Slashdot Mirror
It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds (gizmodo.com)
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. From a report: For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII) -- the bread and butter of identity theft. Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you'd imagine. "I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600," he said.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.
Used to belong to a tax accounting firm.
Fully functioning. Over 100k tax return forms still on the system.
*Everything*, was still there. Names, SSNs, tax id records, addresses, everything.
It's a damn good thing I was honest and DBAN'd that drive immediately.
I contacted the seller and told him this.
Never heard back...
So rise up, all ye lost ones, as one, we'll claw the clouds.
Since they are owned by iTards to begin with.
Yesterday, BeauHD posted an article related to the fact that California is re-introducing right-to-repair legislation, which, believe it or not, is related to this topic.
If I can open a slot on the bottom of my laptop and easily replace the internal storage drive (on my PS/3 and PS/4 doing this requires removal of one screw), then I can be 100% certain that I am not leaking data if I sell on my old device. Yes, OK, I still have to buy a new drive and maybe re-install the OS on it, but these are simple enough tasks these days.
With the advent of devices with integrated storage, often soldered on to motherboards, this becomes impossible. What this now means is that the original manufacturer would have to come up with a way to *guarantee* you that all data on embedded storage had been securely wiped. Otherwise, their failure to do that, coupled with negligent design or negligent security implementations, could result in the loss of your personal data.
I wonder how many smartphone/tablet/similar device manufacturers would be willing to step up and own that liability in return for being able to prevent you from upgrading or repairing your device. I'm betting not that many.
Expect someone to mass purchase defunct store web sites to get equivalent data.
I buy a lot of used laptops from people to refurbish and give to local schools that don't have the money to buy them.
I am appalled at what I find on them.
One time I got (they were donated) 10 used IBM Thinkpads from a criminal law firm in town. They did absolutely nothing to purge the hard drives of sensitive client information. All of their files were intact, unencrypted, just sitting in My Documents.
I called them to tell them what they had done and they didn't care one iota. Unbelievable. I could probably have reported them to the State Bar, and probably SHOULD have. But, one thing I've learned is, don't poke an alligator with a stick.
I ended up just nuking them all from orbit with DBAN and continuing about my business.
Scary Movie?
Or scary like Marlon Wayans is adopted?
Or scary like the little hand guy reminds you of me?
Way way back when, I used to refurbish warranty returns for a major computer retailer. Almost no one wiped their drive before returning their machine. (In addition I amassed a nice music and movie collection of discs left in the drives.) We didn't care much, we would just wipe it and carry on.Sounds like nothing has changed. Incidentally the variety of failures we encountered was impressive - dropped in oceans, hit by trucks, burnt through with blowtorches, urinated on, smoked to death, shot, infested, in addition to the general component failures.
12:50 - press return.
I bought used cell phones in the past and was amazed at the number of devices containing photos, videos, or social media accounts still logged in.
Most people:
1. Dont get rid of a laptop or phone until it absolutely stops working altogether.
and
2. Dont have the skills or knowledge needed to go in & clear the data from a non-working device.
and
3. Dont realize that they need to. They think the data is gone forever once that device died. "I cant get to the data so hackers wont be able to either."
I want to know where I can get 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones for around $600.
Just had a hard drive in a laptop fail intermittently. Replaced it, took a hammer to the old one after I dropped it from 15ft a few times. No one is going to recover anything from that chunk of parts. I've also disassembled a few to get the magnets out.
Always look for crypto-currency wallets/numbers/keys/passwords.
I once found a used laptop with a dogecoin wallet on it, there was still 15 coins in it!
Needless to say, I still went to work the next day.
#DeleteFacebook
>200,000 images
that number seems low
I worked at a school system where used computers to be sold or discarded were erased with fdisk. When I found that out, I took a "wiped" computer and used fdisk to rebuild a default Windows partition table and showed them that the filesystem and all of its files were easily accessible. From then on, we used a Linux live CD to copy /dev/urandom over the data.
I expect a lot of those "used laptops" were stolen. I doubt the thieves cared enough to even so much as look at the data on the machine. They just wanted to sell it for a quick fix. I'm sure my personal data is available for the world to see by now, given how many machines have been stolen from me. You'd think I'd learn my lesson and encrypt everything, but I buy low-end machines and don't have the patience for that sort of thing.
As someone who has dumpster dived for electronics before, it's amazing the shape people throw away hardware in. They crack a screen and don't think about he data on the system, let alone the fact that the laptop still works. I've found tax records, bank passwords, etc on systems I've come across. I'm always a proponent of DBAN and when I find that stuff I'm quick to wipe the system, but I imagine a lot of people's data gets stolen due to carelessness.
How and why would you use OCR software to search a drive for PII?
It's a high time for the consumer operating systems to include an automatic data backup to an external or otherwise designated device followed by automatic software license backups over all installed proprietary software, followed by a disk wipe plus random overwrites as many times as requested to fulfill the customer needs. And somehow automatically ensure that the customer pulls out the backup drives instead of the wiped ones.
If he got them all at pawn shops, then many of them could have been stolen. A lot of stolen goods go to pawn shops. The same is true of flea markets.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
without a common user solution.
Pretty much everyone on here knows how to properly wipe a device / drive / whatever.
This crowd, however, doesn't really represent the common user.
To be used effectively by those who don't speak IT fluently, the process of wiping / clearing any
given device needs to be simplified imo.
After educating these people on WHY they need to wipe a device, make sure they have an
easy method to make it happen.
For phones, a built in App wipes the entire phone when the user initiates it. ( Throw some
confirmation dialog in there to make sure it's what they want to do. )
All manner of laptops and whatnot can probably use a pre-installed program to initiate the wipe on next
reboot. ( again, with confirmation ) Only really relevant for Windows and Mac systems as anyone
who is running Linux probably doesn't need any hand-holding for this sort of thing.
I typically overwrite all sectors on a HD for a month with random crap, and drill holes in the platters.
After that it gets spun around inside a 15 Tesla magnet for 2 hours. Then I use thermite to melt it into a pool of slag, grind up the slag into a fine powder and divide that into 5 equal portions.
I feed one of those portions to my dogs and then set half of their waste on fire and put the other half into the garbage. I use honey to stick another portion to the bird seed I have in a feeder. The third portion I take to a metal recycling place. The fourth portion gets flushed down the toilet. The fifth portion is in a safe deposit box, just in case I need to recover anything.
If I'm being extra careful, I encrypt the drive with ROT13, twice, before the random writes.
The ones that worked were full of data...
>Social Security numbers, dates of birth, credit card information
None of these things is a secret and should not be used as such.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
If you're planning on getting something you use back, and are desperate enough to use a pawn shop to get money, you probably aren't thinking, "Hey, I should invest money I don't have right now in backup media so that I can wipe the contents of this machine I'm planning to get back after I get my paycheck next week."
If you wipe the drive properly, the machine becomes useless to you, even if you get it back.
Of course, if a thief is pawning it, they probably didn't think to wipe the contents. Heck, they may have been too stupid to, OR, while they were rummaging around their victim's house, discovered that stealing their identity wasn't a profitable idea...
you do is DBAN and/or replace the drive, and if phone, do wipe. Never use a used laptop or computer or phone due to numerous issues. This would include sensitive documents, passwords, illegal content, viruses, etc.
So I guess I'm showing my ignorance, but people sell things to pawn shop intending it to be like a payday loan with collateral of their property?
I help refurbish computers for a nonprofit and had one donated a while back. From a cursory look on the hard drive, there was no login password, business and home addresses, SSN and credit card numbers, pictures, scans, detailed financial data and more. I could have totally stolen this user's complete identity so easily if I were a dishonest person. Needless to say. the hard drive underwent DBAN. Even computers I've bought from secondhand stores have had personal info on them. I guess most people think the login password is sufficient in most cases to prevent the data from being used even though we all know there are tools to recover or erase the login password.
-- After all is said and done, more is said than done.
A person might be concerned about privacy. You, me, most people here wouldn't fit in the other category, but people generally don't care about privacy. Even if they get stung, they'll care about it only until they get their replacement cards and a refund from their credit card company, then it's back to the same lax behaviors.
Case in point: People who are concerned about their privacy wouldn't tell 20 million anonymous people that they're going on vacation and, by extension, leaving their house generally unsecured for a long period of time. But it happens all the time.
I have a few friends that bring me boxes or hdd's do scour.
The naughty pics, the financial information and so forth just make me cringe....
Good thing my white hat is on solid.
For spinning platters, yeah drill a couple holes. Then it can't be spun without vibrating far more than the width of a track. If you can't spin it, you can read the data from it.*
SSDs have a bunch of little memory chips, of course - and each chip can be read with nothing more than a Raspberry Pi. They really need to go into a shredder, or a fire (not ecological).
Wiping an SSD by writing zeroes to each sector may do nothing but add the sector the "zeroes" list. Writing random data to all sectors will wipe most of the memory chips, but not all because there is no stable mapping between sector numbers as seen by the OS and chip locations.
Some SSD vendors provide a wipe utility which actually wipes their drives.
* Someone did a cool parlor trick of reading a few bits off a disk without spinning it by using a million-dollar magnetic microscope. They had an error rate of around 25% and it takes an hour or so to read a few bytes. With 8,000,000,000,000 bits on a 1 TB drive, we'll all be long dead before that technique would find anything interesting on a typical drive.
** But it could be useful if someone did:
dd bs=32 count=1 of=bitcoin_key_billion_dollars
Way to stay on topic
I would recommend if you're discarding a device, you donate it to a reputable recycler in your area.
I know in my case, as a recycler, we destroy all data on all devices we receive before repurposing them.
You should pick a recycler whom is committed to customer privacy and has certifications for data destruction practices.
Ask your recycler about how they handle data on received devices. Probe deeper if you want, ask to see the procedures taken.
Not every consumer is savvy enough to properly erase devices. Some devices can be tricky to erase, especially phones. Even the savvy group of people discarding devices, they may have busy schedules. May not have time/energy to devote to properly erasing devices. They like everyone else should choose a reputable recycler, for peace of mind and time savings.
This is a great use-case for casual device encryption.
Phone, tablet, desktop PC, on all of these you should consider full device encryption for your storage.
Once an encrypted device is no longer needed, you can discard it safely without worry if was encrypted all along to begin with.
This also helps mitigate the consequences of device theft.
This is the primary purpose of a pawnbroker and why you usually won't find them in nicer neighborhoods. They offer secured loans and hold onto the collateral, there is no credit check or credit reporting if a person defaults on a loan. The person has a contracted amount of time to repay the loan and interest, afterwards the items can be resold.
People can also sell things outright to the shop.
Exactly, usually the interest is far better than a payday loan, but they have the collateral.
A payday loan (in my area) costs $75.00 for $500.00 0 interest loan with a 2 week payback. They take a bank account for the deposit and pull the $75.00 to renew your loan if you don't pay it back in 2 weeks. Effectively you're paying $1950/year in fees for a $500 until you pay the principal.
With a pawn shop you use property as collateral, and typically get a loan amounting to 25%-50% of your collateral's thrift/used goods value (it depends on how quickly the shop thinks they'll be able to sell it if you default), often there's some type of storage fee too. The interest amounts to 10%/month and if you pay back your loan + storage fees in 3 months you get your things back.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Every computer I resell I've started checking for cryptocurrency.
Back when BTC was going for a couple bucks, college kids would set up miners on school PCs that I would later buy at surplus sales.
That $5 Core Duo with the massively outdated GPU might be worth its weight in gold.
In a world of the blind, the one-eyed man is king--and the two-eyed man is a heretic.
Do what I do - put your personal information onto a removable drive, instead of onto the drive in your computer. Then if you sell your computer, or if it's stolen, or if you have to take it in for repairs, your personal information isn't on the computer.
Remember to back up your external, private drive, as well as backing up your computer.
When I get rid of a phone (I typically keep them because AI don't buy contract phones), SIM card pulled, factory reset 3 times. On laptops, I set up the laptop, Network or wifi connections. Then the drive gets mirrored with an SSD, the HDD is shelved with the expiration date of the warranty. If I sell the laptop, the original drive gets put back.
Several years ago, was working at a refurb place and processed a whole pallet full of cd/dvd-rom drives. It was amazing how many movies and software disks I found. The disk with the homemade porn was a bonus. (I broke that one.)
We wiped the drives without even looking at them, but I imagine many still had info on it. I've bought or been given many things over the years that still had lots of data. My favorite was a computer loaded with several years of tax returns and job applications. I wiped it, but even I was tempted.
"A payday loan (in my area) costs $75.00 for $500.00 0 interest loan with a 2 week payback. They take a bank account for the deposit and pull the $75.00 to renew your loan if you don't pay it back in 2 weeks. Effectively you're paying $1950/year in fees for a $500 until you pay the principal."
This is where a lot of people get into trouble - they think the $75.00 is paying off the loan. It ISN'T. It's only paying off the interest.
And you can't touch the principal unless you can pay the whole $500.
So you can't even chip away at the loan.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
While off topic, at least he's got some enthusiasm about something other than Trump.
I have this box full of old hard drives and cell phones going back 15 years. This is why. I should really do something with it one of these days, but at least I know for certain no one is looking at them.
There may still be cache files on the main drive containing personal data.
Just bought some SLC SSD's from Ebay. Came complete with OS and customer data. Sad.
Omg dont mention the T word or the C word. You will bring them.
Destruction of old hardware and devices is cathartic!
There are Federal and State laws that cover notifications of a data breach (Federal doesn't have generic breach rules that I know of, but some laws such as HIPPA have such requirements). Reporting it to the FBI allows them to inform the affected company that there has been a data breach and provide assistance, which they do.
Sure, the first reaction is to want to be a good citizen and report crimes. Then there's remembering just why you shouldn't talk to cops.
Trusting law enforcement and the legal system to treat you fairly and honestly is for optimists.
I can't help feeling that Microsoft could significantly improve this situation by including Bitlocker into Windows 10 Home edition.
They could make it even better if was one of the recommended actions in "Action Center" - meaning that Windows would occasionally nag you to set it up.
Avantslash - View Slashdot cleanly on your mobile phone.