7. WARNING
This is a demonstration, not an instruction manual for criminal behavior.
Obfuscation of sensitive data was done by me.
When possible, the data owner was notified of insecure information.
The identities of the owners have been hidden to protect the Security Impaired.
9. Old Hardware
eBay – 2 iPhones / 9 Hard Drives
Targeted Individuals Selling Equipment
(IT Employees Offloading Equipment)
2 Rounds of Purchases
2nd Round Included Hardware Resellers
Total Cost – $50 iPhones, $120 Hard Drives
10. Results:
iPhones Forensically Clean
Drives Re-Partitioned w/ Artifacts
5 – “Floor Models” (Only OS)
Hard Drives Zeroed Out
University of ######## Drive
Term Papers, Porn, and Malware
Office Equipment Service company in PA
Service Logs, Time Off Requests
18. Drive 9
• Purchased from Re-Seller
• Drive was not Formatted
• Partitions were not Deleted
• Drive belonged to Re-Seller Owner
Conclusion – Promising but could be Expensive
How do you handle EoL media?
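The drive results above (zeroed, re-partitioned with artifacts, or simply untouched) map onto a verification step that belongs in any end-of-life media process: before a drive leaves your control, image it and confirm the wipe actually happened. The following is an added example, not from the presentation, showing a minimal sanitization check over a raw disk image: it counts non-zero sectors and looks for MBR/GPT residue (a leftover partition table is exactly the "Drive 9" case). The sample images are constructed inline; names such as `assess_image` and `make_mbr_image` are this example's own.

```python
"""Verify that a retired drive image has actually been sanitized (added example)."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510-511 of sector 0
GPT_SIGNATURE = b"EFI PART"   # GPT header magic at the start of sector 1


def find_nonzero_runs(data: bytes, block_size: int = SECTOR):
    """Return (offset, length) runs of blocks that contain any non-zero byte."""
    runs = []
    start = None
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        dirty = any(block)            # iterating bytes yields ints; any non-zero byte is dirty
        if dirty and start is None:
            start = off
        elif not dirty and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs


def has_partition_residue(data: bytes) -> dict:
    """Check sector 0 for an MBR signature and in-use partition entries, sector 1 for a GPT header."""
    result = {"mbr_signature": False, "mbr_entries": 0, "gpt_header": False}
    mbr = data[:SECTOR]
    if len(mbr) == SECTOR and mbr[510:512] == MBR_SIGNATURE:
        result["mbr_signature"] = True
        for i in range(4):            # four 16-byte entries starting at offset 446
            entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
            if entry[4] != 0:         # partition type byte non-zero => entry is in use
                result["mbr_entries"] += 1
    if data[SECTOR:SECTOR + 8] == GPT_SIGNATURE:
        result["gpt_header"] = True
    return result


def assess_image(data: bytes) -> dict:
    """Summarise whether an image is fully zeroed and whether partition structures survive."""
    runs = find_nonzero_runs(data)
    residue = has_partition_residue(data)
    dirty_bytes = sum(length for _, length in runs)
    return {
        "zeroed": not runs,
        "dirty_sectors": dirty_bytes // SECTOR,
        "partition_residue": residue["mbr_signature"] or residue["gpt_header"],
        "mbr_entries": residue["mbr_entries"],
    }


def make_mbr_image(sectors: int) -> bytes:
    """Constructed sample: MBR with one Linux partition entry plus leftover file data in sector 5."""
    img = bytearray(sectors * SECTOR)
    # status=bootable, CHS start (3 zero bytes), type 0x83, CHS end (3 zero bytes), LBA start, LBA count
    entry = bytes([0x80, 0, 0, 0, 0x83]) + bytes(3) + struct.pack("<II", 2048, 4096)
    img[446:462] = entry
    img[510:512] = MBR_SIGNATURE
    img[5 * SECTOR:5 * SECTOR + 20] = b"Term paper draft.doc"
    return bytes(img)


if __name__ == "__main__":
    # Two constructed images: one properly zeroed, one that was only "deleted"
    print("zeroed drive:", assess_image(bytes(8 * SECTOR)))
    print("re-sold drive:", assess_image(make_mbr_image(8)))
```

On a real drive you would run `assess_image` over the image produced by `dd` (or the drive itself opened read-only) and treat any non-zero run or surviving partition signature as a failed wipe; for an SSD, a clean result from this check is necessary but not sufficient, because over-provisioned blocks are not visible through the block device.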
46. Results:
Credit Card Numbers
Login Information
Social Security Numbers
Also, Personal Info and Business Trade Secrets
Conclusion – Very Easy, No Cost, No Way to Automate… Yet…
Total Time Spent – Approx. 8 hours
How could you control “pix leakage?”
54. FTP Servers
What Did We Find?
• Financial Information
• Unencrypted Backups
• Medical Records (PHI)
• Intellectual Property
• Passwords Galore (Including System Passwords to Global Companies)
• Voter Information / Political Party Info
In a Nutshell – Everything!
55. FTP Servers
ASUS Is Not Alone
• At least 3 more vendors have the same issue
• Currently contacting vendors
• Will release when patched or after 3 months
57. FTP Servers
Results:
• IPs Scanned – ½ Class A
• Anonymous FTP Servers – 3000+
• “Legitimate” Servers – >100
Conclusion – THE Path of Least Resistance