Articles
qcred11
Jun 24 2004, 03:05 PM
QUOTE
"Even laptops with hard drives that had been erased and defragged were easily hacked to reveal company secrets"
Five pounds sterling (about $9) is all it took for Stockholm-based Pointsec Mobile Technologies, a data encryption vendor, to buy a laptop on eBay which still contained, it says, the access codes needed to gain administrator rights to "the secure intranet of one of Europe's largest financial services groups."
As part of an experiment to see how well companies protect information on their laptops, Pointsec purchased laptops at Internet and public auctions - including auctions of laptops lost and never reclaimed in airports, or turned into police stations - in Britain, Germany, Sweden, and the United States.
Of the 100 laptops acquired, the company was able to read information on 7 out of 10 hard disks, sometimes using easily available or off-the-shelf password cracking tools.
"Dozens of Web sites ... offer password-cracking software or [recovery] software which criminals, hackers, and opportunists use when they want to break into laptops or Web sites," notes Peter Larsson, CEO of Pointsec Mobile Technologies. Such tools make it easy to recover information from a laptop, even if all files have been erased and the hard drive defragmented.
Just take the aforementioned financial services firm's laptop. Beyond passwords, there were also 77 Microsoft Excel documents containing such things as customer e-mail addresses, dates of birth, home addresses, and telephone numbers. If a competitor procured such data, the results could be devastating; someone might try to blackmail the company into paying hush money.
Despite those potential threats, however, Pointsec says the unnamed company in question is already in violation of Britain's Data Protection Act, which mandates safeguarding citizens' private information. Any of those threats could adversely affect a company's stock price, if made public.
Pointsec says companies obviously need to do a better job of wiping data from computers to be sold. "Even when companies or individuals believe they have wiped the hard drive clean, it is blatantly clear how easy it is to retrieve sensitive information from them both during their current lifetime and beyond it," says Larsson.
For laptops lost in transit, which Pointsec tested at lost-property auctions for such airports as Britain's Gatwick, researchers were able to access information on one in three laptops' hard drives. When performing the experiment on laptops at an auction in Sweden, Pointsec even found sensitive information from "a large food manufacturer," including "four Microsoft Access databases containing company and customer-related information, 15 Microsoft PowerPoint presentations containing highly sensitive company information, and 1512 JPEG pictures of both a company and private nature."
Evidently many companies aren't protecting in-use laptops with strong encryption in case the laptops are lost or stolen. Yet "Pointsec's research demonstrates just how easy it is to access information which is not adequately protected," notes Tony Neate, the tactical and technical industry liaison at the UK National Hi-Tech Crime Unit. His recommendation: "Encryption and other security measures are vital to ensure that security is not compromised - something as simple as a hard disk drive password can deter the opportunist."
Pointsec recommends companies follow four steps to better secure their employees' mobile devices: centrally manage mobile device security technology, removing responsibility from employees; mandate access control and encryption use; create a company-wide policy for mobile-device use, and educate staff on it; and encrypt hard disks (this "protects the information during the laptop's life and beyond its active service").
For those enamored by a new calling in used hard drives and corporate blackmail, Larsson recommends against it. Despite the relative bargain - corporate secrets for little money - "you could be facing a very long stretch at Her Majesty's pleasure," he notes.
Pointsec says it will destroy all laptops procured for its experiment.
D3ADLiN3
Jun 25 2004, 06:02 PM
Ahhh yes, the even better ones are where they don't even bother to erase the data on the machine. An example of this is a PC I bought from a certain railway company in the UK which gave me access to their internal network via a VPN. Don't you just love the save password tick box?
exp0sed
Aug 9 2005, 06:34 AM
I don't know what is more dangerous... the fact that this can be done or the fact that people are drawing attention to it. Making this common knowledge puts even more companies at risk because hackerwannabes will start snatching up old laptops and trying to steal secrets... I mean, I guess it is good because people will not be forced to find ways to do actually permanent file deletions... maybe this is gonna be the next big thing in IS?
Xcaliber
Aug 13 2005, 04:56 PM
QUOTE(exp0sed @ Aug 9 2005, 12:34 AM)
maybe this is gonna be the next big thing in IS?

No, it's actually an old problem easily remedied by removing the hard drive and any other proprietary products attached. Carelessness isn't the beginning, it's more likely an awareness and/or policy enforcement problem. This is one of the reasons I spend extra hours destroying hard drives than I would care to at work--opposed to the lugheads at D**M who think reformatting is enough.