Server with Top-Secret Data Stolen

An anonymous reader writes "Usually missing information stories are fairly low key; the loss of a few thousand student records is cause for concern for those involved, but hardly national security. This one is slightly different. The company Forensic Telecommunications Services has announced that a server containing 'thousands of top-secret mobile phone records and evidence from undercover terrorism and organized crime investigations' has been stolen. From the article: 'The company — whose clients include Scotland Yard and the Crown Prosecution Service — has assured the public that the server is security protected, and the breach will not compromise ongoing police operations. The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.'"

Just FYI...

[daveschroeder]

...Forensic Telecommunications Services is a UK company, not a US company, so please keep that in mind when crafting your comments.

(And yes, this is fairly plainly obvious to anyone who takes a moment to look.)

Re:Just FYI...

[Control+Group]

But the British government has been in bed with the US government for years, which means they pretty much do whatever the US tells them to, which means they're pretty much just a US colony, which means that this loss is obviously attributable to FBI negligence, which is clearly linked to the PATRIOT Act, which means that it's the sole responsibility of the current administration - and we all know how Karl Rove likes to publicize secret information; this loss is obviously why he's resigning - which means that George W. Bush wants criminals to go free, so he can further consolidate his power and declare himself interim president for life!!!

CAN'T YOU SEE, MAN? IT'S THE END OF FREEDOM!

Re:Just FYI...

[Dunbal]

Do you think it's a coincidence that this news breaks just after Rove's resignation? I don't think so!!!

New conspiracy in 5 minutes.

Re:Just FYI...

Sure it's not USA?

http://images1.wikia.com/uncyclopedia/images/5/5c/ Worldmap.jpg

Re:Just FYI...

[ArsenneLupin]

The Forensic Telecommunications Services website is an ASP site. Please keep that in mind before browsing this site from work or in the presence of young children...

Re:Just FYI...

[bryan1945]

You missed FEMA, Hurricane Katrina, and the Red Sox winning the World Series. And maybe crab people, but they could just be communists.

Re:Just FYI...

[megaditto]

Since it's legal in UK to spy on US citizens, and since it's legal in US to spy on UK citizens, one has to assume that MI5/6 is giving NSA a nice happy reacharound...
Do you think one of those phones that tapped was Barak Osama's?

Re:Just FYI...

I didn't realize that the UK was into outsourcing sensitive government functions to the private sector... sounded American enough to me.

Re:Just FYI...

Are we supposed to give them a free pass because they're from the UK?

Re:Just FYI...

mmmmmmmmmm, reacharound. :-)

Re:Just FYI...

[AHumbleOpinion]

the British government has been in bed with the US government for years, which means they pretty much do whatever the US tells them to

BS. It is a two way street, you are just being myopic in your historical context. We aided the British in the Falklands for example. No US interests were threatened since the British would have won with or without our help. All we did was further alienate ourselves from Central and South America. Then there were the European wars of the last century. Certainly it wouldn't really matter if the Kaiser had defeated Britain from an American perspective, we could have done business with him. The lunatic that followed him twenty years later would have been too dangerous, but we may have been able to arm Britain and Russia and avoid direct involvement. However such courses were not followed because the United States has a predisposition to help Britain when she needs it.

Re:Just FYI...

[thaig]

The UK govt is probably more of an outsourcer than the US govt. e.g. the RAF outsources the maintenance of all it's combat aircraft: they buy X hours of operational availability. Even the Skynet 5 Military comms satellites are outsourced.

Re:Just FYI...

[cHiphead]

And you missed the White Sox winning the World Series the very next year.

I've been telling you mofos the End is Near, but everyone just laughs it off!

Cheers.

Re:Just FYI...

[cHiphead]

Oh and ONE MORE! Van Halen just got back together. With David Lee Roth.

END!

Cheers.

Re:Just FYI...

[VJ42]

That's why the good ol' NSA and GCHQ people set up ECHELON, and it's not just limited to the UK and USA, the other Countries countries that signed the UKUSATreaty are Canada, Australia and New Zealand.

I'm not usually one of the tin-foil hat brigade, but the radomes at Menwith hill must be being used for something.

Re:Just FYI...

[Blakey+Rat]

Whoooooooosh...

Re:Just FYI...

[Control+Group]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue.

Either way, I'm scared.

Re:Just FYI...

[conspirator57]

umm... it seems to me that >80% of Britons want out of Iraq. It also seems to me that Blair was replaced to accomplish that. For a little bit now we've been hearing the Brits are getting out of Iraq per popular demand. Then this week we hear the Brits are staying. Two days after a Bush - Brit pow-wow at Camp David... Seems a bit puppetish to me. Maybe this doesn't reflect the relationship as a whole, but then again...

Re:Just FYI...

[rifter]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue.

Either way, I'm scared.

David Bowie, dude... American... History... Geography..

Head Asplode! :D

The worst part for y'all is, someone set us up the bomb and we are not afraid of using it. Be afraid, be very very afraid :D.

Re:Just FYI...

[TrebleMaker]

Oh and ONE MORE! Van Halen just got back together. With David Lee Roth.
END! Umm... I forgot. Which one is the "fat lady", again?

Re:Just FYI...

[AHumbleOpinion]

Whoooooooosh...

No. While the complete post was obviously a joke, it began with a reasonable point that many do actually believe. It was worthy of a fork that discussed that one point.

Re:Just FYI...

[AHumbleOpinion]

... For a little bit now we've been hearing the Brits are getting out of Iraq per popular demand. Then this week we hear the Brits are staying. Two days after a Bush - Brit pow-wow at Camp David... Seems a bit puppetish to me ...

We have no idea what was discussed. There are other reasonable possibilities. If the "surge" is having positive results then perhaps the Brits are willing to participate in that. Perhaps the Sunni's turning on Al-Queda changed the "calculation" the Brits used to justify the pullout. Perhaps increasing interference by Iran has encouraged them to deploy troops to secure the border, that the troops are not going back into town, so its a different mission. We'll have to wait and see, but "puppetish" assumptions seem to be politically opportunistic.

Isn't it obvious?

[thatskinnyguy]

I blame the intern!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Top secret public records?

[mmarlett]

Which is it: Top secret phone records or information that has already been released in court cases? It doesn't seem like the two are the same.

Re:Top secret public records?

[yog]

I don't get it. What happened to locks, keys, and trusted employees? It seems like companies and government organizations are constantly leaving sensitive materials in cars or in unsecured locations where they can be stolen by opportunistic thieves. After thousands of years of civilization, and with all the fancy technology at our disposal today, have we learned nothing about how to keep important materials out of mischievous hands?

A server with sensitive information should not be on the public internet, and it should not be on the premises of a subcontractor! It should be safe behind locked doors with access only by a select few, and protected by strong encryption too. I just don't get it; it's kind of depressing.

Re:Top secret public records?

[Frosty+Piss]

The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams

Mybe they meant "proprietary" instead of "Top Secret". Clearly it isn't "Top Secret".

Re:Top secret public records?

[dmpyron]

I've handled TS and above at a number of contractors over the years. That said, "What happened to locks, keys, and trusted employees?". And how do you get a server out of the building? Stuff in down your pants? I've never worked anywhere where areas with classified information weren't surrounded by cameras. And access control. And lots of other means of tracking the comings and goings. There's more to this story than has been made public.

The lady doth protest too much, methinks. Something is rotten in the state of Denmark.

Either there really wasn't much to worry about or they are secretly passing rectangular pieces of firehardened clay out their anuses. And these guys are called a "security" firm!

Re:Top secret public records?

[c_woolley]

Actually, "Top Secret" just means something that is very important to keep private. So, in this case it was Top Secret. I just isn't Government-type Top Secret. I was thinking the same thing as you though.

Here is my handy-dandy link to a definition of Top Secret:
http://www.google.com/search?hl=en&defl=en&q=defin e:Top+Secret&sa=X&oi=glossary_definition&ct=title

As you can see, it also means they could have stolen a valuable movie staring Val Kilmer...

Re:Top secret public records?

[crabpeople]

Well you dont hear about the hundreds of millions of secured data protection events everyday because they wouldn't be newsworthy. If a corporation or org successfully repels a threat, why would it make the frontpage of slashdot?

The simple fact is that there is more and more data in the world so more and more breaches will happen. Its inevitable. Just try not to be the one asleep at the switch.

Re:Top secret public records?

[sumdumass]

One of the biggest objections Bush had with taking every suspected terrorist to trial was that the information gains could tell the enemy how to defeat the ways they collected it as well as tip them off on who knows what.

It wouldn't surprise me if these servers contained more information then what was used in court. by doing that, they wouldn't be exposing the entire aspect of their investigation. So while the cases have or are in trial, I could be possible that not all the evidence went with them. Just enough to secure a conviction. some of it might still be top secrete because it exposes too much but now not relevant because the cases are being disposed off.

Re:Top secret public records?

[ericartman]

Agreed, any secure job I've worked on I'm surprised they let you leave with the air in your lungs. Cameras, scales, metal detectors, entry through a small cubicle, sealed coffins we called them. Couldn't enter or leave unless a guard several miles away released the coffin, surprised no one died in that. Just speculation here but seeing how it's impossible in my mind to walk out with a server in a secure installation the obvious thought is that this was supposed to happen and whatever was on that server someone wanted either to see or destroy. But then I read too many books. Teleportation of a server seems even harder to believe though.

Cart

Re:Top secret public records?

[RMH101]

In the UK, phone tap evidence is not admissible in a court of law. This is presumably because if it *was* admissible then it could become a matter of public record, and the spooks wouldn't want that to happen.
Hence, it follows in this case that they almost certainly contained way more info than was used in court...

I could sure trust them

[faloi]

Except that their physical security is apparently so poor that I can't imagine their data security is much better.

"All the data is protected, as long as the thieves don't look at the password sticker hidden inside the case."

Re:I could sure trust them

[Sunrise2600]

I love how whenever there is a data breach they have to say, don't worry it wasn't important data anyway.

Re:I could sure trust them

[Greyfox]

They probably mean "password-protected". We all know how easy THAT is to get around. These guys don't sound clueful enough to actually encrypt their data (Though if any of them are reading this and want to correct me, please go ahead...)

Re:I could sure trust them

[ydra2]

We're just lucky it was only "Top Secret" data. It could have been "Super Duper Ultra Top Secret" data. Then it would be a security compromise instead of just a security glitch.

Re:I could sure trust them

[Xiaran]

Im not one of those guys but I did used to work in the disk encryption industry in the UK. I wrote(well me and three other programmers) a product that encrypted windows disks and CE based PDAs. One thing to remember is that companies in the UK are subject to the data protection act. That means they are required by law to protect peoples information. That said it isnt that unusal to find companies that have quite caught up or gotten around to encrpyting their sensitive data... but all the companies Ive worked for in the UK(financial services) has had whole disk encryption on office PCs and servers.

Re:I could sure trust them

[c_woolley]

It was the secret to Druidia's air supply!!!

ROLAND: The combination is one.

HELMET: One.

SANDURZ: One.

ROLAND: Two.

HELMET: Two.

SANDURZ: Two.

ROLAND: Three.

HELMET: Three.

SANDURZ: Three

ROLAND: Four.

HELMET: Four.

SANDURZ: Four.

ROLAND: Five.

HELMET: Five.

SANDURZ: Five.

HELMET: So the combination is one, two, three, four, five. That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

Good thing I didn't have anything to hide,

[MrMr]

from the Russian mafia.

Re:Good thing I didn't have anything to hide,

[thatskinnyguy]

In Soviet Russia, record steals you!

Re:Good thing I didn't have anything to hide,

[Starteck81]

Good thing I didn't have anything to hide,from the Russian mafia.

They may even want to hire you depending on what you've done. ;-)

Re:Good thing I didn't have anything to hide,

[sakonofie]

Perhaps a more accurate version:

In Soviet Russia, it is a good thing that the Russian mafia doesn't have anything to hide from you.

Wrong Terminology

[stewbacca]

"Top Secret" is a term reserved for government classification schemes (in the US) and is clearly outlined by US laws. Using "Top Secret" for a business is just sensationalism. This business lost sensitive data, not "Top Secret" data.

Re:Wrong Terminology

[daveschroeder]

Actually, that's incorrect.

Many nations have equivalent parallel classification schemes, including using the terminology "top secret". Long-standing agreements between various nations allow sharing of information in the same categories.

See here and here for details.

If FTS is a contractor on terrorism investigations, it could very well be handling "top secret" data. The article refers to it as "top secret", but you're correct: it's not clear if "top secret" is merely being inappropriately applied here, or whether the information really could be technically "top secret".

It is (PowerPoint) quite routine for contractors to handle classified information in the US and UK.

Re:Wrong Terminology

do you understand that there are many countries apart from US of A in this world?
for your *american* information, this story probably has very little to do with the US of A. RTFA.

Re:Wrong Terminology

[fotbr]

Are you sure of that? Companies like Lockheed Martin, Boeing, General Electric, General Dynamics, etc all handle government secrets (and top secrets) as part of their defense contracts -- usually as parts of products they're building, but more and more intelligence analysis is being contracted out as well. I'd be surprised if British defense contractors didn't do much the same.

Re:Wrong Terminology

[stewbacca]

I was a contractor that handled real Top Secret data and that term is reserved for government classified data only. Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data. My point is that there are too many stories from JoeBlow, Inc. that report "Top Secret" information being stolen just to sensationalize the story. To working professionals in the Intel field, the notion that Top Secret data was stolen is a national security crisis, only to read in the story that some stupid company lost some data with private information in it.

True, that many countries share classification terminology. England, Canada, U.S. and Australia, for example, have all worked to synchronize their terms and laws. But the common thread is that these are all covered by government classification guidelines, not the private sector.

I suppose the info in the story could be "Top Secret" in the true sense of the word, but if this company was a contractor handling real Top Secret (ie, government classified) data, it would be a much bigger story than something buried in slashdot ;-)

Re:Wrong Terminology

[stewbacca]

Contractors working with US classified documents are bound to the same rules and regulation as government employees when handling classified data. My point is that companies can't just make up their own classification of something being "Top Secret". Boeing doesn't have the right to make something they created "Top Secret" just because Boeing thinks it is Top Secret. Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret. Anything else would be internal corporate policy, but any naming convention Boeing comes up with on their own is NOT provided the same protections under US Law that real government classifications are. (I may sound like a broken record, but I used to teach this stuff to government employees).

Re:Wrong Terminology

Speaking as someone who has worked for DOD as a contractor-- if they are in the employ (not saying they are) of the government, that terminology is correct.

Re:Wrong Terminology

[jrumney]

it would be a much bigger story than something buried in slashdot ;-)

It was front page news in several UK papers over the weekend.

Re:Wrong Terminology

Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret. Anything else would be internal corporate policy, but any naming convention Boeing comes up with on their own is NOT provided the same protections under US Law that real government classifications are.

And? Last I checked, wiretaps were typically performed by the government, and subject to the designations the government puts on them. It's not only entirely possible but highly likely that the government had declared that their terrorism wiretap recordings were classified at some level.

Re:Wrong Terminology

[IBBoard]

Maybe the UK works differently (or maybe it's because of transfer of classification based on content) but I work at a List X company and people within the company get to determine whether documents are Restricted or whatever (we use UC, R, S and TS in the UK - there is Confidential, but it's generally replaced with S). They can also extracted parts of a report and release them at a lower classification (since I spend most of my day working on an Unclass machine).

I'm assuming there must be some controls somewhere to stop incorrect downgrading etc, and it probably won't apply to business data (which gets marked "[company name] proprietary") but that's how it seems to work from my year here so far.

Re:Wrong Terminology

[stewbacca]

A week ago I would have known (I just moved back to the States from the UK) ;-) Stupid narrow world-view of the US!

Re:Wrong Terminology

[IBBoard]

Just a related thing I thought of as I posted: Government and Government Associates hate companies who insist on "Private and Confidential" in documents and are unwilling to change to "Private and in confidence". One of the many joys of having Confidential as an important security keyword and having email monitors that check for sensitive keywords to stop accidental release!

Re:Wrong Terminology

[MaximvsG]

Yeah, I agree with most of that. Companies can classify their data anyhow they want, including using "secret," "top secret," etc.. But it's not the same as Government classified data. *Unless* they were authorized to store Government classified data, then this would in-fact be a huge breach of security and unlikely we'll be reading about it on slashdot.

Re:Wrong Terminology

[stewbacca]

"Company name proprietary" is appropriate. What my gripe is, (in the US, at least) is that companies mark business data as "Top Secret", which is strictly reserved and regulated by US law, when the company just means "company proprietary" or "company sensitive" data. It is just an irritating sense of inflated self-importance that gets under my skin, is all.

Re:Wrong Terminology

[Frosty+Piss]

Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data.

In the USA at least, contractors handle actual honest-to-god the real deal "Top Secret" all the time. In fact, most of our government's "Top Secret" programs are run exclusivly by contractors.

Re:Wrong Terminology

[cyphercell]

So, you don't think the Crown Prosecution Service or Scotland Yard would have "Top Secret" data? Seriously, the information stolen was evidence and phone numbers, how likely do you think it is that the phone numbers coincided with the evidence? Sorry, but I think the use of "Top Secret" is completely applicable in this case.

Re:Wrong Terminology

[stewbacca]

True, all of what you said (except contractors are not the majority of classified handlers, especially in compartmentalized intel). I was a contractor and I handled classified all day long. My point is that companies are TOLD by government classification guidelines what is "Top Secret" and don't just make up their own classifications because they work with government classified data. Even if contractors CREATE the data, the company doesn't classify the content they created, the government does. I've said too much. The blacksuits are here. Nice knowing you all!

Re:Wrong Terminology

[daveschroeder]

I'm aware of how classified data works, and when and how the terms are used. You said that the term top secret "reserved for government classification schemes (in the US) and is clearly outlined by US laws". If you were simply speaking from a US-centric standpoint, and not to mean that the term wasn't used elsewhere, my apologies; my point was that the term "top secret" is used by several other nations, including the UK. Your statement about how this was codified in the US was confusing since the company in question was a UK company.

And I do agree that sometimes the term "top secret" is misused for sensationalism, or incorrectly applied. But it's also wrong to say that data generated by a contractor cannot be top secret in the legal and statutory sense of the term. It absolutely can be. In this case, I agree that it's not clear if the data that is related to, e.g., terrorism investigations is actually "top secret" or just sensitive.

Re:Wrong Terminology

[stewbacca]

I can only speak for UK law a little bit, having only worked there for a short while, but I do believe that the UK has clear government classification guidelines that are pretty tightly integrated with US classification law. A phone number is not worthy of "Top Secret" classification. Especially since a phone number alone does not reveal means or methods, nor does the compromise of a list of phone numbers cause "grave damage" to national security, which is the basic tenet of "Top Secret" classification under US Law.

Now I suppose I should actually read TFA, since my initial post has inspired an entirely off topic sub-conversation ;-)

Re:Wrong Terminology

[networkBoy]

Not entirely.
We have five levels of "classification":
[company name] top secret
[company name] restricted secret
[company name] secret
[company name] confidential
[company name] public

While I agree that this is not the same as US Gov Top Secret, it leverages people's basic understanding of what those words mean and their impressions as to equality to the government. Just as the US would not want Top Secret notes passed to Iran, we would not want [company name] Top Secret passed to our competitors though we may share with a "friendly" company.

I fully understand how this gets under your skin, as I've been (accidentally) involved with USAF Top Secret materials and it is a whole 'nother sport (never mind ballpark) than company classified data.
-nB

Re:Wrong Terminology

[stewbacca]

But it's also wrong to say that data generated by a contractor cannot be top secret in the legal and statutory sense of the term.

I apologize for not being clear, but this is not what I meant. Contractors create Top Secret material all the time; it just isn't their call to say if it is Top Secret or not. They create data, then the US classification authority applies a classification. This goes for government employees as well. An individual working an intelligence mission as a government employee doesn't classify documents, even if they created the document. The classification authorities assign classifications to all information created, not the operators creating the information.

Of course the article is not about a US contractor, so that only adds to the confusing posts I've made. Thanks for hearing me out ;-)

Re:Wrong Terminology

[fotbr]

And that is exactly my point. It may be real TS stuff -- just because a private company lost it doesn't mean its not TS.

Re:Wrong Terminology

[mce]

At least in my country (which is not the US), the government has no monopoly on the terms "confidential", "secret", or "top secret". The government does have a clear definition of them for its own purposes, and it is special in that breaching the applicable regulations has immediate legal consequences, but that does not disallow companies from having their own classification schemes that uses those same terms. In fact, there are provisions in national and NATO regulations that explicitly allow for dealing with both kinds of classifications in parallel if they exist.

Re:Wrong Terminology

I was a contractor and I handled classified all day long. My point is that companies are TOLD by government classification guidelines what is "Top Secret" and don't just make up their own classifications because they work with government classified data. Even if contractors CREATE the data, the company doesn't classify the content they created, the government does.

True. I'm a scientist and I used to work in civilian nuclear reactor R&D. I was working on a government project, and one of the reports I wrote ended up being classified. However, I didn't have the clearance to read the report I wrote.

Rules are rules though.

Re:Wrong Terminology

[gallwapa]

hang on a second - civilian nuclear reactor R&D, you write a report, and it gets classified? Now for the question: What the heck was it about?

Re:Wrong Terminology

[Torvaun]

Great thing about R&D, sometimes you find things that are even better (more potent) than what you're looking for. People looking for pesticides have found nerve gas, why shouldn't people designing reactors find that some particular design just happens to output mostly weaponizable material?

Re:Wrong Terminology

[zippthorne]

The US is roughly the size of the EU (order of magnitude). Did you pay attention to every issue that is front page news in every member country of the EU when living in UK? or did you mostly focus on your snarky little island nation?

Re:Wrong Terminology

[cyphercell]

I think it was "evidence", "phone numbers", "database lost", that caught my attention. :)

Detailed Cell Phone Bill

[sjaguar]

Do this mean that I will finally be able to see a detailed listing of my wife's calls? :)

Re:Detailed Cell Phone Bill

[Reece400]

I'd be more excited if I could get a detailed listing of MY calls, damned cell phone companies!

Re:Detailed Cell Phone Bill

[tehcyder]

Do this mean that I will finally be able to see a detailed listing of my wife's calls? :)

It's OK, I recorded them all from my end.

Re:Detailed Cell Phone Bill

[Belacgod]

Should have signed up for the Iphone, then you'd get 52 pages!

Re:Detailed Cell Phone Bill

Get her the iPhone and then you will get all the useless data information that you can imagine :P

Re:Detailed Cell Phone Bill

[JCSoRocks]

No, it's probably got the same level of "useful detail" as the 300 page long iPhone bills.

Private company?????

Shouldn't someone explain wtf does top secret policial information in the hands of a corporation? Such information should be gathered, kept and custodied by police.

Re:Private company?????

It's not top secret, dumbfuck. It's already disclosed in courts, and Top Secret is a military designation, not a police designation. Top Secret information is required to be kept in certified vaults, with certified access control mechanisms that limit physical access to people with the requisite clearance. In other words, you're a fucktard; it's not top secret information.

Re:Private company?????

[pthor1231]

Just because information has a certain classification doesn't mean anyone other than "police" is going to have it. In the US, and I would imagine a fairly similar situation in the UK, quite often contractors will have access to various levels of classified information for their particular project. Chances are though this is not technically "Top Secret" classified information, and just some sensationalist media, as a few other posters have noted.

Re:Private company?????

[Fallon]

Top Secret data is in the hands of lots of military contractors. If you handle TS data you have to comply with lots of REALLY overkill security measures. Secret classified data must be kept on SIPR net, which is a huge worldwide network massively encrypted and not connected to the Internet. TS is even more secure.

Re:Private company?????

[Don_dumb]

The police outsource forensics. The MOD and most areas of government outsource loads of sensitive jobs (or jobs that handle sensitive data) thanks to the joys of privatisation.

Re:Private company?????

[LWATCDR]

Nothing like like a good old MkI air gap for security.

This was a Physical Break in

[varmittang]

"FTS can confirm that the company was recently the victim of a break-in at one of our premises in Kent. As a result, some IT equipment including a server was stolen."

Very important info for all those who want to start a flame war about what OS it was running and why it was connected to the Internet.

Re:This was a Physical Break in

[tehcyder]

Very important info for all those who want to start a flame war about what OS it was running and why it was connected to the Internet.

Spoilsport, now there's only going to be a handful of comments.

Re:This was a Physical Break in

[p0tat03]

I suppose the better question now is... how do you sneak out of a secured building with a server? Stuff it down your pants? Or did they merely open the case and swipe the drive, in which case it's certainly do-able?

Re:This was a Physical Break in

The same way they got into the "secured" building?

Re:This was a Physical Break in

[wodon]

Well, the easiest way seems to do it using a trolley while wearing a suit and carrying a clipboard.
Nothing like a bit of social engineering to get into a secure area.

What happened to the airport mainframe?

Well since this article is somewhat disappointing, I find a previous article detailing an airport data server which was stolen far more serious. I know it was covered here on slashdot back in 02' or 03' but was unable to find it.

Spooks, Spooks, Spooks

[WED+Fan]

Wasn't this an episode of "Spooks" ("MI:5" in America)

Spooks Brain? "Brain and Brain, what is Brain?"

It's already been hacked by now

Either this unit has been misplaced or it is actually stolen. The question is how? Was it locked in a Telco closet? If so, then somebody forgot to lock it. That was probably the last technician that last did maintenance on it. Ouch! If it's an actual PC based phone system then it's already been rooted which is extremely easy when you have access to the local machine. Some still run Win2000,Warp OS/2, and Linux. I guess the only value that server has to offer is in selling the phone numbers off to the highest bidder. The server parts will just become some kids PC. Any thoughts?

Comment removed

[account_deleted]

Comment removed based on user account deletion

wow

[ArcadeX]

Somebody drops the ball when a backup tape goes missing. Laptop gets stolen isn't that much of a stretch, but a server? You would think something like this would blow away any confidence people have in this company... Company I work for wipes all computers / servers that get shipped, and the image is pushed over a secure network, hard drive encryption or not, and we don't even have much in the way of confidential information.

Re:wow

[Detritus]

How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365. Most companies are vulnerable to theft, even of large items like servers. once everyone leaves for the day or weekend.

Re:wow

[Anonymous+Brave+Guy]

How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365.

Well, I'm guessing the answer to that specific question in the UK is basically none, given that in general civilians having firearms is illegal and all...

However, I would imagine that businesses working in certain sensitive industries are used to working with the police, and employ a combination of defensive measures and some rapid call-out arrangement to protect themselves. Given that we don't see banks being robbed all the time, it appears that full-time, gun-carrying staff (are scary black outfits and funky earpieces mandatory as well?) are not a prerequisite for "real physical security".

Protected how?

[hcdejong]

1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)
2. with a brick of thermite on a proximity detonator inserted into the case
3. boring ol' cryptography

Re:Protected how?

[Fallon]

We actually have a case of thermite grenades sitting in our TCF (where all our communications gear & servers sit). Of course there's also the thousand odd soldiers with M16s around that you have to get through first. Sitting in downtown Kabul Afghanistan and needing all that physical security does make me a bit nervous at times though.

Re:Protected how?

[Svartalf]

Nothing like the flash demil process on computer gear. And yeah, I'd be a bit uneasy about needing that level of security, but with where that comm gear (and you) is at, I wouldn't have it any other way really.

Re:Protected how?

[bryan1945]

"1. Cryptonomicon-style"

I so just jumped to "Necronomicon-style" when I read that. Chin-sucking whirlpool books would probably be rather effective ("Army of Darkness" for you heathens that don't understand that).

Re:Protected how?

[Cheesey]

1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

I don't think that would work, even in 1999 when Neal Stephenson wrote the book. Some data would be recoverable: disks are very hard to completely destroy. Encrypted filesystems are the right way to do it, with the key only kept in memory.

I don't know why Stephenson's characters didn't think of that idea, since they worked for a PGP-style data security company. Nor do I understand why the adversaries used Van Eck phreaking to spy on Randy's laptop rather than just install a hardware keylogger, or why an EMP can destroy a CPU but not a hard disk controller. But hey, at least the ending was better than The Diamond Age.

Re:Protected how?

[ubrgeek]

> 1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

I have one of those in the doorway of my cube. As soon as I get up to tell someone something and walk through it, my memory is wiped... :)

Security Protected?

[Sperbels]

Security Protected? Meaning what? You have to login to Windows?

Does it matter?

[Opportunist]

Do you think that something like this cannot happen anywhere else?

Well-protected?

[winchester]

If their physical security is this bad, one wonders how much value should be placed in the statement that the data on the server is "adequately protected".

Moreover, this should spark the debate whether it is okay that private companies work on this sort of data, and whether the government should or should not have its own data specialists.

Re:Well-protected?

[Belacgod]

I'd argue that government wouldn't be any better at it. Plus, you could never fire the people responsible--at least here the company's going to lose a lot of business.

Who's next?

Ten to one, we hear next week that some large repository of Student papers is vulnerable too.

Whew! I'm not impacted this time.

This sure makes me glad I live in the state of Ohio! Oh, wait...

More likely.

[AltGrendel]

They simply forgot to activate the alarm system when they went home.

Never attribute to malice what can be explained by stupidity.

Bizarre reporting

[mattr]

It seems most journalists are just mouthing the press releases over again. "Security Protected" is a talk-down-to-you phrase, "protected" means "secure" anyway, and it intentionally doesn't tell you anything about how it really is protected. The company with the break-in obviously wasn't using security sufficient to deter people targeting them - for a security analysis company not to use more expensive security commensurate with the value of their clients' info is not even mentioned. Something silly about outsourcing is mentioned in TFA but in not the press release of course because it was stolen from their premises. Impossible perhaps to deter a truly obsessed insider, but for TFA not even to talk about what that incredible "security protected" technology stuff is, is just dumb.

I think it would be in the company's best interest to say everything was encrypted with unbreakable algorithms, but perhaps they have rules about not disclosing anything and maybe they don't want to spread the idea that people should encrypt things, that would certainly put a damper on their business, wouldn't it. I'd understand if they don't want to say they have a cell phone tracker or phone home device in it, but as for trusting them when they say nothing is important on that server they stole sounds very strange. More likely someone knew what they were going for it sounds.

Laptops, always, desktops, yes, servers - ?

[caluml]

Well, I always use encrypted partitions for equipment that could be stolen - laptops, or my home PC - but I wouldn't consider it for servers.
This makes you think though.

Re:Laptops, always, desktops, yes, servers - ?

What about your kiddie porn stash? Or your usual porn stash if you're married? Or your MP3s if you're a teenager?

Or, with this government, all your e-mails........

live by the sword, die by the sword...

[3seas]

invasion of privacy is a very pervasive thing once you start it up....

Re:live by the sword, die by the sword...

[Gen.Anti]

Interesting, although wouldn't it be more accurate to say that once your privacy is taken, you can die by that sword many times, as your data is stolen in a chain. It's not the database owners who "die" by that sword, is it?

a different slant on Wrong Terminology....

Other threads are quite correct to say that UK/US/Can etc have similar classifications, and that contractors routinely handle these (though note the lack of a US "Restricted")

When I started my career at a UK C+C Headquarters, we still had some old documents with the original UK top classification on, which was "MOST SECRET". They changed this during WW2 because the Yanks might read this as 'Almost Secret'.

All these classifications used to refer to Military Intelligence-type data. But come the end of the Cold War, the spooks grabbed any work they could to justify their budgets. Lots of this work was in non-military areas - even terrorism was originally non-military, but now lots of 'civilian' work has fallen to them. So I would not be surprised to find data on gangs, or porn barons classified as 'TOP SECRET'. Heck, I bet that Thames House South holds some papers on the current protest at Heathrow with TOP SECRET all over them.

contradiction...

[kajumix]

"top secret data ...subject to full disclosure"

Re:contradiction...

"top secret data ...subject to full disclosure"

Yes, keep on going. To whom? Which court?

Deliberate theft?

[orangesunglasses]

It is probably understandable how laptops and PC's get stolen, as maybe an opportunistic theft, but how the fuck can someone just wander off with a server? This presents two reasons why it was stolen
1. It was stolen for the hardware, so have a look on ebay soon
2. It was stolen for the data that the machine contained, which is probably more concerning.

Re:Deliberate theft?

[felipekk]

I`m glad you cleared that out. I thought the guy stole it to get the Windows product key in that server.

Re:Deliberate theft?

[beakerMeep]

Just from reading the summary I kind of had the pessimistic thought that maybe it was stolen not for the data, but to keep the data out of the courts. or maybe it wasn't stolen at all but rather one of those cases where a company "accidentally loses" self incriminating evidence or evidence that hurts the police's cases.

And yes, I watch too much TV.

Classification Designations

[Jtheletter]

Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret.

Someone really ought to tell that to Dick Cheney.

This post is Treat As Top Secret. ;)

Re:Classification Designations

[stewbacca]

Someone really ought to tell that to Dick Cheney.

Actually, I was thinking more like Sandy Berger, since he actually broke a law regarding handling of classified documents. I'm not sure what your Cheney comment is referring to, but it can't be more egregious than the Berger incident.

Re:Classification Designations

[Jtheletter]

I'm not sure what your Cheney comment is referring to, but it can't be more egregious than the Berger incident.

Sorry for the uber late reply, you'll probably never see it but just in case this is good info for people to be aware of I think. Basically Cheney has created a new level of cassification to justify not sharing any information from his office. You may have heard about the "man-sized safe" that he has in his office, well he fills it with pretty much every document he produces and labels them "Treat as Top Secret". I think it's actually a different term than 'top secret' but regardless, there is no such official classification 'Treat As X'. The documents are not officially classified at that level as it would invoke all sorts of other paperwork and expenses, but since it says 'treat as' it puts his staff i the position of having to treat it as such even though it may not actually be. The upshot is that the VP has for all intents and purposes totally classified all of his office's papers without the mess of having to adhere to the classification regulations. You know, silly little procedural details like justifying the classifications. It's as evil as it is ingenious. It's one more way in which Cheney has cloaked himself and his actions in darkness from even the rest of the executive branch.

Re:Classification Designations

[stewbacca]

Absolutely unfounded... There are entirely too many checks and balances in place for the VP (or any politician for that matter) to create his own classification scheme.

Re:Classification Designations

[Jtheletter]

Absolutely unfounded... There are entirely too many checks and balances in place for the VP (or any politician for that matter) to create his own classification scheme.

My friend, some might say there are too many checks and balances to prevent a lot of the things that have gone on with this administration in the last 6 years, yet the abuses occurred anyway. Your disbelief makes them no less true. The Washington Post broke this story and AFAIK there have been no retractions. Here are some links to the articles in question.

• A reference from rawstory.com, with the daily show clip.
• The Washington Post article
• Story in the New York Times

The NYT article deals mostly with how Cheney HAS BEEN flaunting the system of checks and balances already in place, even going so far as to request the abolition of the classification oversight committee itself! From the article: "Officials at the National Archives and the Justice Department confirmed the basic chronology of events cited in Mr. Waxman's letter.
The letter said that after repeatedly refusing to comply with a routine annual request from the archives for data on his staff's classification of internal documents, the vice president's office in 2004 blocked an on-site inspection of records that other agencies of the executive branch regularly go through. "

I leave it to you to draw your own conclusions from these events, but I assure you, they are occurring.

Okay, here's what we've got

[spun]

The Rand Corporation, in conjunction with the saucer people, under the supervision of the reverse vampires, are forcing George W. Bush to go to bed early in a fiendish plot to eliminate the meal of dinner.

We're through the looking glass, people

Re:Okay, here's what we've got

[SPJ911]

My thoughts exactly!. Lord only knows where we'd be without the wit and wisdom of Bart & Lisa Simpson.

Top Secret!

[lymond01]

The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.

So...not top secret then.

Commodization

have we learned nothing about how to keep important materials out of mischievous hands?

Perhaps it's the commoditization of data? It used to be that anything written down was important. Then only certain paper from certain individuals. Now, with 1 TB hard drives, how easy is it to tell what's sensistive and what isn't?

You have a 60+ GB drive in a laptop, a speadsheet with all the sensitive SSNs and such is maybe a couple of megs. All the rest of it is no big deal.

Perhaps instead of putting stuff on the internal drive, the sensitive information is put on external drives with stickers reading "If this goes missing you will lose your job and be charged with a felony." Maybe that will motivate people to pay attention to what is important (and safely ignore what is not).

Sorry

[c_woolley]

I was just looking for porn. I'll give the system back when I am done with it. Bunch of crappy phone numbers. Don't worry, when I give it back there will be something worth keeping safe.

Server located

[wireloose]

--- "CAN'T YOU SEE, MAN? IT'S THE END OF FREEDOM!"

No problem, everyone calm down. The server has been located. http://cgi.ebay.com/A6144A-HP-9000-Server-L3000-UN IX-PA-RISC-550MHZ_W0QQitemZ280141263427QQihZ018QQc ategoryZ162QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

Yes, actually. The cat does "got my tongue."

[Impy+the+Impiuos+Imp]

> Usually missing information stories are fairly low key; the loss of a few thousand
> student records is cause for concern for those involved, but hardly national security.

Yeah! The problems of tiny organizations are not really worthy of national, much less international, attention.

> This one is slightly different...'The company -- whose clients include Scotland Yard
> and the Crown Prosecution Service '...

Wait, I thought you said this was slightly different. Sounds like the same class of problems as that of a small school, from the point of view of the $2.1 trillion spending, 15 aircraft carrier battlegroup wielding, moon-landing, shuttle-launching, eh, it's only $500 billion for this war, that savings & loan bailout, that geezer drug benefit cha-CHING-ing nation.

Let me guess, you RMA your disks too

[DamnStupidElf]

Do you RMA unencrypted disks? How do you wipe sensitive data off the dead ones? There are plenty of reasons to encrypt server drives.

Re:Let me guess, you RMA your disks too

[BenEnglishAtHome]

Where I work, the servers are encrypted. The laptops are encrypted. The desktops are about to be encrypted.

No disk is ever RMA'd anywhere. If we have a failure, we get a new replacement disk and send back a sheet of paper saying we destroyed the old one.

We wipe sensitive data with 7 random overwrites on all disks in storage that may be used again. Working desktop and laptop disks passing out of the organization for donation to schools or charities get the same treatment.

Dead disk drives from laptops and desktops are treated just like server disks. Server disks at end of life are never passed out of the organization in working condition. They are software-wiped as above, degaussed in a gigantic noisy machine, disassembled, and the platters removed. Glass platters are broken into little bits and thrown out. Metal platters are beaten up with a hammer and then (I am not kidding) a guy in the office makes sculptures out of them. We have an area with various towering sculptures representing literally thousands of decommissioned disks, some of which are really heavy 8-inch platters made, it appears, of copper. I guess that means we've been doing this for a long time.

The sculpture procedure is optional and specific to my local office. :-) At that point, our official procedures clear us to sell the platters by simply pitching them in amongst the other miscellaneous tons of broken equipment we periodically sell off as scrap.

Opinions? Good enough?

Re:Let me guess, you RMA your disks too

[DamnStupidElf]

No disk is ever RMA'd anywhere. If we have a failure, we get a new replacement disk and send back a sheet of paper saying we destroyed the old one.

See, that's the thing that most companies would have trouble getting away with. I suppose once you're big enough to audit the taxes of the company RMAing your equipment, they don't really mind taking your word that you're destroying the drives and not selling them on the side.

We wipe sensitive data with 7 random overwrites on all disks in storage that may be used again. Working desktop and laptop disks passing out of the organization for donation to schools or charities get the same treatment.

The only obvious thing is sector reassignment. Modern drives keep a spare track or two to reassign bad sectors to. Most of the data is still there in a bad sector, and could probably be reconstructed exactly with a better read head or of course an electron microscope. Still, that's just a tiny fraction of the data on the drive. It depends on how valuable even a tiny bit of data would be. Mandatory encryption will fix that anyway.

Dead disk drives from laptops and desktops are treated just like server disks. Server disks at end of life are never passed out of the organization in working condition. They are software-wiped as above, degaussed in a gigantic noisy machine, disassembled, and the platters removed. Glass platters are broken into little bits and thrown out. Metal platters are beaten up with a hammer and then (I am not kidding) a guy in the office makes sculptures out of them. We have an area with various towering sculptures representing literally thousands of decommissioned disks, some of which are really heavy 8-inch platters made, it appears, of copper. I guess that means we've been doing this for a long time.

I would grind the glass platters (considering even a millimeter of disk still has complete sectors on it) and sand the metal platters down to remove the magnetic medium. Of course, I'm not an expert in data destruction and am more of a CS/math guy than a physicist, so take this with a grain of salt. My guess is that your copper colored disks are really iron oxide; basically just really smooth rust.

For the IRS, it is conceivable that any amount of data stolen would have at least some value. My guess is that social security numbers along with names and addresses are in a whole lot (most?) of your data, so even getting snippets would be slightly valuable. Overall I'd say there's a pretty low chance of losing data via old hard disks with the methods you've described.

The pieces are beginning to fall into place...

[p4rri11iz3r]

Yesterday it was a 3-ton chunk of meteorite in Russia. http://science.slashdot.org/article.pl?sid=07/08/1 3/1524249

Today its server with sensitive data in the UK.

Tomorrow: Profit!

Humor often used to introduce serious topics

[AHumbleOpinion]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue. Either way, I'm scared.

You have no need to be scared. While the complete post was a joke, it began with a statement that many actually do believe. The point contained in that statement was worthy of being discussed, the fact that it was introduced as part of a joke does not detract from the fact that many believe it. Humor and satire are often used to introduce serious topics. Did I miss some rule that only the original author and not a responder may do so?

Security

[youknitty]

No one seems to regard security with enough concern to actually do enough to protect it, just talk about how they are so good at protecting things.

Stuff you learn about security

[JoeCommodore]

As I have read a lot on administering servers there is one axiom that stands out, "even if you do all the communication and data protection as well as keep out bad guys from getting in through your ports, if they get hold of the box it is just a matter of time, as they have total access."

Encrypted drive with a password to open access during boot would be the best (unless bad guys compromise the box while it is running).

But who knows there probably is a way around that too, as with DRM - someone somewhere seems to eventually figure out a new (usually easy) method of bypassing the most secure systems.

Home server encryption - Is there a good solution?

[BenEnglishAtHome]

What about your kiddie porn stash? Or your usual porn stash if you're married? Or your MP3s if you're a teenager?

I use Cryptobox. Is that good enough?

I'm serious. I don't know if it's good enough. I chose it because it was easy to use but it could be horribly flawed and I'd never know.