Today’s Topics:
- FBI Lapses in Securing Sensitive Storage Media Exposed by OIG Audit
- Pavel Durov Arrested: French Police Target Telegram’s Content Oversight Issues
- How can Netizen help?
FBI Lapses in Securing Sensitive Storage Media Exposed by OIG Audit
The FBI’s handling of sensitive and classified electronic storage media has recently come under scrutiny, according to an audit by the Department of Justice’s Office of the Inspector General (OIG). The report reveals several critical weaknesses in the FBI’s procedures for managing decommissioned storage devices, such as hard drives and thumb drives, which contain both sensitive but unclassified information and classified national security information (NSI).
The audit found that once these devices were removed from computers marked for destruction, they were often left unaccounted for and improperly stored. In some instances, internal hard drives from Top Secret systems were kept on pallets in shared spaces for extended periods, without proper oversight or protection.
The OIG’s investigation highlighted a significant issue: FBI personnel failed to properly label and track these storage devices after their removal. While computers were labeled with appropriate classification markings, the extracted storage media were often left as standalone items without any indication of their classification level. This lack of labeling and accountability created substantial risks, making it challenging to verify whether these devices had been destroyed or accessed by unauthorized individuals.
At the facility where these storage devices were meant to be destroyed, there were major gaps in physical security. Media that was marked as non-accountable (media removed from sensitive systems) was stored on a pallet with torn wrapping in a shared workspace accessible to nearly 400 personnel. This facility also housed other FBI operations, including logistics and IT equipment fulfillment, which further complicated security measures. Contractors from at least 17 companies and FBI task force officers had access to the facility, adding to the security concerns.
The OIG report revealed that the FBI could not account for whether any devices had been removed from the unsecured pallets. Both FBI supervisors and contractors admitted that no process was in place to track or monitor the media after extraction.
Furthermore, the audit pointed out deficiencies in the FBI’s procedures for securing electronic media before destruction. According to the Open-Storage Secure Areas, Closed-Storage Secure Areas, and Controlled Unclassified Areas Policy Guide (1264PG), FBI personnel are required to follow a clean desk policy and store classified materials in locked containers at the end of each day. However, the audit found that these standards were not consistently followed.
In response to the OIG’s concerns, the FBI stated that they would start storing unsanitized hard drives and solid-state drives (SSDs) in a secure cage within the facility until they could be processed properly. Despite this commitment, the OIG noted during follow-up visits in early 2024 that additional security measures, such as a new camera system, had been delayed. As of June 2024, the FBI was still working on obtaining a waiver to install video surveillance at the facility.
To address these vulnerabilities, the OIG has provided the FBI with several recommendations to improve its control over the storage and disposal of electronic media. These include:
- Revising procedures to ensure that all storage media containing sensitive or classified information are properly accounted for, tracked, and sanitized before destruction.
- Implementing measures to clearly mark electronic storage media with the appropriate classification level, in line with FBI and DOJ policies.
- Enhancing physical security controls at facilities where media is stored and processed, to prevent loss or theft.
The audit underscores the need for the FBI to strengthen its procedures for managing sensitive storage media, particularly at facilities where media is destined for destruction. With nearly 400 individuals having access to the facility and media being left unsecured for long periods, the risk of unauthorized access or loss is significant.
The OIG continues its broader audit of FBI contracts and procedures and is urging the FBI to take immediate action to safeguard its electronic storage media. The FBI has been asked to provide an update on its response to the recommendations within 90 days.
For more information or questions about the audit, the OIG encourages contacting Michael E. Horowitz, Inspector General, or Jason R. Malmstrom, Assistant Inspector General for Audit, at the DOJ.
Pavel Durov Arrested: French Police Target Telegram’s Content Oversight Issues
In a notable turn of events for digital privacy and cybersecurity, Pavel Durov, the founder and CEO of Telegram, has been arrested in France. The arrest, reported by French television network TF1, stems from a warrant related to an ongoing investigation into Telegram’s content moderation practices.
The focus of the investigation is Telegram’s alleged failure to properly moderate content on its platform, which has reportedly facilitated a range of criminal activities. These include drug trafficking, child exploitation, money laundering, and fraud. Critics argue that Telegram’s lax approach to content moderation has enabled it to become a significant hub for criminal enterprises.
Guardio Labs, a cybersecurity firm, has raised alarms about Telegram’s role in the criminal ecosystem. A recent report from the firm describes Telegram as a thriving platform where cybercriminals trade tools and data. “This messaging app has become a major conduit for seasoned and emerging cybercriminals, enabling them to exchange illicit tools and victims’ data,” the report states.
Telegram, which is headquartered in Dubai, has over 950 million monthly active users as of July 2024. The app has recently expanded its features, including an in-app browser and a Mini App Store, positioning itself as a multifunctional super app similar to Tencent’s WeChat.
Durov was apprehended at Paris’ Bourget Airport upon arriving from Azerbaijan. French law enforcement, including the Gendarmerie des Transports Aériens (GTA) and the Office National Antifraude (ONAF), detained him. The arrest warrant was issued by the Office des Mineurs (OFMIN), a branch of the French National Police’s judicial direction, due to allegations that Telegram’s lack of effective moderation made Durov complicit in the crimes facilitated through the app.
Authorities suspect that Durov’s alleged failure to cooperate with law enforcement, along with his provision of tools such as disposable phone numbers and cryptocurrencies, contributed to serious crimes like drug trafficking, child exploitation, and fraud. “Durov made a critical error by entering France knowing he was a person of interest,” a source close to the investigation commented.
The arrest marks a significant moment in the global effort to hold tech platforms accountable for criminal activities conducted through their services. The case not only aims to disrupt the criminal networks utilizing Telegram but also seeks to spur European countries towards greater cooperation in combatting cybercrime.
Telegram, known for its robust encryption and capacity for large, private groups, has faced criticism for its role in criminal activities. “Telegram has emerged as a platform of choice for organized crime,” an investigator noted, underscoring concerns about its use in the distribution of banned content and coordination of criminal activities.
As the investigation progresses, the impact of this high-profile case on future regulatory measures for digital platforms and their responsibility in content moderation remains to be seen.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.