Sensitive Super Bowl Security Documents Left on an Airplane

A CNN reporter found some sensitive -- but, technically, not classified -- documents about Super Bowl security in the front pocket of an airplane seat.

Posted on February 5, 2018 at 3:46 PM • 42 Comments

Comments

(required)February 5, 2018 4:15 PM

The anti-CNN crowd will be tripping over themselves to declare them fakes by virtue of the messenger.

It is interesting and/or reassuring that they reveal a front-line program to detect aerosolized biothreats as that IS in fact "your tax dollars at work" - doing a job you very much would want them to do I might add - despite Libertarian rhetoric or "free-market" trope-based protections from Anthrax as some seem to shelter in.


MatiasvFebruary 5, 2018 4:35 PM

It would be safe to assume that he did not consider the document important enough to keep track off during the flight. A true problem in the organisation's infosec training program.

Tarus BALOGFebruary 5, 2018 4:36 PM

While this is notable because of its content, people leave sensitive information in the seat back pockets without realizing it. I wrote a post awhile back about it:

https://www.adventuresinoss.com/2017/05/07/privacy-and-trash/

I often find discarded boarding cards which reveal quite a bit about the traveler, or sit next to people doing a Powerpoint presentation for public companies with unreleased sales figures, etc. This comes from a general lack of understanding about security combined with apathy.

MatiasvFebruary 5, 2018 4:50 PM

Information classification is only a tool to help officials for understanding which information should be kept of / should be protected (and to give legal repercussions if related duties are neglected). A plenty of sensitive information is stored inside employee's memories and unclassified notes and recordings (as this particular paper)

I am currently writing my BBA of Security Management thesis titled as InfoSec handbook for managers. One of the important subjects I wanted to bring up was that only the data is important, not the form it has taken. Employees have to be able to measure and realise the worth of information (risk assessment) so they have a chance of protecting it (and to classify it correctly). There is a long way to go there...

Clive RobinsonFebruary 5, 2018 5:12 PM

Hmmm,

Sensitive Homeland Security documents ... were found by a CNN staffer in the seatback of a commercial plane, the media outlet reported.

Why do I find this "just to convenient", that is if I heard it in a court case from an LEO my brain would automatically say "Parallel Construction"...

Thus I find myself asking, is the CNN staffer covering up a source, or were they actively tracking the person for various reasons?..

Because my experience from when I used to fly regularly prior to 9/11 suggests that the story is odd. I used to always look in the seatback pocket, and for point to point flights I'd only find the in flight mag, the emergancy instructions and duty free order form... It was only occasionally on connecting flights that I ever found anything, and at most it was a newspaper or pen or realy bad paperback novel.

Unless the aircraft "cleaning staff" have realy gone down hill in the last decade and a half, my "hinky sense" is waving a large warning flag that something is just not right with the story...

ArlineFebruary 5, 2018 5:17 PM

@Tarus BALOG:

While this is notable because of its content, people leave sensitive information in the seat back pockets without realizing it.

They must have been aware they were reading it where people could see.

Perhaps the easiest and cheapest way to get sensitive information is to ride a commuter train and sit behind someone with a laptop. I've seen people editing ostensibly-confidential contracts, heard them talking about business deals, etc. Or just walk by a building and aim a camera in the window. A local lawyer's office had divorce documents laying face up (until they saw me reading them… but they were back the next day).

hmmFebruary 5, 2018 6:51 PM

@ Clive

"Unless the aircraft "cleaning staff" have realy gone down hill in the last decade and a half"

Well yes, since you asked. They have. It's a low end job in this economy. Happens all the time.

I personally found a couple 3-ring binders that fell out of the back of a passing van about a dozen years ago. It turned out they were the local disaster response team rosters, response codes, resources, telephone numbers, the whole shebang. Everything a troublemaker could possibly want and more. I didn't work for CNN at the time - would it pique your conspiracy antennae the same way if I had? I simply called up the local fire chief and returned them, they were grateful enough about it. Case closed, no expose.

Moral of the story - stupid stuff like this happens all the time. I'd not lose more sleep than usual.

AnonFebruary 5, 2018 8:05 PM

@Clive: when I read "CNN" and "classied documents in seat back pocket of airline", I also thought "what are the chances?!".

I think it stinks.

Security SamFebruary 5, 2018 9:07 PM

Super Bowl anti-terrorism documents
For Official Use Only plan
Can be used as aggregate
To find a hole in one.

22519February 5, 2018 11:12 PM

What we see going on in the security sphere, as far as the United States goes, is systemic failure. Cast your thoughts back to 9-11, how two of the attackers were issued visas, new and shiny, after their names were known, after the towers fell. It is not just a clear example of how people on the inside sometimes do a nosedive, it is an example of the astonishing failure of a system, as if there were no leaders.

This seemingly small compromise on an airplane is just one example of a big problem.

In today's news on CNN there is a piece about how the Pentagon labeled the entire Korean Peninsula as North Korea--and Taiwan as part of China--in a nuclear report. Well, I hope we at least have the transgender bathroom issue solved at the Pentagon. Anti-sexual harassment training is going well. Anti-self harm training has had results that compare favorably to previous results, according to many. At least we are on the right track. Did you see the Superbowl? What funny commercials! YUK-YUK

Tut-tut, someone might say. People make mistakes.

That is certainly true, but would this kind of thing happen in China or Russia, and would it get reported? The mere fact of it being reported is damaging, and could be seriously bad. The threat was real enough to spend the money, organize a plan, and take precautions. I think the likelihood of such a compromise happening or being reported in Russia or China is much less, and that is a problem. People on the inside in the US are sometimes not engaged enough/care enough/etc. to take their jobs seriously. Why is that? If Snowden were Russian and he had eloped to Washington D.C. with 7 terabytes of RU goodies, do you think the Russkies would have let his girlfriend go cuddle him and have pillow talk in Arlington? I really doubt it.

Security is not being taken seriously enough, compromises are not punished hard enough, and a lack of awareness and responsibility seems to have become endemic.

Tut-tut!

Really? 1. OPM- the entire database of US people with clearances, personal information, interview information, got compromised. 2. Snowden- 7 terabytes? Downloaded from... WHOM did you say?

Question: what's next? Stay tuned folks.

"Treasonous" he says of those who dare not clap.February 5, 2018 11:22 PM

"as if there were no leaders."

In the place of leadership we have people undermining security for politics as quickly as able.

Treason requires a named enemy in time of war. That's really all that prevents the title being applied.

22519February 5, 2018 11:36 PM

@Matiasv

"Employees have to be able to measure and realise the worth of information (risk assessment) so they have a chance of protecting it (and to classify it correctly)."

I don't mean to step on your toes, and I am quite sure you have a very good grip on this topic, but I just want to add a little bit to what you said.

Right, some employees measure the importance of information. They are usually people with a special kind of authority. The U.S. does not classify information according to its worth, in the broad sense. It classifies information according to how much damage it might do if compromised, right?

The phrase "risk assessment" is done in information management, yes, but it is more often applied to mission planning--a matrix that helps leaders see what is really of concern and whether steps have been taken to mitigate risk.

wheinerFebruary 6, 2018 2:52 AM

The "sad!" here is conservatives selling their integrity to a known fraud as they run from reported fact.

EvanFebruary 6, 2018 3:02 AM

This is another consequence of “movie plot” style risk assessments. TV and movies are filled with examples of information theft occurring through comparatively exotic means - cat burglars, moles, sleeper agents, sophisticated hackers, etc - but the reality is that there are much, much greater security risks contained in far more mundane activities like, like working on a plane or train.

To everyone thinking this was a leak CNN is covering for, why would they? There’s nothing particularly newsworthy in knowing that local and Federal agencies have contingency plans for terrorist attacks against major public events. That the characteristics of a security program are so carelessly handled is the story here, not the actual contents of the brief.

LarryFebruary 6, 2018 3:56 AM

@No more actors
"What do we do about blatant, baldfaced abuses of power, law and country?"
Answer,nothing! Look at Obama & the Clintons!


Peter A.February 6, 2018 4:01 AM

"This exercise was a resounding success and was not conducted in response to any specific, credible threat of a bioterrorism attack [...]"

Security theater by definition. No credible threat, but ex[tp]ensive exercises were conducted anyway, with a "resounding success", of course.

This is how tax money is used to line the pockets of the bureaucrats and their cronies. In the U.S. and elsewhere as well.

ShempFebruary 6, 2018 4:10 AM

@ Larry

It's funny, you never actually convicted them of anything despite all your crying.

Maybe if you had something real? Try that sometime.

Mueller is REALLY about to indict your sitting dictator.

REALLY.

PaulFebruary 6, 2018 4:33 AM

The question is asked above: what next?

What came to mind was "Reichstag fire?"

But, of course, that won't happen. Not because the US doesn't have a Reichstag, but because the GOP makes such things unnecessary.

The US is well on the way to a "managed democracy" where extraordinary measures will be taken to defend the country against fake threats, while real ones are ignored.

Me myselfFebruary 6, 2018 6:00 AM

I have no trouble believing that a DHS guy stupidly left sensitive documents where anyone could find them. But of all the people who could have found them, how convenient it is that it was a CNN reporter?

Doesn't it strike anyone as a formidable coincidence that this reporter "happened" to take a look at one of the plane's backseat pockets and it just "happened" to be mr. Walter's former seat? Or maybe this reporter feels compelled to go through every seat's pockets in all flights he boards in which case he needs psychological/psychiatric assistance for his OCD immediately. It would still be a coincidence (albeit smaller) connecting his and mr. Walter's presence in the same plane at the same or consecutive flights, mind you.

Anyway, totally not fake news, nosiree, absolutely just a coincidence... just a bizarre coincidence... more like a miracle really.

TheInformedOneFebruary 6, 2018 9:35 AM

This is a new form of social engineering called "Dumbass". Hackers wish they could employ this technique with better control and regularity, but who's complaining when the secrets just sometimes fall into your lap?

MatiasvFebruary 6, 2018 9:36 AM

//Right, some employees measure the importance of information. They are usually people //with a special kind of authority. The U.S. does not classify information according to //its worth, in the broad sense. It classifies information according to how much damage it //might do if compromised, right?

We use the same definition here. The easiest way to measure the value of data is the damage it could cause when exposed. Totally agreed.

//The phrase "risk assessment" is done in information management, yes, but it is more //often applied to mission planning--a matrix that helps leaders see what is really of //concern and whether steps have been taken to mitigate risk.

It is usable term in measuring any risk in security or safety. My point was that the owner of the data has to be made to deeply understand the value of information and his valuable knowledge about it so he feels duty bound to safeguard it by best of his ability. (if you daily go through confidential material it becomes mundane to you)

When ever you see at 1st class flight an executive working a document about a future company fusion or an unlaunched tech-device you know that the 'deep understanding' has failed.

nutbar anyone?February 6, 2018 12:30 PM

@ Me Myself

"Doesn't it strike anyone as a formidable coincidence that this reporter "happened" to take a look at one of the plane's backseat pockets and it just "happened" to be mr. Walter's former seat?"

Has Fox News made you insane? Honestly asking. EVERYTHING is a dark conspiracy? THIS? Lol. Nuts!

Have you never found anything in the pocket in front of your seat? Then you don't fly much.

This wasn't a reporter anyway if you CAN READ ABOUT IT before losing your mind, it was a staffer.
There are thousands of staffers working for CNN. They look for stories, report what they find.

Or you know, aliens are conspiring with CNN to serve pizza to molesters in DC.
Whatever Hannity tells you is surely the case. He's a rational mind too! XD

(required)February 6, 2018 12:50 PM

@ Matiasv

"The easiest way to measure the value of data is the damage it could cause when exposed"

That's a fair take I think. So let's analyze this as you describe?

It's only really "bad" if these details were to fall into the hands of a terrorist that was actively plotting to use aerosolized (or similar) delivery systems of bioweapons - which narrows the field considerably, doesn't it.

Unlike a zero-day vuln or compromising exposed online secret, this "leak" was limited to one physical copy and contained physically. So far a CNN staffer and a few folks around them have seen it, and they did not report on the specific contents beyond the summary. So really, what data has "escaped" here? Not much.

To my eyes the takeaway is disclosure of the aerosol bioterror sniffing program itself, and the (expected) existence of contingency plans in case of a bioterror emergency involving a large public gathering like the *bowl... perhaps the forgetfulness or incompetence of a certain unnamed DHS agent... but that's pretty much it, right?

Really it's unclear that any of this info would have greatly aided a terrorist effort in the first place. That's possible but actually unestablished here. Certainly a bioterror event would be plenty bad regardless of the first response coordination effort. So while it's obviously concerning that such details could be carelessly left on a plane, it's really not the great disclosure of "actionable information" that some pizza-minded conspiracists might decry as part of their usual anti-government spiels.


MarkHFebruary 7, 2018 2:08 AM

22519 wrote, "I think the likelihood of such a compromise happening or being reported in Russia or China is much less ..."

Given the predominance of state-controlled news sources in those countries -- and in China, an extensive system for overt censorship -- I likewise expect a much lower probability that this type of embarrassing incident would be reported.

However. I'm aware of no evidence that security personnel (or any other major category) are more competent or disciplined.

Russia has a long history of humiliating failures which might easily have been averted, and a tradition of trying to conceal them. Russia has also maintained a heavy investment in its security and intelligence services, but the resulting depth of capacity doesn't imply freedom from error and failure.

In "the movie version" of security services, the lesser degree of restraint may lend an appearance of potency to the secret services of authoritarian or totalitarian regimes, as compared to their western counterparts.

Me myselfFebruary 7, 2018 5:46 AM

@nutbar anyone?

Hahaha you're missing the mark by a looong shot my friend. Starting with your assumption that I have ever watched Fox News. Probably has something to do with the fact I'm not even USAmerican. I also have no idea who this Hannity person might be. But I really don't fly that often, you got that right.

I don't care whether this particular CNN employee's job description says he's not a reporter. Might as well be janitor or elevator operator for our line of thought. Let's suppose this staffer does such activities regularly. How much useless stuff do you think he must have come upon until he hit "gold"? Given how many passengers board US flights everyday, even if these thousands CNN employees were occupied with nothing but scouring planes they had a far higher chance of NOT finding anything because whenever a screwup happens it was in a different plane. Or maybe CNN does actually have 87000 employess (I did a quick googling; numbers might be outdated. Domestic flights only, to make it easier) whose only job is to fly everywhere waiting for the opportunity to go through every pocket in the plane. CNN must spend quite a fortune on airline tickets hunting for these stories.

And what do the flight staff think of it? Are they okay with some random guy that refuses to leave the plane until he goes through every pocket?

It's bizarre to think that someone does such activities in an "active search for stories". There is a chance it will happen in a particular plane as it has of happening anywhere else. You might as well go dumpster diving in a random Washington street, after all who can't say there won't be misplaced ultra secret Pentagon documents in the bottom?

-- OR --

Maybe this wasn't a random opportunity encounter. Maybe this staffer had a specific goal on Mr. Walter, tailing him and waiting to see if he would forget sensitive documents behind. That's another bizarre theory because it would imply that CNN keeps people whose duty is to follow government employees waiting for something to report. In this scenario Mr. Walter is being stalked in every café and store he goes to (because the screwup doesn't have to happen in a plane) yet he did not call the cops on a guy that kept following him everywhere? Did this staffer get some sort of ninja training? Mossad spy academy?

Occam's razor says my "conspiracy theory" is less bizarre than either of these and thus has a better chance of being right. Your call.

EvilKiruFebruary 7, 2018 1:56 PM

Occam's razor says that the simplest possible explanation is likely correct and the following is certainly simpler than any of your 3 stories:

1. Person A accidentally leaves important papers in seat-back pocket.
2. Person B randomly gets the same seat assignment for an outbound flight as person A had on the inbound flight.
3. Person B finds important papers in seat-back pocket.
4. Because person B works at CNN, person B passes the papers on to a CNN reporter and the papers enter the news cycle.

VinnyGFebruary 7, 2018 3:04 PM

@Arline - think of what could be learned by the underpaid security drone who monitors the video in very public places...

VinnyGFebruary 7, 2018 3:08 PM

@Security Sam - it's a shame for your little verse that this didn't happen at the PGA Tournament instead...

Clive RobinsonFebruary 8, 2018 8:27 AM

@ EvilKiru,

4. Because person B works at CNN, person B passes the papers on to a CNN reporter and the papers enter the news cycle.

This is the part of your argument that fails "Occam's razor". The simplest arguments are,

    4. Because person B works somewhere other than at CNN, person B passes the papers on to a CNN staffer and the papers enter the news cycle via the staffer.
    4. Because person B works at or for CNN, and has been assigned a task to cover the person or related activities, they then pass it on to a CNN reporter and the papers enter the news cycle.

The probabilities are higher than yours for obvious reasons.

The thing is it's actually fairly easy for the DHS to lookup exactly who was on the flight, the seat they were asigned to, when their ticket was booked, by whom and who payed for it, where they got on and off etc.

I suspect they already have looked this up so lets wait and see what happens next.

There of course is another option which is the whole "found in a seat pocket" argument is bogus, a bit of parallel construction etc. Which of course leaves the question of by whom.

Which brings up a fundemental point about Occam's razor, it's not designed to be used on sentient beings for exactly the faux / parallel construction reasons. That have long been beloved by various IC entities for "red flag" operations that long ago were refered to as "the smoke and mirrors of the great game".

EvilKiruFebruary 8, 2018 5:30 PM

@Clive: I'd wager that the logistics of arranging to be in the same outbound seat as an inbound passenger is of much higher improbability.

Nutbar anyone?February 9, 2018 12:11 PM

@ Clive

"The probabilities are higher than yours for obvious reasons."

Probabilities do not factor in to real-world events, only approximations or predictions of them.
Occam's razor says the simplest straight line is often the case. It does not prove it always is.

There's a reasonably practical chance of a CNN employee getting that seat. It's not infeasible. Not to mention, there's at least as good a chance that an unaffiliated discovery by a non-CNN employee would get passed to any other news network, Fox or BBC or any. There's really no way to know WHAT the actual "probabilities" are - and any statistician worth elbow patches would quickly disabuse you of your notion that you can estimate it realistically at all here. It's entirely ephemeral unknowns and guesswork probabilities, there's not evidence either way.


@ Me Myself

Ratio would like to instruct you on the proper use of Occam's razor.

You are personable and all, but what you just said is borderline insane on its face :

CNN does not pay staffers to stalk DHS employees. Prove the allegation in any way at all.
You can't just go down the rabbit hole without a single rope back to the surface.

Nobody goes around looking for DHS documents in airplanes or any other public place.
That would be pretty much the definition of a fool's errand. Again, crazy assertion.

These documents in question aren't even "that" sensitive really overall. By nature of the topic 'everything' about it is sensitive, and they'd like to keep it secret - but this particular document really doesn't measure up to an imminent national security risk even in the worst hands. Not by itself.

"It's bizarre to think that someone does such activities in an "active search for stories"."

Well, it's somewhat more bizarre that you think I said that's what happened here.
CNN staffers GENERALLY go looking for stories. This fell in a lap - ~literally.

If anyone wanted DHS documents that make for a killer scoop, these are not them.
The entire story was that they were left on a plane carelessly. That's literally it.

Maybe instead of a philosophical trope like Occam's razor you'd be better off with a limerick?

There once was a DHS traveler
whose seat-mate was quite a blatherer.
With a sigh and a bleat,
he stowed documents in the seat,
and proceeded to take a long napper.


Clive RobinsonFebruary 9, 2018 6:44 PM

@ EvilKiru,

I'd wager that the logistics of arranging to be in the same outbound seat as an inbound passenger is of much higher improbability.

I'd certainly not make that wager... In part because in the past I've been able to book specific seats that are shown as vacant on connecting flights. Thus even not knowing what seat a target is in just which flight they are going to get on and the connecting point they get off at will enable you to find out which seats are occupied only for that part of the flight. Which might be very few. Further if the target is traveling alone or with someone else will allow you to whittle that down further.

But it is also possible to simply ask somebody who has access to the full passenger manifest. Which since 2001 and US political demands includes one heck of a lot of people. Even simple social engineering may work if you book a seat through the airline it's self.

But it might supprise you to look back at a legal case in 1993 between the UK's "British Airways" and "Virgin Alantic" you will find that Virgin caught BA getting at the VA passenger manifest by computer hacking and bin-diving and then offering VA passengers upgrades or other perks to fly with BA instead,

http://www.independent.co.uk/news/battle-of-the-airlines-king-backed-dirty-tricks-ba-staff-hacked-into-virgin-computers-and-poached-1477973.html

For some reason people outside the industry think getting access to pasenger manifests is difficult, history shows it was not, even prior to 2001.

@ Nutbar Anyone,

Probabilities do not factor in to real-world events, only approximations or predictions of them. Occam's razor says the simplest straight line is often the case. It does not prove it always is.

Probabilities factor into most things that involve "behaviour" or "actions in response to stimuli by non deterministic actors". They also apply to determanistic but complex events such as applying thermal energy to working fluids. So they do feature in both "free will" and "determanistic" real-world processes.

What probability can not do is predict single instances of truly random processes and determanistic processes where an observer can not determin the process in use, only the likely hood of an action occuring over a suitable number of events.

As for Occam's Razor there are various definitions none of which rule out probability for good reason[1].

You will often hear it expressed as,

    "Entities should not be unnecessarily multiplied."

Thus the usual argument is that of "Parsimony"[2] which is sometimes taken as impling the minimizing of the number of inductive / hypothetical steps. However it can also compare a step with another step and thus rule in favour of the more probable step, as "unnecessarily multiplied" can be applied either way.

[1] Occam's, or more correctly Ockham's razor is a principle attributed to the 14th century Scholastic philosopher, logician and Franciscan friar William of Ockham. Ockham being a rather nice English country village North East of Guildford in the county of Surrey where he was born in 1285, and is any easy bike ride from where I was born. If you think about it William formulated his idea seven centuries ago. As far as we know back then chance had not been studied in Europe let alone England within the rigours of mathmatics or logic. Thus what we now call "probability" as a branch of philosophy or mathmatics was probably unknown to him. The development of the mathematical methods of probability in Europe is believed to have first been discussed in the known letters of correspondence between Blaise Pascal and Gerolamo Cardano, Pierre de Fermat in the mid 1600's over three centuries after William had formulated his razor.

[2] From the online English Oxford Dictionary, relating "Occam's Razor" to "The Principle of Parsimony" or "stingyness",

    Lest they fall into anthropomorphizing, many behaviorists follow the principle of parsimony, often called Occam's razor, that restricts inferences to the simplest adequate explanation of any particular animal behavior.

Which again does not state either the number of inferences or their probabilities, thus leaving it as an open choice. But does show it's use in "real-world" behavioural activities.

NutbarFebruary 12, 2018 4:44 AM

"What probability can not do is predict single instances..."

With hardly any specific data and but pure guesswork (gutwork?) to go on, to determine if it's "likely" or not that a CNN staffer, one of tens of thousands of them nationwide, would sit in the seat where the DHS employee left the paperwork.. I mean you can dress it up but that's a purebred guess either way. To try to talk "probabilities" about that is to tell a story that has no actual bearing on what really did happen. Shrodinger had the right approach, just list the possibilities and let the specific undefined math be undefined. Of course he only had 2 options in his binary example and life is hard to reduce to a coin flip. To try to predict such an instance in real life out of the blue is the road to madness.

To bring a colloquialist reduction of a dark age Friar into just any discussion (one who ought to be more rightly known for being among the first to advocate for the separation of church and state or for property rights than for the relatively silly "razor" that we now ascribe to William of Ockham and over-apply to subjects other than Church dogma of Creationism vs science, in ways the author never intended) is kind of like citing the Magna Carta as the seat of your rationale for believing the official story of 9/11 or not. William of Ockham would "probably" be shocked and appalled to know what a casual reductive argument he'd become known for somehow down the line, of all his life's work.

So however useful you feel it is in some unspecified capacity, I'd say that's just another reading of the same bones or sheep's intestines as any ever tried to draw divine knowledge from yet without the colorful connective tissue of the genuine article.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.