Yottabytes: Storage and Disaster Recovery

Oct 31 2017   1:05PM GMT

Queen’s Security Data on USB Stick

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Security

We’ve written before about the dangers of USB sticks and why it’s not a good idea to poke ones that you find lying around into your computer. But here’s a story that’s different: An unemployed guy found a USB stick in a pile of leaves in the street, plugged it into a computer in the library – bad human! Bad! – and it turned out to be the security plans for when Queen Elizabeth visits Heathrow Airport.

Oops.

According to the Mirror, which broke the story after the unemployed guy took the USB stick to them, the device contained 76 folders with 174 files totaling 2.5 GB, which were neither encrypted nor password-protected. “It revealed:

  • The exact route the Queen takes when using the airport and security measures used to protect her
  • Files disclosing every type of ID needed – even those used by covert cops – to access restricted areas
  • A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
  • Maps pinpointing CCTV cameras and a network of tunnels and escape shafts linked to the Heathrow Express
  • Routes and safeguards for Cabinet ministers and foreign dignitaries
  • Details of the ultrasound radar system used to scan runways and the perimeter fence”

So there’s three main issues here.

First, how did the files get onto a USB stick in the first place? Are they the actual files used by Heathrow Airport? If that’s the case, they’d better start locking down their security procedures (even though airport chief executive John Holland-Kaye assured members of Parliament that the airport was “completely secure”). For example:

  • Which of their computers have unsecured USB ports that support a USB stick?
  • How many people have access to those files?
  • How many of the people with access have authorization to download those files without it being logged?
  • How many people can leave the facility with a USB stick without it being detected?
  • If this was an authorized download, why wasn’t it encrypted?

If they aren’t the actual files used by the organization, what are they? Notes? Someone else’s actual files? The provenance of the data needs to be ascertained. “Given the location of the find, close to Heathrow, it is thought more likely that an airport worker had accessed the data and inadvertently lost the USB drive,” writes Simon Calder for the Independent. “But it is believed more likely that whoever lost the memory stick had security clearance to access the data, if not necessarily to take the information away from Heathrow on a portable drive.” He didn’t say, however, who thought and believed this or where he got this information.

Second, how did the files come to be on a USB stick in the street, about six miles from the airport (though one source says ten miles)?

  • Do we have a careless worker who dropped the files they were taking home to work on?
  • A careless terrorist who was supposed to bring them to a meeting? “Oops, my bad.”
  • A careless spy who dropped the files they were planning to sell to someone?
  • Someone discarding the files after they had already made copies or sold them to someone?
  • An attempt to sow fear, uncertainty, and doubt by revealing that the information was out in the world, thus making people afraid to visit Heathrow, or even London itself, for fear of a terrorist attack? As far as terrorism goes, fear of an attack – especially just before the busy holiday season — is almost as good as an actual attack, and it isn’t nearly as dangerous and doesn’t hurt people.

And if it was somebody being careless, they were doubly careless not to encrypt the files – though we know that, despite governments’ insistence that encryption is a tool for terrorists and child pornographers, terrorists often don’t encrypt their own files. On the other hand, if the release of the information was the goal, it would be important not to encrypt them, because otherwise how would people know to be afraid that the information was released?

Third, how did the files come to be on a USB stick on that street?

  • Were they dropped?
  • Were they deliberately placed there? Was it a dead drop of some sort?
  • Were they intended to be found by that person? Or by someone else and this other person picked them up? (We’ve been binging on The Americans lately; can you tell?)
  • How many other such USB sticks with the Queen’s security plans are out there? Where else might copies of that data be?

One thing is for sure: People are going to be seriously scanning the ground for USB sticks in England for a while. Hopefully they’ll take them to the police rather than poking them into their computers – because, you know, that’s still a bad thing to do.

2  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • kwkeirstead
    All about protocol or, more precisely, the lack of protocol, for protecting sensitive information. 

    Data written out to portable storage (USBs, portable drives, laptops need to be encrypted. 

    why not a smartwatch that can wirelessly communicate with a computer - with a default option that results in self-destruction if the watch goes too far away from the owner.
    30 pointsBadges:
    report
  • shelldozer
    So a smartwatch equipped with infallible biometric-environment sensors (ie: can detect if the nominal carrier's arm has been lopped off to stop the watch self-destructing).
    30 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: