Military Secrets for Sale on Stolen USB Drives

nTrfAce writes "Per a BBC Article, "US forces in Afghanistan are checking reports that stolen computer hardware containing military secrets is being sold at a market beside a big US base. Shopkeepers at a market next to Bagram base, outside Kabul, have been selling memory drives stolen from the facility, the Los Angeles Times newspaper says.""

Strong encryption

[VincenzoRomano]

I hope that those soldiers were using strong encryption for file systems.
I hope that those soldiers were not storing sensible data on those drives.
I hope that those soldiers were not storing weird photos involving prisoners ...
Real world tends to be different from hopes!

Re:Strong encryption

[meringuoid]

I hope that those soldiers were not storing weird photos involving prisoners ...

If soldiers have been abusing prisoners, I'd prefer them to photograph themselves doing it and then store those photographs on disks which are later stolen and leaked to the press.

Otherwise, how will we ever know what our armed representatives abroad are doing in our names?

Re:Strong encryption

[Saven+Marek]

> I hope that those soldiers were using strong encryption for file systems.

Remember encryption isn't the be all and the end all. What happens when you lose your own keys?

And keys on a laptop itself, well that's all portable too. Laptop + usb key means nothing since you have to carry the encryption keys with you. Without doing that your data is useless, and carrying them with you means when the laptop is stolen, you have the key stolen with it.

Instant access to your data. If they have your key they also can unencrypt anything else of yours, so you have not just lost the USB drive but more than that. How much do you think an encryption for sale on the black market is?

Let me tell you it ain't cheap so there's profit to be made. Where there is profit there is motive. By using encryption you are adding additional motive to the thieves.

So why use the problems with encryption without the benefit? It doesn't make sense. Kapsky and Dilinger's 1999 paper addressed this issue on when widespread use of portable computing was just beginning.

Re:Strong encryption

[ObsessiveMathsFreak]

Otherwise, how will we ever know what our armed representatives abroad are doing in our names?

But shouldn't soliders have the right to strip prisioners naked and photgraph their anuses, without fear of government surveillance?

Re:Strong encryption

[x2A]

not if it's goatse guy!

Re:Strong encryption

[chrismcdirty]

I really doubt that most of them tell the actual truth. Like in America, their job is to sell the news. Most of the time, they put a spin on it to please their citizens, or to upset their citizens. If the citizens hate Americans, they'd likely make their news biased against America.

For example, would you have me read British news concerning America? Iranian? French? Libyan? German? How am I, the ignorant American, supposed to know which ones are truly impartial, and which ones are putting their Anti-/Pro-American spin on the news, just like the news companies here in America?

Re:Strong encryption

[RandoX]

"The truth" is subjective.

Re:Strong encryption

[snoozebutton]

By reading as many differing sources as possible, and making your own conclusions.

Re:Strong encryption

[patio11]

There is not too much subjective about the statement "some US troops sexually abused prisoners in Iraq". Thats a fact. Here's another: "the US military found out about it before the press did, through a whistleblower, and immediately started investigating and preparing charges, and as a result some of the culprits are now doing hard time". Unfortunately, the pictures for Truth #2 don't sell nearly so many papers.

Re:Strong encryption

[pianophile]

You voted for Bush - twice.

I didn't, and neither did approximately half of US voters.

How is the military carrying out his commands not representative of you? You don't get off that easily.

I hope that someday you are personally blamed for the actions of your government, too, you jerk.

Re:Strong encryption

[meringuoid]

If your life was saved due to someone pulling another person's (not a normal person, someone who takes joy in seeing women and children burning alive) fingernails out with pliers, would you complain?

I very much hope that I would.

I am not saying that the ends justify the means

Oh yes you are.

Re:Missing Classified Hard Drives

[x2A]

Windows - it's that insecure, you don't even need physical access to a machine to steal it's componants! ;-)

I'm no military fan...

...but how do they know the 'secrets' are actually that and not some kind of decoy?

Re:I'm no military fan...

[mrogers]

Military Intelligence has released a list of the secrets that have been recovered and those that are still at large. Among the recovered secrets:

• The B2 Stealth Bomber is just a decoy made out of balsa wood and black paper; smart bombs are actually delivered by UPS
• Lee Harvey Oswald acted alone; the FBI and Secret Service were so embarrassed by their failure to protect the President from some wandering nutjob that they spent the next 30 years trying to create the impression there had been some kind of conspiracy
• A 1989 Cheers episode that made reference to the Kennedy assassination was seized by the CIA minutes before it was scheduled to air; the tape went missing, and so far 11 American civilians have been killed in the effort to prevent it reaching a wider audience
• Aging Cuban guerillas launched a successful coup in Washington DC while the nation's attention was focussed on the last episode of Sex and the City. President-for-Life Fidel Castro described it as "a good day to bury good news".

Why?

[bl00d6789]

Let me be the first to ask: Why the hell is the military storing sensitive data on USB drives, which are prone to both theft and failure?

Re:Why?

[michaelhood]

Policy and practice are often quite distant from each other in reality. Especially in government; military or otherwise.

Re:Why?

[1u3hr]

Let me be the first to ask: Why the hell is the military storing sensitive data on USB drives, which are prone to both theft and failure?

Most likely it's just sneakernet; moving files from laptop to PC etc. After transferring the files they forget to wipe the USB stick. The army will probably try to stop this by mandating it not be done. Which will work for a while till troops rotate and a new batch come in. The only real solution is to physically disable USB ports, which would be difficult with the number of legitimate USB peripherals now. Otherwise everything needs to be transparently encrypted. The military fears losing access to critical data in battle more than possible security breaches though.

Re:Why?

[plankrwf]

How else to spread sensitive information?
At least this way, no president needs to leak anything himself

Re:Why?

[arivanov]

The army will probably try to stop this by mandating it not be done.

Once upon a time it could force that it is not done. This is what levels of security above C and OSes like Trusted Solaris were all about. Not about being unhackable, but about it being impossible to copy data from a higher security container to a lower. Granted, someone with high enough security clearance and rights to declare his USB drive "secure" could have gotten past that as well, but the average PHB wannabie corporate ladder climber could not do anything about it. He could not "take work home".

This is also coming back. The slashdot crowd keeps bitching about Vista DRM being Digital Wrongs Management and being mostly promoted by pigopolists. Once again wrong. Along with AD it will allow any corporation to force a mandatory encryption policy on all the data on all media in the house at the click of a mouse. Throw in this the usage of TPM chips on all Vista ready PCs and this will make any data that a corporation wants to make unrecoverable without proper access credential on a PC really unrecoverable. All of this centrally controlled. This will also result in much faster adoption of Vista in the enterprise than people can even think off, especially for mobile devices.

This also means that if Linux is to compete for the desktop it will have to have the same features regardless of Stallmans desires. This is one thing on which Linus is absolutely right. The usage of DRM by pigopolists is a current fad which is only a minor fraction of its actual use. The real use of DRM is to enforce a security policy on data across an enterprise. Having this will be essential to the success of any OS out there in 2-3 years. Also, there is no problem with DRM being opensource. Essentially DRM is nothing but a crypto application. Same as with every good crypto - having the source should not allow one to break it.

Re:Why?

[blowdart]

Once upon a time it could force that it is not done.

Whilst not as fine grained as you are talking about you can completly disable USB drives, at least on Windows 2000, XP and Windows 2003 by tweaking file system permissions or the registry. Microsoft even detail it in a knowledge base article and it can be enforced by a domain policy if you're running AD.

Re:Why?

[Fred_A]

You can do so in any Unix by not putting the users in the usb group and setting the permissions accordingly.

Or by not enabling the usb-storage driver.

Re:Why?

[Martin+Foster]

I had the opportunity to visit a Canadian Government IT tradeshow given in Ottawa. One of the firms marketing their devices specialized in USB/Portal drives which had finger print scanners built-in. According to the salesman these things were selling like hotcakes, especially in the US military.

As mentioned before, they tend to be used for things like sneaker nets, where bandwidth requirements of the data inside (G2/Int) would simply bog down the communications network. This is especially critical your using VHF/HF radios to pass on your voice/data communications.

They are also used to carry around orders as a lot of briefing rooms now have projectors and computers even in the field. Simply put, the same uses you and I have for such devices the military will find useful as well.

That being said, the norm for such devices with any critical information is to have them stored in appropriate storage containers based on classification. For example, a CONFIDENTIAL document needs only to be stored steel container with a specific vault, while a COSMIC TOP SECRET document would need a vault. Interestingly enough the classicisation remains on such devices even after the file has been removed.

Re:Why?

[Foobar+of+Borg]

Been hitting the Kool-Aid pretty hard, haven't you? I bet you believe that we actually found the WMDs, too!

why/when.

[rew]

Why and when are rules ignored?

Here in the Netherlands, there has been a series of cases where sensitive information has leaked through stolen/lost hardware, and every time some official was breaking the rules.

The rules were unworkable: DO NOT TAKE YOUR WORK HOME.

So, no reading of a report on the train, no after-dinner report writing. Nothing. Ambitious people break the rules to perform better. So they take stuff home anyway. As long as the hardware doesn't get stolen, nothing is noticed. Big publicity when sensitive information makes it to the press.

But if they were to start policing the policy, a lot of the ambitious people would eventually give in to the rules, and simply watch tv after dinner, and read the newspaper on the train. Results? Productivity drop.

Re:why/when.

[plankrwf]

This is a known problem indeed. (Someone modd parent up, I haven't gotten modpoints right now).
I remember a case at a client in which we had to mail a very sensitive, very important document very quickly.
Turned out we couldn't mail it using the clients own mailsystem, as... it didn't allow Word-attachments (or Zip or ...) to be sent along...
In the end we ended up taking the document on a floppy (yes, this was some years ago), to a 'learning centre' computer which was attached to the internet, and we ended up mailing it with... hotmail...
Roel

Re:why/when.

[Darren.Moffat]

"Results? Productivity drop."

I personally disagree, in my experience you actually in the longer term get a productivity increase. Why ? because the people are more relaxed and more refreshed with a balanced lifestyle that isn't all "work work work". People who constantly take work home are marters to the job or just really bad at planning.

Re:why/when.

[forgotten_my_nick]

Reminds me of a friend of mine who had to support an application for the the Israeli military. Over the phone they finally realised that he needed to be at the machine to fix it. Took months getting approval.

When he finally got approved he was allowed enter as far some guard post, at which point another guy came out and talked to him through a fence. He never once saw the machine.

Re:why/when.

[Fred_A]

Why is everybody whining when this is obviously a great win for western values? The afghans have gotten from raising sheep to stealing and sellinf government property in only a few years ! They are now obviously a fully fledged western capitalistic society.

Re:why/when.

[cocotoni]

I don't want to sound like I come from that Monty Python sketch, but that is nothing.

Long time ago we had to transfer some sensitive data between two military bases. The data was saved to a floppy (8" floppy at that), put in sealed envelope, in the locked suitcase chained to the carriers wrist, into APC, to the airport, helicopter, APC, and straight to us. The whole nine yards.

And then we found that the caporal on the other end found it bizzare that there was something shuffling in the envelope, and to secure it better he put a couple of staples through the envelope. And through the disk.

Since the data was both sensitive and urgent (no time for the whole nine yards again), we ended by transferring it using modem over unsecured phone carrier.

Re:why/when.

[Ohreally_factor]

And then we found that the corporal on the other end found it bizzare that there was something shuffling in the envelope, and to secure it better he put a couple of staples through the envelope. And through the disk.

Security thru immobilization!

Re:why/when.

[Bob3141592]

So, no reading of a report on the train, no after-dinner report writing. Nothing. Ambitious people break the rules to perform better. So they take stuff home anyway. As long as the hardware doesn't get stolen, nothing is noticed. Big publicity when sensitive information makes it to the press.

If thisis only about company sensitive information, then fine. But if you're talking about military secret or confidential, then the rules are a bit different. You can't read a classified document on the way home on the train, as other people around you could see it. And unless your home was certified as a secure site, it would be illegal to have the docement there. You'd also need special paperwork to take the document out of it's original building.

I have to ask who is doing this stealing. If it's by uncleared civilians, then what are they doing in proximity to classified material? Otherwise the stealing must be done by cleared personnel, which is a whole different story of criminal intent. Something doesn't add up here.

Re:why/when.

[rahrens]

I have the same feeling about this. The military is absolutely anal about classified information. Like another poster mentioned, PCs used for classified info have HDs in carriers so they can be removed from the PC for storage when not in use, in addition such PCs are required to have the usb ports disabled through group security policy, if not at the registry level, as well as floppies. They are not allowed to have cd or dvd burners, read only for classified PCs. Such PCs are not allowed to have network connectivity with UNclassified PCs, either, and classified networks are NOT allowed to be connected physically to the Internet.

So I suspect that this reporter saw something on a stolen usb drive and just assumed that it would be classified. It may have been sensitive, but of a lower classification that would not have required the measures I mentioned above. Not that loosing such info wouldn't be bad - it very well could have, but that doesn't equate to classified info.

Of course, while we're speculating, he could have seen a document that was created by the soldier that owned the usb drive, who then failed to follow procedures for classifying documents properly, and mentioned classified info in an unclassified document, on an unsecured system. That has been known to happen, especially under combat conditions, and is just as bad as what the article is talking about...

Yet another chill pill moment

[Xiph]

The stuff that's stolen is probably not aimed getting highly sensitive data, but at getting a bit of cash from selling the hardware:

"He reportedly said he was selling the items for their value as hardware alone."

that lack of organization also suggest the problem isn't huge, a claim also supported by

"Coalition officials regularly survey bazaars across Afghanistan for the presence of contraband materials, but thus far have not uncovered sensitive or classified items"

So it's not large scale, hyperterrorsquads selling supersensitive secret soldier material to themselves. but rather small bits of pieces, that together will probably seem as just that. small bits of pieces. It is however always unfortunate that personal and classified information is handled carelessly, but if we can't even handle this properly at home, why should it be any better in Afghanistan.
I'll give the answer right here: First, get better at handling information security at home, before you start using the technology abroad.
Don't give sensitive material to people who haven't been screened on how they handled it (I thought this was already a goal the tried to achieve)

More details in the original LA Times article

[rchatterjee]

The BBC article is based on a LA Times article which contains more details like the fact that on the thumb drives they found a list of soldier's SSNs which which they were able to track down the soldier's home addresses.

Original LA Times article

Amusing comment in _Slate_

[Black+Parrot]

"Intelligence seems to be one of the few things the military doesn't overpay for - one Afghan spying on al Qaeda gets $15 for every successful mission."

Re:Amusing comment in _Slate_

[NeoSkandranon]

But how far does $15 go in Kabul?

Far enough to make it worth the informant's while I'd guess.

SSNs

SSN should stand for Supposedly Secret Number.

Everybody knows your SSN. Every employer you've had, every school you've been to, everybody you've applied for credit from, every company that's provided a service like long distance to you. Also, every firm any of those organizations have contracted out their data handling to.

Fewer people know what shoe size you wear.

Similar issues in the UK

[Firefalcon]

Similarly we've had several reports in the press about MI5/6 agents/staff leaving their laptops in Taxi's - whenever data is portable it is at risk of loss or theft...

Re:Missing Classified Hard Drives

You normally don't use USB drives as boot drives.

Good Points Above

[jbenwell]

Good points above, but there are a couple of things that I would like to know:

1. How big are the drives? I find that my 256MB one fills up all the time. If these are 512MB or more, I may want one.

2. How much? I can get a (new) 1GB drive at Costo for $60 (Canadian), so I'd hope these (used) ones are going for less then that.

A corrupt black market economy?

[Rogerborg]

Mission accomplished!

Great... just what our soldiers need!

[tomcres]

Poor guys... Now their addresses are in the hands of the entrepreneurs in Kabul... they're going to be getting tons of junk mail for "Habib's Roof and Tile" and "Afghan National Platinum MasterCard"... :(

asking for it

[Errtu76]

Hm. Invading a country. Letting the invaded people work for you at your base with your stuff. And now there's stuff missing you say? Really? Who would've thought ....

We just assume they are secrects

[Thecarpe]

We just assume the information is some military secret. There is a distict possibility that the information on those drives is nothing more than family pictures or some other relatively mundane piece of information. I have friends in the FBI who have thumb drives and I just assume that the information on them is classified, but in truth, I know that it is probably a collection of pictures of them at the local bar or on vacation that they are toting to the local photo lab for processing. Nothing like a good reason to freak out though, right?!

We'll find out on CNN sometime that the drives contained Osama's location, Sadam's smoking gun, Slobadan Milosevich's memoirs, and Jimmy Hoffa's remains...oh, and the location of Salmon Rushdie's appartment that he shares with Elvis, the Loch Ness Monster and Bigfoot.

Re:We just assume they are secrects

[Thecarpe]

If the "secrets" were as big as the press intended them to be, we wouldn't have known anything about the contents, good or bad. 1) The LA Times is not an authority on much of anything except the spin that they put on the 2nd hand information that they gather. 2) Sensationalizing the contents of the disks (corrupt Afghani officials) doesn't make the information terribly sensitive.

It a war torn region like Afghanistan, it is no secret who is corrupt in the government, and it's no secret where military strikes are going to happen. The bottom line is that the media is turning routine military information into something more than it is and creating scandal where there should just be a little tightening of the reigns. I'm not saying that it's not a bad situation to have people thieving those thumb drives. I am saying that we are believing exactly what we are reading from a second / third hand source and that's a no-no. The LA Times, BBC, and AP for that matter are reporting on something that they know will appear terrible on first glance (that sells newspapers and tv time). If it is as bad as they reported, I will eat my own shoe when the congressional hearings commence.

Scrapping the Military..

[Savage-Rabbit]

Windows - it's that insecure, you don't even need physical access to a machine to steal it's componants! ;-)

Somewhere in California (IIRC) there is a company that specializes in providing military aircraft for the movie industry. At the time he appeared in a documentary which I watched, the owner of this business had apparently assembled more than one Cobra Gunship from parts sold off by the Armed Forces as scrap and was well on his way toward assembling (what was at the time at least) a state-of-the-art Apache assault helecopter using parts draw from similar sources (they showed footage of it being assembled). According to this guy some of the things the US armed forces sell off to civillans as 'scrap' are downright scary both because they are sometimes dangerous (contain live munitions, toxic materials, rocket engines, etc..) and because this 'scrap' includes some pretty sensetive electronic equipment. So stolen PC's are not the only problem, the US armed forces quite freely sells off some pretty amazing stuff as junk. True enough, the information on a stolen PC can cause a significant security breach but an enemy nation getting it's hands on sensetive military electronics at a scrap auction is even worse. I suppose the way the military filters equipment for disposal may have improved over the last few years but somehow I doubt it.

You don't need to go to Afghanistan

[megarich]

I have your military secrets right here! It's yours for only 3 easy payments of 19.95?! That's right only 19.95! And if you act now before you finish reading this post, we'll throw in keys to the pentagon, absolutely FREE!!!! *NY residents must pay sales tax. Offer only good in the continent u.s.