Security 101: I’m with stupid

For those that listen to my podcasts, read this blog or see me on stage or at conferences with my security hat on, you'll all be aware I take security and privacy of data seriously, very seriously.

In 2000 I co-invented SmoothWall, the ubiquitous firewall that became so popular (and from which Endian and IPCop later became derivatives), and I then bankrolled and started the company of the same name. Since exiting there in 2003 I've advised at the highest government levels as a certified, cleared consultant and advisor, and now tell you all how to protect yourself in the Cloud.

Therefore tonight, when configuring some second-user kit acquired from an eBay commercial seller nowhere near my home, I was surprised to find the kit actually originated from a very large commercial company in the catering sector four miles from my home here in Wiltshire.

The kit, an HP-branded multi-function laser printer, presumably came from an office clearance. Now here's where I get prickly. I wrote white papers and good-practice guides for MFP disposal years ago recommending that the only way to get rid of them is to actually scrap them as industrial waste and not to let them go to a recycling company. Most recycling companies are generally self-proclaimed specialists with VERY BASIC ISO 27001 / BS standards (read: paper-collection exercises that don't qualify you to do squat) who can run DBAN on a laptop and apply an acetate sticker saying "data cleansed" on it. You can't do that with MFPs: they have either solid-state logic, flash memory or, worse, a hard drive. And they're manna from heaven for hackers.

Cue some basic, easy, legal and above-board manipulation of report functions via HPLIP under Linux, and now I have 150 confidential faxes sent and received by the original owner on what is now actually, legally, my property. Worse, because it's a network device, I now have their IP address schema, gateway details and enough info from the faxes to play social-engineering havoc if I were a malicious hacker.

I am on vacation for my son's birthday for the next few days, so I am not going to go out of my way to point out to the IT director concerned what shape and size a fine from the office of the CIO looks like. But after the recent food scares in the UK, I am sat on purchase orders from every supplier they work with, and it's just stupid, idiotic and immature awareness (or lack of awareness) on their part that they 1) contracted their IT disposals to a bunch of clowns who broke the law and presumably their contract, and 2) left the original entity open to a fine or, worse still, to a malicious hacker had they got that info.

Here's the worse kick in the teeth to me personally: it turns out they're a SmoothWall user, so they obviously do get security, not just the major risks to data privacy or their responsibilities under any of the blended security matrices that make up common-sense IT practice.

Time to draft an email to their CIO and ask him who he employs to look after security, as I'd be handing them a P45 and working out how to get this back into a box to own it. I wonder what else they recycled without due diligence? Time to hand these faxes to their rightful owner and to point out the genuine, sheer, unadulterated stupidity of their ways. It's even more stupid when you think that this company is actually a market leader, by hard-won, hard-grafted achievement, supplying catering to local government organisations, hospitals, care homes etc. Not small fry, so you'd expect better process control and understanding of IT security.

Epic fail.

Please, if you are one of the thousands of people who read my blog, don't emulate them.

  1. Interesting read. I am from NYC, and a few years ago when I was a high-school student I remember seeing old computers sitting in the hallway waiting for collection. Usually this old gear would sit there for six months. At one point, because I was involved with the school's IT, I took two of them home and tried to install Ubuntu 6 on them. The hard drives were not completely erased and I could even log in, since I knew the master password. I can relate to you that nobody takes this seriously. Our college has lost some servers which hold students' records such as SSNs. But the problem is that when people need to throw out an old PC they just put it in the hallway, hoping somebody would come and send it to somebody responsible. Truth is nobody would; they all get dumped as waste (or stolen if the PC still looks okay). Regarding printers, that's very interesting. I think most people will just forget about that because they assume the printer is sitting in the local LAN,

