Unclean Military Hard Drives Sold On eBay

An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay. The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.' Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."

  • please... (Score:5, Interesting)

    by VMaN ( 164134 ) on Thursday May 07, 2009 @08:50AM (#27858303) Homepage

    Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.

    This challenge has stood for more than a year.
    http://16systems.com/zero.php [16systems.com]

  • by bleh-of-the-huns ( 17740 ) on Thursday May 07, 2009 @09:07AM (#27858455)

    There are much quicker ways than that. In fact, at my old office, we had NSA-approved degaussing equipment for hard drives, that destroyed the data permanently (no amount of forensics will be able to retrieve it), but left the drive itself intact for reuse or resale.

    The fun part of course is that when you turn it on.. 2 or 3 floors of lights all dimmed at the same time for a few seconds while it powered up and it hummed.. loudly... That's a powerful magnet :)

  • by roger_that ( 24034 ) on Thursday May 07, 2009 @09:07AM (#27858463)

    The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.

    Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)

  • by bleh-of-the-huns ( 17740 ) on Thursday May 07, 2009 @09:10AM (#27858497)

    Certain 3 letter facilities in the US do that.. in fact, any electronic equipment going in.. never leaves. I have seen the destruction of a thumb drive that accidentally made it into the facility (many people arrived for a meeting there), but was caught on the way out and destroyed.

    Same facility provides all electronic equipment needed for various press events and what not.

  • Re:Uhh (Score:3, Interesting)

    by linzeal ( 197905 ) on Thursday May 07, 2009 @09:10AM (#27858503) Journal
    The problem is when people have a whole bunch of them and 100 40 gig hard drives sold at a flea market can pick up 2000 dollars some weekends. I did a pull once where the guy was savvy enough to wipe the hard disks but did not check all the CD-ROM drives, half of which had CDs in them with corporate information. Looking it over I could have easily sold the info to an unscrupulous competitor but decided to just send them to him COD for cost of postage.
  • by Moschaef ( 624770 ) on Thursday May 07, 2009 @09:11AM (#27858521)
    At our company the policy is to destroy all drives withdrawn from operations. The problem is with our local IT support telling management they've destroyed the drive but then selling them for their own personal gain. They're already stealing property so I doubt that they're much concerned about proprietary/sensitive data.

    We had a similar problem several years back when we switched 1,000+ CRT monitors to LCDs. The CRTs weren't the issue, no one wanted them, rather it was the DVI cables. The techs used the old VGA cables and sold the DVI cables on eBay for $5 bucks apiece.

    Of course this is something no reader of Slashdot would ever condone... Right...
  • DoD standards (Score:2, Interesting)

    by konigstein ( 966024 ) on Thursday May 07, 2009 @09:12AM (#27858543) Homepage
    Are to overwrite the hard drive 9 times, then degauss (which makes a loud POP and the magnetic information is GONE), and THEN to drill 6 holes through the drive. The DoD policy memo can be found here http://www.drms.dla.mil/turn-in/usable/cpu-memo-jun01.pdf [dla.mil]
  • by bleh-of-the-huns ( 17740 ) on Thursday May 07, 2009 @09:15AM (#27858579)

    The problem is not necessarily from a gov branch, but most likely a supporting contractor, in this case Lockheed Martin.

    Same reason why those same contractors are forbidden from using VPN from gov facilities (DOD and Federal at least) to their home offices. In the past, a certain contractor from a certain company at a certain 5 pointed facility introduced some lovely malware that spread like wildfire from the contractor's company to the gov facility.

    However, like I said, while policy says what not to do, deadlines and management looking the other way sometimes to meet those deadlines and whatnot go against those policies, sometimes nothing happens, sometimes bad things happen.

  • Since When (Score:2, Interesting)

    by cfkboyz ( 1129423 ) on Thursday May 07, 2009 @09:20AM (#27858643)
    I just got out of the Military and was in there for 6 years. Not one time did we ever wipe a hard drive, not because we did not care nor too lazy. We never sold the hard drives or gave them away. We either reused the drive or we smashed it and then recycled it. The Army is so paranoid that we even had to take RAM out of old computers that processed classified information just because it MIGHT have information left...
  • by camperdave ( 969942 ) on Thursday May 07, 2009 @09:33AM (#27858831) Journal
    Why does the DoD not simply destroy the disks in question?

    Sometimes it's easier to detect a security problem by letting some information leak.
  • Re:I have to wonder (Score:4, Interesting)

    by DZign ( 200479 ) <averhe&gmail,com> on Thursday May 07, 2009 @09:36AM (#27858861) Homepage

    After reading the book 'Spies Among Us' I've learned that making contact for selling information is just as simple as walking to an embassy/consulate from the specific country and asking to speak with someone about information..

  • by tippe ( 1136385 ) on Thursday May 07, 2009 @12:02PM (#27861393)
    I prefer the muriatic acid formatting [google.com] approach myself. You know, just in case there are any confidential bits or bytes left in the drive's PCB traces or ICs, or sticking to the side walls of the platter enclosure. You can never be too careful....
  • That cuts both ways (Score:3, Interesting)

    by kaladorn ( 514293 ) on Thursday May 07, 2009 @12:24PM (#27861775) Homepage Journal

    It is possible that the people who want to sell you a product don't want to announce the capability they wish to sell you is not necessary.

    Besides, if the government is after you, they have such a variety of options to figure out what goes on (pin cameras, laser mics, various other forms of mics, analysis programs that can guess what you are typing, installation of keyloggers, and just simple acquisition with legal means like a warrant) that worrying about whether they may, beyond all known capabilities of industry, be able to recover data off your drive is absolutely hilarious.

    If you're that paranoid, just never, ever do or say anything the government will pay attention to. In the maxima, this means never doing or saying anything. Ever.

  • Re:Unclean? (Score:1, Interesting)

    by Anonymous Coward on Thursday May 07, 2009 @01:00PM (#27862477)

    I don't get why everybody doesn't use DBAN

    Speaking as someone who owns a box of obsolete unwiped drives (some of them have been sitting in that box for over a decade), here's how it happens.

    At some point, I need to replace drives; either the box just can't physically hold more (so I'm taking small drives out and putting bigger ones in) or I'm upgrading to a totally new computer and for whatever reason I don't want to use the old drives.

    Somehow I move my old data to my new drives. Now I have the old drives. They need to be wiped, but..

    For the next few days, they're a good backup. Maybe that new drive is going to fail. This is a time when failure does happen to be more likely than usual. So, I shouldn't wipe 'em right away.

    I want 'em disconnected from the box right away, though.

    So the "plan" is .. um, I'll wipe 'em, but I'll do that .. later because (in all seriousness) later really is better than now. Some limited procrastination (and "limited" really is the key, here) is not only acceptable, but actually The Right Thing.

    It's just that I never get to it. And then things happen, and eventually I can't even talk to my old drives. I don't have a SCSI adapter. I have these SCSI drives, with personal information sitting on them, but no way to get at it myself. (If I wait much longer, the PATA drives are going to have the same problem.) The only practical(?) solution is a sledgehammer and fire, rather than "wiping."

    And so they sit there in that fucking box. I can't use 'em and I can't throw 'em away. :(

  • Re:Unclean? (Score:2, Interesting)

    by TehDuffman ( 987864 ) on Thursday May 07, 2009 @01:16PM (#27862753) Journal
    I don't know if it's just the Marines but we just get a sledgehammer and take turns beating the shit out of the hard drives. Seems to do a good enough job to me.
