Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts tagged hacking

Modern, high tech photocopiers come with hard drives and they’re easy to hack. You probably never thought twice about making a copy of your paycheck or insurance claim, but, if you do it at work, you might want to think twice.

Victor Beitner, a security expert who reconfigures photocopy machines destined for resale in Toronto, says businesses are completely unaware of the potential information security breach when the office photocopier is replaced.

They think the copier is just headed for a junkyard but, in most cases, when the machine goes, so does sensitive data that have been stored on the copier’s hard drive for years.

“If I was the kind of person looking for certain information, this would be a gold mine,” said Beitner, founder of Cyber Security Canada, a security, privacy and threat management company. “People have no clue of what the risks are.”

Of the dozens of multi-purpose copiers Beitner has cleaned out in the past two years, he has seen hundreds of scanned documents that would be considered confidential. As a personal policy, he never reads them, but can easily tell where they are by the file names and sizes.

“In almost all the machines I have seen, the files, phone numbers, fax numbers and email addresses are left there as if it was still in the office,” said Beitner. “There are files from insurance companies, medical facilities, pharmaceutical and regular office-type documents,” he said.

So, just how easy is it to access the information?

Any web-savvy, techno-whiz kid could easily access the hard drive, or send all scans to email or, if they have the password, retrieve copies of confidential documents by simply hooking their laptop up to the copier.

And, as a few Google searches will show you, you don’t even need to leave the comfort of your home. The activity of photocopiers linked to an unsecure network can be seen and tracked online. With a few clicks of a mouse, and no knowledge of how to hack, we could see the latest activity of a photocopier in Korea, which included copies of invoices and employee expenses.

If your company has one of these newer copiers, there are several ways to ensure the data is removed. If it’s to be resold at auction, erasing the hard drive is a good start. Clearing the memory and changing the passcodes make it inaccessible to most people. Removing the hard drive and replacing it with a new one is an even better option.

The flaw in the system is that photocopiers were not designed to erase data as soon as the copy was made. Some machines do erase it, such as Xerox, but not all copiers are designed this way. It would be a good idea to ask your vendor before making such a crucial purchase. There is never a legitimate reason to keep photocopied data for years.


It appears that whois.com has been hacked. A message at the website states that NetDevilz has hacked their site. Screenshot below.


While still incarcerated, Francis “Frank” Janosko hacked into the prison system’s computer that had been provided for inmates to perform legal research. He obtained sensitive information on prison employees, including their dates of birth, Social Security Numbers, telephone numbers, home addresses and employment records.

The computer he used was a so-called thin client computer that simply connected to another machine on the network and did not store any data itself, prosecutors said in Janosko’s indictment. The only program it was supposed to run was the prison’s legal research application.

However, Janosko found a way of “exploiting an idiosyncrasy in the legal research software” so he could access other programs via the terminal. He even found a way of downloading Internet video, prosecutors said.

Janosko pleaded guilty and will serve 18 months in prison, followed by three years of supervision, which includes a prohibition on computers.


Corsaire has released their white paper [pdf] on hacking magstripe gift cards.

This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”, which was delivered at the EUSecWest security conference in London in May 2009. It concentrates on magnetic stripe (magstripe) gift card attack techniques and also provides a series of guidelines and tips for developers and systems architects who are involved in the process of implementing their own gift card technology.


“What Star Trek Predicts About The Future of Information Security” from ha.ckers.org is an insightful look at how, in the future, we’ll still be screwing things up. Even with the best intentions, we’ll probably never get information security 100% right.
