Showing posts with label shredder. Show all posts

Wednesday, January 30, 2019

Shred Bin Security – Yours Stinks – Fix it for Free

Shred Bin Security — How to upgrade it... probably for free!
If you have a sizable contract with a shredding company, keep reading.
 

The Shred Bin Security Conundrum

Your organization realizes they need help getting rid of their wastepaper. Some of it can be recycled. Easy. There are plenty of recycling companies around. Some of it, however, contains sensitive information that must be destroyed.

So, you contact your local "I-Rip-A-Part" shredding company.

You are offered your choice of two shred bin styles, if you are lucky. The elegant particle board beige box, or the converted garbage can.

Both scream security joke. But hey, they only gave you two choices. So, you take what "I-Rip-A-Part" gives you. After all, it's their business. They know best.

Your employees may not laugh out loud, but they get the message. Management either doesn't know much about shred bin security, or they only care enough to make it look like they are doing their due diligence. The result...

Pretty soon these start popping up.

 

Who's laughing now?
Just the office snoops, competitive intelligence professionals, activists, news media, hackers, etc.

Let me provide some background before providing a workable solution. The crummy shred bin issue is a problem for most U.S. based organizations.

The problem has two roots:
  1. A lack of understanding about information security on the part of the confidential information custodians.
  2. Shredding companies preying on this ignorance to maximize their profits. (Number one allows number two.)
Most shred bins being provided by shredding companies are nothing more than security theater; a mental bandage playing to the threat. They are inexpensive, ineffective, and won't prevent any semi-espionage adept person from taking what's inside. 

Attacks include: unscrewing the cabinet, picking the cheap lock, sticking an $8.00 flexible grabber through the slot, bending the plastic lid back, or pulling the inner liner bag through the slot... more

Wednesday, May 23, 2018

Dumpster Diving…A Treasure Trove

From the book, What You Don't Know... Your Guide to Achieving "Knowledge Advantage" in the Information Age!

"Valuable Open Source information is thrown away every day, waiting to be collected by the thoughtful researcher. Dubbed “dumpster diving,” or “trash picking,” a wastebasket becomes a friend to researchers and a foe of anyone you are collecting on...

How useful dumpster diving is can be readily seen by the fact that a highly-placed US intelligence official was convicted and sentenced to life in prison for working with Moscow operatives. He had thoughtlessly thrown away key clues to his betrayal, not thinking they would end up on a prosecutor’s desk. Expecting anything to be buried forever in a trash heap can be a major mistake...

In the United States the Supreme Court has said that, as a general rule, things left in trash cans curbside are considered “abandoned” and are there for the taking."

Related: Confidential Paperwork Security

Saturday, June 24, 2017

Things We See — Blue Bucket Blues


Not all information security issues are this obvious. 
Finding all of them requires an independent Technical Information Security Survey. more

Monday, April 13, 2015

The Wire - Censored to Protect You

HBO's The Wire was lauded for its gritty, realistic portrayal of the drug war in Baltimore, but it seems law enforcement thought the show could be a bit too authentic at times. In a story about cellphone tracking technology, showrunner David Simon tells The Baltimore Sun that "At points, we were asked by law enforcement not to reveal certain vulnerabilities in our plotlines."

Simon, who was once a reporter for the very same paper, explains that the writers once intended to show that criminals using the walkie-talkie-esque, "push-to-talk" feature of Nextel phones could avoid surveillance and wiretaps. According to Simon, the technology "was actually impervious to any interception by law enforcement during a critical window of time." more

Wednesday, November 28, 2012

Everything You Need to Know About Shredding Sensitive Waste Paper

Scraps of seemingly useless information tossed in the trash may be synergistically related. Analysis can reveal the big picture to outsiders. Reducing the availability of these puzzle parts is an important counterespionage responsibility. Stealing trash is believed to be the number one business espionage trick.

Shredding Checklist
  • Encourage the destruction of all waste paper as soon as it becomes waste.
  • Make a deskside crosscut shredder your primary weapon.
  • Large volume waste will require a larger, bulk crosscut shredder.
  • Place a shredder or locked bin next to photocopy machines in sensitive areas.
  • Extend shredding efforts to key executives’ home offices as well.
  • Never save confidential papers in a box under the desk “to be shredded later.”
  • Always use crosscut type (or better) shredders.
  • Retire any strip-cut shredders you are using.
  • Once shredders or locked bins are in place, remind people to use them.
  • Do not entrust bulk wastepaper destruction to paper recyclers unless they can destroy on-site using a truck-mounted shredder (and you can watch). Cart and shred only when sheer bulk dictates this as the logical choice and the material is not highly sensitive. Otherwise, destroy it yourself before recycling.
The big shredder purchasing mistake… Buying just one large central shredder for everyone to use. Reason: Not everyone will use it. Why? Too inconvenient.

People are too busy to be bothered to walk over to a shredder every time they should. A better choice - several convenient deskside crosscut shredders, or locked storage bins. This is one perk which has a very positive payback.

Did You Know?…  
There are people who will reassemble shredded strips, and computer programs which can optically piece together shredded strips, too.

Buyers Guide to Shredders 
Shredder manufacturers and distributors...
http://tinyurl.com/Dahle-Shredders
http://tinyurl.com/Lynde-Ordway
http://tinyurl.com/abcosolutions
http://tinyurl.com/abe-online
http://tinyurl.com/alleghenyshredders
http://tinyurl.com/ameri-shred
http://tinyurl.com/papershredders
http://tinyurl.com/cumminsshredders
http://tinyurl.com/Dahle4Shredders
http://tinyurl.com/eccobusiness
http://tinyurl.com/FellowesShredders
http://tinyurl.com/gbc-shredder
http://tinyurl.com/IdealShredders
http://tinyurl.com/industrialshredders
http://tinyurl.com/intimus
http://tinyurl.com/mbmcorp
http://tinyurl.com/semshred
http://tinyurl.com/somatcompany
http://tinyurl.com/whitakerbrothers
  • Replace your stripcut shredders with crosscut (or better) models. Stripcut models do not provide business-level security.  
  • Deskside crosscut shredders are also available from retail stores such as Staples or Office Depot.
~Kevin

Police Strip Cut Shreds Used as Parade Confetti

Ethan Finkelstein was at the NYC Thanksgiving Day Parade and noticed something weird about the confetti... "and it says 'SSN' and it's written like a social security number, and we're like, 'That's really bizarre.'"

"There are phone numbers, addresses, more social security numbers, license plate numbers and then we find all these incident reports from police."

One confetti strip indicates that it's from an arrest record, and other strips offer more detail. "This is really shocking," Finkelstein said. "It says, 'At 4:30 A.M. a pipe bomb was thrown at a house in the Kings Grant' area."

A closer look shows that the documents are from the Nassau County Police Department. The papers were shredded, but clearly not well enough.

They even contain information about Mitt Romney's motorcade, apparently from the final presidential debate, which took place at Hofstra University in Nassau County last month. (more)

UPDATE: ...Sources close to the investigation into the incident told PIX11 News that an employee of the Nassau County Police Department was watching the parade near 65th Street and Central Park West, along the parade route. He had brought shredded NCPD documents with him for his family and friends to use as confetti... (more) (video)

Thursday, June 28, 2012

Jersey Sure - Encrypted & Self-Destructing iPhone Email

Encryption is meant to keep your messages secret from any third-party eavesdropper–what security pros call a “man-in-the-middle” attack. 

But what about that more common problem, the man-on-the-other-end? Even trusted recipients of a message, photo or video can leak secrets, carelessly forward messages, let them fall into the wrong hands, or even betray the sender and dig up evidence years later–a lesson folks like Anthony Weiner and Adrian Lamo have illustrated all too clearly.

Wickr, a free application that launched in the iPhone app store Wednesday, aims to encrypt text, picture and video messages to prevent their interception by men-in-the-middle. But then, as the app’s name implies, those messages also delete themselves after just minutes or even seconds like a burning wick, leaving no trace behind even for forensic investigators. “We want to let people send messages that are easy, secure, and leave no trace,” says Robert Statica, one of the company’s founders and director of Center for Information Protection at the New Jersey Institute of Technology. (more)

Monday, February 13, 2012

Deshredding Reveals Massive Cold War Identity Theft

The reconstructed contents of 500 trash bags offer new insights into the extent of spying activities by the East German secret police, or Stasi, in West Germany.

As the German regional public broadcaster RBB recently reported, the Stasi ran an extensive program of stealing identities of tens of thousands of West German citizens to enable their spies to operate freely in the West...

This massive fraud came to light when the agency of the Federal Commissioner for the Stasi records completed the reconstruction of about a million torn-up documents, or the contents of about 500 trash bags. The reconstruction was accomplished, for the most part, through meticulous work by hand. (more)

Spybusters Security Tip: Never use a stripcut shredder. Always crosscut, particle, or pulp shred your sensitive wastepaper. Computerized document reconstruction tools (de-shredding programs) are available.

Friday, December 30, 2011

Dilbert vs. The Recycling Bin

...which can lead to some crafty employee solutions to sensitive wastepaper security. 

This blue bin was discovered recently by Murray Associates information security consultants...
It's enough to straighten Dilbert's tie.
Spybusters Security Tip # 512: Never store confidential materials awaiting shredding in an unlocked container. If there is an on-going need to shred small amounts of materials daily, buy a deskside crosscut shredder... and be sure to use it.

Tuesday, December 6, 2011

"All Your Shreds Are Belong to U.S." Wins Reconstruct Shreds Contest

via gizmag.com...
At the end of October, DARPA (the Defense Advanced Research Projects Agency) launched its Shredder Challenge contest. The objective: create a system for reconstructing shredded papers, then demonstrate it by piecing together five documents, the shredded remains of which were posted on the contest's website. Although the contest had a December 4th deadline, the "All Your Shreds Are Belong to U.S." team correctly reassembled all five documents with two days to spare.


The San Francisco-based team, which beat out approximately 9,000 competitors, used "custom-coded, computer-vision algorithms to suggest fragment pairings to human assemblers for verification." Members of the team spent approximately 600 man-hours developing algorithms and otherwise working on the challenge, completing everything within 33 days. Because it was able to reconstruct all five documents posted in the contest, the team was able to claim the complete prize of US$50,000.

DARPA hosted the contest both to develop methods of reading shredded documents left behind by enemies in war zones, and to identify ways in which U.S. shredded documents could be read by other parties, so that countermeasures could be developed.

Missed the contest?

Monday, August 15, 2011

Security Director Alert - Another Name for your Rolodex... Data Killers

Why would anyone want to shred a smartphone...twice?  

Well, if they wanted to be sure that all of their private information wouldn't fall into the wrong hands; they might shred it or burn it or both! Who would blame them when Wikileaks and identity theft stories dominate the news headlines? From corporate espionage to bored hackers, it seems someone is always after someone else's data! How does one keep private, corporate or government information from becoming public knowledge?

Recently a large federal agency that had upgraded their enterprise-wide smartphones wanted to have the old phones destroyed. The security officer responsible for the destruction of these smartphones took the smartphones to an un-knowledgeable electronics recycling company who shredded the phones. Unfortunately that company didn't have the specialized equipment to shred them small enough and the officer found several intact SIM cards in a pile of shredded residue. Luckily he found the un-shredded cards before the Inspector General found them! (more)

As you can see, not all shredding companies are created equal. Data Killers is the destruction arm of Turtle Wings, Inc., an ISO certified, woman-owned, HUBZoned company holding multiple GSA contracts. These folks claim they can get it done right the first time:
Elizabeth Wilmot, President
301-583-8399
1-877-KILLS-DATA
info@DATAKILLERS.com

Tuesday, April 5, 2011

Hammacher Schlemmer's World's Best Paper Shredder? You decide.

...which they will gladly sell to you. 
"The Best Cross Cut Shredder"
This shredder earned The Best rating from the Hammacher Schlemmer Institute because it shredded the most sheets at once and cut paper into unrecognizable, 1/8" x 1" pieces. The Best Cross Cut Shredder's steel gears cut credit cards and CDs into minuscule pieces that were impossible to reassemble or decipher.

Testing Criteria

A consumer panel determined that security, ease of use, shredding capacity, and quietness were the most important attributes when purchasing a cross cut shredder. The importance of each category was weighted proportionally during the Hammacher Schlemmer Institute's tests.


Test Methodology
Security: Analysts shredded paper and CDs with each model and measured the shreds to determine which unit provided the best security.

Ease of Use: The shredders were rated on how easily they accepted paper, maneuverability, and how easy it was to empty each unit's receptacle.

Shredding Capacity: Analysts determined the maximum number of 20-lb. bond paper sheets each model could shred at one time.

Quietness: A digital sound meter was used to measure the amount of noise produced by each shredder.

Monday, March 28, 2011

Export, eh... or, The PC is Smokin'

Dumpster diving isn't something Saskatchewan's privacy commissioner makes a habit of, but this time Gary Dickson says he was left with little choice.

Dickson and two assistants had to wade through a massive recycling dumpster this week to recover medical files. They sorted through paper more than 1 1/2 metres deep after getting a tip directing them to the container behind the Golden Mile Shopping Centre in Regina... "So we seized all of this stuff immediately and the only way we could do that was getting into the recycling bin."

It took a couple of hours to go through the dumpster. Dickson estimates they found more than 1,000 files that should have been shredded.

Whoever tossed the files had to know what they were, he said.

The commissioner said doctors, regional health authorities and other health professionals have long been told to follow Saskatchewan's Health Information Protection Act. The act says trustees have to safeguard personal health information in their custody.

There are fines of $50,000 for individuals and $500,000 for organizations for breaching the act. (more)

A shredder is beginning to look like a bargain, Doc.

Friday, March 18, 2011

Security Director Alert - E-data Disposal

Stories like this one pop up with unusual regularity, but this one hits close to home...
There was a story today in the New York Times about New Jersey State Comptroller Matthew Boxer's discovery during an audit of surplus state computers slated for auction that 79% of them still had readily accessible information on their hard drives.

Information was found on 46 of the 58 computers scheduled to be sold, and on 32 of those 46, the information found was highly personal in nature that should have never been made public.

For instance, one computer - a laptop - had been used by a judge, and "contained confidential memos the judge had written about possible misconduct by two lawyers, and the emotional problems of a third," the Times article stated. Personal financial information about the judge, including tax returns, was also found on the laptop. (more) (video about photocopier drives)

Questions to ask...
What happens to my company's old hard drives? (sold, auctioned, recycled, returned to lessor, donated)
Do I even know where all of them are? (desktops, laptops, photocopy print centers, tablets)
What about other old media? (old floppies, CDs, DVDs, smart cell phones, x-rays, videotapes, product samples, prototypes, old promotional materials)

Tip: This is not the IT department's job. It's a security issue. It's security's job. "Erasing," "degaussing," and even "smashing" are not good enough to protect the most sensitive information. Keep your hard drives. Give the leasing company the money for a new one. Then crosscut shred your e-media. (Hey, you do it for your sensitive waste paper.)

I was talking to Kevin Kane and Jason Moorhouse, two sharp guys from the Shredit company, yesterday and learned that they operate globally and have shredders that can even handle old refrigerators! 

In case you need an additional reason to shred e-media, I also learned that non-compliance with HIPAA regulations, for example, can bring heavy fines and even jail time. So, gather your junkers and clunkers and find someone (I don't care who) to shred it. ~Kevin

Wednesday, September 22, 2010

Hand-Powered Paper Shredder

Shredsors - 9-blade portable shredding scissors 
  • Perfect for destroying junk mail, bank statements, old credit cards, top secret memos and photos of your ex!
  • Easy grip plastic handle with 9 metal shredding blades
  • Size: 7-1/2" long x 1" thick blades (19 cm x 2.5 cm)
  • Not a toy: use only under adult supervision 
  • (more)

Sunday, June 21, 2009

Security Of Desks and File Cabinets

So, I am updating my address book. Up pops Michael Silva, a very smart independent security consultant in Edmonds, Washington. I verify his web site address. Interesting. It sidetracks me and I begin poking around. I found a gem for you!

Security Of Desks and File Cabinets <-- click

There may be nothing in this brief article you don't already know, but refresh your memory anyway. When it comes to securing information, this topic ranks right up there with shredding and eavesdropping.

Necessity spawns invention...
At the start of my career an executive countered my suggestion that he clear his desk at night. "I have my paperwork in very specific piles. I can't be moving all of them every night."

I invented a desk condom for him. Custom made to fit his desk, it was lightweight ripstop nylon with a drawstring along the edges. Flip it over the desk at night, pull the cord, lock the lock. Simple. Cheap. It worked for him. Kept after-hours snoops away, and kept the cleaners from knocking over his piles of papers. Stored easily, too.

If you get any grief, ask your execs, "Would you leave a stack of twenties on your desk overnight?" ~Kevin
Photo - My worst case.

Sunday, October 12, 2008

Spy Toolkit Item #141 - Dissolving Paper


Sources:
Mitsui USA
Endless Technologies
Nic Law Enforcement Supply
Defense Devices

Bonus...

Next time you venture out into that unhygienic world of ours, make sure you bring along our Dissolving Paper Soap! Simply wet your hands and rub them together with one sheet of paper soap -- and watch as the "paper" transforms into sudsy lather!

Meanwhile, over at Xerox...
Scientists demonstrated paper that can be reused after printed text automatically deletes itself from the paper's surface within 24 hours. Instead of trashing or recycling after one use, a single piece of paper can be used a second time, and reused up to 100 times, said Eric Shrader, area manager at PARC. (more)

Friday, August 15, 2008

ID Theft News - 8% ?!?! (seems high, or are high)

...and this is just in the past two weeks...

Eleven people from at least five different countries are facing charges for their involvement in a wide-ranging scheme to hack into nine US companies and steal and sell more than 40 million credit and debit card numbers.
"As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said. Officials said the ring had stolen hundreds of millions of dollars. (more) ...when federal prosecutors disclosed that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it. That's because only four of the chains clearly alerted their customers to breaches. (more)

• About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch. (more)

• A new report from the California Department of Public Health discovered that 127 UCLA Medical Center employees viewed celebrities' medical records without permission between January 2004 and June 2006, which is nearly double the number first reported earlier this year. (more)

• UK - Data protection experts have called for hospitals to use more effective encryption techniques after a laptop containing the personal data of thousands of patients was stolen. An unnamed manager at Colchester Hospital in Essex has been sacked as a result of the theft... (more)


• Security researcher Joe Stewart has identified a Russian gang that infected 378,000 computers with malware over a 16-month period in an effort to steal passwords and other information. (more)

• Ireland - The loss of a laptop containing 380,000 records of social welfare and pension recipients is a wake-up call for the Government and public and private sector bodies to ensure all staff are trained properly in data protection and use of encryption. (more)


• The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing.

The company, based in New York, lost possession of the laptop at San Francisco International Airport. The laptop contained unencrypted pre-enrollment records of individuals... (more) UPDATES: ...unencrypted laptop was found in the same office from which it was reported missing. (more) The U.S. Transportation Security Administration has cleared Verified Identity Pass to resume enrollments in its Registered Traveler program... (more) The laptop had been stolen, but was returned, according to the Sheriff's Department.

• The University of Michigan Credit Union in Ann Arbor confirmed that a data theft has resulted in some of its members becoming identity theft victims. The credit union said that so far, "less than 100" people have had their identities stolen -- mostly to open fraudulent credit card accounts. The theft, involving documents that were supposed to have been shredded... (more)

• Greece - Hundreds of bank clients in Greece and other European countries have turned into hostages because of actions of groups that steal data from bankcards and do uncontrolled drawings, the Greek To Bhma daily reports. (more)

• UK - The BBC has apologised after a memory stick containing details of hundreds of children who applied to take part in a TV show was stolen. (more)

• Wells Fargo & Co. is notifying some 5,000 people that their personal information might have been seen by someone using a bank access code illegally. (more)

Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc. (more)

Sunday, June 15, 2008

The #1 Reason to Ditch Your Stripcut Shredder

"Unshredding" shredded documents is nothing new. Our client family has been hearing this warning from me for over 30 years now.

Reconstruction can be accomplished by hand; most notably, when the Iranians took over the American Embassy in Tehran around 1980 (example).

Once a back-room government parlor trick, computer automated document reconstruction is now available to the general public!

Recommendations...
Ditch every stripcut (and partial stripcut) shredder in your company. They do not provide adequate business-level information security. Use crosscut, particle-cut or pulping shredders. Alert your Purchasing Department... "No more crummy stripcut shredders!"

Resources...

"How to Choose A Shredder" - Dahle
(Hint: Crosscut not Stripcut. Always.)
Lynde-Ordway
ABCO Office Solutions
Advantage Business Equipment
Allegheny Paper Shredders
Ameri-Shred
Capital Shredder Corp
Cummins Allison Corporation
Dahle USA
ECCO Business Systems
Fellowes Manufacturing Company
GBC Shredmaster Factory Direct
Ideal
Industrial Paper Shredders, Inc.
Intimus Paper Shredders
MBM Corporation (Destroyit)
Security Engineered Machinery
Somat Corporation (pulping shredders)
Whitaker Brothers
General search (Yahoo)

Bulk wastepaper destruction companies serving your area…
The National Association for Information Destruction, Inc.
(Search "Certified Members")