
[ISN] Confidential data left on old PCs

Subject: [ISN] Confidential data left on old PCs
Date: Fri, 18 Feb 2005 03:31:57 -0600 (CST)
http://www.vnunet.com/news/1161309

[Time for our yearly report on how used hard drives bought from 
eBay elicit sensitive security information. Guess what, nothing 
has changed! http://seclists.org/lists/isn/2003/Jan/0072.html   - WK]


Peter Warren
Computing 
17 Feb 2005

Highly-sensitive information such as passwords and user names of 
company executives has been found on used computer disk drives bought 
on eBay.

Researchers at the University of Glamorgan analysed some 100 
randomly-sourced PC hard disks, and discovered that more than half 
contained data from organisations such as multinational companies, 
universities and a primary school.

Data on the disks included:

* staff records, passwords, internal emails and financial details

* school reports, a list of pupils, and letters to parents

* a document template for university degree certificates.

Attempts had been made to destroy data on nearly half the disks in the 
study, but significant material remained intact.

'On at least seven of the disks that I have seen there was enough 
information to allow a hacker to get into an organisation,' said Dr 
Andy Jones, security research group leader for BT Exact, who examined 
the disks.

The government issues guidelines to businesses and public bodies on 
the proper disposal of computer equipment, much of it freely available 
online.

But the University of Glamorgan research, seen exclusively by 
Computing, suggests that even the most diligent organisations can 
still be affected.

Information from Swedish insurance company Skandia was uncovered, even 
though the firm invests in data destruction. 'This is not embarrassing 
for us, it's absolutely horrifying,' said a Skandia spokeswoman.

'We pay to have our data wiped thoroughly, so we are going to have to 
investigate to discover how it happened and make sure it does not 
happen in the future.'

Southampton University says it has launched an investigation, after 
passwords and staff emails were discovered by the research. The 
university uses a specialist company to wipe disks before disposal of 
equipment.

'We need to find out what happened and ensure it doesn't happen 
again,' said a spokeswoman.

Agrochemicals company Monsanto says it will investigate how details of 
crop research from its Cambridge offices were found.

'We assume this is an isolated incident which has arisen during the 
restructuring of our Cambridge offices, when a number of IT items were 
disposed of at the end of their working lives,' said a spokesman. 'It 
seems a serious lapse in our procedures for the disposal of surplus IT 
kit has occurred.'

Computing has requested that all disks and data recovered by the 
University of Glamorgan research are returned to their original owners 
or destroyed.


