Sensitive Super Bowl Security Documents Left on an Airplane
A CNN reporter found some sensitive—but, technically, not classified—documents about Super Bowl security in the front pocket of an airplane seat.
A CNN reporter found some sensitive—but, technically, not classified—documents about Super Bowl security in the front pocket of an airplane seat.
(required) • February 5, 2018 4:15 PM
The anti-CNN crowd will be tripping over themselves to declare them fakes by virtue of the messenger.
It is interesting and/or reassuring that they reveal a front-line program to detect aerosolized biothreats as that IS in fact “your tax dollars at work” – doing a job you very much would want them to do I might add – despite Libertarian rhetoric or “free-market” trope-based protections from Anthrax as some seem to shelter in.
Brad • February 5, 2018 4:26 PM
The documents were FOUO, so by definition they weren’t classified. Who cares.
Matiasv • February 5, 2018 4:35 PM
It would be safe to assume that he did not consider the document important enough to keep track off during the flight. A true problem in the organisation’s infosec training program.
Tarus BALOG • February 5, 2018 4:36 PM
While this is notable because of its content, people leave sensitive information in the seat back pockets without realizing it. I wrote a post awhile back about it:
https://www.adventuresinoss.com/2017/05/07/privacy-and-trash/
I often find discarded boarding cards which reveal quite a bit about the traveler, or sit next to people doing a Powerpoint presentation for public companies with unreleased sales figures, etc. This comes from a general lack of understanding about security combined with apathy.
Matiasv • February 5, 2018 4:50 PM
Information classification is only a tool to help officials for understanding which information should be kept of / should be protected (and to give legal repercussions if related duties are neglected). A plenty of sensitive information is stored inside employee’s memories and unclassified notes and recordings (as this particular paper)
I am currently writing my BBA of Security Management thesis titled as InfoSec handbook for managers. One of the important subjects I wanted to bring up was that only the data is important, not the form it has taken. Employees have to be able to measure and realise the worth of information (risk assessment) so they have a chance of protecting it (and to classify it correctly). There is a long way to go there…
Clive Robinson • February 5, 2018 5:12 PM
Hmmm,
Sensitive Homeland Security documents … were found by a CNN staffer in the seatback of a commercial plane, the media outlet reported.
Why do I find this “just to convenient”, that is if I heard it in a court case from an LEO my brain would automatically say “Parallel Construction”…
Thus I find myself asking, is the CNN staffer covering up a source, or were they actively tracking the person for various reasons?..
Because my experience from when I used to fly regularly prior to 9/11 suggests that the story is odd. I used to always look in the seatback pocket, and for point to point flights I’d only find the in flight mag, the emergancy instructions and duty free order form… It was only occasionally on connecting flights that I ever found anything, and at most it was a newspaper or pen or realy bad paperback novel.
Unless the aircraft “cleaning staff” have realy gone down hill in the last decade and a half, my “hinky sense” is waving a large warning flag that something is just not right with the story…
Arline • February 5, 2018 5:17 PM
@Tarus BALOG:
While this is notable because of its content, people leave sensitive information in the seat back pockets without realizing it.
They must have been aware they were reading it where people could see.
Perhaps the easiest and cheapest way to get sensitive information is to ride a commuter train and sit behind someone with a laptop. I’ve seen people editing ostensibly-confidential contracts, heard them talking about business deals, etc. Or just walk by a building and aim a camera in the window. A local lawyer’s office had divorce documents laying face up (until they saw me reading them… but they were back the next day).
hmm • February 5, 2018 6:51 PM
@ Clive
“Unless the aircraft “cleaning staff” have realy gone down hill in the last decade and a half”
Well yes, since you asked. They have. It’s a low end job in this economy. Happens all the time.
I personally found a couple 3-ring binders that fell out of the back of a passing van about a dozen years ago. It turned out they were the local disaster response team rosters, response codes, resources, telephone numbers, the whole shebang. Everything a troublemaker could possibly want and more. I didn’t work for CNN at the time – would it pique your conspiracy antennae the same way if I had? I simply called up the local fire chief and returned them, they were grateful enough about it. Case closed, no expose.
Moral of the story – stupid stuff like this happens all the time. I’d not lose more sleep than usual.
Anon • February 5, 2018 8:05 PM
@Clive: when I read “CNN” and “classied documents in seat back pocket of airline”, I also thought “what are the chances?!”.
I think it stinks.
Security Sam • February 5, 2018 9:07 PM
Super Bowl anti-terrorism documents
For Official Use Only plan
Can be used as aggregate
To find a hole in one.
22519 • February 5, 2018 11:12 PM
What we see going on in the security sphere, as far as the United States goes, is systemic failure. Cast your thoughts back to 9-11, how two of the attackers were issued visas, new and shiny, after their names were known, after the towers fell. It is not just a clear example of how people on the inside sometimes do a nosedive, it is an example of the astonishing failure of a system, as if there were no leaders.
This seemingly small compromise on an airplane is just one example of a big problem.
In today’s news on CNN there is a piece about how the Pentagon labeled the entire Korean Peninsula as North Korea–and Taiwan as part of China–in a nuclear report. Well, I hope we at least have the transgender bathroom issue solved at the Pentagon. Anti-sexual harassment training is going well. Anti-self harm training has had results that compare favorably to previous results, according to many. At least we are on the right track. Did you see the Superbowl? What funny commercials! YUK-YUK
Tut-tut, someone might say. People make mistakes.
That is certainly true, but would this kind of thing happen in China or Russia, and would it get reported? The mere fact of it being reported is damaging, and could be seriously bad. The threat was real enough to spend the money, organize a plan, and take precautions. I think the likelihood of such a compromise happening or being reported in Russia or China is much less, and that is a problem. People on the inside in the US are sometimes not engaged enough/care enough/etc. to take their jobs seriously. Why is that? If Snowden were Russian and he had eloped to Washington D.C. with 7 terabytes of RU goodies, do you think the Russkies would have let his girlfriend go cuddle him and have pillow talk in Arlington? I really doubt it.
Security is not being taken seriously enough, compromises are not punished hard enough, and a lack of awareness and responsibility seems to have become endemic.
Tut-tut!
Really? 1. OPM- the entire database of US people with clearances, personal information, interview information, got compromised. 2. Snowden- 7 terabytes? Downloaded from… WHOM did you say?
Question: what’s next? Stay tuned folks.
"Treasonous" he says of those who dare not clap. • February 5, 2018 11:22 PM
“as if there were no leaders.”
In the place of leadership we have people undermining security for politics as quickly as able.
Treason requires a named enemy in time of war. That’s really all that prevents the title being applied.
22519 • February 5, 2018 11:36 PM
@Matiasv
“Employees have to be able to measure and realise the worth of information (risk assessment) so they have a chance of protecting it (and to classify it correctly).”
I don’t mean to step on your toes, and I am quite sure you have a very good grip on this topic, but I just want to add a little bit to what you said.
Right, some employees measure the importance of information. They are usually people with a special kind of authority. The U.S. does not classify information according to its worth, in the broad sense. It classifies information according to how much damage it might do if compromised, right?
The phrase “risk assessment” is done in information management, yes, but it is more often applied to mission planning–a matrix that helps leaders see what is really of concern and whether steps have been taken to mitigate risk.
keiner • February 6, 2018 2:31 AM
FAKE news! So SAD!
wheiner • February 6, 2018 2:52 AM
The “sad!” here is conservatives selling their integrity to a known fraud as they run from reported fact.
Evan • February 6, 2018 3:02 AM
This is another consequence of “movie plot” style risk assessments. TV and movies are filled with examples of information theft occurring through comparatively exotic means – cat burglars, moles, sleeper agents, sophisticated hackers, etc – but the reality is that there are much, much greater security risks contained in far more mundane activities like, like working on a plane or train.
To everyone thinking this was a leak CNN is covering for, why would they? There’s nothing particularly newsworthy in knowing that local and Federal agencies have contingency plans for terrorist attacks against major public events. That the characteristics of a security program are so carelessly handled is the story here, not the actual contents of the brief.
No more actors. • February 6, 2018 3:24 AM
https://theintercept.com/2018/02/05/mitch-mcconnell-elaine-chao-offshore-paradise-papers/
What do we do about blatant, baldfaced abuses of power, law and country?
I suppose CNN dug this obvious truffle up also? These people are criminals.
Want to feign outrage about a few pages of a non-classified (but sensitive) program being found?
Get in line.
Larry • February 6, 2018 3:56 AM
@No more actors
“What do we do about blatant, baldfaced abuses of power, law and country?”
Answer,nothing! Look at Obama & the Clintons!
Peter A. • February 6, 2018 4:01 AM
“This exercise was a resounding success and was not conducted in response to any specific, credible threat of a bioterrorism attack […]”
Security theater by definition. No credible threat, but ex[tp]ensive exercises were conducted anyway, with a “resounding success”, of course.
This is how tax money is used to line the pockets of the bureaucrats and their cronies. In the U.S. and elsewhere as well.
Shemp • February 6, 2018 4:10 AM
@ Larry
It’s funny, you never actually convicted them of anything despite all your crying.
Maybe if you had something real? Try that sometime.
Mueller is REALLY about to indict your sitting dictator.
REALLY.
Paul • February 6, 2018 4:33 AM
The question is asked above: what next?
What came to mind was “Reichstag fire?”
But, of course, that won’t happen. Not because the US doesn’t have a Reichstag, but because the GOP makes such things unnecessary.
The US is well on the way to a “managed democracy” where extraordinary measures will be taken to defend the country against fake threats, while real ones are ignored.
Me myself • February 6, 2018 6:00 AM
I have no trouble believing that a DHS guy stupidly left sensitive documents where anyone could find them. But of all the people who could have found them, how convenient it is that it was a CNN reporter?
Doesn’t it strike anyone as a formidable coincidence that this reporter “happened” to take a look at one of the plane’s backseat pockets and it just “happened” to be mr. Walter’s former seat? Or maybe this reporter feels compelled to go through every seat’s pockets in all flights he boards in which case he needs psychological/psychiatric assistance for his OCD immediately. It would still be a coincidence (albeit smaller) connecting his and mr. Walter’s presence in the same plane at the same or consecutive flights, mind you.
Anyway, totally not fake news, nosiree, absolutely just a coincidence… just a bizarre coincidence… more like a miracle really.
TheInformedOne • February 6, 2018 9:35 AM
This is a new form of social engineering called “Dumbass”. Hackers wish they could employ this technique with better control and regularity, but who’s complaining when the secrets just sometimes fall into your lap?
Matiasv • February 6, 2018 9:36 AM
//Right, some employees measure the importance of information. They are usually people //with a special kind of authority. The U.S. does not classify information according to //its worth, in the broad sense. It classifies information according to how much damage it //might do if compromised, right?
We use the same definition here. The easiest way to measure the value of data is the damage it could cause when exposed. Totally agreed.
//The phrase “risk assessment” is done in information management, yes, but it is more //often applied to mission planning–a matrix that helps leaders see what is really of //concern and whether steps have been taken to mitigate risk.
It is usable term in measuring any risk in security or safety. My point was that the owner of the data has to be made to deeply understand the value of information and his valuable knowledge about it so he feels duty bound to safeguard it by best of his ability. (if you daily go through confidential material it becomes mundane to you)
When ever you see at 1st class flight an executive working a document about a future company fusion or an unlaunched tech-device you know that the ‘deep understanding’ has failed.
(required) • February 6, 2018 12:50 PM
@ Matiasv
“The easiest way to measure the value of data is the damage it could cause when exposed”
That’s a fair take I think. So let’s analyze this as you describe?
It’s only really “bad” if these details were to fall into the hands of a terrorist that was actively plotting to use aerosolized (or similar) delivery systems of bioweapons – which narrows the field considerably, doesn’t it.
Unlike a zero-day vuln or compromising exposed online secret, this “leak” was limited to one physical copy and contained physically. So far a CNN staffer and a few folks around them have seen it, and they did not report on the specific contents beyond the summary. So really, what data has “escaped” here? Not much.
To my eyes the takeaway is disclosure of the aerosol bioterror sniffing program itself, and the (expected) existence of contingency plans in case of a bioterror emergency involving a large public gathering like the *bowl… perhaps the forgetfulness or incompetence of a certain unnamed DHS agent… but that’s pretty much it, right?
Really it’s unclear that any of this info would have greatly aided a terrorist effort in the first place. That’s possible but actually unestablished here. Certainly a bioterror event would be plenty bad regardless of the first response coordination effort. So while it’s obviously concerning that such details could be carelessly left on a plane, it’s really not the great disclosure of “actionable information” that some pizza-minded conspiracists might decry as part of their usual anti-government spiels.
MarkH • February 7, 2018 2:08 AM
22519 wrote, “I think the likelihood of such a compromise happening or being reported in Russia or China is much less …”
Given the predominance of state-controlled news sources in those countries — and in China, an extensive system for overt censorship — I likewise expect a much lower probability that this type of embarrassing incident would be reported.
However. I’m aware of no evidence that security personnel (or any other major category) are more competent or disciplined.
Russia has a long history of humiliating failures which might easily have been averted, and a tradition of trying to conceal them. Russia has also maintained a heavy investment in its security and intelligence services, but the resulting depth of capacity doesn’t imply freedom from error and failure.
In “the movie version” of security services, the lesser degree of restraint may lend an appearance of potency to the secret services of authoritarian or totalitarian regimes, as compared to their western counterparts.
Me myself • February 7, 2018 5:46 AM
@nutbar anyone?
Hahaha you’re missing the mark by a looong shot my friend. Starting with your assumption that I have ever watched Fox News. Probably has something to do with the fact I’m not even USAmerican. I also have no idea who this Hannity person might be. But I really don’t fly that often, you got that right.
I don’t care whether this particular CNN employee’s job description says he’s not a reporter. Might as well be janitor or elevator operator for our line of thought. Let’s suppose this staffer does such activities regularly. How much useless stuff do you think he must have come upon until he hit “gold”? Given how many passengers board US flights everyday, even if these thousands CNN employees were occupied with nothing but scouring planes they had a far higher chance of NOT finding anything because whenever a screwup happens it was in a different plane. Or maybe CNN does actually have 87000 employess (I did a quick googling; numbers might be outdated. Domestic flights only, to make it easier) whose only job is to fly everywhere waiting for the opportunity to go through every pocket in the plane. CNN must spend quite a fortune on airline tickets hunting for these stories.
And what do the flight staff think of it? Are they okay with some random guy that refuses to leave the plane until he goes through every pocket?
It’s bizarre to think that someone does such activities in an “active search for stories”. There is a chance it will happen in a particular plane as it has of happening anywhere else. You might as well go dumpster diving in a random Washington street, after all who can’t say there won’t be misplaced ultra secret Pentagon documents in the bottom?
— OR —
Maybe this wasn’t a random opportunity encounter. Maybe this staffer had a specific goal on Mr. Walter, tailing him and waiting to see if he would forget sensitive documents behind. That’s another bizarre theory because it would imply that CNN keeps people whose duty is to follow government employees waiting for something to report. In this scenario Mr. Walter is being stalked in every café and store he goes to (because the screwup doesn’t have to happen in a plane) yet he did not call the cops on a guy that kept following him everywhere? Did this staffer get some sort of ninja training? Mossad spy academy?
Occam’s razor says my “conspiracy theory” is less bizarre than either of these and thus has a better chance of being right. Your call.
EvilKiru • February 7, 2018 1:56 PM
Occam’s razor says that the simplest possible explanation is likely correct and the following is certainly simpler than any of your 3 stories:
VinnyG • February 7, 2018 3:04 PM
@Arline – think of what could be learned by the underpaid security drone who monitors the video in very public places…
VinnyG • February 7, 2018 3:08 PM
@Security Sam – it’s a shame for your little verse that this didn’t happen at the PGA Tournament instead…
VinnyG • February 7, 2018 3:09 PM
@22519 +1 There are no leaders, only opportunistic posturing parasites…
Clive Robinson • February 8, 2018 8:27 AM
@ EvilKiru,
4. Because person B works at CNN, person B passes the papers on to a CNN reporter and the papers enter the news cycle.
This is the part of your argument that fails “Occam’s razor”. The simplest arguments are,
The probabilities are higher than yours for obvious reasons.
The thing is it’s actually fairly easy for the DHS to lookup exactly who was on the flight, the seat they were asigned to, when their ticket was booked, by whom and who payed for it, where they got on and off etc.
I suspect they already have looked this up so lets wait and see what happens next.
There of course is another option which is the whole “found in a seat pocket” argument is bogus, a bit of parallel construction etc. Which of course leaves the question of by whom.
Which brings up a fundemental point about Occam’s razor, it’s not designed to be used on sentient beings for exactly the faux / parallel construction reasons. That have long been beloved by various IC entities for “red flag” operations that long ago were refered to as “the smoke and mirrors of the great game”.
Ratio • February 8, 2018 8:52 AM
Occam must be slitting his wrists with his misunderstood razor by now.
EvilKiru • February 8, 2018 5:30 PM
@Clive: I’d wager that the logistics of arranging to be in the same outbound seat as an inbound passenger is of much higher improbability.
Clive Robinson • February 9, 2018 6:44 PM
@ EvilKiru,
I’d wager that the logistics of arranging to be in the same outbound seat as an inbound passenger is of much higher improbability.
I’d certainly not make that wager… In part because in the past I’ve been able to book specific seats that are shown as vacant on connecting flights. Thus even not knowing what seat a target is in just which flight they are going to get on and the connecting point they get off at will enable you to find out which seats are occupied only for that part of the flight. Which might be very few. Further if the target is traveling alone or with someone else will allow you to whittle that down further.
But it is also possible to simply ask somebody who has access to the full passenger manifest. Which since 2001 and US political demands includes one heck of a lot of people. Even simple social engineering may work if you book a seat through the airline it’s self.
But it might supprise you to look back at a legal case in 1993 between the UK’s “British Airways” and “Virgin Alantic” you will find that Virgin caught BA getting at the VA passenger manifest by computer hacking and bin-diving and then offering VA passengers upgrades or other perks to fly with BA instead,
For some reason people outside the industry think getting access to pasenger manifests is difficult, history shows it was not, even prior to 2001.
@ Nutbar Anyone,
Probabilities do not factor in to real-world events, only approximations or predictions of them. Occam’s razor says the simplest straight line is often the case. It does not prove it always is.
Probabilities factor into most things that involve “behaviour” or “actions in response to stimuli by non deterministic actors”. They also apply to determanistic but complex events such as applying thermal energy to working fluids. So they do feature in both “free will” and “determanistic” real-world processes.
What probability can not do is predict single instances of truly random processes and determanistic processes where an observer can not determin the process in use, only the likely hood of an action occuring over a suitable number of events.
As for Occam’s Razor there are various definitions none of which rule out probability for good reason[1].
You will often hear it expressed as,
Thus the usual argument is that of “Parsimony”[2] which is sometimes taken as impling the minimizing of the number of inductive / hypothetical steps. However it can also compare a step with another step and thus rule in favour of the more probable step, as “unnecessarily multiplied” can be applied either way.
[1] Occam’s, or more correctly Ockham’s razor is a principle attributed to the 14th century Scholastic philosopher, logician and Franciscan friar William of Ockham. Ockham being a rather nice English country village North East of Guildford in the county of Surrey where he was born in 1285, and is any easy bike ride from where I was born. If you think about it William formulated his idea seven centuries ago. As far as we know back then chance had not been studied in Europe let alone England within the rigours of mathmatics or logic. Thus what we now call “probability” as a branch of philosophy or mathmatics was probably unknown to him. The development of the mathematical methods of probability in Europe is believed to have first been discussed in the known letters of correspondence between Blaise Pascal and Gerolamo Cardano, Pierre de Fermat in the mid 1600’s over three centuries after William had formulated his razor.
[2] From the online English Oxford Dictionary, relating “Occam’s Razor” to “The Principle of Parsimony” or “stingyness”,
Which again does not state either the number of inferences or their probabilities, thus leaving it as an open choice. But does show it’s use in “real-world” behavioural activities.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Ed Bear • February 5, 2018 4:02 PM
Your tax dollars at work.