Digital copiers put personal information at risk
Posted in: Security, blog by Jack on 23 April 2010
We’ve mentioned on our blog how fax machines that use a film roll, primarily Brother and Panasonic fax machines that use film in place of a laser or ink cartridge, keep what is essentially a carbon copy of every fax that goes through the machine. This can put personal information, both yours and your customer’s, at risk of exposure to identity thieves.
Now CBS News shows how digital copiers can pose a similar risk. 
At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.
Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.
In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.
If you’re in the identity theft business it seems this would be a pot of gold.
“The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms,” John Juntunen said, “that information would be very valuable.”
“Nobody wants to step up and say, ‘we see the problem, and we need to solve it,’” Juntunen said.
This past February, CBS News went with Juntunen to a warehouse in New Jersey, one of 25 across the country, to see how hard it would be to buy a used copier loaded with documents. It turns out … it’s pretty easy.
Juntunen picked four machines based on price and the number of pages printed. In less than two hours his selections were packed and loaded onto a truck. The cost? About $300 each.
Until we unpacked and plugged them in, we had no idea where the copiers came from or what we’d find.
We didn’t even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division.
It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.
The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.
The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.
But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.
“You’re talking about potentially ruining someone’s life,” said Ira Winkler. “Where they could suffer serious social repercussions.”
Winkler is a former analyst for the National Security Agency and a leading expert on digital security.
“You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up,” Winkler said.
If you own a digital copier you owe it to yourself and your customers to read the full article. Don’t let your electronics compromise your security.
Recycle Safely
Posted in: Security, blog by Jack on 30 December 2009
Did Santa bring you a new fax machine or computer for Christmas? Are you planning on recycling or donating your old machine?
Here are a couple of security-related issues for your consideration.
Fax machines that use a film, as opposed to an ink or toner cartridge, retain an image of every fax the machine has reproduced. Think of the film as a long roll of carbon paper (those of you, like me, old enough to remember carbon paper). A perfectly readable image of every received fax is preserved on that roll of film. A discarded fax film is a goldmine for identity thieves.
We strongly recommend you destroy the used fax film. However, we have not yet identified the most effective way to do that. I’m not sure that feeding it through a paper shredder would work; in fact it may jam the cutting teeth of the shredder. Burning it is probably not an option, at least in the incorporated parts of San Diego. If your business uses the services of a document destruction company, I would suggest adding your fax roll to the bags of documents awaiting destruction. If that is not an option, perhaps soaking the roll of film in a can of gasoline or bleach will make it unreadable.
If anyone can offer a better or more practical solution, please let us all know in the comments.
It is perhaps more obvious that if you plan on recycling your old computer, you should first remove and then destroy the hard drive, unless you plan on using that drive again in your new computer or as an external drive (cases for this can be purchased from retailers like geeks.com for less than $20).
What may not be as obvious is that simply deleting the content on your hard drive isn’t sufficient. It’s not all that hard to reconstruct deleted data from a hard drive.
This is because when you delete something, you aren’t actually erasing that content. You’re merely erasing the marker that tells the operating system where to find that data on the disk. It’s as if you removed all the house numbers from a block of houses. The houses are still there but an individual house would now be hard to find if all you had to go on was the address. Forensic software can even recover data that has been over-written. There are software companies that sell applications that promise to delete your data “to military specifications”. Sounds pretty good, but the military doesn’t have a single set of specifications for data destruction.
• Clearing: Eradicating data to the extent that information cannot be retrieved through normal operation but may be salvaged in a laboratory.
• Sanitizing/purging: Removing data to a degree that it is beyond the reach of all ordinary and most laboratory recovery methods. This includes degaussing, which employs a special coil tool to demagnetize a drive’s magnetic media, scrambling all contents in the disk.
• Destroying: Disintegrate, incinerate, pulverize, shred, or melt.
Software and/or hardware can perform either of the first two types of deletion, but why spend $30 or more when you can perform that last type of data destruction yourself? All you need is a hammer. The other advantage to this technique is that it’s a great stress reliever. Remove the hard drive from the computer, place it on concrete or some other resistant material and smash the case as much as you can. Your goal is to break the disks inside the case. That should make the drive completely unreadable by even the most advanced forensic software. Then the drive should be safe to recycle with other electronics.
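The difference between deleting a file and clearing the space it occupied can be shown with a toy disk model. This is an added example, not part of the original post; the `ToyDisk` class, file names and sample values are constructed for illustration, and real file systems are more complex.

```python
BLOCK = 32  # bytes per block in this toy model

class ToyDisk:
    """A block array plus a directory (the 'house numbers')."""
    def __init__(self, nblocks=8):
        self.blocks = bytearray(nblocks * BLOCK)
        self.directory = {}      # name -> (offset, allocated size)
        self.next_free = 0

    def write(self, name, data):
        nblk = -(-len(data) // BLOCK)            # round up to whole blocks
        if self.next_free + nblk > len(self.blocks) // BLOCK:
            raise OSError("disk full")
        off = self.next_free * BLOCK
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, nblk * BLOCK)
        self.next_free += nblk

    def delete(self, name):
        # Ordinary delete: only the directory entry goes away.
        del self.directory[name]

    def clear(self, name):
        # Clearing: overwrite the file's blocks, then drop the entry.
        off, size = self.directory.pop(name)
        self.blocks[off:off + size] = bytes(size)

def raw_scan(disk, marker):
    """Search the raw blocks and ignore the directory, as recovery tools do."""
    raw = bytes(disk.blocks)
    hits, pos = [], raw.find(marker)
    while pos != -1:
        end = raw.find(b"\x00", pos)
        hits.append(raw[pos:end if end != -1 else len(raw)])
        pos = raw.find(marker, pos + 1)
    return hits

def demo():
    disk = ToyDisk()
    disk.write("deleted.txt", b"SSN: 000-00-0000")   # constructed sample data
    disk.write("cleared.txt", b"SSN: 999-99-9999")   # constructed sample data
    disk.delete("deleted.txt")
    disk.clear("cleared.txt")
    visible = sorted(disk.directory)      # what the operating system lists
    recovered = raw_scan(disk, b"SSN:")   # what is still on the platters
    return visible, recovered

if __name__ == "__main__":
    print(demo())
```

Both files vanish from the directory, but only the cleared one is gone from the raw blocks of this toy disk.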
One last suggestion for protecting your information as 2010 rolls around: I know several people who celebrate New Year's by shredding all their old paperwork, receipts, bills and correspondence. They keep 3-5 years of archived paperwork and everything older gets shredded. But even shredded paper can be reconstructed by someone determined to do so. If you throw shredded documents out in the trash, consider pouring some liquid into the bag with it to cause the ink to run and make each strip harder to read, or use that bag for used kitty litter. Put the trash out just before pickup to deny someone the chance to get access to it. In most states, once you put your trash can on the curb you no longer have property rights over it. Anyone can go through your trash looking for personal data that will let them borrow your identity.
Malware alert: Gumblar
Posted in: Security, blog by Jack on 4 June 2009

More than 1,500 Web Sites have been Attacked.
Severity: High Risk
What is it?
Gumblar is currently targeting users of IE and Google search, delivering malware through compromised sites that infects a user’s PC and subsequently intercepts traffic between the user and the visited sites. This means that once infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, passwords or other sensitive data. Visitors encountering the compromised website also risk having their subsequent search results replaced with links that point to other malicious websites. The malware can also steal FTP credentials from the victim’s computer and use them to infect more sites, thus increasing the spread of this threat.
Who is at risk?
Users of Internet Explorer and Google’s search engine.
Prevention
Make sure your anti-virus definitions are up to date, and practice caution when sharing your personal information online. Make sure you only do so on secure sites (https://).
(information courtesy of Zone Alarm via Gmail)