[Infowarrior] - High-tech copy machines a gold mine for data thieves

Richard Forno rforno at infowarrior.org
Sun Mar 21 19:11:34 UTC 2010



Begin forwarded message:

> From: Simon Taplin <simon.taplin at gmail.com>
> Date: March 21, 2010 3:09:18 PM EDT
> 
> High-tech copy machines a gold mine for data thieves
> Noor Javed
> Staff Reporter
> 
> http://www.thestar.com/news/gta/article/781567--high-tech-copy-machines-a-gold-mine-for-data-thieves#article
> 
> 
> Want to know what expenses your boss claimed last month? How much your
> colleague makes? What the co-worker down the hall is really working
> on? Forget about hacking their computers – you might want to hit the
> nearest photocopier instead.
> 
> Turns out the newfangled, multi-purpose copy machines in your office
> keep a wealth of copied data on a hard drive that anyone can hack.
> 
> In the age of everything digital, the photocopier is probably the one
> workplace item you never thought to worry about. It's just making a
> copy of a document, right? How risky could that be?
> 
> Very risky, as it turns out. You might want to press cancel on the
> copy machine right about now.
> 
> Victor Beitner, a security expert who reconfigures photocopy machines
> destined for resale in Toronto, says businesses are completely unaware
> of the potential information security breach when the office
> photocopier is replaced.
> 
> They think the copier is just headed for a junkyard but, in most
> cases, when the machine goes, so does sensitive data that have been
> stored on the copier's hard drive for years.
> 
> "If I was the kind of person looking for certain information, this
> would be a gold mine," said Beitner, founder of Cyber Security Canada,
> a security, privacy and threat management company. "People have no
> clue of what the risks are."
> 
> Of the dozens of multi-purpose copiers Beitner has cleaned out in the
> past two years, he has seen hundreds of scanned documents that would
> be considered confidential. As a personal policy, he never reads them,
> but can easily tell where they are by the file names and sizes.
> 
> "In almost all the machines I have seen, the files, phone numbers, fax
> numbers and email addresses are left there as if it was still in the
> office," said Beitner. "There are files from insurance companies,
> medical facilities, pharmaceutical and regular office-type documents,"
> he said.
> 
> Even though high-volume photocopy machines with hard drives have been
> around for more than five years – most large offices today would have
> them, the kind that photocopy 35 to 60 pages a minute – people rarely
> think of them as computers, said University of Toronto computer
> science professor Graeme Hirst.
> 
> "Modern, large, office-type photocopiers are computers. The whole
> system is controlled by a computer, it has a hard disk. It scans
> images and they are stored on the disc," said Hirst. "They are also
> networked computers, and they have all the same security issues that a
> computer does, so all the same security issues arise," he said.
> 
> Such as being targeted by hackers, said Beitner. Any web-savvy,
> techno-whiz kid could easily access the hard drive, or send all scans
> to email or, if they have the password, retrieve copies of
> confidential documents by simply hooking their laptop up to the
> copier.
> 
> And, as a few Google searches will show you, you don't even need to
> leave the comfort of your home. The activity of photocopiers linked to
> an unsecure network can be seen and tracked online. With a few clicks
> of a mouse, and no knowledge of how to hack, we could see the latest
> activity of a photocopier in Korea, which included copies of invoices
> and employee expenses.
> 
> "I am at the administrator level of the network," said Hirst. "If the
> password is changed, I can't get in and change any of the settings.
> But sometimes, all the logins and passwords are easily found online."
> 
> In Toronto, most rented photocopiers are picked up when the lease is
> almost over, usually anywhere from two to five years. If the copiers
> are in good shape, they are often destined for auction, where they are
> bought to be resold. Some end up with dealers, who ensure confidential
> information is erased. Others can be found on Kijiji or Craigslist,
> and likely still have crucial data on them.
> 
> Some companies, like Rite Copy Service, tell their clients to remove
> the hard drives and purge them before they are picked up for resale.
> Or they replace the hard drives. But that costs extra time and money.
> 
> The cheaper thing to do, says Beitner, is to make the data
> inaccessible, clear the memory on the machine and change the pass
> codes through the machine panel. It doesn't completely wipe the hard
> drive, but renders it unusable to the average person.
> 
> "Ninety-nine per cent of the population can't get to it. But it's the
> one per cent, the guy who is going to come in the middle of the night,
> take the hard drive out and scrub all the data off it," said Beitner.
> "There is still that risk."
> 
> It's an issue that first came to light five years ago, and larger copy
> companies also came up with solutions, said Dr. Avner Levin, the
> director of the Privacy and Cyber Crime Institute at Ryerson
> University. Companies like Xerox now have enhanced security measures
> that enable an office to remove the hard drive and do digital
> shredding.
> 
> Levin says this is really part of a larger issue – the lack of
> awareness about technology in the everyday work environment.
> 
> "People in general aren't very good about storing their data, but here
> is a case where they don't even know their data is being stored," he
> said. "I think few people think about the consequences of the
> technology they are using."
> 


