Educause Security Discussion mailing list archives

Re: Quick Survey: How do you "dispose" of outbound hard drives??


From: "Perry, Jeff" <perry () KU EDU>
Date: Tue, 28 Sep 2010 16:29:47 -0500

For disks that will be reused we have a certified hardware wipe system.
We also allow admins to use DBAN with an approved configuration for
systems bound for inter-office/department transfer.

For systems destined for our E-Waste program the drives are removed from
the cases by technicians, checked in to a tracking system, and then
degaussed with a very heavy duty hard drive degausser.  It's fast,
exceeds specs, and we have an agreement with our e-waste recyclers that
allows us to send them systems without disks in them.  The disks are then
recycled for materials by a third party.

We found through many years of this that the commodity value of the used
hard disk (at this point typically 3-5 years old) is low enough that it
doesn't make sense for us to reuse all but the nicer/newer disks.  Those
disks are typically bought with a "keep your hard disk" warranty so when
we see nice ones it's usually physically dead and goes straight in to
the degausser.

We have looked at computers that support ATA wipe but since 1.) only a
few do as of yet and 2.) they are typically in machines that are too new
for us to see in the waste stream, we've stuck w/ hardware/dban wipe or
a compliant degausser (which we have installed at our ewaste handling
center).  A side benefit of the large format degaussers is that they are
rated to do multiple hard disks at a time and are large enough to do
tapes, odd shaped disks, and other mag media that falls in to the
"strange junk" category.  We'd been paying a lot of money to have our
document shredding company do the odd stuff so it became cost effective
for us to buy a machine that was large enough to do all but the oddest
of media (like double height disks which we still see a few that people
drag out of a closet in a research center).

Jeff Perry, CISSP
Director, Enterprise Infrastructure & Operations
The University of Kansas

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Solem, Vik P.
Sent: Tuesday, September 28, 2010 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound
hard drives??

Hehe - Yeah - I've seen a few of these decorating cubicle walls around
Tufts.

-Vik

Vik Solem, CISSP, Sr. Applications Risk Consultant Tufts University,
Information Security, vik.solem () tufts edu / 617-627-4326 InfoSec Team:
information_security () tufts edu / 617-627-6070

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Himes, Daniel Jay
[dhimes () LIBERTY EDU]
Sent: Tuesday, September 28, 2010 16:37
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound
hard drives??

Open the drive, destroy the disks, and mount the magnets on your cube to
play with later.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Auclair
Sent: Tuesday, September 28, 2010 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound
hard drives??

FYI, DoD 5220-22M has been deprecated... They now require physical
destruction of disks.

Regards,
David Auclair
Information Security Group
Information and Technology Services
University of Toronto


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Tuesday, September 28, 2010 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Quick Survey: How do you "dispose" of outbound hard
drives??

On Tue, 28 Sep 2010 08:54:53 CDT, "Doty, Timothy T." said:

> Still, for anyone using DBAN it is IMO worth considering wiping with
> the ATA secure erase command where possible. The drive I wiped had
> ~3600 reallocated sectors (and was still "good" according to SMART)
> which represents ~1.8MB of data DBAN would not have erased.

Something to keep in mind is that usually a drive won't reallocate a 
sector unless it encounters a write error - which means that physical 
block probably has a physical defect, and almost certainly will return
a read error due to the aborted (and now short) write - and that's
*if* you can convince the drive to read from the previous location of 
a reallocated block.  As a result, those blocks are not going to be 
uncovered by any sort of normal user-level snooping on the drive - in 
fact, it's going to take some heavy duty diagnostics simply to
convince the drive to try to read the old block and not the reallocated
location. (On most drives, it will be a challenge to even get the list
of relocated blocks - SMART data usually only includes the total number
of reallocated blocks).

Still, I guess some sites might have "people will take apparently 
zero'ed disk drives and send them off to data recovery shops at $2K+ a
pop hoping that something valuable will be recoverable off the
relocated blocks that probably have physical defects which will prohibit
recovery".

For the record - the wording in DOD 5220-22M regarding sanitizing
drives:

"Non-Removable Rigid Disks" or hard drives must be sanitized for reuse
by overwriting all addressable locations with a character, its
complement, then a random character and verify."

Remapped blocks are no longer addressable locations, and thus aren't
covered. If the DoD isn't worried about national secrets leaking out on
the bad blocks, I'm not going to lose sleep over it either...
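
Added example, not part of any message in this thread: a Python sketch of the overwrite sequence quoted above (a character, its complement, a random pass, each verified by read-back), run against a constructed image file that stands in for a drive's addressable range. The function names, the 0x55 fill character and the 512-byte sector size are assumptions; not_covered_bytes() shows what a reallocated-sector count means for such an overwrite.

```python
import hashlib
import os
import tempfile

BLOCK = 512  # bytes per sector; assumed for this example

def verified_pass(f, nblocks, next_block):
    """Overwrite every addressable block, then read back and compare digests."""
    written = hashlib.sha256()
    f.seek(0)
    for _ in range(nblocks):
        data = next_block()
        written.update(data)
        f.write(data)
    f.flush()
    os.fsync(f.fileno())  # push the pass to storage before verifying
    # Note: the read-back may be served from the OS cache, not the media.
    readback = hashlib.sha256()
    f.seek(0)
    for _ in range(nblocks):
        readback.update(f.read(BLOCK))
    return written.digest() == readback.digest()

def sanitize(path, char=0x55):
    """Character, complement, random; True only if every pass verifies."""
    size = os.path.getsize(path)
    if size == 0 or size % BLOCK:
        raise ValueError("image must be a non-zero whole number of blocks")
    patterns = [
        lambda: bytes([char]) * BLOCK,         # pass 1: a character
        lambda: bytes([char ^ 0xFF]) * BLOCK,  # pass 2: its complement
        lambda: os.urandom(BLOCK),             # pass 3: random data
    ]
    with open(path, "r+b") as f:
        return all(verified_pass(f, size // BLOCK, p) for p in patterns)

def not_covered_bytes(reallocated_sectors):
    """Bytes in remapped sectors, which an overwrite of addressable blocks never reaches."""
    return reallocated_sectors * BLOCK

def make_image(nblocks=64, marker=b"CONSTRUCTED-SAMPLE-RECORD"):
    """Build a constructed test image with a recognisable marker in each block."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(marker.ljust(BLOCK, b"\0") * nblocks)
    return path
```
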