The Only Safe Computer is a “Dead” Computer ? Seriously ??? !!!

phenomlab

I spotted this tweet earlier, and was a bit shocked to say the least - not by the author of the tweet, but the author of the article itself, which was this https://www.uscybersecurity.net/cyber-attack/

My response

Even dead computers pose a significant risk if the HDD remains intact and has not been securely erased.

We really need to do better than this if we are to protect the integrity of sensitive information, and data that is our property. Simply dumping a PC when you have finished with it (or when it simply gives up) is nowhere near sufficient to protect this sensitive data. Criminals are not interested in hardware - they will typically be interested in the contents of the disk. Even if you think you’ve removed data, you’ve only removed the pointers to it - the information will still be there for someone with a basic knowledge to be able to recover.

Seriously - if you do decide to get rid of your PC, Laptop, Phone, or anything else that may contain sensitive information (even copier image drums contain data), then for your own sake and safety, ensure that the contents of the disk have been erased first. We’ve seen so many tales of laptops being sold on eBay where the data remains intact - in some cases, much to the detriment of the person selling the equipment. If you wonder what I’m talking about here, there was a story on eBay some time ago where some random guy who thought he was some sort of “hot shot” decided to sell a broken laptop, which a security expert bought. BIG mistake…

The article was hilarious - this guy basically uncovered the seller’s entire life, his Hotmail account, and so much more - including some bizarre images, shall we say… I doubt you’ll find the story now, but this guy threatened to place the entire contents online for the world to see unless the seller gave him a refund 🙂

But, back to my point - it’s incredibly easy for anyone to assume someone else’s digital identity by failing to remove sensitive data from machines before they are disposed of. We as security professionals should be giving out much better advice than this.

Let’s open up the discussion in this area, as it’s woefully misunderstood.

Dave_Howe

Was reading a book of essays by Schneier yesterday and he asserts that, if the NSA WANT to get into your computer, they will; he points to Stuxnet as an example where TAO successfully bridged the airgap to protected systems by using usb devices as a covert channel.

So its fine to say the only 100% unhackable computer is a dead one - but probably more accurate to say only a computer with no communication to the outside world is safe, and even then, only if malware hasn’t been installed in advance to make the above condition false….

phenomlab

Dave_Howe True, but by that same definition, a computer without a HDD cannot operate 😄

Dave_Howe

phenomlab Actually, I manage several - also on the “Stuff David has been reading” list is the recent book by Snowden, where he covers the fact that he had to go find an old Dell machine to use for his exfiltration, because they had been long replaced by thin-client terminals with no local storage.

But the solution to HD persistence in “dead” computers is FDE, such as veracrypt (and Schneier recommends Truecrypt in that essay, but it could well predate the veracrypt fork)