Never heard this. Thanks.

That's an interesting story. It's kind of like buying information on eBay rather than hanging out in the alley going through the trash. Fax Machines and Computer based fax machines would probably have similar data. I had studied information security for a while and had not seen this flagged as a risk.

I'd be interested to see if Kev has...

(05-12-2010 10:25 AM)I45owl Wrote:  Fax Machines and Computer based fax machines would probably have similar data. I had studied information security for a while and had not seen this flagged as a risk.

This has been a security problem for quite a while now. Part of the problem is that most customers don't want to believe that it's a problem (or they're too trusting of the copier industry) so they don't get devices or services that can erase the stored data, plus the industry treats this as a customer problem and don't put forth any real effort to educate their customers about the risks.

And the risk is the same for modern faxes, and higher quality printers. Some have actual hard drives and some have built in flash memory.

Good find...That is scary as hell.

(05-12-2010 10:25 AM)I45owl Wrote:  That's an interesting story. It's kind of like buying information on eBay rather than hanging out in the alley going through the trash. Fax Machines and Computer based fax machines would probably have similar data. I had studied information security for a while and had not seen this flagged as a risk.

I'd be interested to see if Kev has...

Has anyone ever heard of a copy machine hard drive failure? Is the operating software embedded in the machine or is it on the HD also?

(05-12-2010 01:52 PM)SumOfAllFears Wrote:  

(05-12-2010 10:25 AM)I45owl Wrote:  That's an interesting story. It's kind of like buying information on eBay rather than hanging out in the alley going through the trash. Fax Machines and Computer based fax machines would probably have similar data. I had studied information security for a while and had not seen this flagged as a risk.

I'd be interested to see if Kev has...

Has anyone ever heard of a copy machine hard drive failure? Is the operating software embedded in the machine or is it on the HD also?

I asked that question of our IT guy. He said the OS was on the HD, but was fairly easy to load. He told us that our company was very aware of this issue, and we shelled out the extra $ so that the docs are erased from the HD each night.

Good questions. My expectation would be that they would not need the HD for the operating system and that it would only need to cache data, but my friend showed me that on the copier he has at his business can scan paperwork and send the resulting scan in PDF form to the email inbox of their employees. That may require too much of an OS to store in firmware. But, I'm just speculating.

It occurs to me that one solution for this problem - given the nature of the problem in this case - would be to store an encryption key on the local network. If the copier is then taken off-premises, the user-data would then be encrypted and useless to anyone that may come across it.

The downside is that it would be too complicated for most people to configure...

What scares me the most is nearly every where I have worked, we have leased our copy machines.

Hah. The public is a n00b farm ripe for plunder.

Better check to make sure that ATM/gas station doesn't have a fake credit card extension that grabs your info and makes you think the machine is broken.

Better check to make sure when you go to your banking site that there isn't a man in the middle stripping the SSL connection.

Better check to make sure you're not using your NCAAbbs login somewhere else as something secure, seeing as how it is transmitted in clear text unless, like me, you have root access to the server and can SSH tunnel your traffic when you don't trust the network you're on.

Anybody on your wifi network or who is a man in the middle on your wired network can read your Facebook IMs, Facebook PMs, MySpace IMs, Skype IMs, AIM IMs, Yahoo IMs, MSN IMs, ....

How many of you use your ISP's email address? (@bellsouth, @sbcglobal, @charter, etc) Now how many of you setup your email using their default instructions? Congrats -- the same that I said about IMs above applies.

Anybody who hops on a wired network can execute a DHCP exhaustion attack, run their own rogue DHCP server, and effectively take over the entire wired network as the man in the middle in about 24 hours, without once sending ARP traffic that normally triggers red flags of suspicious activity.

You think your smartphone is secure? Uncle Sam can enable the mic, webcam, and GPS remotely without you knowing, and even with the phone turned off. You can only close their back door by pulling out the battery.

Well surely documents you print aren't traceable right? WRONG. The vast majority of high resolution printers print out barely visible yellow dot coding denoting the make, manufacturer, model, and serial number of the printer. They can literally trace the printer back to the store it was sold at, then go through their records to find you. This was originally put in place to stop counterfeiting, but if you give the government a power....

Using Windows? Redmond is watching you if you use Vista or Windows 7. The OS watches what you're doing silently in the background. If it even so much as suspects you're trying to circumvent copyright protection (particularly on HD content) it can silently report you to Remond and/or the authorities, and even permanently revoke the graphics card driver and disable your entire video subsystem.

But the weakest link of all? The one that defeats security the most often? The one that is an almost inescapable reality of a dumb*** public? The end user. Famous hacker Kevin Mitnick didn't discover some unpublished exploit through some remote protocol to hack into big companies. He simply had someone take him on a tour in that company as though he was a potential customer, and during the tour he'd put a floppy disk labeled "salaries.xls" on a random table someone. And of course a dumb and nosey employee would see it, quietly swipe it, and pop that in their computer. Owned. And even better, said employee will be inclined not to say a word about it, because they'll reveal their own guilt in doing so.

It just happens to be that the hardcore security people are very similar to locksmiths. They are open about the philosophy of the trade, but do so (usually) under a banner of ethics and professionalism. This, however, does not apply to foreign nationals engaged in cyberwarfare.

(05-12-2010 01:52 PM)SumOfAllFears Wrote:  Has anyone ever heard of a copy machine hard drive failure? Is the operating software embedded in the machine or is it on the HD also?

Depends on the machine. You find really dumb*** design decisions by engineers who think MSCE is the be all end all of development education.

Say ... ATMs ... running Windows. And giant ad billboards ... running Windows. And grocery checkouts ... running Windows. And airport flight information screens .... running Windows. Etc. All of the following represent incompetent software engineers:















Olympics anyone?




In case you weren't sure that they should be bankrupt.....

Great post. Why is there a drive to keep records of the copies/faxes? Why isn't there a copy and delete function? TIA.

Why? Performance and functionality.

The basic idea is that it takes a lot longer to print the pages than it does to scan in 100 pages. Plus if the copier screws up 1/2 way through, you don't have to rescan. You can email copies of the scan in PDF form. You can "monitor compliance" with policies if the business has a need to do so.

There should be a retention policy and option to securely delete ... a default retention policy should probably be in place.

Back when I had a fax machine and 800 number in place at home, I'd get medical records sent to the house from some company. I had to track down the office that sent the records to make sure they could correct their mistake. The HIPPA implications of errant fax calls alone is staggering.

Interesting links:

http://agsci.psu.edu/it/news/2010/05/sec...py-machine

https://docs.google.com/viewer?url=http:..._41107.pdf

(05-15-2010 04:40 AM)georgia_tech_swagger Wrote:  

(05-12-2010 01:52 PM)SumOfAllFears Wrote:  Has anyone ever heard of a copy machine hard drive failure? Is the operating software embedded in the machine or is it on the HD also?

Depends on the machine. You find really dumb*** design decisions by engineers who think MSCE is the be all end all of development education.

And a bunch of funny pictures

I was at the Susquehanna Symphony on Sat nite, and they had a projection on the back drop. In the middle of the concert, a big Windows error function popped up on the screen. I immediately thought of you, GTS.

Not exactly the same thing, b/c I believe it was a pic on a computer being sent to a projector, and it was the computer running Windoze.

I thought about taking a pic of it, but figured that would distract the other concert goers.

Funny tho.