Friday, April 14, 2006

info pirates and sneaker-phreakers of afghanistan

remember afghanistan? things haven't been going so well there since the US decided to invade iraq rather than stick around in afghanistan and finish the job. the taliban is effectively back in control, heroin is once again the #1 crop, and now we learn about a new information security crisis.

the bazaars and street markets in afghanistan sell all kinds of stuff. on monday, the la times reported that some of these bazaars are selling flash drives—small USB hard drives about the size of a lighter—stolen from US military bases, complete with classified data:

A reporter recently obtained several drives at the bazaar that contained documents marked "Secret." The contents included documents that were potentially embarrassing to Pakistan, a U.S. ally, presentations that named suspected militants targeted for "kill or capture" and discussions of U.S. efforts to "remove" or "marginalize" Afghan government officials whom the military considered "problem makers."

The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.

After choosing the name of an army captain at random, a reporter using the Internet was able to obtain detailed information on the woman, including her home address in Maryland and the license plate numbers of her 2003 Jeep Liberty sport utility vehicle and 1998 Harley Davidson XL883 Hugger motorcycle.

despite military attempts to crack down on the black market sale of these drives, they're still available, and reporters have been buying them up, finding even more alarming data on the drives:

This week, an NBC News producer, using a hidden camera, visited the bazaar and bought a half dozen of the memory drives the size of a thumb known as flash drives. On them, NBC News found highly sensitive military information, some which NBC will not reveal.

Some of the data would be valuable to the enemy, including:
  • Names and personal information for dozens of DOD interrogators;
  • Documents on an "interrogation support cell" and interrogation methods;
  • IDs and photos of U.S. troops.
With information like this, "You could cripple our U.S. intelligence collection capability in Afghanistan," says Francona.

Among the photos of Americans are pictures of individuals who appear to have been tortured and killed, most too graphic to show. NBC News does not know who caused their injuries. The Pentagon would not comment on the photos.

and that's not all:

One flash memory drive, the Times reported Thursday, holds the names, photos and phone numbers of people described as Afghan spies working for the military. The data indicates payments of $50 bounties for each Taliban or al-Qaida fighter caught based on the source’s intelligence.

Other shopkeepers on Wednesday were selling memory drives as well — including one with the Social Security numbers of four American generals.

The surfacing of the stolen computer devices has sparked an urgent American military probe for the source of the embarrassing security breach, which has led to disks with the personal letters and biographies of soldiers and lists of troops who completed nuclear, chemical and biological warfare training going on sale for $20 to $50.

but these pirates are not necessarily 1337 hackers:

One shopkeeper, who spoke on condition of anonymity because of fears he may be arrested, said he was not interested in the data stored on the memory sticks and was selling them for the value of the hardware.

"They were all stolen from offices inside the base by the Afghans working there," he said. "I get them all the time."

About 2,000 Afghans are employed as cleaners, office staff and laborers at the Bagram base. Though they are searched coming in and out of the base, the flash drives are the size of a finger and can easily be concealed on a body.

The shopkeeper showed an Associated Press reporter a bag of about 15 and allowed them to be reviewed on a laptop computer. Only four contained data. The rest did not work or were blank.

indeed, as bob sullivan explains, the source of the data leak is most likely laziness and weak endpoint security rather than any concerted efforts by afghan hackers to steal military data:

To computer experts, the problem is called endpoint security. Endpoints can be almost anything -- USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. They are all ticking time bombs, and they are all keeping information technology folks from sleeping at night. Billions of dollars have been spent making sure brilliant hackers can't attack computers from across the globe. But firewalls generally don't stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.

That's probably not what happened in Afghanistan. Instead, the data probably landed on those drives through normal, but careless, daily operations. Remember the days before networks, when you would share a file with a friend by copying it onto a floppy disk, jogging across the room, and placing it into the second computer? It's called a sneakernet, and sneakernets are back in vogue. With thumb drives so quick and so small, people often use them to transport files around the office, or to take work home.

it sounds like the perfect anecdote for next year's network security textbooks: tight military security brought down by sneakernets, defeated by a floppy disk mentality.

No comments: