back to article eBay photocopier data risk ignored

The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers. The risk that sensitive documents might make their way into the hands of undesirables was neatly …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Black Helicopters

    This is not new...

    It is said that among Xerox employees, there were CIA agents. CIA even had an office inside Xerox. The reason was, photocopiers used on embassies or sold to USSR were jacked with CIA equipment that could keep a copy of everything reproduced in them. All they had to do was to replace the secretive storage along regular copier maintenance, and it's been happening ever since the '60s. Lets face it, real large copiers have enough physical space to get anything inside it. Even a microfilm roll and an extra pair of lenses.

    Or a midget, for that matter.

    By the way, you didn´t hear it from me.

    1. Anonymous Coward
      Anonymous Coward

      Well-known Xerox folklore, that

      the idea being that a microfilm camera was incorporated into the optical path, so capturing everything that went through the machine. Arguably such an exercise would be more easily accomplished these days by emailing it out (nobody actually makes copiers any more, they're just printers with a scanner parked on top and some gubbins out the back to work out where to send the images). Hence truly security-conscious companies never even plug their MFDs into the network.

  2. smudge
    Gates Horns

    As it says, nothing new

    After many years, I still recall the look of glee on the face of one of the penetration testers in my company when I told her that the new copiers installed around the company ran Windows NT4, and that each had its own IP address and browser-based interface.

    She practically ran off to start hacking.

    I never did ask her what she found...

    1. heyrick Silver badge
      Heart

      @ smudge

      "She practically ran off to start hacking."

      Ahhhhh... Why can't I meet somebody like that!

    2. Roger Merrick
      Happy

      mmm ... penetration tester

      with a look of glee.... that's the kind of woman I like

  3. Richard 12 Silver badge

    Have to admit I didn't realise either

    I thought these photocopiers and fax machines were using volatile RAM for the scanned images, rather than a hard disk.

    Should have realised of course - magnetic storage is much cheaper than RAM.

    So what other surprising things have non-volatile memory?

  4. JaitcH
    Happy

    Car crushers are the answer

    A large Canadian company in Toronto, Ontario securely warehouses all discarded hardware and periodically moves the collection, under security guard control, to a local car crusher where two members of the companies accounting office witness the destruction and disposal.

    Another company I'm familiar with places all their electronics surplus in a sizeable tank at which point conductive foam, in a liquid form, is poured in and the foam generates destructive voltages killing the electronics as it solidifies.

    1. Wibble

      Bring back Madame La Guillotine

      The problem with crushing is that you have to kill the hard disc. If they dumped computers into the crusher there's a chance that the hard disc may well escape.

      The only way is to remove a hard disc and literally fold it in half. Dropping a heavy spike on it, a-la guillotine, right in it's spindle chuff would proper fuck it. Or an oxy-acetylene torch. Or a disc cutter. Or even a 10lb sledge hammer. Ooh, torturing hard discs, what a great job.

      It's surprising that there aren't mobile disc breaking services like there are for paper shredding. Tenner a disc?

  5. Anonymous Coward
    Black Helicopters

    It's worth pointing out that many machines have two drives

    one for image data, one for its operating system, although network data such as share paths for scanned documents and email configurations, including any relevant passwords, can also live in there.

    A feature that can help enormously with your image data security is running a standard overwriting pass over the disk to securely erase it and can, in many cases, be regularly scheduled, but ideally you need to be aware of the existence of such drives and deal with them just as you would any other under your security policy.

    You do have a security policy, right?

    1. Copier John
      Stop

      Copier hard drives don't show up on the network and they have firmware

      First problem is in order to clear a copier hard drive you have to remove it from the machine. The hard drive is not accessable via the network. Many copiers have numerious hard drives not just one. Some have as many as 5 and they can be very hard to find them. But the main problem is unlike computers the copiers contain the firmware or special partitioning that is not available to the public. If you clear the drive you also clear this information and the copier won't work.

      1. Anonymous Coward
        Anonymous Coward

        Quite so

        hence most vendors will turn the drives over to you to do as you will. Installing fresh software to a new drive is a reasonably trivial exercise, should the device be deployed elsewhere.

        If a vendor won't allow you total control over this sort of data, don't use their products.

  6. Anonymous Coward
    Flame

    "While the risk involved in mobile phone are better understood,..."

    Bell end.

  7. Anonymous Coward
    Thumb Up

    Even me...

    ... a very careful sysadmin who uses boot 'n' nuke on all our old systems before they go anywhere didn't realise that copiers had hard drives... I thought they stored it all in volatile RAM, makes sense for a networked machine capable of large jobs though to have something more capacious I suppose!

    See, el Reg is a useful business tool, and me spending an hour a day reading is a good thing!

  8. 0765794e08
    Joke

    Wipe that photocopier!

    Okay, message received.

    But where on earth am I supposed to insert my DBAN CD ???

  9. Johnny Canuck

    G20

    My company rented several copiers to various delegations during the recent G20 meeting in Toronto. The Mounties supervised the removal and destruction of the hard drives. The cost of replacing the hard drives was factored into the rental cost.

  10. Toxic_Overdraft

    Office party comes back to haunt

    ... just checking the disk for the date of last year's Xmas bash :-)

  11. Anonymous Coward
    Linux

    copiers and only 8 years

    No, not quite....

    As Canon UK's first ever systems support engineer/senior systems support engineer this has been going on for much longer.

    I supported all departments, including over 100 engineers and thousands of customers from Sole traders to MOD sites and financial institutions.

    As early as 1996 I had a senior officer call me up without announcing who he was and wanted to know everything the machine could do. After 45 minutes, he thanked me, informed exactly who he was and then said. Now I know what it can do, how do I stop it from doing so.

    On early FIERY RIPS and GP controllers it was quite frequent to get requests from the MOD or simply MOD contractors stipulating they wanted to have the drives removable completely every day on a caddy, failing that which they couldn't have they insisted on the drives being handed over to them on the machine departing location and being ground to dust!

    They were more than happy to pay over £1000 for a 500MB or less SCSI drive in some cases than to have any chance of the data obtained by an unauthorised source.

    If defence contractors are not doing so nowadays it is because they are being less careful, in 1996 and earlier even on GP215 Mk1's with only battery backed up FAX board memory they were far more cautious. Even GP55F and GP30's with a hard drive for FAX inside the MDC were dismantled and the drives destroyed before they were ever allowed to leave site.

    I never had a problem with requests for that to be done, one time even passing a hard drive that had to be used for test purposes over, even though they had stood and watched everything I had done. ------ Why should I they paid the bills for the replacement parts without question. and I could understand the precautions.------- If they don't do it now then someone needs a kick up the bum - extremely hard.

    Especially as we started sourcing the parts from other than FIERY and the savings made on the costs of drives was passed directly to the customer, MOD or commercial!

  12. JayKay
    Thumb Up

    Xerox have a great system

    Look at ANY printout from a Xerox machine and you will see (with the use of a Loupe) tiny yellow spots all over the printout. These are unique to your printer, and mean any printouts (for example, fake banknotes) can be traced back to your machine.

    This has been in place since Xerox started selling copying machines.

  13. Bob Kentridge

    Ancient history

    Didn't Apple sell a LaserPrinter II with a hard disk at phenomenal expense in the late 1980's? I think I printed my PhD out on one (not the choicest material for a hacker).

  14. Anonymous Coward
    Anonymous Coward

    encyption

    Arguably such an exercise would be more easily accomplished these days by emailing it out (nobody actually makes copiers any more, they're just printers with a scanner parked on top and some gubbins out the back to work out where to send the images). Hence truly security-conscious companies never even plug their MFDs into the network.

    Um encryption . They have been available for the past 5 years on copiers. I know both Rico , HP ,lexmark,xerox make secure MFD that have a secure erase options and encrypt the hard drive ., The Rico and Xerox run linux. For the Rico and Xerox, Lemark you can lock it down to the point were you need a user name and password to retrieve prints and faxes. You can remove the email option to. I know they log every time you e-mail something from them. You can set it up so it logs the user and the email it was sent to.

This topic is closed for new posts.