when is a ‘delete’ not an ‘erase’?



Vol. 11, No. 2 Page 15


WHEN IS A ‘DELETE’ NOT AN ‘ERASE’?

Introduction

The ‘DELETE’ command used to purge file contents has often caused confusion to both DP and office users. Unless we can explain the purpose of the DELETE command properly and how it works in practice, file users could sometimes find themselves seriously exposed in unforeseen circumstances. In some cases, they may even be in breach of the Data Protection Act for failing to give due care to adequate protection of personal data.

The background

The organization which found itself exposed was a multinational giant using Wang VS computers for its office and word processing systems spanning several geographical locations and covering a user population of over 750 staff. Under the Wang Office System, each user has a unique ID and a self-generated password. To protect a sensitive document from unauthorized access, the owner can provide an additional ‘document password’ to control access to that document.

The incident

The Comptrollers Department of the organization handles many sensitive business functions, including company takeovers, obtaining insurance cover and handling insurance claims. All sensitive office documents are given document password protection by the security-conscious managers. Imagine their surprise when the following incident happened in March this year after a power failure hit the area housing the corporate headquarters.

An employee was using a public access terminal to edit a 30-page document on the Wang Office System at the time the power was disrupted. The building was equipped with an uninterruptible power supply (UPS) unit to provide continuous power to the Wang VS computer’s central processor and main disk drives, but not to the multiplexors or office terminals. When power was restored to the building, the user re-entered the document she was editing and caused it to be printed out at her terminal. She found an 89-page document belonging to another department (i.e. Comptrollers) which was added to the end of her own document. The contents of the other document were of an extremely sensitive nature and she reported it to the security staff. This led to an internal investigation, with help from Wang and other outside security specialists.

The 89-page document turned out to be the composite of a mixture of insurance claims and mergers and acquisitions, most of which were individually protected by document passwords. The documents were deleted by the document owners some two weeks prior to the power failure. Since then the disk file had gone through a full volume backup and restore process and everyone thought that the documents would have been completely erased through the system initializing the file area. This was found not to be the case.

It emerged that when the DELETE command is used on the VS system, the operating system merely sets a delete marker on the file directory or VTOC (volume table of contents) to indicate that the file space may now be released for reuse by others. This facility ensures the file can no longer be located by any user accessing the file directory, even though the file is still intact in the storage area until such time as the storage area has been overwritten by another user to store another document. Equally, the full volume backup and restore process merely initialized the file directory and not the file area.

© 1988 Elsevier Science Publishers Ltd., England. COMPUTER FRAUD & SECURITY BULLETIN. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

Vol. 11, No. 2 Page 16

One possible explanation of the security incident was that, when the system was interrupted by a power loss, the disk heads lost track of their location on the VTOC. When the disk drive recovered, it arbitrarily read a file that was closest to the heads when power was restored, while ignoring the delete flag tied to that file.

The solution

The Wang VS system has a utility called SECURE ERASE to erase a document by positive overwriting of the file storage. So instead of using the DELETE command, SECURE ERASE should be used to obliterate any obsolete sensitive electronic office documents.

Wang engineers have also suggested the use of disk initializations during the normal full volume backup and restoration periods to remove sensitive files or documents from disk storage. There are two types of disk initialization on the VS system, ‘Brief’ and ‘Normal’. ‘Brief’ is the default and will perform one pass over the disk. ‘Normal’ will overwrite the disk storage three times.
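As an added illustration (not code from the article, from Wang or from the author), the following Python toy models the two behaviours described above: DELETE only flags the VTOC entry and releases its blocks, so the file area keeps the data until some later write reuses it, whereas SECURE ERASE positively overwrites the blocks before deleting, with one pass standing in for ‘Brief’ and three for ‘Normal’. The block size, file names, fill patterns and the residual-data check are assumptions; real VS internals are not modelled.

```python
BLOCK = 16  # bytes per block (assumed value for the toy volume)

class Volume:
    def __init__(self, nblocks: int) -> None:
        self.storage = bytearray(nblocks * BLOCK)   # the file area
        self.vtoc = {}          # name -> {"blocks": [...], "deleted": bool}
        self.free = list(range(nblocks))

    def write(self, name: str, data: bytes) -> None:
        """Allocate blocks from the free list and store the document."""
        blocks = [self.free.pop(0) for _ in range(-(-len(data) // BLOCK))]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.storage[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.vtoc[name] = {"blocks": blocks, "deleted": False}

    def delete(self, name: str) -> None:
        """VS-style DELETE: flag the VTOC entry and release the space; the
        file area is untouched until a later write happens to reuse it."""
        self.vtoc[name]["deleted"] = True
        self.free.extend(self.vtoc[name]["blocks"])

    def secure_erase(self, name: str, passes: int = 1) -> None:
        """SECURE ERASE: positively overwrite each block, then delete.
        passes=1 mirrors 'Brief', passes=3 mirrors 'Normal' initialization."""
        for p in range(passes):
            fill = bytes([(0x00, 0xFF, 0x55)[p % 3]]) * BLOCK
            for b in self.vtoc[name]["blocks"]:
                self.storage[b * BLOCK:(b + 1) * BLOCK] = fill
        self.delete(name)

    def listing(self) -> list:
        """Directory view a user gets: deleted entries are hidden."""
        return [n for n, e in self.vtoc.items() if not e["deleted"]]

    def residue(self, needle: bytes) -> bool:
        """Residual-data check: is the text still anywhere in the file area?"""
        return needle in self.storage


def demo() -> dict:
    secret = b"TAKEOVER BID: 42m GBP"   # constructed sensitive content
    deleted, erased = Volume(4), Volume(4)
    deleted.write("CLAIM01", secret)
    deleted.delete("CLAIM01")
    erased.write("CLAIM01", secret)
    erased.secure_erase("CLAIM01", passes=3)
    return {"visible_after_delete": "CLAIM01" in deleted.listing(),  # False
            "residue_after_delete": deleted.residue(secret),         # True
            "residue_after_erase": erased.residue(secret)}           # False
```

Running `demo()` reproduces the article's finding: the deleted document vanishes from the directory listing but its bytes remain in the file area, while the securely erased one leaves no residue.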

Lessons learnt

The above exposure, whether through accidental or deliberate access to residual file data, is an area not many of us have given due care to, more through oversight than deliberate negligence. Positive overwriting of file storage can be extremely time-consuming and should only be used to dispose of extremely sensitive data. Such safeguards may be best stipulated by the file owners to operations staff and performed on a charged basis. Degaussing of magnetic tapes and diskettes holding obsolete sensitive data, on the other hand, is relatively inexpensive and should be made a part of the normal operational duties before releasing the magnetic media for general reuse.

We have several cases on file relating to hard disks being sent out to maintenance engineers for repair which were found to contain details of a business acquisition and other sensitive corporate data, or the replacement disk containing research results of a competitor’s experimental efforts for a wonder drug to cure a certain disease. Others have reported cases of deliberately reading file data in storage areas beyond the ‘end of file’ marker to discover sensitive corporate data still remaining on the magnetic media.

Prevention is better than cure. Public exposure of such security lapses can cause acute embarrassment to the organization, and can even be directly detrimental to confidential business dealings in hand.

Dr Ken Wong
BIS Applied Systems Ltd
UK

LOGICA DEVELOPS NEW SPEAKER VERIFICATION TECHNIQUE FOR SECURITY APPLICATIONS

Preventing unauthorized persons from being where they shouldn’t be, or doing what they shouldn’t be doing, is the most fundamental problem facing any security operation. However, the basic practical difficulty confronting any designer of a secure system is not simply how to keep persons with malicious intentions out, but how to keep such persons out while letting authorized persons in.

Solving this difficulty is of particular importance for the world of finance, where the cost of a breach in security can easily run into many thousands of pounds. However, if bona fide personnel cannot easily and rapidly reach the rooms and terminals where they earn money for the firm, the profitability of the firm will diminish. Similarly, where a financial institution is selling personal financial services to the public, the need to protect against unauthorized persons gaining access to bona fide customers’ accounts must be tempered by
