British army officer leaves laptop at pub

[fourier jr]

LONDON, Feb. 12 (UPI) -- A British army officer left a laptop containing information on military exercises, weapons locations and private information at a pub, The Sun reported.

A Royal Engineers captain reportedly left his laptop under the booth at a London pub following a night of drinking. A patron gave the computer to The Sun, the newspaper said Tuesday.

The laptop contained private information of more than 200 soldiers and their families in addition to the military information, the report said.
etc etc

http://www.upi.com/NewsTrack/Top_News/2008/02/12/british_army_officer_leaves_laptop_at_pub/2351/

As a Canadian I can't really point & laugh. Back in the 1980s Canada's minister of defence took a big folder full of sensitive NATO documents with him to a strip club in Germany. (at least he resigned soon afterwards)

 

[mgb_phys]

The government just lost a couple of CD with the name,address and bank account details of 20million people on them! It put them in the post and they never arrived - that was standard operating procedure for tranferring data!

Last year it lost a laptop containing the name, bank details and passport info for 600,000 people who had applied to join the army.
http://www.theregister.co.uk/2008/01/22/mod_gives_away_data/

 

[CaptainQuasar]

That would seem to imply that the hard drive wasn't encrypted. I knew they'd scrapped plans to have a nuclear-powered navy but the British military must really be strapped for cash because that kind of technology is available http://www.truecrypt.org/".

⚛​

 

[Huckleberry]

Why would someone who knew that the laptop belonged to a military officer take that information to the press instead of returning it to the military? And why would an officer bring sensitive military information into a public bar? I don't trust my government completely either, but I don't understand intentionally sabotaging it for any particular reason. The courteous thing to do is to return property to the owner, regardless of what one thinks of them. Someone stole the laptop and the information on it and should be held accountable for it.

 

[CaptainQuasar]

Assuming that the laptop is eventually returned to the military and that the newspaper vouchsafed that it would be, was the laptop really stolen? Holding the government accountable for being delinquent in its duties like national security rates much higher for me than holding someone accountable for maybe stealing property. And if the laptop had gone directly back to the military I doubt anyone would have found out about the security slip-up. There is not any sort of civic duty to help the government cover up its messes and mistakes, in fact your civic duty is exactly the opposite, to make sure the government is held accountable.

One of the points made in Michael Moore's movie Sicko was “In America the people are afraid of the government, in France the government is afraid of the people.” A nationalist and bombastic sentiment to be sure by the Frenchman who said it but here in the U.S. we ought to be trying harder to make sure the government is afraid of us rather than the other way around.

⚛​

 

[NeoDevin]

And if the laptop had gone directly back to the military I doubt anyone would have found out about the security slip-up. There is not any sort of civic duty to help the government cover up its messes and mistakes, in fact your civic duty is exactly the opposite, to make sure the government is held accountable.

What you say is true to some extent, but I would say there is a difference between covering up the government's mistakes, and exposing potentially sensitive information to the media. To me, a more appropriate course would be to return the laptop to the rightful owner/government, but inform the media of what happened. I don't know the nature of the information on the laptop, so I can't say how serious it is that it got leaked.

 

[Moonbear]

Why would someone who knew that the laptop belonged to a military officer take that information to the press instead of returning it to the military? And why would an officer bring sensitive military information into a public bar? I don't trust my government completely either, but I don't understand intentionally sabotaging it for any particular reason. The courteous thing to do is to return property to the owner, regardless of what one thinks of them. Someone stole the laptop and the information on it and should be held accountable for it.

I was thinking this too. Who takes a found laptop straight to the media? Why not give it over to the pub owner to return when someone comes looking for it?

For that matter, how did the person who found it know it contained anything worth handing over to the press, and I agree, why was he carrying around the laptop like that to a pub anyway?

Something about this all sounds hinky. Was the officer disgruntled about something and set up the scenario to leak something to the press? Perhaps it was intentionally leaked for some reason only known to the military (faked plans to throw the press off the trail of their real plans)?

 

[mgb_phys]

The old cock-up vs conspiracy arguement.

The explanation for a lot of these problems is that since IT for government and military has been outsourced it is very difficult to use any of it since any request immediately turns into large consulatancy bills that need levels of approval - so there is an unoffical parallel IT system of Excel spreadsheets and Access databases being passed around people's laptops.
Ironically extra security requirements seems to have made this worse - if it now takes you 2 hours to get to read your email because you have to go to a special secure terminal and have it's use approved by 3 senior officers there is a strong incentive to just forward everything to your hotmail account.

Anyone who has worked in engineering spends most of their time trying to work around new processes put in place by management for either security or economy or accountablility - looks like the army is no different.

 

[CaptainQuasar]

What you say is true to some extent, but I would say there is a difference between covering up the government's mistakes, and exposing potentially sensitive information to the media. To me, a more appropriate course would be to return the laptop to the rightful owner/government, but inform the media of what happened. I don't know the nature of the information on the laptop, so I can't say how serious it is that it got leaked.

But if the laptop was simply returned outright and no one actually examined it, don't you think that the military would have simply said that it was his personal laptop and it didn't have any sensitive material on it, and that their security procedures are working flawlessly? If you're going to put so much trust in the government to be honest why not put the same trust in journalists?

Doesn't sensitive material usually fall into the hands of “the enemy” through government malfeasance, rather than journalistic malfeasance?

⚛​

 

[mgb_phys]

Doesn't sensitive material usually fall into the hands of “the enemy” through government malfeasance, rather than journalistic malfeasance?

Except the enemy are the journalists.
If the enemy find a secret they can't do anything with it unless there's a war.
If the press find out, your job is in danger the next morning!

 

[mheslep]

The most recently famous US case must be that of John O'Neil, the FBI counter terrorism specialist who raised many alarms about AQ prior to 9/11. O'neil lost his job w/ the FBI after leaving classified documents in a hotel. He subsequently became the WTC security chief and was killed in a tower collapse.

 

[Brisar]

Sh*t happens. What you going to do now? I think, they suppose to have all their info on the net

 

[Evo]

When I worked with a laptop that carried sensitive information, when I left work, I carried the laptop with me. If we decided to stop somewhere after work, we had two choices, lock the laptop in the car, or bring it in with you.

You'd think locking it in the car would be safe. No. On one occasion one of my co-workers had his laptop locked in the trunk. Thieves broke into the car and stole his laptop. We all then ran out to the parking lot to check on our cars and we then brought our laptops into the bar to keep them with us. Of course our laptops had all kinds of security that prevented the laptop from working, you'd have to enter a password, and then there was a separate "card" that would display a nine digit number every 60 seconds that was synched to only my laptop that had to be entered. Otherwise nothing would happen, you would never complete setup.

Anything can be hacked, but your normal thief would find the computer to be useless.

 

[f95toli]

Why would someone who knew that the laptop belonged to a military officer take that information to the press instead of returning it to the military?

I suspect the answer is at the end of the quote: "...The Sun reported".
I think we can safely assume that whoever brought the laptop to The Sun made some money.
The Sun is the worst kind of tabloid and they thrive on stories that makes the government (regardless of which party is in power) look incompetent.
I must admitt I also have some prejudice against people who read The Sun on a regular basis.

 

[CaptainQuasar]

Anything can be hacked, but your normal thief would find the computer to be useless.

Anything can be hacked, anything can be socially engineered, but using a hard drive encryption tool is waaaaay safer than just relying on your password or possession of a computer to physically protect really sensitive data. For exactly this lost laptop scenario. And as I noted above extremely high-quality hard drive encryption tools are available for http://www.truecrypt.org/", so there's no excuse.

Although if I was a bad guy I would suck all the existing data off of it, load it up with spying and infiltrating viruses, and then return it. I hope the military et cetera has decontamination procedures for when things like this happen.

Despicable though tabloids like the Sun are I think that in this case by serving their craven self-interest they're actually doing a public service. A military or government organization would normally have to pay top dollar (£?) for this kind of security http://en.wikipedia.org/wiki/Penetration_testing" . If their procedures and rules are tidied up at all because of this it has done good, whether it's because those procedures aren't in place or because the guy who the laptop belonged to didn't understand them.

⚛​

 

[mgb_phys]

And as I noted above extremely high-quality hard drive encryption tools are available for http://www.truecrypt.org/", so there's no excuse.

The problem is that truecrypt isn't the MOD standard so you aren't allowed to use it. The official standard of course won't be available on the laptop because they generally run about 10years behind current technology and the standard will have to include all sorts of stuff about TEMPEST sheidling and explosive self destruct so isn't practical - the result is no security at all.


The missing CD-ROMS was funnier. The dept had a security policy for encrypting data when sent between departments but the worker who sent the data wasn't allowed to know about it because the security policy was classified

 

[Evo]

Anything can be hacked, anything can be socially engineered, but using a hard drive encryption tool is waaaaay safer than just relying on your password or possession of a computer to physically protect really sensitive data. For exactly this lost laptop scenario.[/SIZE][/RIGHT]

Believe me whatever was possible to prevent access to information on the hard drive was on this laptop, the main issue was what my computer was capable of accessing that had to be disabled.

Having an additional password that changes every 60 seconds makes things a bit harder to get into.

 

[CaptainQuasar]

The missing CD-ROMS was funnier. The dept had a security policy for encrypting data when sent between departments but the worker who sent the data wasn't allowed to know about it because the security policy was classified

Ha.

⚛​

 

[mgb_phys]

Ha.

There isn't a lot of logic about security services.
At work we got a defence contract so there was a call for anyone who had security clearance.
But having a classified clearance is itself classified.
But you would only know that if you had classified clearance!

So you couldn't say yes and couldn't say no !

 

[CaptainQuasar]

The explanation for a lot of these problems is that since IT for government and military has been outsourced it is very difficult to use any of it since any request immediately turns into large consulatancy bills that need levels of approval - so there is an unoffical parallel IT system of Excel spreadsheets and Access databases being passed around people's laptops.

I can definitely confirm that. The same thing happens in many of my larger clients because the IT staff is siloed.

Anyone who has worked in engineering spends most of their time trying to work around new processes put in place by management for either security or economy or accountablility - looks like the army is no different.

I can say that I've had the pleasure of avoiding that because I've mostly worked at high-tech startups. But on the other hand I've also seen engineers at those sorts of companies do some incredibly shoddy engineering (often again under the frenzied lash of managers) that ends up getting shipped directly to the customer.

⚛​

 

[Moonbear]

Having an additional password that changes every 60 seconds makes things a bit harder to get into.

Unless you do like most people with those things and just drop the fob into the computer bag so all the thief needs to do is look through the pockets to find it. Human nature is the worst enemy of security, and the more complicated they make the security, the more people have to make it less secure so they don't forget how to get into the computer themselves.

 

[Evo]

Unless you do like most people with those things and just drop the fob into the computer bag so all the thief needs to do is look through the pockets to find it. Human nature is the worst enemy of security, and the more complicated they make the security, the more people have to make it less secure so they don't forget how to get into the computer themselves.

Even worse, the number that popped up on the display had to be used in conjuction with a "secret pin" number, which people wrote down and inserted into the carrying case for the secure access device.

 

[chemisttree]

There isn't a lot of logic about security services.
At work we got a defence contract so there was a call for anyone who had security clearance.
But having a classified clearance is itself classified.
But you would only know that if you had classified clearance!

So you couldn't say yes and couldn't say no !

Your company's security POC knows all who have the required clearance. It should be pretty straightforward from there. The security misstep occurred in the first place when a global announcement was made referring to the defence contract itself. The contract POC (company lawyer?) and the person who responded to the RFP should have known this and handled it completely differently...

 

[Huckleberry]

But if the laptop was simply returned outright and no one actually examined it, don't you think that the military would have simply said that it was his personal laptop and it didn't have any sensitive material on it, and that their security procedures are working flawlessly? If you're going to put so much trust in the government to be honest why not put the same trust in journalists?

Doesn't sensitive material usually fall into the hands of “the enemy” through government malfeasance, rather than journalistic malfeasance?

⚛​

Yup, if the laptop was returned to the military and someone asked them later what was on it they probably would have lied. It's not like they would just wipe the sweat from their brow and say "Dodged a bullet there, that was a close one." They will hold their own military investigation and hold this officer accountable for his negligence.

Civilian authorities have no jurisdiction in this matter. Going public with this information only lowers the credibility of the military, and potentially exposes sensitive information to people that are not authorized to view it. The only purpose I see in that is someone creating panic and doubt and placing the lives of people in danger for a few quid. I don't see how he was doing anyone a public service in this case. There is no cover-up being exposed. There is no military plot here. Most likely it is just that one person made a mistake. Any military investigation that takes place now will only be hampered by the publicity created by the nature of this incident.

I don't know if information is leaked to the enemy more often from media or military, but I certainly don't think that the media is a good place to entrust military information.

 

[CaptainQuasar]

Most likely it is just that one person made a mistake.

I disagree. This demonstrates that, as I theorized and mgb_phys confirmed, the MOD as an organization is using antiquated and inadequate security technology in combination with modern laptops and data and document applications. There's no reason at all to keep the consequences of that under wraps.

Maybe there are some cases where the military or government establishment can be trusted with this sort of information but the public cannot. But history shows it's fairly frequently the other way around and I think that's true in this case.

⚛​

 

[mgb_phys]

From recent stories on theregister

"WASHINGTON - Between three and four FBI laptop computers are lost or stolen each month on average and the agency is unable to say in many instances whether information on the machines is sensitive or classified, the Justice Department's inspector general said Monday."

"A PC containing the personal details of as many as 26.5m US veterans has been stolen from the home of a worker at the Department of Veterans Affairs (VA), sparking a major security alert."

"IRS: When inspectors looked into the matter, they found that 490 laptops had been reported stolen between January 2, 2003 and June 13, 2006. Unfortunately, because reporting procedures for stolen laptops were often not followed, there isn't a real way to know whether this number is accurate."

"Three laptops, containing the payroll and pension details of more than 15,000 Met Police officers, have been nicked from the offices of LogicaCMG"

"Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk."

Several of these companies + the UK govt. then claimed that since there was a passwd the data was secure and there was no need to report the theft! Not encrypted note, just a passwd (probably an MS office passwd on a spreadhseet!)

 

[Huckleberry]

The article states that the Ministry of Defense already has a policy of not allowing laptops with personal information on them to leave government buildings. The laptop was not secure. It contained information on about 200 soldiers, military exercises and weapons locations. The officer in question was, at the minimum, negligent of the existing regulations. I'm not sure there is a regulation that can be created that prevents individuals from making mistakes or being subversive, though perhaps you are right that the result of this will be an improvement in security for the MOD.

The results will not justify the negligence of the officer, the theft of the information or the espionage of the media. It seems that the Sun in particular cannot be trusted with military information. So now, rather than just strengthening security, which they would have done regardless of the media exposure, the military also has to treat any information on that laptop as compromised, and deal with it appropriately. Depending on the specific information, that could cost taxpayers millions.

People should already understand the consequences of poor military security. I guarantee that the military understands this more than anyone. I do not consider it my civic duty to take property that does not belong to me, whether it be physical or intellectual property. It is not my duty to spy on my government in the hopes of making a small profit at the expense of the safety of others. If nobody had viewed this information and the story were just about an officer that left a laptop in a pub then I would have no complaints(edit-about the media story). However, this isn't a story just about a laptop. It's about information, and that cannot be returned. They had no right to spy on the government without just cause. Finding a wallet in the street does not entitle one to the money inside it.

 

[Moonbear]

T Finding a wallet in the street does not entitle one to the money inside it.

Or, perhaps more appropriate to the scenario, if one finds a wallet, you can open to find identification to help return it to the correct owner, but once you've found that, it's not right to then hand the wallet to the media so they can scrutinize every scrap of paper in it and publish a story about whose phone numbers and photos the owner had in it.

For all we know, The Sun has made a copy of all that data and handed it off to a foreign government to know what the British Army is up to.

Why would people assume they would do nothing about it if it was discovered quietly? One could have called the military base to return it, and thereby ensured the error of the officer was known by superiors without compromising the security of the information. Those IN the military have far more to risk from confidential information being leaked than your average reader of The Sun. I have no doubt that they'd come down hard on him if it were discovered, even if it was kept out of the public spotlight.

 

[Huckleberry]

Or, perhaps more appropriate to the scenario, if one finds a wallet, you can open to find identification to help return it to the correct owner, but once you've found that, it's not right to then hand the wallet to the media so they can scrutinize every scrap of paper in it and publish a story about whose phone numbers and photos the owner had in it.

For all we know, The Sun has made a copy of all that data and handed it off to a foreign government to know what the British Army is up to.

Why would people assume they would do nothing about it if it was discovered quietly? One could have called the military base to return it, and thereby ensured the error of the officer was known by superiors without compromising the security of the information. Those IN the military have far more to risk from confidential information being leaked than your average reader of The Sun. I have no doubt that they'd come down hard on him if it were discovered, even if it was kept out of the public spotlight.

There is also the possibility that the person who sold the information to the Sun will also look for more profit by finding others that are interested in the specifics of the information that the Sun was so kind as to reveal the general nature of to the public. There may also be people who hope to subvert the MOD who will seek this information themselves. Now they know where to find it.

 

[Evo]

My question is, was the information on that laptop completely unprotected? Not even a simple password was required? I seriously doubt that was the case, which means that they hacked into the computer to get the information. Isn't hacking into a Military and/or Government computer considered a serious crime?

 

[Poop-Loops]

Breach of national security, I'd say.

 

[cristo]

It's a little suspicious how the Sun always manage to get their hands on these juicy items, and thus the juicy stories that go along with them. But then, it is a reliable newspaper, and we should listen to everything it says...

 

[CaptainQuasar]

It is not my duty to spy on my government in the hopes of making a small profit at the expense of the safety of others.

It is a civic duty for a citizen of a free nation to keep an eye on their government, whether or not the government wants anyone to keep an eye on it.

Certainly not for a profit, though. I'm not saying it's impossible that anything wrong was done here, I'm just saying that simply finding out whether or not there had been a substantial breach of security is not a wrong or unethical action.

My question is, was the information on that laptop completely unprotected? Not even a simple password was required? I seriously doubt that was the case, which means that they hacked into the computer to get the information. Isn't hacking into a Military and/or Government computer considered a serious crime?

If the files were not encrypted or otherwise specially protected all you would have to do is connect the laptop's hard drive to another computer to get at them. The passwords you would need to get into the laptop when it is turned on would not offer any protection.

⚛​

 

[mgb_phys]

The requirement not to remove laptops from buildings was a kneejerk reaction introduced at the end of January after a previous loss was announced.
The trouble is that there wasn't any thought - it was just an automatic ban.
"From now on, no laptops or drives containing personal data should be taken outside secured office premises."

Don't know this particular case but for example -
Say you need to discuss plans with a colleague in NATO/the Navy/etc - you can't take the data out of your building, to them they can't take it out off theirs to come to you. There is a standard for secure information transfer but they aren't compatible, aren't implemented yet or don't attach to this system.
So you need a work-around, but since any sensible solution is banned your only approach is to take the easiest option.

The argument for not reporting it is a bit weak - don't report any military screwups because it weakens defence. Then don't report police mistakes because it reduces public trust in the police and any mistakes will be handled by an internal inquiry.
Then what about hospitals, politicians etc...

 

[Evo]

If the files were not encrypted or otherwise specially protected all you would have to do is connect the laptop's hard drive to another computer to get at them. The passwords you would need to get into the laptop when it is turned on would not offer any protection

Then you have for all intents and purposes intentionally bypassed normal access and would be guilty of illegally accessing information.