[ISN] Junked PCs Offer Data for Taking

From: InfoSec News (isnat_private)
Date: Wed Sep 25 2002 - 23:35:01 PDT

    http://www.wired.com/news/technology/0,1282,54986,00.html
    
    [Data destruction doesn't have to be tedious, with some specialized 
    tools: http://www.23.org/~chs/gallery/defconx/shoot/pict2159f.jpeg
    http://www.23.org/~chs/gallery/defconx/shoot/pict2170f.jpeg
    
    With good clear conditions and a few good friends, you can get the desired
    effect, and guarantee that **NO ONE** is going to be able to read the
    information on your former drives:
    
    http://www.23.org/~chs/gallery/defconx/shoot/pict2206f.jpeg
    http://www.23.org/~chs/gallery/defconx/shoot/pict2205f.jpeg  :)  - WK] 
    
    
    -=-
    
    
    By Elliot Borin 
    2:00 a.m. Sep. 25, 2002 PDT 
    
    Who is Bob Knowles and why does he claim that "if the right terrorist 
    got the right 10 or 15 or 20 (surplus) computers, this country could 
    be bankrupt?" 
    
    Among other things, Knowles is the founder and CEO of Technology 
    Recycling. And he would much rather people pay him $37.50 per 
    component to break their old PCs down to tin, glass and molten hard 
    drives than have them sell the machines intact to someone else. 
    
    But that doesn't invalidate his claim that "the true toxicity in 
    recycled computers is the data ... the lead and mercury are small 
    potatoes." 
    
    Citing a Gartner report that the only way to truly protect computer 
    data from pirates is to destroy a system, Knowles said that selling 
    the units without hard drives is not an adequate solution. Critical 
    bits of information can be reclaimed from the RAM chips and CPU core. 
    
    "I can't name any government agencies that are doing a good job at 
    this," he said. "Banks, insurance companies, hospitals -- they're all 
    clueless. The FAA, IRS, Federal Reserve (Board) all sell their 
    computers. Charles Schwab, all the major hospitals, sell their 
    computers. 
    
    "One day they're spending millions on firewalls and encryption to 
    protect these computers and the next they're selling them to the 
    highest bidder. You say, 'You shred your documents, why don't you 
    shred your computers,' and they go, 'Ooohhhh, my god.'" 
    
    Many security experts agree that "dustbin computer" data poses a 
    legitimate threat, if not to the fate of the nation, then to 
    individuals' privacy rights. 
    
    Consider pop icon Paul McCartney. His manager once sold some old PCs 
    with financial records still intact on the hard drive, revealing to a 
    not terribly surprised world that the ex-Beatle is not, in fact, a 
    pauper. 
    
    "You can find used drives on the cheap in bulk from any number of 
    sources," said security consultant Richard Forno. "Anyone selling used 
    hard drives should sanitize them thoroughly. Absent that, you will 
    always have information getting out.... (It's) a very bad problem." 
    
    Computer swap-meet vendor Jim Jensen relies on the General Services 
    Administration's auction site for a consistent supply of spare parts 
    for orphaned or obsolete machines. 
    
    "Normally I boot them up, make sure the CPUs, RAM, hard drives, 
    motherboards and power supplies are OK, strip them and sell the 
    parts," he says. "Occasionally I do read a few files ... the most 
    interesting so far was e-mail about a failed missile test that was on 
    a NASA unit." 
    
    Jensen suggests the GSA could make life more difficult for snoopers if 
    it were more circumspect in describing its wares. 
    
    "They tell you exactly who used it and where," he noted. "Who wouldn't 
    fire up a data-recovery program to see what was on a drive labeled 
    'CIA, Langley, Virginia'?" 
    
    Techno-junk disposal is an 800-going-on-800,000-pound gorilla. EPA 
    regulations severely limit what can go into landfills because of toxic 
    materials. The 2001 Gramm-Leach-Bliley Act requires companies 
    collecting personal financial data to provide cradle-to-grave security 
    for it. 
    
    One solution is donating used, but functional, computers to 
    organizations trying to bridge the digital divide. 
    
    As far as Knowles is concerned, even that approach is fraught with 
    peril. 
    
    "Some states give obsolete equipment to prisons for training inmates," 
    he said. "There have been a lot of identity thefts and even cases of 
    ex-cons stalking state employees." 
    
    
    
    