Poor data handling and lax PC disposal practices by some Australian organizations have made corporate espionage easy.
Very few companies take the steps necessary to clean and re-format hard drives, making auction houses a treasure trove of sensitive information. For only $5, Pointsec senior security engineer Frederik Borjesson bought some hard drives and used the necessary software to demonstrate just how easy it is to locate lists of employee names, legal agreements and company headers, as well as the usual porn.
Borjesson said he was able to find and read information - without James Bond-style technology - on 12 of the 14 hard disks purchased online, which had supposedly been re-formatted and wiped clean.
"The software and hardware investments are just pocket money - corporate espionage has a history of using James Bond-type stuff but now it is so easy to recover information from second-hand hard drives," Borjesson said.
"We bought different laptops and hard drives online to show how much information you can actually uncover when they have been sold off from a company; it is amazing what we could find.
"We found lists of access codes and employee names, e-mail correspondence, legal agreements, everything that is on a PC could be found, even pornography, despite the fact that the seller of the equipment stated it had been refurbished."
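To show why a re-formatted drive still gives up its files, here is an added example (not from the article or from any vendor quoted in it) that models a toy disk image, a quick format that rewrites only the metadata area, and a full overwrite, with a `strings`-style audit that a disposal team can use to verify sanitisation. The sector layout, the directory format and the sample file contents are all constructed for this example.

```python
import re

SECTOR = 512
META_SECTORS = 8  # toy layout (an assumption): the directory lives in the first 8 sectors

def make_image(files, sectors=128):
    """Build a constructed disk image: directory entries in the metadata area,
    file bodies sector-aligned after it. Not a real filesystem format."""
    img = bytearray(SECTOR * sectors)
    entries, next_sector = [], META_SECTORS
    for name, body in files.items():
        entries.append(f"{name}:{next_sector}:{len(body)}")
        start = next_sector * SECTOR
        img[start:start + len(body)] = body
        next_sector += -(-len(body) // SECTOR)  # ceiling division to whole sectors
    meta = "\n".join(entries).encode()
    img[:len(meta)] = meta
    return img

def quick_format(img):
    """A quick format only rewrites the metadata area; every file body survives."""
    img[:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)

def secure_wipe(img, passes=(0x00, 0xFF, 0x00)):
    """Overwrite every sector on every pass; the final pass leaves all zeros."""
    for fill in passes:
        img[:] = bytes([fill]) * len(img)

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

def carve_strings(img):
    """Audit helper in the spirit of the `strings` tool: printable runs of 8+ bytes."""
    return [m.group().decode() for m in _PRINTABLE_RUN.finditer(bytes(img))]

def nonblank_sectors(img):
    """Sectors that still hold any non-zero byte; a sanitised drive reports 0."""
    return sum(1 for off in range(0, len(img), SECTOR) if any(img[off:off + SECTOR]))

# Constructed sample files standing in for the kinds of records the article describes.
SAMPLE_FILES = {
    "staff.txt": b"EMPLOYEE LIST: Alice Example, Bob Example",
    "nda.txt": b"LEGAL AGREEMENT (draft) - confidential",
}

if __name__ == "__main__":
    disk = make_image(SAMPLE_FILES)
    quick_format(disk)
    print("after quick format:", nonblank_sectors(disk), "sectors, strings:", carve_strings(disk))
    secure_wipe(disk)
    print("after full overwrite:", nonblank_sectors(disk), "sectors, strings:", carve_strings(disk))
```

Running the script shows both file bodies still carved out intact after the quick format, and nothing at all after the full overwrite; on a real drive the same audit is the check a disposal process should run before the hardware leaves the building.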
Volante national security practice manager Ajoy Ghosh has undertaken a similar exercise and says it's common to find such data.
He said some internal IT shops are not effectively wiping data from hard drives, even though some do attempt to take the matter seriously.
"I purchased 240 computers with hard drives ranging from 20G to 60G from an online auction house and was able to recover 145,200 individual files and the average time to recover each computer was eight hours," Ghosh said.
"The computers were from an 18-month lease in a financial corporation and were already supposedly wiped before they went to the auction house. The oldest files recovered were 549 days old with the average age of a recovered file 50 days.
"It doesn't matter if the IT department of the financial company or auction house did the scrubbing, whoever it was didn't do it properly."
Ghosh also cited an ex-OneTel Web server, purchased from a liquidator, that included client databases, and a corporate e-mail server that held some four years of company e-mail, including contractual information.
Director of InfoXChange Australia, Andrew Mahar, said the company turns around about 8000 second-hand computers annually, mainly from companies and government departments, which are in turn passed on to the general public.
Mahar said 90 percent of the information previously held on the gear had been scrubbed, but added that companies are now taking extra steps to ensure the hard drive is completely useless by attacking it with a screwdriver.
"Some companies put screwdrivers through the hard drives to physically damage them, which annoys us like buggery but if they take that extra step then no information can be taken," he said.