For those that listen to my podcasts, read this blog or see me on stage or at conferences with my security hat on you’ll all be aware I take security and privacy of data seriously, very seriously.
In 2000 I co-invented SmoothWall the ubiquitous firewall that became so popular (from where Endian and IPCop then became derivatives) and I then bankrolled and started the company of the same name. Since exiting there in 2003 I’ve advised at the highest government levels as a certified cleared consultant and advisor and now tell you all how to protect yourself in Cloud.
Therefore tonight when configuring some 2nd user kit acquired from an eBay commercial seller nowhere near my home I was surprised to find the kit actually originated from a very large commercial company in the catering sector four miles from my home here in Wiltshire.
The kit, a multi function laser printer, HP branded presumably was from an office clearance. Now heres where I get prickly. I wrote white papers and good practice guides for MFP disposal years ago recommending the only way to get rid of them is to actually scrap them as industrial waste and not to let them go to a recycling company. Most recycling companies are generally self proclaimed specialists with VERY BASIC ISO 27001 / BS standards (read paper collection exercises that don’t qualify you to do squat) who can run dban on a laptop and apply an acetate sticker saying data cleansed on it. You can’t do that with MFP’s they have either solid state logic, flash memory or worse a harddrive. And they’re manna from heaven for hackers.
Cue some basic easy legal and above board manipulation of report functions via HPLIP under Linux and now I have 150 confidential faxes sent and received from the original owner on what is now actually legally my property, and worse because it’s a network device I now have their IP address schema, gateway details and enough info from the faxes to play social engineering havoc if I was a malicious hacker.
I am on vacation for my sons birthday the next few days so I am not going to go out my way to point out to the IT director concerned what shape and size a fine from the office of the CIO looks like but after the recent food scares in the UK I am sat on purchase orders from every supplier they work with and it’s just stupid, idiotic and immature awareness or lack of awareness on their part that they 1) contracted their IT disposals to a bunch of clowns who broke the law and presumably their contract 2) left the original entity open to a fine or worse still a malicious hacker had they got that info.
Heres the worse kick in the teeth to me personally, turns out they’re a SmoothWall user so they obviously do get Security not just the major risks of data privacy or their responsibilities under any of the blended security matrixes that make up common sense IT practitioning,
Time to draft an email to their CIO and ask him who he employs to look after security as I’d be handing them a P45 and working out how to get this back into a box to own it. Wonder what else they recycled without due diligence ? Time to hand these faxes to their rightful owner and to point out the genuine sheer unadulterated stupidity of their ways. It’s even more stupid when you think that this company are actually market leaders by hard won hard grafted achievement supplying catering to local government organisations, hospitals, care homes etc. Not small fry – so you’d expect better process control and understanding of IT security.
Please if you are one of the thousands of people who read my blog don’t emulate them.