Jun 25 2008

Scan your drive for PII

Published by at 6:03 am under Privacy, Simple Security

Most people have no idea how much personally identifiable information (PII) they have on their hard drives. To be honest, the average consumer has no idea that they might be in danger by having PII on their drives in the first place. They don’t realize that many of the viruses today aren’t looking to do anything other than scan their hard drives looking for their credit card numbers so they can be sent back to the mothership. But now, thanks to Sensitive Number Finder (SENF) from the University of Texas, you can scan your hard drive to look for all those files that might have PII in them.

SENF is a Java applet that you download and run, no installation required. When I ran it against my “My Documents” folder, it turned up 65 files that might have PII in them. I really liked the fact that I don’t have to open the files themselves; a simple mouse click on the file in the SENF app shows me what strings triggered the match. Most of what I saw were game saves and configuration files, none of which had PII in them, but then I’m a security professional and have never, to the best of my knowledge, included my SSN or credit card number in a Word document.

This is a program worth keeping on your USB drive. It only takes a few minutes, and while it has a high number of false positives, it will give you a good idea of what’s on your hard drive. Or what’s on your parents’ drive when you go over there for the 4th of July and get roped into doing a little computer maintenance.

Found via LifeHacker
Update: Tim Krabec pointed out an alternative program, called Firefly. The only problem is it requires the .Net framework and the site doesn’t like Firefox.
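
An added illustration, not part of the original post and not SENF's code: a minimal scanner of the same kind that returns the strings that triggered each match, and uses the Luhn checksum and the SSA's never-issued ranges to separate plausible card numbers and SSNs from lookalikes such as game-save and config values. The regexes, function names and sample text are assumptions of this example.

```python
import os
import re

# Candidate patterns (assumptions of this example, not SENF's actual rules):
# 13-16 digit runs with optional space/dash separators, and NNN-NN-NNNN strings.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_text(text):
    """Return (kind, matched string, passed_validation) for every candidate."""
    hits = [("card", m.group(), luhn_ok(re.sub(r"[ -]", "", m.group())))
            for m in CARD_RE.finditer(text)]
    hits += [("ssn", m.group(), ssn_plausible(*m.groups()))
             for m in SSN_RE.finditer(text)]
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk a folder and map each file path to its validated hits only."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("latin-1")
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            strong = [h for h in scan_text(text) if h[2]]
            if strong:
                report[path] = strong
    return report

# Constructed sample: two lookalikes, a well-known test card number, a made-up SSN.
SAMPLE = ("save_slot=3 seed=1234567812345678\nbuild-id 000-12-3456\n"
          "Card on file: 4111 1111 1111 1111\nApplicant SSN: 123-45-6789\n")
```

Pattern matching alone flags all four strings in the sample; validation keeps only the last two, which is the difference between a raw hit count and a list worth reviewing by hand.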


2 Responses to “Scan your drive for PII”

  1. Justin Klein Keane on 26 Jun 2008 at 4:39 am

    We did an extensive evaluation of PII discovery tools, including several open source tools such as University of Texas’ SENF and Cornell’s Spider but found that all of them turned up way too many false positives to be useful for most users. Imagine the 63 false positives you got multiplied by the number of folders in your C: drive. We wanted users to be able to pull up PII in cache files and stowed AIM conversations so we couldn’t just limit them to the ‘My Documents’ folder. In our evaluation we actually found that IdentityFinder was pretty amazing software. They’re an up and coming player in the PII space and have yet to get swallowed up by the big anti-virus companies so they’re still really receptive to customer feedback. The IdentityFinder tool found fewer false positives and presented users with a much easier to use interface. It also includes options to securely shred or encrypt the material that it does find. Although it isn’t free, at $20 IdentityFinder is certainly worth the investment given the harm that lost PII could cause.

  2. Dave B. on 21 Mar 2012 at 2:24 pm

    Not much help.
    I tried the community version.
    It only looks for passwords and credit card numbers, does not seem to look at all files on system.

    From reading the usage agreement looks like for the commercial edition they want job descriptions of all users and function descriptions of all the devices that it is used on because you cannot easily change users. Can you imagine using this on 20 computers let alone 100 or more!?
    This is from the installation agreement:
    “If the License is issued on a Per-Employee basis, then the License may only be transferred to a new Employee whose job responsibilities are identical or substantially similar to the original authorized Employee’s job responsibilities,”

    I recommend looking at OpenDLP first.
