Earlier this week it was reported widely in the media that a New Zealand man had discovered confidential US military files on a $15 MP3 player he had bought at an Oklahoma thrift shop.
29-year-old Chris Ogle found on the MP3 player data containing the names, cellphone numbers, social security numbers and other personal details of US soldiers serving in Afghanistan and Iraq. In addition the USB device contained information about a mission briefing and equipment deployed to bases.
ONE News in New Zealand went so far as to ring some of the phone numbers on the device to confirm their accuracy.
All of this is, of course, highly embarrassing for the US military.
Last November, Wired reported that the US Army was cracking down on the use of USB storage devices, after defence networks became infected by the SillyFDC worm. Examination of the data held on Chris Ogle’s MP3 player suggests it hails from 2005 – but the fact that the data leaked into the public domain is still likely to have caused red faces.
So, how was it that a New Zealand man was able to buy US military secrets for $15 from a thrift shop?
Well, maybe the following video has the answer. According to this report from ABCNews, an American woman has admitted that when her home was broken into last year flash drives containing sensitive military information were stolen.
I love the bit where Chris Ogle says he was visited by officials from the US embassy (who swapped his secret-carrying MP3 player for a shiny new one), and that he found they “don’t take sugar in their coffee.”
And I’m perplexed as to why the reporter describes the officials in “men and suits”, when the video footage clearly shows that they aren’t wearing suits at all – one of them is in jeans and a short sleeved shirt for goodness sake!
Seriously though, uncontrolled use of USB flash drives is getting completely out of hand with organisations all the time having to go into red alert as they realise that their data has been lost often through sheer carelessness.
No-one is denying that USB memory sticks are useful. But, if they are going to carry sensitive information, encryption must be used. And if you haven’t already done so, put in place a policy which can detect and block unauthorised use of removable storage devices.