Entries Tagged "theft"

Page 14 of 22

UK Ministry of Defense Loses Memory Stick with Military Secrets

Oops:

The USB stick, outlining training for 70 soldiers from the 3rd Battalion, Yorkshire Regiment, was found on the floor of The Beach in Newquay in May.

Times, locations and travel and accommodation details for the troops were included in files on the device.

It’s not the first time:

More than 120 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it was reported earlier this year.

Some 26 of those disappeared this year == including three which contained information classified as “secret”, and 19 which were “restricted”.

I’ve written about this general problem before: we’re storing ever more data in ever smaller devices.

The point is that it’s now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I’d never know it.

The solution? Encrypt them.

Posted on September 16, 2008 at 6:21 AMView Comments

Security Idiocy Story

From the Dilbert blog:

They then said that I could not fill it out—my manager had to. I told them that my manager doesn’t work in the building, nor does anyone in my management chain. This posed a problem for the crack security team. At last, they formulated a brilliant solution to the problem. They told me that if I had grocery bag in my office I could put the laptop in it and everything would be okay . Of course, I don’t have grocery bags in my office. Who would? I did have a windbreaker, however. So I went up to my office, wrapped up the laptop in my windbreaker, and went back down.

People put in charge of implementing a security policy are more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense—and they know it makes no sense—they have to do it in order to follow “policy.”

Posted on August 6, 2008 at 1:52 PMView Comments

Laptop with Trusted Traveler Identities Stolen

Oops. A laptop with the names of 33,000 people enrolled in the Clear program—the most popular airport “trusted traveler” program—has been stolen at SFO. The TSA is unhappy.

Stealing databases of personal information is never good, but this doesn’t make a bit of difference to airport security. I’ve already written about the Clear program: it’s a $100-a-year program that lets you cut the security line, and nothing more. Clear members are no more trusted than anyone else.

Anyway, it’s easy to fly without an ID, as long as you claim to have lost it. And it’s also easy to get through airport security without being an actual airplane passenger.

None of this is security. Absolutely none of it.

EDITED TO ADD (8/7): The laptop has been found. Turns out it was never stolen:

The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer.

“It was not in an obvious location,” said Beer, who said an investigation was under way to determine whether the computer was actually stolen or had just been misplaced.

Why in the world do these people not use full-disk encryption?

Posted on August 5, 2008 at 12:09 PMView Comments

The Case of the Stolen BlackBerry and the Awesome Chinese Hacking Skills

A high-level British government employee had his BlackBerry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.

That can’t look good on your annual employee review.

But it’s this part of the article that has me confused:

Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy’s password. Was this nonsense peddled to the press by the UK government, or is some “expert” trying to sell us something? The article doesn’t say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn’t think of. The article says that it’s Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the BlackBerry and then return it. Much better information that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you’re a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you’re not going to immediately burn him by stealing his BlackBerry. That’s just stupid.

Posted on July 22, 2008 at 10:05 AMView Comments

Exploiting the War on Photography

Petty thieves are exploiting the war on photography in Genoa:

As they were walking around, Jeff saw some interesting looking produce and pulled out his Canon G-9 Point-and-Shoot and took a few pictures. Within a few minutes a man came up dressed in plain clothes, flashed a badge, and told him he couldn’t take photos in the store. My brother said “no problem” (after all, it’s a private store, right?), but then the guy demanded my brother’s memory card.

My brother gave him that “Are you outta your mind” look and said, “No way!” Can you guess what happened next? The guy simply shrugged his shoulders and walked away.

My brother saw him in the store a little later, and the guy had a bag and was shopping. My brother made eye contact with him, and the guy turned away as though he didn’t want Jeff looking at him. Jeff feels like this wasn’t “official store security,” but instead some guy collecting (and then reselling) memory cards from unsuspecting tourists (many of whom might have just surrendered that card immediately).

Posted on July 10, 2008 at 6:54 AMView Comments

Hundreds of Thousands of Laptops Lost at U.S. Airports Annually

This is a weird statistic:

Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey.

Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-sized airports, and 69 percent are not reclaimed.

Travelers seem to lack confidence that they will recover lost laptops. About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn’t do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.

I don’t know how to generalize that to a total number of lost laptops in the U.S.; let’s call it 750,000. At $1,000 per laptop—a very conservative estimate—that’s $750 million in lost laptops annually. Most are lost at security checkpoints, and I’m sure the numbers went up considerably since those checkpoints got more annoying after 9/11.

There aren’t a lot of real numbers about the costs of increased airport security. We pay in time, in anxiety, in inconvenience. But we also pay in goods. TSA employees steal out of suitcases. And opportunists steal hundreds of millions of dollars of laptops annually.

EDITED TO ADD (7/14): Seems like this is not a story.

Posted on July 4, 2008 at 8:20 AMView Comments

Security Through Obscurity

Sometimes security through obscurity works:

Yes, the New York Police Department provided an escort, but during more than eight hours on Saturday, one of the great hoards of coins and currency on the planet, worth hundreds of millions of dollars, was utterly unalarmed as it was bumped through potholes, squeezed by double-parked cars and slowed by tunnel-bound traffic during the trip to its fortresslike new vault a mile to the north.

In the end, the move did not become a caper movie.

“The idea was to make this as inconspicuous as possible,” said Ute Wartenberg Kagan, executive director of the American Numismatic Society. “It had to resemble a totally ordinary office move.”

[…]

Society staff members were pledged to secrecy about the timing of the move, and “we didn’t tell our movers what the cargo was until the morning of,” said James McVeigh, operations manager of Time Moving and Storage Inc. of Manhattan, referring to the crew of 20 workers.

From my book Beyond Fear, pp. 211-12:

At 3,106 carats, a little under a pound and a half, the Cullinan Diamond was the largest uncut diamond ever discovered. It was extracted from the earth at the Premier Mine, near Pretoria, South Africa, in 1905. Appreciating the literal enormity of the find, the Transvaal government bought the diamond as a gift for King Edward VII. Transporting the stone to England was a huge security problem, of course, and there was much debate on how best to do it. Detectives were sent from London to guard it on its journey. News leaked that a certain steamer was carrying it, and the presence of the detectives confirmed this. But the diamond on that steamer was a fake. Only a few people knew of the real plan; they packed the Cullinan in a small box, stuck a three-shilling stamp on it, and sent it to England anonymously by unregistered parcel post.

This is a favorite story of mine. Not only can we analyze the complex security system intended to transport the diamond from continent to continent—the huge number of trusted people involved, making secrecy impossible; the involved series of steps with their associated seams, giving almost any organized gang numerous opportunities to pull off a theft—but we can contrast it with the sheer beautiful simplicity of the actual transportation plan. Whoever came up with it was really thinking—and thinking originally, boldly, and audaciously.

This kind of counterintuitive security is common in the world of gemstones. On 47th Street in New York, in Antwerp, in London: People walk around all the time with millions of dollars’ worth of gems in their pockets. The gemstone industry has formal guidelines: If the value of the package is under a specific amount, use the U.S. Mail. If it is over that amount but under another amount, use Federal Express. The Cullinan was again transported incognito; the British Royal Navy escorted an empty box across the North Sea to Amsterdam—where the diamond would be cut—while famed diamond cutter Abraham Asscher actually carried it in his pocket from London via train and night ferry to Amsterdam.

Posted on June 18, 2008 at 1:13 PMView Comments

1 12 13 14 15 16 22

Sidebar photo of Bruce Schneier by Joe MacInnis.