Penn Computing

Thursday, August 21, 2014

 

Clean out Old Computers Before Selling/Donating

A 1997 article in the New York Times ("Patient Files Turn Up in Used Computer," 4/4/97, John Markoff) describes how C.J. Prime, of San Francisco, booted up the used IBM computer she purchased at an auction and found 2,000 patient records from Smitty's Supermarkets pharmacy in Tempe, Arizona. Included were "prescriptions for AZT for AIDS patients, Antabuse for alcoholics as well as numerous antidepressants." Prime speculates that with the software left installed on the computer, she might have been able to connect to the pharmacy's main office and change coverage or create new prescriptions.

When selling or donating old computers, be sure to remove any sensitive data, and make sure that by leaving any commercial software on the machine you are not violating the terms of any software license agreements. Note that files deleted through ordinary means (e.g. dragging to the trash on Windows or Macintosh) can usually be recovered. Use a secure file deletion utility, which successively writes binary ones and zeros over the files to be deleted so that the data cannot be recovered (see Note below). Pretty Good Privacy (PGP) includes a secure delete function, and Norton Utilities' Wipe Info feature will also securely delete files.
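The overwrite approach described above can be sketched in a few lines of Python. This is an added example, not code from this page or from PGP or Norton Utilities; the function names and the two pass patterns (all zeros, then all ones) are assumptions chosen for illustration.

```python
import os
import tempfile

# Pass patterns are an assumption for illustration: all zeros, then all ones.
PASSES = (b"\x00", b"\xff")
CHUNK = 1024 * 1024  # write and read in 1 MiB pieces

def overwrite_pass(path, pattern):
    """Overwrite every byte of the file in place with `pattern`; return its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b writes in place without truncating
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # ask the OS to push the data out of its cache
    return size

def verify_pass(path, pattern):
    """Read the file back through the OS and confirm every byte equals `pattern`."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False

def overwrite_and_delete(path, passes=PASSES):
    """Run each overwrite pass, verify it, then unlink. Returns bytes per pass."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("refusing to wipe non-regular file: %s" % path)
    size = 0
    for pattern in passes:
        size = overwrite_pass(path, pattern)
        if not verify_pass(path, pattern):
            raise IOError("verification failed for pattern %r" % pattern)
    os.remove(path)
    return size

if __name__ == "__main__":
    fd, demo = tempfile.mkstemp()  # constructed sample file, not real data
    os.write(fd, b"constructed sample record\n" * 1000)
    os.close(fd)
    print(overwrite_and_delete(demo), "bytes overwritten per pass")
```

Overwriting a file in place does not reach copies held elsewhere (backups, swap space, filesystem journals, remapped flash blocks), so wiping or destroying the whole drive, as described on this page, still applies when the hardware itself is being disposed of.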

In recent years it has become a popular practice to sell used (but still functional) hard drives via online "auction" sites like eBay. Before disposing of hard drives in this or any other manner in which one or more subsequent owners of the drive will have access to any data remaining on the drives, it is essential that the drive(s) be wiped clean of data as mentioned above. There are many, many reported and confirmed instances of sensitive data found on drives purchased through eBay.

Under existing law, the purchaser of a second-hand drive owns not only the drive itself, but also any data on the drive. If you improperly dispose of a drive in a way that permits sensitive data to fall into the hands of someone who exploits it for their own purposes, you will likely have little or no legal recourse.

DO NOT SIMPLY THROW AWAY "DEAD" DRIVES. The platters can be removed from non-functional drives and all data retrieved. Before disposing of drives that no longer work, DESTROY THE PLATTERS. A large hammer comes in handy for this, though some find more satisfaction in drilling completely through the drive casing with a large (1/2 inch or larger) bit.

The same advice applies to storage media like computer tapes, disks, diskettes, etc. Be sure to completely remove any sensitive information before disposing of electronic storage media. University Archives and Records offers a standard service for secure destruction of confidential electronic records.  For further details, see http://www.archives.upenn.edu/urc/urc.html
If you need further help finding tools or services to do this, contact security@isc.upenn.edu.

Before transferring computers containing any software, first make sure that Penn is properly licensed to transfer it, that it was not obtained illegally or in violation of license terms, and that the software was never copied illegally or in violation of license terms. Also, make sure that the transfer conforms with the terms of the software license. For instance, the license for Microsoft Office Version 4.21 includes this clause:

 "Software Transfer: You may permanently transfer all of your rights under this EULA, provided you retain no copies, you transfer all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, this EULA, and, if applicable, the Certificate of Authenticity), and the recipient agrees to the terms of this EULA. If the SOFTWARE PRODUCT is an upgrade, any transfer must include all prior versions of the SOFTWARE PRODUCT"

The only way to be sure the transfer complies with all licenses is to read them all. For software licenses with "transfer" clauses like the one above, have the recipient(s) acknowledge in writing their acceptance of the terms of the license, and their receipt of all materials required by the license. It's important to consider licensing issues not only for application software like Word and Excel, but also for operating system software like MacOS and Windows.

Note: There are, however, problems with the conventional secure deletion method of overwriting with binary ones and zeros. Someone with technical knowledge and access to specialized equipment may be able to recover data from files deleted with this method. Use of magnets (degaussing) or physical destruction may be required for especially sensitive data, but be sure that such procedures conform to published standards for secure data destruction. For further details, see Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory":
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

If you have questions about secure deletion procedures, contact Penn Information Security at security@isc.upenn.edu.

Last updated: Wednesday, January 3, 2007


Information Systems and Computing
University of Pennsylvania