Schneier on Security
A blog covering security and security technology.
April 12, 2006
Military Secrets for Sale in Afghanistan
Stolen goods are being sold in the markets, including hard drives filled with classified data.
A reporter recently obtained several drives at the bazaar that contained documents marked "Secret." The contents included documents that were potentially embarrassing to Pakistan, a U.S. ally, presentations that named suspected militants targeted for "kill or capture" and discussions of U.S. efforts to "remove" or "marginalize" Afghan government officials whom the military considered "problem makers."
The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.
EDITED TO ADD (4/12): NPR story.
Posted on April 12, 2006 at 6:25 AM
I suppose we should be shocked by this, but I guess by now we expect this sort of thing...
I will make a guess that the HDs were from MS OS laptop systems probably running 2000 or XP, in which case there would be little or no excuse for not employing encryption.
The bazaar sales of hard drives with ... eh... interesting data on them cuts both ways.
A couple of years ago, a reporter purchased some hard drives in Afghanistan and found some Al Qaeda documents on them. He wrote a report about it that was published in The Atlantic Monthly. See http://www.theatlantic.com/doc/200409/cullison
By the way, the print edition had some screen shots that weren't in the online version of the article. Interesting cultural glimpses.
A great way to dissimulate disinformation. The traditional method of "lost orders" left in a rucksack seems so 1800.
"A great way to dissimulate disinformation. The traditional method of 'lost orders' left in a rucksack seems so 1800."
I think it was George Carlin who once said "Military Intelligence, is an oxymoron"
"hard drives filled with classified data"
The article refers to USB-style flash drives, which are a lot easier to hide, some being little bigger than two thumbnails in size.
However you would think that the M.I. types would at least know when they had lost one...
"A great way to dissimulate disinformation. The traditional method of 'lost orders' left in a rucksack seems so 1800."
Or is Ispy spreading MORE disinformation, to convince people that the real classified data is actually faked classified data so whoever has it will ignore it because they think it's fake?
Man, I gotta sit down...
They are supposed to know, because classified military equipment (COMSEC) is all supposed to be inventoried, kept secure (aka in a safe, or a secure area) and checked on a regular basis. COMSEC is a serious matter and I bet some people at Bagram are in big trouble right now.
"flash memory drives taken from military laptops" sounds like an oxymoron -- if it's flash memory, it's not "taken from a laptop", it's just a drive; if it's "taken from a laptop", it's usually some kind of internal component (either RAM or HD).
After all these years the "almighty CIA" myth is so shattered that I find it difficult to believe this is carefully-crafted disinfo; a successful disinfo effort would end up in a payoled Afghan or Middle Eastern paper, not a US one.
Anyway, it's hilarious to see that even the military won't use the basic Windows encryption... probably since it's so unreliable :D
I agree the loss of this data is unacceptable and someone will have some questions to answer...
The article doesn't lead me to believe that there has been a Communication Security (COMSEC) compromise.
According to NSTISSI 4009, COMSEC is, "Measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material."
Ahh, is this missing in the Los Alamos sense? As in, it never existed?
Digital Dissimulation Authentication - What is required is a dissimulation authentication scheme of digital signatures so as to distinguish the documents which may actually be mil-int or a falsified facsimile thereof. The protocol should give fuzzy matches, such that ~90% = the gov't may really be behind this sh*t; ~60% = someone's jerking us off; ~20% = damn kids!; ~5% = someone get President Dean his lithium.
You think the govt cares about the security of the troops? or their privacy?
The govt only cares about looking good enough to keep recruiting goals met.
You know that I know that I know that you know that the falsified leaked classified documents are really not real? 'Scuse me while I grab my lost shaker of salt.
I would imagine that these documents could easily have been forged. What's to prevent the seller, or the US Government even, from filling a hard drive with falsified or mixed true/false information in hopes of misdirecting enemies?
"equipment is all supposed to be inventoried"
What is the betting that there are insufficient laptops / PCs out there and the troops have bought their own data storage, and are sharing the computers...
They lose one and they think "t'is that shifty Cptn Smith, he's always nosin arnd peps kit, bet he's swiped it"
I can see endless fun coming out of this story.
I think it's not out of the realm of possibility that they could be forged. However, from my Air Force experience, it is more likely that the explanation presented in the story is closer to the truth.
I've seen more than a few instances where well-meaning but misinformed people discarded storage media without degaussing or (better yet) destroying.
"Of two equivalent theories or explanations, all other things being equal, the simpler one is to be preferred" -Occam's Razor (Restated).
COMSEC material is not the only kind of classified material. COMSEC material is material related to cryptography. Anything can become classified material in the right circumstances, even the daily chow hall menu.
I am told from guys serving over in Iraq and A'stan that there is minimal inventory control even on gov't assets. And you can indeed find HDDs, not just flash drives, for sale in local markets. No one uses encryption, no one seems to think about securing their assets so they get stolen and left behind, etc.
Also, everyone just tosses out all sorts of paper. Old briefings, bills with your name and SSN on them, etc. Not too much data mining would reveal a lot about the soldiers and their families. Could this be exploited in a military sense? Probably.
...because the easiest way to get 700 social security numbers is to fly to Afghanistan, find the right bazaar, find the right merchant within the bazaar, buy some old hard drives, then search them for documents containing social security numbers. That's so much cheaper, safer, and easier than just spamming out an email to 1,000,000 people asking them to reply with their social security number, and taking advantage of the fact that 700/1,000,000 is a tiny fraction of the average rate of idiocy on the internets.
Just because we have the most powerful military on the planet, does not mean that we can afford to neglect basic security procedures.
Too much security bureaucracy is as dangerous as too little. If the soldiers cannot get the tools to do their jobs because of excessive bureaucracy disguised as security, they will go out and procure their own . . . which will then not be held to any security safeguards. This is the classic, "Do we use the official CEOI which we know has already been compromised, or the homemade cipher which enemy crypto might be able to break in an hour or less?"
Simple, draconian rules seem to be the best answer to this sort of problem. "No flash drives allowed unless they are XYZ brand with a fingerprint reader, which is for sale cheap at the PX in large numbers."
Or better yet, "Portable media lives in safes or sealed envelopes in your duffel, not in yesterday's pants pockets."
These particular 700 are of great interest because they happen to be in Afghanistan at the moment and are probably way too busy to check their credit reports . . . not to mention being terrorist targets in their own right.
I don't see anything in the article that specifically states the members were present in Afghanistan at the time the information was found.
Now, if I wanted to turn this to a movie-plot... I'd develop a plot where a terrorist organization used the data to go take the servicemember's family hostage in the US. Hey, is that movie-plot contest still open?
From the article: "The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names."
I suppose the deployment rosters could be "old" and apply to previous years. If I were a soldier listed on such a roster, I'm not sure that I would feel any better.
I'd movie plot this problem the other way: the use of SSNs to get the credit cards to finance the terrorist acts, charging the bags of fertilizer and diesel fuel to kill the deployed soldier's family to his "own" credit card . . . much like charging the dead man's family for the bullet you executed him with.
Uhm, think about it from Al-Qaeda's view. It's actually a lot easier to walk down the street to the bazaar and buy all the HDDs.....
Agreed - I don't think I'd feel a lot better about it. Just as I wasn't pleased when (as an active duty servicemember) my personal (and medical) data was stolen from TriWest Healthcare facilities a few years ago (pre CA SB1386).
Not a bad reversal on the movie plot. Although, I think I'd still prefer mine - it would have a bigger emotional impact.
Sorry... I reread your movie-plot. Your spin would have a bigger emotional impact IMHO.
In the days of paper it was easier, you gave the secret to the squaddie then watched while they memorised it, ate or burned it (not many photocopiers in the field)
Now, they copy it onto their personal flash with the family photos, email it to the squad via the regimental net .....
And the Sgt Bilkos of the military world see an asset with a value (without regard to possible contents)
Scratch "COMSEC", read "OPSEC"
Sorry, we usually just say "COMSEC" when we mean "classified stuff that goes in the safe". (I am active duty Air Force and work in communications - most of what I deal with is COMSEC) Anything classified SECRET, for example, is controlled - it has a red SECRET sticker (mentioned in the article) and is on an inventory sheet in the workcenter who owns it. (aka - the comm squadron at the base) This includes flash drives, laptop hard drives, external USB hard drives.. anything that stores SECRET material, or is hooked to the SIPRNET. Everywhere I've worked, this stuff has been tightly controlled. (checked on a regular basis, kept in one location etc)
@Clive - troops would not be using personal bought items on the SECRET side - or should not be, anyway.
What I'd like to know is why, in this case and in the case of the missing/stolen laptops from auditors that we've heard about recently, are social security numbers being distributed to workstations? Even worse is that this info is winding up on portable workstations.
Seems to me SS#s should be used for HR & tax purposes only and not be distributed anywhere else. Auditors have no business getting the SS#s of employees and neither do field level US Gov't staff. Internal employee ID numbers should be used instead if you absolutely have to have a number. If staff actually need to see a SS# then it should be done by accessing the central HR server and not by downloading to a local spreadsheet.
Unfortunately the SSN replaced the military serial number many many years ago and is the only tracking number for military service members now. Meaning it's used for all sorts of stuff it was never intended to be used for.
Every time I hear about SSNs being disclosed as an identity theft risk I get really angry.
Not because of the disclosure of this information but because the government and industry continue to ignore the fact that using SSNs and other personal information for identity authentication is stupid!
We have the technology to create much stronger authentication methods but no will to implement them.
Releasing SSNs, driver's license numbers and birth certificates should only be an invasion of privacy, not an identity theft risk. I.e. knowing Brad Pitt's SSN, CDL, DOB and mother's maiden name should be no worse an identity theft risk than knowing whether he had captain crunch or cheerios for breakfast.
Of course having a decent encryption based authentication infrastructure will require the public to TRUST some components of the infrastructure
e.g. perhaps my bank is the issuer of authentication credentials. They might require that I let them take a picture and fingerprints before issuing the credentials.
Effective identity theft is founded upon the fact that current authentication technologies are piss poor.
When people stop using mother's maiden names, SSNs and birthdays and start using authentication that is founded on photographs, fingerprints and perhaps even DNA samples then identity theft will become much less lucrative.
I would rather someone beat out of me (or ask for) my PIN than cut my finger off.
@ Tom Chiverton
> I would rather someone beat out
> of me (or ask for) my PIN than cut
> my finger off.
I'm not saying we should have automated fingerprint readers everywhere. They might be a good idea but that is not what I'm proposing.
What I'm proposing is that an authenticating agency issues me a smart card that I use to generate digital signatures. This smart card might still be unlocked by a PIN so you might still allow the thief to beat your PIN out of you. (perhaps this could be a sales pitch for a particular brand of smart card)
A thief will then need to generate my digital signature to impersonate me. This is much harder than discovering my SSN, DOB, etc...
The obvious first place to attack this scheme is to get a new smart card issued to the thief.
Here is where I propose using fingerprints and various other intrusive biometrics: the card issuing agency, as a condition of issuing the card, takes fingerprints, DNA, photographs, video of this data being collected etc. If you want to get a new smart card issued you had better have my biometric data.
With this scheme you might go years between getting new smart cards issued, in which case you would go years between having your biometric data collected. Of course this root authenticating agency should guard my biometric data zealously and only use it for authenticating me when I ask for a new card.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.