Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unclean Military Hard Drives Sold On eBay

Posted by CmdrTaco on from the they-should-know-better dept.

An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay. The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.' Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."

7 of 369 comments (clear)

  1. I have to wonder by Lord+Grey · · Score: 4, Insightful
    The article states that this finding was the result of a study where a few hundred drives (300+) were purchased from various places and then scanned.

    A spokesman for BT said they found 34 per cent of the hard disks scrutinised contained 'information of either personal data that could be identified to an individual or commercial data identifying a company or organisation.'

    Later:

    For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.

    Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible? Granted that there would be capital outlay, but a lot of that is recovered by selling the drives again through the vary same channels, and the risk of getting caught would be extremely low. Quantity of information is lower than with network-based methods (eg, keyloggers, sniffers, etc.) or other information-gathering methods, but I would think the quality of the gathered data would be much, much higher. Good enough to resell for a relatively high amount.

    It seems, to me, that there is a bit of hyperbole going on here.

    --
    // Beyond Here Lie Dragons
    1. Re:I have to wonder by drinkypoo · · Score: 4, Insightful

      Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Uh, what makes you think that they aren't? Your comment is utterly devoid of value unless you can prove a negative somehow. Good luck!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:I have to wonder by noundi · · Score: 5, Insightful

      ... wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Well the black market is a quite complicated. The only groups with enough funding and enough motive to even try to obtain this information (disregarding the middlemen that you're mentioning) would be other nations. Let's say you're an exceptional nerd with enough skills to extract this data into usable form (I think it would be fair to say that many /.-ers fit or could fit this profile given some time to research). How would you go about selling this information to let's say North Korea? Who would you contact? Better yet, who would they allow you to speak to? I doubt you can just pick up the phone and ask the operator to "hook you up with the illest of Kim Jongs". But let's say you actually do get to speak with him (or anybody of importance really). How's your Korean? Ok final hypothesis, let's say you actually do speak Korean. What are you going to say? It's not like you're calling from AT&T to offer him 5$ less monthly fee if he subscribes to the service for 24 additional months.

      Basically I see where you're coming from but I wouldn't take the procedure so lightly. Plus there's possibly a lot more important information floating around somewhere that never "got in the wrong hands" as well.

      --
      I am the lawn!
  2. Scary that they sold the disk at all by Anonymous Coward · · Score: 5, Insightful

    You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.

  3. Re:please... by canix · · Score: 5, Insightful

    It is possible that the people most likely to have the resources and expertise to do this (i.e. govt. security depts.) don't want to announce that they have this capability ...

  4. Who is really to blame? by sunking2 · · Score: 4, Insightful

    Did lockheed actually own these machines, or do they lease them? My guess is LM (like most larger companies) has a contract with someone like CSC/IBM/etc who actually owns, maintains, and replaces machines. This is probably where the ball was dropped. Every 3 years here CSC replaces 10s of thousands of PCs that they are itching to sell off before they depreciate into worthlessness. I can certainly see them taking short cuts, or missing a few. This is the problem with outsourcing IT infrastructure. They don't always really understand or care about the same thing as you.

  5. Re:please... by Hyppy · · Score: 5, Insightful

    $500 to recover a drive, eh? If I had a data recovery business, I'd hang up on you too. If you want people to take you seriously, then perhaps you should present yourself in a serious manner. Offering $500 and a basement-made "King of Data Recovery" title is not a serious challenge. It's a slap in the face to any legitimate data recovery business to be "challenged" like that.