
Confidential details about the U.S.'s THAAD (Terminal High Altitude Area Defense) ground to air missile defence system, used to shoot down Scud missiles in Iraq, were found on a hard drive by British researchers. The researchers also found a wealth of other personal information and medical records from Lockheed Martin and several other major corporations or government entities.  (Source: The Daily Mail)
A hard drive has been carelessly released, but is fortunately in safe hands

Hot off the heels of the  of selling the B-2 stealth bomber's radar spectrum to a Russian national and intrusions by Chinese hackers, the U.S. Armed Forces have another leak on their hands.  Researchers analyzing 300 hard drives bought at computer fairs and on the internet auction site eBay discovered a surprise -- a hard drive containing U.S. missile defense secrets that was not properly wiped by contractor Lockheed Martin.

The research project was conducted by BT's Security Research Centre in England in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia, and Longwood University in the US.  According to British news site The Daily Mail, the researchers made the startling discovery that the hard drive in question contained highly sensitive information on test launch procedures of the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.

Also on the drive were Lockheed Martin's internal security policies, blueprints of facilities, and personal information on employees including social security numbers. 

On other hard drives, the researchers discovered a wealth of additional information from other companies on employees, including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.  The drives were purchased in or shipped to the UK, America, Germany, France and Australia.  Over 34 percent of the drives, according to researchers, contained "information of either personal data that could be identified to an individual or commercial data identifying a company or organisation."

Two disks from England's Lanarkshire NHS Trust hold patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters from Monklands and Hairmyres hospitals.  A disk from an Australian nursing home contained pictures of patients and their wounds.  A disk sold in France contained network data and security logs from the German Embassy in Paris.  Other disks contained secret business information from an auto company and a UK-based fashion company.

Dr Andy Jones, head of information security research at BT, states, "This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.  For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.  Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly."

Dr Iain Sutherland of the University of Glamorgan adds, "Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data."

A Lockheed Martin spokesperson commented on the alleged data leak, "Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program.  Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source."

A spokesperson for NHS Lanarkshire blames a corporate partner, commenting, "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.  In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."

Comments

Why don't we...
By MrBungle123 on 5/8/2009 11:54:48 AM , Rating: 5
Just require that any hard drive from a system that has been used for work on sensitive information of a national security nature be physically destroyed when the computer is removed from service, or the drive is replaced with a larger/faster/newer one. This should affect systems used directly by the government and defense contractors alike. There ya go, done, it never happens again.

RE: Why don't we...
By ClownPuncher on 5/8/2009 12:28:53 PM , Rating: 5
Sounds too easy, why don't we just hire a committee of uninformed beaurocrats to make descisions like these instead?

RE: Why don't we...
By ClownPuncher on 5/8/2009 12:36:08 PM , Rating: 2
I can spell, I swear. Bureaucrat, wow time for some coffee.

RE: Why don't we...
By jhb116 on 5/8/2009 10:41:22 PM , Rating: 4
We did - Congress

RE: Why don't we...
By BansheeX on 5/9/2009 2:32:20 PM , Rating: 5
It's okay, our language's phonetic orthography sucks.

RE: Why don't we...
By MrBungle123 on 5/8/2009 2:10:50 PM , Rating: 5
I can see it now...

Technical Advisor: "the guys in IT say that before we dispose of these old systems they should be scrubbed"

Congressman: "Ok, great! Let's create a new department to clean off all the dust and grime from all the old computers before we sell them at auction."

Committee Treasurer: "Do we have funding for this new program?"

Congressman: "We'll allocate $5.6 Billion in the new bio-degradable road paint bill."

<cheering and clapping>

RE: Why don't we...
By BadAcid on 5/8/2009 12:55:13 PM , Rating: 5
This tape will self-destruct in 5 seconds

RE: Why don't we...
By Bateluer on 5/8/2009 1:07:16 PM , Rating: 2
When I worked in the CSS while active duty, this was standard policy. When a PC was replaced, the hard drive was yanked and destroyed, which was also fun to do. We had a magnetic roller, then the drive got the hammer treatment.

RE: Why don't we...
By afkrotch on 5/8/2009 2:39:38 PM , Rating: 5
If the drives still work, we reuse the drives. If they're too small or broken, they get destroyed.

Breaking drives is fun, until you have around 50 or more of them to break.

RE: Why don't we...
By Souka on 5/8/2009 3:34:02 PM , Rating: 5
how about thousands?

Years ago I worked at Boeing in the IT dept. After a large upgrade on PC systems throughout the NW region it was decided to be too costly to re-use or re-sell the drives.

Re-use runs risk of drive failure from a 2+ yr old drive.
re-sell means having to wipe drives, and also verify they're wiped.

Result? All drives were sent to the IT security dept in the next building...truck loads. They had what was essentially a wood-chipper, but designed to chew metal.

They used shovels to toss them into the chipper.....loud to say the least....

RE: Why don't we...
By crystal clear on 5/9/2009 1:46:11 AM , Rating: 1
how about thousands?

No problem-you have managers that need to be fired, simple as that.

Solution-bring in <road roller & roll them flat !>

Is it so difficult-is so expensive-do you need a contractor for that ?

RE: Why don't we...
By Whedonic on 5/8/2009 10:52:07 PM , Rating: 2

RE: Why don't we...
By Captain828 on 5/9/2009 4:37:41 AM , Rating: 1
Neah, plans for a "top secret laser system" might be blown so high in the sky that it would land in enemy hands

I say we nuke 'em! That way the drives will be totally trashed.
A special area would be needed for such an operation, but the Pentagon should suffice.

RE: Why don't we...
By DrMrLordX on 5/9/2009 9:23:20 PM , Rating: 2
I say we take off and nuke the entire site from orbit. It's the only way to be sure.

RE: Why don't we...
By djcameron on 5/8/2009 2:51:37 PM , Rating: 2
The stupidity of all this is that we used to stand around a fire barrel burning the removed/replaced pages of Army helicopter technical manuals that were only "For Official Use Only", yet they resell hard drives that contained far more sensitive material?

RE: Why don't we...
By crystal clear on 5/9/2009 1:52:08 AM , Rating: 1
Fire that manager who gave the order to sell and you can be sure it will never happen again.

As an owner of my own business, I have learnt from experience that "managers realize their mistakes only when they get fired & then of course regret it."

RE: Why don't we...
By MozeeToby on 5/8/2009 3:21:35 PM , Rating: 2
That is the policy for anything Secret or Top Secret where I work, I'm not sure about confidential though. In any event, you have to submit a report to your security office saying how you're going to dispose of anything that has touched classified data. That report has to be cleared by the powers that be (NSA I think, not sure though) before you can hook up anything.

In other words, someone didn't follow the established procedure. In other words, the biggest security risk is the people you give access to. The company, or at least the department, shouldn't be allowed to bid on projects for 6 months or a year; but, because it's Lockheed and they have all kinds of political clout, that will never happen.

RE: Why don't we...
By kittleson on 5/8/2009 6:10:05 PM , Rating: 2
I don't even work in a security-sensitive industry, and physical destruction of disks is our standard policy. The leak discussed in this article is totally inexcusable.

RE: Why don't we...
By Oregonian2 on 5/11/2009 8:05:58 PM , Rating: 2
And probably a big reason that the new drives with built-in encryption are coming out (to cut down on disclosure upon improper disposal).

RE: Why don't we...
By ipay on 5/9/2009 12:19:56 AM , Rating: 2
Why don't we just require that any hard drive from a system that has been used for work on sensitive information of a national security nature be physically destroyed when the computer is removed from service?

They are doing it.. At least the military is doing it with their sensitive systems. They dig a hole in the field, and burn them with special flares at extreme temperatures to the point that hard drives melt. It's the dumb contractors that always treat everything as business as usual. That's what you get for outsourcing important work to incompetents..

but how much porn did they find?
By kattanna on 5/8/2009 11:48:19 AM , Rating: 4
seriously.. that be an interesting study too

RE: but how much porn did they find?
By AnnihilatorX on 5/8/2009 12:14:33 PM , Rating: 2
That's why I encrypt my porn collection with TwoFish+Serpent and then AES with TrueCrypt.

RE: but how much porn did they find?
By Mojo the Monkey on 5/8/09, Rating: -1

RE: but how much porn did they find?
By xRyanCat on 5/8/2009 2:09:04 PM , Rating: 5
... Um no? Do you even know how encryption works?

Unless NSA has some magical prime numbers or an infinite number of roadrunner clusters, we're all in the clear.

And all the encryption algorithms I can think of ARE open source... AES, TrueCrypt's implementation, Serpent, Twofish, Blowfish... All open source or in the public domain. Sorry to put an end to your conspiracy theories.

By cornelius785 on 5/8/2009 2:29:44 PM , Rating: 3
I completely agree with you. One of the fundamental concepts in cryptography is that the algorithm is well known to all, thus ALL of the security comes from the key. I forget the actual term for this. I would never trust an encryption algorithm that wasn't 'open'. I highly doubt there are any backdoors in any widely used encryption algorithm. It would have been discovered through cryptanalysis as a 'flaw' and the algorithm would be shelved.

There is a speck of truth in the 'backdoor in encryption algorithm' conspiracy thing, check into DES, NSA, and S-boxes.

RE: but how much porn did they find?
By callmeroy on 5/8/2009 2:50:09 PM , Rating: 3
Seriously I agree with the others --- do you even know what you are talking about here? At least go to a website for foundational knowledge.....

RE: but how much porn did they find?
By Mojo the Monkey on 5/8/2009 4:55:39 PM , Rating: 2
I actually read a very interesting and sourced article about this a couple of years ago. I'll try to find a link.

By Mojo the Monkey on 5/8/2009 5:15:59 PM , Rating: 2
Can't find it, but some examples:

The actual article I read was in print, which might be why I'm having trouble finding it. It details the history of some of the first early cryptographic programmers and their harassment by the intelligence agencies to build backdoors into their standards.

From the articles above, it looks like they're still at it. Who knows what we don't know.

Please Provide Links
By rcc on 5/8/2009 6:35:22 PM , Rating: 2
contained highly sensitive information on test launch procedures of the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.

Please provide link(s). Because, while the Patriot Missile System (the THAAD predecessor) was used to shoot down SCUDs, I don't believe that THAAD has yet had the opportunity.

They have run tests against SCUD like missiles.

Anything is possible, but I'd like some confirmation.

RE: Please Provide Links
By Captain Orgazmo on 5/8/2009 7:02:23 PM , Rating: 2
THAAD has only ever been test fired, never used operationally. In 2003 the Patriot missile system intercepted 8 Iraqi SCUDS.

In case you haven't noticed, Jason Mick is an incredibly amateurish writer, usually embellishing or sensationalizing his stories. He often adds statements or "facts" intended to give his articles the appearance of more depth, but in reality are completely ridiculous or false. I just read and commented on an article written by him mentioning the "gasoline well to pump to tailpipe" supply chain or something. I suppose in Mickland you just poke a hole in the ground, and out comes crystal clear 87 octane.

RE: Please Provide Links
By crystal clear on 5/9/2009 3:12:30 AM , Rating: 2
used to shoot down Scud missiles in Iraq.

Wrong the patriot missile was used against scuds in ISRAEL.

Israel experienced on an average 40 scud missiles attacks for days continuously.
(I was there when it happened)

No Scud missile hit their desired targets (They are highly inaccurate due to their construction & design) & NO patriot missile succeeded in shooting down a SCUD.

Patriots were a failure ! - note they were operated by US army in Israel.

Don't believe all what the pentagon claims like malfunction etc etc - we all saw the patriots in action against the scuds in Israel.

I repeat they were a failure-waste of money & ineffective.

The Israelis had in their R&D another solution namely the Arrow that was ultimately taken up by the pentagon.

The US govt then financed the Israelis for further R&D work & test on the ARROW anti missile systems.

All the R&D work/material/results was shared between the 2 countries.

The ARROW was test fired in/from Israel numerous times & tested against the SCUDS numerous times in the Mediterranean sea.

Now you will ask where did the scuds come from & who operated the scuds systems (truck mounted) for these tests?

Russians immigrants in Israel who previously worked in the Soviet Union on the SCUD manufacturing & testing + immigrants who served & trained in units that operated the SCUDS.

These Russian immigrants did the SCUD launching !....

The Israelis picked these SCUD systems + missile on the black market.

Corrupt generals/officials in the Soviet Union made their millions during the break up of the Soviet Union to sell anything to foreign countries (arms dealers & intelligence agencies) they wanted & worth the millions.

The Israelis picked up a lot of secret material/blue prints etc plus equipment from these sources on just anything under the sky from the scuds to Katyushas to radar systems & more & more.

The pentagon has used Israel as a testing ground in all previous wars & military operations in between & after till today.

The pentagon has/had tested all their top of the line arms/equipment in Israel -from the airforce to the army & navy in these real time situations.

Based on these results the equipments/tactics/strategies are refined/modified/corrected/discarded or even better more R&D work for new arms & ammunitions.

RE: Please Provide Links
By TerranMagistrate on 5/10/2009 1:12:42 PM , Rating: 2
You see, that's what I call planning ahead.

With Putin & friends at the helm of Russia for about a decade now, Israel getting its hands on these aforementioned weapon systems would've been a little bit harder. But luckily they got it done in the 90's.

RE: Please Provide Links
By rcc on 5/12/2009 3:12:18 PM , Rating: 2
I can't speak for Israel, but Patriot missiles did down SCUDs.

Having said that, I don't disagree that the Patriot system was waaaay overhyped by the media, mostly to make everyone feel secure. But the success that the system enjoyed was enabled by targeting inputs from the DSP satellites. Without that early warning net telling the batteries exactly where to aim to detect and lock on it would have been more of a "Target wha..... boom" exercise.

RE: Please Provide Links
By rcc on 5/12/2009 3:17:32 PM , Rating: 2

I'm disappointed that you have not either backed up your article/blog with links or data, or corrected/admitted the error.

Either way, take pride in your work.

Hard Drive Clean
By flurazepam on 5/8/2009 12:02:37 PM , Rating: 5
How the military should wipe its hard drives

RE: Hard Drive Clean
By TennesseeTony on 5/9/2009 12:39:57 PM , Rating: 2
Too bad they didn't brace the hard drives, the AP round lost a lot of energy when the drives were allowed to be knocked back.

I think [H]ardocp should sell THOSE drives on eBay.

RE: Hard Drive Clean
By IvanAndreevich on 5/9/2009 3:17:34 PM , Rating: 2
No, because 1/18 drives would still survive :)

RE: Hard Drive Clean
By Justin Time on 5/10/2009 12:47:05 AM , Rating: 2
This is how they should be disposed of:

...and then send the output to be recycled.

Peace Sells...
By Machinegear on 5/8/2009 1:00:38 PM , Rating: 2
U.S. Missile Defense Secrets, UK Medical Records Accidentally Sold on eBay

So, how much did the hard drive go for?

RE: Peace Sells...
By callmeroy on 5/8/2009 2:49:03 PM , Rating: 3
a cup cake, a can of tuna , three peanuts and .50 cents....

plus shipping.....

RE: Peace Sells...
By TSS on 5/9/2009 12:54:39 PM , Rating: 3
I think you're confusing the government's harddrive with what Macguyver needs to build a harddrive.

By fic2 on 5/8/2009 1:59:37 PM , Rating: 2
Isn't this the purpose of thermite?

RE: Thermite?
By Thrawn on 5/8/2009 4:42:52 PM , Rating: 2
Might not be the most cost effective but it sure is the fastest AND the most secure way I know of from what I have read.

RE: Thermite?
By robertisaar on 5/8/2009 7:17:51 PM , Rating: 2
not cost effective? it only costs a few cents to make enough thermite to permanently kill a hard drive. all it's made of is rust and aluminum shavings, pretty cheap and commonly available.

By Golgatha on 5/8/2009 11:44:32 AM , Rating: 1
A spokesperson for NHS Lanarkshire blames a corporate partner, commenting, "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment. In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."

I would hate to be the owner of this company right about now.

By Breathless on 5/8/2009 12:52:40 PM , Rating: 3
I don't think I would mind being the owner of that company right about now. A slap on the wrist, someone chews you out over the phone, maybe a fine, then I go home with a nice fat paycheck! :)

By m0mentary on 5/8/2009 10:15:18 PM , Rating: 2

By ketchup79 on 5/8/2009 10:24:39 PM , Rating: 2
Taking this story at face value, how in the world could a person be so stupid as to put used drives from the government on eBay? The sale price on these things had to be next to nothing, definitely not worth the time it probably took to set up the auctions. My old hard drives had data on them that was probably useless to anyone else, yet I didn't even consider putting them on eBay, as I don't want any possibility of my personal files being "out there."
My second point is that all the hands these hard drives had to go through to end up on eBay. This is not only inefficient from a monetary standpoint, it creates even more possibility the information on these drives could have been compromised in the process.
With the U.S. economy the way it is, I would like to see our government become more efficient. (OK, you all can stop laughing now, I know it's just a pipe dream.)

By Divide Overflow on 5/8/2009 10:35:44 PM , Rating: 2
You know, I can't help but think that this would be a perfect opportunity for counterintelligence measures. You want to mitigate those Chinese hackers? Let "slip" a couple of hard drives into the public with planted conflicting / misleading data.

Oops. Did I just compromise a code word project there??

By Kyanzes on 5/9/2009 8:57:36 AM , Rating: 2
Actually, if you think about it, it could have been a deliberate misinformation attempt.

By NesuD on 5/9/2009 10:42:44 AM , Rating: 2
Look, the DoD standard 5220.22-M 3 pass for data destruction is essentially overwrite with 3 passes of random data. The DoD has a higher standard, the U.S. DoD 5200.28-STD 1985 method, with seven pass extended character rotation. Personally I do 5 passes of random data on any drive that is going to leave my organization for any reason, even physical destruction, because I have no surety after it leaves my possession. There are even much more complex standards like the Gutmann method, which uses 35 passes, with 27 random-order passes using specific data combined with eight passes using random data, or the Seven-pass Schneier method, which uses two passes of specific patterns followed by five passes using a cryptographically secure pseudo-random sequence. All the Data Forensics people I have talked to have agreed that usable data is almost impossible to recover beyond 3 layers of overwrites. Not saying it is impossible but not likely to yield any useful data. Any organization's security policy should mandate at minimum DoD standard 5220.22-M 3 pass before the drive ever leaves the organization's possession, even if a bonded contractor is disposing of the drives. This type of thing always gets my goat. The number of IT professionals, and I use that term loosely, that seem to have no concept of data security never ceases to amaze me.
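
An added example, not part of the comment above or of the article: a multi-pass random overwrite of the kind described, followed by the verification scan that should pass before a drive leaves an organisation. It runs on a file-backed stand-in image; the marker strings, the 4 MiB size and the `header_only_erase` step (a hypothetical model of a "basic level of data removal") are assumptions constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB I/O unit
# Constructed sample records; not data from the article.
MARKERS = [b"SSN:000-00-0000", b"PATIENT-RECORD"]


def build_image(path):
    """Create a 4 MiB stand-in 'drive' with markers at known offsets."""
    img = bytearray(4 * CHUNK)
    for marker, off in ((MARKERS[0], 0),
                        (MARKERS[0], CHUNK - 5),  # straddles a chunk boundary
                        (MARKERS[1], 3 * CHUNK + 100)):
        img[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(img)


def header_only_erase(path):
    """Hypothetical stand-in for a 'basic' removal: zero the first sector only."""
    with open(path, "r+b") as f:
        f.write(bytes(512))


def overwrite_passes(path, passes=3):
    """Overwrite every byte in place with `passes` passes of CSPRNG output."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(secrets.token_bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass out of the OS cache


def find_residue(path, markers):
    """Return {marker: [offsets]} for every marker still readable."""
    hits = {}
    keep = max(len(m) for m in markers) - 1
    tail, base = b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            buf = tail + block  # carry the tail so boundary-spanning hits are seen
            for m in markers:
                i = buf.find(m)
                while i != -1:
                    if i + len(m) > len(tail):  # skip hits already reported
                        hits.setdefault(m, []).append(base + i)
                    i = buf.find(m, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits


def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        header_only_erase(img)
        before = find_residue(img, MARKERS)
        overwrite_passes(img, passes=3)
        after = find_residue(img, MARKERS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after header-only erase:", before)
    print("after 3-pass overwrite: ", after)
```

The scan is the part that answers "verify they're wiped": an empty result is the release criterion, and any hit names the offset to investigate. On physical media an overwrite issued through the normal block interface cannot reach remapped sectors or flash over-provisioned areas, which is one reason the destruction policies described in this thread exist alongside wiping.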

By aikiwolfie on 5/9/2009 2:03:52 PM , Rating: 2
The author of the article needs to brush up on his or her geography. Lanarkshire is in Scotland! England is only one part of The United Kingdom of Great Britain and Northern Ireland.

Just a suggestion
By Zingam on 5/9/2009 2:56:12 PM , Rating: 2
Just load them on a plane and drop them on Afghan villages. They would destroy property and kill and even some survive the local goat farmers wouldn't know what to do with them. So you effectively save money to destroy the drives, and reuse them for cluster bombs and you save the money for the bombs too. That would work in these tough economic times!

dban or dd
By singlepass on 5/9/2009 3:58:30 PM , Rating: 1
All it really takes is two letters (and some arguments) XD
pretty hard to control the third party when you outsource though. lesson learned?! is a data recovery competition.
just the concept is what i want to communicate, i am not too concerned with the details of the competition (e.g. rewards)
It is easy to protect yourself in this situation, you don't even need to spend any serious money.

By friedrice on 5/9/09, Rating: 0