DoD is fine with 7 passes.

Re:Scary that they sold the disk at all

[multisync]

i'd use "dd if=/dev/urandom of=/dev/sda" Urandom is slower but better..

If you have access to dd, you probably have access to shred. It makes several passes using different patterns (25 by default), and has the option of zeroing the drive on the last pass. I believe it meets DOD standards. I'm not sure how effective it is with slack space, which often holds recoverable data even after running utilities that are supposed to wipe data off drives, but dd wouldn't be any better.

This doesn't make sense...

[LoneAdmin]

I worked for a government contractor at Tinker AFB in Oklahoma back in 2005-2006. I was on a contract doing server/desktop support for a wing on the base. Whenever we had a failed drive in a desktop, laptop or server there were certain protocols that we had to follow to make sure the data was compromised. We had to remove the drive and then take it apart completely. Once it was dismantled we had to scratch the platters to make sure they couldn't be reassembled in a different drive. I was also in on a server upgrade and they were going to sell the old server in a surplus auction. We were told to run a wipe of the drives and then REMOVE THEM because DOD regulations stated that the drives couldn't be sold at all. Then we had to destroy the drives in the same way I described above. Obviously this situation is someone not doing their job or just taking drives to make money.

Re:I have to wonder

[MikeBabcock]

First off, blackmail doesn't hit the news, that's the whole point. You tell the company what you've got and threaten to use it against them and get paid off.

Personally I wouldn't blackmail a defence contractor, all things considered but there are those with larger gonads than I though.

Secondly, a lot of criminals go with what they're good at. Just because a new avenue of crime exists doesn't mean it will be taken advantage of immediately.

Just think how long the Internet was a big open place before we started getting inundated with scams and before online database theft started hitting the news.

It seems to me that you give criminals way too much credit, and should also take security more seriously.

Re:DoD standards

[Sancho]

Note that document only covers unclassified data.

Re:Scary that they sold the disk at all

[Anonymous Coward]

Every single-pass pattern is "predictable": Just read it. In fact, if you can recover data from a single pass wipe, you also have the generation before the current data, so you can theoretically recover data further back. The patterns don't matter. What matters is the signal to noise ratio.

Dedicated forensic experts can read overwritten data

That is a myth. Granted, there is a theoretical possibility due to magnetization processes not being 100%, tracks having widths and heads not always being in the same position over the track. If you believe in any of these effects making recovery of overwritten data possible, then the number of overwrites is just a matter of how paranoid you are. If that possibility bothers you, your adversaries must have technology which is unavailable to all commercial data recovery businesses (and probably doesn't even exist). If that is the case, destroy the drive: It's the only way to be sure. For everyone else, "dd if=/dev/zero of=/dev/sda" is exactly as good as specialized wiping software. (Beware of people hawking 35-pass overwrite software: These patterns are historic and have no relevance to modern hard disk technology. Touting this procedure as somehow better than a single pass zeroing proves that the person does not understand the topic at hand.)

Re:Scary that they sold the disk at all

[systemeng]

The mistake in thinking that it's a bad thing to never have the data be the same is roughly speaking part of how the Germans lost WWII. The British broke the Enigma cypher by figuring out that a given letter was _NEVER_ encoded as the same letter. That tiny blip in the probability function allowed breaking many coded messages if they could get a small amount of cleartext such as the weather report.