[ISN] Alta privacy office: Hi-tech fax machines a security risk

[InfoSec News]

http://cnews.canoe.ca/CNEWS/Canada/2005/03/20/967337-cp.html

By JUDY MONCHUK
March 20, 2005 

CALGARY (CP) - In the realm of high-tech dangers, few would consider
the lowly fax machine or photocopier a security risk.

That would be naive, says Tim Chander, research manager of Alberta's
Office of Information and Privacy.

"It's not your grandfather's printer anymore - these things are
computers with hard drives that can be connected to the Internet,"  
said Chander.

"Anything you're photocopying (is) copied and stored on the hard
drives unless they are overwritten."

Chander said most businesses, government offices and health
authorities lease their office equipment without considering the
security ramifications.

"We haven't had a complaint come to our office. We just want
organizations to be aware that anyone photocopying personal, business
or health information to realize that when your lease is up, your
information is going out the door," he said.

The government of Alberta recently put together a policy stipulating
that any leased machine with a hard drive must have its memory wiped
clean when its lease is up. Departments also have the option of
purchasing the hard drive - a cost of about $300.

Josh Ryder, manager of computer security at the University of Alberta
in Edmonton says few people think of printers as a security threat.

"If you explain that every document you've ever photocopied on this
machine is walking out the door when this machine walks out, that's
probably plain enough that most people would sit up and pay
attention," said Ryder. "But I don't think it's being explained that
way."

Most office equipment with digital technology now has multi-tasking
capabilities and memory to queue up jobs from a number of computers as
well as taking information from outside sources.

"Now the fax machine is essentially a printer," said Ryder.

And while most companies have firewalls set up to protect their
computer networks from hackers or viruses, Ryder noted that printers
or fax machines generally sit outside that layer of protection.

"The issue is that these devices are not secure. Generally, you can't
say 'only allow these computers to listen to you.' "

Unauthorized access or disclosure of personal information is a breach
of privacy legislation.

Alberta's privacy commission's office notes that both the organization
that puts the information on the machine and the vendor are
responsible for the information on it.

"Some of these older machines get refurbished and sold again," said
Chander. "Some companies we've spoken with wipe the data themselves.  
But those are the large companies like Xerox and Hewlett Packard."

Chander suggests that anyone handling sensitive information stipulate
in leasing agreements that the memory must be wiped clean or that they
have the option of purchasing the hard drive to destroy it themselves.

Federally, the Department of National Defence has a policy where they
retain the hard drive of any fax machine or photocopier when a lease
is up.

So could someone hack into a fax or photocopier and hijack a networked
computer system? Both Ryder and Chander say it's technologically
possible.

"It's a logical conclusion," said Chander. "We haven't heard of it,
but I'm not ruling it out."

Although hard drives and the information they hold are not easily
accessible on most machines, Chander says it's important to be
vigilant.