Military Secrets for Sale on Stolen USB Drives

nTrfAce writes "Per a BBC Article, "US forces in Afghanistan are checking reports that stolen computer hardware containing military secrets is being sold at a market beside a big US base. Shopkeepers at a market next to Bagram base, outside Kabul, have been selling memory drives stolen from the facility, the Los Angeles Times newspaper says.""

Missing Classified Hard Drives

[Anonymous Coward]

One would have thought that something was afoot when the PC failed to boot? And would someone explain to me how a non US citizen got into the "secret" areas to be able to pick up a "secret" disk drive. This story if true is just plain stupid - someone should hang!

I'm no military fan...

[Anonymous Coward]

...but how do they know the 'secrets' are actually that and not some kind of decoy?

Re:Why?

[plankrwf]

How else to spread sensitive information?
At least this way, no president needs to leak [nysun.com] anything himself

Re:why/when.

[plankrwf]

This is a known problem indeed. (Someone modd parent up, I haven't gotten modpoints right now).
I remember a case at a client in which we had to mail a very sensitive, very important document very quickly.
Turned out we couldn't mail it using the clients own mailsystem, as... it didn't allow Word-attachments (or Zip or ...) to be sent along...
In the end we ended up taking the document on a floppy (yes, this was some years ago), to a 'learning centre' computer which was attached to the internet, and we ended up mailing it with... hotmail...
Roel

Yet another chill pill moment

[Xiph]

The stuff that's stolen is probably not aimed getting highly sensitive data, but at getting a bit of cash from selling the hardware:

"He reportedly said he was selling the items for their value as hardware alone."

that lack of organization also suggest the problem isn't huge, a claim also supported by

"Coalition officials regularly survey bazaars across Afghanistan for the presence of contraband materials, but thus far have not uncovered sensitive or classified items"

So it's not large scale, hyperterrorsquads selling supersensitive secret soldier material to themselves. but rather small bits of pieces, that together will probably seem as just that. small bits of pieces. It is however always unfortunate that personal and classified information is handled carelessly, but if we can't even handle this properly at home, why should it be any better in Afghanistan.
I'll give the answer right here: First, get better at handling information security at home, before you start using the technology abroad.
Don't give sensitive material to people who haven't been screened on how they handled it (I thought this was already a goal the tried to achieve)

Re:Why?

[arivanov]

The army will probably try to stop this by mandating it not be done.

Once upon a time it could force that it is not done. This is what levels of security above C and OSes like Trusted Solaris were all about. Not about being unhackable, but about it being impossible to copy data from a higher security container to a lower. Granted, someone with high enough security clearance and rights to declare his USB drive "secure" could have gotten past that as well, but the average PHB wannabie corporate ladder climber could not do anything about it. He could not "take work home".

This is also coming back. The slashdot crowd keeps bitching about Vista DRM being Digital Wrongs Management and being mostly promoted by pigopolists. Once again wrong. Along with AD it will allow any corporation to force a mandatory encryption policy on all the data on all media in the house at the click of a mouse. Throw in this the usage of TPM chips on all Vista ready PCs and this will make any data that a corporation wants to make unrecoverable without proper access credential on a PC really unrecoverable. All of this centrally controlled. This will also result in much faster adoption of Vista in the enterprise than people can even think off, especially for mobile devices.

This also means that if Linux is to compete for the desktop it will have to have the same features regardless of Stallmans desires. This is one thing on which Linus is absolutely right. The usage of DRM by pigopolists is a current fad which is only a minor fraction of its actual use. The real use of DRM is to enforce a security policy on data across an enterprise. Having this will be essential to the success of any OS out there in 2-3 years. Also, there is no problem with DRM being opensource. Essentially DRM is nothing but a crypto application. Same as with every good crypto - having the source should not allow one to break it.

Re:why/when.

[cocotoni]

I don't want to sound like I come from that Monty Python sketch, but that is nothing.

Long time ago we had to transfer some sensitive data between two military bases. The data was saved to a floppy (8" floppy at that), put in sealed envelope, in the locked suitcase chained to the carriers wrist, into APC, to the airport, helicopter, APC, and straight to us. The whole nine yards.

And then we found that the caporal on the other end found it bizzare that there was something shuffling in the envelope, and to secure it better he put a couple of staples through the envelope. And through the disk.

Since the data was both sensitive and urgent (no time for the whole nine yards again), we ended by transferring it using modem over unsecured phone carrier.

Scrapping the Military..

[Savage-Rabbit]

Windows - it's that insecure, you don't even need physical access to a machine to steal it's componants! ;-)

Somewhere in California (IIRC) there is a company that specializes in providing military aircraft for the movie industry. At the time he appeared in a documentary which I watched, the owner of this business had apparently assembled more than one Cobra Gunship from parts sold off by the Armed Forces as scrap and was well on his way toward assembling (what was at the time at least) a state-of-the-art Apache assault helecopter using parts draw from similar sources (they showed footage of it being assembled). According to this guy some of the things the US armed forces sell off to civillans as 'scrap' are downright scary both because they are sometimes dangerous (contain live munitions, toxic materials, rocket engines, etc..) and because this 'scrap' includes some pretty sensetive electronic equipment. So stolen PC's are not the only problem, the US armed forces quite freely sells off some pretty amazing stuff as junk. True enough, the information on a stolen PC can cause a significant security breach but an enemy nation getting it's hands on sensetive military electronics at a scrap auction is even worse. I suppose the way the military filters equipment for disposal may have improved over the last few years but somehow I doubt it.

Re:why/when.

[Bob3141592]

So, no reading of a report on the train, no after-dinner report writing. Nothing. Ambitious people break the rules to perform better. So they take stuff home anyway. As long as the hardware doesn't get stolen, nothing is noticed. Big publicity when sensitive information makes it to the press.

If thisis only about company sensitive information, then fine. But if you're talking about military secret or confidential, then the rules are a bit different. You can't read a classified document on the way home on the train, as other people around you could see it. And unless your home was certified as a secure site, it would be illegal to have the docement there. You'd also need special paperwork to take the document out of it's original building.

I have to ask who is doing this stealing. If it's by uncleared civilians, then what are they doing in proximity to classified material? Otherwise the stealing must be done by cleared personnel, which is a whole different story of criminal intent. Something doesn't add up here.

Re:why/when.

[rahrens]

I have the same feeling about this. The military is absolutely anal about classified information. Like another poster mentioned, PCs used for classified info have HDs in carriers so they can be removed from the PC for storage when not in use, in addition such PCs are required to have the usb ports disabled through group security policy, if not at the registry level, as well as floppies. They are not allowed to have cd or dvd burners, read only for classified PCs. Such PCs are not allowed to have network connectivity with UNclassified PCs, either, and classified networks are NOT allowed to be connected physically to the Internet.

So I suspect that this reporter saw something on a stolen usb drive and just assumed that it would be classified. It may have been sensitive, but of a lower classification that would not have required the measures I mentioned above. Not that loosing such info wouldn't be bad - it very well could have, but that doesn't equate to classified info.

Of course, while we're speculating, he could have seen a document that was created by the soldier that owned the usb drive, who then failed to follow procedures for classifying documents properly, and mentioned classified info in an unclassified document, on an unsecured system. That has been known to happen, especially under combat conditions, and is just as bad as what the article is talking about...

Re:Strong encryption

[patio11]

There is not too much subjective about the statement "some US troops sexually abused prisoners in Iraq". Thats a fact. Here's another: "the US military found out about it before the press did, through a whistleblower, and immediately started investigating and preparing charges, and as a result some of the culprits are now doing hard time". Unfortunately, the pictures for Truth #2 don't sell nearly so many papers.

Re:Strong encryption

[meringuoid]

If your life was saved due to someone pulling another person's (not a normal person, someone who takes joy in seeing women and children burning alive) fingernails out with pliers, would you complain?

I very much hope that I would.

I am not saying that the ends justify the means

Oh yes you are.