http://cnews.canoe.ca/CNEWS/Canada/2005/03/20/967337-cp.html

By JUDY MONCHUK
March 20, 2005

CALGARY (CP) - In the realm of high-tech dangers, few would consider the lowly fax machine or photocopier a security risk.

That would be naive, says Tim Chander, research manager of Alberta's Office of Information and Privacy.

"It's not your grandfather's printer anymore - these things are computers with hard drives that can be connected to the Internet," said Chander. "Anything you're photocopying (is) copied and stored on the hard drives unless they are overwritten."

Chander said most businesses, government offices and health authorities lease their office equipment without considering the security ramifications.

"We haven't had a complaint come to our office. We just want organizations to be aware that anyone photocopying personal, business or health information to realize that when your lease is up, your information is going out the door," he said.

The government of Alberta recently put together a policy stipulating that any leased machine with a hard drive must have its memory wiped clean when its lease is up. Departments also have the option of purchasing the hard drive - a cost of about $300.

Josh Ryder, manager of computer security at the University of Alberta in Edmonton, says few people think of printers as a security threat.

"If you explain that every document you've ever photocopied on this machine is walking out the door when this machine walks out, that's probably plain enough that most people would sit up and pay attention," said Ryder. "But I don't think it's being explained that way."

Most office equipment with digital technology now has multi-tasking capabilities and memory to queue up jobs from a number of computers as well as taking information from outside sources.

"Now the fax machine is essentially a printer," said Ryder.
And while most companies have firewalls set up to protect their computer networks from hackers or viruses, Ryder noted that printers or fax machines generally sit outside that layer of protection.

"The issue is that these devices are not secure. Generally, you can't say 'only allow these computers to listen to you.'"

Unauthorized access or disclosure of personal information is a breach of privacy legislation. Alberta's privacy commission's office notes that both the organization that puts the information on the machine and the vendor are responsible for the information on it.

"Some of these older machines get refurbished and sold again," said Chander. "Some companies we've spoken with wipe the data themselves. But those are the large companies like Xerox and Hewlett Packard."

Chander suggests that anyone handling sensitive information stipulate in leasing agreements that the memory must be wiped clean or that they have the option of purchasing the hard drive to destroy it themselves.

Federally, the Department of National Defence has a policy where they retain the hard drive of any fax machine or photocopier when a lease is up.

So could someone hack into a fax or photocopier and hijack a networked computer system? Both Ryder and Chander say it's technologically possible.

"It's a logical conclusion," said Chander. "We haven't heard of it, but I'm not ruling it out."

Although hard drives and the information they hold are not easily accessible on most machines, Chander says it's important to be vigilant.