Hack The Planet

Because if you don't, who will?

Wednesday, July 21, 2010

Breaches, breaches everywhere

I was just reading about two more breaches when I hit the section “What was the response?”
In both cases, and in most that I have read about, the people affected, a.k.a. the victims of someone else’s mistake, are given a year’s subscription to a credit monitoring service. Wow, a whole year. Their data can’t possibly last longer than a year out on the internet, can it? The fact is that these people will have to watch their credit for well over a year and will probably have to subscribe to a service for the rest of their lives. We like to think that this information will disappear over time, but the fact is that things can last forever on the internet.
Someday maybe the punishment for losing other people’s information will be high enough that people will actually protect it and care about it.

posted by holliday at 1:14 pm  

Wednesday, July 21, 2010

It comes from your hardware… 2

That isn’t a great name for a horror film but it is what Dell has issued a warning for. Apparently some malware just happened to slip into the motherboard, specifically “The PowerEdge R410 Rack server has spyware within its embedded systems management software.”

This happened before on some off-brand Cisco equipment. More and more malware and spyware are finding their way onto your machine: if not through your OS, then through your hardware.

posted by holliday at 12:49 pm  

Monday, July 19, 2010

New technology is not always used as intended

Some British inventors have built a new technology that can transmit data and power without wires. The technology is intended to be used in submarines and other places where punching holes in walls is not a great idea. But, the ability to transmit data and power could be used by intelligence agencies to collect information without the use of modern bugging technology. Who knows though, maybe the spooks already are using this today?

posted by holliday at 11:23 am  

Monday, July 19, 2010

Top Secret America

The Washington Post just put out a story on Top Secret America, and it is interesting. The investigation has been ongoing for over two years and it has found some stunning information, like the fact that approximately 850,000 people have Top Secret clearance.

“Acting Director of National Intelligence David Gompert just released a wet-noodle response to Top Secret America. “The reporting does not reflect the Intelligence Community we know,” Gompert says in a statement. “We accept that we operate in an environment that limits the amount of information we can share. However, the fact is, the men and women of the Intelligence Community have improved our operations, thwarted attacks, and are achieving untold successes every day.””

Nothing to see here, move along.

posted by holliday at 9:59 am  

Friday, July 16, 2010

Data Security isn’t just about the Network

In the last few days there have been a number of reports of data breaches caused by hardware getting stolen or misplaced. AMR, parent company of American Airlines, is contacting 79,000 employees and former employees because they lost a hard drive. The California Department of Health Care Services notified the authorities that it lost a CD containing over 29,000 patient records.

Not to be outdone, thieves stole thousands of laptops over a nine-hour period from a private contractor who was working for the US Special Operations Command.

Why would anyone need to hack the network when they can just walk out the front door with all of the information they wanted?

Update: Apparently there are new laws that allow data breaches not to be made public. One of the worst ideas was from the HHS: “For medical data breaches, the Department of Health and Human Services (HHS) has created a “risk of harm” threshold for notifications. Under HHS guidelines, if an organization determines that a data breach hasn’t caused “a significant risk of financial, reputational, or other harm to individual,” then it doesn’t have to report the breach, either to the person whose information was breached or to law enforcement agencies.” I mean, how about you let the person whose information was breached determine whether it has caused significant risk. Just throwing it out there.

posted by holliday at 8:19 am  

Thursday, July 8, 2010

Cisco Live attendees wake up to an alarming email

Well, it doesn’t just happen to banks, small companies or cities. Even giant technology firms like Cisco can have their users’ data compromised. This morning thousands of people were alerted that their personal information, which included Cisco Live badge number, name, title, company address and email address, had been stolen. The weird thing, though, is that many people who did not attend the Cisco Live event were notified as well. It will be interesting to see if this is more than just some conference attendee data.

posted by holliday at 4:55 pm  

Thursday, July 8, 2010

Are you a Perfect Citizen?

There is a lot of news today on the NSA’s Perfect Citizen program. The idea behind Perfect Citizen is that our nation’s infrastructure can be compromised and that the NSA needs to be monitoring it for attack. My major concern with this comes from the Wall Street Journal article where they say “While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.” This sounds a lot to me like “Allow us to monitor all of your network traffic or you won’t get government business.” And because this is the NSA, where is the oversight, and will it be public? The classified contract was awarded to Raytheon, so we can guess that the oversight will be classified also.

What is to stop them from gathering more information than they are supposed to? Maybe my issue is that I remember the NSA’s illegal warrantless wiretaps and how that ended with the government giving the NSA and Telcos a free pass.

Update: So the NSA responded and said that Perfect Citizen is not about spying on individuals, it is just “vulnerability assessment and capabilities development”. The question may be, why call it Perfect Citizen then and not something related to vulnerability assessment or why was it classified if it is really just vulnerability assessment?

Update 2: Sometimes it is just nice to have someone agree with you.

posted by holliday at 4:17 pm  

Wednesday, July 7, 2010

Social Engineering is alive and well

When someone requests to be your friend or colleague on Facebook, LinkedIn, or any other social networking site, you may want to double check who they are and how they know you.

A red team hacker, Thomas Ryan, created a false profile named “Robin Sage” and built a pool of friends and associates that is really impressive. It included people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines, a chief of staff for the U.S. House of Representatives, and several Pentagon and DoD employees. The profile also attracted defense contractors, such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

Through these connections he was able to get information from his sources that included troop location and other sensitive information.

Thomas Ryan will be presenting at Black Hat USA this year.

posted by holliday at 10:08 am  

Tuesday, July 6, 2010


So there has been a lot of press on the Russian spies and their use of steganography. The idea of hiding something in plain sight that only the sender and recipient know about is interesting, in that it has been around as long as humans have needed to hide information from each other. The Code Book by Simon Singh is a good read for anyone who is interested in cryptography in general.

Update: Talking about cryptography being used throughout history, apparently Plato had hidden messages in his writings that were just deciphered.
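To make the "hiding in plain sight" idea concrete, here is an added example (not from the original post) of least-significant-bit steganography on a constructed 8-bit grayscale carrier, together with the crude LSB-plane check a defender might run on a suspect image. The carrier, the secret and all function names are my own constructions.

```python
# Added example: LSB steganography on a constructed grayscale "image"
# (a flat list of 8-bit pixel values) and a simple LSB-plane detector.

def to_bits(data: bytes) -> list[int]:
    """Big-endian bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def embed(pixels: list[int], message: bytes) -> list[int]:
    """Hide message (with a 2-byte length prefix) in the LSB of each pixel."""
    payload = len(message).to_bytes(2, "big") + message
    bits = to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for message")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # touch only the lowest bit
    return stego

def extract(pixels: list[int]) -> bytes:
    """Read the LSB plane back into bytes and strip the length prefix."""
    lsb = [p & 1 for p in pixels]
    def read(start: int, n: int) -> bytes:
        return bytes(int("".join(map(str, lsb[j:j + 8])), 2)
                     for j in range(start, start + 8 * n, 8))
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)

def max_pixel_delta(a: list[int], b: list[int]) -> int:
    """Largest per-pixel change between carrier and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))

def lsb_ones_fraction(pixels: list[int], n: int) -> float:
    """Share of 1-bits in the first n LSBs. A value near 0.5 in a carrier
    whose LSB plane is otherwise structured hints at an embedded payload."""
    return sum(p & 1 for p in pixels[:n]) / n

# Constructed carrier: a 64x64 smooth gradient quantised to even values,
# standing in for a low-noise image whose LSB plane is not random.
CARRIER = [((x + y) * 2) % 256 for y in range(64) for x in range(64)]
SECRET = b"meet at the usual place"   # constructed sample message

if __name__ == "__main__":
    stego = embed(CARRIER, SECRET)
    n = 8 * (2 + len(SECRET))         # number of carrier LSBs used
    print(extract(stego))
    print(max_pixel_delta(CARRIER, stego))
    print(lsb_ones_fraction(CARRIER, n), lsb_ones_fraction(stego, n))
```

The largest change to any pixel is 1, which is why a viewer sees nothing; the jump in the LSB one-bit share from 0 to roughly 0.4 over the used region is what a statistical steganalysis tool keys on.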

posted by holliday at 9:18 am  
