Protecting Classified Information

While we focused during the election on possibly classified emails on Hillary Clinton’s mail server, in Europe they have their own version.

Shodan, the IoT search engine, turned up an Internet-connected disk drive that was not password protected.  While Trump says that Clinton should be thrown in jail, in Europe they said it was the result of an “absent minded European Union police officer”.

In this case, Mr. Absent Minded took 700 pages of documents on Europol investigations without permission and stored them on an unprotected Internet connected disk drive.

While the information was old, it was “packed” with personally identifiable information on terrorism suspects and also details on a number of Europol investigations on terror attacks such as the 2004 Madrid train bombing and other terrorism incidents.

The disk drive is a Lenovo Iomega drive.

As is common in the computer hardware and software industry, Lenovo says that security is the responsibility of the owner.  Said differently: don’t sue us, read the license agreement, we are not responsible.

What this seems to indicate is that until computer vendors have at least some skin in the game, they are going to ignore security and vulnerabilities, since, after all, protecting your information is not their problem.  What this does mean is that you have to be responsible for both the vendor and yourself.

Getting back to the Europol police officer, the data was taken for personal use and in violation of policy, but, as we all know, that is easy to do.  99% of the time, we don’t hear about these incidents as they are swept under the rug – or not even detected.

For all organizations, you can replace classified with proprietary with the same results.  Employees often take data and rarely do organizations find out about it.  If they do find out about it, they often don’t prosecute because they want to avoid the bad PR.

This is not a case of someone making a mistake or of security which is too hard to follow.  Instead, this is a case of someone intentionally taking information which they did not have authority to take.  Unfortunately, this happens all too often and oftentimes is not even detected.

Information for this post came from SC Magazine.

