The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers. The risk that sensitive documents might make their way into the hands of undesirables was neatly …
This is not new...
It is said that among Xerox employees, there were CIA agents. CIA even had an office inside Xerox. The reason was, photocopiers used on embassies or sold to USSR were jacked with CIA equipment that could keep a copy of everything reproduced in them. All they had to do was to replace the secretive storage along regular copier maintenance, and it's been happening ever since the '60s. Lets face it, real large copiers have enough physical space to get anything inside it. Even a microfilm roll and an extra pair of lenses.
Or a midget, for that matter.
By the way, you didn´t hear it from me.
Well-known Xerox folklore, that
the idea being that a microfilm camera was incorporated into the optical path, so capturing everything that went through the machine. Arguably such an exercise would be more easily accomplished these days by emailing it out (nobody actually makes copiers any more, they're just printers with a scanner parked on top and some gubbins out the back to work out where to send the images). Hence truly security-conscious companies never even plug their MFDs into the network.
As it says, nothing new
After many years, I still recall the look of glee on the face of one of the penetration testers in my company when I told her that the new copiers installed around the company ran Windows NT4, and that each had its own IP address and browser-based interface.
She practically ran off to start hacking.
I never did ask her what she found...
"She practically ran off to start hacking."
Ahhhhh... Why can't I meet somebody like that!
mmm ... penetration tester
with a look of glee.... that's the kind of woman I like
Have to admit I didn't realise either
I thought these photocopiers and fax machines were using volatile RAM for the scanned images, rather than a hard disk.
Should have realised of course - magnetic storage is much cheaper than RAM.
So what other surprising things have non-volatile memory?
It's worth pointing out that many machines have two drives
one for image data, one for its operating system, although network data such as share paths for scanned documents and email configurations, including any relevant passwords, can also live in there.
A feature that can help enormously with your image data security is running a standard overwriting pass over the disk to securely erase it and can, in many cases, be regularly scheduled, but ideally you need to be aware of the existence of such drives and deal with them just as you would any other under your security policy.
You do have a security policy, right?
Copier hard drives don't show up on the network and they have firmware
First problem is in order to clear a copier hard drive you have to remove it from the machine. The hard drive is not accessable via the network. Many copiers have numerious hard drives not just one. Some have as many as 5 and they can be very hard to find them. But the main problem is unlike computers the copiers contain the firmware or special partitioning that is not available to the public. If you clear the drive you also clear this information and the copier won't work.
hence most vendors will turn the drives over to you to do as you will. Installing fresh software to a new drive is a reasonably trivial exercise, should the device be deployed elsewhere.
If a vendor won't allow you total control over this sort of data, don't use their products.
Car crushers are the answer
A large Canadian company in Toronto, Ontario securely warehouses all discarded hardware and periodically moves the collection, under security guard control, to a local car crusher where two members of the companies accounting office witness the destruction and disposal.
Another company I'm familiar with places all their electronics surplus in a sizeable tank at which point conductive foam, in a liquid form, is poured in and the foam generates destructive voltages killing the electronics as it solidifies.
Bring back Madame La Guillotine
The problem with crushing is that you have to kill the hard disc. If they dumped computers into the crusher there's a chance that the hard disc may well escape.
The only way is to remove a hard disc and literally fold it in half. Dropping a heavy spike on it, a-la guillotine, right in it's spindle chuff would proper fuck it. Or an oxy-acetylene torch. Or a disc cutter. Or even a 10lb sledge hammer. Ooh, torturing hard discs, what a great job.
It's surprising that there aren't mobile disc breaking services like there are for paper shredding. Tenner a disc?
... a very careful sysadmin who uses boot 'n' nuke on all our old systems before they go anywhere didn't realise that copiers had hard drives... I thought they stored it all in volatile RAM, makes sense for a networked machine capable of large jobs though to have something more capacious I suppose!
See, el Reg is a useful business tool, and me spending an hour a day reading is a good thing!
"While the risk involved in mobile phone are better understood,..."
Wipe that photocopier!
Okay, message received.
But where on earth am I supposed to insert my DBAN CD ???
My company rented several copiers to various delegations during the recent G20 meeting in Toronto. The Mounties supervised the removal and destruction of the hard drives. The cost of replacing the hard drives was factored into the rental cost.
Office party comes back to haunt
... just checking the disk for the date of last year's Xmas bash :-)
copiers and only 8 years
No, not quite....
As Canon UK's first ever systems support engineer/senior systems support engineer this has been going on for much longer.
I supported all departments, including over 100 engineers and thousands of customers from Sole traders to MOD sites and financial institutions.
As early as 1996 I had a senior officer call me up without announcing who he was and wanted to know everything the machine could do. After 45 minutes, he thanked me, informed exactly who he was and then said. Now I know what it can do, how do I stop it from doing so.
On early FIERY RIPS and GP controllers it was quite frequent to get requests from the MOD or simply MOD contractors stipulating they wanted to have the drives removable completely every day on a caddy, failing that which they couldn't have they insisted on the drives being handed over to them on the machine departing location and being ground to dust!
They were more than happy to pay over £1000 for a 500MB or less SCSI drive in some cases than to have any chance of the data obtained by an unauthorised source.
If defence contractors are not doing so nowadays it is because they are being less careful, in 1996 and earlier even on GP215 Mk1's with only battery backed up FAX board memory they were far more cautious. Even GP55F and GP30's with a hard drive for FAX inside the MDC were dismantled and the drives destroyed before they were ever allowed to leave site.
I never had a problem with requests for that to be done, one time even passing a hard drive that had to be used for test purposes over, even though they had stood and watched everything I had done. ------ Why should I they paid the bills for the replacement parts without question. and I could understand the precautions.------- If they don't do it now then someone needs a kick up the bum - extremely hard.
Especially as we started sourcing the parts from other than FIERY and the savings made on the costs of drives was passed directly to the customer, MOD or commercial!
Xerox have a great system
Look at ANY printout from a Xerox machine and you will see (with the use of a Loupe) tiny yellow spots all over the printout. These are unique to your printer, and mean any printouts (for example, fake banknotes) can be traced back to your machine.
This has been in place since Xerox started selling copying machines.
Didn't Apple sell a LaserPrinter II with a hard disk at phenomenal expense in the late 1980's? I think I printed my PhD out on one (not the choicest material for a hacker).
Arguably such an exercise would be more easily accomplished these days by emailing it out (nobody actually makes copiers any more, they're just printers with a scanner parked on top and some gubbins out the back to work out where to send the images). Hence truly security-conscious companies never even plug their MFDs into the network.
Um encryption . They have been available for the past 5 years on copiers. I know both Rico , HP ,lexmark,xerox make secure MFD that have a secure erase options and encrypt the hard drive ., The Rico and Xerox run linux. For the Rico and Xerox, Lemark you can lock it down to the point were you need a user name and password to retrieve prints and faxes. You can remove the email option to. I know they log every time you e-mail something from them. You can set it up so it logs the user and the email it was sent to.
- Updated Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- VMware reveals 27-patch Heartbleed fix plan