[ISN] MoD suppliers' laptop turns up on rubbish tip

InfoSec News isn at c4i.org
Wed Apr 27 01:22:36 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>


By John Leyden
26th April 2005 

An Oxfordshire-based security company claims to have found sensitive
MoD-related files on a laptop bought from council rubbish dump.

The partner of a back-office worker at penetration testing outfit
SecureTest bought the IBM Thinkpad laptop for £80 from a colleague at
a council rubbish tip earlier this month.

SecureTest staff looked at machine for a favour. The technician who
investigated files left on the machine with forensic tools (called
ENcase) was shocked at what he found: recovered tenders for military
communications software contracts, technical information and minutes
of meetings with Navy personnel marked restricted. "It looks like a
MoD supplier.s laptop," Ken Munro, managing director of SecureTest
told El Reg. No secret files were involved but even so the case raises
further questions about the disposal of PCs containing potentially
sensitive military information.

Last week the MoD announced it was launching an investigation after a
Hampshire man found sensitive Ministry of Defence plans on a laptop he
was given at a rubbish dump*, circumstances that eerily parallel the
SecureTest find. SecureTest is yet to inform the MoD of its find.  
Munro declined to name the dump involved or the IT contractor whose
laptop, although ultimately beyond economic repair, contained
sensitive data.

Wombles of Wimbledon quizzed by MI5

Despite the government bringing in a new standard last August for the
secure destruction of data (InfoSec standard 5) many government
departments have failed to implement it successfully and most business
are unaware of it, according to Jon Godfrey, a data destruction expert
and managing director of Life Cycle Services (LCS). In a recent
research study by LCS and Glamorgan University, nearly half of a
sample of over 100 discarded hard drives contained personal
information, contravening the Data Protection Act. One in five (20 per
cent) contained financial information about the organisations which
owned the disks. Less then 10 per cent of the drives left functional
were completely clear of data.

One contained personal information about an extramarital affair and
could have been used for blackmail. Another contained information
about children. "I am constantly amazed at how lackadaisical major
organisations and even government can be regarding this issue", said
Godfrey, who is calling for regulations to established licensed PC
disposal centres. ®

* Sounds odd but apparently you can get anything from working stereos
  to PCs from council dumps, apparently. Steptoe and Son, eat your  
  heart out.

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list