Hack The Planet

Because if you don't, who will?

Monday, July 19, 2010

New technology is not always used as intended

Some British inventors have built a new technology that can transmit data and power without wires. The technology is intended to be used in submarines and other places where punching holes in walls is not a great idea. But the ability to transmit data and power through a wall could also be used by intelligence agencies to collect information without the use of modern bugging technology. Who knows, though, maybe the spooks are already using this today?

posted by holliday at 11:23 am  

Monday, July 19, 2010

Top Secret America

The Washington Post just put out a story on Top Secret America, and it is interesting. The investigation has been ongoing for over two years and it has found some stunning information, like the fact that approximately 850,000 people have Top Secret clearance.

“Acting Director of National Intelligence David Gompert just released a wet-noodle response to Top Secret America. “The reporting does not reflect the Intelligence Community we know,” Gompert says in a statement. “We accept that we operate in an environment that limits the amount of information we can share. However, the fact is, the men and women of the Intelligence Community have improved our operations, thwarted attacks, and are achieving untold successes every day.””

Nothing to see here, move along.

posted by holliday at 9:59 am  

Friday, July 16, 2010

Data Security isn’t just about the Network

In the last few days there have been a number of reports of data breaches caused by hardware getting stolen or misplaced. AMR, parent company of American Airlines, is contacting 79,000 employees and former employees because they lost a hard drive. The California Department of Health Care Services notified the authorities that it lost a CD containing over 29,000 patient records.

Not to be outdone, thieves stole thousands of laptops over a nine-hour period from a private contractor who was working for the US Special Operations Command.

Why would anyone need to hack the network when they can just walk out the front door with all of the information they wanted?

Update: Apparently there are new laws that allow data breaches not to be made public. One of the worst ideas was from the HHS: “For medical data breaches, the Department of Health and Human Services (HHS) has created a “risk of harm” threshold for notifications. Under HHS guidelines, if an organization determines that a data breach hasn’t caused “a significant risk of financial, reputational, or other harm to individual,” then it doesn’t have to report the breach, either to the person whose information was breached or to law enforcement agencies.” I mean, how about you let the person whose information was breached determine whether it has caused significant risk. Just throwing it out there.

posted by holliday at 8:19 am  

Thursday, July 8, 2010

Cisco Live attendees wake up to an alarming email

Well, it doesn’t just happen to banks, small companies or cities. Even giant technology firms like Cisco can have their users’ data compromised. This morning thousands of people were alerted that their personal information, which included Cisco Live badge number, name, title, company address and email address, was stolen. The weird thing, though, is that many people who did not attend the Cisco Live event were notified also. It will be interesting to see if this is more than just some conference attendee data.

posted by holliday at 4:55 pm  

Thursday, July 8, 2010

Are you a Perfect Citizen?

There is a lot of news today on the NSA’s Perfect Citizen program. The idea behind Perfect Citizen is that our nation’s infrastructure can be compromised and that the NSA needs to be monitoring it for attack. My major concern with this comes from the Wall Street Journal article where they say “While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.” This sounds a lot to me like “Allow us to monitor all of your network traffic or you won’t get government business.” And because this is the NSA, where is the oversight, and will it be public? The classified contract was awarded to Raytheon, so we can guess that the oversight will be classified also.

What is to stop them from gathering more information than they are supposed to? Maybe my issue is that I remember the NSA’s illegal warrantless wiretaps and how that ended with the government giving the NSA and Telcos a free pass.

Update: So the NSA responded and said that Perfect Citizen is not about spying on individuals, it is just “vulnerability assessment and capabilities development”. The question may be, why call it Perfect Citizen then and not something related to vulnerability assessment, or why was it classified if it is really just vulnerability assessment?

Update 2: Sometimes it is just nice to have someone agree with you.

posted by holliday at 4:17 pm  

Wednesday, July 7, 2010

Social Engineering is alive and well

When someone requests to be your friend or colleague on Facebook, LinkedIn, or any other social networking site, you may want to double check who they are and how they know you.

A red team hacker, Thomas Ryan, created a false profile named “Robin Sage” and built a pool of friends and associates that is really impressive. It included people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines, a chief of staff for the U.S. House of Representatives, and several Pentagon and DoD employees. The profile also attracted defense contractors, such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

Through these connections he was able to get information from his sources that included troop location and other sensitive information.

Thomas Ryan will be presenting at Black Hat USA this year.

posted by holliday at 10:08 am  

Tuesday, July 6, 2010

Wolverines!!!

So there has been a lot of press on the Russian spies and their use of steganography. The idea of hiding something in plain sight that only the sender and recipient know about is interesting in that it has been around as long as humans have needed to hide information from each other. The Code Book by Simon Singh is a good read for anyone who is interested in cryptography in general.

Update: Speaking of cryptography being used throughout history, apparently Plato hid messages in his writings that have only just been deciphered.

posted by holliday at 9:18 am  

Friday, June 11, 2010

What is responsible disclosure?

There is a lot of heat coming down on Google Security Researcher Tavis Ormandy after he released code to exploit Microsoft Windows XP just five days after alerting M$ to the vulnerability. There is also a rumor that it was done to fuel the fire already going between M$ and Google.

I know that there is a lot of bickering between the different giants of technology, but I don’t believe that Google would go so far as to have an employee post an exploit just to make a point. It is more likely that “Ormandy seems to believe Microsoft, which is not exactly known for the speed of its responses to security (and many other) issues, would never have acted to patch this hole unless he, or someone else, had also provided code to exploit it.”

Many security experts feel this way, but to release the exploit into the wild after only five days is really irresponsible, because the people you are really hurting are the folks who get their computers compromised, not M$.

posted by holliday at 10:12 am  

Wednesday, June 9, 2010

Apple iPad 3G Owners exposed

I was just alerted to the fact that a large number (114,000 to be exact) of Apple iPad 3G owners had their information exposed. The list includes military personnel, media types and even Mayor Bloomberg. The article goes into specifics of how the breach was done.

posted by holliday at 3:30 pm  

Tuesday, May 18, 2010

This is hilarious

Sometimes you have to “reboot your thinking”. It is a little sad and a little hilarious all rolled into one.

posted by holliday at 3:28 pm  