Could I Obtain Sensitive Data?
Without Breaching Any Access Controls?
Determine Sources of Data
Purchase Old Hardware
Social Media Sites
This is a demonstration, not an instruction manual for criminal behavior.
Obfuscation of sensitive data was done by me.
When possible, the data owner was notified of insecure information.
The identities of the owners have been hidden to protect the Security Impaired.
1. Create Forensic Image
2. Data Carve Files
eBay – 2 iPhones / 9 Hard Drives
Targeted Individuals Selling Equipment
(IT Employees Offloading Equipment)
2 Rounds of Purchases
2nd Round Included Hardware Resellers
Total Cost - $50 iPhone, $120 Hard Drives
iPhones Forensically Clean
Drives Re-Partitioned w/ Artifacts
5 – “Floor Models” (Only OS)
Hard Drives Zeroed Out
University of ######## Drive
Term Papers, Porn, and Malware
Office Equipment Service company in PA
Service Logs, Time Off Request
• Purchased from Re-Seller
• Drive was not Formatted
• Partitions were not Deleted
• Drive belonged to Re-Seller Owner
Conclusion – Promising but could be Expensive
How do you handle EoL Media?
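One check to run before end-of-life media leaves the building, as an added example (not from the original slides): scan the raw device or image and confirm that nothing but zero bytes remains and that no partition table survives. The names verify_wipe, make_image and demo are hypothetical, the test images are constructed, and 512-byte logical sectors are assumed.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read size and granularity of the residue count
SECTOR = 512         # assumption: 512-byte logical sectors

def verify_wipe(path, chunk=CHUNK):
    """Scan a raw image or block device and report anything that is not 0x00."""
    report = {"size": 0, "dirty_chunks": 0, "first_dirty_offset": None}
    with open(path, "rb") as f:
        head = f.read(2 * SECTOR)
        # A surviving partition table means the drive was never overwritten.
        report["mbr_signature"] = head[510:512] == b"\x55\xaa"
        report["gpt_header"] = head[SECTOR:SECTOR + 8] == b"EFI PART"
        f.seek(0)
        offset = 0
        while buf := f.read(chunk):
            if buf.count(0) != len(buf):
                report["dirty_chunks"] += 1
                if report["first_dirty_offset"] is None:
                    lead = len(buf) - len(buf.lstrip(b"\x00"))
                    report["first_dirty_offset"] = offset + lead
            offset += len(buf)
    report["size"] = offset
    report["clean"] = report["dirty_chunks"] == 0
    return report

def make_image(size, writes):
    """Build a constructed test image: zeros plus (offset, bytes) writes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        for off, data in writes:
            f.seek(off)
            f.write(data)
    return path

def demo():
    wiped = make_image(4 * CHUNK, [])
    # Constructed "re-partitioned with artifacts" case: table plus old data.
    dirty = make_image(4 * CHUNK, [(510, b"\x55\xaa"),
                                   (3 * CHUNK + 100, b"leftover record")])
    try:
        return verify_wipe(wiped), verify_wipe(dirty)
    finally:
        os.remove(wiped)
        os.remove(dirty)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A clean result covers only the addressable sectors that were read; remapped or over-provisioned areas on SSDs are not visible to this check.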
Credit Card Numbers
Social Security Numbers
Also, Personal Info and Business Trade Secrets
Conclusion – Very Easy, No Cost, No Way to Automate... Yet...
Total Time Spent – Approx. 8 hours
How could you control “pix leakage?”
Used Metasploit Framework – FTP Anon Scanner
Could also use Nmap
What Did We Find?
• Financial Information
• Unencrypted Backups
• Medical Records (PHI)
• Intellectual Property
• Passwords Galore (Including System Passwords to Global Companies)
• Voter Information/ Political Parties Info
In a Nutshell - Everything!
ASUS Is Not Alone
• At least 3 more vendors have same issue
• Currently contacting vendors
• Will release when patched or after 3 months