Schneier on Security
A blog covering security and security technology.
September 16, 2008
UK Ministry of Defense Loses Memory Stick with Military Secrets
The USB stick, outlining training for 70 soldiers from the 3rd Battalion, Yorkshire Regiment, was found on the floor of The Beach in Newquay in May.
Times, locations and travel and accommodation details for the troops were included in files on the device.
It's not the first time:
More than 120 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it was reported earlier this year.
Some 26 of those disappeared this year -- including three which contained information classified as "secret", and 19 which were "restricted".
I've written about this general problem before: we're storing ever more data in ever smaller devices.
The point is that it's now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I'd never know it.
The solution? Encrypt them.
Posted on September 16, 2008 at 6:21 AM
Why always "hands it to a national newspaper"?
Maybe it's just my military associations, but this would be handed back "quietly" to the MoD or police if I found it.
LOL! My Firefox RSS live bookmark cut the headline to:
"UK Ministry of Defense Loses Memory..."
The best story is still the one about the US military sending someone to the souks outside Bagram torture center to buy all the thumbdrives back that had been stolen by the people hired to menial work on the base.
Of course, where would the Afghans plug in a computer anyway.
I just read the linked article and there is a line where Bruce says that he doesn't think these devices could be made harder to lose. I disagree: the devices now come with a lanyard, but they should have a safety-pin-like attachment so that they could be pinned to the inside of a pocket, or a velcro side to stick them to various surfaces; this would prevent some of the slipping out of pockets. The microSD cards could be incorporated into wristwatches, which solved the loss problem long ago. In fact wristwatches were the solution to losing pocket watches, as was the little pocket on the right side of your jeans that was made for the pocket watch. I like pockets with a velcro closure; these should be inside the jacket pockets.
Even if soldiers wear little velcro pockets so they can velcro little things to avoid losing them.
They'd still find a way - especially after a night out on the piss!
I can see where you might take something like this with you by accident. Several times, after a hard day at playing war, I would return to barracks/bivouac realizing I had a KYK-13 keyfill device (think thumbdrive ca. 1980; stored less than 1k; 4 of them would be the size of a standard building brick and twice as heavy) still in my pocket and then have to trudge back to the office to turn it in.
Maybe they should mount military-use thumbdrives permanently in a large colorful (but more likely OD) carrier/housing which has an external USB connector, so the drive never needs to be extracted and would be difficult to overlook/forget.
They could even build a security system into the housing such that a password had to be entered to enable the drive. They could also put an RFID into it so that if you left the post with it, it would trigger an alarm.
For a lot of people, it's precisely that reason why it's handed to a newspaper / news. So they can't quietly pretend it never happened and the public found out how shoddy their data security is.
Why are thumbdrives necessary in this networked world?
Data that requires common access should be stored on a network drive that can be accessed from secured terminals/laptops/PDAs. Sneakernet is so 1990s.
Because you can never really be sure that everyone with access from a "secure" terminal hasn't had their system/credentials compromised either.
Either way it's a bit of a toss up. Although I would give greater odds to the USB stick being lost.
So long as you're not requiring confidential data to be on specially marked devices. Cue the now old joke of the company that sent the memo to remind everyone that confidential data must be sent in the bright red interoffice mail envelopes marked CONFIDENTIAL. Hopefully I don't have to explain here why this is a stupid idea.
Encryption is better than nothing, maybe. Where's the key stored, where is the key generated? Encrypted files make backups harder than they already are. If the key is compromised you don't know it and ALL of your files are compromised. Losing an encrypted drive does nothing to help you recover the files, and the enemy can take as long as they want to examine the drive. Once it's undone, your files are like a house of cards. And you will never know it. You think the only compromises are those that make it to the headlines? HA HA HA! Besides, even an encrypted file conveys some information to the enemy.
Choose a superior encryption algorithm? Sure it may be better than weak encryption, but you STILL need a key and it will be password based, and then you are back to the same old "chose a strong password and change it often" nuisance, and you still can't be sure someone doesn't know what it is because of a rootkit or other snoop, or your boss, or who knows. And don't forget the mere possession of an obviously encrypted file will cause authorities to treat you differently than others. If the files are encrypted everyone knows it.
And that's just the beginning! Hardware based encryption? Sure, they're expensive and very unforgiving. And the files on the drive which are theoretically safe, are not safe at all, once they leave the drive. It's like living in a bad neighborhood. Sooner or later you have to leave the house. What are you going to do when all your protection is back home?!
Store the files in some hidden volume? Yeah, like millions of people who use some free piece of downloadable software don't know about the feature. Play dumb with border authorities and see what happens.
Biometrics sucks. And how easy is it to share files with others when you are doing all this stuff? Why not destroy the files altogether and be done with it? People need to share files like never before and all these solutions come from the military. They don't care about expense and they don't care about convenience.
Central server-based solution? Yeah, like the disgruntled IT guy can't get my keys, and don't get me started about the ridiculous access control schemes companies expect you to comply with. Is the cure worse than the disease? And once everything is going back and forth in the open it gets worse. Much worse.
The only reason these solutions even SEEM to be effective is because of the sheer odds of being targeted. Like driving without your seat belt fastened. I guess you can always yell at people that it's their fault for being stupid yada yada yada. Feel better?
You better do something and do something now, because attacks are coming which are more insidious than anything to date, attacks you have never even read about.
Give it a rest, your playstation pipe dreams are getting a little old.
I always have to harp on this when Bruce brings it up, so thus begins the harping (and taking Mr. S to task):
You can't solve your data security problems just by rubbing encryption on the files. You have to have an end-to-end data security policy, the core of which should be, "if you don't need the data, you don't take it with you in any form, period."
The encryption solution is a great one, but only as part of an overall policy. Otherwise what happens is people encrypt data with weak passwords, or they write the password on the USB key itself, and then when they lose the device they report, "The device was lost, but everything is perfectly fine, because the data was encrypted!"
See what happens when you stop carrying a "big stick" :-)
"You have to have an end-to-end data security policy, the core of which should be, "if you don't need the data, you don't take it with you in any form, period."
Yep. But until that is accomplished, encryption is necessary.
If someone picks up the USB stick (or whatever) they will not be able to read it (unless, as you noted, the password is on the stick) and will probably erase it and be happy that they have a new USB stick.
Right now I am not aware of anything that correctly implements Digital Rights Management (DRM) such that machines cannot connect to your network without prior authorization ... and those machines that are authorized cannot download and store them locally.
I'm not talking about the junk DRM that the RIAA is pushing. Nor am I talking about filling the USB ports on a machine with epoxy.
IronKey? You must be kidding.
Way back in the 1960s I worked at the Atlas Computer for the University of London, when we did some top secret work on the TSR2 plane. All the operators etc. had to be vetted before the data was processed to ensure we weren't Russian spies. Then the guy in charge took all the results and dumped them in his car while he had lunch. The car was stolen; I am not sure if they ever recovered the data. Plus ça change?
haha alright. I was just waiting until somebody said something about me posting that on every post. :P
@Pat Cahalan - note the Chris Cahalin on page 26 latest issue Info Security.
Remember when copy machines were supposed to reduce paper consumed in offices? Presumably because people would think they don't need to make extra copies until needed, since it is so easy to do so. The opposite happened because users found they could just push a button, and an "oh, might as well make extra" phenomenon set in. What this has to do with deciding what you put on a USB flash drive to take with you is that users will take whatever they will conceivably need. And if the need is vague they will take it ALL. Who in the world wants to pick and choose what files should be loaded before leaving on a trip, because....they might be stolen?
And another thing, USB flash drives are big enough now that users are no longer limited to just a handful of files that they move from one machine to another. They want ACCESS to a lot more files than they will need. It's like your PC. The vast majority of files are never used, but they have to be there when they ARE needed. You want all those files to be accessible, all the time. It's not as if you really use all those files all the time. So, to say a user should pick and choose, well, it's from the same idea farm as "pick a strong password and change it often".
Yes, encryption would have prevented the guy who found the stick from figuring out it was military info and running to the press.
It does seem strange, however, that people are in a club with a USB stick in their pocket. Most people I know remove their keys and anything remotely valuable from their pockets when they go clubbing.
The simplest countermeasure for assets is to remove obvious vulnerabilities and avoid high-threat environments.
The problem with encryption is that there's no real standard format. So you can't use encryption between organisations without agreeing on the format first (and inside the organisation, you shouldn't be using removable media at all).
One way or another you end up having to put the decryption program alongside the data, whether it's a self-unwrapping zip file or the system partition on a hardware encrypted stick.
That's a rubbish approach because 1) sensible firms bar executable content on removable media, and 2) the program is often Windows-only.
We need industry push for a standard format -- the ISO encrypted partition image. How does TrueCrypt fit?
England is no stranger to seeding disinformation: one need only look to WWII to get all the stories you could want (and if that's not enough, investigate what was happening with the other principals involved).
In this case, it's probably a bona-fide breach, but that doesn't necessarily mean that all "losses" of thumb-drives, laptops, disks, etc. aren't intentional.
I'm not talking about user data, I'm talking about organizational data.
If you have bad security policy with your own files, that's largely your own problem. The organization's files are something else altogether.
There is no reason, ever, for any single user to take a copy of the *live* customer database outside of the organization unless it's a super-paranoid-super-user taking out an encrypted off-site backup copy, or an intruder making off with the database.
You're right, as far as users are concerned, "You want all those files to be accessible, all the time."
I also want a free pile of gold bars, I doubt I could convince an organization to give me that either. "What, I'll take care of it! I swear!"
Look at the history of data breaches and losses. A staggering percentage of the losses have a simply inexcusable volume of data lost, largely because someone whose job has nothing to do with security has access to *way* too much data and has no incentive or negative reinforcement in place to prevent them from unnecessarily exposing the organization's data to loss or theft.
Encryption will not solve that problem. It won't even put that much of a dent in it.
"When will they ever learn?" I just can't understand the reason for them not to use encryption. Maybe it affects the performance, or do they lack good key management procedures? It would be interesting to see where this data gets accessed, and by whom.
"We need industry push for a standard format -- the ISO encrypted partition image. How does TrueCrypt fit?"
An ISO standard would be an eventual goal; however, since the recent events with Micro$haft and their document formats I'm beginning to have little faith in some standards bodies' impartiality.
However the basic "mechanics" of such a system although fairly easily accomplished are a very minor part of the problem.
Of more importance are the "organisational issues", "key management issues", "data recovery" and such things as "cross jurisdiction" / "legislation issues".
A lot of these are above the tangible hardware and software level and are "human" issues. However one or two are real nuts and bolts issues and represent fundamental problems below that of a standard for encrypted storage, and these really do need to be addressed first.
One such can be found hiding away under the general cover of "key management issues": it is a very nasty and difficult problem which is part of "key security" and is "unintentional key leakage vectors".
Off the shelf hardware has little or no provision for the secure use of keymat. The only stuff currently appears to be more to do with DRM support than anything else and effectively places all the eggs in one basket (never a good idea).
Further, "off the shelf" Operating Systems are designed to be "efficient" in many ways and as a side effect they are unpredictable in what they do with data and mutable memory. It is not just memory swapping / paging, which can in some OSs be switched off; it's a whole raft of issues including slack space in unrelated files due to issues with data buffering, especially with the likes of journal based file systems, and unintentional RAM "burn in" making the keymat available after the system has been shut down and power removed.
To the OS your plaintext pass phrase/word and the key it generates are just bits of data that are going to be shuffled around memory by the OS as it sees fit. That is, in and out of buffers at all levels of the software and hardware stack; these buffers are rarely cleared after use and are usually of a significant size compared to an encryption key, so there is a very real danger of it being left in a memory buffer, which may or may not be used by other applications or swapped out to disk...
Simplistic solutions to the more obvious problems tend to cause other problems in other ways (protecting memory pages from being swapped out means that in all probability the key related items will always be resident in the same parts of memory, making it easier for certain types of attack).
Further, any system you put in place will in all likelihood end up being abused by developers trying to meet targets. For instance, having a mechanism whereby key related material is protected from swap means that it effectively raises its status as it is always available in RAM. How long before some developer who has a performance issue simply invokes the process to improve his software response times, and thus effectively performs a denial of service attack on the user's machine?
This unintended security token retention/leakage and the side effects of mechanisms designed to prevent it is a very significant security issue. And it has of recent times become a bit of a hot topic.
However, until OS and software developers take it properly on board, all data encryption systems for "off the shelf" systems will have feet of clay standing on shifting sands...
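The comment above describes key material being copied around by the OS and left behind in buffers or swap. The following is an added example (not the commenter's code, and not part of the original post) showing the defensive lifecycle a userland program can apply to a key buffer on a POSIX system: request that the page stay out of swap with mlock(), overwrite the bytes through a volatile pointer so the compiler cannot delete the wipe as a dead store, and verify the buffer is clean before it is returned to the allocator. The pass phrase and the toy_fill_key() routine are constructed placeholders, not a real key derivation function; mlock() is assumed to be available and is allowed to fail (unprivileged processes often hit RLIMIT_MEMLOCK). As the comment notes, pinning the key in RAM keeps it at a stable address and does nothing about copies the OS makes elsewhere or about RAM remanence, so this is one layer, not a solution.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Overwrite through a volatile pointer so the stores survive optimisation:
 * a plain memset() right before free() is routinely removed by dead-store
 * elimination because the buffer is never read again. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Returns 1 if every byte in buf is zero, else 0 (branch-free accumulate). */
static int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Allocate a key buffer and ask the kernel to keep it out of swap. mlock()
 * may fail for an unprivileged process (RLIMIT_MEMLOCK), so the result is
 * reported in *locked instead of being fatal; the caller decides the policy. */
static unsigned char *keybuf_alloc(size_t n, int *locked)
{
    unsigned char *buf = calloc(1, n);
    if (buf == NULL)
        return NULL;
    *locked = (mlock(buf, n) == 0);
    return buf;
}

/* Wipe, then unlock, then free: the bytes are gone before the page can be
 * handed to another allocation or written out to swap. */
static void keybuf_free(unsigned char *buf, size_t n, int locked)
{
    if (buf == NULL)
        return;
    secure_wipe(buf, n);
    if (locked)
        munlock(buf, n);
    free(buf);
}

/* Constructed stand-in for a KDF (NOT a key derivation function): it only
 * gives the lifecycle below some pass-phrase-dependent bytes to protect. */
static void toy_fill_key(unsigned char *key, size_t n, const char *passphrase)
{
    size_t plen = strlen(passphrase);
    if (plen == 0)
        return;
    for (size_t i = 0; i < n; i++)
        key[i] = (unsigned char)(passphrase[i % plen] ^ (unsigned char)(i * 31));
}

/* Walk the lifecycle: allocate, derive, use, wipe, verify, free.
 * Returns 1 if the buffer held material and was verifiably all-zero after
 * the wipe, 0 otherwise. */
static int key_lifecycle_ok(const char *passphrase)
{
    int locked = 0;
    unsigned char *key = keybuf_alloc(KEY_LEN, &locked);
    if (key == NULL)
        return 0;

    toy_fill_key(key, KEY_LEN, passphrase);

    /* "Use" the key: a checksum stands in for encrypting data with it. */
    unsigned int sum = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        sum += key[i];
    (void)sum;

    int had_material = !all_zero(key, KEY_LEN);
    secure_wipe(key, KEY_LEN);
    int wiped = all_zero(key, KEY_LEN);

    keybuf_free(key, KEY_LEN, locked); /* wipes again, harmlessly */
    return had_material && wiped;
}

int main(void)
{
    /* Constructed pass phrase for the demonstration only. */
    int ok = key_lifecycle_ok("correct horse battery staple");
    printf("key lifecycle: %s\n", ok ? "material wiped" : "FAILED");
    return ok ? 0 : 1;
}
```

On glibc and the BSDs, explicit_bzero() does the same job as secure_wipe() with compiler support behind it; the volatile loop is used here only so the block compiles everywhere. Note that this handles the program's own copy of the key and nothing else: the copies the comment warns about (file-system slack, device buffers, remanent RAM) are outside the process and need OS and hardware cooperation.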
Why always "hands it to a national newspaper"?
Both to ensure that those in authority can't claim it didn't happen and to protect themselves.
Maybe it's just my military associations, but this would be handed back "quietly" to the MoD or police if I found it.
What's to stop them "quietly" assuming you stole it in the first place?
"where would the Afg[h]ans plug [a flashdrive] in[to] a computer anyway."
They could plug it into one of those unencrypted laptops govt/corporations frequently lose, then transmit the data via wifi at the nearest Starbucks or McDonald's (whichever). However, I wonder what value Al Qaeda would find with a colonel's favorite roast pork recipes (or whatever's usually on those drives).
wristwatches often do not stay on wrists, though wristwatches *are* better attached than flashdrives are (not). I suggest flashram implants. To clear the data, stungun yourself. :-)
"Memory stick" is a Sony trademark for its proprietary memory-card format.
What's a generic term for USB keys? How about "USB keys"?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.