Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unclean Military Hard Drives Sold On eBay

Posted by CmdrTaco on from the they-should-know-better dept.

An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay. The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.' Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."

44 of 369 comments (clear)

  1. I have to wonder by Lord+Grey · · Score: 4, Insightful
    The article states that this finding was the result of a study where a few hundred drives (300+) were purchased from various places and then scanned.

    A spokesman for BT said they found 34 per cent of the hard disks scrutinised contained 'information of either personal data that could be identified to an individual or commercial data identifying a company or organisation.'

    Later:

    For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.

    Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible? Granted that there would be capital outlay, but a lot of that is recovered by selling the drives again through the vary same channels, and the risk of getting caught would be extremely low. Quantity of information is lower than with network-based methods (eg, keyloggers, sniffers, etc.) or other information-gathering methods, but I would think the quality of the gathered data would be much, much higher. Good enough to resell for a relatively high amount.

    It seems, to me, that there is a bit of hyperbole going on here.

    --
    // Beyond Here Lie Dragons
    1. Re:I have to wonder by drinkypoo · · Score: 4, Insightful

      Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Uh, what makes you think that they aren't? Your comment is utterly devoid of value unless you can prove a negative somehow. Good luck!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:I have to wonder by Anonymous Coward · · Score: 5, Funny

      Your comment is utterly devoid of value unless you can prove you have something worthwhile to respond with. Good luck!

    3. Re:I have to wonder by noundi · · Score: 5, Insightful

      ... wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Well the black market is a quite complicated. The only groups with enough funding and enough motive to even try to obtain this information (disregarding the middlemen that you're mentioning) would be other nations. Let's say you're an exceptional nerd with enough skills to extract this data into usable form (I think it would be fair to say that many /.-ers fit or could fit this profile given some time to research). How would you go about selling this information to let's say North Korea? Who would you contact? Better yet, who would they allow you to speak to? I doubt you can just pick up the phone and ask the operator to "hook you up with the illest of Kim Jongs". But let's say you actually do get to speak with him (or anybody of importance really). How's your Korean? Ok final hypothesis, let's say you actually do speak Korean. What are you going to say? It's not like you're calling from AT&T to offer him 5$ less monthly fee if he subscribes to the service for 24 additional months.

      Basically I see where you're coming from but I wouldn't take the procedure so lightly. Plus there's possibly a lot more important information floating around somewhere that never "got in the wrong hands" as well.

      --
      I am the lawn!
    4. Re:I have to wonder by sadness203 · · Score: 5, Funny

      Your comment is so fat it was... oh ... no, wrong joke.

    5. Re:I have to wonder by DZign · · Score: 3, Interesting

      After reading the book 'spies among us' I've learned that making contact for selling information is just as simple as walking
      to an embassy/consulate from the specific country and asking to speak with someone about information..

      --
      Learn about pinball machines on www.flippers.be
    6. Re:I have to wonder by Lost+Race · · Score: 3, Insightful

      Your comment is utterly devoid of value unless you can prove a negative somehow. Good luck!

      "prove a negative"?

      Follow any of the links and never use that idiotic phrase again.

    7. Re:I have to wonder by drinkypoo · · Score: 3, Funny

      I'm so sorry I got caught speaking English. Next time I'll try to translate into nerd-speak so that those of you with slide whistles in your assholes will pipe down.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Unclean? by Nerdfest · · Score: 4, Informative

    I guess we'll need to format them in a purifying fire then.

    1. Re:Unclean? by auric_dude · · Score: 4, Informative

      Or use http://www.dban.org/node/68 - good enough for The Government Of Canada so good enough for these disks?

    2. Re:Unclean? by Mendoksou · · Score: 4, Funny

      It's finally time to start up my competitor to the NSA. The American Security Service (acronym to be determined) will, for the cost of hard drives on ebay (as well as some key other components... you never know what might be hidden in all those GPUs... we'd better test them. And those CPUs... and that RAM... and those computer games...), provide quality security and defense against our enemies. Especially if those enemies happen to be in the games I'm playing at the time.

      --
      DISCLAIMER: I am very rarely serious. If the above comment seems asinine makes no sense, it is most likely a bad joke.
    3. Re:Unclean? by Hyppy · · Score: 3, Insightful

      Most DoD member units approve DBAN already. Especially when it's set to the platter-melting 35-pass Guttman Wipe.

      The problem is when someone DOESN'T follow proper procedures. Rules are great and all, but someone is always going to break them in some way

    4. Re:Unclean? by Nimey · · Score: 3, Informative

      Since you apparently don't know what you're talking about: the 35-pass wipe is bullshit, and even the author says so.

      http://en.wikipedia.org/wiki/Gutmann_method#Criticism

      Essentially some of those patterns are specifically for obsolete MFM drives, and others are specifically for equally obsolete RLL drives. Nowadays you should just use random patterns, and even the DoD is fine with 7 passes.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:Unclean? by NotQuiteReal · · Score: 5, Funny

      Aww, you just went for a cheap laugh.

      When you said The American Security Service (acronym to be determined) I thought for sure, you were going to start a wiping service!

      --
      This issue is a bit more complicated than you think.
    6. Re:Unclean? by Nathrael · · Score: 4, Funny

      Fire is best and most useful but other methods are possible.

      Nuke it from orbit. It's the only way to be sure.

      --
      A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
  3. Scary that they sold the disk at all by Anonymous Coward · · Score: 5, Insightful

    You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.

    1. Re:Scary that they sold the disk at all by bleh-of-the-huns · · Score: 4, Interesting

      There are much quicker ways then that. In fact, at my old office, we had NSA approved degaussing equipment for hard drives, that destroyed the data permanently (no amount of forensics will be able to retrieve it), but left the drive itself intact for reuse or resale.

      The fun part of course is that when you turn it on.. 2 or 3 floors of lights all dimmed at the same time for a few seconds while it powered up and it hummed.. loudly... Thats a powerful magnet :)

      --
      I came, I conquered, I coredumped
    2. Re:Scary that they sold the disk at all by s0litaire · · Score: 3, Informative

      i'd use "dd if=/dev/urandom of=/dev/sda" Urandom is slower but better..

      --
      Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    3. Re:Scary that they sold the disk at all by rongage · · Score: 5, Informative

      Modern drives have "servo tracks" on them - used for setting the head position. If you use an eraser powerful enough to wipe the drive, then the servo track is most likely also wiped - rendering the drive totally useless to most folk.

      --
      Ron Gage - Westland, MI
    4. Re:Scary that they sold the disk at all by samos69 · · Score: 3, Informative

      Yup, we just purchased a Verity degausser to wipe some drives before donating them to charity and have found that the servo track is wiped and they become completely useless... £1800 wasted, but it's damn fun to wipe things with!

  4. please... by VMaN · · Score: 5, Interesting

    Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.

    This challenge has stood for more than a year.
    http://16systems.com/zero.php

    1. Re:please... by canix · · Score: 5, Insightful

      It is possible that the people most likely to have the resources and expertise to do this (i.e. govt. security depts.) don't want to announce that they have this capability ...

    2. Re:please... by sakdoctor · · Score: 5, Funny

      In the UK, the government uses magnetic fields generated by train seats to erase sensitive data.

    3. Re:please... by WoLpH · · Score: 3, Insightful

      Why would any company enter a challenge like that? What data recovery company would comply to this: "You also must publicly disclose in a reproducible manner the method(s) used to win the challenge."?

      Regardless of wheter it is possible or not, it is definately not worth the trouble for anyone.

    4. Re:please... by Hyppy · · Score: 5, Insightful

      $500 to recover a drive, eh? If I had a data recovery business, I'd hang up on you too. If you want people to take you seriously, then perhaps you should present yourself in a serious manner. Offering $500 and a basement-made "King of Data Recovery" title is not a serious challenge. It's a slap in the face to any legitimate data recovery business to be "challenged" like that.

  5. DoD wiping standards by mati.stankiewicz · · Score: 5, Informative

    "which I believe is wiping the whole disk and then writing 1010 all over it."

    Taken from DoD 5220.22-M Wipe Standard:

    "[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."

    1. Re:DoD wiping standards by bleh-of-the-huns · · Score: 4, Interesting

      Certain 3 letter facilities in the US do that.. in fact, any electronic equipment going in.. never leaves. I have seen the destruction of a thumb drive that accidentally made it into the facility (many people arrived for a meeting there), but was caught on the way out and destroyed.

      Same facility provides all electronic equipment needed for various press events and what not.

      --
      I came, I conquered, I coredumped
    2. Re:DoD wiping standards by drinkypoo · · Score: 4, Funny

      What if you had memory issues with your brain and thus have a prosthetic memory installed to help you?

      What if the aliens came, and took you back to your home planet?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Financial Firms Do the Same by __aajwxe560 · · Score: 5, Informative

    I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.

    So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.

    1. Re:Financial Firms Do the Same by notarockstar1979 · · Score: 3, Funny

      I created the secure wiping policy for my department. It involves an axe. I get to use it on anyone who tries selling old drives instead of having them shredded.

  7. Little OT Anecdote by rodrigoandrade · · Score: 5, Informative

    I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.

    What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.

    1. Re:Little OT Anecdote by bleh-of-the-huns · · Score: 3, Interesting

      The problem is not necessarily from a gov branch, but most likely a supporting contractor, in this case Lockheed martin.

      Same reason why those same contractors are forbidden from using VPN from gov facilities (DOD and Federal atleast) to their home offices. In the past, a certain contractor from a certain company at a certain 5 pointed facility introduced some lovely malware that spread like wildfire fromthe contractors company to the gov facility.

      However, like I said, while policy says what not to do, deadlines and management looking the other way sometimes to meet those deadlines and whatnot go against those policies, sometimes nothing happens, sometimes bad things happen.

      --
      I came, I conquered, I coredumped
  8. In other news.. by __aanmys7397 · · Score: 5, Funny

    ..the market is being flooded with Chinese made ground to air missile defence systems, available for a quarter of the price, and half the accuracy.
    Fine Print: THERE IS NO WARRANTY FOR THE SYSTEM, TO THE EXTENT PERMITTED BY APPLICABLE LAW

  9. Nearly right... by LoyalOpposition · · Score: 5, Funny

    scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.

    That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.

    -Loyal

    --
    I aim to misbehave.
    1. Re:Nearly right... by H0p313ss · · Score: 3, Funny

      scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.

      That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.

      -Loyal

      So you're saying this Area 51 map and Build-Your-Own Nuke instructions I have here might be bogus?

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
  10. Who is really to blame? by sunking2 · · Score: 4, Insightful

    Did lockheed actually own these machines, or do they lease them? My guess is LM (like most larger companies) has a contract with someone like CSC/IBM/etc who actually owns, maintains, and replaces machines. This is probably where the ball was dropped. Every 3 years here CSC replaces 10s of thousands of PCs that they are itching to sell off before they depreciate into worthlessness. I can certainly see them taking short cuts, or missing a few. This is the problem with outsourcing IT infrastructure. They don't always really understand or care about the same thing as you.

  11. Probably illegally sold by roger_that · · Score: 5, Interesting

    The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.

    Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)

  12. Is it just me... by s0litaire · · Score: 4, Funny

    Or are these types of stories probably sponsored by E-Bay's PR department..

    Just think of all those people now bidding on old hard drives now... Probably won't be able to pick one up for under £99 by the end of the week :D

    That reminds me... Got a few old ones to sell myself... :D:D

    --
    Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
  13. Re:Uhh by linzeal · · Score: 3, Interesting

    The problem is when people have a whole bunch of them and 100 40 gig hard drives sold at a flea market can pickup 2000 dollars some weekends. I did a pull once where the guy was savvy enough to wipe the hard disks but did not check all the CD-Rom drives, half of which had CDs in them with corporate information. Looking it over I could of easily sold the info to an unscrupulous competitor but decided to just send them to him COD for cost of postage.

    --
    An Education is the Font of All Liberty
  14. For Highly Classified Data, it's more than a wipe by sirwired · · Score: 3, Informative

    I worked in a highly classified facility once. The wipe "standard" was to hire a lowly intern (such as myself), remove the platters from the case, take them out back, and sandblast them. The agencies scientists had decided degaussing wasn't good enough.

    SirWired

  15. Say what? by minsk · · Score: 3, Funny

    wiping the whole disk and then writing 1010 all over it.

    Did exactly that. Removed it from a computer. Wiped all over the disk. Then took a marker and wrote all over it. For additional security, wiped it *again* to remove the marker. And you nuts are still claiming there's secrets on it...

    </fiction>

  16. A+++++ Vendor! by xonar · · Score: 5, Funny

    A++++++++++++ service! Quick shipping, and free military secrets included! Would buy from again.

  17. Re:Why not just destroy these disks? by camperdave · · Score: 5, Interesting

    Why does the DoD not simply destroy the disks in question?

    Sometimes it's easier to detect a security problem by letting some information leak.

    --
    When our name is on the back of your car, we're behind you all the way!
  18. Re:For Highly Classified Data, it's more than a wi by jandoedel · · Score: 5, Funny

    ?? why would sandblasting an intern help in wiping the disk?