A serious lapse in the enforcement of encryption has led to hard drive resale controversy
Confidential US defence data that was found on a second-hand hard drive shows a 'serious lapse in encryption and security procedures'.
Michael Callahan, senior vice president at Credant Technologies, claimed that revelations about a hard drive purchased on eBay that reportedly contained the launch procedures for a US military air defence system are extremely worrying.
Callahan said: "This is obviously a serious lapse of security procedures for the agency concerned, but the worrying aspect about the incident is that it may not be a one-off. US government agencies - and, indeed, all government agencies worldwide - should have a policy of crushing hard drives once they have been removed from office PCs.
"But this isn't a one-off situation - if we go back to April 2006, there was the well-publicised incident of a flash drive with US spy data being sold in an Afghan bazaar for just $40. The ensuing investigation into that incident revealed the fact that the data had been downloaded from an unencrypted hard drive."
He said that the root cause was the lack of encryption rather than a lack of enforced policies on the disposal of old drives: had the data on the PC used in Afghanistan in 2006 and the data on the drive reportedly sold on eBay been encrypted, the ensuing press embarrassment for the US military would not have happened.
"I suspect that the investigation by BT's security research centre and a number of international universities will reveal other serious security failures with hard drives. The bottom line, as these incidents clearly prove, is that government IT security procedures, policies and enforcement systems need to be multi-layered and multi-faceted, with encryption forming the mainstay of such protection," said Callahan.