Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
United Kingdom Government Security Transportation

Heathrow Airport Security Files Found on USB Stick In The Street (bbc.co.uk) 116

"The BBC is reporting a security probe after security data about Heathrow was discovered on a USB found on the street," writes long-time Slashdot readers Martin S. From the article: The Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect the Queen. A man found it in west London and handed it into the paper, it said. Heathrow said all of its security plans had been reviewed and it was "confident" the airport was secure. "We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future," it said.
The Mirror reports that the USB stick was not encrypted and did not require a password, according to an article shared by Slashdot reader rastos1. Insiders "admitted it sparked a 'very, very urgent' probe, and that it posed 'a risk to national security'."
This discussion has been archived. No new comments can be posted.

Heathrow Airport Security Files Found on USB Stick In The Street

Comments Filter:
  • by BoRegardless ( 721219 ) on Sunday October 29, 2017 @03:37PM (#55454333)

    Security only applies to everyone else.

    • This is grounds to quit on the spot if you're the CISO.

      Security is as good as the weakest link. Usually that weakest link is found in the C-Level and their secretaries. These people know ZERO about IT security but demand full privileges over their systems.

      The only reason you don't get to hear about it too often is that they are also the people who would fire people for being incompetent fools who jeopardize security...

      • by Anonymous Coward

        A real CISO would find out about the leak, sell and short their stock, make the announcement and make it sound as horrific as possible, take the profits and walk away wealthy.

    • by dougdonovan ( 646766 ) <dougdonovan@msn.com> on Sunday October 29, 2017 @04:44PM (#55454607) Journal
      obviously an hourly wage security person is missing their usb.
    • It wasn't a case of 'national security'.
      It would only involve a handful of passengers falling out of the sky.
      The state was nowhere at risk.
      • by Anonymous Coward

        From TFS:

        including details of measures used to protect the Queen.

        So...yea...'national security...'

        • When asked what would happen to England when Queen Elizabeth II would die, she allegedly answered: "Nothing, the country will just go on."
          So, no, not really 'national security'.
          Note however the 'alleged' part. :)
  • Can't be (Score:4, Funny)

    by nospam007 ( 722110 ) * on Sunday October 29, 2017 @03:40PM (#55454347)

    In the UK, USB sticks with sensitive or secret info always have to be forgotten in an underground car, it's the law.

    • by rtb61 ( 674572 )

      This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them any where, well, only one need. That need being, selling it, everything contracted is contracted to the highest bidder, so as for national security issues. Highest bidder for that information, in the entire chain of handling of that

      • "This sounds a little more suss though. Why load those particular files onto a USB stick to remove from the office. Internal and external secured networks, no need for sneaker net https://en.wikipedia.org/wiki/ [wikipedia.org]... [wikipedia.org] this is not a decade or more ago, absolutely no need to carry them any where,"

        The word you're looking for is 'stupidity'.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday October 29, 2017 @03:42PM (#55454353) Homepage

    I believe that it is them who we currently blame for all things like this.

  • No Excuse! (Score:4, Informative)

    by Murdoch5 ( 1563847 ) on Sunday October 29, 2017 @03:45PM (#55454375) Homepage
    Why wasn't the USB key in question a high security, hardware encrypted device? There is no reason to not have a military FIPS-140-2, AES encrypted USB key that can self wipe and self destruct, with full location tracking and remote kill switch.

    There is no excuse for files of this importance to be left on a "normal" key. Who ever provided the key and who ever takes care of the systems the files were copied off of, should face criminal charges.
    • My money is on the idiot who lost it didn't even know that such encrypted USB keys exist.

      What you're most likely dealing with here is some idiot C-level who will not even get fired for that blunder.

      • My bet is the person who lost it still has 199 more with the same data on, so he won't miss it. Probably some are already in Iran/Moscow/Azerbajan/Karachi or wherever they are supposed to be, and the rest are hidden behind the seats on Circle Line trains.
    • by GuB-42 ( 2483988 )

      Though I prefer the major fuck up hypothesis, who said the data is real and not deliberate misinformation.

      Also I think that all the James Bond style security is overkill. This is definitely confidential information but not top secret. Well implemented AES is more than sufficient. In fact a fancy USB stick will raise a lot more attention. Not a good thing.

      • It is ridiculous to say virtually unbreakable security is a bad idea because it will draw more attention. It can draw as much attention as you can imagine, all of which will be I'm the form of: "Hey, get a look at all these ones and zeroes that mean nothing to us and never will"
    • I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.

    • Because it's fictional...

    • Why wasn't the USB key in question a high security, hardware encrypted device?

      My guess is that it's either because somebody copied work files onto their personal USB drive despite copying files off the agency network onto personal devices being banned but or then management trusted that employees would treat USB drives containing classified documents with the same care they treat paper media copies of the same documents.

      Either way, at the very least somebody needs to start looking for a new line of work because this is just something which should never happen, plain and simple.

      • with the same care they treat paper media copies of the same documents

        They did. This is the UK - top security documents are often found blowing around in the streets.

    • This. It is trivial to ensure data on a USB flash drive is encrypted:

      1: $50 gets you an Iepin hardware encrypting USB drive that has a keypad on it. Ten wrong guesses, and you have a blank USB hard drive. You can get an IronKey drive for a bit more that has actual epoxy potting and physical destruction of circuits if one tries to guess the password too often.
      2: BitLocker, FileVault, LUKS, and VeraCrypt are common and easy to use. If you have a keyfile at home and at work, and you use VeraCrypt, an att

  • This is exactly the same as dropping a scribbled napkin or leaving a folder in a seat -- just much more information in much smaller of a form factor.

    And I'm not really sure what is going to change this. If there's a way to enforce the use of encrypted flash drives, that would help. But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

    • by Jeremi ( 14640 )

      But even if so it seems like exceptions typically get carved out for big shots who either can't or don't want to deal with extra layers of bother.

      No doubt -- the only real solution is to make it so that the appropriate security mechanisms can be put in place without incurring any extra layers of bother, so that people won't try to circumvent them. Of course that's much easier said than done.

  • the man for found it will face changers and be hit with bill to fix it as damages.

    When you have something like this you hand it over to someone who can leak it with no traces back to you.

  • by Anonymous Coward

    by the new airport cyber security expert, that used to work at Equifax up until a few months ago.

  • by h33t l4x0r ( 4107715 ) on Sunday October 29, 2017 @04:20PM (#55454511)
    I'd sooner chew gum found in the street.
  • Mysterious USB drive discovered and found on the street plugged directly into sensitive heathrow servers, believed to be the cause of all grounded air traffic across Europe.
    • Yeah, hope they sandboxed the crap out of whatever hardware they plugged that USB drive into.
      • It just takes a Raspberry Pi; it isn't rocket science. You can't trust the electronic files, but you can print or PDF safely enough. Of course you eliminate networking...

  • A man found it in west London and handed it into the paper

    Should read:

    A man found it in west London, checked the contents and then hawked it round the gutter press, eventually selling it to the highest bidder.

  • I wonder if the person who found it is in trouble ?

    On the other side of the pond I fear that person would have been arrested and facing life in prison. Hate to be so cynical, but I remember 1 or 2 cases where a person was facing outrageous penalties (Aaron Swartz for one) for doing nothing harmful.

    • Listen, Aaron didn't have to die. He chose that route. He would have served 2-3 years. He was a bright person who wanted information to be free. He just got caught with his dick in the honey jar.

      But comparing Aaron to this situation is very irresponsible. What Aaron did was illegal(even if what he did was moral). Finding a USB stick and using it is not illegal.

  • Where do they find these editors?

    "A USB", please, I feel ashamed coming here now. A new low.

    • Why? How many did you think there were?
    • Where do they find these editors?

      "A USB", please, I feel ashamed coming here now. A new low.

      While it may not sit comfortably with you, 'A USB' is clearly now passed into common language in this context to mean 'A portable storage device, with a USB A connector supporting the USB mass storage device type'.

      I guarantee that if I shout over to my colleague across the room 'Have you got a USB I can borrow', we will pass me a USB flash drive rather than either a port, a section of motherboard, or a standard.

  • Comment removed based on user account deletion
  • not to plug usb-sticks-found-in-the-street into my computer.

    • Guy's homeless. He doesn't have a computer.

    • by Anonymous Coward

      That's why he went to a library and used their [cnn.com] computer (in reality he was on the way to the library to use their computer for job hunting when he found it).

  • Comment removed based on user account deletion
  • by Martin S. ( 98249 ) on Monday October 30, 2017 @03:50AM (#55456329) Journal

    My original submission included making the point that only an idiot plugs in a found USB [theregister.co.uk] but this has been removed in the edit and my scepticism has been lost.

    The reported fact that this was found on the street amongst fallen leaves is highly unlikely and suspicious. It does provide plausible deniability for the journalist over their source, but my money is this will be revealed to be a hoax.

    The newspaper that published this story, offers to pay for stories [mirror.co.uk]. My belief is that there is a very good chance this will be revealed to be entirely a hoax. A assembly of public source data to get a reward/story bounty from the newspaper.

    It is possible, but unlikely this could be a honey trap for the journalist, or anybody with the USB including attack code intended to compromise their PC/Network. This is how STUX worked.

    • by jabuzz ( 182671 )

      Depends what you are plugging it into. I sure as hell would not plug it into any sort of x86 hardware. But an un networked Raspberry Pi, sure. Or even a networked Raspberry Pi that is stuck in a VLAN all of it's own and firewalled up the wazzo.

      I personally doubt very much however that it is a hoax of any description.

    • You're making a lot of assumptions about the actions of plugging in a USB stick.

      It's like saying that given the odds of people dying in a car accident only an idiot would get in a car. You ignore many variables, many risks, many controls, and by simplifying such a complex action into a single accusative soundbite your original submission had every reason to be edited and have that line removed.

      • I'm pointing out several plausible alternatives that blow away the assumption that this is real.

        The likelihood that this would be 'found' in this way, that it would include sensitive data, that it would not be encrypted all amounts a fail of Occams Razor in a very big way.

        The vast majority of lost USB drives will end up lost for ever, swept up in rubbish, buried in decaying leaf litter.

        That the device contain sensitive data, that it was found, that it was examined, that this data was unencrypted, that it fo

  • by SuperDre ( 982372 ) on Monday October 30, 2017 @04:25AM (#55456399) Homepage
    And why did the finder give it to a paper and not to the police (which is what he should have done). I wonder how much money he got from the paper...
    • why did the finder give it to a paper and not to the police

      To be fair, the police probably would not know what a USB stick was.

      Anyway, this is the UK - a USB stick is probably safer lying in a puddle in the street than in a "secure" government institution

Avoid strange women and temporary variables.

Working...