Heathrow USB-drive security secrets scandal: A Royal mess you can learn from?

Richi Jennings Your humble blogwatcher, dba RJA
 

London Heathrow doesn't know how its super-secret data ended up on a street corner. But an unencrypted flash key got lost somehow.

Worryingly, it includes plans of secret tunnels and other OpSec used by the queen.

LHR, Europe’s busiest airport and the world’s second-busiest international airport, is left reviewing all its procedures. In this week’s Security Blogwatch, we get away from it all.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Nature of Sound

What’s the craic? Dan Warburton dials the hyperbole up to 11—Terror threat as Heathrow Airport security files found dumped in the street:

Heathrow chiefs [have] launched a “very, very urgent” investigation after [I] alerted them to the frightening security lapse. The USB stick … was not encrypted and did not require a password. [It contained] a massive 2.5GB of … maps, videos and documents. … Some were marked as “confidential” or “restricted.”

It revealed: The exact route the Queen takes when using the airport and security measures used. … Files disclosing every type of ID needed … to access restricted areas. … Maps pinpointing CCTV cameras and a network of tunnels and escape shafts. … Routes and safeguards for [government] ministers and foreign dignitaries. … Those “exempt from screening,” details of drivers ferrying VIP guests to the suite and radio codes in the case of an “aircraft hijacking.”

The USB stick was found by a member of the public. … Police detectives were liaising with airport chiefs to work out how [it] ended up in the street.

Police fear it may have been copied and circulated on the “dark web”. … The level of detail could have taken years to compile.

Keeping Heathrow safe — with four passenger terminals and one for cargo — is a mighty task. More than 80 airlines fly 75 million passengers a year to 185 destinations in 84 countries.

Oops. What does the airport have to say for itself? An LHR spokesdroid talked to Hilary McGann and Ralph Ellis:

Heathrow's top priority is the safety and security of our passengers and colleagues. The UK and Heathrow have some of the most robust aviation security measures in the world and we remain vigilant to evolving threats by updating our procedures on a daily basis.

We have reviewed all of our security plans and are confident that Heathrow remains secure. … We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.

Asking the question we’re all asking, it’s InternetPersonv6:

What boggles my mind is that someone plugged in a random USB drive found on the street. Has no one watched Mr. Robot?

But the best answer comes from evv:

Most people would happily plug a random USB stick off the street into their computer.

This unemployed London man clearly knows his **** - he plugged the stick into a … computer [in a public] library!

Do you worry that this story is kinda hard to believe? Graham Cluley searches for clues: [You’re fired!—Ed.]

It is hard to believe.

Was the USB drive really found lying in the street by someone who then took it to a … newspaper? Or had it been planted there by [a whistleblower] who wanted to highlight the poor security at the airport, but … wanted to distance themselves?

Have the security teams at Heathrow confirmed that the data contained on the USB stick is accurate and current rather than false or out-of-date?

Does Heathrow airport allow staff to use unencrypted USB drives, and what data-leak-prevention technology is in place to make it harder for sensitive information to leave?

Are audit logs in place to determine who accesses sensitive information and when?

In a similar cynical vein, here’s Carbonman:

Possibly an innovative way to increase the IT security budget of the organization.

“Our budget’s so tight that we can’t even afford encrypted USB sticks. More funding would have prevented an occurrence like this.”

But isn’t there a simpler explanation? Yes, says Antique Geekmeister:

I've certainly seen high level bureaucratic and security staff take data home on private media. I've even seen them insist that security costs more than it gains, and refuse to protect the backup media, or deliberately make personal copies of critical data because getting past the encryptions and security at work is too much effort.

Or what about this interesting theory? Martin Spamer sends us this unsolicited text:

The reported fact that this was found on the street amongst fallen leaves is highly unlikely and suspicious.

The newspaper that published this story offers to pay for stories. My belief is that [this is an] assembly of public source data to get a reward/story bounty from the newspaper.

The likelihood that this would be 'found' in this way, that it would include sensitive data, that it would not be encrypted all amounts to a fail of Occam's Razor in a very big way.

That the device contained sensitive data, that it was found … that it found its way into the hands of a journalist all stretch the base assumption well beyond breaking point.

So what’s Heathrow going to do now? Ask rasz:

Windows keeps a log of every USB drive ever plugged in, tracing who used that drive will be trivial if there's ever an investigation (obviously won’t be if CISO suddenly realizes his jacket pockets are empty)
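One record of the kind rasz mentions is `setupapi.dev.log`, where Windows notes the first installation of each storage device on a machine. The parser below is an added example, not part of the original article or comment; the sample log lines, device names and serials are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of %windir%\inf\setupapi.dev.log (Windows 7+).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\60A44C413C4EB1A0A9E4012F&0]
>>>  Section start 2017/10/12 08:41:07.512
<<<  Section end 2017/10/12 08:41:08.102
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C077\5&2a1b3c4d&0&2]
>>>  Section start 2017/10/13 09:02:44.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1f2e3d4c&0]
>>>  Section start 2017/10/20 17:15:30.250
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+")
FIELDS = re.compile(r"USBSTOR\\\w+&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$")

def first_installs(log_text):
    """Return one record per USB mass-storage first-install section."""
    records, pending = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            pending = header.group(1)      # device ID; timestamp is on the next line
            continue
        start = START.match(line)
        if start and pending:
            fields = FIELDS.match(pending)
            if fields:
                instance = fields.group("instance")
                # '&' as the second character means Windows generated the ID
                # because the device reported no unique serial number.
                generated = len(instance) > 1 and instance[1] == "&"
                records.append({
                    "vendor": fields.group("vendor"),
                    "product": fields.group("product"),
                    "serial": None if generated else instance.rsplit("&", 1)[0],
                    "first_seen": datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S"),
                })
            pending = None
        elif line.startswith(">>>"):
            pending = None                 # some other device's section began

    return records
```

Each record ties a device serial to one machine and a first-install time; linking it to a person takes the logon records for that machine.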

And what of the presumed insider? Ask castleblanc:

They need to be publicly flogged. This is why we don't walk around with sensitive data on unencrypted storage, people. I think if they make a good example of whoever it is that put this stuff on this drive, it should hit home and create that sense of urgency in people.

Of course, this assumes that the person who put that stuff on the drive had rights to do so. Maybe it was dropped by a clumsy criminal—or another dumb*** contractor/employee for a security agency walking out of work with sensitive data.

But freakzilla149 is more pragmatic:

It is incredibly common for highly sensitive info to be poorly handled.

It's incredibly tedious, and people usually take shortcuts very quickly. … People are always the weakest link, they either can't be bothered to implement proper procedures, or even set them up in the first place.

Meanwhile, emocalot brings us down to earth with a bump:

I know … companies [that] drop sticks in the parking lots and see what employees will now be enrolled in end-user security awareness training.

The moral of the story: What are you doing to prevent users losing your secrets?

And finally …

“We are like gods, building huge cathedrals of sonic beauty from minute, invisible physical forces that surround us.”

 A triumphant return to form by Melodysheep

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: UK Government (cc:by)
