Heathrow Airport Security Files Found on USB Stick In The Street (bbc.co.uk)
"The BBC is reporting a security probe after security data about Heathrow was discovered on a USB found on the street," writes long-time Slashdot reader Martin S. From the article:
The Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect the Queen. A man found it in west London and handed it into the paper, it said. Heathrow said all of its security plans had been reviewed and it was "confident" the airport was secure. "We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future," it said.
The Mirror reports that the USB stick was not encrypted and did not require a password, according to an article shared by Slashdot reader rastos1. Insiders "admitted it sparked a 'very, very urgent' probe, and that it posed 'a risk to national security'."
If you are the CTO ... (Score:5, Insightful)
Security only applies to everyone else.
Re: (Score:2)
This is grounds to quit on the spot if you're the CISO.
Security is as good as the weakest link. Usually that weakest link is found in the C-Level and their secretaries. These people know ZERO about IT security but demand full privileges over their systems.
The only reason you don't get to hear about it too often is that they are also the people who would fire people for being incompetent fools who jeopardize security...
Re: (Score:1)
A real CISO would find out about the leak, sell and short their stock, make the announcement and make it sound as horrific as possible, take the profits and walk away wealthy.
Re: If you are the CTO ... (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
It would only involve a handful of passengers falling out of the sky.
The state was nowhere at risk.
Re: (Score:1)
From TFS:
including details of measures used to protect the Queen.
So...yea...'national security...'
Re: (Score:2)
So, no, not really 'national security'.
Note however the 'alleged' part.
Can't be (Score:4, Funny)
In the UK, USB sticks with sensitive or secret info always have to be forgotten in an underground car, it's the law.
Re: (Score:3)
This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them any where, well, only one need. That need being, selling it, everything contracted is contracted to the highest bidder, so as for national security issues. Highest bidder for that information, in the entire chain of handling of that
Re: (Score:2)
"This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them any where,"
The word you're looking for is 'stupidity'.
The North Koreans stole it! (Score:3)
I believe that it is them who we currently blame for all things like this.
Re: The North Koreans stole it! (Score:3)
Obviously it was the French. It's always the French.
Re: (Score:1)
The 'Russian collusion/Russia threat' meme will disappear from the media now the NYT and WashPo have reported that Hillary's campaign paid for the Steele dossier.
Before that it reflected badly on Trump, and now it reflects badly on Hillary and the Democrats. And only 7% of journalists are Democrats [washingtonpost.com]. So it will simply drop off the short list of stories they talk about because talking about it doesn't fit their preferred narrative.
Re: (Score:2)
If it is accurate, then it reflects poorly on Trump. If it is not accurate, then it reflects poorly on Clinton.
My point being that the NYT/WashPo/CNN etc all talked about Russian collusion when they thought Trump was guilty of it, despite having no evidence of a crime. Then it came out that Clinton's campaign had illegally paid for the Steele dossier from Russia - the illegality comes from paying a law firm to pay FusionGPS which eventually paid him. The FEC requires campaign expenditure over $200 to be itemised. I predict the Democrat supporting media will simply stop talking about Russia at this point.
And I'd say
Re: (Score:1)
He's not my leader and I didn't win. I'm not a US citizen. I'm pointing to the staggering intellectual dishonesty of accusing him of Russian collusion for a year with no evidence and when evidence comes out Hillary did collude - and probably broke FEC rules doing it - simply stopping talking about Russia.
Re: (Score:2)
Re: (Score:2)
So I get it you have to use it a lot, too? Our self-help group meets every Wednesday.
Don't worry. Your luggage will be found. I'm absolutely confident. You just must not lose hope.
No Excuse! (Score:4, Informative)
There is no excuse for files of this importance to be left on a "normal" key. Whoever provided the key and whoever takes care of the systems the files were copied off of, should face criminal charges.
Re: (Score:2)
My money is on the idiot who lost it didn't even know that such encrypted USB keys exist.
What you're most likely dealing with here is some idiot C-level who will not even get fired for that blunder.
Re: (Score:2)
Re: (Score:3)
Though I prefer the major fuck up hypothesis, who said the data is real and not deliberate misinformation.
Also I think that all the James Bond style security is overkill. This is definitely confidential information but not top secret. Well implemented AES is more than sufficient. In fact a fancy USB stick will raise a lot more attention. Not a good thing.
Re: No Excuse! (Score:1)
Re: (Score:3)
I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.
Re: No Excuse! (Score:2)
Because it's fictional...
Re: (Score:2)
Why wasn't the USB key in question a high security, hardware encrypted device?
My guess is that it's either because somebody copied work files onto their personal USB drive despite copying files off the agency network onto personal devices being banned, or management trusted that employees would treat USB drives containing classified documents with the same care they treat paper media copies of the same documents.
Either way, at the very least somebody needs to start looking for a new line of work because this is just something which should never happen, plain and simple.
Re: (Score:2)
They did. This is the UK - top security documents are often found blowing around in the streets.
Re: (Score:2)
This. It is trivial to ensure data on a USB flash drive is encrypted:
1: $50 gets you an Iepin hardware encrypting USB drive that has a keypad on it. Ten wrong guesses, and you have a blank USB hard drive. You can get an IronKey drive for a bit more that has actual epoxy potting and physical destruction of circuits if one tries to guess the password too often.
2: BitLocker, FileVault, LUKS, and VeraCrypt are common and easy to use. If you have a keyfile at home and at work, and you use VeraCrypt, an att
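An added example, not part of the comment above or of any tool it names: a Python check a defender could run over the first sector of a removable volume to tell LUKS and BitLocker headers from cleartext filesystems. The sample sectors are constructed, and the function names and the 7.0 entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # magic at offset 0 of LUKS1 and LUKS2 headers

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; a 512-byte ciphertext sample lands around 7.6."""
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def classify_volume_header(sector: bytes) -> str:
    """Classify the first 512 bytes of a volume (a partition, not the whole disk)."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:512]
    if sector[:6] == LUKS_MAGIC:
        (version,) = struct.unpack(">H", sector[6:8])  # big-endian version field
        return f"luks{version}"
    oem_id = sector[3:11]  # OEM ID field of a boot sector
    if oem_id == b"-FVE-FS-":
        return "bitlocker"
    if oem_id == b"NTFS    ":
        return "cleartext-ntfs"
    if oem_id == b"EXFAT   ":
        return "cleartext-exfat"
    if sector[510:] == b"\x55\xaa" and b"FAT" in (sector[54:57], sector[82:85]):
        # Plain FAT, or the FAT-formatted discovery volume of BitLocker To Go.
        return "fat-like"
    if entropy_bits_per_byte(sector) > 7.0:
        # No signature and random-looking: consistent with a VeraCrypt
        # volume, which has no magic bytes. A heuristic, not proof.
        return "high-entropy"
    return "unknown"

def constructed_samples() -> dict:
    """Constructed first sectors for illustration; not taken from any real drive."""
    def boot(oem: bytes, fs_type_at_82: bytes = b"") -> bytes:
        s = bytearray(512)
        s[3:11] = oem
        s[82:82 + len(fs_type_at_82)] = fs_type_at_82
        s[510:] = b"\x55\xaa"
        return bytes(s)
    return {
        "luks2": LUKS_MAGIC + struct.pack(">H", 2) + bytes(504),
        "bitlocker": boot(b"-FVE-FS-"),
        "ntfs": boot(b"NTFS    "),
        "fat32": boot(b"MSWIN4.1", b"FAT32   "),
        "veracrypt_like": hashlib.shake_256(b"constructed").digest(512),
        "blank": bytes(512),
    }
```

A "fat-like" or "cleartext-*" result on a drive that is supposed to carry sensitive files is the case worth flagging; "high-entropy" and "unknown" need a follow-up check with the relevant tool.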
Re: (Score:1)
SNOWDEN IS HERO TO THE PEOPLE
Re: (Score:3)
Snowden used encryption in a way that would be considered paranoid for normal people.
What kind of whistleblower/traitor/hero/terrorist would know enough to get access to secret documents but be dumb enough to lose an unencrypted USB key in the street? I can imagine using an unencrypted key for stealing data when there is no other choice but definitely not keeping it that way.
An employee screwing up makes a lot more sense to me.
Re: No Excuse! (Score:5, Insightful)
Re: No Excuse! (Score:1)
Re: (Score:2)
Normal people may not know how exactly the mechanism of their deadbolt at home works, but they turn the key and ensure it is locked. They may not know how their car's remote does a handshake with the vehicle's computer, but they at least know how to press the lock button.
Computer encryption is insanely easy. You don't have to know about S-boxes or shifting stuff around to click on a file, click "encrypt", type in "correct horse battery staple" and be on your way.
Re: (Score:2)
Everyone who uses encryption uses it in a way that would be considered paranoid by normal people.
You have a dim view of normal people. There are plenty of normal people who consider encryption in its most basic form as meaning "not wanting others to see my personal files". That isn't paranoid behavior and few would consider it as such.
But then when you start talking about layering encryption, embedding hidden volumes in primary volumes for plausible deniability, using software that intentionally doesn't change the last modified date of encrypted archives to hide actions, you'll quickly get considered p
Re: No Excuse! (Score:1)
Re: (Score:2)
Most people figure they already have that covered by using a password
You're right. Especially for things like USB sticks where ones with built in password protection are already seeing a rise in popularity.
Careless people meet data density (Score:2)
This is exactly the same as dropping a scribbled napkin or leaving a folder in a seat -- just much more information in much smaller of a form factor.
And I'm not really sure what is going to change this. If there's a way to enforce the use of encrypted flash drives, that would help. But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.
Re: (Score:2)
But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.
No doubt -- the only real solution is to make it so that the appropriate security mechanisms can be put in place without incurring any extra layers of bother, so that people won't try to circumvent them. Of course that's much easier said than done.
the man who found it will face charges and be hit (Score:1)
the man who found it will face charges and be hit with a bill to fix it as damages.
When you have something like this you hand it over to someone who can leak it with no traces back to you.
Maybe it was accidentally dropped... (Score:2, Funny)
by the new airport cyber security expert, that used to work at Equifax up until a few months ago.
Who plugs in USB drives found in the street? (Score:5, Insightful)
Re:Who plugs in USB drives found in the street? (Score:5, Interesting)
I do. It's my job.
Then again, I plug it into systems that exist for that sole reason...
Re: (Score:2)
The title is IT security researcher & consultant and the company I work for deals with security in the financial sector.
Re: (Score:2)
Not sure why that means random USB keys found in the street are your concern.
If you were a hospital lab technician would you analyse every puddle of piss you found as you were taking a stroll?
Re: (Score:2)
Only if I get paid to do so. Or if I have reason to assume an epidemic might be afoot.
Re:Who plugs in USB drives found in the street? (Score:4, Funny)
The digital 'glory hole' ;-)
Re: (Score:3)
Re: (Score:2)
Especially with these on the market:
> http://www.popularmechanics.co... [popularmechanics.com]
I will see your article and raise you a SHOP (Score:2)
https://usbkill.com/ [usbkill.com]
this is a site that actually sells working units (and a "filter" gizmo you can test with)
Re: (Score:2)
I do. I also do other risky things like drive a car to work, and go scuba diving. The trick is that I manage the risk.
Would I chew gum found in the street? Well maybe if I ran a lab that was capable of testing for dangerous organisms, but then it would likely still taste like shit. At least a USB stick is useful.
Next week's news: (Score:2)
Re: (Score:1)
Re: (Score:2)
It just takes a Raspberry Pi; it isn't rocket science. You can't trust the electronic files, but you can print or PDF safely enough. Of course you eliminate networking...
Slight correction (Score:2)
A man found it in west London and handed it into the paper
Should read:
A man found it in west London, checked the contents and then hawked it round the gutter press, eventually selling it to the highest bidder.
Meanwhile here on the other side of the pond (Score:2, Troll)
I wonder if the person who found it is in trouble?
On the other side of the pond I fear that person would have been arrested and facing life in prison. Hate to be so cynical, but I remember 1 or 2 cases where a person was facing outrageous penalties (Aaron Swartz for one) for doing nothing harmful.
Re: Meanwhile here on the other side of the pond (Score:1)
Listen, Aaron didn't have to die. He chose that route. He would have served 2-3 years. He was a bright person who wanted information to be free. He just got caught with his dick in the honey jar.
But comparing Aaron to this situation is very irresponsible. What Aaron did was illegal (even if what he did was moral). Finding a USB stick and using it is not illegal.
Re: (Score:2)
"A USB" (Score:2)
Where do they find these editors?
"A USB", please, I feel ashamed coming here now. A new low.
Re: (Score:2)
Re: (Score:1)
Where do they find these editors?
"A USB", please, I feel ashamed coming here now. A new low.
While it may not sit comfortably with you, 'A USB' is clearly now passed into common language in this context to mean 'A portable storage device, with a USB A connector supporting the USB mass storage device type'.
I guarantee that if I shout over to my colleague across the room 'Have you got a USB I can borrow', we will pass me a USB flash drive rather than either a port, a section of motherboard, or a standard.
Re: (Score:2)
My mom always told me... (Score:2)
not to plug usb-sticks-found-in-the-street into my computer.
Re: (Score:2)
Guy's homeless. He doesn't have a computer.
Re: (Score:1)
That's why he went to a library and used their [cnn.com] computer (in reality he was on the way to the library to use their computer for job hunting when he found it).
Re: (Score:1)
Only an idiot plugs in a found USB (Score:4, Interesting)
My original submission included making the point that only an idiot plugs in a found USB [theregister.co.uk] but this has been removed in the edit and my scepticism has been lost.
The reported fact that this was found on the street amongst fallen leaves is highly unlikely and suspicious. It does provide plausible deniability for the journalist over their source, but my money is this will be revealed to be a hoax.
The newspaper that published this story offers to pay for stories [mirror.co.uk]. My belief is that there is a very good chance this will be revealed to be entirely a hoax. An assembly of public source data to get a reward/story bounty from the newspaper.
It is possible, but unlikely this could be a honey trap for the journalist, or anybody with the USB including attack code intended to compromise their PC/Network. This is how STUX worked.
Re: (Score:2)
Depends what you are plugging it into. I sure as hell would not plug it into any sort of x86 hardware. But an un-networked Raspberry Pi, sure. Or even a networked Raspberry Pi that is stuck in a VLAN all of its own and firewalled up the wazzo.
I personally doubt very much however that it is a hoax of any description.
Re: (Score:2)
You're making a lot of assumptions about the actions of plugging in a USB stick.
It's like saying that given the odds of people dying in a car accident only an idiot would get in a car. You ignore many variables, many risks, many controls, and by simplifying such a complex action into a single accusative soundbite your original submission had every reason to be edited and have that line removed.
I'm not making assumptions. (Score:2)
I'm pointing out several plausible alternatives that blow away the assumption that this is real.
The likelihood that this would be 'found' in this way, that it would include sensitive data, that it would not be encrypted all amounts to a fail of Occam's Razor in a very big way.
The vast majority of lost USB drives will end up lost for ever, swept up in rubbish, buried in decaying leaf litter.
That the device contain sensitive data, that it was found, that it was examined, that this data was unencrypted, that it fo
hmmm.. (Score:3)
Re: (Score:2)
To be fair, the police probably would not know what a USB stick was.
Anyway, this is the UK - a USB stick is probably safer lying in a puddle in the street than in a "secure" government institution