New victims, same old story… An unprotected USB stick containing private information of Canadian residents went missing from an office of Human Resources and Skills Development in Gatineau, Quebec.
The drive was storing the names, social insurance numbers, dates of birth and loan balances of 583000 students who had borrowed money between 2000 and 2006.
The internal investigation into the affair started only two months after the loss of the stick was discovered (Nov. 5th), and a notification was sent to the victims only last Friday.
So the question remains: Are we ever going to learn from others’ mistakes? Especially now that Device Control, Data Loss Prevention and USB encryption software has been around for ages and is within virtually everybody’s reach.
Jeffrey Paul Delisle, ex sub-lieutenant of the Navy Intelligence, admitted that the spying charges against him were true. According to prosecutor Lyne Decarie, he willingly entered the Russian Embassy in 2007 to offer to sell confidential military information. Apparently, he was getting around $3000 per month for his services, but he declares he wasn’t doing it for the money, but for ‘ideological reasons’.
He was asked to copy references about the Russians from his work PC to a USB stick, then he took the stick home and uploaded the data to an email application to share it with the people paying him.
This Sunday a most common kind of incident happened at the Lyon train station in Paris: a thief stole a USB stick from a car. Nothing special here; this kind of thing happens every day!
What makes this incident so special is the info stored on the memory stick. The owner of the stick is an entrepreneur involved in installing fiber optics at some important buildings in Paris. His USB stick contained the highly confidential plans of the Elysée palace, the Internal Affairs Ministry and the Paris Police. The worst part is that the stick was not encrypted, so the thief has full access to all the documents!
The question we need to ask now is: did the thief know beforehand what type of info was on the stick, or did he steal that precise stick just by accident?
Stuxnet, the worm created by the US and Israel for breaking down Iran’s nuclear plant Natanz, got out of their control
An article published today in the New York Times shows that the Stuxnet virus, written and deployed by the US and Israeli governments to target the Iranian nuclear plant Natanz, got out into the wild. It seems that the purpose of the code was to set back the Iranian nuclear research program by commanding the control hardware responsible for the spin rate of the centrifuge equipment. The important aspect of this is the fact that the worm only targeted this specific nuclear plant; it was never intended to spread on the Internet.
The network at Natanz is air-gapped, which made it very difficult for the people who made the plan to introduce the code into the network. They needed someone with physical access to the site to get the worm inside through thumb drives (this is also how the first versions of the worm were distributed). To quote one of the architects of the plan: ‘It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.’
Stuxnet most probably spread outside Natanz’s network on a laptop. Fortunately, security researchers were able to annihilate it.
A data breach caused when an Office for Nuclear Regulation official lost a USB memory stick containing details about safety tests at the Hartlepool power plant is currently being investigated by the authorities. While the memory stick was carrying only safety “stress-test” data, not “significantly sensitive” data, none of the files stored had been encrypted. The stress tests stored on the lost portable device are currently being carried out at European nuclear power plants in an attempt to prevent future disasters, like the nuclear disaster at the Fukushima power plant caused by the Japan earthquake last year.
According to an official ONR statement, the reports on the memory stick would have been made public after their completion, yet the office completely forbids the use of unencrypted devices for transporting documents with security classification. This means that the official responsible for the breach has broken ONR security regulations. The Hartlepool plant, operated by EDF Energy, confirmed the lost USB stick did not have important data. They also mentioned that the results of the tests, when published, would have been less detailed.
Curiosity is stronger than any sense of security or any fear of hackers and other malicious individuals: this was the conclusion of a security study run by the US Department of Homeland Security. The study proved how easily hackers and other individuals outside companies can get past firewalls and other security measures by simply planting USB sticks or computer disks in the right place.
The test tempted government employees by dropping USB memory sticks and computer disks in the parking lots of government buildings and of private contractors that work with the government, then waiting for them to take the bait.
A USB stick belonging to the Manchester Police and containing over 2,000 pages of highly-sensitive and confidential information has made its way to the Daily Star news room, after apparently being dumped in the street close to the Stalybridge police station near Manchester. According to the Daily Star, the files stored on the memory stick contained anti-terrorism information, including strategies for acid and petrol bomb attacks, blast control training and the use of batons and shields.
“Describing its contents as “an essential reference for all officers”, it goes on to outline methods to combat football violence, riots, public disorder and how to deal with violent people when entering a room.
Produced by the National Police Improvement Agency, the files, bearing the title Manual On Guidance Of Keeping The Peace, cover all aspects of counter terrorism and “tactical deployment”.
The Greater Manchester Police replied to the Daily Star accusation by refusing to confirm the ownership of the memory stick.