Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Intel Agency's Missing Laptops Might Contain Sensitive Data

Posted by timothy on from the their-ruse-their-clever-trick dept.

superapecommando writes "GCHQ lost 35 laptops in one year, potentially containing highly sensitive data. The UK's electronic spy centre was today lambasted by MPs for having a 'cavalier' attitude to data security. The centre is responsible for tracking the electronic communications of terrorists. In a new report, the Commons Intelligence and Security Committee expressed concern that GCHQ appeared to be entirely unaware whether or not the computers, lost in 2008, contained top secret information on people posing an imminent security threat to the country."

39 of 51 comments (clear)

  1. But in most industries... by infolation · · Score: 1

    'lost laptop' translates as 'executive perk'.

  2. Re:Newsflash: by deepershade · · Score: 1

    This is about the UK. What's a US citizen got to do with it?

  3. Intel... igence? by dolmen.fr · · Score: 1

    I did not understood the relation between Intel and UK MP's until I thought the word may have been abbreviated.

  4. Lack of information by EdZ · · Score: 1

    I've always wondered whether these 'lost laptops' are simply the personal laptops of employees, that should never have been anywhere near anything to do with GCHQ, and GCHQ is just being overly cautious (does not know what, if any, data accidentally ended up on a personal laptop, so assume the worst). Or it could just be garden variety incompetence. Except for the unlikely event of an intelligence service disclosing far more information than would be prudent, there's little to tell either way.

  5. What do they mean by lost? by ThePangolino · · Score: 2, Interesting

    What do they mean by lost? Is it lost like "Lost in space", "Just lost The Game" or "Sorry, I *lost* my homework"?

    --
    My ignorance is just as good as your knowledge.
    1. Re:What do they mean by lost? by mSparks43 · · Score: 1

      The world would be a much safer place if all these secret agencies *lost* their funding.

    2. Re:What do they mean by lost? by Xest · · Score: 1

      If it's anything like the rest of public sector from when I worked in it for a while some years ago, then "lost" means "I left my laptop perfectly visible in the back seat of my car which I left parked outside on the street overnight in a not exactly crime-free part of town".

      So if they want to find them, eBay, or the house with the dodgy people in down the street are probably the best places to look.

    3. Re:What do they mean by lost? by RockDoctor · · Score: 1

      The world would be a much safer place if all these secret agencies *lost* their funding.

      Oh man, are you so dead. Dead, diced, buried in soft peat for 18 years and finally DNA tested to reveal that you were an Albanian illegal immigrant all along. Remember that family you used to have? Well don't worry about them, the remaining ones don't remember you.
      As they say in Texas "Dead man walking!"

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    4. Re:What do they mean by lost? by mSparks43 · · Score: 1

      Way to prove my point?

  6. Highly sensitive data? by maxwell+demon · · Score: 4, Funny

    Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    1. Re:Highly sensitive data? by fluch · · Score: 1

      After all, those people are not completely incompetent, are they?

      In the UK? You should reconsider your rhetorical question...

    2. Re:Highly sensitive data? by JohnBailey · · Score: 1

      Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

      Considering who you are talking about.. the answer can be summed up as.. BWHAAAA!!!

      --
      It is difficult to get a man to understand something when his job depends on not understanding it.
    3. Re:Highly sensitive data? by Fred_A · · Score: 1

      After all, those people are not completely incompetent, are they?

      <deep>I find your faith disturbing...</deep>

      --

      May contain traces of nut.
      Made from the freshest electrons.
    4. Re:Highly sensitive data? by Shimbo · · Score: 3, Informative

      Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

      Well, GCHQ workers *invented* public key encryption, so they are obviously not all completely incompetent. Big organisations lose laptops. It's more that they don't have the paperwork to prove nothing secret hit these machines. It's sloppy but hardly unexpected.

    5. Re:Highly sensitive data? by gmccloskey · · Score: 1

      This would be the UK that led the development of modern computing with the work of Alan Turing, led the development of the use of computers in industrial and military environments (Bletchley Park) and which dramatically shortened the second world war. This would be the UK that invented public key cryptography before the NSA. This would be the UK which developed working, scalable MIMD parallel processing (transputer) in the early 90s. Then there was the matter of Boole, who did some minor mathematical work. That UK.

    6. Re:Highly sensitive data? by johnw · · Score: 1

      Well, GCHQ workers *invented* public key encryption...

      And the story told by one of the inventors is that he made the crucial breakthrough whilst mulling the problem over in his head at home. So strict was the security in those days that he wasn't even allowed to write down his idea on a piece of paper outside the office, and he worried dreadfully that he might forget the details before he got back into the office and was able to record it.

      Clearly if they're now leaving laptops lying around, things aren't quite so strict.

    7. Re:Highly sensitive data? by TheLink · · Score: 1

      Yeah, nowadays the GCHQ bunch would probably post it on Twitter.

      --
    8. Re:Highly sensitive data? by jabithew · · Score: 1

      Yes, that UK.

      --
      All intents and purposes. Not intensive purposes.
  7. Should not be a problem... by fluch · · Score: 1

    This should not be a problem IF the hard drives are full disk encrypted. Now the "if" in the previous sentence is the crucial point...

    1. Re:Should not be a problem... by gmccloskey · · Score: 2, Insightful

      All UK government devices storing information classified as RESTRICTED ( no US equivalent) must have two factor authentication, and full disk encryption using a FIPS140 certified product from a CESG-approved list. Anything carrying CONFIDENTIAL or SECRET has the same, plus additional techniques and handling protocols to ensure CIA (confidentiality, integrity, assurance). TOP SECRET isn't discussed in open forums.

      This is a non story if they are accidental losses. All organisations, including those within and around the intelligence communities, lose assets. The real questions should be (1) was it accidental, (2) if not, who made the effort and (3) are you confident the systems in place will protect the information for long enough until its value decreases below the effort required to recover it.

        To be honest, the more pressing issue for ordinary citizens is not governments protecting or losing information about citizens, but private organisations.

    2. Re:Should not be a problem... by Tim+C · · Score: 1

      This is correct; I also have reason to have some understanding of correct handling and storage procedures for materials covered by the GPMS and those laptops should be encrypted. If not then someone will be facing a shitstorm for it.

      --
      It's official. Most of you are morons.
  8. A job for Jack Bower? by Galik · · Score: 1

    Where is Jack Bower when you need him?

    1. Re:A job for Jack Bower? by Anonymous Coward · · Score: 2, Funny

      He's probably being interrogated and tortured by Jack Bauer as to why the former is attempting to steal the latter's identity.

  9. Re:Underground? by BiggerIsBetter · · Score: 2, Funny

    That kind of gives the impression that GCHQ are trying to recruit hackers from the counter culture by advertising in tube stations.

    And on Slashdot, apparently.

    --
    Forget thrust, drag, lift and weight. Airplanes fly because of money.
  10. ...and by extension,everyone else's communications by D4C5CE · · Score: 1

    The centre is responsible for tracking the electronic communications of terrorists

    ...which is hardly feasible without having access to everyone's communications, since those deserving of surveillance don't tend to identify themselves by stating e.g. "This is a terrorist communication:" at the start of everything they say.

    GCHQ appeared to be entirely unaware whether or not the computers [...] contained [...] information on people posing an imminent security threat [...]

    Quite a few others should also/rather want to know whether the computers contained information on people under an imminent security threat; information compiled by none less than the officials on a mission to protect them.
    This begs the question if an eavesdropping agency losing 35 laptops in a year can really be called "responsible" for anything, or rather just irresponsible.

  11. Re:Underground? by Anonymous Coward · · Score: 3, Insightful

    That's a great idea. You know where London 2600 is held, right? Pretty sensible place to advertise, then - and if the Security Service and Secret Intelligence Service are advertising, why not GCHQ, the great-granddaddy of the father of modern computing and cryptology?

    The big challenge is that all the people with the requisite expertise in that particular field either have ethical problems with working for a government that does things that runs contrary to their personal beliefs (restrictions on free speech, mass surveillance and censorship, certain recent unpopular wars, and so on), or they don't really have anything left in the way of ethics at all (in which case, their trustworthiness is very limited, and they may already be working for organised crime or another government).

    Many of the older ones have retired from doing that kind of thing and settled down, and the problem with that is that their skill set is unlikely to be current. There are of course timeless techniques, but the field also moves very quickly and rediscovers new things in different ways, so keeping current is important.

    Of course, there are always new ones. Fresh talent does emerge and can probably be recruited in larval form, but not all hacking is self-taught, and the difference between a good hacker and a world-class hacker is things picked up from experience and teaching. Mentoring. But part of that is the counter-culture mindset, it's a required part of the critical thinking needed. Some people are needed to teach, and teach very very well. But the problem is that those people do not want to work for the UK government, even in a teaching capacity.

    A similar problem emerges when trying to buy a covert remote intelligence tool (CRIT). What to do; license Zeus? Hardly. The Chinese did something similar, and as you no doubt heard it turned out worryingly successful with a simple black market Trojan and some very astute targeting. But you can scarcely expect that to work the same way twice. Something rather more advanced is needed, but those that have developed more advanced tools have essentially told the intelligence agencies to go screw themselves or are otherwise people it would be recommended to avoid dealing with (as above). So a tender was raised at a recent conference and there have been no decent bids (General Electric almost don't count).

    Anyway. As for the story, the key word is "might". This audit is ahead of a new system proposed to modernise the key management by introducing ubiquitous security tokens, and full-disk encryption in software (TOP SECRET uses specialist hardware devices rather than hard disks right now). The problem here is a lack of yearly auditing, and unmarked, uncleared notebooks that should not have touched classified information, and probably did not if best practices from the CESG were followed, but conceivably could have done, which is unacceptable and something that needs to be addressed...

  12. Big Deal by Czmyt · · Score: 1

    They look downright responsible compared to the US Department of Homeland Security who supposedly lost over 1,000 laptops in a single year (2008).

    1. Re:Big Deal by dbcad7 · · Score: 1

      Yeah, but were they "homeland security laptops" or passengers laptops at the airport ?.. and "lost" is more likely "stole".. If indeed it was government equipment, the number would not be that high.. because first the person it was assigned to would have to repay the government at the inflated price the government bought it for, and second they would be looking at jeopardizing their cushy gub'ment job.

      --
      waiting for ad.doubleclick.net
    2. Re:Big Deal by Czmyt · · Score: 1

      Government equipment, not passenger equipment:
      http://biggovernment.com/tshepherd/2010/02/24/dept-of-homeland-security-loses-over-1000-computers-in-one-year/

  13. Re:...and by extension,everyone else's communicati by drinkypoo · · Score: 1

    The centre is responsible for tracking the electronic communications of terrorists

    ...which is hardly feasible without having access to everyone's communications

    Try "known or suspected terrorists" in the sentence in place of simply "terrorists" and all will be made right. Or as right as it gets.

    Quite a few others should also/rather want to know whether the computers contained information on people under an imminent security threat; information compiled by none less than the officials on a mission to protect them.

    Well, that's not their mission, but I guess it's not impossible. Usually if it does contain such information, it's on employees of the division in question, though not always.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. See this as an opportunity by houghi · · Score: 1

    Now they can make a law that will allow police to search your data without any court order in the interst of Queen and country. Because YOU could be the one that has that unknown data. As such you are also the potential criminal, so your DNS can be taken.

    So all people owning a portable will be searched and their DNA will be taken. Also people who live together, are related to, work together with, know somebody who or have ever seen somebody who either owns a portable, a computer, a device connected to the Internet or heard about it, will be searched and added to the database.

    No worries. Nobody can access that database or even hack it. It is placed on a portable so it moves around to avoid any physical attacks.

    --
    Don't fight for your country, if your country does not fight for you.
  15. Re:Newsflash: by Tim+C · · Score: 1

    Don't care? Don't read it. This site may be based in the US and heavily biased towards it, but it has an international readership.

    --
    It's official. Most of you are morons.
  16. TrueCrpt by rlp · · Score: 1

    Why didn't the UK mandate TrueCrypt (or equivalent) on laptops holding sensitive data?

    --
    [Insert pithy quote here]
    1. Re:TrueCrpt by gmccloskey · · Score: 1

      They have - by mandating that appropriate controls are implemented, including full disk encryption. See http://www.cabinetoffice.gov.uk/spf/sp4_isa.aspx - specifically requirement #40.

      Truecrypt is not a product tested and approved by http://www.cesg.gov.uk/ so it can't be used for UK government business. If someone is willing to pony up the accreditation fees, and it passes, then it can be used.

      These new UK gov regulations are interesting - they make specific nominated individuals in every government organisation personally responsible for data security - with penalties including fines and prison. Unsurprisingly, data security is now very heavily implemented and monitored.

    2. Re:TrueCrpt by Anne+Thwacks · · Score: 2, Insightful
      If it is anything like the rest of the present government policies, the actual requirement is to put a tick in a box labeled "Data is secure", and then apply a signature resembling "D. Duck" at the bottom of the paper, which is then filed along with 2,000,103 other pieces of identical paper with no way of tracing which piece applies to which equipment. My Guess is that Donald Duck had best be afraid ... very afraid. As should anybody in the UK who would prefer his personal data is not on sale at a market somewhere in India at this very moment.

      It is quite safe to assume any statements above about the government's supposed competence are the work of paid shills. In the last 10 years, the government has not previously shown any signs of competence.

      a) "It is illegal to import a potato knowing it to be Polish" "Honest, Sir, I did not know that potato was Polish. It does not even have a Polish accent!"

      b} "What will the government say if it gets out in the press?" "We will plead corporate insanity"

      --
      Sent from my ASR33 using ASCII
    3. Re:TrueCrpt by VoiceOfDoom · · Score: 1

      If someone is willing to pony up the accreditation fees

      ....twenty thousand quid. Not surprisingly, the list of CAPS-approved products is quite short and the suppliers that *are* accredited are a) making a mint and b) not inclined to improve their clunky, difficult-to-administer products in any way since all UK Govt clients are locked in to using them anyway.

      --
      "Life is pain Highness. Anyone who says otherwise is selling something"

      Westly, The Princess Bride

    4. Re:TrueCrpt by rlp · · Score: 1

      Not surprisingly, the list of CAPS-approved products is quite short

      PGP Whole Disk Encryption is on the 'CAPS-approved' list.

      --
      [Insert pithy quote here]
  17. Re:Newsflash: by lorg · · Score: 1

    Why not? Perhaps you should. You think they only contain secrets relevant to the UK? How can you be sure.

    If a spy agency, any, loose data/intel it is probably a concern to more then the people in the country where the agency belongs since spying is a global business.

  18. Re:Underground? by jabithew · · Score: 1

    Yeah. They are. Been on the Tube recently?

    --
    All intents and purposes. Not intensive purposes.