“High-tech copy machines a gold mine for data thieves” was a story printed on March 18, 2010 in the Toronto Star, which should give pause to every one of us. That is, everybody who uses a smart photocopier or who provides access to one for others.
You may think this is an overreaction, but is it?
By smart photocopier, I mean one with a computer inside that provides all the great features. The computer also has a disk, which indiscriminately retains images of sensitive and personal documents like tax returns (social insurance numbers), job applications, and legal documents.
It also unwittingly retains images of critical information like executive summaries about corporate plans, new business strategies, and unpublished quarterly financial reports.
So everybody using a smart photocopier really needs to give some thought to the consequences of their confidential material falling into the hands of those who would benefit from its unauthorized use for personal gain. “How could this happen?” you think. Well, lots of ways.
Someone such as a photocopier service person could simply copy the disk data. So could someone with unauthorized access to the machine at night. If the copier has a data access port, anyone familiar with the data communications capabilities of the data port could walk by with their smartphone and download the data.
Twenty years ago I remember watching a news documentary describing a similar but lower tech use of photocopiers to steal sensitive and critical information. Apparently during the Cold War spies would insert a camera into a photocopier destined for the opposition’s embassy. Then the “copier tech” would surreptitiously remove the film from the hidden camera in the photocopier and, of course, replace it with more unused film.
So, without becoming paranoid about photocopiers, how can you get them to do your bidding with confidence that your sensitive and critical information will not fall into the hands of others?
Some simple things you can do are:
1. Always do your own photocopying whenever possible.
2. If you must use a copy service, then keep your eyes on your original documents and all copies of them, just as diligently as you would keep eye contact with your credit/debit card during a purchasing transaction.
3. Don’t use smart photocopiers unless you are sure of the security policy by which they are managed.
As the custodian of a smart photocopier, ensure your telecommunications and security people:
a. Configure it to communicate only as mandated by your corporate security policy.
b. Implement an ongoing process to regularly scrub (rather than just “delete”) the data retained on its disk.
c. Implement an ongoing process to monitor the event logs of the copier and alert on suspicious activity such as unauthorized attempts to connect it to a telecommunications network, unauthorized attempts to communicate with its data port in order to upload data, and unauthorized attempts to open or tamper with the machine.
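As an illustration of item (c), here is an added example (not part of the original article) that scans copier event logs for the three kinds of suspicious activity listed. The log format, event names, approved subnet and service window are all assumptions constructed for the example; real copiers use vendor-specific log formats.

```python
import ipaddress
from datetime import datetime

# Assumed site policy (hypothetical values): approved hosts and service windows.
ALLOWED_NETS = [ipaddress.ip_network("10.20.1.0/24")]
SERVICE_WINDOWS = [(datetime(2010, 3, 19, 9, 0), datetime(2010, 3, 19, 11, 0))]

# Constructed sample lines in an assumed "timestamp host key=value ..." format.
SAMPLE_LOG = """\
2010-03-18T09:02:11 copier-3f event=net_connect src=10.20.1.10 port=9100
2010-03-18T02:14:07 copier-3f event=net_connect src=10.20.5.77 port=21
2010-03-18T02:15:30 copier-3f event=data_port_attach device=mass_storage
2010-03-19T09:30:00 copier-3f event=panel_open panel=hdd_bay
2010-03-18T23:40:02 copier-3f event=panel_open panel=hdd_bay
2010-03-18T10:00:00 copier-3f event=job_copy pages=3
truncated line with no timestamp
"""

def parse(line):
    """Return (timestamp, fields), or None if the line does not parse."""
    parts = line.split()
    try:
        ts = datetime.fromisoformat(parts[0])
    except (IndexError, ValueError):
        return None
    return ts, dict(p.split("=", 1) for p in parts[2:] if "=" in p)

def in_service_window(ts):
    return any(start <= ts <= end for start, end in SERVICE_WINDOWS)

def find_alerts(log_text):
    """Return (alerts, skipped): alerts are (timestamp, reason) pairs."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            skipped += 1  # unparseable lines are counted, not silently dropped
            continue
        ts, f = parsed
        event = f.get("event")
        if event == "net_connect":
            try:
                ok = any(ipaddress.ip_address(f.get("src", "")) in n for n in ALLOWED_NETS)
            except ValueError:
                ok = False  # missing or malformed source address is suspicious
            if not ok:
                alerts.append((ts, "unapproved network connection"))
        elif event in ("data_port_attach", "panel_open") and not in_service_window(ts):
            alerts.append((ts, f"{event} outside service window"))
    return alerts, skipped
```

A non-zero skipped count is worth reviewing too, since gaps or corruption in the log can themselves indicate tampering.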
Prior to sending the copier off premises for service or for disposal, ensure that either the disk is removed and destroyed or its data is scrubbed and destroyed completely. Otherwise, you could end up with the same consequences as confidential data on a used and resold computer workstation or laptop being retrieved by its new owner.
Of course we all know that there are dumb users even for smart photocopiers. How many times have we all found original documents left by some previous users of the copy machine? So it’s probably a good practice to count your original documents before and after using a photocopier.
Have a secure week.
Ron Lepofsky, B.A.SC. (Mech Eng), CISSP
President
ERE Information Security Auditors
www.ere-security.ca
www.ere-security.com




