Careful not to dump a data-loaded PC
Thinking of selling your old computer or donating
it to claim a healthy tax deduction? Think again. You could be giving
away the keys to your business.
"The thing is that computers don't work the intuitive
way people think they do," says Chris Wysopal, director of
research and development for @stake Inc., a digital security consulting
company based in Cambridge, Mass.
"When you remove files, the computer doesn't
really remove the file. The data is still there."
That means anything you put into the computer -- tax
returns, credit card numbers, electronic bill paying data, client
information -- is ready and waiting for the person who knows how
to find it.
So what are you supposed to do with the 50-pound paperweight
that used to be your business's most-valued tool? Relax. You have
a couple of options.
Wipe it clean
If the machine in question is used mainly as a word processor and
the material in question is a collection of document files, you
can delete the files and then follow up with a program to obliterate
Called "wiping the files," this involves
using specially designed software such as SecureClean. The program
writes several layers of computer code over your data, making it
impossible to read. Windows XP has a built in wiping feature. Many
times, these programs are bundled with virus protection software,
so you might already own one.
But if you use the computer to connect to the Internet,
especially for online banking, electronic bill paying or customer-service
work, this may not be the best option. Your Internet browser will
store all that data, and not necessarily in places where you might
think to look.
"Sometimes even the people who wrote the software
don't know exactly how it works," says Wysopal.
What's where on your PC
Wondering what's where on your computer? Here's a quick list from
James Whittaker, computer science professor at the Florida Institute
of Technology and author of "How to Break Software":
- Browser: You'll
find cookies and favorites files here.
- E-mail program: The
home of address books and sent and deleted e-mail.
- Anti-virus scan logs:
These track Internet sites visited and documents that have been
scanned. "A lot of people don't realize how much information
these contain," says Whittaker.
- Registry entries:
This operating system component manages information shared between
programs. If you cut and paste anything from the Internet or move
data from an accounting program into an e-mail or data file, it
will be here.
- Temp files, the recycle bin:
These areas track where you've been on the Internet and what information
you recently deleted.
Even if you successfully destroy all of your documents,
your operating system might have stored a few on other places in
the machine, for example under a "recently viewed" feature.
This might be fine if the computer contains nothing but old inventory
rosters, but it could get a little tricky if the data is a list
of your most valued customers, their home addresses and their credit
And don't rely on a third party to clear your computer
of sensitive data. Wysopal recalls an incident where a company sold
its computers through an auction, assured by the auction firm that
the machines would be wiped clean before they changed hands. Much
to the surprise of the seller and the competitor that bought the
PCs, they were not.
Whittaker's advice: Minimize the personal information
you store on your computer, especially passwords and cookies. "When
you go to a Web site that says 'do you want to store your password?'
say 'no.' That way, you don't have those things sitting around on
your hard drive."
Reformat the hard drive
If your computer is an integral part of your business, loaded with
budgets, banking transactions and client data, your best bet might
be to reformat the hard drive.
This is "the most clean way" to remove your
data, says Whittaker.
The downside: if you want to sell the operating system
and any of your software, you have to reinstall it when you're done.
Corey D. Schou, director of the National Information
Assurance Training and Education Center at Idaho State University,
even recommends reformatting the hard drive twice. "It makes
a little more work" says Schou. "However, it does protect
your information asset."
Destroy the drive
If you are concerned about your data, especially if it could help
a crook steal your identity or that of your customers, don't sell
the box. It's not worth junking the reputation of your business
to recoup the cost of a secondhand computer.
"It's a judgment call," says Michael Erbschloe,
vice president of research with Computer Economics Inc., a computer
research firm in Carlsbad, Calif. "Have I put something on
this computer that could cause me damage or result in identity theft?
"We've really been taking the position lately
that the best thing to do is destroy the hard disk. I'm more than
willing to donate the box. That's a good thing to do.
"But realistically," says Erbschloe, "if
you are really, really concerned about security, if you've got a
lot of information on there that is sensitive to your business,
we're definitely taking the position to destroy the hard disk."
Dana Dratch is a freelance
writer based in Georgia.
-- Posted: Nov. 12, 2001