Most of us have traveled by air at least once, or if you’re like me you may travel by air two to three times a month. We have all probably heard of someone losing their luggage or accidentally leaving an item behind, never to be reclaimed, in a rush to de-board the airplane. We might even have experienced this unfortunate event ourselves. So where do all these lost items end up? A vast majority of them end up in a mom-and-pop small business in Scottsboro, Alabama called Unclaimed Baggage.
I like to refer to Unclaimed Baggage as my own little treasure-hunting outlet, as you can never really predict what you may find there. I have seen everything from US military missile simulators in pelican cases to consumer electronics to fancy designer clothing and novelty items. I tend to buy quite a bit of my personal electronics there, as you really cannot beat the prices.
Back in January of 2012 I got the idea to launch a small project I now call “The Data You Left Behind”. It all started when I stumbled across a bucket full of USB drives being sold at Unclaimed Baggage and thought to myself “I wonder what information could be recovered from these drives and if these drives would tell any interesting stories about their owners?”
To keep the project simple and repeatable by anyone I set a few basic restrictions. I established a small budget of $100 and decided to allocate no more than 20 hours of actual work effort, consisting of the time it would take to recover and analyze the data from the drives. With those two restrictions in place I selected 33 USB drives from the bucket and purchased them for a grand total of $98. When shuffling through the bucket of USB drives I selected some of the most beat up and probably most undesirable drives, in hopes of finding drives that had been heavily used.
Next I decided to download the live Linux distribution Deft Linux. The goal here was to select the least technical solution for performing file recovery and, well, Deft just so happens to be a very well put together and simple forensics toolkit with the file recovery
It should be noted that the USB drives are in fact formatted by Unclaimed Baggage before they are sold, but I do not blame them for not fully understanding that formatting a drive does not really erase the data on it: a quick format rewrites the filesystem’s bookkeeping structures, while the file contents stay on the media until they are overwritten. Like I said at the very beginning of this post, they are a small business in reselling, not the security business. Honestly it isn’t their responsibility to protect your data, and at least they did what I would suspect most second-hand resellers do to quickly prep a storage device for resale: format it.
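A toy demonstration of why a quick format leaves recoverable data, as an added example that is not part of the original post or of Deft Linux. The image layout, the fake file-table marker and the JPEG payload are all constructed; the image stands in for a real filesystem only in that its file-table region is separate from its data region. The last function shows the fix a reseller or owner would actually want: overwrite the whole device, not just its file table.

```python
# Constructed toy "disk image": a metadata region (the file table) followed by file data.
METADATA_REGION = 512

# File signatures that carving tools look for at the start of a file.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def make_image() -> bytes:
    """Build the constructed image: a fake file-table entry, a JPEG-like blob, a PDF-like blob."""
    meta = b"FAKEFAT:photo.jpg@512;report.pdf@640".ljust(METADATA_REGION, b"\x00")
    photo = (SIGNATURES["jpeg"] + b"constructed photo payload").ljust(128, b"\x00")
    report = SIGNATURES["pdf"] + b"1.4 constructed report payload"
    return meta + photo + report + b"\x00" * 256


def quick_format(image: bytes) -> bytes:
    """Quick format: only the file table is zeroed; every byte of file data is left in place."""
    return b"\x00" * METADATA_REGION + image[METADATA_REGION:]


def full_overwrite(image: bytes) -> bytes:
    """Proper sanitisation: every byte of the device is overwritten (zeros here, random is also common)."""
    return b"\x00" * len(image)


def carve(image: bytes) -> list:
    """Signature carving: ignore the file table entirely and scan raw bytes for known headers.

    Returns (type, offset) pairs, which is all a recovery tool needs to pull the data back out.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((name, pos))
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    img = make_image()
    print("original:      ", carve(img))
    print("quick format:  ", carve(quick_format(img)))   # still finds both files
    print("full overwrite:", carve(full_overwrite(img)))  # nothing left to carve
```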
So with all that set up what do you think I discovered?
I was actually extremely caught off guard by the types of information I recovered from the drives. I was anticipating finding things such as boarding passes, sales brochures, presentations, family photos, and probably even some porn. Very little porn was found, but the amount of sensitive data I found scared the hell out of me. Within the first five drives I analyzed I almost called the entire project quits, just because of the vast amounts and types of sensitive and private data that were recovered.
Let me start by describing just two of the USB drives I analyzed, to get this first of a series of posts kicked off.
USB drive number 2 had a substantial collection of Brazilian Air Force documents such as detailed specifications of the Blackhawk helicopter, documents marked confidential, training exercise mission documents, soldiers’ flight medical examination results, military contact lists and personally identifiable information for high-ranking military leaders.
To say the very least I instantly thought to myself, “oh crap I just unintentionally breached some form of military security of a foreign nation.” I should also note that in analyzing these documents I had to use a cloud tool to translate them since they were all in Portuguese. With that in mind Google Translate if you’re storing those documents behind the scenes you are now my accomplice!
Here are just a few extracted examples of what I recovered from this drive, and yes I tried to make sure the data was non-sensitive in nature before posting here, as my goal isn’t to breach sensitive data to the public.
Now if you’re anything like me, you’re probably thinking to yourself: at least those documents were not U.S. military or U.S. government documents, like we have seen in the past with incidents associated with Wikileaks or the Anonymous hacktivist group. I mean really, in 2012, and with policies like no USB drives allowed at all in the DOD for the last 5 or so years, nothing like that could ever happen to us, right? Well I hate to disappoint you and be the bearer of bad news, but USB drive number 4 previously belonged to a Major General (O-8) in the US Air Force National Guard.
This drive contained an Alpha Roster for an entire US Air Force National Guard unit that exposed 3,390 Airmen’s personal data, such as: full name; rank/grade; date of birth; social security number; date of entry into the service; security clearance level, date of issue, and number; expected transition date; unit assigned; job title/position; home address; and a whole lot more! To say the least, this file in a criminal’s hands provided just about everything one would need to carry out identity theft. In a foreign military’s hands it contained a lot of actionable information about the personnel that make up this unit.
That same drive also included a bunch of other interesting documents such as unit strength and manpower documents, unit classifications, and even the personal contact information for 54 other General grade officers and their spouses, including email addresses, phone numbers and mailing addresses. It didn’t stop there either, as this drive contained the login information for the Major General’s MyPay account; his daughter’s MyPay account (she is also in the service, based on graduation photos); his family members’ tax returns and W2 forms for the past few years, which included mailing addresses, social security numbers, etc.; TurboTax login credentials; and even Tricare documents that detailed the social security numbers of an Airman and his spouse who appear to be unrelated to the General other than maybe being assigned to the same unit.
Luckily this data will never see the light of Wikileaks or any other public outlet, as the images I took of these drives never touched an unencrypted drive and I have no intention of ever releasing them to the general public. I will however provide a few “blacked out” or CIA-style sanitized documents to prove this is no hoax.
This was only the beginning of what I found in that lot of 33 USB drives and actually marked the end of any military documents I uncovered.
If you attended GFIRST 2012 in Atlanta a few weeks ago this information isn’t news to you, as GFIRST was the first place I presented these findings. I received a tremendous amount of great feedback and thanks from people in large corporations, government organizations and even InfraGard chapters for disclosing these findings. Most of the people that attended the presentation appeared to have enjoyed it, and I have received numerous requests to give the presentation to their organizations in the near future. I believe this is one of the first times most people have actually seen or come into contact with a project of this nature: we all talk about what could happen if you do not encrypt your data and use removable storage devices, but to the best of my knowledge no one has really demonstrated it quite like this.
I will detail more of my findings in upcoming posts, so if you want to see for yourself some of the other stuff I uncovered you are just going to have to read the future blog posts or attend one of my upcoming presentations, where I go over the entire project in detail. If you think this topic is something you would like presented to your organization, feel free to contact me.
Founder and Managing Partner