HP3000-L Archives

August 2006, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Larry Barnes <[log in to unmask]>
Reply To:
Larry Barnes <[log in to unmask]>
Date:
Wed, 30 Aug 2006 15:45:14 -0700
Content-Type:
text/plain
 
http://news.yahoo.com/s/ap/betrayed_by_a_cell_phone  (story below)
 

By TED BRIDIS, Associated Press Writer

WASHINGTON - Don't tell your cell phone any secrets. It might not keep
them. 

Second hand phones purchased over the Internet surrendered credit card
numbers, banking passwords, business secrets and even evidence of
adultery.

One married man's girlfriend sent a text message to his cell phone: His
wife was getting suspicious. Perhaps they should cool it for a few days.

"So," she wrote, "I'll talk to u next week."

"You want a break from me? Then fine," he wrote back.

Later, the married man bought a new phone. He sold his old one on eBay
Inc. for $290.

The guys who bought it now know his secret.

The married man had followed the directions in his phone's manual to
erase all his information, including lurid exchanges with his lover. But
it wasn't enough.

Selling your old phone once you upgrade to a fancier model can be like
handing over your diaries. All sorts of sensitive information pile up
inside our cell phones, and deleting it may be more difficult than you
think.

A popular practice among sellers, resetting the phone, often means
sensitive information appears to have been erased. But it can be
resurrected using specialized yet inexpensive software found on the
Internet.

A company, Trust Digital of McLean, Va., bought 10 different phones on
eBay this summer to test phone-security tools it sells for businesses.
The phones all were fairly sophisticated models capable of working with
corporate e-mail systems.

Curious software experts at Trust Digital resurrected information on
nearly all the used phones, including the racy exchanges between guarded
lovers.

The other phones contained:

_One company's plans to win a multimillion-dollar federal transportation
contract.

_E-mails about another firm's $50,000 payment for a software license.

_Bank accounts and passwords.

_Details of prescriptions and receipts for one worker's utility
payments.

The recovered information was equal to 27,000 pages - a stack of
printouts 8 feet high. 

"We found just a mountain of personal and corporate data," said Nick
Magliato, Trust Digital's chief executive. 

Many of the phones were owned personally by the sellers but crammed with
sensitive corporate information, underscoring the blurring of work and
home. "They don't come with a warning label that says, 'Be careful.' The
data on these phones is very important," Magliato said. 

One phone surrendered the secrets of a chief executive at a small
technology company in Silicon Valley. It included details of a pending
deal with Adobe Systems Inc., and e-mail proposals from a potential
Japanese partner: 

"If we want to be exclusive distributor in Japan, what kind of business
terms you want?" asked the executive in Japan. 

Trust Digital surmised that the U.S. chief executive gave his old phone
to a former roommate, who used it briefly then sold it for $400 on eBay.
Researchers found e-mails covering different periods for both men, who
used the same address until recently. 

Experts said giving away an old phone is commonplace. Consumers upgrade
their cell phones on average about every 18 months. 

"Most people toss their phones after they're done; a lot of them give
their old phones to family members or friends," said Miro Kazakoff, a
researcher at Compete Inc. of Boston who follows mobile phone sales and
trends. He said selling a used phone - which sometimes can fetch
hundreds of dollars - is increasingly popular. 

The 10 phones Trust Digital studied represented popular models from
leading manufacturers. All the phones stored information on "flash"
memory chips, the same technology found in digital cameras and some
music players. 

Flash memory is inexpensive and durable. But it is slow to erase
information in ways that make it impossible to recover. So manufacturers
compensate with methods that erase data less completely but don't make a
phone seem sluggish. 

Phone manufacturers usually provide instructions for safely deleting a
customer's information, but it's not always convenient or easy to find.
Research in Motion Ltd. has built into newer Blackberry phones an
easy-to-use wipe program. 

Palm Inc., which makes the popular Treo phones, puts directions deep
within its Web site for what it calls a "zero out reset." It involves
holding down three buttons simultaneously while pressing a fourth tiny
button on the back of the phone. 

But it's so awkward to do that even Palm says it may take two people. A
Palm executive, Joe Fabris, said the company made the process
deliberately clumsy because it doesn't want customers accidentally
erasing their information. 

Trust Digital resurrected erased e-mails and other information from a
used Treo phone provided by The Associated Press after it was reset and
appeared empty. The AP ordinarily purges its phones the correct way, but
for demonstration purposes turned over a reporter's phone that had been
simply reset to see whether Trust Digital could recover the information.
It did. 

Once the AP phone was properly wiped using Palm's awkward "zero-out"
technique, no information could be recovered. 

"The tools are out there" for hackers and thieves to rummage through
deleted data on used phones, Trust Digital's chief technology officer,
Norm Laudermilch, said. "It definitely does not take a Ph.D." 

Fabris, Palm's director of wireless solutions, said after AP's inquiries
that the company may warn customers in an upcoming newsletter about the
risks of selling their used phones. "It might behoove us to raise this
issue," Fabris said. 

Dean Olmstead of Fresno, Calif., sold his Treo phone on eBay after using
it six months. He didn't know about Palm's instructions to delete safely
all his personal information. Now, he's worried. 

"I probably should have done that," Olmstead said. "Folks need to know
this. I'm hoping my phone goes to a nice person." 

Guy Martin of Albuquerque, N.M., wasn't as concerned someone will snoop
on his secrets. He also sold his Treo phone on eBay and didn't delete
his information completely. 

"I'm not that kind of valuable person, so I'm not really worried," said
Martin, who runs the http://www.imusteat.com Web site.
"I guarantee that three-quarters of the people who buy these phones
don't think about this."

Trust Digital found no evidence that thieves or corporate spies are
routinely buying used phones to mine them for secrets, Magliato said. "I
don't think the bad guys have figured this out yet." 

President Bush's former
cybersecurity adviser, Howard Schmidt, carried up to four phones and
e-mail devices - and said he was always careful with them. To sanitize
his older Blackberry devices, Schmidt would deliberately type his
password incorrectly 11 times, which caused data on them to
self-destruct. 

"People are just not aware how much they're exposing themselves,"
Schmidt said. "This is more than something you pick up and talk on. This
is your identity. There are people really looking to exploit this." 

Executives at Trust Digital agreed to review with AP the information
extracted from the used phones on the condition AP would not identify
the sellers or their employers. They also showed AP receipts from the
Internet auctions in which they bought the 10 phones over the summer for
prices between $192 and $400 each. 

Trust Digital said it intends to return all the phones to their original
owners, and said it kept the recovered personal information on a single
computer under lock and disconnected from its corporate network at its
headquarters in northern Virginia. 

Peiter "Mudge" Zatko, a respected computer security expert, said phone
owners should decide whether to auction their used equipment for a few
hundred dollars - and risk revealing their secrets - or effectively toss
their old phones under a large truck to dispose of them. 

What about a case like the Lothario whose affair Trust Digital
discovered? 

"I'd run over the phone," Zatko said. "Maybe give it an acid bath."

 

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
