Archive for the ‘Cybercrime Trends’ Category

A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is making the rounds on the internet again, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. Scanned images are large, and copier hard-drives are as small as the manufacturer can get away with, because that is how they control cost. So yes, there are images on the drive, but the space they occupy is reused and the older images are overwritten on a regular basis. A high-use copier might hold documents a few days old, but not much older. (A lightly used machine keeps them longer, which is why the wipe advice below matters.)
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even halfway on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on its IT asset list, it should. (Though the main reason is the risk of an unpatched operating system sitting on your network, not the disk contents.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat will do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.


Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to its highest resolution, in color, and run a stack of pages through as fast as the copier will take them. More pixels per page means more of the drive gets overwritten. It still won’t stop an attacker with a forensics lab, but it will frustrate the 13-year-old who pulls the drive out of the trash.
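If you do pull the drive before disposal, the check a practitioner wants is whether anything recognisable is still on it. The following is an added example, not code from the original post: it carves a raw drive image for the file signatures a copier’s scan engine typically writes (JPEG, TIFF, PDF, PostScript) and shows that a “deleted” page stays visible until its blocks are actually overwritten. The image, offsets, page contents and filler pattern are all constructed for the demonstration; against a real drive you would read a `dd` image or the block device into the `image` bytes instead.

```python
"""Carve a raw copier-drive image for leftover scanned-page signatures.

Added example for this post, not code from the original article. It works on
an in-memory image; offsets, page contents and filler are constructed.
"""
import re
from typing import Dict, List, Tuple

# Magic bytes for the formats a copier's scan engine typically writes.
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "tiff-le": b"II*\x00",
    "tiff-be": b"MM\x00*",
    "pdf": b"%PDF-",
    "postscript": b"%!PS",
}

IMAGE_SIZE = 64 * 1024     # constructed 64 KiB "drive"
LIVE_OFFSET = 51200        # page still referenced by the copier's file table
DELETED_OFFSET = 20480     # page whose entry was removed but whose data remains


def find_signatures(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, format) for every signature in the image, sorted by offset."""
    hits = [(m.start(), name)
            for name, magic in SIGNATURES.items()
            for m in re.finditer(re.escape(magic), image)]
    return sorted(hits)


def overwrite(image: bytes, start: int, length: int, filler: bytes = b"\x00") -> bytes:
    """Overwrite image[start:start+length] with a repeating filler pattern.

    This is what a real wipe does. Removing a file-table entry (what "delete"
    usually means on a copier) touches none of these bytes.
    """
    if not filler:
        raise ValueError("filler must not be empty")
    if start < 0 or length < 0 or start + length > len(image):
        raise ValueError("range outside image")
    patch = (filler * (length // len(filler) + 1))[:length]
    return image[:start] + patch + image[start + length:]


def build_sample_image() -> bytes:
    """Constructed drive image: deterministic filler plus two planted pages."""
    # The byte run 0x00..0xff repeated never contains any SIGNATURES sequence,
    # so every hit comes from the pages we plant, not from the filler.
    image = bytearray(bytes(range(256)) * (IMAGE_SIZE // 256))
    live_page = b"\xff\xd8\xff\xe0" + b"JFIF live page " + b"\x00" * 100
    deleted_page = b"%PDF-1.4 deleted page " + b"\x00" * 100
    image[LIVE_OFFSET:LIVE_OFFSET + len(live_page)] = live_page
    image[DELETED_OFFSET:DELETED_OFFSET + len(deleted_page)] = deleted_page
    return bytes(image)


def residual_pages(image: bytes) -> List[str]:
    """Formats of every page image still recoverable from the drive image."""
    return [name for _, name in find_signatures(image)]


def main() -> None:
    image = build_sample_image()
    # The "deleted" PDF has no file-table entry, yet the carve still finds it.
    print("as pulled from the copier:", find_signatures(image))
    # Overwrite only the deleted page's blocks: the live page remains.
    partial = overwrite(image, DELETED_OFFSET, 4096)
    print("after partial overwrite:  ", find_signatures(partial))
    # Overwrite the whole device: nothing recognisable survives.
    print("after full overwrite:     ", find_signatures(overwrite(image, 0, len(image))))


if __name__ == "__main__":
    main()
```

Run it on a `dd` image of the real drive and an empty result is what you want to see. After the “cat pictures” wipe described above, expect the carve to report recent JPEGs; the point is that none of the old pages should be among them, so look at the offsets of what survives rather than just the count.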

After the impressive sophistication of the last two scams we’ve talked about, the one I got today is laughable. Note the poor grammar, absurd payout claim, lack of a personalized address, generic reply address and, of course, the inevitable request for a copy of your driver’s license. There’s been a significant uptick in these classic phishes in the past few months. It’s embarrassing that people still fall for these scams.

Unfortunately, the statistics still show that we fall for these scams at an appalling rate. Ironically, this one will probably do better than average because it claims to offer compensation for being the victim of a prior scam. Clearly, the scammers are thinking that if you fell for the earlier scam (and with a massive spam blast, they’re sure to reach some who did), you might be emotionally invested enough to want revenge and won’t look at the details in this “offer”.

Never reply to a spammer. And please do everything you can to help teach your co-workers, family members and friends how to avoid these scams. If it sounds too good to be true, it is.
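The tells listed above translate directly into detection rules. The following is an added example, not code from the original post: it parses a raw message with the standard library, checks it against each tell (generic greeting, reply address on a different or free-mail domain, absurd payout, request for identity documents, and the “compensation for a previous scam” hook) and returns which ones fired. Both messages are constructed for the demonstration; the free-mail list, the regular expressions and the threshold of three indicators are assumptions to tune against your own mail stream.

```python
"""Rule-based scoring of a raw e-mail against classic advance-fee-fraud tells.

Added example, not code from the original post. FREEMAIL, the patterns and
the threshold are assumptions; both sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict

# A Reply-To on a free webmail domain is the "generic reply address" tell.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

GENERIC_GREETING = re.compile(
    r"^\s*(?:dear\s+(?:sir|madam|beneficiary|customer|friend|winner)|attention|attn)\b",
    re.I | re.M,
)
ID_REQUEST = re.compile(
    r"driver'?s\s+licen[cs]e|passport|copy of your (?:id|identity)", re.I
)
BIG_PAYOUT = re.compile(
    r"(?:\$|usd|us\$)\s*\d{1,3}(?:,\d{3}){2,}|\b\d+(?:\.\d+)?\s*million\b", re.I
)
RECOVERY_BAIT = re.compile(
    r"\bcompensat(?:e|ion)\b|victim of (?:a )?(?:previous|prior|past|earlier) scam", re.I
)


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if there is none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> Dict[str, bool]:
    """Return each indicator and whether it fired for this message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    from_domain = _domain(str(msg.get("From", "")))
    reply_header = msg.get("Reply-To")
    # No Reply-To means replies go back to the From domain.
    reply_domain = _domain(str(reply_header)) if reply_header else from_domain
    return {
        "generic_greeting": bool(GENERIC_GREETING.search(text)),
        "reply_to_mismatch": reply_domain != from_domain,
        "freemail_reply": reply_domain in FREEMAIL,
        "absurd_payout": bool(BIG_PAYOUT.search(text)),
        "id_document_request": bool(ID_REQUEST.search(text)),
        "recovery_bait": bool(RECOVERY_BAIT.search(text)),
    }


def is_likely_419(raw: str, threshold: int = 3) -> bool:
    """True when at least `threshold` indicators fire (the threshold is an assumption)."""
    return sum(score_message(raw).values()) >= threshold


# Constructed "recovery scam" message in the style described in the post.
SCAM_SAMPLE = """\
From: "FBI Compensation Unit" <compensation-unit@fbi-office-usa.example>
Reply-To: agent.mark2010@gmail.com
Subject: YOUR COMPENSATION FUND OF $850,000,000.00

ATTENTION: SCAM VICTIM

We are please to inform you that you have been selected as a victim of a
previous scam and the sum of US$850,000,000.00 has been approve as your
compensation. Kindly send a scan copy of your drivers license and your
contact telephone to the agent in charge.
"""

# Constructed ordinary message for comparison.
LEGIT_SAMPLE = """\
From: Dana Reyes <dana.reyes@example.com>
To: Chris Park <chris.park@example.com>
Subject: Lunch Thursday?

Hi Chris,

Are you free Thursday at noon? The deli on 5th has a $9 special.

Dana
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        fired = [k for k, v in score_message(raw).items() if v]
        print(f"{label}: likely_419={is_likely_419(raw)} fired={fired}")
```

Each rule on its own is weak (plenty of legitimate mail comes from a free-mail address, and a payroll notice can mention a large figure), which is why the verdict is a count across independent tells rather than any single match. That mirrors the advice in the post: no one detail proves a scam, but several together should stop you from replying.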

I just read two security articles with some interesting implications when you take them together. The first noted that anti-virus software, while still vitally important to your computer, only stops 35-40% of malware attacks, down from about 47% last year. The second described a “sexy Candid Camera Prank” attack currently being launched against Facebook users.

In this Candid Camera Prank attack, someone posts a fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not play the video; instead it takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk, but your Facebook account is then used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that target the machine itself. But more and more have moved their attacks to social media. These attacks depend on you falling for a trick, which gives them a way into your network. Facebook, MySpace and other social media sites are very powerful and important tools, but the same things that make them valuable to you also make them easy avenues for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the detection rate is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilance and a healthy paranoia are the order of the day. No matter how good your technical defenses are, you cannot rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.

I got two spam messages today that I just have to share. (example 1 and example 2) They are such blatant examples of the Nigerian 419 scams that I laughed out loud.

Sadly, the answer is “yes”: these scams still work. The FBI continues to report hundreds of millions of dollars in losses to these frauds each year. Some are this blatant, but some are quite a bit more subtle. Variant scams target non-profits. One recent wave alleged that the charity was the beneficiary of an unnamed donor’s will. A surprising number of charities let blind hope get in the way of common sense. Wikipedia has an extensive list of the variants.

So what can you do about it? Some people retaliate. There are whole organizations dedicated to wasting the scammers’ time. They respond with equally false stories about how they are “excited to be notified about the windfall” but because of a religious tenet, need a picture of you (the scammer) “in white robes balancing a loaf of bread on your head while holding a fish under each arm” before they can send the money. Here is one group that collects and publishes the ‘trophy’ pictures of scammed scammers.

While it’s emotionally satisfying to think about retaliation, I strongly recommend that you just delete them. I also encourage you to think about friends and family who might not be as aware of these scams as you are. Do you have a dependent elder who is more trusting than he or she should be? Do you have a friend or co-worker who is a great person but a bit gullible? Send them copies of these scams so they learn what to look for. Help them set up spam filters and other computer protections. These scams are amazingly profitable. They will continue as long as we continue to fall for them.

Some background: The broader name for this kind of scam is “advance-fee fraud”. Following the collapse of the Nigerian economy in the 1980s, a large portion of the educated and computer-savvy population was unable to find gainful employment and turned their skills to crime in order to feed their families. The “419” in the name is not a telephone code; it refers to Section 419 of the Nigerian Criminal Code, which covers fraud, and the name stuck because so many of these emails originated in Nigeria. The same scam has since been run from England, Spain, Ireland, the USA, Canada, the Netherlands, Australia and elsewhere. An older version of this scam was carried out by regular mail from the late 1800s into the early 1900s under the Spanish Prisoner name.

Cybercrime is no longer the realm of pimply-faced pizza-eating nerds and computer wizards. If you need proof, read this article about a recent breach notice from Lexis/Nexis where they describe the connections to an old-school mafia family.

Why are they doing it? Because it works. Hacking, phishing and identity theft make money and lots of it. Don’t let yourself become a victim.