It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds (gizmodo.com)
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. From a report: For around six months, he collected used desktops, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII) -- the bread and butter of identity theft. Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you'd imagine. "I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600," he said.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.
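The kind of scan the summary describes, as an added illustration rather than Frantz's or Rapid7's tool: a small Python pass over text already extracted from a drive (by OCR or plain file reads) that flags SSN-shaped numbers, dates of birth and Luhn-valid card numbers, the same check a refurbisher would run before a device leaves their hands. The sample text and every number in it are constructed.

```python
import re

# Constructed sample standing in for text an OCR pass pulled off a found drive.
SAMPLE_TEXT = """
Client: Jane Example   SSN: 219-09-9999   DOB: 1975-03-12
Card on file: 4539 1488 0343 6467  exp 09/27
Invoice 1234-56-7890 (four-digit prefix, so not an SSN)
Old card 4111-1111-1111-1112 (fails the Luhn check, so not reported)
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits only; weeds out most non-card digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSA rules: no 000/666/9xx areas, no 00 group, no 0000 serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_for_pii(text: str) -> dict:
    """Return the PII candidates found in text, keyed by type."""
    found = {"ssn": [], "dob": [], "card": []}
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    found["dob"] = [m.group(0) for m in DOB_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found["card"].append(m.group(0))
    return found


if __name__ == "__main__":
    for kind, hits in scan_for_pii(SAMPLE_TEXT).items():
        print(f"{kind}: {len(hits)} hit(s) -> {hits}")
```

Any non-empty result means the drive needs a full wipe (or destruction) before resale, not a file-by-file cleanup.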
Used to belong to a tax accounting firm.
Fully functioning. Over 100k tax return forms still on the system.
*Everything*, was still there. Names, SSNs, tax id records, addresses, everything.
It's a damn good thing I was honest and DBAN'd that drive immediately.
I contacted the seller and told him this.
Never heard back...
So rise up, all ye lost ones, as one, we'll claw the clouds.
Yesterday, BeauHD posted an article related to the fact that California is re-introducing right-to-repair legislation, which, believe it or not, is related to this topic.
If I can open a slot on the bottom of my laptop and easily replace the internal storage drive (on my PS/3 and PS/4 doing this requires removal of one screw), then I can be 100% certain that I am not leaking data if I sell on my old device. Yes, OK, I still have to buy a new drive and maybe re-install the OS on it, but these are simple enough tasks these days.
With the advent of devices with integrated storage, often soldered on to motherboards, this becomes impossible. What this now means is that the original manufacturer would have to come up with a way to *guarantee* you that all data on embedded storage had been securely wiped. Otherwise, their failure to do that, coupled with negligent design or negligent security implementations, could result in the loss of your personal data.
I wonder how many smartphone/tablet/similar device manufacturers would be willing to step up and own that liability in return for being able to prevent you from upgrading or repairing your device. I'm betting not that many.
I buy a lot of used laptops from people to refurbish and give to local schools that don't have the money to buy them.
I am appalled at what I find on them.
One time I got (they were donated) 10 used IBM Thinkpads from a criminal law firm in town. They did absolutely nothing to purge the hard drives of sensitive client information. All of their files were intact, unencrypted, just sitting in My Documents.
I called them to tell them what they had done and they didn't care one iota. Unbelievable. I could probably have reported them to the State Bar, and probably SHOULD have. But, one thing I've learned is, don't poke an alligator with a stick.
I ended up just nuking them all from orbit with DBAN and continuing about my business.
Always look for crypto-currency wallets/numbers/keys/passwords.
I once found a used laptop with a dogecoin wallet on it; there were still 15 coins in it!
Needless to say, I still went to work the next day.
#DeleteFacebook
I typically overwrite all sectors on a HD for a month with random crap, and drill holes in the platters.
After that it gets spun around inside a 15 Tesla magnet for 2 hours. Then I use thermite to melt it into a pool of slag, grind up the slag into a fine powder and divide that into 5 equal portions.
I feed one of those portions to my dogs and then set half of their waste on fire and put the other half into the garbage. I use honey to stick another portion to the bird seed I have in a feeder. The third portion I take to a metal recycling place. The fourth portion gets flushed down the toilet. The fifth portion is in a safe deposit box, just in case I need to recover anything.
If I'm being extra careful, I encrypt the drive with ROT13, twice, before the random writes.
>Social Security numbers, dates of birth, credit card information
None of these things is a secret and should not be used as such.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
For spinning platters, yeah drill a couple holes. Then it can't be spun without vibrating far more than the width of a track. If you can't spin it, you can read the data from it.*
SSDs have a bunch of little memory chips, of course - and each chip can be read with nothing more than a Raspberry Pi. They really need to go into a shredder, or a fire (not ecological).
Wiping an SSD by writing zeroes to each sector may do nothing but add the sector to the "zeroes" list. Writing random data to all sectors will wipe most of the memory chips, but not all, because there is no stable mapping between sector numbers as seen by the OS and chip locations.
Some SSD vendors provide a wipe utility which actually wipes their drives.
* Someone did a cool parlor trick of reading a few bits off a disk without spinning it by using a million-dollar magnetic microscope. They had an error rate of around 25% and it takes an hour or so to read a few bytes. With 8,000,000,000,000 bits on a 1 TB drive, we'll all be long dead before that technique would find anything interesting on a typical drive.
** But it could be useful if someone did:
dd bs=32 count=1 of=bitcoin_key_billion_dollars
Every computer I resell I've started checking for cryptocurrency.
Back when BTC was going for a couple bucks, college kids would set up miners on school PCs that I would later buy at surplus sales.
That $5 Core Duo with the massively outdated GPU might be worth its weight in gold.
In a world of the blind, the one-eyed man is king--and the two-eyed man is a heretic.