Fax machines can expose personal information

Posted in: Security, blog by CW on 9 November 2010 | No Comments

We have quite a few customers who use fax machine that take the type of film roll shown below.

Film is a fairly common medium used in fax machines. There are machines that use ink or toner cartridges but they are less common. Panasonic and Brother both still use film in their fax machines.

The film rolls are convenient and easy to install. You can either buy them as a single roll mounted on a frame or two rolls with no frame. The frames are reusable, so once you’ve purchased a frame and roll combo save the frame and buy the 2-pack from then on. This is more economical since both the one-roll-plus-frame and the two-roll pack are usually the same price.

There is one serious problem with film fax machines that users of ink or laser-based fax machines don’t have to worry about, and that’s the potential of these films to compromise your personal information.

Think of this film as a roll of carbon paper. Those of you too young to remember what carbon paper is, ask someone from my generation. While fax film isn’t composed of the same materials as carbon paper, the manner in which it transfers an image onto paper is nearly identical. The black coating on the film is transfered to the paper to create the faxed image or words. This means that everywhere the coating has been transfered to the paper the clear film backing is exposed. This produces what in effect is a negative image of every fax your machine has printed out. Read from the back the film preserves a perfectly readable copy of each printed fax. If you have ever exchanged faxes with your mortgage broker or bank your account numbers, Social Security number, address, phone number, the names of your family members, all sorts of personal information will be easily readable on the film. Fished out of your trash, this would be a goldmine of information to a would-be identity thief.

We are still looking into methods to destroy these rolls of film once they have been used completely. So far we haven’t come up with a fool-proof method. If you have any suggestions we’d love to hear them in the comments. For now our best advice is to keep the used rolls in a bag or shoebox, stored away from the prying eyes of crooks.

Related articles

• threatpost: Anti-Phishing Group Targeting Fax-Based Scams (boxofmeat.net)
• Thermal vs. Laser Printing: Which is Greener? (brighthub.com)

Digital copiers put personal information at risk

Posted in: Security, blog by CW on 23 April 2010 | 1 Comment

We’ve mentioned on our blog how fax machines that use a film roll, primarily Brother and Panasonic fax machines that use film in place of a laser or ink cartridge, keep what is essentially a carbon copy of every fax that goes through the machine. This can put personal information, both yours and your customer’s, at risk of exposure to identity thieves.

Now CBS News shows how digital copiers can pose a similar risk.

At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.

Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.

In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.

If you’re in the identity theft business it seems this would be a pot of gold.

“The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms,” John Juntunen said, “that information would be very valuable.”

“Nobody wants to step up and say, ‘we see the problem, and we need to solve it,’” Juntunen said.

This past February, CBS News went with Juntunen to a warehouse in New Jersey, one of 25 across the country, to see how hard it would be to buy a used copier loaded with documents. It turns out … it’s pretty easy.

Juntunen picked four machines based on price and the number of pages printed. In less than two hours his selections were packed and loaded onto a truck. The cost? About $300 each.

Until we unpacked and plugged them in, we had no idea where the copiers came from or what we’d find.

We didn’t even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division.

It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

“You’re talking about potentially ruining someone’s life,” said Ira Winkler. “Where they could suffer serious social repercussions.”

Winkler is a former analyst for the National Security Agency and a leading expert on digital security.

“You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up,” Winkler said.

If you own a digital copier you owe it to yourself and your customers to read the full article. Don’t let your electronics compromise your security.

Related articles by Zemanta

• 409,000 Members Notified of Potential Security Breach – Copy Machine Hard Drive (ducknetweb.blogspot.com)
• Oh Goody, A New Security Threat (minx.cc)
• Copiers make more copies than you think (feldmanfile.blogspot.com)
• The Danger of Digital Copiers – Who Knew? (cbsnews.com)
• Second-hand copiers can spill secrets (news.cnet.com)

Recycle Safely

Posted in: Security, blog by CW on 30 December 2009 | 1 Comment

Image via Wikipedia

Did Santa bring you a new fax machine or computer for Christmas? Are you planning on recycling or donating your old machine?

Here are a couple of security-related issues for your consideration.

Fax machines that use a film, as opposed to an ink or toner cartridge, retain an image of every fax the machine has reproduced. Think of the film as a long roll of carbon paper (those of you, like me, old enough to remember carbon paper). A perfectly readable image of every received fax is preserved on that roll of film. A discarded fax film is a goldmine for identity thieves.

We strongly recommend you destroy the used fax film. However, we have not yet identified the most effective way to do that. I’m not sure that feeding it through a paper shredder would work; in fact it may jam the cutting teeth of the shredder. Burning it is probably not an option, at least in the incorporated parts of San Diego. If your business uses the services of a document destruction company, I would suggest adding your fax roll to the bags of documents awaiting destruction. If that is not an option, perhaps soaking the roll of film in a can of gasoline or bleach will make it unreadable.

If anyone can offer a better or more practical solution, please let us all know in the comments.

It is perhaps more obvious that if you plan on recycling your old computer, you should first remove and then destroy the hard drive, unless you plan on using that drive again in your new computer or as an external drive (cases for this can be purchased from retailers like geeks.com for less than $20).

What may not be as obvious is that simply deleting the content on your hard drive isn’t sufficient. It’s not all that hard to reconstruct deleted data from a hard drive.

This is because when you delete something, you aren’t actually erasing that content. You’re merely erasing the marker that tells the operating system where to find that data on the disk. It’s as if you removed all the house numbers from a block of houses. The houses are still there but an individual house would now be hard to find if all you had to go on was the address. Forensic software can even recover data that has been over-written. There are software companies that sell applications that promise to delete your data “to military specifications”. Sounds pretty good, but the military doesn’t have a single set of specifications for data destruction.

• Clearing: Eradicating data to the extent that information cannot be retrieved through normal operation but may be salvaged in a laboratory.

•Sanitizing/purging: Removing data to a degree that it is beyond the reach of all ordinary and most laboratory recovery methods. This includes degaussing, which employs a special coil tool to demagnetize a drive’s magnetic media, scrambling all contents in the disk.

•Destroying: Disintegrate, incinerate, pulverize, shred, or melt.

Software and/or hardware can perform either of the first two types of deletion, but why spend $30 or more when you can perform that last type of data destruction yourself? All you need is a hammer. The other advantage to this technique is that it’s a great stress reliever. Remove the hard drive from the computer, place it on concrete or some other resistant material and smash the case as much as you can. Your goal is to break the disks inside the case. That should make the drive completely unreadable by even the most advanced forensic software. Then the drive should be safe to recycle with other electronics.

One last suggestion for protecting your information as 2010 rolls around: I know several people who celebrate New Years by shredding all their old paperwork, receipts, bills and correspondence. They keep 3-5 years of archived paperwork and everything older gets shredded. But even shredded paper can be reconstructed by someone determined to do so. If you throw shredded documents out in the trash, consider pouring some liquid into the bag with it to cause the ink to run and make each strip harder to read, or use that bag for used kitty litter. Put the trash out just before pickup to deny someone the chance to get access to it. In most states, once you put your trash can on the curb you no longer have property rights over it. Anyone can go through your trash looking for personal data that will let them borrow your identity.

Related articles by Zemanta

• Grab Your Old Statements, We’re Going To The Shred-A-Thon! [Identity Theft] (consumerist.com)
• PostNet partners with Shred-it to provide industry-leading document destruction business solutions (newswire.ca)

Malware alert: Gumblar

Posted in: Security, blog by CW on 4 June 2009 | 1 Comment

More than 1,500 Web Sites have been Attacked.
Severity: High Risk

What is it?
Gumblar is currently targeting users of IE and Google search, delivering malware through compromised sites that infect a user’s PC and subsequently intercepts traffic between the user and the visited sites. This means that once infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, passwords or other sensitive data. Visitors encountering the compromised website also risk having their subsequent search results replaced with links that point to other malicious websites. The malware can also steal FTP credentials from the victim’s computer and use them to infect more sites, thus increasing the spread of this threat.

Who is at risk?
Users of Internet Explorer and Google’s search engine.

Prevention
Make sure you anti-virus definitions are up-to-date and practice caution when sharing your personal information online. Make sure you only do so on secure sites (https://)

(information courtesy of Zone Alarm via Gmail)

Related articles by Zemanta

• Managing your Passwords: Protection from Phishing / Identity Theft (chris.pirillo.com)
• Google serves up the Top 10 sites to avoid at all costs (thenextweb.com)