backtop


Print 57 comment(s) - last by rcc.. on May 12 at 3:17 PM


Confidential details about the U.S.'s THAAD (Terminal High Altitude Area Defense) ground to air missile defence system, used to shoot down Scud missiles in Iraq, were found on a hard drive by British researchers. The researchers also found a wealth of other personal information and medical records from Lockheed Martin and several other major corporations or government entitities.  (Source: The Daily Mail)
A hard drive has been carelessly released, but is fortunately in safe hands

Hot off the heels of the  of selling the B-2 stealth bomber's radar spectrum to a Russian national and intrusions by Chinese hackers, the U.S. Armed Forces have another leak on their hands.  Researchers analyzing 300 hard drives bought at computer fairs and on the internet auction site eBay discovered a surprise -- a hard drive containing U.S. missile defense secrets that was not properly wiped by contractor Lockheed Martin.

The research project was conducted by BT's Security Research Centre in England in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia, and Longwood University in the US.  According to British news site The Daily Mail, the researchers made the startling discovery that the hard drive in question contained highly sensitive information on test launch procedures of the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.

Also on the drive were Lockheed Martin's internal security policies, blueprints of facilities, and personal information on employees including social security numbers. 

On other hard drives, the researchers discovered a wealth of additional information from other companies on employees, including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.  The drives were purchased in or shipped to the UK, America, Germany, France and Australia.  Over 34 percent of the drives, according to researchers, contained "information of either personal data that could be identified to an individual or commercial data identifying a company or organisation."

Two disks from England's Lanarkshire NHS Trust hold patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters from Monklands and Hairmyres hospitals.  A disk from an Australian nursing home contained pictures of patients and their wound.  A disk sold in France contained network data and security logs from the German Embassy in Paris.  Other disks contained secret business information from an auto company and a UK-based fashion company.

Dr Andy Jones, head of information security research at BT, states, "This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.  For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.  Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly."

Dr Iain Sutherland of the University of Glamorgan adds, "Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data."

A Lockheed Martin spokesperson commented on the alleged data leak, "Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program.  Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source."

A spokesperson for NHS Lanarkshire blames a corporate partner, commenting, "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.  In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By NesuD on 5/9/2009 10:42:44 AM , Rating: 2
Look the DoD standard 5220.22-M 3 pass for data destruction is essentially overwrite with 3 passes of random data. The DoD has a higher standard U.S. DoD 5200.28-STD 1985 method, with seven pass extended character rotation. personally I do 5 passes of random data on any drive that is going to leave my organization for any reason even physical destruction because I have no surety after it leaves my possession. There are even much more complex standards like the Gutmann method, which uses 35 passes, with 27 random-order passes using specific data combined with eight passes using random data or the Seven-pass Schneier method, which uses two passes of specific patterns followed by five passes using a cryptographically secure pseudo-random sequence. All the Data Forensics people I have talked to have agreed that useable data is almost impossible to recover beyond 3 layers of overwrites. Not saying it is impossible but not likely to yield any useful data. Any organizations security policy should mandate at minimum DoD standard 5220.22-M 3 pass before the drive ever leaves the organizations possession even if a bonded contractor is disposing of the drives. This type of thing always gets my goat. The number of IT professionals and I use that term loosely, that seem to have no concept of data security never ceases to amaze me.




"Well, we didn't have anyone in line that got shot waiting for our system." -- Nintendo of America Vice President Perrin Kaplan














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki