According to http://www.dn.se/nyheter/sverige/hemliga-polisdokument-saljs-i-den-undre-varlden-1.923949 (sorry, it’s in Swedish), secret documents from the Swedish police and our “federal” police have leaked into the hands of criminals. The documents are now being sold to criminals by criminals. They contain names and addresses to criminals in different gangs, their families and known affiliates to them. Some of the addresses are to people in rivalizing gangs also which could make for some interesting reading if you’re the other part.
The question to be asked here is that with so much technology available for encryption and auditing, how come it wasn’t encrypted? How come someone can bring the information out of the house? How come they don’t know who brought it out?
We could start off with Truecrypt, which would let you encrypt the information and you’d need a password to open it. Not that very enterprise friendly, but on a need to know basis it’d probably work.
If we instead took the route of “stuff that costs money” we could encrypt it with EFS, which would require a Windows-based file server and a PKI infrastructure in place. One could assume that they have smart cards for entrance through doors and login to their computers, so everything is there assuming that they also have a Windows based file server.
Then we could always add Rights Management Server (RMS). This would allow us to specify who can print, email, read and copy the information. Complete this circle with NTFS auditing and we’d know who last accessed (or try to access) the information also.
In a greater perspective it’s kind of scary that THIS list, which deals with “heavy criminals” can leak. Considering that all our emails and phonecalls are supposed to be monitored later (or at least who calls who and who emailed who) I’d be happy to know that what I do or who I speak to doesn’t leak. Not that it’s a secret, but the personal integrity would be nice to have intact.
Of course the list was leaked… But with for example RMS it’s possible to encode into the document whos copy it is. Same goes with EFS, and with the right technology in place the leaked list would’ve been useless outside the accepted perimeter (let’s say the building, with no access to internal RMS-server).
Considering the line of business your company does I’d guess that leaked information would be very bad. (Won’t post company name though, but reverse lookups are done by almost every CMS these days)
Because the list was leaked by someone with access to it. The worlds best lock is just as terrible if you hand out keys to the wrong people.