Re: Failed Disk Data Exposure

Sat, 09 Jun 2012 02:10:29 -0700 

W dniu 2012-06-08 23:15, Grinsell, Don pisze:

Here's a Friday topic:  With modern disk arrays, e.g. DS8000, what is
the real exposure of meaningful residual data being recovered from a
single drive out of the array.  I can't seem to find anything
definitive other than a lot of "data may be recoverable" statements
from vendors selling secure erase services.  Just curious if anybody
has any hard data to demonstrate an exposure or not.



1. Any disk from array do *contain data*. In case of RAID1 it's obvious, 
in case of RAID5 or RAID6 there are still some data on it.
Is it hard to read it? There are EBCDIC conversion issues, 3390 
emulations etc. etc. Usually it's very hard, but not impossible. Last, 
but not least: this is political issue. If someone read any string of 
characters, for example SMITH, then it's your fault, newspapers shout 
about security breach, etc. Nevermind that nobody knows who is SMITH and 
any further detail about him (her).



2. How to manage it.

First, you have to remember that failed disk can be really FAILED. Not 
working. In such case any security erase software will not help. BTW: 
such software is available os DASD box feature (all big manufacturers do 
offer it). So, in some cases you cannot use a software.
2.1. You can pay your vendor for failed disks. Regular service contract 
assumes that failed disks are replaced and taken off by serviceman. You 
can pay and keep failed disk.
2.2. You can sign "NDA contract" (it's free of charge) that failed disks 
are kept in secure locations and no one would try to recover any data. 
In simple words DASD vendor promises you some security. Is it enough? 
It's matter of your company rules.



Ad 2.1. Method used by Google (presented on Youtube) is nice, impressive 
but overkill. For example step one is not necessare when you intend to 
totally shred disk in step two. You can also buy degausser (severla 
hundreds $ AFAIK) or pay some company for degaussing as a service (in 
your premises - disks do not leave secure area).
BTW: Some company in Poland patented a method - they dissolve whole 
disks in some acid mixture. Quite impressive and overkill IMHO.


--
Radoslaw Skorupka
Lodz, Poland






--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.


This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. 


BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax 
+48 (22) 829 00 33, www.brebank.pl, e-mail: [email protected]

Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. 
Wedug stanu na dzie 01.01.2012 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.410.984 zotych.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN






















					Reply via email to