[BreachExchange] One of the West's biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries

Destry Winant destry at riskbasedsecurity.com
Mon Jan 7 19:53:53 EST 2019


https://www.businessinsider.com/western-countries-send-servers-full-of-sensitive-information-to-foreign-countries-2018-12

Western companies routinely abandon confidential, sensitive, and
personally identifying information to private companies in foreign
countries when they upgrade their servers, workstations, and
networking gear for new hardware, a source tells Business Insider.

The unprotected data is a goldmine for hackers.

The source, based in Romania, approached us after reading our December
22 article on whether hackers had the ability to take entire countries
offline. The source runs an IT hardware refurbishment company that
buys up old equipment from countries such as Spain, the Benelux area,
and the UK, and sells it to customers who don't need top-spec
equipment. Typically he is buying truckloads of old servers, "stuff
that is past its prime or out of warranty, but it is still perfectly
usable. The procedure is simple: hardware comes in, gets evaluated,
fixed, wiped, sold," the source says.

The problem, our source says, is that even when the incoming hardware
has been marked as being already wiped clean it often is not.

A "mostly complete" directory of "passwords for a major European
aerospace manufacturer"

"Over the last 3 years I have found a lot of crazy things," the source
says, including:

- A mostly complete database of the Dutch public health insurance
  system, with social security data, billing, addresses, medical
  histories. "Imagine the social engineering scams you could do with
  this data," the source says.
- Codes, software and procedures for the traffic lights and railway
  signalling "for a few major Spanish cities." "Imagine the potentially
  deadly effects of this getting where it shouldn't," he adds.
- Customer credit card data including addresses and shopping habits for
  a major UK supermarket chain.
- And, alarmingly, "a mostly complete (and as far as I could tell, still
  up to date and functional) employee directory with access codes /
  badges / smartcards / passwords for a major European aerospace
  manufacturer."

Our source asked for anonymity because his company and its clients
would be angered if their identities appeared in an article about lax
security.

But two independent sources with industrial cybersecurity expertise —
Nir Giller, the CTO of CyberX and Darktrace Director of Technology
Andrew Tonschev — both confirmed to Business Insider that the Romanian
source's scenario was both common and plausible.

"Right now, I'm looking at the sensor listing, their IP's and access data"

"Even now, I am processing the remains of a server farm that until a
month or so ago, was part of a power company in France," our source
says. The buyer noted the ability of hackers to burn down factories
simply by accessing unprotected systems which control things like
temperature sensors that prevent equipment from burning out. "Guess
what, data [from the French company] is still there," the source
claims. "Right now, I'm looking at the sensor listing, their IP's and
access data. Obviously, I'm sanitizing everything before passing it
on, but it never should have gotten into my hands in the first place."

The source says that sometimes the data he finds is so critical that
he contacts the originating company to alert them that they have a
problem with security. "In most cases the reaction was one of
disbelief, 'no, it cannot happen to us, we're well protected!'"

As more companies lease server space, fewer of them know what happens
when those leases end

The problem exists because of the way server space is discarded by
large corporations. Few companies want the bother of maintaining their
own server farms. So they lease space from specialists. At the end of
a lease, companies can walk away from their contracts — leaving the
servers with the vendor, which is supposed to carefully destroy the
data. Alternatively, when older servers reach the end of their
warranty they are replaced in "forklift" upgrades, en masse. In both
cases, the disused servers are supposed to be wiped by certified
experts using special software and approved processes. In reality,
it's quicker to skip steps, or not do it properly, or let mistakes go.
The result is that the original data is often accessible even when an
old server has been certified clean.
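The gap the article describes is between a drive being *marked* wiped and a drive being *verified* wiped. The following is an added example, not code from the article, from Business Insider or from the Romanian source's company: a small residual-data check that a receiving party (or the disposing company, before the truck leaves) can run over a disk image. It walks the image in chunks and looks for three things an overwritten drive should not contain: known filesystem signatures (the NTFS OEM id, the GPT header, the ext superblock magic, all real on-disk constants), runs of printable text such as records or configuration, and non-zero data whose entropy is too low to be a random-pattern overwrite. The chunk size, the entropy threshold, the minimum text run and the three sample images are assumptions constructed for the example; `scan_image` takes any `bytes` object, so on a real system you would feed it the contents read from the block device.

```python
"""Residual-data check for a drive that has been declared "wiped".

Added example, not part of the article. Three outcomes:
  residual-data  - signatures, text or structured data found
  uniform-fill   - every chunk is constant (0x00 or 0xFF fill), consistent with a wipe
  indeterminate  - only high-entropy chunks; a random-pass wipe and encrypted
                   residue look the same here and need a different check
"""
import math
import random
import re
from collections import Counter

CHUNK_SIZE = 4096        # assumption: sector-aligned chunk for classification
HIGH_ENTROPY = 7.5       # bits per byte; uniformly random data scores close to 8.0
MIN_TEXT_RUN = 24        # assumption: printable bytes before a run counts as text

# (offset in image, expected bytes, description). Real on-disk constants.
MAGIC_AT_OFFSET = [
    (3, b"NTFS    ", "NTFS boot sector OEM id"),
    (512, b"EFI PART", "GPT partition table header"),
    (1024 + 0x38, b"\x53\xef", "ext2/3/4 superblock magic"),
]
TEXT_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % MIN_TEXT_RUN)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Classify every chunk and record filesystem signatures and text runs."""
    report = {"chunks": 0, "uniform": 0, "high_entropy": 0, "structured": 0,
              "magic": [], "text": []}
    for off, pattern, desc in MAGIC_AT_OFFSET:
        if image[off:off + len(pattern)] == pattern:
            report["magic"].append((off, desc))
    for start in range(0, len(image), chunk_size):
        chunk = image[start:start + chunk_size]
        report["chunks"] += 1
        if len(set(chunk)) == 1:            # 0x00 or 0xFF fill, or any constant byte
            report["uniform"] += 1
            continue
        if shannon_entropy(chunk) >= HIGH_ENTROPY:
            report["high_entropy"] += 1     # random overwrite or ciphertext
        else:
            report["structured"] += 1       # plaintext, tables, code: not a wipe
        for m in TEXT_RUN.finditer(chunk):
            # keep a short, offset-tagged snippet so a reviewer can locate it
            report["text"].append((start + m.start(), m.group()[:60].decode("ascii")))
    return report


def verdict(report: dict) -> str:
    if report["magic"] or report["text"] or report["structured"]:
        return "residual-data"
    if report["high_entropy"] == 0:
        return "uniform-fill"
    return "indeterminate"


def sample_images():
    """Constructed sample images (not real drive contents), 32 KiB each."""
    rng = random.Random(20190107)           # seeded so the example is reproducible
    size = 8 * CHUNK_SIZE
    wiped = bytes(size)                     # zero-filled, as after a zero-pass wipe
    residual = bytearray(size)
    residual[0:11] = b"\xeb\x52\x90NTFS    "   # NTFS boot sector start, left in place
    record = b"employee_id=00042;badge=CONSTRUCTED-SAMPLE;password=not-a-real-secret\n"
    residual[3 * CHUNK_SIZE + 100:3 * CHUNK_SIZE + 100 + len(record)] = record
    residual[5 * CHUNK_SIZE:6 * CHUNK_SIZE] = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    random_pass = bytes(rng.getrandbits(8) for _ in range(size))   # random-pattern wipe
    return wiped, bytes(residual), random_pass


if __name__ == "__main__":
    for name, img in zip(("wiped", "residual", "random_pass"), sample_images()):
        rep = scan_image(img)
        print(f"{name:12s} -> {verdict(rep)}  magic={rep['magic']}  text={rep['text'][:1]}")
```

The three-way verdict is the point of the check: an all-zero or all-0xFF image is consistent with a completed wipe, a single filesystem signature or readable record means the wipe did not happen or did not finish, and an image that is high-entropy throughout cannot be distinguished from encrypted residue by inspection alone, so a certificate of sanitisation for such a drive should rest on the erase command's own completion status rather than on a scan.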

"The West is failing at an institutional level to keep their critical
data safe," the source says. "No need for CSI-worthy hacking stories,
just a credit card to buy up your used hardware - odds are the data
will be still there, even if someone marked them as already wiped."
