Guest Post: Sometimes You Hack the Bear; Sometimes the Bear Hacks You
Our buddy and homeboy John Ready sends us this guest post:
OK, so now we’ve got another country hacking into the federal government’s so-called “secure” information systems. This time it’s apparently individuals allied with Russia, and the target was the National Security Agency itself. The juggernaut that is supposed to protect us, and which receives stupid amounts of our tax money to accomplish that, has had its secrets pilfered.
Nice job…
As if the theft of Personally Identifiable Information (PII) from the Office of Personnel Management (the government’s Human Resources department) wasn’t catastrophic enough. I mean, it’s not like 23 million past, present, and future government employees (like Yours Truly) had their sensitive information extracted by the Chinese military. Approximately 5 million of those individuals had their digitized fingerprints stolen; many of those are intelligence operatives and undercover officers. Now they risk being unmasked by whoever buys their prints on the black market. Worse, they could be targeted for assassination, you know, by the bad guys they are trying to fight.
With all of that still fresh in our memories, you’d think that those tasked with protecting our secrets would be more vigilant. Sadly, that’s what I get for trusting people to do the right thing.
Back in 2010, the first digital weapon was unleashed. It came to be known as Stuxnet. It was brilliant in its sophistication, and in how it targeted its victim (the uranium enrichment facility at Natanz, Iran) with laser-like focus. It took a while for security experts to determine its origin, but it was finally traced to a joint NSA-Israeli partnership.
Stuxnet was the digital equivalent of a pre-emptive airstrike. It was developed solely for the purpose of causing physical damage to Iran’s centrifuges, while allowing the US and Israel the ability to deny their involvement. You see, Israel doesn’t take kindly to its neighbors building anything remotely nuclear, whether it’s weapons or reactors. I can’t say I blame them; you don’t know what a nuclear facility’s true purpose is until there’s a mushroom cloud over Tel Aviv.
In the past, the Israelis bombed reactors in Iraq and Syria. This time, President Obama convinced Benjamin Netanyahu that the strike should be more discreet, so as not to cause more unrest in the Middle East. So, the two nations collaborated on the weaponized worm we now know as Stuxnet.
However, the department within NSA, dubbed Tailored Access Operations (TAO: Oh, how very clever!) responsible for developing Stuxnet has now been hacked itself, and a good chunk of its digital weaponry pilfered, this time by some folks in Russia. The perpetrators call themselves “The Shadow Brokers.” The NSA is supposed to be the brain trust, staffed with brilliant technicians and programmers.
Here’s an example of just how “brilliant” these folks are. An NSA employee took a number of documents home with him. He copied them to his “personal home computer, so that he could refer to them while he tweaked his resume.” Besides being a violation of agency rules, it was also against the law. The employee’s PC was running Kaspersky Lab, antivirus software developed in Russia, and installed on computers across the globe. Investigators have long supposed that this software company was in collusion with Russian hackers, and that there was a back-door installed, through which they could directly access his data…sorry, OUR data.
You’d think that there would be increased vigilance, knowing that the rest of the world understands that we are capable of developing Stuxnet and its variants.
The Shadow Brokers are now selling these digital weapons (paid for with our tax dollars) on the Black Market. The prices on some of these weapons are very high. This means that only parties with that much capital, such as a rogue nation like North Korea, could unleash them on the United States, all the while claiming innocence, since the origin of the attack could be masked.
Some of these digital weapons have now been turned on two of our country’s allies: Britain and the Ukraine. The implications of this theft are dire. Instead of the Ukraine having its power grid taken down for long periods, it could be us. Such an attack could mimic the Northeast Power Outage in August 2003, which lasted for three days. What’s more, if the attack took out certain sections of the grid, it could cause an even more widespread outage.
Bad, see also: Not good.
As for the NSA employee who took the family jewels off the reservation, he won’t need a resume for his next job. He just needs to practice his new spiel:
“Would you like fries with that?”
That particular NSA ex-employee needs a different new spiel: “Hello Mr. Tiny.”
Or maybe he should hear: “Would you like a last cigarette?”
I like the second one.
As an IT dude… I must take exception (and I admit, it is a pedantic argument over semantics…) to calling this breach a “Hack”.
In any information system, the weakest link is ALWAYS going to be the one between the chair and the keyboard. We preach, plead, scream, threaten, teach and sometimes even punish our users for putting their information in the wrong places – and still they continue to do it. When I heard that “the Russians hacked the NSA!” I imagined some unconfigured firewall, or an unsecured server. Nope. Just like the “Russians hacked the DNC!” fiasco, it was not the skill of the Russians, it was the stupidity of the users that exposed the sensitive information. The DOD has already outright banned any and all USB mass storage devices, and on the SIPR, even burning data to optical drives (DVD, CD, etc…) is outright banned. (Thanks Manning!) And the move to ban optical drives on the NIPR is on the horizon and coming fast – for just this reason. If we force users to only transfer information across networks we control, then we can try to prevent them transferring information to places it doesn’t belong, and if they find some way around that, we can at least have an audit trail to know who to fire when they succeed.
In my (not so) humble opinion, this is NOT a “Hack” – it is an idiot who thought he was above the rules, who most likely thought that all of the IT staff were paranoid wienies whose entire purpose in life is to make his life hard, who exposed our country to a horrific threat – because his resume needed some fluffing, and he couldn’t be bothered to get out a pen and paper and make some notes.
That is all…
As another long-term ITiot myself, I could not agree more, Geet.
Absolutely. And I’m not so sure he was an idiot. Stealing THAT much information? This was very intentional, and it definitely was NOT a hack. I’ve worked there, and I am very much aware of the kind of security precautions that are taken on the high side. They are extensive. This wasn’t agency incompetence. This was evil. Plain and simple. Harold Martin needs to spend the rest of his life in PMITA prison.
I gotta confess – I hadn’t heard any more details on this event than what is in the post above, so I can’t argue with your assertion that it was a malicious leak.
However, I can say that I have absolutely no doubt that it could have been an arrogant user who thought “that information never needed to be classified in the first place” and/or “I don’t have time to go all the way to the vault to get that info every time I need it…” (actual quotes from an actual idiot I actually had to clean up after once…)
Thank you for saving me a rant. What word scares the shit out of Network Defenders everywhere? Spillage.
The easiest part of a computer system to hack is the users.
First assertion; “first digital weapon”; untrue.
Next assertion; cyber professionals are not doing their jobs; it is hard to tell whether that is the case or not. Defenders have to be correct 100% of the time. Attackers only have to be successful once. Because we have no metrics or measures of effectiveness, let’s just say that people are working very hard, but no one really knows how effective the methods are.
Last assertion; person leaving with the crown jewels causes much damage; true (but not for the reasons given).
Real story; personnel security system is worthless and leadership is a non-factor.
Time spent addressing root cause; zero words.
Next…
I want my fucking tax money back. All of it.
Ex-PH2,
Certainly, the government will be happy to give you a refund. Please click the link to our webpage and enter the necessary information, including your full name, SSN, DoB, blood type, dog’s name, and other miscellaneous (and completely harmless) information. Don’t worry, our server is 100% secure and we guarantee that your data will not be leaked in any way. Thanks!
[very much /s] … of course if you look at how Equifax handled their breach, by asking people to provide more personal information, then it is less /s and more /s(ad).
Yeah, I got one of those letters telling me that I was one of the “extra 2.4++ million” people whose information had been compromised. The excuses I got were 4th grade level.
That Equifax shit burned my ass to a crisp. “Please provide your FULL SSN in this UNMASKED textbox”. YGBFSM. And since then? Crickets from them.
Same here, my thought, when that showed up in my inbox was, you already have that info, is this really Equifax?
Strange, haven’t heard a word from them since I deleted that email.
If you can claim Head Of Household…you can get all your money back, and some you didn’t even pay in.
See how that works?
Another reason some of us prefer to have a very lean government – the more employees, the more opportunities for sheer stupidity to overcome the most expensive security systems possible.
Absolutely, every time someone comes up with something they think is idiot-proof, *POOF!*, along comes a more powerful idiot!
How do they know it is idiot proof when they never use idiots to test the things?
What makes you think we don’t use idiots to test?
Hint, if an IT developer comes to you to test a piece of software that you did not order – you may have been identified as an ID-10-T user.
I can neither confirm nor deny that the Help Desk might keep a record of users which may, or may not, be a ID-10-T pool for testing.
Absolute truth!
I’ve “transitioned” from being a grunt into an IT guy of sorts. Part of what I do is build and maintain Excel and Access products for tracking training. Two key performance indicators:
The dumbest guy in the room has to be able to use it
-and-
The dumbest guy in the room can’t be able to break it
Hey Korg!
Urrgh?
Whaddya think of this new app?
Urr.. BAM! BAM! URRGHH!
Cool. Thanks.
ADM Mike Rogers needs to go…he’s more than anything just a wily political animal and the shit that has gone down on his watch would likely have gotten him canned in a Navy billet…the problem is more than just him of course but he’s ultimately accountable….maybe if he were a blue flag, he’d understand that…
A number of years ago, two idiots tried to hack into the NSA as they admitted in court, to steal secrets to sell. At that time, the NSA had what was called an “aggressive polymorphic virus” loaded just for such an event, which basically backloaded into the intruder’s computer and made it destroy itself. The two idiots sued the NSA for breaking their computer, and this is when they freely admitted they were trying to steal classified information to sell. Judge ruled that NSA had to remove the virus, pay for the idiots’ computer, then had them taken into custody for admitting to committing a federal felony. Were something like that in place, this shit would not be happening.
Truisms:
Artificial Intelligence can never permanently defeat natural stupidity.
The only difference between classified information and common knowledge is that common knowledge is harder to obtain.
More like common sense is what is on the endangered list!
When did it become fashionable to call criminal acts such as this one something as innocuous as “a hack?” Kinder, gentler society, maybe.
Never mind. It’s corollary to inanimate objects being responsible for things humans do. Blame the gun. Blame the car. Blame anything and everything other than the human who made the decision to do something wrong.
The OPM hack will go down in history as possibly the greatest penetration, ever. And I don’t think it will ever be ‘topped’, in terms of timing, relevance, and damage done.
And exactly who is being held accountable, again?
Who? -us-
I think 99.0%+ of the ‘free world’ still does not grasp how dire the effects of the OPM breach are. Even worse, I believe a significant % don’t really give a damn, even if they were somewhat aware of the consequences.
There’s already guys cold in the ground over this – guys who put it all on the line to aid the US in her espionage war vs. China who did so in the name of freedom (eventual, distant-future freedoms for their countrymen).
Key US personnel should be looking at decades or life behind bars.
‘In a perfect world’.
Professionally speaking, the Intel Os responsible for the ID/exploitation of OPM have earned a lifetime of top shelf hookers and booze. Their kids as well.
The Chinese IC has already created their own specific facebook-like database and app specifically for easy access and usage of the intel from the breach.
At some point, I have to wonder when folks who tend to play at the outside edge of rules, and maybe a little over them from time to time, might decide that playing -way- outside the rules is how to fix these things.
There is an abyss staring back at us from there, but it must seem mighty tempting sometimes, to start kicking assholes over that precipice.
And at the same time, a kid is doing the better part of a decade in federal prison for a couple of pictures of the inside of a submarine.
Yeah, yeah, I know–it’s classified. I’m not saying he should have skated, but let the punishment fit the crime.