Illegal e-waste dumped in Ghana includes unencrypted hard drives full of US security secrets

The much-vaunted anti-terror eagles at the TSA have subcontractors whose hard-drives turn up in Ghanain junk-markets in heaps of illegally disposed-of e-waste. The drives are stuffed full of unencrypted, sensitive documents:

A team of journalists investigating the global electronic waste business has unearthed a security problem too. In a Ghana market, they bought a computer hard drive containing sensitive documents belonging to U.S. government contractor Northrop Grumman.
The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained "hundreds and hundreds of documents about government contracts," said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked "competitive sensitive" and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Agency.
The data was unencrypted, Klein said in an interview. The cost? US$40..."It was a wonderful, ironic twist," Klein said. "Here were these contracts being awarded based on their ability to keep the data safe."
Off-camera, sources in Ghana told the reporters that data thieves routinely scour these hard drives for sensitive information, Klein said.

Reporters find Northrop Grumman data in Ghana market (via /.)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Civlib • Environment • Ghana • International • politics

More at Boing Boing

The technology that links taxonomy and Star Trek

Hackers prepare for first "national holiday" in their honor

jimkirk

Some interesting info here: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

For physical disk destruction, no piece should be larger than a single 512 byte record block, about 1/125th of an inch. So forget the drill, use a grinder.
gollux

Awesomes.

Between the desire, And the spasm
Between the potency, And the existence
Between the essence, And the descent
Falls the Shadow
For Thine is the Kingdom

For Thine is, Life is, For Thine is the

This is the way the world ends
This is the way the world ends
This is the way the world ends
Not with a bang but a whimper.

Third world data mining, who’d a thunk it?

Don’t worry, we’ll hurry up and close the barn door after the horses are out. All that shredding and ruination is “Too little, Too late”.

Plus, if there was no verification that things were being wiped, who really thinks that the cut rate contractors will waste money on the energy to shred the stuff. Easier to palletize and sell, that way you get paid twice.
zuzu

Gotta get paid, y’know!

“Get’er’done!”

-or-

“Lisa, if you don’t like your job, you don’t strike. You just go in every day and do it really half-assed. That’s the American way.”
Anonymous

Anyone else think this would make a great plotline for a techno-thriller? Some massive wrongdoing by a US security agency, and this kid in Ghana has the only evidence. Now an international techno-game of techno-cat and techno-mouse ensues!
bardfinn

SO.ANGRY.
blueelm

yikes! I have a friend who worked for them, but they were bought out by another company. I imagine there are actually a lot of leaks this way.
dculberson

And that’s why you always degauss. (or put a drill through the platters.)
DWittSF

Well, security was yesterday’s gold rush. Today, these businesses are probably chasing ‘green’ contracts. These businesses were just playing a part in US Security Theaterâ„¢. Gotta get paid, y’know!
Anonymous

Aren’t they worried about the security of their $*!#?
http://www.youtube.com/watch?v=563QNm_A7WI
Anonymous

From the article, it’s not clear that this is “US Security Secrets.” “Competition Sensitive” is not a US Govt. security marking, and more often than not covers pricing data, rather than technical data. Embarassing? Yes. Security leak? Not so clear.
Lord Xenu

http://www.dban.org, bitches! My data is SAFE!
Adam Stanhope

This story appeared on Frontline/World earlier this week. Frontline/World is a fantastic documentary series – highly recommended for your Tivo Season Pass list.
demidan

Degauss, drill and BFH (big frigging hammer, or give ‘em to me I kill hard drives just by being near them.

War on terror = war on braainz.
LightningRose

Thermite is a cost effective solution for a variety of problems.
Anonymous

This is on top of a UK study undertaken recently where they bought second hand drives from eBay and looked at what was on them, one had launch codes for a US missile and had come from Lockheed Martin.

Witnessed destruction is indeed the only way, send the newest tech down with them, pay the money, feel the comfort.
Anonymous

CPU and server hard drives are only a small part of the picture.

Printers/scanners/copiers – many have a 5gb to 20gb hard drive – containing the details of the last several hundred print/scan/copy runs.

Cell phones, Blackberrys, PDAs all have a lot of personal data held on them. Even GPSs have your family and friends addresses.

Routers, Switches? No company data but static IP addresses and other network data – helps open up your network to attack.

Witnessed destruction – take your drives/equipment to an ewaste shredding company and watch them go into the shredder – sure it’ll cost you a few hundred bucks, but i bet Northrup wish they had done that rather than get back a few bucks by selling the equipment for “asset management” (read: Brand Destruction)
Marcel

Redundancy will get you no matter what. That’s how they got the nazis.
They kept records of everything, meticulously.

Every day, big containers with thousands and thousands of old computers are being shipped to low-cost nations to be dismantled and disposed of.

That’s because some private company said they could dispose of your old shit at a ridiculously low price, and now they’ve got the contract.

They do not Degauss, drill, or anything else but ship it.
Drew from Zhrodague

Simply wiping the disk would work. I had to do this at a couple of my employers. I recommend not destroying a perfectly good disks, as people like me and apparently Ghanans, can make good use of an old hard disk.

Where else am I going to get refrigerator magnets?
Anonymous

Hey this could really be useful! Imagine if terrorist people “accidentally” had a PC whose HDD went its long way to Ghana!
We could even prevent some future attacks if those secret plans got unveiled! I would even see this as a chance to prevent mischief…
dculberson

Actually, Marcel, more and more organizations are requiring the waste processing contractors to shred the electronics prior to shipping. The military has changed its standards to where the material has to either be shredded before leaving the site or an employee has to witness the shredding before title passes to the disposal contractor.

I think it’s a terrible idea. Yes, it solves the data leaks, but it wastes an incredible resource and adds immensely to the waste stream and energy usage. Why shred perfectly usable parts when it’s a tiny fraction of them that causes problems? Simply set an internal standard for separating the drives and sell them (and only them) on a must-shred contract. The data loss issue is solved while still preserving untold amounts of energy and preventing toxin releases.

I guess the military has more reasons for the shredding, though; their problem was some unauthorized countries (i.e. Iran) were buying fighter parts through third parties that came from US military surplus. But it shouldn’t be too hard to restrict only those material classes that would represent a security problem.
a_user

Wiping the disk doesn’t remove the data. It just makes it harder (read more expensive) to retrieve.

The ‘standard’ for wiping data is to over write the disk multiple times using alternating data patterns. Until not so long ago, seven passes were thought sufficient, based on the way flight recorders can give up 7 separate ‘recordings’ from its loop of metal wire which serves as the internal recording media,.

Forensic software, designed to be used by police or governments, but freely available to whoever can afford it, has upped the acceptable limit to 20 or so passes. However the longer something is kept on magnetic media the harder it will be to remove completely, where there can be a ‘screen burn’ effect. Thus it’s possible to examine magnetic media with electron microscopes to determine patterning of the magnetising agent.

The question you have to ask yourself is how badly would someone want anything you might have stored on your hd.

If you’re a defence contractor, then the physical destruction of the media makes a lot of sense.