STE WILLIAMS

If you don’t know what a beer engine is, you’re probably imagining an giant-sized, diesel-powered pump for delivering beer in huge quantities – a sort of “fire truck meets Octoberfest” concoction.

In fact, a beer engine is a respectably artisanal device that you are likely to see in real pubs that serve real ale.

It’s a hand-operated piston pump that draws up beer straight from the cellar without needing the gas pressure that traditionalists claim not only makes the beer improperly frothy, but also ruins its taste and aroma.

Anyway, a colleague of ours recently bought a pair of beer engines for his home – not for actually serving beer, he hastened to explain (in the average household setting, a jug does a better job), but for the admittedly good looks of their brass fittings and turned handles.

What does all this have to do with computer security?

Thus far, nothing.

It was when the seller sent him the items he’d purchased online that the security problems came to light.

When he opened the box, his gleaming beer engines were thoroughly and thoughtfully protected in a cushion of packaging material…

…that had been dug out of the office shredder.

Unfortunately for the seller, this office shredder wasn’t a very good one, and it wasn’t in very good condition.

The documents were cut in a single direction into strips about 10mm wide, making it easy to read each piece and extract potentially sensitive data from it.

Worse still, the blades of the shredder were so blunt that, in some cases, they hadn’t sliced through the paper but had merely scored or corrugated it, leaving whole documents damaged but more or less intact.

We didn’t want to dig too deeply, but it was impossible not to notice bank statements, work notes, spreadsheets of results and even unused cheques. (Surprising as it may seem, chequebooks are still used in the UK.)

This sort of information is gold dust to a cybercrook or a social engineer who is looking to trick someone inside your company into doing something they shouldn’t, such as resetting a password, unlocking an account or opening a booby-trapped document.

To be honest, the leaked information in the beer engine packaging wasn’t especially dangerous for us to see, but we didn’t need to see it, and that’s what matters.

When it comes to social engineering, the devil really is in the details: you’re much more likely to believe the story of someone claiming fraudulently to be a colleague (or even claiming to be your CEO or CFO) if they are familiar with company minutiae that make them sound like an insider.

So don’t give away anything to the crooks that you don’t need to, and be especially careful not to give away things that stand out precisely because you meant to destroy them but didn’t.

What to do?

• Don’t try to re-use the output of your shredder, even for innocent-sounding purposes such as packaging. Considering that you shredded the documents in the first place to stop them falling into other people’s hands, it doesn’t make sense to send them to someone else, even after you’ve shredded them!
• If you want to shred your own documents, invest in a cross-cut shredder that turns paper into tiny squares rather than strips. Cross-cut shredders produce chaff that is much harder to piece back together, and each individual fragment contains much less information.
• Maintain and use your shredder as recommended so that it keeps on cutting properly. Lubricate paper shredders regularly, and don’t try to stuff through more sheets at a time than the shredder is rated for, or you may end up with unshredded pages among the chaff.
• Familiarise yourself with official guidelines and standards for document disposal. If you deal with businesses in other countries, look at their guidelines, too, and follow their standards if they’re stricter than your own.
• Consider using a reputable shredding company who will collect, shred and certify the destruction of documents that are no longer needed. It’s easy to fall behind on your shredding, and it becomes ever more tempting to “catch up” by putting a selection of sensitive documents in with your regular waste.

Follow @NakedSecurity
Follow @duckblog

Image of pub beer engines from Bikeworldtravel / Shutterstock, Inc.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PZbrOhjapFg/