Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO

Use of old classification

The presence of documents containing obsolete security classifications is not necessarily surprising. In an astonishing example of governmental common sense, when the new classifications came out (3 or 4 years ago) there was no requirement to re-classify existing documents unless and until they were changed.


Re: Use of old classification

It's a good point, but I'm not clear on the relevance to the story anyway. Surely if HAL are a private company, the names they give their security classifications are irrelevant when compared to similarly named ones used in Government? It's the definition of those classifications which is important.


Makes sense

They can't even serve you decent coffee at Heathrow, why should their security be any better?


Re: Makes sense

You sound like you've got some baggage there Zippy, was your bag latte or something?


Re: Makes sense

Well my advice is don't go to Pret a Manger:

https://www.bbc.co.uk/news/business-45731201


Re: Makes sense

I was unaware that it was coffee they served there


Re: Makes sense

It can be hard to find proper coffee generally in the UK. You can get it elsewhere, so I know it can be done; the coffee in NZ, for example, is bloody excellent. I blame passive consumers. If nobody went to the big bland chains they would go out of business.

It's the same with unripe fruit in the supermarkets. Again, having grown up in NZ I know what ripe fruit is, and a vast proportion of supermarket fruit in the UK is vastly unripe. I adore apricots but haven't bought any in years in the UK, as they are universally small, hard and very, very sour. Pretty much the opposite of what an apricot should be and which I know it could be. The number of people I have taught to recognise a good watermelon after they see me holding one up and tapping it with a fist (it should ring like a bell; if you get a dull thud, put it back). For cantaloupe-type melons you have to sniff them: no or little smell, put it back. The list goes on, and it exists because British consumers are passive and do not demand ripe fruit or refuse to buy the unripe stuff.

DJV

Yes, but...

...more importantly has a HAL PR drone issued a press release saying something like "security is our highest priority" so that we can all snigger and laugh even more at their expense/lies/bullshit?

Anonymous Coward

Re: Yes, but... re hal drones

The job of any drone is to drone (and I suppose they're well-paid for droning any nonsense the ueber-drone tells them to drone about as of today).


Re: Yes, but...

"Security is our highest priority, and we can reassure the public that the data on this memory stick would not allow any unauthorised opening of pod bay doors."


Re: Yes, but... re hal drones

Drones aren't allowed anywhere near airports....


The Queen

Now has to be smuggled through Heathrow as part of a hen-do to Malaga until she can make an escape via a hidden door behind the giant bars of Toblerone in duty free.


Re: The Queen

Was planning to go to Magaluf on the 27 Oct 18, but you've ruined her plans now.


Re: The Queen

If her Maj really does take the same route every time, surely that in itself is a risk?


Re: The Queen

In public they'll usually use various randomly chosen routes to minimise the chances of someone figuring it out. In a supposedly secure area like the "backend" of an airport it should be possible to use the same route. Because it's a rather small area with a limited number of entrances, probably a fixed "royal lounge" and a fixed ramp for the aircraft that means there's little to vary in the approach and departure routes on the airport itself anyway.


a national newspaper, which recorded the data

Yes I know the information should not have been lost, but is "recording" it legal? Noting its contents, maybe, but recording it? What if it was personal data? Presumably there is case law on this.

And I don't like the idea of viewing it first at a library. Do library PCs have open, functional USB ports? Was the finder worried that there might be malware on it? (And did a qualified security bod sanitise the library PC afterwards?)


Re: a national newspaper, which recorded the data

And I don't like the idea of viewing it first at a library. Do library PCs have open, functional USB ports? Was the finder worried that there might be malware on it? (And did a qualified security bod sanitise the library PC afterwards?)

Probably the second safest option (after not connecting it to anything) from the finder's point of view. Library computer USBs will allow connecting storage devices because one of their purposes is to let people get data off or on (e.g. for emailing), they're there to give the general public access to IT.

Interesting question though, what is the properly paranoid approach, assuming you need to read an untrusted USB device? If you're willing to believe it may have some way of compromising the machine, or at least the USB interface, then maybe it's use once and dispose of all hardware (or at least, replace all EEPROM and BIOS as well as wipe disc)?


@smudge Re: a national newspaper, which recorded the data

The reason the newspaper made a copy was in case HAL then denied that it had ever lost the USB stick. That would not be beyond the bounds of possibility or reason.

Also, it would have been useful if HAL then did lose the returned USB stick and asked for a copy for its investigations.


Re: a national newspaper, which recorded the data

but is "recording" it legal?

That was my thought too. What penalty has the ICO imposed on them? Or is there to be a prosecution under computer misuse? The stick serves as a proxy for the computer on which the data was kept.

I suppose the get-out is that the only evidence that a copy was made would be the operator's own evidence which would amount to self-incrimination and might not be allowed.


Re: a national newspaper, which recorded the data

> Interesting question though, what is the properly paranoid approach, assuming you need to read an untrusted USB device?

Use a dedicated sanitizer device such as https://www.circl.lu/projects/CIRCLean/


Re: a national newspaper, which recorded the data

Use a dedicated sanitizer device such as https://www.circl.lu/projects/CIRCLean/

That's a nice answer, probably does do the job (at least, it's hard to believe an arbitrary good USB flash drive could be compromised to propagate the attack further), and looks like it's from people who know what they're doing. However, when there are things like this in the mix https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ it's hard to say that you can't attack the device, even with allowed device classes locked down (to avoid all the peripheral spoofing types of attack), especially when the sanitiser is a standard computer. Once you've got control of the sanitiser you can't guarantee what's been written to the 'clean' device is safe. I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

An attacker who'd gained control of the sanitiser could also attempt to include filesystem handling attacks and compromised files on the output device, but those you can at least handle by analysing from a VM and wiping it afterwards. Attacks on the interface itself seem (to me) harder to deal with, since the attacker potentially has the host OS and therefore the ability to get to the BIOS and other hardware. I suppose I was hoping for some protocol level device that could buffer and sanitise the connection. Admittedly a USB firmware worm that will propagate over a Pi seems like quite a sophisticated hypothetical attack.

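The content-allowlist idea behind the sanitiser discussed in this comment, as an added example that is neither the poster's code nor CIRCLean's: files coming off an untrusted stick are accepted only if their leading bytes match a small constructed allowlist (PDF, PNG and JPEG here), and the clean copy's extension is taken from the detected content rather than the original name, so a renamed executable is dropped while a JPEG disguised as `.exe` is kept under its real type. `demo()` builds a constructed sample stick in a temporary directory; the filter handles file contents only, not the USB-interface attacks the comment goes on to worry about.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed allowlist: leading bytes -> extension the clean copy gets.
# A file is judged by its content, never by its name; anything else is dropped.
ALLOWED_SIGNATURES = {
    b"%PDF-": ".pdf",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}

def classify(path: Path):
    """Return the allowlisted extension for path, or None to reject it."""
    try:
        if path.is_symlink() or not path.is_file():
            return None  # no symlinks, devices or other odd entries
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError:
        return None  # unreadable: treat as hostile, not as a retry
    for magic, ext in ALLOWED_SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None

def sanitise_tree(src: Path, dst: Path) -> dict:
    """Copy allowlisted files from src to dst; report what was kept/dropped."""
    report = {"kept": [], "rejected": []}
    for root, _dirs, files in os.walk(src, followlinks=False):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src)
            ext = classify(p)
            if ext is None:
                report["rejected"].append(rel.as_posix())
                continue
            out = dst / rel.with_suffix(ext)  # extension follows content
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(p, out)  # bytes only: no metadata, no links
            report["kept"].append(out.relative_to(dst).as_posix())
    return report

def demo() -> dict:
    """Run the filter over a constructed sample 'stick' in a temp dir."""
    base = Path(tempfile.mkdtemp())
    stick, clean = base / "stick", base / "clean"
    (stick / "docs").mkdir(parents=True)
    (stick / "docs" / "report.pdf").write_bytes(b"%PDF-1.4 sample")
    (stick / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
    (stick / "readme.exe").write_bytes(b"\xff\xd8\xff\xe0 really a jpeg")
    (stick / "holiday.jpg").write_bytes(b"MZ\x90\x00 really a PE file")
    return sanitise_tree(stick, clean)
```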
Anonymous Coward

Re: a national newspaper, which recorded the data

Working for a local authority, I love the idea that someone thought it might be malware and so used library PCs to check it :) Having said that, funnily enough it is something that we think of with the design of public access machines, and our devices completely refresh all changes to a known state using Faronics Deep Freeze. I suspect there are some authorities out there that don't go to these lengths though!


Re: a national newspaper, which recorded the data

If you're willing to believe it may have some way of compromising the machine, or at least the USB interface, then maybe it's use once and dispose of all hardware (or at least, replace all EEPROM and BIOS as well as wipe disc)?

Actually, when I said "sanitise", I was thinking of ensuring that it doesn't have any classified material still on it. But the possibility of malware is, of course, a real problem - probably more of a risk than, say, having some confidential information in a disk sector that had been part of the page file.


Re: a national newspaper, which recorded the data

Certainly from a DP perspective there is a specific exemption for journalism that would allow them to process the data, but I can't speak for the other categories of data.


Re: a national newspaper, which recorded the data

I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

No, device makers need to get their act together and enforce encrypted and/or signed firmware images. You need to be able to update the firmware when flaws are found, right?


Re: a national newspaper, which recorded the data

probably more of a risk than, say, having some confidential information in a disk sector that had been part of the page file.

Paging onto a USB flash drive ?????


Re: a national newspaper, which recorded the data

I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

No, device makers need to get their act together and enforce encrypted and/or signed firmware images. You need to be able to update the firmware when flaws are found, right?

In general, yes, if the thing could conceivably need firmware updates. For a flash drive? It's one use case where immutable may be better. There's not much you can do to attack it directly when plugged in, except possibly re-program it to attack the next computer it's plugged into. (You've got direct access to the storage anyway, so data destruction is not something you need to exploit a bug in the firmware for, and if there's a serious enough bug to cause data loss then you scrap it and get on with life.)


Re: a national newspaper, which recorded the data

If there were documents marked RESTRICTED or CONFIDENTIAL, as reported, then by definition it's an offence under the Official Secrets Act to have a copy unless you're an authorised person. The newspaper would have known this, but their lawyers probably told them that they estimated that the Crown Prosecution Service would not consider a prosecution to be in the public interest. I very much hope that they also stored their copies on disposable hardware: the security authorities might otherwise demand cleansing of their server networks. Look what happened to the Guardian's hard disks.


Re: a national newspaper, which recorded the data

I suspect most authorities out there don't even think about this kind of issue, let alone go to these lengths.

FTFY


Re: a national newspaper, which recorded the data

"If there were documents marked RESTRICTED or CONFIDENTIAL, as reported, then by definition it's an offence under the Official Secrets Act to have a copy unless you're an authorised person. "

I must remember to tag all my shopping lists as "RESTRICTED" and then invoke the OSA when plod wants to see them.


Re: a national newspaper, which recorded the data

It sounds like something the library or any other place with shared computer usage should have. The scan should be run by the personnel running the place before the flash drive is allowed to be used in their equipment.


The 2% - and not interested

Obviously Elites... except, D'Oh

How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief.

The REAL eye-opener was the ICO having a complete lack of interest in the "marked" files: WTF? Guess they assume that HMG / Police / GCHQ will pick up the slack... ?

I do wonder if a head rolled.


Re: The 2% - and not interested

"How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief."

Being trained isn't quite the same thing as having been on a training course.


Annual revenue HAL 2017 £2884M, fine 0.12M

Fine = 0.004% of revenue

If the government were serious about security it would give the powers to fine at least single digit percentages of revenue. This isn't even a slap on the wrist, more like a grain of sand in a shoe.


Happened in 2017, so fell under the old laws. That does mean the cap would have been £500k, but I suppose the approach to determining the fine would have also had to be in line with the previous practice, rather than working it out as if it had happened after and then applying the cap.


Fines? Pah!

If you fine a company it will only recover the costs through its customers, that's you and me, via increased prices.

Jail for accountable senior executives is possibly the only answer to them taking our data (anybody's data) seriously.


Re: Fines? Pah!

Yes, who was the dimwit anyway, walking around the public area with that USB stick and then losing it?


Re: Fines? Pah!

who was the dimwit

Probably the PHB, had it been the PFY then he would have been crucified by now in public.


Re: Fines? Pah!

> If you fine a company it will only recover the costs through its customers, that's you and me, via increased prices.

True, but they should have been charging higher prices and using the money to improve training, processes, monitoring etc.


Re: Fines? Pah!

"had it been the PFY then he would have been crucified by now in public."

In which case something even nastier, probably involving insecure windows or faulty lifts, rolls of carpet and quicklime would have happened to the PHB.

Anonymous Coward

Restrictive?

The old security classification would have been RESTRICTED, not restrictive.



Re: Restrictive?

Also yes if you find something like this the "right" thing to do is hand it in *IMMEDIATELY* to someone who knows what classified data is

And how would you know there could be confidential data on a stick, and not cat vids, without you plugging it in? People generally don't put labels "STRICTLY COMPANY CONFIDENTIAL" on such things, although there are ones that are sufficiently stupid to do so.


How hard can it be?

Yet again I’m left asking why an organisation allows an employee to copy data to a USB stick. Do these places not have secure VPNs that enable staff to work remotely without having sensitive information copied outside the secure perimeter?


Re: How hard can it be?

Yet again I’m left asking why an organisation allows an employee to copy data to a USB stick.

Maybe the stick was labelled "Lady Gaga".


Makes me wonder...

What would happen if you left a USB stick lying around with "important" information. Probably some BOFH type information that might get the "boss" in hot water.

Of course, it would all be made up, but convincing.

Then wait for the after action and laugh very hard.

Project. HAL 9000?

Anonymous Coward

"Queen's exact route used each time she travelled"

Not amused.

Betty now has to go via Claxton, Bexhill-on-Sea, Slough and Lower Slaughter each time she is driven to Heathrow!


Re: "Queen's exact route used each time she travelled"

The day we went to Heathrow

By way of Inverness


"Timings and routes of security patrols"

Whilst there may be defined patrol routes, the last thing you want is to execute these patrols in a predictable manner, especially in a high security environment. If your patrol management software doesn't cater for this, buy better software.


Whilst there may be defined patrol routes, the last thing you want is to execute these patrols in a predictable manner,

I agree, and I'm not some Joe Public here; I've played enough Commandos: Behind Enemy Lines to be qualified to have an opinion on this.
