RE: [suse-security] Securely wiping external usb hard drive
There is nothing particularly sensitive on the drive - unless you count the annual personnel reviews of my team - other than that it's just apt/rpm/deb archives and install disk iso's for several Linux distros in use here. However the US military does require secure wiping of all hard drives before transfer, turn in, etc... just in case. You never know what someone might find useful or interesting... the term used is OPSEC (Operations Security). Windoze programs like bcwipe and eraser (http://www.dirfile.com/eraser.htm) can do the job to military specs - I was just hoping to find a SUSE based solution so I don't have to track down a windoze system I can use for a while. I'm not sure if it's the drive or the laptop but so far "dd if=/dev/urandom of=/dev/sda" has been running for about 8 hours - first pass. I may just have to fall back to a windoze solution - bcwipe only takes a few hours to make 7 passes of varying patterns. This was somewhat of an evaluation/experiment - I don't think we'll be using this make/model of external drive any more. Thanks, Eric Eric Baenen Program Manager - Scientific Network Environments General Dynamics - Advanced Information Systems Phone: 937-255-8180 FAX: 937-255-8845 2255 H Street (AFRL/HEC) Area B Bldg 248 Rm 108 Wright Patterson AFB, OH 45433 -----Original Message----- From: Mike Tierney [mailto:miket@marketview.co.nz] Sent: Monday, April 25, 2005 5:35 PM To: 'Baenen Eric P Contr AFRL/HEC'; 'Suse-Security List (E-mail)' Subject: RE: [suse-security] Securely wiping external usb hard drive Given that you work for the Military, I'd recommend that you have a talk to your local IT people about what they recommend. No doubt they'd have quite stringent rules and regulations for disposing of storage devices that held sensitive information. That's if you are using this drive to transfer information between work and home! In which case I'd hope it was all encrypted as well! However if it's just your own personal hard-drive (that's never held sensitive Air Force information) then running "dd i=/dev/urandom o=/dev/sda" a few times would probably do it. Having said that, I read once that hi-tech hardware data recovery devices can still retrieve "old" information from a hard-drive from its lingering magnetic imprint even AFTER its been wiped over with new data. But those devices are probably only routinely employed by foreign governments, competitors engaging in industrial esponiage and of course data retrievel specialists :)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Baenen Eric P Contr AFRL/HEC wrote: | However the US military does require secure wiping of all hard drives before transfer, turn in, etc... just in case. You never know what someone might find useful or interesting... the term used is OPSEC (Operations Security). | | Windoze programs like bcwipe and eraser (http://www.dirfile.com/eraser.htm) can do the job to military specs - I was just hoping to find a SUSE based solution so I don't have to track down a windoze system I can use for a while. What about Darik's Boot and Nuke (http://dban.sourceforge.net/features.html)? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCbkdjWW28UPiAJ/oRAl3GAJ43+iIQ1R1iW95TjXRVYgZM/vEs3ACgh2Q2 6CphbxdYF8Y5IOMUWZc+RNg= =QEpa -----END PGP SIGNATURE-----
Hello Eric, Jetico BCWipe will destroy data on SuSE. Heck, they even provide RPM's. http://www.jetico.com I have verified the effectiveness of BCwipe on SuSE (reiserfs and ext3), RedHat(ext3 anf JFS) and Slackware (ext2) against EnCase Enterprise edition, Forensic Tool Kit and Recovery Pro in our labs. During "whole disk" linux erasures, BCwipe performed flawlessly. If you are looking to satisfy OPSEC or COMSEC standards for wiping a Linux drive, BCwipe will meet your needs. There are other wiping programs available('srm' at sf.net comes to mind..), but so far none of them have satisfied my Security Engineers like BCwipe for destroying sensitive or controversial data. Hope that helps. Craig Rodenberg, GIAC Director, Information Security MyTek Managed Security Services www.mytek.net - Eric Baenen wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Baenen Eric P Contr AFRL/HEC wrote: | However the US military does require secure wiping of all hard drives before transfer, turn in, etc... just in case. You never know what someone might find useful or interesting... the term used is OPSEC (Operations Security). | | Windoze programs like bcwipe and eraser (http://www.dirfile.com/eraser.htm) can do the job to military specs - I was just hoping to find a SUSE based solution so I don't have to track down a windoze system I can use for a while. What about Darik's Boot and Nuke (http://dban.sourceforge.net/features.html)? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCbkdjWW28UPiAJ/oRAl3GAJ43+iIQ1R1iW95TjXRVYgZM/vEs3ACgh2Q2 6CphbxdYF8Y5IOMUWZc+RNg= =QEpa -----END PGP SIGNATURE-----
John wrote:
What about Darik's Boot and Nuke (<http://dban.sourceforge.net/features.html>)?
dban is pretty useful, but i dont know if it can handle usb devices.
What about wipe? wipe-2.2.0-21 on SuSE 9.2 NAME wipe - secure file deletion utility SYNOPSIS wipe [-ucwsiIhfFdDnNvVzZrRtTkKaA] [-B(count)] [-S(size)] [-C(size)] [-o[size] -O] [-l[0-2]] [-x[1-32] -X] [-p(1-32)] [-b(0-255)] [files] DEFAULT wipe -ZdntVAkO -S512 -C4096 -l1 -x8 -p1 DESCRIPTION Wipe is a secure file wiping utility. There are some low level issues that must be taken into consideration. One of these is that there must be some sort of write barrier between passes. Wipe uses fdatasync(2) (or fsync(2)) as a write barrier, or if fsync(2) isn't available, the file is opened with the O_DSYNC or O_SYNC flag. For wipe to be effec‐ tive, each pass must be completely written. To ensure this, the drive must support some form of a write barrier, write cache flush, or write cache disabling. SCSI supports ordered command tags, has a force media access bit for commands, and write cache can be disable on mode page 8. IDE/ATA drives support write cache flushes and write cache disabling. Unfor‐ tunetly, not all drives actually disable write cache when asked to. Those drives are broken. Write caching should always be disabled, unless your system is battery backed and always powers down cleanly -- Richard Ems Tel: +49 40 65803 312 Fax: +49 40 65803 392 Richard.Ems@mtg-marinetechnik.de MTG Marinetechnik GmbH - Wandsbeker Koenigstr. 62 - D 22041 Hamburg GF Dipl.-Ing. Ullrich Keil Handelsregister: Abt. B Nr. 11 500 - Amtsgericht Hamburg Abt. 66 USt.-IdNr.: DE 1186 70571
participants (5)
-
Andreas Bittner -
Baenen Eric P Contr AFRL/HEC -
Craig Rodenberg -
John -
Richard Ems