Information Security News mailing list archives

Junked PCs Offer Data for Taking


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Sep 2002 01:35:01 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,54986,00.html

[Data destruction doesn't have to be tedious, with some specialized 
tools: http://www.23.org/~chs/gallery/defconx/shoot/pict2159f.jpeg
http://www.23.org/~chs/gallery/defconx/shoot/pict2170f.jpeg

With good clear conditions and a few good friends, you can get the
desired effect, and guarantee that **NO ONE** is going to be able to
read the information on your former drives:

http://www.23.org/~chs/gallery/defconx/shoot/pict2206f.jpeg
http://www.23.org/~chs/gallery/defconx/shoot/pict2205f.jpeg  :)  - WK] 


-=-


By Elliot Borin 
2:00 a.m. Sep. 25, 2002 PDT 

Who is Bob Knowles and why does he claim that "if the right terrorist 
got the right 10 or 15 or 20 (surplus) computers, this country could 
be bankrupt?" 

Among other things, Knowles is the founder and CEO of Technology 
Recycling. And he would much rather people pay him $37.50 per 
component to break their old PCs down to tin, glass and molten hard 
drives than have them sell the machines intact to someone else. 

But that doesn't invalidate his claim that "the true toxicity in 
recycled computers is the data ... the lead and mercury are small 
potatoes." 

Citing a Gartner report that the only way to truly protect computer 
data from pirates is to destroy a system, Knowles said that selling 
the units without hard drives is not an adequate solution. Critical 
bits of information can be reclaimed from the RAM chips and CPU core. 

"I can't name any government agencies that are doing a good job at 
this," he said. "Banks, insurance companies, hospitals -- they're all 
clueless. The FAA, IRS, Federal Reserve (Board) all sell their 
computers. Charles Schwab, all the major hospitals, sell their 
computers. 

"One day they're spending millions on firewalls and encryption to 
protect these computers and the next they're selling them to the 
highest bidder. You say, 'You shred your documents, why don't you 
shred your computers,' and they go, 'Ooohhhh, my god.'" 

Many security experts agree that "dustbin computer" data poses a 
legitimate threat, if not to the fate of the nation, then to 
individuals' privacy rights. 

Consider pop icon Paul McCartney. His manager once sold some old PCs 
with financial records still intact on the hard drive, revealing to a 
not terribly surprised world that the ex-Beatle is not, in fact, a 
pauper. 

"You can find used drives on the cheap in bulk from any number of 
sources," said security consultant Richard Forno. "Anyone selling used 
hard drives should sanitize them thoroughly. Absent that, you will 
always have information getting out.... (It's) a very bad problem." 

Computer swap-meet vendor Jim Jensen relies on the General Services 
Administration's auction site for a consistent supply of spare parts 
for orphaned or obsolete machines. 

"Normally I boot them up, make sure the CPUs, RAM, hard drives, 
motherboards and power supplies are OK, strip them and sell the 
parts," he says. "Occasionally I do read a few files ... the most 
interesting so far was e-mail about a failed missile test that was on 
a NASA unit." 

Jensen suggests the GSA could make life more difficult for snoopers if 
it were more circumspect in describing its wares. 

"They tell you exactly who used it and where," he noted. "Who wouldn't 
fire up a data-recovery program to see what was on a drive labeled 
'CIA, Langley, Virginia'?" 

Techno-junk disposal is an 800-going-on-800,000-pound gorilla. EPA 
regulations severely limit what can go into landfills because of toxic 
materials. The 2001 Gramm-Leach-Bliley Act requires companies 
collecting personal financial data to provide cradle-to-grave security 
for it. 

One solution is donating used, but functional, computers to 
organizations trying to bridge the digital divide. 

As far as Knowles is concerned, even that approach is fraught with 
peril. 

"Some states give obsolete equipment to prisons for training inmates," 
he said. "There have been a lot of identity thefts and even cases of 
ex-cons stalking state employees." 




-
ISN is currently hosted by Attrition.org
