Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Warranty void if seal shredded? - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Warranty void if seal shredded?

Fellow ISC handler Patrick Nolan commented earlier on the changes to HIPAA requirements that the recent HITECH act brings to hospitals and health care providers in the U.S. The portion that I want to dive into with a bit more detail is

"Electronic media [must be] cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that [sensitive information cannot] be retrieved."

NIST 800-88  is pretty succinct and explicit in its demands on how media and harddisks are to be purged or destroyed. "Purging" refers to making the contents unreadable by "degaussing" the disk or using the "secure erase" command in the drive's firmware. "Destroying" in the words of NIST includes "Disintegration, Pulverization, Melting, and Incineration".

So far, so good. But there's a catch. Let's assume that you have a hard drive which contains sensitive data. It doesn't really matter if you are a bank or a hospital or a cutting-edge research shop: The data on the disk is vital. And the disk just snuffs it one day and refuses to spin. Let's further assume that - not uncommon for servers - the disk is still under warranty, and if you ship it back to your vendor, you'll get it replaced for free.

Now what? According to NIST 800-88, a disk with sensitive content which leaves your organization's control has to be destroyed. I strongly suspect though that shipping a baggie of metal confetti back to your vendor could slightly impair your warranty rights. Shipping the disk as-is, on the other hand, exposes your data to all sorts of nightmares, not the least of which being your vendor getting it back to spin and reselling it on eBay as "used, in working condition".

How do you deal with this problem? Do you shred all the disks that leave your shop, forgoing the warranty? Do you degauss the disks before returning, hoping that the degausser actually does its job and the vendor's check doesn't mind? Did you carefully vet your vendor's media handling and have full traceability for all disks returned? Or do you simply take the plunge and hope that your old disk vanishes in the sea of disks offered for resale?

Please let us know by participating in the poll to the right!



367 Posts
ISC Handler
My company has a deal with HP. If a drive fails we fill out a form to confirm that the drive has failed and has been destroyed and they send a replacement. We locally destroy the drive by pulverizing it. That's the fun part!

5 Posts
One way to solve such a problem is to use encryption. Many commercial DB will allow you to fully encrypt your data and store the key on a separate location (for instance, a USB stick inside your machine). Full disk encryption for DAS is still problematic, but it's another worthwhile solution and there are product that works with SANs at various level that will ensure all data in store is encrypted. All these solution will pretty much make sure no one can recover data off failed hard drive. And as a poor man's solution, you can always use hardware RAID5 which will make sure no single disk contains more than a fraction of your complete data, usually in a pretty useless way.
16 Posts
Most large vendors (in my experience) will either sell you a "keep your bad disks" rider on your warranty or will allow you to certify the destruction of a disk for warranty replacements. Alternatively, a degaussed disk is externally indistinguishable from a non-degaussed disk...
RAID5 isn't much of a solution. Most RAID5 approaches default to a chunk size of at least 64K, and my personal experience is that performance is roughly optimal when the chunk size is roughly equal to (avg_seek_time + avg_rotational_latency) * physical_transfer_rate (that is to say, when the time to get to a random piece of data on the disk is roughly equal to how long it takes to read a chunk from the disk). For modern drives, that's 512K or larger. That means you're looking at pretty big chunks, so while you're not going to reconstruct a file system or large files in whole, a inquisitive adversary will find plenty of large chunks of your data . . .
In addition to large vendors that already offer a "keep your bad disks" support plan, there is also at least one vendor that will accept the top cover of the drive as evidence that it has been destroyed.

Sign Up for Free or Log In to start participating in the conversation!