April 13, 2006 at 9:06 PM ET
Last year, a hospital in Hawaii lost one of those tiny USB thumb drives and gained a big headache. The drive contained personal information on some 120,000 past and present patients. The data, in the wrong hands, could easily lead to identity theft.
This week, it appears the U.S. military has lost control of a series of similar tiny thumb drives, with far more serious implications. According to a story first reported by the Los Angeles Times, drives sold at street markets in Bagram, Afghanistan, contain intimate details on everything from U.S. soldiers to secret informants. Data that, in the wrong hands, could easily lead to murder.
On Thursday night, NBC's investigative unit and correspondent Lisa Myers took the story a step further. Using hidden cameras, NBC brings viewers right inside a bazaar in Baghram, revealing just how easy it is to find and buy sensitive data.
To computer experts, the problem is called endpoint security. Endpoints can be almost anything -- USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. They are all ticking time bombs, and they are all keeping information technology folks from sleeping at night. Billions of dollars have been spent making sure brilliant hackers can't attack computers from across the globe. But firewalls generally don't stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.
That's probably not what happened in Afghanistan. Instead, the data probably landed on those drives through normal, but careless, daily operations. Remember the days before networks, when you would share a file with a friend by copying it onto a floppy disk, jogging across the room, and placing it into the second computer? It's called a sneakernet, and sneakernets are back in vogue. With thumb drives so quick and so small, people often use them to transport files around the office, or to take work home.
Of course, their size is also their undoing. Thumb drives are easy to steal, and easy to forget about. According to privacy expert Larry Ponemon at The Ponemon Institute, many companies don't even know how many thumb drives they have in the building. And since they are so cheap, employees bring in their own. So when a drive full of critical data is stolen -- often, no one knows.
"This has caught everyone by surprise," Ponemon said. "We were focusing on centralized data, we bought firewalls, intrusion detection systems, but we were forgetting about sneakernets. ... and at end of day that has become next wave of security nightmares."
All these tiny storage devices can render all those billions of dollars spent on centralized network security obsolete.
"The money spent on network security has given organizations a false sense of security," said Brian McCarthy of Centennial Software. His firm maintains a blog called WatchYourEnd.com which chronicles news reports on data-filled gadget theft. Today's list of stories include an employee who committed identity theft with the help of an iPod, and a laptop computer stolen from Ernst & Young which had personal information on 38,000 BP employees. "This is a gaping hole."
It's not hopeless, just neglected
The situation is serious, but hardly hopeless. There are several technologies that make endpoints much safer. Laptops can be loaded with software that 'phones home' when an unauthorized user connects it to the Internet. Many advanced thumb drives offer encryption tools for just a few dollars more. SanDisk has a nifty product with a small hardware attachment that requires thumbprints before data can be accessed. Centennial sells software called DeviceWall that stops data from ever flying out of the USB port unless a security manager approves it and only allows the data to be read off the USB device by approved computers.
None of those technologies are fool-proof, particularly in a wartime environment. One expert warned me about the gruesome requirement for a "live test" by fingerprint readers, necessitated by the likelihood that fingers might be chopped off in an effort to defeat fingerprint security.
But when writing about the world of security and privacy, it often feels like there are actually two worlds: one, full of genius mathematicians and hackers, fighting a war on a battlefield few of us can understand; and a second world, where even the simplest safety tips are ignored.
Leaving a list of informants on a data drive that can be read by anyone who happens by and takes it is no different than leaving top secret documents lying exposed on top of a desk. It may be shocking to see sensitive military information handled this carelessly, but it's probably common.
Ponemon believes the vast majority of sloppy endpoint practices are the result of employees who are frustrated by snags in their normal work environment and are just trying to get things done quickly. A network acts up, or some encryption program gets bogged down, so a worker just goes for the easiest solution.
"It's usually just negligent people," he said. "But the probability of large numbers suggests sooner or later an endpoint is going to end up in the hands of a terrorist."
Data with no expiration date
But there are other factors that contribute to a broken system, one laid bare by the incident in Afghanistan. The biggest one: Companies and organizations have forgotten about the delete key.
Most are now very much in the habit of copying and keeping data around just for the heck of it. There are countless examples, just in the past year, of personal information lost when a laptop disappears. In many of those stories, the data lost had no business being on that laptop.
And more important, there is rarely an expiration date on any of this data. So the data just hangs around, waiting to be stolen. It's common to hear about lost laptops with stolen data dating back to the 1990s. Thanks to the plummeting prices of data storage, it's become common practice for organizations to simply keep every bit of data they ever gather. Storing it is cheaper than taking the time to occasionally clean it up.
Imagine how messy your closet would be if you had infinite space for clothes.
Hanging on to data for the heck of it may be human nature, but it's still no excuse. Clearly, companies and government agencies need to implement high-end solutions like fingerprint readers to keep data safe. But while they are thrashing about trying to select the highest technologies, some low-tech troubleshooting needs to be done immediately. Thumb drive encryption should be standard policy. Gadgets can be left at the door. And the delete key needs to find new prominence. Data should never live any longer than it's needed.