Data Destruction with Paul Katzoff

“We recommend taking the time, addressing it properly, getting all that data securely erased and then on your side, the headache is gone.” - Paul Katzoff

In the past, deleting a file was considered safe data destruction. But we know that it only clears the pointer to the file and not the data itself. Today there are many options when it comes to destroying data even though some hard drives seem almost indestructible. 

Today’s guest is Paul Katzoff. Paul is the CEO of WhiteCanyon Software where they specialize in data erasure for businesses both corporate and government. These customers need secure data destruction that meets HIPAA and other compliance standards for hard drive and mobile device erasure.

“Data erasure is looked at as a cost. We’re not helping earn more revenue. We’re not helping anyone be more efficient. We’re just removing that data and liability but it is worth the cost.” - Paul Katzoff

“I recommend pushing for harsher legislation to protect your data. Ten years from now, we’ll realize how important our data is. Let’s protect it now so that we don’t have to realize the mistake later.” - Paul Katzoff

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Let's jump into it. Can you tell me your background with respect to data security in the media?

Absolutely. My name is Paul Katzoff. I'm the CEO of WhiteCanyon Software. We're a data erasure software company based here in Utah. We've been in business for 23 years, providing the WipeDrive software tool platform to military, government, commercial, enterprise, and home users. We started off way back in 1998 with a 3 ½-inch floppy diskette. Do you remember those days?

Proper data destruction is vital

I do.

It went from there. We got Air Force-approved and we went around the globe. Every Air Force base globally used WipeDrive to erase their desktop computers back then. Since that time, we've moved into the commercial market, enterprise market, and had to do a whole bunch of different types of deployments to erase data securely on any data-bearing device. That's where we sit today.

Awesome. Before we start talking about how to properly dispose of media, can we talk about what some of the risks are that you've encountered, or your clients are concerned about, when it comes to what's on the media?

Yes. Data is becoming more and more important every year. GDPR was the big first legislation that addressed this out in the EU. Since that time, HIPAA has enforced financial penalties, and the same with Pfizer. On the corporate side, there's now a financial incentive to make sure there are no data breaches, and data doesn't leave your facility. On that side, it's moved that way.

On the state level, California has the strictest data privacy law in the nation, but we also know with our contacts at the federal government that a US federal data privacy law is in the works. It's in committee right now. It's upcoming. That's going to address some issues, probably not to the extent of the GDPR, but it is going to address a lot of the data issues that we have out there today.

I remember a news story—and this is probably further back than maybe I want to remember. There was a company that was buying photocopiers from police departments, law offices, and hospitals. The odd thing is that they were buying these used printers from them below market value. Let's say you could sell your corporate printer for $5000 used. These guys were paying $6000 or $7000 for it. Then on the back end, they were turning around and selling them for less than they bought them for. The question was, how are these guys making money? It turned out that most of these entities weren't even aware that there were hard drives in these photocopiers that had digital images of the last 10,000 pages that were copied. There was a criminal organization that was going around getting police records, medical records.

All sorts of information. This was 2011, 2012. I remember it was a shock to the nation because all of a sudden, everyone said, “Our copiers have hard drives in them?” Ricoh and the other manufacturers were like, “Yeah, every photocopy you make, we save it to the hard drive, and then we print from that image.” It was a shock—even the leasers. Everyone was like, “Uh-oh.” On the healthcare side, they're like, “Every document we've scanned, everything we've printed off the printers on these hard drives?” The answer is, “Yes, exactly.” It was a big data exposure, and everyone had to adjust to properly erase those drives in a short amount of time because of the risk with that. That was shocking to everyone.

I remember seeing that news story. That was the first thing that went through my mind. It was like, “They've got a hard drive on it? Why do you need a hard drive? But how else would you store the image that you're copying?” It makes sense when you think about it.

The technology they have there, it’s just natural on their side that says, “Hey, let's put a drive in this.” No one on either side—the manufacturer’s side or any side. It's been addressed now. The manufacturers now erase the image as soon as it's been created on there, as soon as it's done being used. But at that time, of course, we want to print it that way, and it's the simplest methodology. Everyone was just shocked. It was a good experience for the market to see the risk there.

Have there been other surprises that you're aware of in the media, that people just weren't thinking about being used for criminal practices?

For the most part, people have gotten on board with where the data is stored and how it's stored, and how it could be accessed by bad actors. We used to get calls. This was always shocking to us. It's better now.

Many companies haven't properly erased the data from old computers.

But about a decade ago, or eight years ago, we'd get calls from Fortune 100 companies. The guy at the other end of the line would say, “I'm going to tell you this, but don't tell anyone. We haven't been erasing any computers here for the last 50 years. We donate them, we resell them. Whatever we do, we never erase. We've realized internally there's a huge risk here. Let's address it.”

On most of the process level, it wasn't a part of what most corporations did. Now, it's being enacted. Now, it's being required by the data security policies for corporations. That's solving a lot of these big headaches.

Got you. If you had a hard drive, and you're like, “OK, I can't use the computer anymore,” what are some of the historic ways that we used to get rid of the media?

Data erasure, data destruction has been around for ages. We used to have tapes. Then, we had floppy diskettes. Then, we had the zip disks, the zip drives. Now we have, of course, platter-based drives as well. They were usually all just shredded, incinerated, drilled with a drill press, take them out back, hit them with a hammer, or whatever you could do to destroy the drive, and then throw it away. It's been the typical go-to for most corporations.

Even right now—the federal government—the NSA just came out with their December best practices, and there's no data erasure in there. They want every device destroyed, every data-bearing device destroyed inside the NSA. There are still some entities saying, “Hey, this is the best practice. This is what we want to do.” On our side we're saying, “Hey, there are some issues with physical destruction.” Those need to be addressed in many ways, as far as the circular economy goes, as well as the chain of custody. There are some major issues. Let's address those with software-based erasure as well.

I guess a lot of people thought, “I just need to delete my files.” We all know that deleting files doesn't actually delete files, it just deletes the reference to the file.

Hopefully, most of us know that. I'd say 80% of the public doesn't know that part.

We'll make it very clear here that if you are on your computer, you hit delete on a file, it doesn't actually delete the file, it just deletes the reference to the file. The file stays there and can be fairly easily recovered by a recovery program, even recovery software, let alone having to send it off to a forensic analysis to get it.

The other part of that is the reference to it is gone, but also, our drives are so large now that that space on the drive isn't overwritten for a long length of time. It could just sit there ready to be recovered for two or three years. But a long time ago with smaller drives, you would use all the space over and over again with different files and videos and get overwritten naturally. Now, that file could sit there for who knows how long.

The next method was—if you're a home user—you get some drive-erase software. It just does a single pass, writes zeros and ones to the drive, and you’re like, “OK, everything is good.” I remember in all those software packages, there were a couple of different settings. There was the quick delete, the secure delete, and then the “I work for a government institution; I need to spend the next three days writing zeros and ones over the drives.”

How do we know if the data has been erased from our computer?

First off, those are the different data erasure patterns that are out there. The biggest one was Gutmann’s 13 overwrite patterns. There's a DoD-7 pass. There's a DoD-5 pass. There's a DoD-3 pass. There are all these multiple erasure patterns where you'd have to go through that full drive 3, 5, 7, 13 times in order to get the certificate saying, “Hey, everything has been erased from that drive.” That's how it was. Until 2014, 2015, the DoD-3 was a go-to. It was just what everyone used to erase any device out there.

Is that what conventional wisdom is today on current technology?

It's changed because of the NIST 800-88 document. They've come up with some new requirements. Let me speak of the DoD issue there. The multi-pass was required because on these platter-based drives, it's like a record player. The heads going around writing and reading. As it did it, there was a little bit of a wobble. A research paper came out in the early 2000s that said if you take off that platter and examine it with an electron microscope—this is very expensive and almost impossible to do anyway, as far as resources go—but you may be able to see where the wobble has left the zeros and ones from the last pass. You could pull that information off. Since 2011, the technology and drives have gone to a point where there's no wobble. That's hard for us to say because it's so small. I don’t even know the micro size of this on the Western Digital and other manufacturers’ side, but that's been taken away.

NIST looked at this and said, “Hey, we're doing this DoD-3 pass that was recommended back in ‘03 and ‘06. Let's update this first off for platter-based drives, but also for SSDs because there's flash storage in those devices. We need to address that as well.” NIST 800-88 came out, and pretty much what it said is a single overwrite pass is enough to securely erase any device, and on flash media, you need to use a sanitize disk or secure erase command, an ATA command. If you do that, all the data on that device has been securely erased and, forensically, you can't recover any information.

Is that what most consumers should be doing then, three passes if they're going to donate their computer somewhere, or throw away their hard drives?

The single pass is enough for them now. That's all they need to do now. That's the de facto accepted kind of methodology. There are still some old-school IT managers and others out there saying, “Hey, I’ve got to do the DoD-3. That's what my data security doc says for my corporation. For my corporation, that's our requirement. That's what we need to do.”

But in that case, we're educating. I’m saying, “Hey, read this information on NIST 800. Figure out what you need to do.” But on your side, a NIST single overwrite is compliant enough. It's been tested. On our side, we've been erasing drives here for 23 years. A lot of our corporations are IT asset disposition companies. They take secondhand computers from corporations, process them, erase them, and resell them. Part of their certification is they have to get 1% of their devices forensically examined. They ship these off to get tested. They're all doing the NIST 800 wipe or compliant wipe, and then they go on to be forensically examined. None of them have had any other drives failed. On the actual use case, and examination level, it's also successful. Single overwrite’s all you need on your side.

That's good to know. I suppose it becomes more problematic with the pandemic, that you now have people working on computers that are outside the company’s control. The person is working on their home computer. It gets a little bit messy.

First off, bravo to all of us going remote so quickly. In the 90s, companies would have stopped. Would you have gotten paid from just being at home, not doing anything? How would you be able to work remotely?

First off, we pushed everyone remotely within two or three weeks. We had school children go remote within three weeks, which I think if that was actually implemented, it would have taken 9 years or 15 years to actually get that done. Bravo to all the corporations that keep the business going. They have to work from home, the Internet, and all that to help that be achieved. But that brought up that major issue. You send your employees home, those that had work laptops, for the most part, they're safe. That's a different use case.

For the rest of us, I'd say 70% of corporations or employees went home. They logged into their company networks with their home computer. You're right. What issues does this bring up? Their home network, how secure is that? How secure is their home computer, then also, the files that they access? Hopefully, they're using a VPN to access their network. They're pulling down those files, and they're stored on that home computer. We just talked about data erasure. They're still there after they're deleted. Are they being securely erased to the end of life and what happens after that?

It's going to be curious to see corporations when someone leaves the company, it's like, “We want your personal computer back because you worked on it during the pandemic.” I could see this getting really messy, but some companies just might choose to, “We will buy your computer from you when you quit the company.”

But then you're buying an old, outdated computer, and spending resources on that. Then, you have to turn around and resell it. One of our products that we've come out with—we call it WipeDrive Prime. It's a file that you can send out to your employees. First off, you’ve got to get their permission: “Hey, we want to erase your home computer.” They can push that out. The home user can go and download it, erase their home computer. Then when it's done, we have a QR code that pops up on the screen that has the error report, or a link to the log report—the certificate of destruction.

More people are working from home now, how can a company be sure the home computers are not saving data that should have been cleared?

On their side, they can scan it and say, “OK, this device has been securely erased.” Then, they can go from there and provide that proof back to their company. But you’re right. Can you imagine if your company told you to erase your phone or erase your computer? That's not going to be a good discussion.

There will be some interesting discussions in the upcoming months as people start going back into the office. I know you guys primarily deal with physical hard drives, but you talked about phones. There’s memory on our phones. You have flash drives. You've got all sorts of other types of media. How do we deal with those types of things?

First off, the data is on those devices. The manufacturers all, for the most part, do an encryption reset. That's why it happens like that. If you ever reset your phone or erase it, and it happens in four or five seconds, it's an encryption code reset. They go into the encryption, they say, “Create a new encryption key.” Then they say, “OK, you're clean. There's no more data left on this.” The concern we have on this side as a data security company is that you have this phone, you've reset the encryption key, but how long until that encryption is broken? We have encryption from 2010, 2011, we can break. This phone has data on there. It moves into storage, under warehouses, it goes to different places.

Let's say it just ends up in someone's drawer. Then a decade from now, they go and they open it up, and they address it. They can find corporate information or private health information because it can break that encryption. Our concern on our side is encryption keys are great. It's a great methodology to quickly erase or quickly deny access to that device. But on SSDs and flash media, you can still recover that information later on if that encryption is compromised. That's a big concern on our side. We let people know, encryption key resets are great. We do that with WipeDrive, and then it will overwrite it as well. You get the double protection.

Do most phones and operating systems allow you to wipe SSDs with that full pass, or is that something that you really have to get an additional software package to do, or jump through hoops to do?

You typically have to get an additional software package to do it because those manufacturers don't want to be liable for the data still on there. That’s a big vulnerability they have on their side. They're going to say, “Hey, we reset it. We do this.” If you look into it, they're going to say, “We're not here saying all your data is gone. We're not promising you anything.” That's the third-party providers like ourselves. We've been doing this for 23 years. We have cybersecurity insurance. We do all that, popular in all that area so that you on your side can know when you run WipeDrive, you get that certificate of destruction or that log report that all the data is gone.

That also helps with your audit process as well. You have proof saying devices A through 2000 have all been securely erased on this date and time with this software package. Now, we've resold them or donated them to charity, or whatever we want to do on our side.

That's probably a good point is that as a company, you don't want accusations that you were just throwing drives into the trashcan out back, yet, you want a documented process where, “Look, we have documentation of when we took drives out of service, how we took them out of service, when we wiped them, and where they went afterward,” as opposed to, “I don't know where it went.”

That's part of the data security policy. One of the huge issues with data is once it leaves your facility and it's sitting on a device, it could pop up, like I said, a decade later, or five years later. This is just theoretical. Let's say that the federal data privacy law eventually has teeth in it, where it's $50,000 a data breach or something like that. You have all these devices that are sitting in a warehouse—someone else’s warehouse—and a decade from now or 15 years from now, they come out, and it's a data breach. You didn't address them today, but you're risking it later. There's a mindset where most corporations have to say, “Hey, this is important. We have to address it immediately, otherwise, we're going to be at risk.” It's hard to see that far down really.

Sometimes, it's a hard sell for IT managers to say, “We need to spend the money now to do something to prevent a future risk that isn't a current risk.”

Data erasure is looked at as a cost, let’s be honest. We're not helping earn more revenue. We’re not helping anything be more efficient. We're just removing that data and that liability. It's hard for IT managers to argue for it. But it's gotten better. The acceptance has passed that curve of acceptance, and it's worth the cost. The budgeting is getting there for most corporations.

It just becomes a cost to doing business.

It is. It's built into the full IT life cycle, and that cost is associated with which tool they're going to use, and where those reports go, and who manages the audit on those reports—all that's built into it now for most corporations.

I know hard drives have gotten smarter in a sense. There are more chips on them. You have drives that are combinations of a spinning platter, in addition to solid-state. You get the price and the performance all working together. What happens if you have a drive that has failed in terms of your operating system? It can't interact with the drive. You have data that's on the drive, but you can't issue that one pass. You can't tell the flash drive, “Write zeros or ones.” You can't tell it to reset the encryption key. What do you do in those situations?

There's verification at the end of every overwrite. If we can't address a drive, or if that drive has a lot of bad sectors—there's a lot of different levels where we say with some corporations, they want zero bad sectors—we fail it, we spit it out. On your side we say, “Hey, shred it, destroy it. Do what you need to do on your side, but we can't address this on the software-based level.”

The recommendation there is to destroy those drives with SSDs. The NSA requires—I forget the size now—it's 0.01-cm shred size to get down there and make sure that every chip is completely obliterated. You would need to do that.

For consumers, what's the best if they've done the drive wipe, and they've lost control of the drive. They can't access it. They don't want to spend—how much does it cost to shred a drive—$20, $40, $50? If it's a consumer and you don't have a contract, $100? What's the best thing that the consumer does, just go out and grab a nail trying to pound it through?

Do we physically need to destroy the computer at some point?

That's a tough one on their side because most of these drives are pretty sturdy nowadays. In order to drill through it or destroy it, it's going to be a little bit of a headache. But we do recommend that on physical or on platter-based hard drives—a drill press, or a sledgehammer if you have to crush and destroy—that's a great way to go.

If you have an SSD, it's a little more difficult. There are little chips inside of the SSD and you have to destroy each one of those. It's a little bit of a headache, but on their side, I would do it. Tax documents, videos, pictures, everything on that drive—you don't want that getting out. The idea that things stick around for so long nowadays. It's not just a blip and it disappears. If it gets out there, it's out there for good as a consumer. That's a big issue as well.

I know from personal experience that it's getting harder and harder to physically destroy drives. It used to be that you drop a hard drive off your desk and it's almost like glass, and it shatters. A few years ago, I was out there with a hammer, just trying to even put a dent in the external structure of the hard drive. I was surprised at how much effort it took to just even dent the darn thing. If I could barely dent the outside, have I even crushed the platter? Have I caused anything to even break?

What most consumers can do is they can search for, if at least for those home computers they want to get shredded, they can search for ITADs in their area or e-stewards.org. These are the associations of IT asset disposition companies. The ones that process secondhand computers. They have shredders and everything on site. These companies have no problem. There are probably 200 or 300 throughout the US. There's probably one within half an hour or an hour of wherever you are. I'm sure you can call them up and say, “Hey, I have five drives I'd like to get shredded.” You can stop by and I'm sure they'll work something out with you. They want to help you on their side as well.

I remember the days of big giant magnets, electromagnets, and things like that.

Degaussers don't work on SSDs and flash media. There's a whole avenue there. You have all these degaussers out there, and they work perfectly on hard drives and platter-based drives. They destroy and make them unusable. Right after degaussing, you couldn't use that drive again, which is a big e-waste issue. But on SSDs, the data was still there. Now you have to shred them. It was the only way to physically destroy those chips. You had to get it down to that small size as well.

Here's an operational question, I suppose, for companies that do drive removal or drive wiping in-house, or people that are wanting to do it themselves, as drives are hitting this multiple-terabyte—I just bought an eight-terabyte drive the other day to replace one of the NAS—how long does it now take to wipe a 16-terabyte drive with a single pass?

What’s nice is it is with a single-pass down. Can you imagine DoD-3 on those ones? It did take three or four times the time. What's really nice with SSDs is their speed to erase per gigabyte is so much faster. Let's say, an eight-terabyte drive, on the hard drive side, it's still the speed of that device—7200 RPM or whatever the RPM is—in order to erase it. We have to address every sector. It's going to take hours to erase that eight-terabyte drive, probably somewhere around the neighborhood of 20, maybe more for that, if it's a platter-based drive. What's nice on the SSD side is it can be addressed so much faster. We have one-terabyte drives that can be erased in about 20-22 minutes.

Oh, wow.

That's not the encryption key. That's going through every area of that device, and erasing the data on that device as well. In 8-terabyte, 160 minutes, we're looking at 2 hours to 2 1/2 hours to erase that device. It is a length of time. Everyone loves it to be instantaneous. All the data is gone. That's where the encryption key is. They're like, “Hey, just erase with the encryption key and you're good, you're all set.” Thirty-five seconds later, but your data is still sitting there. We recommend taking the time, addressing it properly, getting all that data securely erased. On your side, the headache, hopefully, is gone on your side.

I suppose we should always be mindful of SD cards and cameras when we get rid of cameras. Most of the current cameras don’t have them physically installed. They're hot-swappable. Remember, the old digital cameras, they were hardwired in.

What about TVs? What about IoT devices? There's a whole area we're getting into where there are devices—washer-dryers, fridges. Your fridge can now have a screen there with pictures on it. How do you erase that so that when the next person gets it, they don't see your pictures, or download your pictures, or have access to your pictures?

There's a whole area here where I think as IoT keeps progressing to where the natural state is, they’re going to be data-bearing devices. That's why everyone refers to DVDs. Everything is going to have data pretty soon stored on it, and you have to address all that data wherever it’s at.

I could think of people like, “You're moving out of the country, and how many devices do we have that potentially have data on them? I've got old laptops in the safe. I've got a couple of old phones lying around. I've got some smart cameras. Oh, gosh. There's just tons of data everywhere.”

There is. On our side, to help the consumers, we actually provide our WipeDrive Home version for free, for one or two licenses. Just use the code HOMEFREE. You can download it from our website, and erase one or two computers on us because we know everyone has two or three laptops in the closet, four or five hard drives stored away, and they're sitting there going, “I don't want to let these go. I am too worried about it.” But at the same time, what's happening there is we're storing all these devices that could go into the secondhand market, maybe go to third world countries, or to charities, or people that need to have computers.

We're actually holding onto a bunch of devices, that if we process them correctly, they could go into this circular economy, help others, and be used. Before they're just e-waste, and we just dump them in the trash.

I'm sure some people, out of fear of not knowing what to do with it, just store it. They might have a closet full of old hard drives that haven't been wiped, that someone could come along and steal those drives, and have all the content on them.

That's why they're stored there. They're worried about it. We know a lot of corporations that have a storage area in their basement just full of old devices. Once a year, every other year they say, “OK, you're the tech. Go down there, start erasing computers.”

The chain of custody there is they’re locked up by a locker code or locked doors. But what if someone gains access to it and there's value? An SSD is worth $50, $80. What if they start stealing those and sell them on eBay, someone buys them on eBay, runs a data recovery tool that is free online and they can see all the videos, pictures, and files on that device. They start pulling off Excel docs and PDFs from your corporation, and you have bad actors that are ruining your chain of custody. That's why on our side, we say erase first.

When an employee leaves, have your tech show up or push out WipeDrive remotely, erase that device, get that report back, and then on the screen, you’ll have the QR code so you know it's been erased. Then it doesn't matter where it goes. Your data is safe, which is the most important part.

It's just part of the exit interview process. As soon as the person is done, someone pulls whatever data we need off the machine. We pull it off, reset it, and put it back into service as a fresh machine.

What's nice is that most of our computers are thin clients—everything’s on the network. We're not really storing major information on our computers or items that are vital to get off before we erase it. Typically, we can erase any device, and that information is backed up or stored elsewhere.

There's always a copy of something elsewhere, whether you like it or not. There's a copy.

It has to be out there somewhere.

We'll definitely make sure that we put a link to the website where they can use that coupon code to wipe a machine of their own. Is there any parting advice that you have for consumers?

That's the unknown item to most consumers is the value of their data, the risk that if it gets out, and also the permanent risk of that data. Just changing your Social Security Numbers is a big headache. But there's a whole bunch of other things that happen there if your birthdate gets out and other information. What we recommend on their side is to talk to your political representatives and say, “Hey, we need legislation that has teeth because once corporations have to protect consumer data, they will start protecting consumer data.”

They can. The processes are there. There's just no financial incentive to incorporate it or implement it. On our side, we recommend pushing for that. Ten years from now, we'll realize how important our data is. Let's protect it now so that we don't have to realize later what mistake we haven't solved now.

That's the challenging thing, is to figure out what the risk is 10 years from now for stuff that's happening today.

Exactly.

Paul, thank you so much for coming on the podcast today.

Thanks, Chris. It's a pleasure to be on the Easy Prey Podcast. I appreciate talking to you and your listeners. If there are any questions, please reach out to us at whitecanyon.com. My name is Paul Katzoff. You can reach me on Twitter @PaulKatzoff. Tweet me. Tweet my company. We're happy to answer any questions you have on data security on the consumer side, the corporation side, whatever you're doing on your side. We're experts. We'd love to help you.