Slashdot Mirror


Heathrow Airport Security Files Found on USB Stick In The Street (bbc.co.uk)

"The BBC is reporting a security probe after security data about Heathrow was discovered on a USB found on the street," writes long-time Slashdot reader Martin S. From the article: The Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect the Queen. A man found it in west London and handed it into the paper, it said. Heathrow said all of its security plans had been reviewed and it was "confident" the airport was secure. "We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future," it said.
The Mirror reports that the USB stick was not encrypted and did not require a password, according to an article shared by Slashdot reader rastos1. Insiders "admitted it sparked a 'very, very urgent' probe, and that it posed 'a risk to national security'."

116 comments

  1. If you are the CTO ... by BoRegardless · · Score: 4, Insightful

    Security only applies to everyone else.

    1. Re: If you are the CTO ... by dougdonovan · · Score: 4, Funny

      obviously an hourly wage security person is missing their usb.

  2. Don't be scared... by Anonymous Coward · · Score: 0

    Don't be scared..., be very frightened, but don't be scared.

  3. Can't be by nospam007 · · Score: 3, Funny

    In the UK, USB sticks with sensitive or secret info always have to be forgotten in an underground car, it's the law.

    1. Re:Can't be by rtb61 · · Score: 2

      This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... this is not a decade or more ago, absolutely no need to carry them anywhere, well, only one need. That need being, selling it, everything contracted is contracted to the highest bidder, so as for national security issues. Highest bidder for that information, in the entire chain of handling of that data, according to typical corporate practices is entitled to that data. It might not have been totally nefarious, just moderately nefarious (setting up hard wired hack points, new sources of data, security holes that can be readily breached etc). The only reason to lose it on a subway, it would have been secured on their person, was fear and panic disposal, this depending upon any traceable data on the device, device clean, then dropped in panic, device full of identifying stuff, then just a clumsy idiot (in probability terms).

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Can't be by Anonymous Coward · · Score: 0

      Quite. And if the data's on a CD or paper, it has to be left on a train.

    3. Re:Can't be by nospam007 · · Score: 1

      "This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them anywhere,"

      The word you're looking for is 'stupidity'.

  4. The North Koreans stole it! by Alain+Williams · · Score: 2

    I believe that it is them who we currently blame for all things like this.

    1. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      No, you're wrong! I have irrefutable conjecture and speculation that says it could only have been the Russians. What more proof do you need?

    2. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      Mexicans actually.

    3. Re: The North Koreans stole it! by Reverend+Green · · Score: 2

      Obviously it was the French. It's always the French.

    4. Re: The North Koreans stole it! by Hal_Porter · · Score: 1

      The 'Russian collusion/Russia threat' meme will disappear from the media now the NYT and WashPo have reported that Hillary's campaign paid for the Steele dossier.

      Before that it reflected badly on Trump, and now it reflects badly on Hillary and the Democrats. And only 7% of journalists are Democrats. So it will simply drop off the short list of stories they talk about because talking about it doesn't fit their preferred narrative.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      What are you even doing on slashdot?

      This is a place for engineers and scientists (and other nerds). An engineer or scientist should not care where the data came from, but rather whether or not it is accurate.

      If it is accurate, then it reflects poorly on Trump. If it is not accurate, then it reflects poorly on Clinton.

      However, the investigation is ongoing, and conclusions should wait until said investigation is complete.

    6. Re: The North Koreans stole it! by Hal_Porter · · Score: 2

      If it is accurate, then it reflects poorly on Trump. If it is not accurate, then it reflects poorly on Clinton.

      My point being that the NYT/WashPo/CNN etc all talked about Russian collusion when they thought Trump was guilty of it, despite having no evidence of a crime. Then it came out that Clinton's campaign had illegally paid for the Steele dossier from Russia - the illegality comes from paying a law firm to pay FusionGPS which eventually paid him. The FEC requires campaign expenditure over $200 to be itemised. I predict the Democrat supporting media will simply stop talking about Russia at this point.

      And I'd say if you're interested in truth, don't trust any of these news sources. They'll report things they know to be untrue, or at least have no evidence for if they think that report will help their party. And they'll not report things for which there is evidence if they think reporting those things will hurt their party. In fact the NYT freely admitted it was giving up old fashioned notions of impartiality and checking things were true before the election

      https://www.nytimes.com/2016/0...

      I.e. what news they report is solely determined by whether they think it will move things in their direction politically, not whether they actually think the report is true or not.

      And incidentally engineers and 'nerds' are hardly immune to this sort of intellectual dishonesty and sloppiness as any arguments over the merits of hardware or software will tell you. Fanboys exist in both politics and engineering.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    7. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      Why is Clinton even relevant? She lost. The Dems were split between the Bernie faction and the DINOs who do nothing before the purge. If she becomes a candidate again in 2020, Trump will win again. 2024? It will be Pence or perhaps some libertarian. In fact, since the DNC ejected anyone for Bernie, they are destined for a minority stake in Congress for the indefinite future, since they have nothing the voters want (people who are pro-corporation go Republican, and the people who actually had a reasonable platform are not there anymore.) Yes, Clinton did use her machinations to win the primary, but she didn't just lose the election by burning the Bernie supporters... she has ensured that only Libertarians and Tea Party people run the country now, and for a long time to come.

    8. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      And exactly what does ANY OF THIS have to do with the price of tea in China?

      You won, get over it, stop deflecting, stop whining about Hillary, stop wringing your hands over the Russia thing, DO SOMETHING USEFUL.

      Oh wait, you never expected to win, and now that you have you are having a hard time transitioning from campaigner to leader?

    9. Re: The North Koreans stole it! by Hal_Porter · · Score: 1

      He's not my leader and I didn't win. I'm not a US citizen. I'm pointing to the staggering intellectual dishonesty of accusing him of Russian collusion for a year with no evidence and when evidence comes out Hillary did collude - and probably broke FEC rules doing it - simply stopping talking about Russia.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    10. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      That's just American partisan politics.

      How many times did we have to read the phrase "Benghazi", as if it was a magical spell?

      Very sad. Worst part is that partisans of both stripes will always put party above accountability, so individuals will stand by bad leaders well past their due date and scramble to pivot once their moment has passed.

      Ain't nobody begging for Hillary's endorsement now that she's not running for president.

    11. Re: The North Koreans stole it! by Anonymous Coward · · Score: 0

      As long as the Dems can put a candidate up who can sit down, shut up, and not shoot themselves in the groin, I fully expect a repeat of 2008 in 2020, with Republicans running for the hills from their toxic candidate once he loses.

      The Republicans could have won with such a candidate in 2012, but the individual candidates were all fairly weak.

      Of course, it's no guarantee that he'll lose, but historically, two presidents below 50% in their final approval rating before the election -- George W. Bush and Harry Truman -- won, and three, Gerald Ford, Jimmy Carter, and George H.W. Bush, lost. George W. Bush had approval ratings in 2004 higher than Mr. Trump has ever seen, and Truman winning a second term was famously an upset.

      Going into 2018, polling is suggesting that Mr. Trump has a time limit on how long "easy mode" is in place. Polling is suggesting that voters will start putting Democrats in the legislature to act as a balance. Having failed a year in to enact any of his promises, and now fighting with the same Republicans he needs to get his agenda through, he's got about another year to get all his promises through until he's got to negotiate with Democrats.

    12. Re: The North Koreans stole it! by DutchUncle · · Score: 1

      Who dropped Russia off the list of stories? Which news agency have you been ignoring the most lately?

  5. One for the collection by Anonymous Coward · · Score: 0

    We've seen DVDs lost in the mail, USB sticks left on the bus, on the train, and in taxis. Somewhere in the street is new, though. Now, any bets as to where we'll find accidentally left interesting data next?

  6. Incompetence or something sinister? by Wh1t3Rabbit2084 · · Score: 0

    Are the police and relevant authorities confident that this was something that was an internal blunder, and not something more sinister? If this was an accidental issue, the person who committed the blunder should be held to account. While I'm hoping that this is the most likely account and thus most probable, I'm not discounting malice of intent from an insider or terrorist. Either way, this really isn't good.

    1. Re:Incompetence or something sinister? by Anonymous Coward · · Score: 0

      Or b.s. fake news to get the public all agog? Believe nothing you hear today, except what you know for sure.

  7. Plans by Anonymous Coward · · Score: 0

    I'm so worried about the baggage retrieval system they have at Heathrow.

    1. Re:Plans by Opportunist · · Score: 1

      So I get it you have to use it a lot, too? Our self-help group meets every Wednesday.

      Don't worry. Your luggage will be found. I'm absolutely confident. You just must not lose hope.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Plans by Anonymous Coward · · Score: 0

      Excellent Monty Python quote

      I'm so worried about what's happenin' today, in the middle east, you know
      And I'm worried about the baggage retrieval system they've got at Heathrow
      I'm so worried about the fashions today, I don't think they're good for your feet
      And I'm so worried about the shows on TV that sometimes they want to repeat

      I'm so worried about what's happenin' today, you know
      And I'm worried about the baggage retrieval system they've got at Heathrow
      I'm so worried about my hair falling out and the state of the world today
      And I'm so worried about bein' so full of doubt about everything, anyway

      I'm so worried about modern technology
      I'm so worried about all the things that they dump in the sea
      I'm so worried about it, worried about it, worried, worried, worried

      I'm so worried about everything that can go wrong
      I'm so worried about whether people like this song
      I'm so worried about this very next verse, it isn't the best that I've got
      And I'm so worried about whether I should go on, or whether I should just stop

      I'm worried about whether I ought to have stopped
      And I'm worried about, it's the sort of thing I ought to know
      And I'm worried about the baggage retrieval system they've got at Heathrow

      I'm so worried about whether I should have stopped then
      I'm so worried that I'm driving everyone 'round the bend
      I'm worried about the baggage retrieval system they've got at Heathrow

  8. No Excuse! by Murdoch5 · · Score: 3, Informative

    Why wasn't the USB key in question a high security, hardware encrypted device? There is no reason to not have a military FIPS-140-2, AES encrypted USB key that can self wipe and self destruct, with full location tracking and remote kill switch.

    There is no excuse for files of this importance to be left on a "normal" key. Who ever provided the key and who ever takes care of the systems the files were copied off of, should face criminal charges.

    1. Re:No Excuse! by Anonymous Coward · · Score: 1

      SNOWDEN IS HERO TO THE PEOPLE

    2. Re:No Excuse! by Anonymous Coward · · Score: 0

      More likely an overburdened employee that had to keep working with these files... You would be surprised how much convenience wins over security even in higher ranks.

    3. Re:No Excuse! by Opportunist · · Score: 1

      My money is on the idiot who lost it didn't even know that such encrypted USB keys exist.

      What you're most likely dealing with here is some idiot C-level who will not even get fired for that blunder.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re: No Excuse! by Anonymous Coward · · Score: 0

      Other than FIPS not being UK accredited, and trackers not being allowed in most places that data is generated and 99% of products require a Windows OS. Plenty of reasons for unencrypted media, they just never leave the F****** room.

    5. Re:No Excuse! by GuB-42 · · Score: 2

      Snowden used encryption in a way that would be considered paranoid for normal people.
      What kind of whistleblower/traitor/hero/terrorist would know enough to get access to secret documents but be dumb enough to lose an unencrypted USB key in the street. I can imagine using an unencrypted key for stealing data when there is no other choice but definitely not keeping it that way.

      An employee screwing up makes a lot more sense to me.

    6. Re: No Excuse! by Anonymous Coward · · Score: 0

      You might have unencrypted USB in a secure area, but it shouldn't have classified anything on it ever.

    7. Re:No Excuse! by GuB-42 · · Score: 2

      Though I prefer the major fuck up hypothesis, who said the data is real and not deliberate misinformation.

      Also I think that all the James Bond style security is overkill. This is definitely confidential information but not top secret. Well implemented AES is more than sufficient. In fact a fancy USB stick will raise a lot more attention. Not a good thing.

    8. Re: No Excuse! by Zero__Kelvin · · Score: 5, Insightful

      Everyone who uses encryption uses it in a way that would be considered paranoid by normal people. Normal people don't understand encryption and have no idea they even use it when they do (e.g. https)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: No Excuse! by Zero__Kelvin · · Score: 1

      It is ridiculous to say virtually unbreakable security is a bad idea because it will draw more attention. It can draw as much attention as you can imagine, all of which will be in the form of: "Hey, get a look at all these ones and zeroes that mean nothing to us and never will"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:No Excuse! by Antique+Geekmeister · · Score: 2

      I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.

    11. Re: No Excuse! by Reverend+Green · · Score: 1

      Because it's fictional...

    12. Re: No Excuse! by Anonymous Coward · · Score: 0

      The people demand an unconditional pardon and the Medal of Freedom for national hero Snowden.

    13. Re: No Excuse! by Anonymous Coward · · Score: 0

      Normal people don't understand encryption and have no idea they even use it when they do (e.g. https)

      And most "normal" people shouldn't be using the internet without basic knowledge, due to the risks and potential for abuse, but then again, instead of holding them up as the standard, I would call them for what they really are: Idiots.

      Just because most people are ignorant doesn't make it OK. Those jumping on the bandwagon are still subject to its consequences, even if they cannot recognize nor care about them.

    14. Re:No Excuse! by The+Cynical+Critic · · Score: 1

      Why wasn't the USB key in question a high security, hardware encrypted device?

      My guess is that it's either because somebody copied work files onto their personal USB drive despite copying files off the agency network onto personal devices being banned, or then management trusted that employees would treat USB drives containing classified documents with the same care they treat paper media copies of the same documents.

      Either way, at the very least somebody needs to start looking for a new line of work because this is just something which should never happen, plain and simple.

      --
      "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
    15. Re: No Excuse! by Zero__Kelvin · · Score: 1

      Most normal people are idiots, but not all are, and some abnormal people like yourself are idiots who read what I wrote and decide it said a whole lot of stuff it didn't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    16. Re:No Excuse! by Anne+Thwacks · · Score: 1

      My bet is the person who lost it still has 199 more with the same data on, so he won't miss it. Probably some are already in Iran/Moscow/Azerbaijan/Karachi or wherever they are supposed to be, and the rest are hidden behind the seats on Circle Line trains.

      --
      Sent from my ASR33 using ASCII
    17. Re:No Excuse! by Anne+Thwacks · · Score: 1

      with the same care they treat paper media copies of the same documents

      They did. This is the UK - top security documents are often found blowing around in the streets.

      --
      Sent from my ASR33 using ASCII
    18. Re:No Excuse! by Anonymous Coward · · Score: 0

      Because that goes against the UK's M.O. that encryption is the devil.

    19. Re:No Excuse! by Anonymous Coward · · Score: 0

      Ideally, there is no excuse.

      That said, the real excuses are:
      - how do we update personnel, practices, and provide more security minded training, when we're already on a budget crunch, over-worked, stuck in ineffective 'cheer-leading' sessions, by corporate C levels.

      Granted I'm speaking more to the US counterparts, however I have a hard time believing across the pond isn't so far removed from the absurd hurdles that come up when trying to introduce something as trivial as using a 'secure USB' drive.

    20. Re:No Excuse! by ctilsie242 · · Score: 1

      This. It is trivial to ensure data on a USB flash drive is encrypted:

      1: $50 gets you an Iepin hardware encrypting USB drive that has a keypad on it. Ten wrong guesses, and you have a blank USB hard drive. You can get an IronKey drive for a bit more that has actual epoxy potting and physical destruction of circuits if one tries to guess the password too often.
      2: BitLocker, FileVault, LUKS, and VeraCrypt are common and easy to use. If you have a keyfile at home and at work, and you use VeraCrypt, an attacker has no way to decrypt the drive, except for a brute force against the entire 256 bit length, or physically breaking into the two locations.
      3: If policies lock out encryption on the drive level, WinZIP, WinRAR, Acrobat and Microsoft Word can all AES-128 encrypt any files and encapsulate them in their own format.
      4: Any big company has some security/compliance education to teach people the dangers of unencrypted media, be it tape, CDs, or whatnot.
      5: One's smartphone can carry data. Both iOS and Android support the ability to copy files to the device, and both have apps that can actually create and open VeraCrypt containers on the device for further security. A rooted Android phone can even mount the VC container so you can copy stuff directly into it.
      6: There are commercial utilities like Boxcryptor which make encryption extremely transparent.
      7: If policies lock out software solutions, then that is what a hardware encrypted drive is for (see #1.)

      Ten years ago, there might have been an excuse. These days, with encryption so easy to access and use, there isn't an excuse for this. I almost wonder if the USB flash drive being lost was a deliberate act of sabotage.
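
An added example, not part of the original comment or of any tool named in it: a Python sketch that checks whether the start of a removable volume carries a LUKS or BitLocker header, a plaintext FAT/exFAT/NTFS boot sector, or headerless high-entropy data (which is how a VeraCrypt volume appears on disk). The function names, the 7.9 bits/byte threshold and the sample bytes are assumptions constructed for illustration.

```python
"""Classify the first bytes of a removable volume as encrypted, plaintext or unknown.

Added illustration; names, threshold and sample bytes are constructed assumptions.
"""
import hashlib
import math
import sys

HEAD_SIZE = 4096                   # bytes read from the start of the volume
LUKS_MAGIC = b"LUKS\xba\xbe"       # LUKS1/LUKS2 header magic at offset 0
BITLOCKER_OEM = b"-FVE-FS-"        # BitLocker boot-sector OEM ID at offset 3
ENTROPY_THRESHOLD = 7.9            # assumed cut-off, bits per byte over 4 KiB

# (offset, marker, label) for boot sectors of unencrypted filesystems
PLAINTEXT_MARKERS = [
    (3, b"NTFS    ", "NTFS"),
    (3, b"EXFAT   ", "exFAT"),
    (82, b"FAT32   ", "FAT32"),
    (54, b"FAT16   ", "FAT16"),
    (54, b"FAT12   ", "FAT12"),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def classify_volume(head: bytes) -> tuple:
    """Return (kind, verdict); verdict is 'encrypted', 'plaintext' or 'review'."""
    if head[:6] == LUKS_MAGIC:
        version = int.from_bytes(head[6:8], "big")
        return (f"LUKS{version}", "encrypted")
    if head[3:11] == BITLOCKER_OEM:
        # Only this OEM ID is checked; other BitLocker variants may differ
        # and would fall through to the checks below.
        return ("BitLocker", "encrypted")
    for offset, marker, label in PLAINTEXT_MARKERS:
        if head[offset:offset + len(marker)] == marker:
            return (label, "plaintext")
    # A VeraCrypt volume has no signature: it looks like random bytes, but so
    # does a drive overwritten with random data, so this is only flagged.
    if len(head) >= HEAD_SIZE and shannon_entropy(head[:HEAD_SIZE]) > ENTROPY_THRESHOLD:
        return ("headerless high-entropy data", "review")
    return ("unrecognised", "review")


def read_head(path: str) -> bytes:
    """Read the first HEAD_SIZE bytes of a volume device or image file."""
    with open(path, "rb") as handle:
        return handle.read(HEAD_SIZE)


def constructed_samples() -> dict:
    """Synthetic volume starts, built here for the demo (not real captures)."""
    def pad(data: bytes) -> bytes:
        return data.ljust(HEAD_SIZE, b"\x00")

    fat32 = bytearray(512)
    fat32[0:3] = b"\xeb\x58\x90"           # x86 jump instruction
    fat32[3:11] = b"MSDOS5.0"              # OEM ID
    fat32[82:90] = b"FAT32   "             # filesystem type string
    fat32[510:512] = b"\x55\xaa"           # boot signature
    # Deterministic random-looking bytes standing in for a headerless container
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(HEAD_SIZE // 32))
    return {
        "luks2": pad(LUKS_MAGIC + b"\x00\x02"),
        "bitlocker": pad(b"\xeb\x58\x90" + BITLOCKER_OEM),
        "fat32": pad(bytes(fat32)),
        "random-looking": stream,
        "blank": pad(b""),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Paths are volume devices or image files (a partition, not a whole disk)
        for path in sys.argv[1:]:
            print(path, classify_volume(read_head(path)))
    else:
        for name, head in constructed_samples().items():
            print(name, classify_volume(head))
```

Run without arguments it classifies the constructed samples; given paths, it expects a volume or partition image rather than a whole disk that begins with a partition table.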

    21. Re: No Excuse! by ctilsie242 · · Score: 1

      Normal people may not know how exactly the mechanism of their deadbolt at home works, but they turn the key and ensure it is locked. They may not know how their car's remote does a handshake with the vehicle's computer, but they at least know how to press the lock button.

      Computer encryption is insanely easy. You don't have to know about S-boxes or shifting stuff around to click on a file, click "encrypt", type in "correct horse battery staple" and be on your way.

    22. Re:No Excuse! by Anonymous Coward · · Score: 0

      My money is on the idiot who lost it didn't even know that such encrypted USB keys exist.

      What you're most likely dealing with here is some idiot C-level who will not even get fired for that blunder.

      If he/she weren't trained on security by their employer in order to perform their duties, one cannot say they are at fault.

    23. Re: No Excuse! by thegarbz · · Score: 1

      Everyone who uses encryption uses it in a way that would be considered paranoid by normal people.

      You have a dim view of normal people. There are plenty of normal people who consider encryption in its most basic form as meaning "not wanting others to see my personal files". That isn't paranoid behavior and few would consider it as such.

      But then when you start talking about layering encryption, embedding hidden volumes in primary volumes for plausible deniability, using software that intentionally doesn't change the last modified date of encrypted archives to hide actions, you'll quickly get considered paranoid by normal people and nerds alike.

    24. Re:No Excuse! by Anonymous Coward · · Score: 0

      I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.

      Which is where things like Group Policy come in: simply set it so that any media inserted has to be encrypted, and if you want an exception you have to get the OK from not your immediate superior, but someone above them.

      I've seen too many tickets where an employee asks for something, CCs their manager, who does a rubber stamp "approved". This may be fine for small things, but (IMHO) not so much for overriding the company's security policy.

      Nowadays there's no reason why all media shouldn't be encrypted by default.

    25. Re: No Excuse! by Zero__Kelvin · · Score: 1

      Most people figure they already have that covered by using a password, if they bother to go that far, and "nobody would want to get at any of my files anyway, LOL" If you don't know this then you have never tried to have a discussion about encryption with laymen.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    26. Re: No Excuse! by thegarbz · · Score: 1

      Most people figure they already have that covered by using a password

      You're right. Especially for things like USB sticks where ones with built in password protection are already seeing a rise in popularity.

    27. Re: No Excuse! by Anonymous Coward · · Score: 0

      Government austerity? Only the private sector can have nice things apparently.

  9. Careless people meet data density by SlaveToTheGrind · · Score: 1

    This is exactly the same as dropping a scribbled napkin or leaving a folder in a seat -- just much more information in much smaller of a form factor.

    And I'm not really sure what is going to change this. If there's a way to enforce the use of encrypted flash drives, that would help. But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

    1. Re:Careless people meet data density by Jeremi · · Score: 1

      But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

      No doubt -- the only real solution is to make it so that the appropriate security mechanisms can be put in place without incurring any extra layers of bother, so that people won't try to circumvent them. Of course that's much easier said than done.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  10. the man who found it will face charges and be hit by Joe_Dragon · · Score: 0

    the man who found it will face charges and be hit with a bill to fix it as damages.

    When you have something like this you hand it over to someone who can leak it with no traces back to you.

  11. Maybe it was accidentally dropped... by Anonymous Coward · · Score: 2, Funny

    by the new airport cyber security expert, that used to work at Equifax up until a few months ago.

  12. Who plugs in USB drives found in the street? by h33t+l4x0r · · Score: 4, Insightful

    I'd sooner chew gum found in the street.

    1. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 5, Interesting

      I do. It's my job.

      Then again, I plug it into systems that exist for that sole reason...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Who plugs in USB drives found in the street? by Anonymous Coward · · Score: 0

      "Mannnnnnn, you ain't got no job, Tommy" - Martin

    3. Re:Who plugs in USB drives found in the street? by datavirtue · · Score: 2

      This incident has made those loose flash drives all the more tempting. No one can resist examining a random flash drive. It is like finding a wallet. You have to open it and rifle through the whole thing.

      --
      I object to power without constructive purpose. --Spock
    4. Re:Who plugs in USB drives found in the street? by Antique+Geekmeister · · Score: 1

      Especially with these on the market:

      > http://www.popularmechanics.co...

    5. Re:Who plugs in USB drives found in the street? by Anonymous Coward · · Score: 0

      RTFA. He plugged it to a library machine. That's what they're for :p

    6. Re:Who plugs in USB drives found in the street? by Anonymous Coward · · Score: 0

      What's the title of your job and what company do you work for?

    7. Re:Who plugs in USB drives found in the street? by coofercat · · Score: 3, Funny

      The digital 'glory hole' ;-)

    8. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 1

      The title is IT security researcher&consultant and the company I work for deals with security in the financial sector.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Who plugs in USB drives found in the street? by thegarbz · · Score: 1

      I do. I also do other risky things like drive a car to work, and go scuba diving. The trick is that I manage the risk.

      Would I chew gum found in the street? Well maybe if I ran a lab that was capable of testing for dangerous organisms, but then it would likely still taste like shit. At least a USB stick is useful.

    10. Re:Who plugs in USB drives found in the street? by Anonymous Coward · · Score: 0

      I chew gum found on the street. If it's in sealed, original packaging, and appears not to be tampered with.

      A lot of dismissive commentary here on /. assumes that every action has a nefarious motive, or that any possibility at all of evil intent justifies the most extreme security measures. That type of thinking is excessive and mostly paranoid.

      In the real world you assess risks and then make a decision. I do it, you do it, everyone does it. Stop pretending otherwise.

    11. Re:Who plugs in USB drives found in the street? by Hognoxious · · Score: 1

      Not sure why that means random USB keys found in the street are your concern.

      If you were a hospital lab technician would you analyse every puddle of piss you found as you were taking a stroll?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 1

      Only if I get paid to do so. Or if I have reason to assume an epidemic might be afoot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Next weeks news: by burtosis · · Score: 1

    Mysterious USB drive discovered and found on the street plugged directly into sensitive Heathrow servers, believed to be the cause of all grounded air traffic across Europe.

    1. Re:Next weeks news: by llamahunter · · Score: 1

      Yeah, hope they sandboxed the crap out of whatever hardware they plugged that USB drive into.

    2. Re:Next weeks news: by aaarrrgggh · · Score: 1

      It just takes a Raspberry Pi; it isn't rocket science. You can't trust the electronic files, but you can print or PDF safely enough. Of course you eliminate networking...

  14. Re:If you are the CTO ... by Opportunist · · Score: 1

    This is grounds to quit on the spot if you're the CISO.

    Security is as good as the weakest link. Usually that weakest link is found in the C-Level and their secretaries. These people know ZERO about IT security but demand full privileges over their systems.

    The only reason you don't get to hear about it too often is that they are also the people who would fire people for being incompetent fools who jeopardize security...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. In the olden days, by Anonymous Coward · · Score: 0

    Hackers dropped USB sticks for the office workers to find. Today, the government officials and security professionals drop USB sticks in public spaces for the terrorists and criminals to find. They just didn't mean to.

    1. Re:In the olden days, by Anonymous Coward · · Score: 0

      In the olden days (2002 or so), the bad guys dropped "MP3 CDs" with an autorun.inf pointing to a malicious installer which autoinstalled onto Windows 2000 and XP. I remember a startup completely hosed by one of those, which not just installed BackOrifice, but copied all Word and other documents to a site overseas, and once done, did a mass delete. A stack of those CDs mysteriously appeared on the receptionist's counter. Six months later, the startup was gone, because an overseas competitor offered the same services to the startup's customers for a fraction of the price, as well as making a note that all the customer's records with the startup were copied over.

  16. Welcome to the TrumpVerse, UK! by Anonymous Coward · · Score: 0

    Get used to it!

    Boobs in Chaaaarge!

  17. OUCH! by Anonymous Coward · · Score: 0

    "handed it into the paper"

    Neat trick!

    Or did they mean "handed it IN TO the paper". Two words - VASTLY different meaning.

  18. Slight correction by Harold+Halloway · · Score: 1

    A man found it in west London and handed it into the paper

    Should read:

    A man found it in west London, checked the contents and then hawked it round the gutter press, eventually selling it to the highest bidder.

  19. Meanwhile here on the otherside of the pond by jmccue · · Score: 1, Troll

    I wonder if the person who found it is in trouble?

    On the other side of the pond I fear that person would have been arrested and facing life in prison. Hate to be so cynical, but I remember 1 or 2 cases where a person was facing outrageous penalties (Aaron Swartz for one) for doing nothing harmful.

    1. Re: Meanwhile here on the otherside of the pond by Anonymous Coward · · Score: 1

      Listen, Aaron didn't have to die. He chose that route. He would have served 2-3 years. He was a bright person who wanted information to be free. He just got caught with his dick in the honey jar.

      But comparing Aaron to this situation is very irresponsible. What Aaron did was illegal (even if what he did was moral). Finding a USB stick and using it is not illegal.

    2. Re: Meanwhile here on the otherside of the pond by datavirtue · · Score: 1

      Great. Now random flash drives are going to become even more irresistible than they already were. Every security manager's worst nightmare.

      --
      I object to power without constructive purpose. --Spock
  20. Re:the man for found it will face changers and be by Anonymous Coward · · Score: 0

    When you have something like this you hand it over to someone who can leak it with no traces back to you.

    What in the FUCK is wrong with you? Life isn't some James Bond movie where the good guy always wins. This information is practically a blueprint for a terrorist attack. Think you'll rest easy knowing you were the responsible party who leaked information that ended up taking innocent lives, as if "no traces" is the most important thing here? Wake the fuck up.

    When you have something like this you hand it over to the responsible party to prevent a leak. We have enough security breaches in the world driven by ignorance and incompetence. We don't fucking need more driven by stupid asshats who want to pull the pin on the grenade just to see what leaks out.

  21. USB in the Street? by Anonymous Coward · · Score: 0

    Sounds sorta familiar.

    With a healthy bit of conspiracy thinking, I hope the drive was checked and tested on insulated equipment.

    https://en.wikipedia.org/wiki/Stuxnet

    Granted, it could be good old-fashioned incompetence, so it should also be tempered with Hanlon's razor.

  22. "A USB" by Mr0bvious · · Score: 1

    Where do they find these editors?

    "A USB", please, I feel ashamed coming here now. A new low.

    --
    Never happened. True story.
    1. Re:"A USB" by crimson+tsunami · · Score: 1

      Why? How many did you think there were?

    2. Re:"A USB" by Anonymous Coward · · Score: 0

      "A USB", please, I feel ashamed coming here now.

      Why, don't you find interface standards laying around on the street? I saw an RS-232 in an alley a few weeks back and a Centronics on the sidewalk a few months back, but I didn't pick them up. Nobody has anything to plug those into anymore. :(

    3. Re:"A USB" by JamesKeane7745 · · Score: 1

      Where do they find these editors?

      "A USB", please, I feel ashamed coming here now. A new low.

      While it may not sit comfortably with you, 'A USB' has clearly now passed into common language in this context to mean 'A portable storage device, with a USB A connector supporting the USB mass storage device type'.

      I guarantee that if I shout over to my colleague across the room 'Have you got a USB I can borrow', he will pass me a USB flash drive rather than either a port, a section of motherboard, or a standard.

  23. And what? by Anonymous Coward · · Score: 0

    What do we call it when security depends on potential attackers just not knowing what measures you've taken?

    From where I sit, Heathrow's security has a pretty good record. It's a high profile target with a huge volume and variety of traffic - the world's busiest airport, by some measures - and yet no significant attack has got through it in more than 25 years.

  24. I cracked the case... by datavirtue · · Score: 1

    "We have also launched an internal investigation to understand how this happened..."

    Let me tell you what happened. Someone dumped the files onto a flash drive and dropped it somewhere.

    --
    I object to power without constructive purpose. --Spock
  25. My mom always told me... by tofleplof · · Score: 2

    not to plug usb-sticks-found-in-the-street into my computer.

    1. Re:My mom always told me... by Hognoxious · · Score: 1

      Guy's homeless. He doesn't have a computer.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:My mom always told me... by Anonymous Coward · · Score: 1

      That's why he went to a library and used their computer (in reality he was on the way to the library to use their computer for job hunting when he found it).

  26. Re: If you are the CTO ... by I75BJC · · Score: 1

    LOL!!!

  27. In Other News by QuadEddie · · Score: 1

    In other news, an airport security presenter was extremely embarrassed when plugging in his USB stick to find 32gb of child porn.

  28. Encryption by Anonymous Coward · · Score: 0

    The Mirror reports that the USB stick was not encrypted and did not require a password, according to an article shared by Slashdot reader rastos1. Insiders "admitted it sparked a 'very, very urgent' probe, and that it posed 'a risk to national security'."

    At least we know it was the good guys, because in the UK only terrorists use encryption.

  29. Only an idiot plugs in a found USB by Martin+S. · · Score: 3, Interesting

    My original submission included making the point that only an idiot plugs in a found USB but this has been removed in the edit and my scepticism has been lost.

    The reported fact that this was found on the street amongst fallen leaves is highly unlikely and suspicious. It does provide plausible deniability for the journalist over their source, but my money is this will be revealed to be a hoax.

    The newspaper that published this story offers to pay for stories. My belief is that there is a very good chance this will be revealed to be entirely a hoax. An assembly of public source data to get a reward/story bounty from the newspaper.

    It is possible, but unlikely this could be a honey trap for the journalist, or anybody with the USB including attack code intended to compromise their PC/Network. This is how STUX worked.

    1. Re:Only an idiot plugs in a found USB by jabuzz · · Score: 1

      Depends what you are plugging it into. I sure as hell would not plug it into any sort of x86 hardware. But an un-networked Raspberry Pi, sure. Or even a networked Raspberry Pi that is stuck in a VLAN all of its own and firewalled up the wazoo.

      I personally doubt very much however that it is a hoax of any description.

    2. Re:Only an idiot plugs in a found USB by thegarbz · · Score: 1

      You're making a lot of assumptions about the actions of plugging in a USB stick.

      It's like saying that given the odds of people dying in a car accident only an idiot would get in a car. You ignore many variables, many risks, many controls, and by simplifying such a complex action into a single accusative soundbite your original submission had every reason to be edited and have that line removed.

  30. hmmm.. by SuperDre · · Score: 2

    And why did the finder give it to a paper and not to the police (which is what he should have done). I wonder how much money he got from the paper...

    1. Re:hmmm.. by Anne+Thwacks · · Score: 1

      why did the finder give it to a paper and not to the police

      To be fair, the police probably would not know what a USB stick was.

      Anyway, this is the UK - a USB stick is probably safer lying in a puddle in the street than in a "secure" government institution.

      --
      Sent from my ASR33 using ASCII
  31. Re:If you are the CTO ... by Anonymous Coward · · Score: 1

    A real CISO would find out about the leak, sell and short their stock, make the announcement and make it sound as horrific as possible, take the profits and walk away wealthy.

  32. Security? by Anonymous Coward · · Score: 0

    Who picks up a USB drive they found laying in the street and then proceeds to plug it into their computer to see what's on it?

  33. Re:If you are the CTO ... by slashrio · · Score: 1

    It wasn't a case of 'national security'.
    It would only involve a handful of passengers falling out of the sky.
    The state was nowhere at risk.

    --
    "Trump!!", the new Godwin.
  34. Re:hmmm.. (Duh...) by Anonymous Coward · · Score: 0

    Simple, using some intel channel they don't want disclosed they discovered or at least were led to suspect that the security plans were compromised.
    UK police or intelligence know that the security methods had to be changed so they sent an agent with the USB drive to a friendly reporter at the paper so they can safely change observable security practices without tipping off whoever the opponent is.

  35. silly git by Anonymous Coward · · Score: 0

    UK police are not interested in minor incidents like found USB drives with national security data or organized child trafficking targeting white girls.

    They only deal with real crimes like complaining about the UK being flooded with muzzies or leaving ham sandwiches near mosques.

  36. I will see your article and raise you a SHOP by laurencetux · · Score: 1

    https://usbkill.com/

    this is a site that actually sells working units (and a "filter" gizmo you can test with)

  37. revealing plans and security by obscurity by Anonymous Coward · · Score: 0

    Security only applies to everyone else.

    A security architecture / plan should (ideally) be effective even if it is known to the enemy, otherwise it's just security by obscurity. So while having it obscure is useful in that discovery is an extra hoop an attacker has to jump through, it shouldn't be relied on.

  38. Re:If you are the CTO ... by Anonymous Coward · · Score: 1

    From TFS:

    including details of measures used to protect the Queen.

    So...yea...'national security...'

  39. I'm not making assumptions. by Martin+S. · · Score: 1

    I'm pointing out several plausible alternatives that blow away the assumption that this is real.

    The likelihood that this would be 'found' in this way, that it would include sensitive data, that it would not be encrypted all amount to a fail of Occam's Razor in a very big way.

    The vast majority of lost USB drives will end up lost for ever, swept up in rubbish, buried in decaying leaf litter.

    That the device contained sensitive data, that it was found, that it was examined, that this data was unencrypted, that it found its way into the hands of a journalist all stretch the base assumption well beyond breaking point.

  40. Re:If you are the CTO ... by slashrio · · Score: 1

    When asked what would happen to England when Queen Elizabeth II would die, she allegedly answered: "Nothing, the country will just go on."
    So, no, not really 'national security'.
    Note however the 'alleged' part. :)

    --
    "Trump!!", the new Godwin.