http://www.motherjones.com/mojoblog/archives/2008/04/8082_stolen_blackber.html
By Nick Baumann
Mother Jones Blog
04/28/08
During a summit in New Orleans last week, a press aide for the Mexican
government took two unattended BlackBerrys belonging to U.S. officials.
The aide, Quintero Curiel, has since been fired, but questions remain.
Curiel told Mexican newspapers that he thought the PDAs had been
abandoned and insists he planned to return them. So his intentions may
have been noble. The devices have been recovered, and disaster may have
been averted.
Of course, he could be lying. Fox News reported that while Curiel
"initially denied taking the devices, but after agents showed him
[security camera footage of him taking them], [he] said it was purely
accidental, gave them back, claimed diplomatic immunity and left New
Orleans with the Mexican delegation." The two BlackBerrys that were
taken can each hold around 28,000 printed pages worth of information,
and all that data can be easily copied to other devices. And Curiel.an
employee of the Mexican government.likely had the PDAs in his possession
for more than enough time to copy and either hide or transmit all of the
data they contained. No one is saying whether there was sensitive
information on the devices. And no one is saying whether Curiel was
working for Mexico's intelligence agency, CISEN, or spying for any other
country. But if he was, it is very likely that nearly 60,000 pages worth
of potentially sensitive material is now in foreign hands.
David Gewirtz, an IT expert who publishes two of the top magazines for
email professionals, writes that the government's lax information
security measures have worrying implications for national security.
"The thing is, those BlackBerry devices could have contained anything.
They could have home addresses of relatives of key U.S. officials. They
could have pictures of their kids. They could have passwords, access
codes, phone numbers, directions to evacuation locations. They could
have anything. And now, likely, the Mexican government (and anyone they
decide to share with) has everything that was on the devices."
Part of the problem is that, in a blatant violation of best practices,
the White House has no real program for distributing, tracking, or
securing most of its computer equipment. That includes hard or external
drives, CDs, DVDs, jump, zip, hard, or floppy disks. So it's no wonder
that this same issue.the insecurity of the White House's portable
electronic devices.has come up repeatedly in the legal battle
surrounding several million missing White House emails. A ruling (PDF)
[1] issued by a magistrate judge on Friday points to one example of the
problems caused by the White House's lack of a complete asset management
system. The ruling makes several recommendations to Judge Henry H.
Kennedy, the main judge in the emails lawsuit. Prominent among the
magistrate judge's recommendations is the suggestion that the White
House be ordered to secure portable devices that could contain versions
of some of the missing emails. It's amazing that a court order would
even be necessary to compel the administration to keep track of so much
potentially sensitive information. But right now, it seems that the
administration doesn't even know for sure which of its employees have
which devices. With that kind of lax monitoring, it's no wonder that
Curiel was able to slip away with the BlackBerrys.
Whether or not it was actually espionage, this incident serves as a
reminder that the White House emails story isn't really about anyone
trying to "stick it" to the Bush administration. Yes, federal records
are the property of the people, and it would be great if millions of
emails from a crucial period of American history hadn't somehow gone
missing. But there is more at stake than finding out whether or not Dick
Cheney really ordered the leak of Valerie Plame's covert identity. It
goes beyond that.this is a national security issue. It is obvious that
there has been a major failure of information security and IT
professionalism in the executive branch. The Curiel episode is a
frightening demonstration of the ways in which that kind of IT
incompetence can lead to dangerous breaches of national security. So how
do we fix the problem? Gewirtz, who has been harping on this point for a
long time (and even wrote a book [2] about the connection between the
missing emails and national security), has some suggestions [3]:
[B]oth the White House and businesses need to establish a complete
end-to-end asset management policy for handheld devices. Guidelines
need to be established for where these devices can be taken, when
they can be removed from one's person, and how they should be
handled in secured situations like that which occurred [in New
Orleans].
Finally, a true rapid-response operation needs to be established so
data can't fall into the wrong hands. I've recommended that no
communication device be issued to White House staffers without two
key features: location and destruction.
It is possible to both remotely erase certain BlackBerry devices and
remotely locate them. When lost, a team ... should first trigger the
remote erase and then a tracking team needs to be dispatched to
recover these little mobile nightmares as quickly as possible.
We can only hope that this security breach has served as a wakeup call
for the Bush administration. Next time a BlackBerry goes missing, it
might not fall into the hands of a country as friendly as Mexico. That
would be a preventable tragedy.
[1] http://www.gwu.edu/~nsarchiv/news/20080424/04242008%20order%20on%20show%20cause.pdf
[2] http://www.emailsgone.com/
[3] http://www.outlookpower.com/issues/issue200804/00002164001.html
_______________________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Tue Apr 29 2008 - 22:36:15 PDT