Slashdot Mirror
Data Breach Exposes RAF Staff To Blackmail
Yehuda writes "Wired reports, 'Yet another breach of sensitive, unencrypted data is making news in the United Kingdom. This time the breach puts Royal Air Force staff at serious risk of being targeted for blackmail by foreign intelligence services or others.
The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories — information the military needed to determine their security risk.
The recordings were stored on three unencrypted hard drives that disappeared last year.'"
All the money that their government has goes to buying moats and other fun things for the MPs.
"I have never let my schooling interfere with my education." --Mark Twain
why didn't they just encrypt the disks? If it's supposed to be sensitive information, store it securely!
Note: I was 13 when I wrote most of this. Take with several grains of salt.
um, just because your boss knows something embarrassing, it doesn't mean your wife, family, whole world needs to know.
On the other hand, if your boss has special forces, it could work to your advantage...
Idiot: "Sir, you know that midget fetish I spoke about during the security interview?"
Chief Idiot: "Yes? I really quite enjoyed that bit. Quite naughty!"
Idiot: "Well, there are some chaps who think they can hold it over me, for a few quid, per week... not tell the missus, and all."
Chief Idiot: "Oh, well, that's not right, I'll send some SAS over there ASAP and they won't be a problem anymore."
Sounds like a convenient way to legally fire or reassign someone.
upon the advice of my lawyer, i have no sig at this time
"Ummm..."
These are the same idiots who are putting surveillance cameras everywhere, fingerprinting and taking DNA samples from musicians who are simply visiting the UK to play in a few clubs (then denying them entrance because the clubs hadn't paid a fee and agreed to report on them), and generally acting like fascists.
They're great at grabbing reams of private information they would have no right to if Britain were still a free society. Protecting it from unauthorized access? Not so much.
Goddamn wankers!
I've calculated my velocity with such exquisite precision that I have no idea where I am.
the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories -- information the military needed to determine their security risk
If yes to any of the above do you want these as officers? Even the extra-marital affairs in most circumstances provide proof that the person is capable of disloyalty.
The real problem is if they have done any of this and don't admit to it, they're disloyal, liars that shouldn't be given clearance. If they do admit it, they're too stupid to be in a position of authority. The only way time you want to ask these questions is if you know the answer in advance and the answer is "squeaky clean".
These posts express my own personal views, not those of my employer
It seems to me that many organisations would consider payroll, health and other HR info as private and hence restrict access to it on the network, but they wouldn't consider encrypting it with a passowrd - well at least nowhere where I have worked. ...
And perhaps military institutions consider attack plans, weapons secrets and such as worthy of protection but not an "inteview" that we did "ourselves", "inhouse".
We are learning more and more that this is a connected world - yes even your fridge will have an IP address and be on the net one day mark my words and EVERYTHING will need to be encrypted. Encryption grammar and other security verbiage will be second hand speak for moms and kids
"have you packed your lunch"
"Yes mom"
"And MD5 SSL'd your homework via the kerebos LDAP certificate server? You know what happened last time when Mr Jones found your SSH key unencoded on the SELinux partition - I don't want to go through that again"
"Arghh yes mom I have been over this 1000 times with you let it go - my friends and I were scanning photons of the prom dance when James accidentally Bluetoothed a letter from his brother in the army to Amy's communication jewellery which had a compaible 3DES encrytpion algorithm - now will you let it go!? Shees!"
"I'm just saying is all - I have to go and buy some groceries and when I scan my embedded subcutaneous barcode it better not say that I have been SQL Injected because of a bad CRC checksum - I won't be embarrassed like I was the last time"
http://projectleader.wordpress.com
Just because their bosses already know doesn't mean their wives did.
Someone wanna explain to me how drug-using hooker-banging ex-cons are OFFICERS IN THE ROYAL AIR FORCE?
"extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories " - sounds like a viral marketing campaign for the RAF if you ask me - who knew that they had so much fun! I suppose the word 'raffish' had to come from somewhere.
Good to see the Brits have as bad a security as we do.
Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone.
Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.
Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.
Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.
Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."
http://rocknerd.co.uk
Actually the whole point about these interviews is to screen out people who are susceptible to blackmail. If you had an extra-marital affair and your wife doesn't know, then you either tell your wife or you don't get security clearance.
I guess the British government is now following the principle of "information wants to be free". :P
"They're great at grabbing reams of private information they would have no right to if Britain were still a free society."
When were we ever a free society? When has any country been "free"? I suppose there's a philosophical discussion to be had here but I get the sense that
Interested to hear when you think the UK was a 'free' society. It would have to probably be after 1928 - universal suffrage, before then women under 28 couldn't vote so they weren't very free. Couldn't be 1939 - 1952 as we had identity cards then. Interested to hear your definition of 'free'.
cheers.
Because with information of sufficient importance the very fact we don't have an exhaustive audit trail would be worrying (someone may of gotten access). The fact that we don't even know where it is? That, is scary. Not only is the risk that this data still exists, meaning that either careers will be ruined or national security will be endangered. But additionally it is a further reminder of how incompetent government can be with obviously important data.
Although you may find the strength of feeling some people have regarding this breech to be unfounded, I expect I am not alone in finding your opinion that nothing bad will happen because "it rarely does" incredibly naive.
All Royal Air Force staff involved can thus forget about any clearance at all since they can be blackmailed.
I guess the military should compensate said personnel for loss of career possibilities and of course improve their data protection/storage/etc policies.
.
Keep it in your head. There is no such thing as absolute security, therefore there is no such thing as security. If you don't want to share something, don't share it with anybody.
.
blog me no blogs
So losing sensitive data "last year" is only being reported now as a problem!?
I hope that between losing the material and reporting it (several months later), some action has already been taken to minimise the potential for blackmail. ...or were they waiting a certain length of time to see if it turned up somewhere or was posted back to them before panicking.
(I would say that I hope action has already been taken to prevent this from happening again, but I'm not that naive)
I worked for a while in this area. If you want to get rid of a failing, and very expensive, defence project, the best way to do it is to have an 'accidental' security stuff up. That way you can ditch the failed program under the guise of 'national security' rather than incompetence, mismanagement, and the various other real reasons for project failures. This also means the project managers usually get off from being completely incompetent. Rather than have a failed project, they have a security breach, which is often investigated and forgotten about with a slap on the back and a guffaw (especially if the member is a part of the boys club).
It wouldn't surprise me if the stuff up was part of some Machiavellian back room defence politics. The old canard that civilians (especially on /.) state about choosing incompetence over conspiracy can be thrown out the window when it comes to national security and defence. Many of these individuals realize they have a system that can be exploited for their own personal gain if needed.
Because it's cheaper to blackmail loyality than to buy it? Duh...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It doesn't matter so much whether the information is false or true, what matters is if you have control of the means of communication. Just ask John Kerry about the Swift Boat Veterans. Baseless information can do great damage if you have the power to shout it loudly enough. Meanwhile, BAE systems bribed a Saudi Prince over US$1billion to direct his country to make various arms purchases and when the UK authorities began investigations, our own British government stepped in and order the investigation stopped. Corruption on a massive scale that dropped from the national press like a scab from a leper.
I think this post further down has one of the most insightful takes on why the information might be gathered. Not that I feel it fully excuses the gathering of the information and certainly doesn't excuse its loss. The RAF officers who gave this information to their employers had a simple choice - tell the truth about their more shameful behaviour or lie to cover it up. They chose wrong.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
This has nothing to do with the Regulation of Investigatory Powers Act. If some ne'er-do-well has stolen the hard drive, RIPA is not going to entitle them to the key to decrypt it, nor does it make encrypting it in the first place illegal! CESG ( http://www.cesg.gov.uk/ ) assesses a wide variety of cryptographic products as to their suitability for handling protectiveloy marked information, and some of these are restricted to HMG use only!
The paper forms for Developed Vetting themselves are marked "RESTRICTED STAFF (when completed)". See http://www.cabinetoffice.gov.uk/spf/faqs.aspx for information about protectively marked assets, and the DV forms themselves at http://www.hmgcc.gov.uk/clearance.aspx.
I prefer extortion. The X makes it sound cool. -Bender