
Data Deletion Done Right

What to Delete, How, and When?             

By: Eric Durrand

We all know at least one of those people who refuse to ever throw anything away. They live surrounded by boxes. Old papers, old clothes, memorabilia from high school, and broken gadgets are all stored somewhere in their apartment, leaving very little room for actual living. Their place is always cramped, but they can always locate that first high school diploma, or that first love poem. Another type of person we all know is the throwaway fanatic: she lives in a clean, organized space – with nothing but the bare necessities that serve an active purpose in her daily life. Occasionally, however, she is overcome with nostalgia for an object, a book, or a photograph long gone. The same things she ruthlessly discarded as unimportant, not useful, and cumbersome – she sometimes discovers had some value after all.

 Humanity, it seems, has always been divided into those who keep everything, and those who throw away everything they can. The two mindsets play an important role in the virtual world of computers too, with data and storage management experts arguing about what should be saved and what deleted, what should be backed up – and what discarded.

While legal departments in many companies encourage routine deletion of old materials to avoid supplying material for potential litigation, it is illegal to delete anything potentially useful when litigation is reasonably foreseeable. Also, various documents can actually help a company’s legal case, making it harder to decide whether or not to embrace a policy of deletion. The same is true of old engineering projects, old client information, and old e-mail communication. These files take up a lot of storage space, make it harder to find actual relevant information, and are hardly ever opened.

So what to do with all this old information? One popular solution is to move it around. Many organizations have found it useful to create several “storage tiers”, ranging in accessibility, security, cost of media, etc. They gradually migrate old information to cheaper and less accessible storage solutions. In a small office, for instance, the information is migrated from a storage server to an external drive, and from the external drive to backup tapes. Or it can be moved from a hard drive to a CD-R, etc.

After all, storage space prices continue to drop: The price per 1 megabyte dropped from $9 in 1990, to a little less than 1 cent in 2000, to a ratio of 8.7 megabytes for a single cent in 2004. Indeed, a whole Gigabyte of storage costs much less today than a megabyte (1/1000th of a Gigabyte) cost only 16 years ago. While prices continue to drop – why delete anything?

 The answer is: deleting, or at least moving files away, is still financially wise. It saves space on the fastest, most expensive machines, it shortens searching time, and removes the clutter of irrelevant information that serves no purpose.

 Before deleting a file or e-mail message completely, ask yourself the following questions:

1. Would this be needed in the foreseeable future?

2. If not, is there a chance that it would ever be needed?

3. If so, what might it be needed for? Who in the company might need it?

 These questions will help you determine whether to keep a file, move it to a designated storage device, send it to another person in the organization, or truly delete it.

Another challenge of data deletion is handling information that is useless to the company, but could prove damaging if it fell into the wrong hands. Simply deleting a file does not make it truly disappear forever: experts can recover a file even after a deletion and several rewrites (meaning that you deleted the file, put something new in its place, but the electromagnetic “fingerprint” of the old file is still there, allowing expert hackers to recreate it).

Simson Garfinkel, a privacy expert and MIT grad student, did an experiment in 2003: He bought 158 old hard drives on eBay, to see how much data was recoverable. His findings: More than 5,000 credit card numbers, financial and medical records, personal e-mail and pornography were easily obtainable on the drives. The solution? When getting rid of an old hard drive, or an old storage device – sanitize it using special “erasure” tools. Morgud’s Erasure Suite, O&O SafeErase V2, and Blancco Data Cleaner+, are a few such tools. In cases of truly vital classified information – services like EMC’s Certified Data Erasure will provide you with even greater peace of mind.

 Data deletion, like many aspects of successful computing, requires planning. To avoid overcrowding on the one hand and information loss on the other, your organization needs to define what to delete, when, and how. Spending some time on defining a clear procedure will assist you in achieving an organized, efficient, and secure information storage system.

Posted on August 31, 2006 at 11:44 AM in Information Security

DoS, Vishing, and SPIT – Oh My!

Meet the Dark Side of Internet Telephony

By: Eric Durrand

 

Internet Telephony, or VoIP (Voice over Internet Protocol), is quickly replacing traditional telephony, as more organizational and home users opt to use their broadband connections for phone communication. The number of VoIP phone lines in the US has grown from 1.8 million in 2002, to 9.9 million in 2005, and is projected to go up to 26 million by 2008, according to research by the Telecommunications Industry Association (TIA). Providers like Cablevision, Vonage and others turn VoIP into a reality for many, providing quality telephone services for a fraction of the cost, or sometimes for a fixed price.

But not all bodes well for early adopters making the transition into Internet Telephony. As prices of calls plummet, spammers who are used to sending millions of junk messages over E-Mail for free have started eyeing the new medium, dreaming of one day being able to make millions of pre-recorded commercial calls! Experts call this new threat SPIT: Spam over Internet Telephony, and unlike regular E-Mail spam, there is currently no simple filtering solution.

Qovia, a telecom company based in Frederick, Maryland, ran a simulation showing how a single PC can make 1,000 calls a minute using VoIP. In VoIP networks with unlimited calling or “peering”, where there is no financial penalty for making thousands of calls, a spammer (or, rather, SPITer) might find it profitable to make an unlimited number of calls even with a very small response rate.

Another threat involving VoIP is dubbed Vishing, a play on Phishing, a common type of E-Mail fraud. In an ingenious fraud perpetrated recently for the first time, individuals got a scam call from what appeared to be the number of a respected financial institution, and were told that their credit card had been used illegally. They were then asked to call a fake 1-800- number, and when they did, an automated system collected their credit card details and promised to take care of the problem. In fact, the numbers went into the criminals’ database of stolen credit cards, which they could later use to empty their victims’ accounts.

Denial of Service (DoS) attacks are a final scary scenario to consider. If SPIT spammers can make a thousand calls a minute using a single PC dialing to different locations, what can they do if they keep calling the same number? The answer: temporarily take down the phone line, which could mean considerable disruption to an organization, and potential loss of income.
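The two calling patterns described above (one source dialing many different numbers versus one source hammering a single number) can be told apart from call records with a simple per-minute rate check. The sketch below is an added example, not part of the original post; the record format, caller names, and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60    # the article's figures are per minute
RATE_THRESHOLD = 100   # assumed alert level, well below the 1,000/min simulation
FLOOD_SHARE = 0.8      # assumed: 80%+ of calls to one number looks like a flood


def classify_callers(records, window=WINDOW_SECONDS,
                     threshold=RATE_THRESHOLD, flood_share=FLOOD_SHARE):
    """Return {caller: 'spit-like' | 'dos-like'} for callers over the rate.

    records: iterable of (timestamp_seconds, caller, callee), sorted by time.
    """
    recent = defaultdict(deque)  # caller -> (ts, callee) pairs inside the window
    verdicts = {}
    for ts, caller, callee in records:
        calls = recent[caller]
        calls.append((ts, callee))
        # Drop calls that have aged out of the sliding window.
        while calls[0][0] <= ts - window:
            calls.popleft()
        if len(calls) < threshold:
            continue
        # Share of this caller's recent calls aimed at its most-dialed number.
        top = Counter(dest for _, dest in calls).most_common(1)[0][1]
        share = top / len(calls)
        verdicts[caller] = "dos-like" if share >= flood_share else "spit-like"
    return verdicts


def build_sample():
    """Constructed call records: a bulk dialer, a flooder, and a normal user."""
    records = []
    for i in range(300):  # 300 calls in one minute each
        t = i * 0.2
        records.append((t, "sip:bulk@example.invalid", f"+1555{i:07d}"))
        records.append((t, "sip:flood@example.invalid", "+15550000001"))
    for i in range(5):    # ordinary usage: 5 calls in the same minute
        records.append((i * 12.0, "sip:alice@example.invalid", f"+1555900{i:04d}"))
    return sorted(records)


if __name__ == "__main__":
    for caller, verdict in sorted(classify_callers(build_sample()).items()):
        print(caller, verdict)
```
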

    As with any new medium of communications, VoIP too will inevitably be abused by those who seek to profit at the expense of others. The solution, as always, is not to avoid new technologies, but to embrace them with open eyes and stay wary of the risks involved. As certain nuisances become more acute, various solutions will undoubtedly be developed to fight them. We’ll keep you up to date with what you need to know.

Posted on August 14, 2006 at 02:05 PM in Telecomm