[ISN] White House Emails and The Case of the Missing BlackBerrys

From: InfoSec News (alerts@private)
Date: Tue Apr 29 2008 - 22:22:30 PDT


http://www.motherjones.com/mojoblog/archives/2008/04/8082_stolen_blackber.html

By Nick Baumann 
Mother Jones Blog
04/28/08

During a summit in New Orleans last week, a press aide for the Mexican 
government took two unattended BlackBerrys belonging to U.S. officials. 
The aide, Quintero Curiel, has since been fired, but questions remain. 
Curiel told Mexican newspapers that he thought the PDAs had been 
abandoned and insists he planned to return them. So his intentions may 
have been noble. The devices have been recovered, and disaster may have 
been averted.

Of course, he could be lying. Fox News reported that Curiel 
"initially denied taking the devices, but after agents showed him 
[security camera footage of him taking them], [he] said it was purely 
accidental, gave them back, claimed diplomatic immunity and left New 
Orleans with the Mexican delegation." The two BlackBerrys that were 
taken can each hold around 28,000 printed pages worth of information, 
and all that data can be easily copied to other devices. And Curiel -- an 
employee of the Mexican government -- likely had the PDAs in his possession 
for more than enough time to copy and either hide or transmit all of the 
data they contained. No one is saying whether there was sensitive 
information on the devices. And no one is saying whether Curiel was 
working for Mexico's intelligence agency, CISEN, or spying for any other 
country. But if he was, it is very likely that nearly 60,000 pages worth 
of potentially sensitive material is now in foreign hands.

David Gewirtz, an IT expert who publishes two of the top magazines for 
email professionals, writes that the government's lax information 
security measures have worrying implications for national security.

"The thing is, those BlackBerry devices could have contained anything. 
They could have home addresses of relatives of key U.S. officials. They 
could have pictures of their kids. They could have passwords, access 
codes, phone numbers, directions to evacuation locations. They could 
have anything. And now, likely, the Mexican government (and anyone they 
decide to share with) has everything that was on the devices."

Part of the problem is that, in a blatant violation of best practices, 
the White House has no real program for distributing, tracking, or 
securing most of its computer equipment. That includes hard or external 
drives, CDs, DVDs, jump, zip, hard, or floppy disks. So it's no wonder 
that this same issue -- the insecurity of the White House's portable 
electronic devices -- has come up repeatedly in the legal battle 
surrounding several million missing White House emails. A ruling (PDF) 
[1] issued by a magistrate judge on Friday points to one example of the 
problems caused by the White House's lack of a complete asset management 
system. The ruling makes several recommendations to Judge Henry H. 
Kennedy, the main judge in the emails lawsuit. Prominent among the 
magistrate judge's recommendations is the suggestion that the White 
House be ordered to secure portable devices that could contain versions 
of some of the missing emails. It's amazing that a court order would 
even be necessary to compel the administration to keep track of so much 
potentially sensitive information. But right now, it seems that the 
administration doesn't even know for sure which of its employees have 
which devices. With that kind of lax monitoring, it's no wonder that 
Curiel was able to slip away with the BlackBerrys.

Whether or not it was actually espionage, this incident serves as a 
reminder that the White House emails story isn't really about anyone 
trying to "stick it" to the Bush administration. Yes, federal records 
are the property of the people, and it would be great if millions of 
emails from a crucial period of American history hadn't somehow gone 
missing. But there is more at stake than finding out whether or not Dick 
Cheney really ordered the leak of Valerie Plame's covert identity. It 
goes beyond that -- this is a national security issue. It is obvious that 
there has been a major failure of information security and IT 
professionalism in the executive branch. The Curiel episode is a 
frightening demonstration of the ways in which that kind of IT 
incompetence can lead to dangerous breaches of national security. So how 
do we fix the problem? Gewirtz, who has been harping on this point for a 
long time (and even wrote a book [2] about the connection between the 
missing emails and national security), has some suggestions [3]:

    [B]oth the White House and businesses need to establish a complete 
    end-to-end asset management policy for handheld devices. Guidelines 
    need to be established for where these devices can be taken, when 
    they can be removed from one's person, and how they should be 
    handled in secured situations like that which occurred [in New 
    Orleans].

    Finally, a true rapid-response operation needs to be established so 
    data can't fall into the wrong hands. I've recommended that no 
    communication device be issued to White House staffers without two 
    key features: location and destruction.

    It is possible to both remotely erase certain BlackBerry devices and 
    remotely locate them. When lost, a team ... should first trigger the 
    remote erase and then a tracking team needs to be dispatched to 
    recover these little mobile nightmares as quickly as possible.

We can only hope that this security breach has served as a wakeup call 
for the Bush administration. Next time a BlackBerry goes missing, it 
might not fall into the hands of a country as friendly as Mexico. That 
would be a preventable tragedy.

[1] http://www.gwu.edu/~nsarchiv/news/20080424/04242008%20order%20on%20show%20cause.pdf
[2] http://www.emailsgone.com/
[3] http://www.outlookpower.com/issues/issue200804/00002164001.html

