Schneier on Security
A blog covering security and security technology.
« Hackback |
| The Psychology of IT Security Trade-offs »
November 27, 2012
Classified Information Confetti
Some of the confetti at the Macy's Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways.
EDITED TO ADD (12/12): Update.
Posted on November 27, 2012 at 12:12 PM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This was mentioned on slashdot yesterday (or a few days ago, I can't remember). Even the site you linked to has an Updated story.
Summary: Nassau County police employee brought shredded confidential documents to the parade for him and his family to use as confetti. Seems pretty dumb.
The cross-cut shredder was introduced nearly 40 years ago - made famous by Oliver North in the 80s. I'm amazed there are people still using strip shredders - specially for sensitive information.
The problem is not just that they used a strip shredder, but that they used it sideways - each strip held ~one line of text so even a single strip could be meaningful.
Shredding longways means you need multiple pieces to make any sense of it.
Anybody remember that after the Iranians took over the US Embassy that they set their little old ladies to (successfully) re-assembling the shredded documents?
All together now...
"NCPD will provide identity protection services for every officer whose name was listed in the shredded documents."
But not the other victims who had their names and social security numbers litter-ally thrown to the wind?
"Nassau County Police Commissioner Thomas Dale is now deciding whether or not to take disciplinary action against the employee."
Seriously? It's not obvious? You done messed up and put undercover officers at risk and you get to keep your job?
@kingsnake: IIRC, the US embassy used "classified" shredders, that left little diamond, shaped fragments.
Figuring that nobody would ever have enough patience to reassemble the docs. Oops.
I think there was a (DARPA?) competition recently to do automated document reassembly...
Does nobody in the 'classified intelligence' world have a friend or relative who is OCD about puzzles... Strips, diamonds whatever, the more the challenge the greater the satisfaction.
An unrecoverable document is one that has been burned and composted, everything else is just protection against the lazy and under motivated.
@Loki's child: http://chenlab.ece.cornell.edu/people/Andy/...
Security is only as good as your weakest link. Train your employees to be vigilant, stay on top of best practices, continuously re-evaluate your needs; lather, rinse, repeat.
And when all else fails, thank your lucky stars when security breaches are discovered by the media, not people intent on doing harm. It remains to be seen where Nassau County PD sits on that continuum.
@Miles, Steve, et. al
I agree that it's mind-boggling that they don't use what I consider conventional shredders these days, and furthermore that they would shred them sideways.
From the updated story posted by moo:
"The department is also reviewing its document disposal procedures, and *is even considering* acquiring cross shredding machines for every police unit." (emphasis added)
I don't find that very inspiring - it suggests and strip-cut shredders are widely used. I imagine the police departments would regularly be shredding sensitive personal and operational data
I just checked the catalog of an office supply store and found that 11 of their 88 offered shredders were strip cut, less than their micro cut offerings. The strip cut units also didn't seem to be more economical than cross and diamond cut models
Snarki, did not realize they were "chippers" (as I call it) instead of strippers. Impressive. Really should be "dusters" though then, just to make sure, burnt and the ashes stirred. Of course, nowadays, rather than go through the pain of reassembling the hard copy, it would be much easier to hack the system and make soft copies ...
p.s. Hotel burglars exploit electronic lock bug: http://www.bbc.co.uk/news/technology-20507908
So the employee is at fault for bringing schredded documents - which should be possible to consider as garbage - out of the building - much the same way the garbage people would do the day after(this, of course, is speculation) - and that is the fault of the employee? No way! This is a management problem. How can the management possibly allow use of non qualified equipment (a simple line schredder) on documents that are likely to bring police officers lives in grave danger? Now THAT is the problem!
When the document has been destroyed it should be possible to distribute the remains to anyone. If the methods and equipment in the office are not good enough for that, then that is a management problem.
But lets fire and persue the employee, in stead of looking at where the real problem is - because that might be a real inconvenience when it is discovered that it is like that in many offices...
The "strip shredder" part is far more significant than the "sideways" part.
When someone hast to shred more than just single pages he hardly checks if there are some tables printed in landscape mode somewhere in between.
Plus, setting strips together is just do easy, no matter what direction as the strips will tend to stay in the right order.
So... Blaming the nameless employee is just to cheap.
A few years ago where I work, they decided that the "basmati rice" crosscut shred-size was too large and we got new shredders with even smaller output.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.