when is a ‘delete’ not an ‘erase’?
TRANSCRIPT
Vol. 11, No. 2 Page 15
there is a firm commitment to IT security from
the top of an organization down”.
WHEN IS A ‘DELETE’ NOT AN ‘ERASE’?
Introduction
The ‘DELETE’ command used to purge file contents has often caused confusion to both DP (data processing) and office users. Unless the purpose of the DELETE command, and how it works in practice, is explained properly, file users could sometimes find themselves seriously exposed in unforeseen circumstances. In some cases, they may even be in breach of the Data Protection Act for failing to give due care to the adequate protection of personal data.
The background
The organization which found itself exposed was a multinational giant using Wang VS computers for its office and word processing systems, spanning several geographical locations and covering a user population of over 750 staff. Under the Wang Office System, each user has a unique ID and a self-generated password. To protect a sensitive document from unauthorized access, the owner can provide an additional ‘document password’ to control access to that document.
The incident
The Comptrollers Department of the organization handles many sensitive business functions, including company takeovers, obtaining insurance cover and handling insurance claims. All sensitive office documents are given document password protection by the security-conscious managers. Imagine their surprise when the following incident happened in March this year, after a power failure hit the area housing the corporate headquarters.
An employee was using a public access terminal to edit a 30-page document on the Wang Office System at the time the power was disrupted. The building was equipped with an uninterruptible power supply (UPS) unit to provide continuous power to the Wang VS computer’s central processor and main disk drives, but not to the multiplexors or office terminals. When power was restored to the building, the user re-entered the document she was editing and caused it to be printed out at her terminal. She found an 89-page document belonging to another department (i.e. Comptrollers) which had been added to the end of her own document. The contents of the other document were of an extremely sensitive nature and she reported it to the security staff. This led to an internal investigation, with help from Wang and other outside security specialists.
The 89-page document turned out to be a composite of a mixture of insurance claims and mergers and acquisitions, most of which were individually protected by document passwords. The documents had been deleted by their owners some two weeks prior to the power failure. Since then the disk file had gone through a full volume backup and restore process, and everyone thought that the documents would have been completely erased through the system initializing the file area. This was found not to be the case.
It emerged that when the DELETE command is used on the VS system, the operating system merely sets a delete marker in the file directory, or VTOC (volume table of contents), to indicate that the file space may now be released for reuse by others. This ensures that the file can no longer be located by any user accessing the file directory, even though the file itself remains intact in the storage area until that area is overwritten by another user storing another document. Equally, the full volume backup and restore process merely initialized the file directory, not the file area.
© 1988 Elsevier Science Publishers Ltd., England. /88/$0.00 + 2.20
COMPUTER FRAUD & SECURITY BULLETIN. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Vol. 11, No. 2 Page 16
One possible explanation of the security incident was that, when the system was interrupted by a power loss, the disk heads lost track of their location on the VTOC. When the disk drive recovered, it arbitrarily read a file that was closest to the heads when power was restored, while ignoring the delete flag tied to that file.
The solution
The Wang VS system has a utility called SECURE ERASE which erases a document by positive overwriting of its file storage. Instead of the DELETE command, SECURE ERASE should therefore be used to obliterate any obsolete sensitive electronic office documents.
Wang engineers have also suggested the use of disk initializations during the normal full volume backup and restoration periods to remove sensitive files or documents from disk storage. There are two types of disk initialization on the VS system, ‘Brief’ and ‘Normal’. ‘Brief’ is the default and will perform one pass over the disk. ‘Normal’ will overwrite the disk storage three times.
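The following Python model is an added illustration, not code from the article or from Wang. It simulates a volume with a directory (VTOC) and a raw file area, and shows the three points made above: an ordinary DELETE only flips a directory marker, so a raw read past the end of a neighbouring document still returns the deleted text; positive overwriting of every allocated block (the effect of SECURE ERASE, modelled here, not its implementation) removes it; and a scan of the raw file area, ignoring the directory, is the check that confirms disposal actually happened. The block size, file names, document contents and overwrite patterns are constructed values; `passes=1` corresponds to the single pass of a ‘Brief’ initialization and `passes=3` to a ‘Normal’ one.

```python
"""Toy model of a disk volume with a VTOC and a raw file area.
Constructed for illustration; none of this is Wang VS code."""

BLOCK = 64                           # bytes per allocation unit (assumed)
VOLUME_BLOCKS = 16
ERASE_PATTERNS = (0x00, 0xFF, 0x55)  # deterministic overwrite passes (assumed)


class ToyVolume:
    def __init__(self):
        self.storage = bytearray(BLOCK * VOLUME_BLOCKS)  # the file area
        self.vtoc = {}                                    # name -> directory entry
        self._next_block = 0

    def _extent(self, entry):
        """Byte range of every block allocated to the entry (data plus slack)."""
        nblocks = -(-entry["length"] // BLOCK)           # ceiling division
        return entry["start"], entry["start"] + nblocks * BLOCK

    def write(self, name, data):
        start = self._next_block * BLOCK
        entry = {"start": start, "length": len(data), "deleted": False}
        lo, hi = self._extent(entry)
        if hi > len(self.storage):
            raise OSError("volume full")
        self.storage[lo:lo + len(data)] = data
        self.vtoc[name] = entry
        self._next_block = hi // BLOCK

    def read(self, name):
        """Normal access path: honours the delete marker and the EOF length."""
        entry = self.vtoc[name]
        if entry["deleted"]:
            raise FileNotFoundError(name)
        return bytes(self.storage[entry["start"]:entry["start"] + entry["length"]])

    def delete(self, name):
        """Ordinary DELETE: only the directory marker changes; the bytes stay."""
        self.vtoc[name]["deleted"] = True

    def secure_erase(self, name, passes=len(ERASE_PATTERNS)):
        """Positive overwriting of every allocated block, then release the entry."""
        entry = self.vtoc[name]
        lo, hi = self._extent(entry)
        for i in range(passes):
            fill = ERASE_PATTERNS[i % len(ERASE_PATTERNS)]
            self.storage[lo:hi] = bytes([fill]) * (hi - lo)
        entry["deleted"] = True

    def raw_dump(self, start_name):
        """Fault path: read from one file's start to the end of the volume,
        ignoring delete markers and EOF lengths, as the interrupted print did."""
        return bytes(self.storage[self.vtoc[start_name]["start"]:])

    def residual_count(self, needle):
        """Verification check: scan the raw file area, not the VTOC, for a
        marker that should no longer exist anywhere on the disk."""
        return self.storage.count(needle)


SECRET = b"CONFIDENTIAL takeover memo: bid for Acme plc"  # constructed sample
MEMO = b"Minutes of the canteen committee"               # constructed sample


def residue_after(disposal):
    """Write two documents, dispose of the sensitive one by `disposal`
    ('delete' or 'secure_erase'), and report what a raw read still finds."""
    vol = ToyVolume()
    vol.write("memo", MEMO)
    vol.write("secret", SECRET)
    getattr(vol, disposal)("secret")
    try:
        vol.read("secret")
        visible = True
    except FileNotFoundError:
        visible = False
    return {
        "visible_via_vtoc": visible,
        "secret_in_raw_dump": SECRET in vol.raw_dump("memo"),
        "residual_markers": vol.residual_count(b"CONFIDENTIAL"),
    }


if __name__ == "__main__":
    for method in ("delete", "secure_erase"):
        print(method, residue_after(method))
```

The `residual_count` scan is the piece an operations team can reuse: after a disposal run, a search of the raw file area for a known marker string (a classification banner, a document title) shows whether the overwrite actually reached the blocks, independently of what the directory reports.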
Lessons learnt
The above exposure, whether through accidental or deliberate access to residual file data, is an area not many of us have given due care to, more through oversight than deliberate negligence. Positive overwriting of file storage can be extremely time-consuming and should only be used to dispose of extremely sensitive data. Such safeguards may be best stipulated by the file owners to operations staff and performed on a charged basis. Degaussing of magnetic tapes and diskettes holding obsolete sensitive data, on the other hand, is relatively inexpensive and should be made a part of the normal operational duties before releasing the magnetic media for general reuse.
We have several cases on file relating to hard disks being sent out to maintenance engineers for repair which were found to contain details of a business acquisition and other sensitive corporate data, or a replacement disk containing research results of a competitor’s experimental efforts for a wonder drug to cure a certain disease. Others have reported cases of deliberately reading file data in storage areas beyond the ‘end of file’ marker to discover sensitive corporate data still remaining on the magnetic media.
Prevention is better than cure. Public exposure of such security lapses can cause acute embarrassment to the organization, and can even be directly detrimental to confidential business dealings in hand.
Dr Ken Wong
BIS Applied Systems Ltd
UK
LOGICA DEVELOPS NEW SPEAKER VERIFICATION TECHNIQUE FOR SECURITY APPLICATIONS
Preventing unauthorized persons from being where they shouldn’t be, or doing what they shouldn’t be doing, is the most fundamental problem facing any security operation. However, the basic practical difficulty confronting any designer of a secure system is not simply how to keep persons with malicious intentions out, but how to keep such persons out while letting authorized persons in.
Solving this difficulty is of particular importance for the world of finance, where the cost of a breach in security can easily run into many thousands of pounds. However, if bona fide personnel cannot easily and rapidly reach the rooms and terminals where they earn money for the firm, the profitability of the firm will diminish. Similarly, where a financial institution is selling personal financial services to the public, the need to protect against unauthorized persons gaining access to bona fide customers’ accounts must be tempered by