USB stick found in West London contained Heathrow security data

Detailed security arrangements for London Heathrow airport, including the Queen’s precise route every time she passes through, were found on a USB stick left in a West London street, according to reports. The unencrypted USB stick was found lying under leaves on Ilbert Street, a leafy terrace near the famous Kensal Green …


  1. Anonymous Coward

    Better get her majesty some new fingerprints.

  2. Anonymous Coward

    How was this even possible?

    Assuming that the "loser" of the USB drive was the one who compiled it, HOW were they able to export sensitive data like this? I am of course taking the re-reported word of the Sunday Mirror, but let's go with that for the time being.

    There should be at least two people joining the search for new employment, because there either weren't IT safeguards in place, or they didn't work, or the resulting alerts weren't acted on by management.

    1. GruntyMcPugh Silver badge

      Re: How was this even possible?

      "Assuming that the "loser" of the USB drive was the one who compiled it"

      Indeed, or that the USB stick wasn't discarded once its content had been copied to a laptop by a 3rd party, who was perhaps paranoid the stick could be traced and didn't want it in their possession.

      Just because the stick has been returned doesn't mean the security hole is plugged.

      1. katrinab Silver badge

        Re: How was this even possible?

        I suspect that someone else was supposed to find this USB stick, and whoever left it there will have a copy they can drop somewhere else.

        1. Stuart Halliday

          Re: How was this even possible?

          The fact that a USB stick exists with open documents tells us plenty about that organisation.

          None of it good. :(

          1. Yet Another Anonymous coward Silver badge

            Re: How was this even possible?

            The fact that a USB stick exists with open documents tells us plenty about that organisation.

            That in the current climate of austerity they can no longer afford to lose entire laptops

          2. Commswonk

            Re: How was this even possible?

            The fact that a USB stick exists with open documents tells us plenty about that organisation.

            Not sure that's either true or fair. It certainly tells us something about one person within the organisation, but finding that person might be easier said than done.

        2. Anonymous Coward

          Re: How was this even possible?

          "I suspect that someone else was supposed to find this USB stick"

          Moscow rules Smiley, Moscow rules!

      2. jmch Silver badge

        Re: How was this even possible?

        "Just because the stick has been returned doesn't mean the security hole is plugged."

        Completely true, but not only for this case. As per the quote below...

        "...had the chance passerby been someone less kindly disposed towards the UK than the finder of the stick, the consequences could have been seriously bad."

        ... that seems to assume that not only has this particular incident not resulted in a breach, and completely ignores that this is one breach that is known, and potentially there could have been more where the finder of the stick was not so kindly disposed to the UK.

      3. Anonymous Coward

        Re: How was this even possible?

        I met someone at a conference who had conducted a test in his organization. New IT rules had just been published and employees had to sign to say they had read them. This forbade using any external memory or device that had not been supplied or checked by the IT dept. He then placed on the ground outside the main entrance a USB stick with the company logo on it. It contained a small program (disguised as lists of salaries) that sent the IP address of the computer it was attached to*, to a test machine in IT.

        He watched the stick to see who picked it up and to check it wasn't picked up by someone other than an employee. Suffice to say most people who picked it up stuck it straight into their work computers and were then summoned for a telling off. Only one person handed the stick into IT and said that they'd found it outside. This self same person then asked if there was a reward for finding it. Another took it home to see what was on it away from the workplace.

        *Apparently he'd wanted to put something on there that also flashed the screen red with a message saying IT policy breach flashing in white. HR very sensibly had said no to this because of Epilepsy fears and to spare the miscreant public humiliation.

    2. Whitter
      Flame

      Re: How was this even possible?

      Compare and contrast:

      "We ... are confident that Heathrow remains secure".

      "We have ... launched an internal investigation to understand how this happened"

      Leaking security files obtained outwith the controlled distribution list is itself a security risk. Thus until you know how it happened and can verify you've plugged that hole, you cannot declare Heathrow safe.

    3. nobody_important

      Re: How was this even possible?

      There's a bit of an assumption that this loss was "accidental" isn't it?

      On the train or by the roadside .. ok... but amongst leaves...?

      1. W4YBO

        Re: How was this even possible?

        I have a Kensington 32 Gig stick that has a nearly gooey silicone coating. Usually it sticks to the bottom of my pocket, even through a laundering, but I've found it sitting in my driveway and buried in the recliner cushions.

      2. CustardGannet
        Paris Hilton

        Re: leaves

        A fairly high percentage of the UK is covered in leaf litter at the moment, so it's not really that surprising that the stick was found in a pile of them.

        (Source : personal experience, from having spent much of yesterday tidying the garden.)

        Paris, because she knows about having a tidy garden.

    4. Stuart Halliday

      Re: How was this even possible?

      Absolutely. Doesn't matter how many procedures you make, people will settle down into the lowest state that they can get away with.

      If these are IT professionals, they need serious discipline as they are aware of their responsibilities.

      Other staff are or will exploit holes in your security and they wouldn't tell you about them.

      So, you absolutely must not allow them to do this exporting onto removable storage.

      Sure, they'll complain. But with sensitive documents, you don't let them unless they're encrypted.

      Any IT professional knows this, so there must be a very serious lack of care at this department and now that's public knowledge.

      Not a good position to be in...

    5. CrazyOldCatMan Silver badge

      Re: How was this even possible?

      or the resulting alerts weren't acted on by management.

      It was probably management that lost it:

      "PFY - I want you to put all this info on a USB stick for me"

      "PFY - I can't read any of it because my Mac doesn't do Bitlocker! Don't encrypt it!"

      "PFY - I don't care that it breaches all the policies. I need to read it at home. Do it or get sacked. Oh - and don't tell anyone or you'll get sacked"

      1. Intractable Potsherd

        Re: How was this even possible?

        @COCM: I think you mean "PHB", not "PFY" (a mistake I regularly make when reading!)

  3. FuzzyWuzzys
    Facepalm

    Which only goes to prove yet again that security failures are all about the weakest link, and as per usual it's the dopey, soft squidgy, burger chomping, arse scratching, nose picking, fleshy drongo sitting in front of the screen!

    1. Anonymous Coward

      I Strongly Object!

      I find great insult in that vast generalisation.

      I never pick my nose and I'm insulted that you'd think so...

  4. Anonymous Coward

    I think the Brits are more sensitive to associating, being able to touch something physically, with "owning" it and it "being safe".

    Indications:

    - Much later in adopting Chromebooks in education than Canada and New Zealand.

    - Greater tendency to use CDs and USB sticks.

    - Greater tendency to have power struggles against networked storage (and, ironically, also a greater tendency to store company data on private cloud accounts).

    Main surprise is that there are not many more of these discoveries.

    1. Anonymous Coward

      The UK is not exactly built to embrace cloud technologies like other more technically developed countries; our broadband infrastructure is expensive at the good end and piss poor at best at the affordable end compared to most of the world (US and Australia aside). Maybe Project Loon could hover over the UK and get us into the new age of fastness.

      1. Anonymous Coward

        Re: The UK is not exactly built to embrace cloud technologies

        I thought the UK's experience with clouds was having stuff continually falling out of them.

        That is hardly going to sell them as a storage option.

    2. David Nash Silver badge

      Owning it, yes (for example I recently confused my son by buying a CD which is readily available on Spotify) but not with "being safe". I don't think we are under any illusions about the ability to copy and pass on digital data.

    3. John Lilburne

      Why would you give your data over to some cloudy thing? Doing so leaves you vulnerable to having the cloudy thing shuttered at any time. Ask those that used Yahoo Photos, or a whole bunch of Google apps. Yeah, use them as another form of backup but keep your data elsewhere and don't be dumb enough to expose yourself to the risks of being suckered into relying on some cloudy API.

      1. DJSpuddyLizard

        Why would you give your data over to some cloudy thing

        "Cloud" is just shorthand for "somebody else's computer"

    4. Chairman of the Bored

      References please?

  5. Anonymous Coward

    Heathrow PR-head: 'Security is important to us'

    Why does the media continue to let anyone say this? Why even quote it?

    1. Voland's right hand Silver badge

      Re: Heathrow PR-head: 'Security is important to us'

      It's OK to quote it. If they also quote the round of chuckling from the audience as well.

  6. Anonymous Coward

    “Heathrow remains secure”

    ???????

    Obviously not...

    1. hplasm
      Facepalm

      “Heathrow remains secure”

      "England prevails"

      "Olympus London has fallen."

      1. Alister

        Re: “Heathrow remains secure”

        "Olympus London has fallen."

        They should do a film...

        Oh, wait...

      2. JimboSmith Silver badge

        Re: “Heathrow remains secure”

        “Heathrow remains secure”

        "England prevails"

        "Olympus, London has fallen."

        London Has Fallen

        That was the second worst film I've ever seen

        Olympus Has Fallen

        was the first.

        I started pointing out to my long suffering friend the things they had done in the film to make the assault on the White House easier etc. I was told to detail them later as she was trying to enjoy the film. When we came out of the cinema and I listed them off she said up until I'd pointed these things out she'd thought it was an okay film. She then agreed that the thing was a pile of crap.

        "A bit like doing a movie about a bank heist. To make the writers and producers lives easier there being no alarm and the vault doors are made of wood and left open anyway etc."

        1. Daedalus

          Re: “Heathrow remains secure”

          At least she didn't keep asking you which one was Gerard Butler and who was that guy in the Oval Office.

          1. JimboSmith Silver badge

            Re: “Heathrow remains secure”

            Oh no she knows who Mr Butler is.

        2. CrazyOldCatMan Silver badge

          Re: “Heathrow remains secure”

          I started pointing out to my long suffering friend the things they had done in the film to make the assault on the White House easier

          I do something akin to that with my wife (in my case, it's pointing out all the anachronisms in supposedly historical films).

          She won't now go to watch supposedly historical films with me..

          1. JimboSmith Silver badge

            Re: “Heathrow remains secure”

            I've been told not to talk during films if we go out. Apparently my pointing out faults with the film is as annoying as I find actually spotting them.

  7. Velv
    FAIL

    "Hmm, I've found this USB stick, let's just plug it into my computer and see what is on it"

    What a great untraceable way to start the spread of malware. Just leave some infected USB sticks lying around and wait for them to be plugged in.

    1. Daedalus

      This is why you don't use library computers for anything sensitive. Make that anything at all.

      1. Flocke Kroes Silver badge

        Library computers can be handy ...

        ... for examining suspicious USB sticks. Apparently the finder in today's story spoke to journalists. Either this is a very brave man or someone with appalling opsec. I would go with the traditional written statement made from words cut from a newspaper - probably quicker than putting together a disguise and sufficient false ID to get access to a library far from home. Right at the top of the list of things not to do is to use your own printer.

    2. Mr Dogshit

      Well DUH

      1. Prst. V.Jeltz Silver badge

        re Well Duh

        I could happily use a disease ridden library computer to, say, check a train timetable, or look at kittens. After all it's had no information from me.

        1. Anonymous Coward

          Re: re Well Duh

          I could happily use a disease ridden library computer to, say, check a train timetable, [...]. After all it's had no information from me.

          Well, except that you're likely to be travelling on one of those trains.

        2. CrazyOldCatMan Silver badge

          Re: re Well Duh

          I could happily use a disease ridden library computer

          Hopefully, the Library computers will be using some form of managed kiosk mode so that any changes introduced by someone get wiped as the machine gets nuked back to bedrock on logoff..

    3. Anonymous Coward

      malware spreading

      Heads should roll at the library as well.

      1. Mark 78

        Re: Heads should roll at the library as well.

        Why should heads roll at the library? The PCs are there for the public to use. The public have to have a way to save files. USB is the most convenient, so you can't disable it.

        Instead most Libraries have systems in place using things like Deep Freeze to ensure that each machine is returned to its default state after every user, which, along with A/V software, tends to make Malware an extremely small risk on library PCs.

        1. Anonymous Coward

          Re: Heads should roll at the library as well.

          The PCs are there for the public to use. The public have to have a way to save files. USB is the most convenient, so you can't disable it.

          Most convenient for the users that is. I hear printers will also work. Librarians like paper.

    4. David Nash Silver badge

      Malware spreading via USB stick

      As much discussed here in the past. That was the first thing that I thought of when I read the article. I wouldn't have known whether there was sensitive material on a stick like that, because I would not plug it into my PC.

      1. Cynic_999

        Re: Malware spreading via USB stick

        "

        I wouldn't have known whether there was sensitive material on a stick like that, because I would not plug it into my PC.

        "

        Just use a live CD to boot into any of the Linux distros and examine the contents of the USB stick on that. You could use any OS that will not auto-run stuff on removable media to list the files, and boot into the live CD only if anything looks interesting.

    5. Terry 6 Silver badge

      USB stick in the car park. I think that's already a well known ploy.

      And at the (volunteer, community run, as so many are these days) local library anyone can stick a USB into the computers. And it's not only the digital viruses that you need to worry about on those machines.

    6. Anonymous Coward

      "Hmm, I've found this USB stick, let's just plug it into my computer and see what is on it"

      What a great untraceable way to start the spread of malware. Just leave some infected USB sticks lying around and wait for them to be plugged in.

      That's why I always test strange USB drives on someone else's PC.
