Schneier on Security
A blog covering security and security technology.
« Your Brain on Fear |
| Privacy International's 2007 Report »
January 9, 2008
Swedish Army Loses Classified Information on Memory Stick
The daily newspaper, Aftonbladet, turned the stick over to the Armed Forces on Thursday. The paper's editorial office obtained the memory stick from an individual who discovered it in a public computer center in Stockholm.
An employee of the Armed Forces has reported that the misplaced USB memory stick belongs to him. The employee contacted his superior on Friday and divulged that he had forgotten the memory stick in a public computer. A preliminary technical investigation confirms that the stick belongs to the employee.
The stick contained both unclassified and classified information such as information regarding IED and mine threats in Afghanistan.
I wrote about this sort of thing two years ago:
The point is that it's now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I'd never know it.
Also this. Although why the Swedish Army doesn't encrypt its portable storage devices is beyond me.
Posted on January 9, 2008 at 1:46 PM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The opposite is also occurring in the US. Government agencies are enforcing encrypted volumes on all computers without regard to the type of data and the use of the computer. This is adding huge amounts of overhead to agencies like NOAA that are already strapped for people time. They don't need to spend money and time on encrypting data that is already public. And the software they are using to encrypt all their windows machines is causing lots of problems and delays. Yes, some of their computers and laptops need to be heavily locked down, but blindly applying that to all computers is not smart. Being outside of these gov. agencies, I can actually get work done that civil servants can't do because of all the security restrictions.
As a Swede, I should point out that the Swedish Army is pretty dinky. We haven't been in a war since 1814 (although we do participate in a number of peacekeeping missions, such as in Afghanistan). It wouldn't be totally unfair to say that we have gotten a little complacent about our national security. Not that that is a defence or anything, of course there should be mandatory encryption on all drives with classified material.
Hope it was not on one of the new swiss army knief with USB. That would be funny.
Well, you have to remember as a nordic people, the Swedes are basically vikings. Sure, you can take their USB sticks, but who wants to face the wrath of a Viking Bezerker sacking your city?
With apologies to my Swedish Father, I'll go back to writing open source database programs and eating my herring soaked in lye.
What's worse than not encrypting the portable disk is plugging it into a public terminal.
Bruce, before even wondering about the stick being encrypted you should be wondering why a stick with classified data is being plugged into a computer in the first place.
Even if it had been encrypted, decryping and working with files on it using the public computer seems like a really bad idea.
Not to mention that you are trusting that the public computer is clean and won't infect the stick in any way.
It IS mandatory in Sweden to encrypt any sensitive data on mobile computers and portable media...
@Kenny and NetAdminGuy:
I agree completely...
What's really amusing is the fact that it was the tabloid Aftonbladet who got hold of the USB mem stick. A week or so ago a hacker group called VFH (vuxna förbannade hackare, in english: adult pissed-off hackers) managed to leak the login details for several of Aftonbladet's journalists' mail accounts, as well as facebook details (for those who apparently used the same pwd).
Read an english summare here: http://stupid.domain.name/node/514
While the USB-stick contained some classified material, it was of very low value (otherwise this contractor/researcher wouldn't have gotten access to it at all). Needless to say, he broke many rules when he put this information on a USB-stick and brought it to a public library (and plugged it into a public computer, now that’s something). I read in other more trustworthy media* that the Swedish army does in fact have strict policies in place, especially for moderately to highly classified information.
*) You should all know that Aftonbladet is a sensationalist tabloid that shouldn’t be trusted too highly. Ironically, Aftonbladet’s intranet was hacked just a few days ago, and stayed hacked for several days until the hackers published the accounts and passwords to the employees web accessible e-mail (among other awkward information). There were quite a few comic and nasty e-mails being sent from e.g. the executive editor’s account. The CIO used a six letter password, “anakin��?, which I think says quite a lot about Aftonbladet’s own IT security awareness.
This isn't Lt. Col. Super Secret losing next summer's planned troop movements. This is Cpl. Nobody who carries a thumbdrive with powerpoints of "How not to step on a mine" and a the physical fitness test scores of the 6 people on his section.
I disagree that routine drive encryption is a bad thing. There's practically zero overhead in performance or complication (if this is not true, you're using the wrong drive encryption software), and it means that you don't have to think too hard about what you're doing, which is ideal for mass-deployment among non-security-conscious people.
Sure, there are other risks which need to be mitigated in equally non-thinking ways, but routine drive encryption is part of the solution, not part of the problem.
They should have never stopped writing their important data on lutefisk.
Real simple. Nothing allowed going inside a military complex in the form of data or media. Nothing allowed going outside of the military complex. End of problem.
If that was Jack Bauer's memory stick...oh never mind
Someone anonymously wrote: "Hope it was not on one of the new swiss army knief with USB. That would be funny."
Sigh. European citizens have spent the last hundred years or so, trying to teach non-Europeans that Sweden and Switzerland are not the same.
You touch upon a very important issue, the amounts of (personal) data and their dynamics and increasing dramatically and mistakes are bound to be made. When it comes to national security this is grave, but also in terms of our personal reccords held in various insitutions. We see similair problems in the UK and on the USB front in the Netherlands as well.
@Gus : Please don't draw American attention to Europe. If they can point at us on a map they'll only want to bomb us.
@Brian Mankin: If we (the US) had wanted Europe bombed we would not have made the Nazis stop doing so.
@Bob. Thanks for helping us with the Nazi's. Sorry we lied about the oil.
I enjoy reading your broad perspective on security.
I work in this space and have started a focussed blog on the subject of protecting sensitive data.
I think you and I may have some similar thoughts?
Its at www.donondata.blogspot.com
The US military doesn't necessarily encrypt memory sticks, either. They're marked, but not always encrypted.
The swedish army uses special encrypting usb-sticks internally when they need to move data physically. The Police are now investigating why this guy used an unsecured stick in a public computer with low grade classified army documents on.
You my friend, are hilarious... keep it up.
to Cameron... I know why!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.