For the fourth year running a project conceived by Future Intelligence, Sims Recycling and Glamorgan University finds highly sensitive data on discarded hard drives.
Written by Peter Warren
Information on the launch codes and staff working on the Terminal High Altitude Area Defense system (THAAD), a critical part of the US defence shield against nuclear attack, has been found during a survey of the data thrown out on discarded computer hard drives.
Among other information found in the survey, which analysed over 300 drives bought from online auction sites and garage sales from France, Germany, the UK and the US, were details of financial transactions involving billions of dollars to finance high interest rate deals to Nigeria, Venezuela and Tunisia. Data that included correspondence with a member of the Federal Reserve Board and also indicated that there were banking investigations into some of the deals, one of which involved $50bn.
The information on the defence drive, which originated from Lockheed Martin, and on the financial transactions, has been passed on to the FBI.
Glenn Dardick, the Assistant Professor of Information Systems at Longwood University who arranged the analysis of the drives found in the US, admitted to being shocked at the information that the survey revealed.
“If this is out there, then it does beg the question, ‘What else is out there?’” said Dardick, who is also the Director of the Association for Digital Forensics, Security and Law.
The survey, conducted on behalf of BT and Sims Recycling Solutions by Longwood University in the US, Glamorgan University and the Cyber Security Research Institute in the UK and Edith Cowan University in Australia, also found confidential company information and personal details from companies including the Ford Motor Company, the interior design and clothing firm Laura Ashley, the German Embassy in Paris, Nokia, the Edinburgh-based Scottish law firm Henderson Boyd Jackson (HBJ), Swindon Council in the UK, Lanarkshire NHS Trust in Scotland, and a number of UK schools, as well as information from personal drives from around the world.
THAAD problems
THAAD has been problematic for a number of years now for Lockheed Martin, the massive US defence company.
Started under President Reagan back in the days of the Strategic Defense Initiative (SDI) – popularly known as ‘‘Stars Wars” – THAAD was intended to be one of the US’s most important lines of defence against incoming intercontinental ballistic missiles.
Dismissed by some experts as the least likely of the US’s missile projects to succeed, it has been dogged by technical problems that have seen its costs soar to tens of billons of dollars. Initially scheduled for deployment in 2012, that date has now been brought forward to 2009.
According to a Lockheed spokesperson, the first unit will be operational at Fort Bliss in Texas by the end of the year.
The hard drive containing details of the THAAD system has been described as “manna from heaven to hackers” by Dardick. The data on the drive included the THAAD project directory with names and phone numbers, templates for Lockheed, design documents, subcontractor documents, security policies and blueprints of facilities, as well as a Lockheed Test Launch Procedure PDF, employee personal info and social security numbers. It also included an insurance complaint letter from health-benefits company Cigna and pictures of co-workers.
Capable of destroying an incoming missile at around 93 miles above the Earth, THAAD is a “hit to kill” system without a warhead that homes in on its target and collides with it “like a bullet hitting a bullet”. At that height, according to experts on the website Missilethreat, the subsequent impact will safely diffuse “any nuclear, chemical, or biological weapons, thus minimizing the risk of missile debris raining down on civilian or military populations”.
Fallout from the loss of the drive has not yet reached Lockheed Martin.
A spokesperson for the company said: “Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. In addition, no governmental or law enforcement agency has notified us of any such data loss.”
Significant security risk
However, news of the drive’s loss has sparked concern among experts.
“From the point of view of espionage, knowing who is working on a project is tremendously useful. This is a horrible violation of privacy. If it fell into the wrong hands then it opens up the possibility of a range of blackmail options,” said Peter Zimmerman, Emeritus Professor of Science and Security at the Department of War Studies at London’s King’s College – a noted arms control expert who is the former Chief Scientist of the Senate Foreign Relations Committee. “You could use this to glean a lot of intelligence. I would not be happy if this fell into anyone’s hands,” Zimmerman added.
Alan Paller, the Director of Research for the Sans Institute, who conducted research into attacks on the US defense establishment known as Titan Rain – which targeted individuals using information harvested from the web and other sources – said the data loss would have provided a foreign power with the tools to gather even more information on THAAD.
“It’s a perfect targeting system for espionage. It’s a very difficult job to find out information on who is working on what without being seen on the radar: this effectively gives you what you need.”
In Titan Rain, hackers widely believed to be based in China and working with the sanction of the Chinese government, sent targeted emails to individuals that contained one-off computer viruses designed to infect a computer when the email was opened.
The rogue programs would then seek out particular documents associated with research work, such as CAD/CAM files and PDFs, and then transmit them back to the hackers.
Knowing who’s who in an organisation allows a hacker to masquerade as an individual that you already know. That hacker can then send infected emails to colleagues that they will unwittingly open, thus planting a virus on their machine.
That the drive would have been of value to those behind Titan Rain is incontrovertible; it would also have been of immense value to the Chinese military, which last year launched its own “hit to kill” missile, which destroyed a disused satellite.
Discarded drives now sought by criminals
The current view among computer security professionals is that the odds on someone buying a drive who has the contacts to be able to dispose of it, to someone who is willing to buy it, are so great, that the data on discarded drives does not constitute a threat.
However, it is a view at variance with the evidence that is now emerging.
In Nigeria, it has recently been discovered that discarded phones now sell for 50 per cent more if they have data left on them. According to Jon Godfrey, a director for Sims – which runs the largest electrical recycling plant in Europe – the company is now finding that 90 per cent of the PCs sent to them for recycling have had their hard drives removed before they arrive.
“We are fairly certain that the drives are not being removed by those disposing of the PCs because the drives being rejected are the smaller and older ones, which would have less value as spares and less recent data on them. Over a third of devices discarded contain data which has its highest value in the wrong hands.”
It was this revelation that caused Paller to describe the data lost on hard drives as “a big problem”. He added: “That piece of information means that the risk is now a third more dangerous than was thought.”
Just how dangerous it is was clearly demonstrated by the study – now in its fourth year in Europe and its first year in the US – which once again has turned up other notable losses. With the drives from companies there were also three drives containing paedophile information, including graphic violence, which were referred to the UK police, and one drive from a machine belonging to an Asian man that showed him posing with a pistol in Pakistan – which was referred to the UK Special Branch.
Other organisations compromised
The drive from Ford appeared to contain information on the company’s new ‘Ka’ model, obtained before the car’s launch in Europe earlier this year. Also on the drive was information marked “Confidential – Ford Motor Company – this is unpublished work which is a trade secret… FMC own all rights to this work to preserve its trade secret status.”
“This could have been very bad for Ford,” said Professor Andrew Blyth, who carried out the analysis at Glamorgan University. “Intellectual property is at the heart of companies. Loss of intellectual property can have a severe impact on an organization.”
A spokesperson for Ford commented: “On average Ford deals with 3,000 computers a year in the UK alone. Ford is investigating this issue with Glamorgan University to identify the computer from which the hard disk originated so that we can determine its history. The hard disk is also being passed on to Ford so that the data it contains can be analysed.
“While this investigation is underway, the return of Ford PCs and laptops to suppliers has been suspended, and a review is taking place of all the processes involved in removing data from computers and returning equipment.”
The data on the Laura Ashley drives contained information on internal email, company financial data and customer names and addresses.
A spokesperson from Laura Ashley said: “We are surprised to see the results due to our rigorous and clear equipment disposal policy. We are pleased that this issue has been highlighted to us.
The Nokia drive, which also had files marked as “company confidential”, held images of cell-phone circuitry, minutes of meetings, names and personnel evaluation forms.
A spokesperson from Nokia said: “Nokia has strict procedures in place for disposing of sensitive company data and information. Due to confidentiality reasons, we do not disclose information on these processes.”
The HBJ drive contained detailed information on the company’s website and client correspondence. A spokesperson for HBJ said: “It’s the first and only time we’ve had such a breach, and we’re taking the issue extremely seriously. We’re already working with Glamorgan University to establish precisely how this information got through our extensive security procedures and to ensure there can be no repeat.”
Former studies have turned up information on multinationals ranging from Man Trucks, Skandia, Scottish & Newcastle, Monsanto and Vodafone to individuals including Sir Paul McCartney, heads of charities and Tyneside publicans.
“This year, there was more data than ever,” said Professor Andrew Jones, Head of Security Research for BT. “This is the fourth year we have done this, and I think the only thing that can be said is, ‘When are people going to wake up?’ It’s not a new problem: organizations do lose disks, but some of these losses are inexcusable.”
_________________________________________________________________________
This story first appeared in the Guardian on the 7th of May, 2009 under the headline ‘Anti-missile defence details found on secondhand computer’.
