In an age when groups of anonymous attackers are targeting credit card companies and confidential U.S. diplomatic cables are being posted to the public Internet, U.S. space agency NASA has managed an embarrassing gaffe: it’s been selling PCs from the space shuttle program without first confirming all data had been wiped from the systems. According to NASA’s report on the incidents (PDF), there’s no way to know what potentially sensitive data may have been on the systems, but data found on similar equipment raises “serious concerns” information subject to U.S. export control might have walked out the door.
A NASA internal investigation found 10 cases where agency PCs were sold even though they failed data removal procedures. Another four PCs that were on the verge of being sold were found to still contain data subject to export restrictions under arms control regulations, and dozens of other PCs at a disposal facility still had labels and other markings that revealed details of NASA’s internal network configuration—potentially valuable information to anyone looking to infiltrate NASA’s network. In other incidents, NASA found that technicians did not property keep track of removed hard drives during the agency’s teardown process.
The issues spanned four NASA facilities at Kennedy and Johnson space centers, as well as the Ames and Langley research centers.
NASA is currently winding down the space shuttle program, with only two scheduled shuttle flights remaining. The final shuttle flight is currently scheduled for June 2011. The agency says it is reviewing and updating its equipment disposal procedures.
Everyday computer users can take a lesson from NASA: if you decide to resell a PC, at the very least completely wipe the system’s hard drive before turning the system over to a new owner. To be reasonably secure from sophisticated prying, that means repeatedly overwriting every sector of the drive with garbage data—and, yes, the process can take a long time. With hard drives being comparatively inexpensive these days, it might be more time efficient to remove and destroy drives before selling a system.