Slashdot Mirror
Unclean Military Hard Drives Sold On eBay
An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay.
The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.
The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.'
Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."
You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.
Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.
This challenge has stood for more than a year.
http://16systems.com/zero.php
"which I believe is wiping the whole disk and then writing 1010 all over it."
Taken from DoD 5220.22-M Wipe Standard:
"[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."
I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.
So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.
I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.
What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.
..the market is being flooded with Chinese made ground to air missile defence systems, available for a quarter of the price, and half the accuracy.
Fine Print: THERE IS NO WARRANTY FOR THE SYSTEM, TO THE EXTENT PERMITTED BY APPLICABLE LAW
Your comment is utterly devoid of value unless you can prove you have something worthwhile to respond with. Good luck!
scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.
-Loyal
I aim to misbehave.
... wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?
Well the black market is a quite complicated. The only groups with enough funding and enough motive to even try to obtain this information (disregarding the middlemen that you're mentioning) would be other nations. Let's say you're an exceptional nerd with enough skills to extract this data into usable form (I think it would be fair to say that many /.-ers fit or could fit this profile given some time to research). How would you go about selling this information to let's say North Korea? Who would you contact? Better yet, who would they allow you to speak to? I doubt you can just pick up the phone and ask the operator to "hook you up with the illest of Kim Jongs". But let's say you actually do get to speak with him (or anybody of importance really). How's your Korean? Ok final hypothesis, let's say you actually do speak Korean. What are you going to say? It's not like you're calling from AT&T to offer him 5$ less monthly fee if he subscribes to the service for 24 additional months.
Basically I see where you're coming from but I wouldn't take the procedure so lightly. Plus there's possibly a lot more important information floating around somewhere that never "got in the wrong hands" as well.
I am the lawn!
The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.
Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)
A++++++++++++ service! Quick shipping, and free military secrets included! Would buy from again.
Your comment is so fat it was... oh ... no, wrong joke.
Why does the DoD not simply destroy the disks in question?
Sometimes it's easier to detect a security problem by letting some information leak.
When our name is on the back of your car, we're behind you all the way!
Aww, you just went for a cheap laugh.
When you said The American Security Service (acronym to be determined) I thought for sure, you were going to start a wiping service!
This issue is a bit more complicated than you think.
?? why would sandblasting an intern help in wiping the disk?