On Computers

Some Thoughts and Ideas on Securing Your Data

Jack 'daWabbit' Imsdahl jack@oncomputers.info

31 August 2003

I've been thinking this last week about securing data. I recently had an experience which brought the need for this to the fore and felt I should tell you about it.

As many of you know, I run and also rehabilitate a fair amount of old hardware for the use of others. Lots of friends send me parts, even entire computers, for which they no longer have a need, in the hopes I might provide or find them a good home and continue their useful life.

In one such instance, a friend gave me a hard drive which I promptly installed in a box I was putting together from salvaged parts. The operating system and core applications were already installed on another drive and I added this one to increase storage available for the new owner. Upon rebooting the box, I was surprised to be confronted with the data contained on the drive, left there by the previous owner and/or the tech who replaced the drive.

The contents of the drive were obviously medical information; patient records, financial records and things related to a medical practice of some kind. I didn't look any further and promptly wiped the drive repeatedly with an application meant to ensure secure and complete data erasure. Afterwards, the person who gave the drive to me and I had a heart-to-heart talk and I gave that person a CD with several freeware data erasure and encryption applications recorded on it.

It turned out that the drive had been copied to a newer, more capacious drive in the course of regular upgrades/maintenance at the place where my friend procured it. No one had thought about the consequences of simply passing on the drive until I (through my friend) brought them to their attention.

The experience got me to thinking, though.

There are myriad reasons to take steps to secure your data. Perhaps what is on your hard drives and backup CDs (or whatever medium you choose for that purpose) is your confidential financial information which you would not want revealed or which would leave you open to identity theft or fraud were it to fall into the wrong hands. Perhaps it is information relating to others which has been entrusted to your business, professional or medical practice. In any case, it deserves, indeed requires, being held closely. There are simply too many consequences to not doing this to ignore. Credit card information, bank passwords and all sorts of potentially damaging data are on our machines, waiting for the unscrupulous to take advantage of them, should the machine come into their hands.

Disclaimer

I am not a security expert. I am relating here my own experiences and what steps we have taken at my home in defense. Before taking the steps I propose, you would do well to examine them in detail, research them on the Internet and/or in books and test the applications and utilities listed below on a fully backed-up system (at the least) or (better yet) a system dedicated to testing upon which no critical or important data resides.

This is really important stuff and when you stop to think about it, you'll see that. But that's still no reason to dive in without careful thought and planning. As with any addition of software or processes to a working system, you must take care.

Use Strong Passwords

Yes, I know it's a pain in the butt to be having to log in and log out all the time. But should some unsophisticated user gain possession of your computer, this may be enough to stop them getting into your stuff. There are utilities available on the web to break/steal Windows passwords, but the person who gains unauthorized access to your computer may not know this or be skilled enough to use them. Passwords are your first line of defense and, while they may well be of only limited utility on some systems, they will discourage many sufficiently to simply go on to something else.

Be sure to use a mix of alpha-numeric and special characters in your passwords and make them reasonably long (8 characters or, better yet, more). Should the password be related to any aspect of your life (your marriage anniversary or dog's name, etc.) it is especially easy for someone dedicated to the purpose to crack. Avoid those at all costs.

Good password protection (including use of a password to access the machine after the screensaver is activated) will also keep a casual visitor (whether child or adult) from simply sitting at your machine and inadvertently spoiling the last day's work by deleting something or closing an application with unsaved data. Don't laugh. This has happened to more folks than I can count.

(It happened to me when our cat chose to walk across the keyboard while I was away from the machine but the screensaver/password had not yet kicked in. This was Windows 9x days and her little stroll crashed the machine, costing me many hours of effort. Our current feline denizen loves to type because of the beeping sounds made when the cursor hits the end of a line. Thankfully, she likes to type on one particular Linux box and because of password protection, can do no harm. She has her own user account on that machine, too.)

Take Care of What you Store on Your Computer and How You Store It

Do not allow browsers to store critical passwords. Bank and brokerage account passwords, credit card, passport and driver's license numbers and such should all be remembered or referred to and typed in at each use. Do not mark these pages in Favorites or Bookmark files or lists. Also, the browser history and temporary files should be deleted after making such transactions.

Encrypt any directories that contain sensitive information using an application for the purpose. Links to some of these are given below. There are many such. The ones I have listed are freeware or at least free to individuals to use. There are also many affordable proprietary programs for this purpose. You have a LOT of choice in what you use and much of that choice is available free or at exceptionally reasonable cost (especially considering what is at stake). Again; use a real password.

Lock Up Those Backups

Remember; they contain all the good stuff. Don't just toss them in a desk drawer. Hide them well, put them in the safe deposit box or lock them up securely, preferably in an area not associated with the computer.

When a backup is obsolete, thoroughly erase the medium or destroy it. Lots of folks burn old backup CDs. This is not the best idea because the chemicals so released are not good for our environment. However, breaking them up thoroughly should do the trick. So will running the data side across a coarse sanding belt or similar device and then breaking them up. If you use a tape cartridge, format or erase it with a utility for that purpose when it's useful life is over.

You can also encrypt your backups. We do not do this, here, beyond those directories already encrypted. Nor do we compress our backups. The encoding and unencoding of so much data takes a tremendous amount of time, if it is done with strong encryption or compression, and we have chosen not to do it for that reason alone.

(I should also mention that our physical location is probably more secure than most. Not because of what it is but because we are almost constantly home. It would be awfully hard for a thief to find the joint unoccupied. Our disabilities make getting out a real chore and we do it as little as possible. We also have strong ties to our neighbors and we all watch each other's homes carefully. We still lock things up, though, and take steps to secure our data.)

Laptops Are a Special Case

A laptop is an especially vulnerable repository of data. Laptops are taken all over by their owners and frequently enough lost or stolen. It seems to me that laptops are especially vulnerable to data thievery because they so often contain proprietary or financial information relating to one's own business or that of an employer. So even if you may choose to disregard these cautions on your home computer, it is my opinion that you should take all the appropriate special steps with a laptop, unless it contains absolutely no potentially dangerous information. You might well decide to do more than I've already outlined, if you learn anything I haven't covered here, which is highly possible (see disclaimer above).

Though strongly encrypting and unencrypting directories on a laptop may use up some of your precious battery reserves and take some time due to a slower processor and/or lack of memory, it is well worth the while and should be done religiously.

When You Change Hard Drives

Erase the contents of a drive completely, with a utility intended for the purpose. A simple format is not enough to ensure safety. Should the drive be non-functional (too many bad clusters to reuse or simply not working) I take it apart and smash the platters lest someone extract them and mine the data contained therein. It's amazing how much damage one can do to a hard drive platter with a few hammer blows using a brick as an anvil and, at the end, I'm confident the contents are safe. I'm often told a strong magnet will suffice to corrupt whatever is on the drive, but have not tested this myself and so opt for physical destruction.

Detailed, thorough and competent forensic analysis can recover data from most intact platters, even after erasure applications have been used extensively. But most thieves will simply not have the equipment, expertise or motivation to do this sort of thing, so the safety factor is quite large, even though data is still possibly recoverable.

Some Useful Utilities You Might Want to Check Out for Use Under Windows

File Encryption tools

CryptoMathic File2File
http://www.cryptomathic.com/file2file/index.html
Though often less highly rated than some other utilities of the type, this is the on my wife and I use. It has served us well.

AxCrypt
http://axcrypt.sourceforge.net/
Note that axcrypt.com is a fraudulent site, according to the url above.

Zero Footprint Crypt
http://users.hol.gr/~kabriel/

PowerCrypt
http://www.ovsoft.com

MaxCrypt
http://www.kinocode.com/

File Buddy
http://www.jcmatt.com/filebuddy.html

includes secure file deletion utility Site does not mention XP support, but app seems to run fine under XP Home, at least in the two cases I've seen.

Secure File Deletion Utilities

PC Inspector e-maxx
http://www.pcinspector.de/emaxx/uk/welcome.htm
Especially suitable for wiping a drive when selling or otherwise transferring a used PC
Runs from bootable floppy or cdrom

Eraser
http://www.heidi.ie/eraser/
THE classic deletion tool. My favorite and the one I most recommend.

AnalogX Super Shredder
http://www.analogx.com/contents/download/system/shred.htm
AnalogX is always a source of quality software so though I have not personally tried this one, I have no hesitation in recommending you at least check it out.

Jack

© 2003 Jack Imsdahl

Back • Home • Up • Next


© 2002 - 2004 by On Computers and the Videotex Services Coalition.