A memory stick containing anti-terror training manuals and other sensitive material was reportedly found on a street outside a Manchester police station. The Greater Manchester Police-branded stick, which also held personnel files, was found by an unnamed businessman outside a cop shop in Stalybridge, Greater Manchester, the …
Yet again sloppy security from those who should know better.
Why are DVD/CD drives & USB ports even available to users? Just superglue the lot & the problem disappears.
Leaving only laptops, Blackberrys & smartphones to be left in wine bars, trains, etc.
if you go to Staples
you can get USB sticks that can be encrypted, now that's magic!
That's the claim, but...
How good they are is another matter entirely. On some the 'encryption' is barely worth the name, while even FIPS-140-2 approved devices from big brands have turned out to be vulnerable, much to their competitors' delight. Still I suppose even something simple will stop the chap in the street seeing what's on there by plugging it into a computer, reducing the temptation to hand it to the papers.
Given all these leaked sticks and whatnot I really wonder when encryption will finally start being mandatory. Losing a stick is easy; cracking an encrypted stick not so much.
Why on earth was someone even allowed to copy the information to the drive in the first place?
Surely a system holding that kind of data should have had the USB ports disabled.
And if they really do have to copy the information, there are plenty of solutions out there that can do it easily, and free.
I use TrueCrypt myself. It might not be perfect, but it's better than nothing and it's going to stop world+dog reading the data.
black helicopter? well.
"Why was it copied to the drive in the first place?"
By design. It's put into a distributed format so that it can be carried around and held in multiple locations so that it can be accessed anywhere when required in the event of an incident.
Totally agree it should be more secure though!
Wouldn't worry about it
It's not like our police force are actually any good at anti terror training is it.
I imagine it just says "if they got a tan and a funny accent, beat them up then bill the tax payer"
I imagine it just says "if they got a tan and a funny accent ***, beat them up then bill the tax payer"
***You missed out "or camera".
Yes and no
They used to be good - during the time of the IRA they actually did a damn good job (only a couple got through). The problem is that it's not a job where you can advertise success rates, so you actually have no idea what they do, and not owning up to mistakes isn't exactly helping.
However, it is unforgivable that they don't encrypt portable devices. That's, er, criminal..
Re: Yes and no
I think the Guildford Four or the Maguire Seven might disagree that the police did a "damn good job" during the time of the IRA.
"***You missed out "or camera"."
Yes. The camera.
Not to mention the rather well developed tan.
Re: Yes and no
I’ll reserve my tears for the Guildford Four and Maguire Seven until I hear what the Guildford & Woolwich Seven have to say on the matter, and perhaps the Birmingham Twenty-one as well. We’ll need a séance though, seeing as the IRA murdered them. Their autobiographies won’t be coming out any time soon. And we’ll be waiting a long time for their film.
... Until you can use them responsibly, you don't get to play with the fancy USB sticks. I mean, is it really that difficult to, oh I don't know, make sure it's in a zipped pocket before heading out or even more crazily, using one of those lanyards that most suppliers give away with their sticks to tie it to something in the bag?
Still, I'm quite surprised the finder wasn't tasered, beaten and detained as a ter'rist.
Notice: To all people finding this USB
Please forward to < www.wikileaks.org > or < http://cryptome.org/ >.
Let's not go feeding Assange's massive ego, and stick with the guys who do it for the cause, not for self-publicity.
Agree, avoid wikileaks - at least until Assange goes
.. which he won't, because what else is he going to do to get attention?
...just about now, the guy that found the stick is being branded a terrorist, having his door kicked in and will be found to be in possession of kiddie porn and bestiality videos.
Absolutely. Firstly, what sort of bloody idiot stuffs an unknown USB stick into their OWN pc?? Keyloggers, viruses (or viri) and all manner of crap could have got onto his machine.
Secondly, the rozzers are VERY good at exacting revenge on soft targets. The poor sap will be pulled over every time he starts his car and, as AC above mentions, will magically be pulled for having all manner of kiddie and donkey pron on his pc.
Quite why the 'businessman' didn't just hand the thing in at the police station is beyond me... actually, no it isn't. There's a chance the newspapers will pay more than the police?
Re: No Problem....
Well, the person that found it is actually guilty of an offence, and so they could in theory be arrested, charged and convicted.
The article states that the USB stick was clearly branded, and it was obvious it belonged to The Greater Manchester Police and that they would almost certainly want it back. By taking it home and examining the contents, rather than taking reasonable steps to return the object to its rightful owner, the finder is guilty of "theft by finding".
If I ever found anything belonging to the local constabulary, I'm pretty sure I'd return it straight away rather than risk getting on the wrong side of those with the power to make my life a misery.
Re: What sort of idiot...
...most of them, I'd say. 'Lost' USB sticks could easily be the new Social Engineering, in getting people to install malware on their pooters.
So the new rules are... find something lost/abandoned, take it, go to the nearest public library with USB ports active, dump the lot on cryptome, find a big river, smash USB key with a rock and toss into said river.
After all, if they can freely snoop on us and come up with all sorts of excuses why it is lawful or maybe just not unlawful, surely it is our right as citizens to do what is necessary to keep them in check when we can. If the USB device is handed back, or handed to the press, then it will be "lessons will be learned" or some other stock phrase. That's not going to result in any changes, nor is having government agencies lacking the balls to do anything (ICO are you listening?) and a judicial system that seems as complicit as everybody else...
> Well, the person that found it is actually guilty of an offence
I think you'll find he isn't.
> The article states that the USB stick was clearly branded, and it was obvious it belonged to The
> Greater Manchester Police
No. It says that the stick had some branding. Given what is quoted in the article, I certainly wouldn't have associated it with the Police.
> the finder is guilty of "theft by finding".
Not so. Theft offences are described in the Theft Act 1968, and involve an act permanently to deprive the owner of something. There was no such act in this case.
> If I ever found anything belonging to the local constabulary, I'm pretty sure I'd return it straight
> away rather than risk getting on the wrong side of those with the power to make my life a
I, too, am worried by the tendency of certain Police forces to behave in inappropriate or illegal ways. But that doesn't mean that this guy broke any laws - he just embarrassed some people with a tendency to take the law into their own hands when caught doing something wrong...
But I was just borrowing it.
> Not so. Theft offences are described in the Theft Act 1968, and involve an act permanently to
> deprive the owner of something. There was no such act in this case
6.-(1) A person appropriating property belonging to another without meaning the other permanently to lose the thing itself is nevertheless to be regarded as having the intention of permanently depriving the other of it if his intention is to treat the thing as his own to dispose of regardless of the other's rights; and a borrowing or lending of it may amount to so treating it if, but only if, the borrowing or lending is for a period and in circumstances making it equivalent to an outright taking or disposal.
> The article states that the USB stick was clearly branded, and it was obvious it belonged to The
> Greater Manchester Police
I have lots of USB sticks branded by Microsoft, Intel, and assorted other companies. They are all free promo items.
Unless the stick said something like Property of the Greater Manchester Police, if found please return to... There is no way of knowing if this was some free public relations item.
But it could also be a booby trapped stick that someone had dropped there hoping a cop would find and plug into a police computer, so I would use great care checking the contents.
Make them walk the plank
Oh please - any person with at least two brain cells has disabled the autoplay feature a long time ago...
I say, sack the IT manager who allows computer policies that do not disable unregistered USB storage sticks and allows data to be transferred to USB or CD/DVD/floppy discs without auto-encryption.
Also make it a sackable offence if staff are caught during a random search who do use USB/DVD/CD storage with no encryption.
I do hate the quoting system on these pages
> 6.-(1) A person appropriating property belonging to another without meaning the other
> permanently to lose the thing itself is nevertheless to be regarded as having the intention of
> permanently depriving the other of it if his intention is to treat the thing as his own to dispose of
> regardless of the other's rights;
that condition is not met.
> and a borrowing or lending of it may amount to so treating it if, but only if, the borrowing or lending
> is for a period and in circumstances making it equivalent to an outright taking or disposal.
And nor is that one.
What sort of idiot? Most computer users
Most people don't understand the risk of just plugging in a USB stick. A lot of computer security auditors will sprinkle cheap sticks around a location and sit back and watch the naive "self-report" as they plug in newly-found sticks to see what is on them or who might own them.
Sounds to me like this was a USB stick given to everyone who went to a seminar. Probably after 3 solid days of powerpoint, the poor plod was brain dead and didn't notice that they dropped it!
As for encryption on USB; the problem I've found is that the necessary software often has to run on an administrator account to be able to set up a device driver. Then it doesn't work if you plug it into a different PC that doesn't give you admin rights, or it craps out if you need to use it on Vista or Win7, and in some cases then the USB stick cannot be recognised by the OS ever again (even to access the non-encrypted part)...
> As for encryption on USB; the problem I've found is that the necessary software often has to run on an administrator account to be able to set up a device driver. Then it doesn't work if you plug it into a different PC that doesn't give you admin rights, or it craps out if you need to use it on Vista or Win7, and in some cases then the USB stick cannot be recognised by the OS ever again (even to access the non-encrypted part)...
Rubbish. Data is data. OS is irrelevant.
What program needs admin rights to open a file for God's sake?
Re: What software
As said, a driver - to make seamless contact with the encrypted file to make it appear to be just another file system. Oh, you want plod to use a command line tool and pack the sensitive data into an encrypted file himself? Nice try. The chance of this actually happening is left as an exercise for the reader...
Actually U3 keys use admin level privs as they present to the usb subsystem as a cdrom AND a file partition. So the cdrom is mapped in as a cdrom by the os with admin privs, then the autorun on it installs their U3 support utilities, encryption, putty/other apps direct from usb key etc. There are some brands that instead of taking this approach to bootstrap themselves in, actually ask the user...
With a dodgy U3 the user sitting at the pc doesn't need admin privs only because the U3 exploits a known weakness in the usb key handling by windows. Which is why all good security minded types fill the damn ports with araldite or disable them some way...
I've got a U3 here with a rather interesting toolkit on the "cdrom partition" in place of the original helpful utilities, and it's housed in a new housing so it looks like an old normal usb stick. Automated rooting of a pc when inserted with no interaction from the user...
As for what program needs admin rights to open a file, it's not, it's having to open a filesystem and mount it from that file which they usually do by mounting the file handle as some sort of loopback device and insert themselves between the o/s and the file itself to handle this. Or do o/s's allow unauthenticated programs to access the loopback filesystem to do this with no privs in lala land of late?
Posting anon, because although it's my trade to know these things, I really don't trust anyone.
I'd just make plod's admins install FreeOTFE everywhere to fix... But there again, we do seem to implement IT in the worst possible way possible at any given point in time, so quelle surprise this hasn't been done.
Why is it imperative for government to put personally sensitive information on just about every thing that can carry data? Or is that what makes them lose those data carriers? Inquiring citizens demand to know.
Arrest anyone and everyone taking a picture of anything at all.
Isn't it about time
we gave up on this circus? I mean the current bunch of "terrorists" are pretty amateurish (with two noticeable exceptions) compared to the IRA or ETA. Let's stop poking the middle east problem areas with a big stick and most of them will gradually go away. We seem to be more at risk from our own police these days than any real terrorists.
While I was working in areas where the IRA were bombing we had the attitude of "carry on as normal and don't let them change our way of life, we won't let them win", nowadays we seem to love to live in fear and suspicion. And, before anyone asks, I was close enough to hear the bombs go off and have had to enter buildings where we thought there might be bombs, I walked past a house where the IRA were placing a car bomb (unbeknownst to me until the next day)... I know I wasn't the only one with these kind of experiences. No, I don't consider myself particularly brave, that's just how it was.
The main reason terrorists have been needed for the past decade or so was because the axis of evil Blair-Bush was busy filling its pockets. People that are afraid don't ask questions, even when you take their rights away. Starting a war was inevitable - it's the fire hose approach to obtaining tax money.
Why did they need all that CCTV and those privacy reductions? Well, if you had your hands in the trough right up to your armpits, you would like to know too who was growing wise to it. And the good news is that if you manage to get away with it you can write your memoirs and rip off the naive sheep once more.
I remember the time of an active IRA. I think the news blackout was a good idea, and the Met Police actually did a good job at keeping them at bay (although a couple got through) without turning into the harassing idiots with WAY too many privileges you find today - it's like giving a character deficient parking warden a gun(*). However, I think that's where some basic principles were established - those who directed those bombing campaigns are now, *cough*, "respected", *cough* politicians..
The moment people stop being afraid they will start asking questions. See the expense scandal as an example..
(*) yes, yes, I know I'm repeating myself with "character deficient" and "parking warden" in the same sentence. Live with it.
Actually the Met & others did a lot of harassment in the 70's - wrongful imprisonment, coerced confessions and a light beating doesn't sound too far off the mark.
What's changed is our standards, and the wide reporting of it when they do overstep the mark. Any regular Reg reader knows coppers inappropriately harass photographers, but how would you have known this in 1980?
Yes I agree too...
... bin Laden got George Bush reelected. How come they haven't been able to find him after all these years?
still at large? that's easy...
his cabinet wanted a way to run for a 3rd term.
A different question...
The person who found the stick, found it outside of the police station, it was marked with the police department's branding... Why did the person not do the honourable thing and just walk into the Police station and hand the device into the main desk saying they found it outside?
"Why did the person not do the honourable thing and just walk into the Police station and hand the device into the main desk saying they found it outside?"
Because there was more money in taking it to the local paper instead.
Why didn't they hand it in...?
Because if they had, the Police would have just gone "Phew! That was a close one, but not *learned* anything from the experience!"
Each story like this just illustrates the complete ignorance of basic security provisions by those who are supposed to *protect* our security and until they get the message, there will be yet more such stories.
Police incompetence again
"Because if they had, the Police would have just gone "Phew! That was a close one, but not *learned* anything from the experience!""
Exactly this. The only way public bodies learn is through public embarrassment. Handing it in = non-story = they do it again, but this time it might not be a nice, honourable person picking it up. I'd rather it gets sent to the papers than ends up in the hands of criminals, whatever data are on it.
You'd prefer police "personal data" in the hands of the Daily Star? Yikes.
If I was in Manchester
I'd have had no idea until now that their police force was called the GMP. A lifetime of American TV shows would have led me to expect it to end in "PD".
Plus, as someone above has said- I've got USB sticks labelled Microsoft, Sonardyne, HP, Dell and Fluke. Unless it had a tag on it saying "Property of Gr't'r M'ch'st'r Police" or something I'd not have had the labelling down as the owner.
But they really shouldn't have had this data available stored on a USB stick anyway. Or if they HAD to have it in an unencrypted form, say if every anti-terror plod had a copy to let them respond quickly and needed to be able to read it on any random PC, then it should have been carabinered/velcroed into a zipped up waterproof pocket on their uniform.
At the very least they could have put a password on it if it's a PPT/Word Doc/PDF. Doesn't stop anyone who wants to breaking into it, but at least you'd be committing an offence if you opened it.
You find what is clearly police property outside a police station. Do you -
A) Return it to the police.
B) Plug it into your laptop to see how cops are told to deal with photographers.
C) Give the story to a tabloid paper.
"A" could get you arrested of course.
is the only one that shouldn't get you arrested, the others would be classed as stealing by finding.
B) is stealing the physical memory stick, as well as some kind of hacking offence, unauthorised access.
C) is probably B + anything else they can think of to hit you with for embarrassing them!
Ahh of course with the Extreme Pr0n laws meaning possession regardless of knowledge or means of acquisition is the crime, just stick Extreme pr0n on USB sticks as standard, that way if anyone has the audacity to find one that has been lost they can immediately be arrested and locked up :)
I love how
I love how the usb stick was branded with the police details - I wonder if the MI5 and MI6 usb sticks are branded with the words "Top Secret"!?
Mine's the one with the word "Coat" printed on it!
Not the first time I've heard of coppers leaving important stuff lying around...
...I've got photographic evidence of coppers in one London Borough having left the keys to one of their squad cars lying on a wall, where they were lucky enough that someone stupid/honest found them and handed them in rather than using them to go for a joyride/nick whatever interesting stuff they had in the car/get up to other nefarious fun enabled by plod carelessness.
If I did this...
...my company would kick me out the door in a heart beat.
We have company policies about not copying company sensitive material onto non company devices (eg personal laptop) or removable media.
Was anyone sacked the last few times government officials lost unencrypted media?
I wonder if they will take the finder at his word that he didn't copy it or if they will double check his PC for him.