How many of you knew this, and what's your opinion of the risk?

[StatFreak]

This is disturbing to me, not only because the copy machine industry has kept quiet about this Big Brother aspect of their technology, but because it appears that many large companies that deal with secure data and who's business it is to have IT security personnel who should know of, and be prepared to deal with this security hole, are also unaware of it and are taking no precautions when disposing of old electronic equipment.

Of course, the story is almost a year old, so maybe companies have cleaned up their act since then...      but don't bet your private medical data and social security number on it!


<a href="http://www.youtube.com/v/iC38D5am7go&rel=0" target="_blank">http://www.youtube.com/v/iC38D5am7go&rel=0</a>

[stayouttadabunker]

They said 60% knew that there was a hard drive on them.
I don't believe that figure...I'll bet it was closer to 2% that knew there was a hard drive...
especially the ones that are on a container ship to Singapore...lol


I wonder if I can buy a used copier that was at the Pentagon?   

[StatFreak]

They said 60% knew that there was a hard drive on them.
I don't believe that figure...I'll bet it was closer to 2% that knew there was a hard drive...
especially the ones that are on a container ship to Singapore...lol


I wonder if I can buy a used copier that was at the Pentagon?   

Actually, they said the opposite: that 60% DIDN'T know there was a hard drive on digital copiers. However, I agree with you. I also doubt that anywhere near 40% know this, and I suspect that your 2% figure is closer to the truth than their 40% figure.

By what right do they put these drives in the copiers in the first place?! So that law enforcement or the government can confiscate your copier and use evidence of actions that you thought were private against you in court? Do any other good reasons come to mind?! 

And forget your personal copier, unless you bought a business model laser printer like I did. Most smaller copiers don't have hard drives -- yet. But what about all the copies made of personal information in every personnel department of every large and medium sized company? What about copied bank records, medical records, again, all made by copy machines within supposedly secure areas of banks, hospitals, insurance companies, and on and on.

I used to work for banks and dealt with losses and security issues. I personally held in my hand and made a copy of a check written by Heidi Fleiss's company (and signed by her personally) to one of our customers, who shall remain nameless, but whom some of you might know. That is just one small example of information that could be have been used to ruin someone at the time.

You know what they say: You're not paranoid if they really are out to get you. 


 
I find this practice (by the copy machine manufacturers) despicable. A machine does not need to store data beyond the life of the job, or perhaps the most recent 4 or 5 jobs, in order to allow the information to be reprinted in the event of a malfunction. There is no reason to store every single piece of information imparted to the machine permanently.

[StatFreak]

Something else to consider: Any printer connected to the network and assigned an IP address is subject to the same possibility of being hacked for the data on its hard drive as any computer on the network, and probably isn't nearly as well secured or watched.

Just a thought.

[jay]

I find this practice (by the copy machine manufacturers) despicable. A machine does not need to store data beyond the life of the job, or perhaps the most recent 4 or 5 jobs, in order to allow the information to be reprinted in the event of a malfunction. There is no reason to store every single piece of information imparted to the machine permanently.

Like most journalistic reporting i feel that this is somewhat sensationalized.
On the admin settings of Ricoh copiers you have the option to retain job history and there is a time setting for this retention or to purge after every job.

With this said when the copier finishes its service life I would bet dollars to dognuts that I could take the drive out, slave it to a PC and start extracting information. I do however believe that I would not be pulling information back from day1 of service life but rather the oldest information I would get would come from the highwater mark with more recent information being the most available.

There should be a function on the copiers to format the drive and there should be a practice in which the lease company guarentees destruction. (Most big copiers are leased due to the high maint requirements).

Assuming the drive is used to hold information while the actual output mech is busy - the highwater mark is the point in which the drive was most full.

[StatFreak]

Like most journalistic reporting i feel that this is somewhat sensationalized.
... 

...   I do however believe that I would not be pulling information back from day1 of service life but rather the oldest information I would get would come from the highwater mark with more recent information being the most available.

...

Assuming the drive is used to hold information while the actual output mech is busy - the highwater mark is the point in which the drive was most full.

Perhaps. How do you explain the statement that they downloaded "tens of thousands of documents in less than twelve hours." ?  That doesn't sound like only high watermark data to me.

...
On the admin settings of Ricoh copiers you have the option to retain job history and there is a time setting for this retention or to purge after every job.
...

There should be a function on the copiers to format the drive and there should be a practice in which the lease company guarentees destruction. (Most big copiers are leased due to the high maint requirements).
...

I agree that the copiers should have a function to SECURELY format the drive (since a normal format won't remove the data.) I also believe that the industry should have been open and forthcoming to its customers that such drives were in the machines in the first place, since printers and copiers are not devices which the average end user would associate with long-term storage of information. I also believe that the drives should be easily accessible and DOCUMENTED in the manual, so that companies concerned about the security of their data can remove them completely before returning the machines. The new owner or the leasing company would then have to put new drives into the machines before reuse, an inexpensive and reasonable solution whose cost would be passed on to the new lessee.


The fact remains that the manufacturers were NOT honest or forthcoming about it until journalists uncovered the truth, sensationalized or not.


I am also not convinced that Ricoh's job history function is evidence that a hard drive on one of their machines does not keep records of past data. I have used many high end copiers, and none generally display more than a few cached jobs that can be re-initiated. That certainly doesn't jive with the number of documents that these journalists were able to download from these drives, nor does a high watermark theory, nor does it excuse the industry from hiding the truth about their machines.

[brichter]

These are business class machines and the IT folks know they have hard drives (or the IT folks need to be replaced with clueful people, i.e. they shouldn't be IT folks in the first place). The hard drive size is listed plainly in the specifications of the copier. These aren't home machines. The 60% they refer to are cluelesss citizens, the same folks who stuff envelopes with checks in them into the mailbox at home before leaving for work, ASSuming nobody will steal the contents before the mailman picks it up.

These devices do have security measures but it's up to the business to either purchase that option (as it may not be necessary in many situations) or justify not purchasing it.

The most useful piece of information I pulled from this video is that the Buffalo PD's IT department folks are the dimmest bulbs in the chandelier.

As Jay stated, the drives are to hold the jobs while the machine is busy. You can only send one fax at a time, and there's no way a business can afford to have folks waiting around while images get sent at 14.4kbps, especially when the document is 10 pages long.

[brichter]

Something else to consider: Any printer connected to the network and assigned an IP address is subject to the same possibility of being hacked for the data on its hard drive as any computer on the network, and probably isn't nearly as well secured or watched.

Just a thought.

Network printer protocols aren't designed to send print jobs, only to receive them. The only thing sent are ACKs to data packets and status info like toner levels back to the printer driver if bidirectional communication is implemented. The business class printers may have SNMP functionality, but once again, that's status information, not documents.. It's not like they've implemented FTP to transfer documents.

You'd have better luck sniffing the wire and trying to decode the PCL or PostScript encoding as it gets sent to the printer. Even better would be if it's a wireless interface on the printer, rather than a hard wired connection.

[StatFreak]

Something else to consider: Any printer connected to the network and assigned an IP address is subject to the same possibility of being hacked for the data on its hard drive as any computer on the network, and probably isn't nearly as well secured or watched.

Just a thought.

Network printer protocols aren't designed to send print jobs, only to receive them. The only thing sent are ACKs to data packets and status info like toner levels back to the printer driver if bidirectional communication is implemented. The business class printers may have SNMP functionality, but once again, that's status information, not documents.. It's not like they've implemented FTP to transfer documents.

You'd have better luck sniffing the wire and trying to decode the PCL or PostScript encoding as it gets sent to the printer. Even better would be if it's a wireless interface on the printer, rather than a hard wired connection.

I beg to differ with you. My printer has an FTP server, acts as a print server, using the pre-defined machine range of 169.254.*.* (APIPA) to assign DHCP addresses, can do so over a wireless connection, and will also email scanned items and incoming faxes as well as FTP them.

While it is not designed to forward print jobs, it certainly can and will forward scans and incoming faxes. How much of a stretch is it to think that a talented hacker could get the machine to dump some or all of the contents of the drive to an email or FTP address?


<EDIT> Not to forget that the news article's stated security threat is from the physical extraction of data from a hard drive in the possession of someone unscrupulous, not through hacking into the printer over the net, so this line of discussion is a side bar only.

[StatFreak]

...
The most useful piece of information I pulled from this video is that the Buffalo PD's IT department folks are the dimmest bulbs in the chandelier.
...

    I agree about the PD.

So how does that explain the data from the insurance company and the other copiers they bought? Are you saying that these journalists just hit the jackpot and managed to pick the only used machines coming from companies with unqualified IT specialists?


P.S. Remember that you work for an IT company -- that is, a company who's business is IT. It's a different ballpark when you work for IT in a company that doesn't value IT because it produces widgets. My former boss found that out the hard way after we left a company devoted to the internet space and he went to work for a law firm. He's been there for some time and is now their top database guy, but he's still just a peon in the company structure with very little clout or say because the lawyers come before everyone else in that firm, since they bring in the money. The company's view is that IT's only purpose for being is to serve the whims and needs of the attorneys.

[brichter]

While it is not designed to forward print jobs, it certainly can and will forward scans and incoming faxes.

It's not a printer, it's an all-in-one device.The defense rests.  

[brichter]

...
The most useful piece of information I pulled from this video is that the Buffalo PD's IT department folks are the dimmest bulbs in the chandelier.
...

   I agree about the PD.

So how does that explain the data from the insurance company and the other copiers they bought? Are you saying that these journalists just hit the jackpot and managed to pick the only used machines coming from companies with unqualified IT specialists?

Ok, here comes the "War and Peace" response...


Please note my comment about Buffalo PD is due to the fact that their initial security breach wasn't even on the hard drive of the copier, they left the originals on the scanning bed of the machine.  

 I think your outrage is misplaced, your comment about the manufacturers not revealing that they store data on hard drives is contradicted by the video. Armen clearly stated that every single one of the manufacturers they contacted said they offer security and encryption packages for their machines, so exactly what are you basing your statement on that they're keeping this quiet? I don't think their sales forces are purposely not offering these moneymaking options to their customers so as to hide the fact that there are hard drives contained in the machines. I find it more than a little suspicious that the only individual with the viewpoint that the manufacturers are trying to hide the existence of hard drives in these machines just happens to be the guy that's making money by offering a service to destroy the data on those hard drives.  

As far as the survey, turn it around and say that 40% of Americans are aware that these devices have hard drives. If you look at this number in relation to how many Americans are end users or providing the services of these machines, it would seem that the knowledge is pretty well widespread. Remember, we're not discussing copiers and scanners that an individual buys for a home or small office, these are enterprise business class machines with price tags to match. Add to that the fact that knowledge of this has only gotten better since the clip you posted was originally aired and I'd imagine the numbers would be reversed now.

As far as Affinity goes, they were lit up like Christmas Trees due to that violation. If you take a look, you'll see just how hard they got hit by HHS and how big a ripple it caused in that industry. This is ancient news for the medical world and regulations have been enacted to cover data on these devices. If you can find a single healthcare provider or affiliate that lets data leak in this manner now, I'll give you $50   and buy the first next time we meet. They lose far more data due to theft than they do to old copiers with hard drives in them.

On to the architect company. They say they got 95 pages of names and SS numbers, but that's not true in the strict sense. It was not 95 pages of discrete names and SS numbers, those were pay records for the same employees covering a large period of time. I'd be willing to bet it would have been a lot easier to harvest that same data from their trash can than off their copier because I'll lay dollars to donuts they didn't own a shredder. No forensic software or computers needed, nor any money to buy the old copiers, all you need is 4 fingers and an opposable thumb to grab the docs out of the Dumpster, as well as a pair of eyes (or even a single eye ) to get the same data. Sometimes the simplest solution is the best...  

[poppo]

If you look at this number in relation to how many Americans are end users or providing the services of these machines, it would seem that the knowledge is pretty well widespread. Remember, we're not discussing copiers and scanners that an individual buys for a home or small office, these are enterprise business class machines with price tags to match.

I agree (partly). I was the only IT guy at my job in CA (ugh). When we got new Xerox copiers/print servers, I was given a thorough explanation of the machine by Xerox, including the fact that it had a hard drive.

Now on the flip side.... I doubt that I remembered to tell my replacement about it. I have no idea if he is/was aware of it or not. Seeing how he was relatively new to the field, I would say probably not.

[PLUNGER BOY]

IT sounds to me a though a warning label  (sticker) needed to be on the outside of the machine. For future references   

[poppo]

IT sounds to me a though a warning label  (sticker) needed to be on the outside of the machine. For future references   

Ugh. Just what we need, even more warning lables.

 

[brichter]

I'll call your chainsaw, and raise you a vending machine. 

[StatFreak]

  Bill for the detailed explanation.

I'll call your chainsaw, and raise you a vending machine. 

...Now, could someone pop by and get this vending machine off of me?  
I was trying to get a free bag of Cheetoes by cutting into the machine with my chainsaw and the machine fell over!  

[Jim]

the sad truth to the labels!  Pepsi actually got sued because someone tried to rock the machine and get a free one, they failed to understand that when you get a 600lb. machine rocking ,physics takes over and the person never finished telling the story about what happened next.  the reason, it killed them. Pepsi lost the suit.

we had to put these stickers on ever machine we placed, some we had to bolt to the wall, others we had to add external hardened pad locks to the machine, and some of the machines we never found!! 

Everyday was an adventure, it was hard to imagine how many ways and to what degree people would go to, to get a free drink or a snack. Just when you thought you saw everything---something new would come along. 

Jim

[poppo]

Pepsi lost the suit.

One of my biggest gripes is people winning lawsuits for doing stupid things. We all end up paying for this stuff in the end.

My biggest peeve with warning stickers in general are these that for whatever reason have to be plastered right on the visible side of the visor with glue that is nearly impossible to remove. Nice new car - ulgy dang sticker.

[PLUNGER BOY]

THE WARNING STICKERS ARE THERE BECAUSE PEAPLE ARE STUPID .AND LAWYERS ARE  OPPORTUNIST AND GREEDY   

[knagl]

I knew about this from the news reports a year or two ago.  I don't understand why they have a hard drive, and why there isn't an option to (and why leasing companies don't) erase its contents at the end of its service life at a location.

[poppo]

I don't understand why they have a hard drive, .....

Most of these copiers also act as print servers and the print jobs need to be queued up. Hence the hard drive. Also some of the high speed copiers need to buffer data when you are making 100 copies of a 1000 page manual.

[stayouttadabunker]

why there isn't an option to (and why leasing companies don't) erase its
contents at the end of its service life at a location.

'cause they want you to pay for a service call... 

[golflover]

When we replace copiers, computers or anything with a storage device, the hardrive is removed and gets put in the closet in my office Eventually they find a company to shred them, or I get to take my aggravation out on them 




      Still snow on the ground here  Thinking we are 3 weeks from a golf course opening around here.  looks like it is back to Richmond!