Slashdot Mirror
Unclean Military Hard Drives Sold On eBay
An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay.
The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.
The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.'
Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."
Later:
Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible? Granted that there would be capital outlay, but a lot of that is recovered by selling the drives again through the vary same channels, and the risk of getting caught would be extremely low. Quantity of information is lower than with network-based methods (eg, keyloggers, sniffers, etc.) or other information-gathering methods, but I would think the quality of the gathered data would be much, much higher. Good enough to resell for a relatively high amount.
It seems, to me, that there is a bit of hyperbole going on here.
I guess we'll need to format them in a purifying fire then.
You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.
Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.
This challenge has stood for more than a year.
http://16systems.com/zero.php
"which I believe is wiping the whole disk and then writing 1010 all over it."
Taken from DoD 5220.22-M Wipe Standard:
"[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."
I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.
So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.
I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.
What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.
..the market is being flooded with Chinese made ground to air missile defence systems, available for a quarter of the price, and half the accuracy.
Fine Print: THERE IS NO WARRANTY FOR THE SYSTEM, TO THE EXTENT PERMITTED BY APPLICABLE LAW
Why does the DoD not simply destroy the disks in question?
Power corrupts the few, while weakness corrupts the many.
scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.
-Loyal
I aim to misbehave.
Did lockheed actually own these machines, or do they lease them? My guess is LM (like most larger companies) has a contract with someone like CSC/IBM/etc who actually owns, maintains, and replaces machines. This is probably where the ball was dropped. Every 3 years here CSC replaces 10s of thousands of PCs that they are itching to sell off before they depreciate into worthlessness. I can certainly see them taking short cuts, or missing a few. This is the problem with outsourcing IT infrastructure. They don't always really understand or care about the same thing as you.
The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.
Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)
Or are these types of stories probably sponsored by E-Bay's PR department..
:D
:D:D
Just think of all those people now bidding on old hard drives now... Probably won't be able to pick one up for under £99 by the end of the week
That reminds me... Got a few old ones to sell myself...
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
The problem is when people have a whole bunch of them and 100 40 gig hard drives sold at a flea market can pickup 2000 dollars some weekends. I did a pull once where the guy was savvy enough to wipe the hard disks but did not check all the CD-Rom drives, half of which had CDs in them with corporate information. Looking it over I could of easily sold the info to an unscrupulous competitor but decided to just send them to him COD for cost of postage.
An Education is the Font of All Liberty
I worked in a highly classified facility once. The wipe "standard" was to hire a lowly intern (such as myself), remove the platters from the case, take them out back, and sandblast them. The agencies scientists had decided degaussing wasn't good enough.
SirWired
First part of story. scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
I just had a mental image of a private being assigned a sharpie and a room full of hard drives, furiously writing 1010 on each one.
Are to overwrite the harddrive 9 times, then degauss (which makes a loud POP and the magnetic information is GONE, and THEN to drill 6 holes through the drive. The DoD policy memo can be found here http://www.drms.dla.mil/turn-in/usable/cpu-memo-jun01.pdf
This space intentionally left blank
wiping the whole disk and then writing 1010 all over it.
Did exactly that. Removed it from a computer. Wiped all over the disk. Then took a marker and wrote all over it. For additional security, wiped it *again* to remove the marker. And you nuts are still claiming there's secrets on it...
</fiction>
A++++++++++++ service! Quick shipping, and free military secrets included! Would buy from again.
The problem with writing 1010 all over the disk is that it only covers an extremely tiny fraction of the disk. Most modern drives are much larger than 4 bits.
It is also highly inefficient since the OS would always have to read a whole sector (typically 512 bytes) and modify it in memory before writing it back again to avoid changing any bits outside of those 4 that are to be wiped!
So, why not just sell it on eBay and hope the buyer wipes the disk before using it?
I work for the IRS and we supposedly use the DOD standard. Our wiping software actually has a "/DOD" switch. However, unlike the standard quoted in another post, our software just reinitializes the MBR and then does 7 random overwrites. Is that better or worse than writing patterns? I dunno.
I do know, however, that we never let a drive out of our inventory without a wipe. If the drive has failed completely, we have a big magnetic blanker we use. (Local option - in my office, we then take those drives apart, abuse the platters, and one of our techs makes sculptures from them. Neat stuff.)
As an aside, we never RMA drives, either. If a drive in our possession fails, we call for a warranty replacement and send back in the return box a signed statement swearing that we destroyed the old drive. If a laptop has a failure that requires a contractor tech to replace parts, we make them come on-site then have someone stand over them the whole time to make sure they don't try to actually read anything off the drive.
I would expect the military to do at least as well. Am I wrong?
I just got out of the Military and was in there for 6 years. Not one time did we ever wipe a hard drive, not because we did not care nor to lazy. We never sold the hard drives or gave them away. We either reused the drive or we smashed it and then recycled it. The Army is so paranoid that we even had to take RAM out of old computers that processed classified information just because it MIGHT have information left...
Every time a piece of hardware which wasn't properly cleaned to the recommended levels, the individual responsible for letting it leave the premises should be held accountable....personally. How about sharing state secrets with the enemy? You can't know who it was destined for so there's every possibility it will go overseas. To my knowledge this carries a harsh sentence, but we can allow a prison sentence if they co-operate with the authorities and ensure the command level personnel are also charged.
My guess is that most of this stuff happens through employee laziness, and contractor unaccountability. If you have lobbyists lairing in government to ensure that you keep the contracts no matter what and are able to hide anything under the "national security" red herring then why bother enforcing rules like wiping stuff properly? The idea of being held PERSONALLY responsible, with potential jail time will make people stop and think, specially if the command level have no loophole to blame their underlings for anything the press find out about.
I worked for a government contractor at Tinker AFB in Oklahoma back in 2005-2006. I was on a contract doing server/desktop support for a wing on the base. Whenever we had a failed drive in a desktop, laptop or server there were certain protocols that we had to follow to make sure the data was compromised. We had to remove the drive and then take it apart completely. Once it was dismantled we had to scratch the platters to make sure they couldn't be reassembled in a different drive. I was also in on a server upgrade and they were going to sell the old server in a surplus auction. We were told to run a wipe of the drives and then REMOVE THEM because DOD regulations stated that the drives couldn't be sold at all. Then we had to destroy the drives in the same way I described above. Obviously this situation is someone not doing their job or just taking drives to make money.
?? why would sandblasting an intern help in wiping the disk?
link please
I prefer the muriatic acid formatting approach myself. You know, just in case there are any confidential bits or bytes left in the drive's PCB traces or ICs, or sticking to the side walls of the platter enclosure. You can never be too careful....
It is possible that the people who want to sell you a product don't want to announce the capability they wish to sell you is not necessary.
Besides, if the government is after you, they have such a variety of options to figure out what goes on (pin cameras, laser mics, various other forms of mics, analysis programs that can guess what you are typing, installation of keyloggers, and just simple acquisition with legal means like a warrant) that worrying about whether they may, beyond all known capabilities of industry, be able to recover data off your drive is absolutely hilarious.
If you're that paranoid, just never, ever do or say anything the government will pay attention to. In the maxima, this means never doing or saying anything. Ever.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."