Slashdot Mirror

← Back to Stories (view on slashdot.org)

Heathrow Airport Security Files Found on USB Stick In The Street (bbc.co.uk)

Posted by EditorDavid on from the removable-storage-media dept.

"The BBC is reporting a security probe after security data about Heathrow was discovered on a USB found on the street," writes long-time Slashdot readers Martin S. From the article: The Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect the Queen. A man found it in west London and handed it into the paper, it said. Heathrow said all of its security plans had been reviewed and it was "confident" the airport was secure. "We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future," it said.
The Mirror reports that the USB stick was not encrypted and did not require a password, according to an article shared by Slashdot reader rastos1. Insiders "admitted it sparked a 'very, very urgent' probe, and that it posed 'a risk to national security'."

70 of 116 comments (clear)

  1. If you are the CTO ... by BoRegardless · · Score: 4, Insightful

    Security only applies to everyone else.

    1. Re: If you are the CTO ... by dougdonovan · · Score: 4, Funny

      obviously an hourly wage security person is missing their usb.

  2. Can't be by nospam007 · · Score: 3, Funny

    In the UK, USB sticks with sensitive or secret info always have to be forgotten in an underground car, it's the law.

    1. Re:Can't be by rtb61 · · Score: 2

      This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... this is not a decade or more ago, absolutely no need to carry them any where, well, only one need. That need being, selling it, everything contracted is contracted to the highest bidder, so as for national security issues. Highest bidder for that information, in the entire chain of handling of that data, according to typical corporate practices is entitled to that data. It might not have been totally nefarious, just moderately nefarious (setting up hard wired hack points, new sources of data, security holes that can be readily breached etc). The only reason to lose it on a subway, it would have been secured on their person, was fear and panic disposal, this depending upon any traceable data on the device, device clean, than dropped in panic, device full of identifying stuff, than just a clumsy idiot (in probability terms).

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Can't be by nospam007 · · Score: 1

      "This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them any where,"

      The word you're looking for is 'stupidity'.

  3. The North Koreans stole it! by Alain+Williams · · Score: 2

    I believe that it is them who we currently blame for all things like this.

    1. Re: The North Koreans stole it! by Reverend+Green · · Score: 2

      Obviously it was the French. It's always the French.

    2. Re: The North Koreans stole it! by Hal_Porter · · Score: 1

      The 'Russian collusion/Russia threat' meme will disappear from the media now the NYT and WashPo have reported that Hillary's campaign paid for the Steele dossier.

      Before that it reflected badly on Trump, and now it reflects badly on Hillary and the Democrats. And only 7% of journalists are Democrats. So it will simply drop off the short list of stories they talk about because talking about it doesn't fit their preferred narrative.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re: The North Koreans stole it! by Hal_Porter · · Score: 2

      If it is accurate, then it reflects poorly on Trump. If it is not accurate, then it reflects poorly on Clinton.

      My point being that the NYT/WashPo/CNN etc all talked about Russian collusion when they thought Trump was guilty of it, despite having no evidence of a crime. Then it came out that Clinton's campaign had illegally paid for the Steele dossier from Russia - the illegality comes from paying a law firm to pay FusionGPS which eventually paid him. The FEC requires campaign expenditure over $200 to be itemised. I predict the Democrat supporting media will simply stop talking about Russia at this point.

      And I'd say if you're interested in truth, don't trust any of these news sources. They'll report things they know to be untrue, or at least have no evidence for if they think that report will help their party. And they'll not report things for which there is evidence if they think reporting those things will hurt their party. In fact the NYT freely admitted it was giving up old fashioned notions of impartiality and checking things were true before the election

      https://www.nytimes.com/2016/0...

      I.e. what news they report is solely determined by whether they think it will move things in their direction politically, not whether they actually think the report is true or not.

      And incidentally engineers and 'nerds' are hardly immune to this sort of intellectual dishonesty and sloppiness as any arguments over the merits of hardware or software will tell you. Fanboys exist in both politics and engineering.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    4. Re: The North Koreans stole it! by Hal_Porter · · Score: 1

      He's not my leader and I didn't win. I'm not a US citizen. I'm pointing to the staggering intellectual dishonesty of accusing him of Russian collusion for a year with no evidence and when evidence comes out Hillary did collude - and probably broke FEC rules doing it - simply stopping talking about Russia.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re: The North Koreans stole it! by DutchUncle · · Score: 1

      Who dropped Russia off the list of stories? Which news agency have you been ignoring the most lately?

  4. No Excuse! by Murdoch5 · · Score: 3, Informative

    Why wasn't the USB key in question a high security, hardware encrypted device? There is no reason to not have a military FIPS-140-2, AES encrypted USB key that can self wipe and self destruct, with full location tracking and remote kill switch.

    There is no excuse for files of this importance to be left on a "normal" key. Who ever provided the key and who ever takes care of the systems the files were copied off of, should face criminal charges.

    1. Re:No Excuse! by Anonymous Coward · · Score: 1

      SNOWDEN IS HERO TO THE PEOPLE

    2. Re:No Excuse! by Opportunist · · Score: 1

      My money is on the idiot who lost it didn't even know that such encrypted USB keys exist.

      What you're most likely dealing with here is some idiot C-level who will not even get fired for that blunder.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:No Excuse! by GuB-42 · · Score: 2

      Snowden used encryption in a way that would be considered paranoid for normal people.
      What kind of whistleblower/traitor/hero/terrorist would know enough to get access to secret documents but be dumb enough to lose an unencrypted USB key in the street. I can imagine using an unencrypted key for stealing data when there is no other choice but definitely not keeping it that way.

      An employee screwing up makes a lot more sense to me.

    4. Re:No Excuse! by GuB-42 · · Score: 2

      Though I prefer the major fuck up hypothesis, who said the data is real and not deliberate misinformation.

      Also I think that all the James Bond style security is overkill. This is definitely confidential information but not top secret. Well implemented AES is more than sufficient. In fact a fancy USB stick will raise a lot more attention. Not a good thing.

    5. Re: No Excuse! by Zero__Kelvin · · Score: 5, Insightful

      Everyone who uses encryption uses it in a way that would be considered paranoid by normal people. Normal people don't understand encryption and have no idea they even use it when they do (e.g. https)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re: No Excuse! by Zero__Kelvin · · Score: 1

      It is ridiculous to say virtually unbreakable security is a bad idea because it will draw more attention. It can draw as much attention as you can imagine, all of which will be I'm the form of: "Hey, get a look at all these ones and zeroes that mean nothing to us and never will"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:No Excuse! by Antique+Geekmeister · · Score: 2

      I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.

    8. Re: No Excuse! by Reverend+Green · · Score: 1

      Because it's fictional...

    9. Re:No Excuse! by The+Cynical+Critic · · Score: 1

      Why wasn't the USB key in question a high security, hardware encrypted device?

      My guess is that it's either because somebody copied work files onto their personal USB drive despite copying files off the agency network onto personal devices being banned but or then management trusted that employees would treat USB drives containing classified documents with the same care they treat paper media copies of the same documents.

      Either way, at the very least somebody needs to start looking for a new line of work because this is just something which should never happen, plain and simple.

      --
      "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
    10. Re: No Excuse! by Zero__Kelvin · · Score: 1

      Most normal people are idiots, but not all are, and some abnormal people like yourself are idiots who read what I wrote and decide it said a whole lot of stuff it didn't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:No Excuse! by Anne+Thwacks · · Score: 1

      My bet is the person who lost it still has 199 more with the same data on, so he won't miss it. Probably some are already in Iran/Moscow/Azerbajan/Karachi or wherever they are supposed to be, and the rest are hidden behind the seats on Circle Line trains.

      --
      Sent from my ASR33 using ASCII
    12. Re:No Excuse! by Anne+Thwacks · · Score: 1
      with the same care they treat paper media copies of the same documents

      They did. This is the UK - top security documents are often found blowing around in the streets.

      --
      Sent from my ASR33 using ASCII
    13. Re:No Excuse! by ctilsie242 · · Score: 1

      This. It is trivial to ensure data on a USB flash drive is encrypted:

      1: $50 gets you an Iepin hardware encrypting USB drive that has a keypad on it. Ten wrong guesses, and you have a blank USB hard drive. You can get an IronKey drive for a bit more that has actual epoxy potting and physical destruction of circuits if one tries to guess the password too often.
      2: BitLocker, FileVault, LUKS, and VeraCrypt are common and easy to use. If you have a keyfile at home and at work, and you use VeraCrypt, an attacker has no way to decrypt the drive, except for a brute force against the entire 256 bit length, or physically breaking into the two locations.
      3: If policies lock out encryption on the drive level, WinZIP, WinRAR, Acrobat and Microsoft Word can all AES-128 encrypt any files and encapsulate them in their own format.
      4: Any big company has some security/compliance education to teach people the dangers of unencrypted media, be it tape, CDs, or whatnot.
      5: One's smartphone can carry data. Both iOS and Android support the ability to copy files to the device, and both have apps that can actually create and open VeraCrypt containers on the device for further security. A rooted Android phone can even mount the VC container so you can copy stuff directly into it.
      6: There are commercial utilities like Boxcryptor which make encryption extremely transparent.
      7: If policies lock out software solutions, then that is what a hardware encrypted drive is for (see #1.)

      Ten years ago, there might have been an excuse. These days, with encryption so easy to access and use, there isn't an excuse for this. I almost wonder if the USB flash drive being lost was a deliberate act of sabotage.

    14. Re: No Excuse! by ctilsie242 · · Score: 1

      Normal people may not know how exactly the mechanism of their deadbolt at home works, but they turn the key and ensure it is locked. They may not know how their car's remote does a handshake with the vehicle's computer, but they at least know how to press the lock button.

      Computer encryption is insanely easy. You don't have to know about S-boxes or shifting stuff around to click on a file, click "encrypt", type in "correct horse battery staple" and be on your way.

    15. Re: No Excuse! by thegarbz · · Score: 1

      Everyone who uses encryption uses it in a way that would be considered paranoid by normal people.

      You have a dim view of normal people. There are plenty of normal people who consider encryption in its most basic form as meaning "not wanting others to see my personal files". That isn't paranoid behavior and few would consider it as such.

      But then when you start talking about layering encryption, embedding hidden volumes in primary volumes for plausible deniability, using software that intentionally doesn't change the last modified date of encrypted archives to hide actions, you'll quickly get considered paranoid by normal people and nerds alike.

    16. Re: No Excuse! by Zero__Kelvin · · Score: 1

      Most people figure they already have that covered by using a password, if they bother to go that far, and "nobody would want to get at any of my files anyway, LOL" If you don't know this then you have never tried to have a discussion about encryption with laymen.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    17. Re: No Excuse! by thegarbz · · Score: 1

      Most people figure they already have that covered by using a password

      You're right. Especially for things like USB sticks where ones with built in password protection are already seeing a rise in popularity.

  5. Careless people meet data density by SlaveToTheGrind · · Score: 1

    This is exactly the same as dropping a scribbled napkin or leaving a folder in a seat -- just much more information in much smaller of a form factor.

    And I'm not really sure what is going to change this. If there's a way to enforce the use of encrypted flash drives, that would help. But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

    1. Re:Careless people meet data density by Jeremi · · Score: 1

      But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

      No doubt -- the only real solution is to make it so that the appropriate security mechanisms can be put in place without incurring any extra layers of bother, so that people won't try to circumvent them. Of course that's much easier said than done.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
  6. Maybe it was accidentally dropped... by Anonymous Coward · · Score: 2, Funny

    by the new airport cyber security expert, that used to work at Equifax up until a few months ago.

  7. Who plugs in USB drives found in the street? by h33t+l4x0r · · Score: 4, Insightful

    I'd sooner chew gum found in the street.

    1. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 5, Interesting

      I do. It's my job.

      Then again, I plug it into systems that exist for that sole reason...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Who plugs in USB drives found in the street? by datavirtue · · Score: 2

      This incident has made those loose flash drives all the more tempting. No one can resist examining a random flash drive. It is like finding a wallet. You have to open it and rifle through the whole thing.

      --
      I object to power without constructive purpose. --Spock
    3. Re:Who plugs in USB drives found in the street? by Antique+Geekmeister · · Score: 1

      Especially with these on the market:

      > http://www.popularmechanics.co...

    4. Re:Who plugs in USB drives found in the street? by coofercat · · Score: 3, Funny

      The digital 'glory hole' ;-)

    5. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 1

      The title is IT security researcher&consultant and the company I work for deals with security in the financial sector.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Who plugs in USB drives found in the street? by thegarbz · · Score: 1

      I do. I also do other risky things like drive a car to work, and go scuba diving. The trick is that I manage the risk.

      Would I chew gum found in the street? Well maybe if I ran a lab that was capable of testing for dangerous organsims, but then it would likely still taste like shit. At least a USB stick is useful.

    7. Re:Who plugs in USB drives found in the street? by Hognoxious · · Score: 1

      Not sure why that means random USB keys found in the street are your concern.

      If you were a hospital lab technician would you analyse every puddle of piss you found as you were taking a stroll?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re:Who plugs in USB drives found in the street? by Opportunist · · Score: 1

      Only if I get paid to do so. Or if I have reason to assume an epidemic might be afoot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Next weeks news: by burtosis · · Score: 1

    Mysterious USB drive discovered and found on the street plugged directly into sensitive heathrow servers, believed to be the cause of all grounded air traffic across Europe.

    1. Re:Next weeks news: by llamahunter · · Score: 1

      Yeah, hope they sandboxed the crap out of whatever hardware they plugged that USB drive into.

    2. Re:Next weeks news: by aaarrrgggh · · Score: 1

      It just takes a Raspberry Pi; it isn't rocket science. You can't trust the electronic files, but you can print or PDF safely enough. Of course you eliminate networking...

  9. Re:If you are the CTO ... by Opportunist · · Score: 1

    This is grounds to quit on the spot if you're the CISO.

    Security is as good as the weakest link. Usually that weakest link is found in the C-Level and their secretaries. These people know ZERO about IT security but demand full privileges over their systems.

    The only reason you don't get to hear about it too often is that they are also the people who would fire people for being incompetent fools who jeopardize security...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:Plans by Opportunist · · Score: 1

    So I get it you have to use it a lot, too? Our self-help group meets every Wednesday.

    Don't worry. Your luggage will be found. I'm absolutely confident. You just must not lose hope.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Slight correction by Harold+Halloway · · Score: 1

    A man found it in west London and handed it into the paper

    Should read:

    A man found it in west London, checked the contents and then hawked it round the gutter press, eventually selling it to the highest bidder.

  12. Meanwhile here on the otherside of the pond by jmccue · · Score: 1, Troll

    I wonder if the person who found it is in trouble ?

    On the other side of the pond I fear that person would have been arrested and facing life in prison. Hate to be so cynical, but I remember 1 or 2 cases where a person was facing outrageous penalties (Aaron Swartz for one) for doing nothing harmful.

    1. Re: Meanwhile here on the otherside of the pond by Anonymous Coward · · Score: 1

      Listen, Aaron didn't have to die. He chose that route. He would have served 2-3 years. He was a bright person who wanted information to be free. He just got caught with his dick in the honey jar.

      But comparing Aaron to this situation is very irresponsible. What Aaron did was illegal(even if what he did was moral). Finding a USB stick and using it is not illegal.

    2. Re: Meanwhile here on the otherside of the pond by datavirtue · · Score: 1

      Great. Now random flash drives are going to become even more irresistible than they already where. Every security manager's worst nightmare.

      --
      I object to power without constructive purpose. --Spock
  13. "A USB" by Mr0bvious · · Score: 1

    Where do they find these editors?

    "A USB", please, I feel ashamed coming here now. A new low.

    --
    Never happened. True story.
    1. Re:"A USB" by crimson+tsunami · · Score: 1

      Why? How many did you think there were?

    2. Re:"A USB" by JamesKeane7745 · · Score: 1

      Where do they find these editors?

      "A USB", please, I feel ashamed coming here now. A new low.

      While it may not sit comfortably with you, 'A USB' is clearly now passed into common language in this context to mean 'A portable storage device, with a USB A connector supporting the USB mass storage device type'.

      I guarantee that if I shout over to my colleague across the room 'Have you got a USB I can borrow', we will pass me a USB flash drive rather than either a port, a section of motherboard, or a standard.

  14. I cracked the case... by datavirtue · · Score: 1

    "We have also launched an internal investigation to understand how this happened..."

    Let me tell you what happened. Someone dumped the files onto a flash drive and dropped it somewhere.

    --
    I object to power without constructive purpose. --Spock
  15. My mom always told me... by tofleplof · · Score: 2

    not to plug usb-sticks-found-in-the-street into my computer.

    1. Re:My mom always told me... by Hognoxious · · Score: 1

      Guy's homeless. He doesn't have a computer.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:My mom always told me... by Anonymous Coward · · Score: 1

      That's why he went to a library and used their computer (in reality he was on the way to the library to use their computer for job hunting when he found it).

  16. Re: If you are the CTO ... by I75BJC · · Score: 1

    LOL!!!

  17. In Other News by QuadEddie · · Score: 1

    In other news, an airport security presenter was extremely embarrassed when plugging in his USB stick to find 32gb of child porn.

  18. Only an idiot plugs in a found USB by Martin+S. · · Score: 3, Interesting

    My original submission included making the point that only an idiot plugs in a found USB but this has been removed in the edit and my scepticism has been lost.

    The reported fact that this was found on the street amongst fallen leaves is highly unlikely and suspicious. It does provide plausible deniability for the journalist over their source, but my money is this will be revealed to be a hoax.

    The newspaper that published this story, offers to pay for stories. My belief is that there is a very good chance this will be revealed to be entirely a hoax. A assembly of public source data to get a reward/story bounty from the newspaper.

    It is possible, but unlikely this could be a honey trap for the journalist, or anybody with the USB including attack code intended to compromise their PC/Network. This is how STUX worked.

    1. Re:Only an idiot plugs in a found USB by jabuzz · · Score: 1

      Depends what you are plugging it into. I sure as hell would not plug it into any sort of x86 hardware. But an un networked Raspberry Pi, sure. Or even a networked Raspberry Pi that is stuck in a VLAN all of it's own and firewalled up the wazzo.

      I personally doubt very much however that it is a hoax of any description.

    2. Re:Only an idiot plugs in a found USB by thegarbz · · Score: 1

      You're making a lot of assumptions about the actions of plugging in a USB stick.

      It's like saying that given the odds of people dying in a car accident only an idiot would get in a car. You ignore many variables, many risks, many controls, and by simplifying such a complex action into a single accusative soundbite your original submission had every reason to be edited and have that line removed.

  19. hmmm.. by SuperDre · · Score: 2

    And why did the finder give it to a paper and not to the police (which is what he should have done). I wonder how much money he got from the paper...

    1. Re:hmmm.. by Anne+Thwacks · · Score: 1
      why did the finder give it to a paper and not to the police

      To be fair, the police probably would not know what a USB stick was.

      Anyway, this is the UK - a USB stick is probably safer lying in a puddle in the street than in a "secure" government institution

      --
      Sent from my ASR33 using ASCII
  20. Re:If you are the CTO ... by Anonymous Coward · · Score: 1

    A real CISO would find out about the leak, sell and short their stock, make the announcement and make it sound as horrific as possible, take the profits and walk away wealthy.

  21. Re:If you are the CTO ... by slashrio · · Score: 1

    It wasn't a case of 'national security'.
    It would only involve a handful of passengers falling out of the sky.
    The state was nowhere at risk.

    --
    "Trump!!", the new Godwin.
  22. I will see your article and raise you a SHOP by laurencetux · · Score: 1

    https://usbkill.com/

    this is a site that actually sells working units (and a "filter" gizmo you can test with)

  23. Re:If you are the CTO ... by Anonymous Coward · · Score: 1

    From TFS:

    including details of measures used to protect the Queen.

    So...yea...'national security...'

  24. I'm not making assumptions. by Martin+S. · · Score: 1

    I'm pointing out several plausible alternatives that blow away the assumption that this is real.

    The likelihood that this would be 'found' in this way, that it would include sensitive data, that it would not be encrypted all amounts a fail of Occams Razor in a very big way.

    The vast majority of lost USB drives will end up lost for ever, swept up in rubbish, buried in decaying leaf litter.

    That the device contain sensitive data, that it was found, that it was examined, that this data was unencrypted, that it found its way into the hands of a journalist all stretch the base assumption well beyond braking point.

  25. Re:If you are the CTO ... by slashrio · · Score: 1

    When asked what would happen to England when Queen Elizabeth II would die, she allegedly answered: "Nothing, the country will just go on."
    So, no, not really 'national security'.
    Note however the 'alleged' part. :)

    --
    "Trump!!", the new Godwin.