An IT asset is any information the company owns, along with any hardware or system it uses in its business activities. The IT asset disposal process can be fraught with risk, and the riskiest element is environmental compliance with federal and state regulations. There is also the disaster that could follow if the company’s assets were discovered leaching toxic materials into the environment, being processed under unsafe working conditions in an overseas dumping ground, or moldering in a landfill. To make sure your IT asset disposal is in environmental compliance, here are some key facts you should know.
When it says “free”, it does not always mean that
There are IT recycling vendors that will offer to take your assets and dispose of them at no cost to the company. When you ask how they can do this, they may tell you that they make money selling the assets for scrap. This should raise a red flag and make you suspicious. Even when IT asset material does have some scrap value, it is usually not enough to sustain a recycling business that is environmentally compliant. If your company ends up paying fines because its vendor practices poor recycling, those “free” services could cost your company a fortune. So if an IT asset disposal center offers to dispose of your company’s assets for free, look for another service.
Downstream does matter
Many of these companies have downstream partners to whom they hand off assets for further processing, usually the material they cannot sell. One important thing to note is that your company is liable for all IT assets it has disposed of throughout the chain of custody, from the moment they leave your company to the final disposition site. To make sure the company you choose is in environmental compliance, you need to make sure that everyone involved is also in compliance. Make sure you know where your IT assets go.
Certification is the most reliable way to make sure the company you choose is in environmental compliance. Generally, no one at your company has the expertise or the time to audit an IT asset disposal recycling center’s practices from start to finish, and you do not have to rely on the vendor’s word that they and their partners are in compliance. Ask to see their certification for compliant and safe IT asset recycling, which will be one or both of the R2/RIOS and e-Stewards certificates. To obtain these certificates they also have to monitor their partners and provide documented proof that the IT asset disposal complies with all standards and laws.
Ever wonder how secure your information truly is? What security protocols do you practice? Maybe creating a password? Locking the computer so others cannot access your data? Bypassing Windows passwords takes a minute or less and a Windows 10 installation disk. Thus far, I have been successful in using the Windows 10 disk to bypass account passwords and even activate deactivated accounts on Windows Server 2012, Windows 10, Windows 7, and Windows 8.1. I have yet to test the technique for bypassing locked computer accounts on Windows XP and Vista, but I do not foresee any complications with those operating systems.
Before you think this makes you safer because you use Mac OS X: I have also been able to bypass root-level account passwords on a MacBook Pro running Mac OS X 10.10 Yosemite, using built-in Apple commands. This method also took less than a minute to accomplish.
The security implemented in an operating system and its accounts always has some level of vulnerability, and most security measures are feel-good methods. Usernames and passwords, for example, represent single-factor authentication: the username identifies who you are, and the password is the proof that you are who you say you are. Modern security guidance calls for the username to be unique and the password to be a minimum of 16 characters made up of a random combination of uppercase letters, lowercase letters, numbers and special characters. Sixteen characters is about the limit of what the average person can remember for their own passwords. With the growing advances in computer processing power, such passwords will eventually be breakable in ever shorter amounts of time, eventually making them completely useless. Most operating systems store username and password combinations as hashes in specific files that can be viewed as plain text, which will ultimately make passwords obsolete.
Stating these facts does not mean you should ask “So, why bother?” with usernames and passwords. Passwords do stop the average person from gaining access, and some level of security is better than none. There are, of course, other ways to better secure your operating system and prevent the method mentioned here from being used. Data-at-rest encryption, for example, is an option at the operating system level, which means a decryption step must occur before the operating system boots.
Two-factor and three-factor authentication also increase the security level of your operating system. CAC (Common Access Card) cards, commonly used by the DoD and other government agencies, are a prime example of two-factor authentication: the first factor is the card itself, which holds encrypted certificates identifying who you are, and the second factor is a PIN as secondary proof. Three-factor authentication adds features such as biometrics. Keep in mind that even with all of these methods in use, there is no such thing as a 100% secure system.
Google & Your Website – A Blind Alliance
Assume you have a website “onlineshopperdotcom”. When you search Google with the keywords “online shopper website”, you get a glimpse, in the results page, of your website and of other websites related to your keywords. That is quite universal, as we all want our websites searched and indexed by Google, and it is common to all e-commerce websites. Notice the three relationships this creates:
A. Your website “onlineshopperdotcom” is directly allied with Google.
B. Your website & your web server (where you have all usernames & passwords saved) are directly allied with each other.
C. Alarmingly, Google is indirectly allied to your web server.
You might be convinced that this is normal and not expect a phishing attack that uses Google to retrieve information from your web server. Now, on second thought: instead of searching Google for “online shopper website”, what if I search “online shopper website usernames and passwords”? Will Google be able to give me the list of usernames and passwords for the online shopper website? As a security consultant, my answer is “MAYBE, SOMETIMES!”, but if you use Google dorks (the proper keywords for querying Google), the answer becomes a big “YES!” when your website has a misconfigured security setup.
Google Dorks can be intimidating.
Google pops in as a serving guardian until you see the other side of it. Google may have answers to all your queries, but you need to frame your questions properly, and that is where GOOGLE DORKS come in. A dork is not complicated software that you install, execute and wait for results; it is a combination of search operators (intitle, inurl, site, intext, allinurl, etc.) with which you can ask Google for exactly what you are after.
For example, if your objective is to download PDF documents related to Java, the normal Google search would be “java pdf document free download” (“free” being a mandatory keyword without which no Google search is complete). With Google dorks, your search becomes “filetype:pdf intext:java”. With these operators, Google understands what exactly you are looking for better than with the previous search, and you get more accurate results. That seems promising for an effective Google search.
However, attackers can use these same operator searches for a very different purpose: to steal or extract information from your website or server. Assuming I need usernames and passwords that are cached on servers, I can use a simple query such as “filetype:xls passwords site:in”, which returns Google results of cached content from different websites in India that have usernames and passwords saved in them. It is as simple as that. In relation to the online shopper website, the query “filetype:xls passwords inurl:onlineshopper.com” might return results that would dismay anyone. In simple terms, your private or sensitive information becomes available on the internet, not because someone hacked it but because Google was able to retrieve it free of cost.
How to prevent this?
Web robots (also called wanderers, crawlers or spiders) are programs that traverse the web automatically. Search engines such as Google, Bing and Yahoo use them to scan websites and extract information, and those robots read a file named “robots.txt” to learn which parts of a site they may index.
robots.txt is a file that tells search engines what they may and may not access on the website; it is a kind of control you have over search engines. Configuring robots.txt isn’t rocket science: you need to know which information should and should not be allowed into search engines. A sample robots.txt configuration will look like this.
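The sample itself did not survive on this page, so here is an added example (not the original article’s) that puts a weak robots.txt beside a hardened one and audits which sensitive paths a crawler honouring each policy could still fetch, using only Python’s standard library. The host name, directory names and both policies are constructed for the illustration.

```python
"""Audit a robots.txt policy against paths that must never be indexed.

Added example, not from the original article. Uses only the standard
library; the robots.txt texts, host and sensitive paths are constructed.
"""
from urllib.robotparser import RobotFileParser

SITE = "https://onlineshopper.example"  # hypothetical host

# Constructed: a weak robots.txt that hides only the cart, leaving the
# directories that hold spreadsheets, backups and admin pages crawlable.
WEAK_ROBOTS = """\
User-agent: *
Disallow: /cart/
"""

# Constructed: the corrected policy blocks every directory that holds
# exports, backups or admin pages. Rules are plain path prefixes because
# urllib.robotparser does not understand Google's '*' and '$' wildcards.
HARDENED_ROBOTS = """\
User-agent: *
Disallow: /cart/
Disallow: /exports/
Disallow: /backups/
Disallow: /admin/
"""

# Constructed: URLs on the site that must not be crawlable by any search engine.
SENSITIVE_PATHS = [
    "/exports/customers.xls",
    "/backups/db-2015.sql",
    "/admin/users.php",
]


def load_policy(text: str) -> RobotFileParser:
    """Parse robots.txt text in memory, without any network fetch."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawlable_sensitive_paths(robots_txt: str, user_agent: str = "Googlebot") -> list:
    """Return the sensitive paths a crawler that honours robots.txt may still fetch."""
    rp = load_policy(robots_txt)
    return [p for p in SENSITIVE_PATHS if rp.can_fetch(user_agent, SITE + p)]


if __name__ == "__main__":
    print("weak policy still exposes:", crawlable_sensitive_paths(WEAK_ROBOTS))
    print("hardened policy still exposes:", crawlable_sensitive_paths(HARDENED_ROBOTS))
```

Keep in mind that robots.txt is only a request to well-behaved crawlers: a disallowed file is still downloadable by anyone who knows its URL, so exports and backups belong behind authentication or outside the web root, with robots.txt as a second layer rather than the fix.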
Sadly, these robots.txt configurations are often missed or configured inappropriately by website designers. Shockingly, most government and college websites in India are prone to this attack, revealing sensitive information about their sites. With malware, remote attacks, botnets and other high-end threats flooding the internet, Google dorks can be more threatening still, since all they require is any device with a working internet connection. And this doesn’t end with retrieving sensitive information: using Google dorks, anyone can find vulnerable CCTV cameras, modems, mail usernames, passwords and online order details just by searching Google.