Paper on the Going Dark Debate

I am pleased to have been a part of this report, part of the Berkman Center's Berklett Cybersecurity project:

Don't Panic: Making Progress on the "Going Dark" Debate

From the report:

In this report, we question whether the "going dark" metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not. The question we explore is the significance of this lack of access to communications for legitimate government interests. We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow.

In short our findings are:

  • End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
  • Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
  • Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
  • Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
  • These trends raise novel questions about how we will protect individual privacy and security in the future. Today's debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.

New York Times coverage. Lots more news coverage here. Slashdot thread. BoingBoing post.

EDITED TO ADD (2/8): Eleven news articles: one, two, three, four, five, six, seven, eight, nine, ten, and eleven.

Posted on February 2, 2016 at 2:20 PM • 25 Comments

Comments

Matt • February 2, 2016 2:35 PM

Let's not forget the weakest element in all security systems: the human element. There's always going to be people who make mistakes, or deliberately leak info; you'll always be able to plant a mole or find a traitor.

Eventually technology will progress to the point where everything has built-in top-notch flawless encryption all the time, but people will still be people.

Zit • February 2, 2016 4:38 PM

@Matt

What? You mean good old fashioned police work is still possible??? NOOOO.... haven't you heard???? we're GOING DARK.... Soon police won't be able to do ANYTHING... and terrorists will kill us all... we're all going to die... unless we IMMEDIATELY trample or willingly give up every human right and basic freedom, and live in cages!

X-Ray • February 2, 2016 4:43 PM

Very good bullet list, nice to see this getting such coverage.

Also can be noted, that corporations and other entities need inspection not just for usability, but also for security.

Tor is a good example of a system that does not even implement anonymous security mechanisms and suffers significantly for it. Endpoints get "known" everywhere, and banned. Not because of the many legitimate users, but because of abusers relying on the anonymity of the system.

If you pay a little bit of money for a professional vpn system, that won't come into play. And they are very likely to have at the least some manner of IDS to detect their system being used for attacks.

Same principle applies anywhere, and certainly not just with literal hacking. Voice and other communications systems can allow for "verbal" attacks. True end to end corporate encrypted communication systems can be used by outside attackers, or inside abusers. Relying on Amazon vpn on your company system to stream television to home system, for instance.

@Matt

There's always going to be people who make mistakes, or deliberately leak info; you'll always be able to plant a mole or find a traitor.

I like seeing someone else saying that.

For code systems, there is open source. Anybody who qualifies and contributes can join in.

http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/

For corporate, companies will hire anyone from anywhere.

They have zero knowledge on their real background, especially if they are sponsored by an intelligence agency.

Cheap is important and good.


Then, there is the possibility for intel agencies recruiting developers. Probably even under a secondary context. Pay them to write such and such code. Or simply gain access to their development system -- or, as one of the first backdoors did, to the build system.

Sancho_P • February 2, 2016 6:00 PM


”Many technological security failures of today can be traced to failures of encryption. In 2014 and 2015, unnamed hackers — probably the Chinese government — stole 21.5 million personal files of U.S. government employees and others. They wouldn’t have obtained this data if it had been encrypted.” (Bruce Schneier, Lawfare)

Stopped there to read because I think it’s not fair.
On the contrary, without naming facts / evidence it might be a misinformation.
China? Really? Or defamation?
Not obtained if encrypted? How come?

I smell the style of Comey & Co, sorry.

X-Ray • February 2, 2016 11:43 PM

@Sancho_P

Come on, that is a little harsh...

The statement is correct, if the data were *properly* encrypted, the attackers would not have been able to make off with it.

Removing the word "properly" hardly means it is not there.

And he did state "probably" in fingering China. Considering that the US Government very strongly has implicated China in that attack, it is certainly well worth noting that "probably China did it".

We do know that hack was tied to Anthem, and together, they probably did have substantial evidence to go by.

Not many parties would be capable of such things. Even fewer would have motive. I don't think France would have hacked Anthem and OPM.

I also do not think Russia did it. Russia likes to hack oil and gas companies and VIPs.


China is a guzzler for all kinds of information from everywhere.


There could be some really far fetched truth behind it all. But, certainly, "probably" more than generously covers such incredibly unlikely scenarios.


Figureitout • February 3, 2016 12:56 AM

End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies
--It's getting built into a lot of wireless chips, the end user doesn't have to worry about it if you get some of the latest chips that are integrating crypto. Something nice and simple like XTEA (probably use XXTEA w/ newer chips) over sending in the clear is becoming very easy (and better than nothing) and you can just drop in at around "application layer", so it shouldn't break anything important. If you don't have embedded and below resource constraints, you have less excuses to not use crypto in your products as a lot of the ground work is done for you; it'll just be a potential usability and performance issue... I may try to push it at my work, it should be a selling point and it already is for wireless companies. Of course you should go for at least AES if you can get good entropy and be able to send it to the receiver securely (if you use an IV).

This is one of my motivators for nRF_Detekt, my little pet project. I'm only encrypting the 32-byte dynamic data portion of a packet sent, so metadata of the rest of the protocol is spewed out in the clear (preamble is the same almost always b/c how else do you initiate an exchange on some somewhat static part? So there's your way in...) around heavily crowded 2.4GHz (and surveilled, albeit at 2Mbps (there were mentions of sniffing issues w/ the highest speed) and w/ pretty low power). I don't know how to "encrypt" the entirety of the transmission.

Anyway I've got XTEA for it right now and KeeLoq looks straightforward. It is not connected to the internet (I'll in fact avoid the major wifi channels entirely, simple trick that works pretty well, but it's different for other countries) and I want "forward error correction" but am not sure again how to implement correctly and it won't be stable turning off ACK's in say noisy environments.

Not allowing companies to securely encrypt comms opens up attacks to something like stop light controllers to script kiddies. At intersections involving 55mph and above, this is a concern...Camera evidence can also be tampered w/ if it's internet connected and supports remote flash updates. I don't know why this doesn't freak out lawyers/judges like it should...
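
An added illustration, not part of Figureitout's comment, the blog post, or the nRF_Detekt project: XTEA in CTR mode over a fixed 32-byte payload, with the rest of the frame left in the clear, which is exactly the "payload encrypted, protocol metadata exposed" situation the comment describes. The frame layout (a 2-byte header, a 4-byte nonce, 32 bytes of payload), the key and the sample message are assumptions chosen for the demo. The block also shows the IV caveat raised above in concrete form: if the sender reuses a nonce under the same key, the XOR of two ciphertexts equals the XOR of the two plaintexts, with no key needed.

```python
"""XTEA in CTR mode over a fixed 32-byte radio payload; header stays in clear.

Added example for this comment thread. Not code from the blog post or from
the nRF_Detekt project. HEADER_LEN, NONCE_LEN, DEMO_KEY and the sample
message are assumptions made for the demonstration.
"""
import os
import struct
from typing import Optional, Tuple

DELTA = 0x9E3779B9           # XTEA round constant
MASK32 = 0xFFFFFFFF
CYCLES = 32                  # standard XTEA: 64 Feistel rounds = 32 cycles

HEADER_LEN = 2               # assumed: address/type bytes a sniffer sees unchanged
NONCE_LEN = 4                # assumed: per-frame value sent in the clear
PAYLOAD_LEN = 32             # the "32-byte dynamic data portion" from the comment

# Constructed 128-bit key for the demo; a real device provisions this out of band.
DEMO_KEY = bytes(range(16))


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with a 16-byte key (big-endian 32-bit words)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(CYCLES):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of xtea_encrypt_block: same schedule walked backwards."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * CYCLES) & MASK32
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: E_k(nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += xtea_encrypt_block(key, nonce + struct.pack(">I", counter))
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(key: bytes, header: bytes, payload: bytes,
                nonce: Optional[bytes] = None) -> bytes:
    """Return header (clear) || nonce (clear) || CTR-encrypted payload."""
    if len(header) != HEADER_LEN or len(payload) != PAYLOAD_LEN:
        raise ValueError("bad header/payload length")
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)   # the sender needs real entropy here
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    return header + nonce + _xor(payload, _keystream(key, nonce, PAYLOAD_LEN))


def parse_frame(key: bytes, frame: bytes) -> Tuple[bytes, bytes]:
    """Split a frame and decrypt the payload. There is no authentication:
    flipping a ciphertext bit flips the same plaintext bit, so pair this with a MAC."""
    header = frame[:HEADER_LEN]
    nonce = frame[HEADER_LEN:HEADER_LEN + NONCE_LEN]
    body = frame[HEADER_LEN + NONCE_LEN:]
    return header, _xor(body, _keystream(key, nonce, len(body)))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the IV must never repeat under one key: with the same nonce,
    c1 XOR c2 == p1 XOR p2, so a sniffer learns the plaintext difference
    without the key. Returns True when that leak is observed."""
    off = HEADER_LEN + NONCE_LEN
    c1 = build_frame(key, b"\x00\x00", p1, nonce)[off:]
    c2 = build_frame(key, b"\x00\x00", p2, nonce)[off:]
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    hdr = b"\xE7\x01"                                   # constructed address/type bytes
    msg = b"door=open;temp=21.5;seq=00017".ljust(PAYLOAD_LEN, b"\x00")  # constructed
    frame = build_frame(DEMO_KEY, hdr, msg)
    print(frame.hex())           # first two bytes: the header, readable by anyone on 2.4GHz
    assert parse_frame(DEMO_KEY, frame) == (hdr, msg)
```

Two things to note when reading the output: the header bytes are identical on every frame, so traffic analysis (who is talking, how often, frame size) works regardless of the cipher, which is the commenter's "there's your way in"; and CTR mode with a 4-byte nonce gives only 2^32 frames before a repeat is forced, so a sender without a persistent counter or a real entropy source will eventually hit the `nonce_reuse_leak` case.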

Andrew • February 3, 2016 1:40 AM

Just a thought:
Internet of things is not dangerous, the phone spies on you enough not to worry about your coffee maker...

blake • February 3, 2016 4:23 AM

@Andrew

I'm not sure that's how risk mitigation works. In fact, it sounds like the opposite of attack surface management.

Any time you cross the road there's a small chance you might be hit by a car. This doesn't mean you walk across a highway without even checking if anything is coming.

Sancho_P • February 3, 2016 5:50 PM

@X-Ray

Nope, but let me explain:

First, Bruce's statement is incorrect (or incomplete / oversimplified).
If the data were “properly” encrypted the attackers may have obtained them anyway just to try to break the encryption at home.
At least the US boyz would have done it with China's internals.
Encryption, regardless of how it is done, does not prevent from theft.

So these are different shoes, access and encryption.
And for the OPM, let me ask how someone who has access to the system would have a problem with properly encrypted data?

Second:
Here in the blog’s comment section, you and I may call the POTUS “probably being a criminal”.
No one will care, no one will trust. We are null and void, anonymous, irrelevant.
It’s absolutely not important what you and I think or not, as bright as it may be.

So it depends where and who points at someone calling him ”probably guilty of crime”,
thereby probably pulling the landau for the shenanigans.
If necessary, better say the truth, e.g:
We don’t have substantial evidence.
Yes, even we, the world's leader in IT technology, don’t know for sure who did it,
let alone know how to prevent it in the future.
It didn’t help that our gov IT is years behind in modern, actual technology.
Data security is broken, by design.

Who did it?
Probably it was done by the communists?

X-Ray • February 3, 2016 9:57 PM

@Sancho_P

First, Bruce's statement is incorrect (or incomplete / oversimplified). If the data were “properly” encrypted the attackers may have obtained them anyway just to try to break the encryption at home.

Yes, it is oversimplified, but he is talking to the masses there. That is the NYTimes.

You surely work in a related field and know how difficult it is to talk about work.

Really serious oversimplification.


So these are different shoes, access and encryption. And for the OPM, let me ask how someone who has access to the system would have a problem with properly encrypted data?


Yes you certainly can have encrypted data on a system, have that system compromised, and the data not broken. You know this. Everyone knows this.

Sure, there are caveats, like "if the attacker sees you decrypt it, they can then grab the encrypted data", but those are caveats and this is OPM we are talking about and the whole SF-86 database going back over a decade and a half, at least.

We don't know much about the OPM hack, but we do know the remote attackers absconded with that entire database either in the plaintext or in some other weakened state - such as having a key that could unlock the entire database - and that certainly could have been prevented.

Probably, the data was not encrypted at rest.

Ultimately, however the attackers got in and stayed in, they were able to get access to that whole database, unencrypted. So, ultimately, it was an encryption problem. Maybe key management, maybe bad access implementation or controls, and so on.

Who did it? Probably it was done by the communists?

It is more complicated than that, as are probabilities and statistics one uses when considering various theories. This is what we do all the time in security. (Some fields more than others, many of the tech fields very much more so even than what detectives or analysts would have to deal with.)

Definitely, one can say "probably China did it". You can even pull off the cuff some truly abstract figure, like "eighty percent chance China did it". Ultimately, if China did not do it, that is meaningless. 100% chance China did not do it.

But, that is not how probabilities work.

Personally, I think China probably did do it. I have seen China hacking left and right across the country in every quarter for the past fifteen years. All across business, government. I have known Chinese researchers and talked to them. I have talked to these business and government folks. I have even worked with organizations that have been hacked by them.

I doubt this was England or France or Israel, seriously.

Maybe Iran, maybe North Korea.

Russia, probably not.

Very unlikely, but possible, some smaller group, or organized crime, or even a very talented singular individual. Why on that last part? Besides the fact that there would be no money involved (unless they sold to a nation state, and then you are back to the above equation), nobody has said anything. They would if they did this privately. That is the main motivator for such hackers.

But, intelligence, and very professional intelligence, you won't ever hear a peep.

Which leaves us with the usual suspects.

England, France, Israel, etc... these countries would have way too much to lose if they did this.

Russia, just hasn't been their style of late.

North Korea, frankly? They like to talk, just like little guy hax0rs.

So, China is the most likely suspect from those very ad hoc levels.

But, then you have the NSA and FBI, and some other organizations swearing they found evidence, on top of all of that.

Could they be lying or wrong? Sure. Unlikely, however. What is it to gain?

You can walk through the possibilities there, and the cards are small and poor.

Sancho_P • February 4, 2016 5:35 PM

@X-Ray

Seems you live in a funny world where the lawfareblog is the NYTimes (audience), and a compromised system (unauthorized access) is ultimately called an encryption problem.
But as I wrote above, here you may call it whatever you like, no one will care.

Sorry for my “who did it, the communists?”, I wasn’t clear enough:

I’m not interested who could “probably” have done it because I know it:
NOBUS.
In town, place your wallet onto the cowling of your car and leave for a stroll.
Blame the bad people if it’s gone when you’re back.
Allow “admin” as secret (!) super-password and blame Russia for that backdoor.
-> I’m tired of people blaming others for their own incompetence.
They will never encounter, let alone fix, the source of a problem.

So I wrote “Data security is broken, by design”,
and by “who did it” I meant the design.

Obviously it was designed by the arch enemy, the communists,
and if you promise to keep it secret I can tell you:
A friend of mine, ex-official in the Cuban gov, speaking in condition of anonymity, told me that some of the US IT design details were obtained from honeypots (due to an “encryption error”) placed by Russia and Fidel Castro (a bad hacker at his time btw.) to stop imperialism and to destroy America.

That said, now let’s play the national anthem in loop, vote for the pony and then nuke ALLBUS, regardless of any probability, just to make sure!

Buck • February 4, 2016 6:53 PM

@X-Ray

Probably, the data was not encrypted at rest.
That's a pretty disingenuous conclusion for you to draw from the publicly available evidence... There are probably reasons why the data (even going back over a decade and a half) have to be processed still today. Good reasons? Beats me! If not? Then those old records would have been locked away in a large filing cabinet with decent enough physical security. Encrypted or not, nobody would have been walking away with nearly as many as supposed.

X-Ray • February 4, 2016 7:31 PM

@Buck

That's a pretty disingenuous conclusion for you to draw from the publicly available evidence... There are probably reasons why the data (even going back over a decade and a half) have to be processed still today. Good reasons? Beats me! If not? Then those old records would have been locked away in a large filing cabinet with decent enough physical security. Encrypted or not, nobody would have been walking away with nearly as many as supposed.

Hah.

I wasn't sure if my record was in there or not. I briefly had very basic clearance for a job, but then left the job because of constraints. Turned out, I never signed the finishing paperwork. Then, my wife received one of their letters and promises of credit watching services a few months ago. I have never received a letter. Only reason she got that was because she was my wife, and so her information was in there that way.

(Unless my wife is a spy... hrrm....)

They do have great physical security from what I read.

And hired Chinese outsourcing to remote in for software work.

[Arstechnica, somewhere.]


No encryption expert, but surely all of the contents never had to be decrypted at any one time. They probably just kept it all on plaintext and set google desktop on it.

Save some dollars.


I get organizations being low on budgetary money.

Really, in my opinion, that was where the real problem lay. And it remains a huge problem in the industry.

Sony, before the attack, "I won't spend 10 million dollars to protect 1 million dollars of data". :/

X-Ray • February 4, 2016 8:03 PM

@Sancho_P

Seems you live in a funny world where the lawfareblog is the NYTimes (audience), and a compromised system (unauthorized access) is ultimately called an encryption problem. But as I wrote above, here you may call it whatever you like, no one will care.

Nope, just didn't care enough to follow all of the links and so make clear as to what the NYTimes coverage link pointed to.

Lawfareblog, I know a lot of lawyers, and they very usually tend to not know much of anything about information security.

Really, very same difference...

Not sure what the big deal is. We agree to disagree. I see and participate in a lot of oversimplifications.

I’m not interested who could “probably” have done it because I know it: NOBUS. In town, place your wallet onto the cowling of your car and leave for a stroll. Blame the bad people if it’s gone when you’re back. Allow “admin” as secret (!) super-password and blame Russia for that backdoor. -> I’m tired of people blaming others for their own incompetence. They will never encounter, let alone fix, the source of a problem.


That is a different issue, and you are preaching to the choir there.

Also, I personally would not have put OPM in the context of a proof against the dangers of bad encryption.

As I just mentioned to Buck, my major blame, I give in that, is at ALL the departments who sent in records to OPM, trusted OPM, and never did due diligence to check up on how their records were stored.

I did not and do not like the blame OPM got. Not because they did not deserve it. Yes, the head should have been fired. But who hired her? Who was sustaining her and their organization and teams?

And their main fault, from my opinion? Besides clearly being very unaggressive about seeking proper budget, being so uneducated about their job -- they clearly did not even know they should have!


So, no. I am covered there.

Blaming others is a major pet peeve of mine, in fact. Usually, it is absolutely worthless, very often it is an excuse for personal failure. In security, very often you can blame those who do not do what you want them to do. But, you have to get them to do what you want them to do. So, you work until you get a success at that.

Those who get the same results using the same tactics, are entering into the Einsteinian definition of insanity.


And yes, I believe the US has probably scapegoated China in this. I do doubt their evidence. I am suspicious, frankly, of anyone who says that "if the NSA attributes something, believe it". Even if they appear to be a hippy SF'r. Lol. Sorry. (It was the NSA engaged in the Gulf of Tonkin event, later found out to have been an effective false flag operation which legitimized and effectively started the Vietnam War.) [Reference, to other recent thread with the head of TAO speaking issue.]


Error is a condition to approach with cold neutrality, not disgust or revulsion -- unless disgust or revulsion helps change! If any emotion, mercy.


If you sincerely deal with carefully correcting errors all the time, you know this. Otherwise, you are just going about being a part of the error feed.


Obviously it was designed by the arch enemy, the communists, and if you promise to keep it secret I can tell you: A friend of mine, ex-official in the Cuban gov, speaking in condition of anonymity, told me that some of the US IT design details were obtained from honeypots (due to an “encryption error”) placed by Russia and Fidel Castro (a bad hacker at his time btw.) to stop imperialism and to destroy America.

Right. You are in the "in" club. You have some secret. Obtained with difficulty. Why would you lie? So, it is more plausible.

You do have one problem on this OPM issue, one of the intel heads (I do not keep track of their names) praised China for the hack, and said that was cowboy badass.

In whatever his weird language was. I am paraphrasing.

Albeit, that little devil, you know he smiled about how smart his statement was later. See how the joke and unexpected praise misdirected from the fact he was injecting a truism to the audience? Ala, implicit message, underneath the horseshit, "China did it".

And why? I said there was little motive. Sure, for going ALL out. They are guessing. But why guess with such assurance? I don't think they want it to have been China so badly. They can't go to war with China. But, it can be used for impetus, internally, to pad budgets and keep up operations against China. And it can be used for diplomatic fuel.

So why not China.

But, then, I kind of don't think Iran or North Korea would come forward and say, "We did it". Or pull a Sony with all that data.


Fact is, both hacks were very severe. Anthem and OPM. And, if they really know "China did it", what are they doing about it?

Both Anthem and OPM are acting as if it may have been everyday criminals, both have spent enormous sums to give the tens of millions (is it hundreds) of victims various services that costs quite a bit of money. I have seen estimates well into the billions for overall costs -- costs related to taking it for granted that PII might be being used in credit card fraud and other forms of criminal fraud.

Never mind that multiple US officials came out to the press to say both Russia and China are using the OPM data:

http://arstechnica.com/security/2015/08/china-and-russia-cross-referencing-opm-data-other-hacks-to-out-us-spies/

Problem is, if China stole the data, no way would they share it with Russia. Which means that the attribution of China is quite possibly a guess.


But, in terms of valueless words, perhaps. Anyone here, probably is already well sold on negligence on the issue.

Quite a few probably think the collective US intel heads should be jailed for all sorts of reasons. Quite a few probably think they should be sent to the Hague for war crimes. Quite a few, like myself, think they should have all be fired long ago.

Probably anyone this deep in the thread has read all of the ars articles on the topic, so they know just how terrible their security was.


Buck • February 4, 2016 8:07 PM

@X-Ray

surely all of the contents never had to be decrypted at any one time
At any one particular point in time? No, probably not. At a rate fast enough to collect an extremely large number of potentially useful records? Quite likely! Then again, I'm sure you're already more than well aware of the somewhat recent Target credit card heist. Google CALEA breach, maybe..? Who done it? Who knows!? The data is in motion...

Buck • February 4, 2016 8:24 PM

Both Anthem and OPM are acting as if it may have been everyday criminals, both have spent enormous sums to give the tens of millions (is it hundreds) of victims various services that costs quite a bit of money. I have seen estimates well into the billions for overall costs -- costs related to taking it for granted that PII might be being used in credit card fraud and other forms of criminal fraud
Lol. Sorry. The data is still in motion...

ianf • February 5, 2016 5:03 AM


@ Andrew: IoT is not dangerous, the phone spies on you enough not to worry about your coffee maker...

You're right for all the wrong reasons, and then you're wrong for the right ones. The phone spying is most probably by your own, native IC, to positively exclude you from those potentially capable of anti-establishment subversion. Once excluded, that counts in your favor the next time that you again are spied on.

The coffee maker, on the other hand (socket), merely spying on your volume/ frequency/ time of day imbibing habits, knows it is but a bit player in that field; hence, to gain a degree of self-respect, it must up the ante.

So its server-master aggregates your data points, correlates them with those of fellow age cohort shared geo location coffeembibers, then packages 'em up for sale to Brands bent on poaching consumers of other Brands in order to enlarge own Brand's market share… sounds confusing? Mission accomplished.

Or maybe not. Because, once aggregated and repurposed, those coffeemaker user data will not simply "wither away." In time they'll "migrate" (in ways as yet unknown to Science) to become part of this, the coming Digital’s final frontier: Tracking the customer journey through retail space

    What if retailers could measure visits to their physical stores in the same way that Google Analytics tracks visits to e-commerce sites? Now they can, by leveraging the latest ubiquitous technology: Wifi-enabled smartphones. […]

(Written up 2 years ago as an "what-if" scenario by a wolf in digital mass-exploitation sheep's clothing Joel Bergqvist. Sometimes the damnedest of things are found when one is looking for fresh intel on MH370's demise [present in the same blog]).

X-Ray • February 5, 2016 8:57 AM

@Sancho_P

You had a good point in your response, I did not address:

No one will care, no one will trust. We are null and void, anonymous, irrelevant.It’s absolutely not important what you and I think or not, as bright as it may be.
But as I wrote above, here you may call it whatever you like, no one will care.

Noting, your comments accompanying, 'even if we are the bright and brightest in IT'.

This is potentially a mystery as to 'why' anyone would ever post anywhere. With one's real name, or otherwise. I certainly have respect for the power of the word. I have respect for truth, even if that truth is set on vagaries. Indeed, often the most powerful truth is that truth which destroys the arrogance of the presumption of knowledge.

Patient Zero, people like to talk about. With virii. My belief is, in the viral instrumentation of truth, patient zeroes are very often entirely unknown. With serious diseases, it is critical to figure out who Patient Zero was or is. But, with trends, fads, opinions, this is impossible for people to know, and they do not even try. No small reason for this is, we are all ultimately much more controlled by our unconscious processes, than our conscious ones.


However, this is not why I bother to form opinions, and not why I ever post anywhere.

I have my own reasons for that which are not guessable.

I know them. And I will tell people I am close to I know them. But it is certainly not the sort of material to state widely, it is private.


I will point out, at times in my life, I often felt as if I was "doing something" for audiences in my past. For instance, the delusion of returning to my hometown, and thinking how it would be if some girl saw how well I had done. Some invisible audience one is startled to find has actually always been in one's mind, all along. And motivating to "do something".

Quite odd, how people work sometimes.

X-Ray • February 5, 2016 10:01 AM

@Buck

regarding Anthem & OPM hacks

Both Anthem and OPM are acting as if it may have been everyday criminals, both have spent enormous sums to give the tens of millions (is it hundreds) of victims various services that costs quite a bit of money. I have seen estimates well into the billions for overall costs -- costs related to taking it for granted that PII might be being used in credit card fraud and other forms of criminal fraud

Lol. Sorry. The data is still in motion...

Neither does me any harm. I certainly knew people who worked in security at Blue Cross, but not Anthem (double checked, looked at their state list). As far as I know, my record was not in the OPM hack, and even if it was, at worst, what? Very well my record may have been pulled because I had classified details in there, and ironically, about intelligence dealings with China. :P

Literally, Chinese hackers and their government. :-) Lol.

The form asked for that information.

Worst case, for me, China would come across that. But, I am definitely already on their list for that.

And, it was innocuous. I deal with security researchers all across the world, or have.

I was engaged in projects and at companies which would make a China think otherwise, but that was long ago. And I am sure they long ago would have decided I am nobody, don't do anything, don't know anything. At worst, I get some Chinese hacker or surveillance on me, until they are convinced of that.

The other worst case is if it was NK and they "do a Sony" with that data.

But, then, even if my data is there, I would be lost in the crowd of twenty two other million people - and a hundred or two hundred million others in the list of spouses and children with PII data.

As that material would be an intelligence goldmine, highly unlikely anyone would do that.

NK was shaking in their boots in denial just after Sony. It was sad. They wouldn't dare go that far.

They were like teenage girls caught smoking by the teacher in the HS bathroom.

I would feel and do feel for the victims, but they are all in the exact same boat.

Who hasn't had their credit card taken up in one of the recent hacks?


You mentioned Target. Target, the attackers actually could not find a way into the perimeter. Target was "good". The attackers had to find an obscure way in. Maybe OPM attackers did the same, I do not know, but the two are very different class. Target is not OPM. Target did good, but had a minor mistake. That scares everyone, and rightly so.

OPM, OTOH, should have had way more funding than a Target, and far better resources.

Buck • February 5, 2016 4:37 PM

@X-Ray

Neither does me any harm.
Irrelevant.
Target is not OPM.
I bring up Target because you suggest the OPM data was not encrypted at rest (implying that having done so could have prevented such an attack). Not so. Supposedly Target never stored any credit card numbers unencrypted... The malware simply swiped them all as they were being used.

So maybe we could have outsourced any secure data processing to some company that specializes in this sort of thing... Cloudflare, Kaspersky, FireEye, FoxIT, Symantec, etc. Then, those new higher value data processing services wouldn't have been similarly hacked, because -- magic?

X-Ray • February 5, 2016 9:16 PM

@Buck

I bring up Target because you suggest the OPM data was not encrypted at rest (implying that having done so could have prevented such an attack). Not so. Supposedly Target never stored any credit card numbers unencrypted... The malware simply swiped them all as they were being used.

My real contention is just oversimplification is absolutely necessary in communication and certainly does not denote a malicious lie. And there is considerable, albeit circumstantial evidence China was behind the OPM attack, which certainly does allow for a "probably" -- that is that it is certainly okay to speak in vagaries and probabilities when discussing such matters. Maybe poor taste if you are discussing a criminal case which is ongoing, but not poor taste on such a matter as this. Indeed, to even put a "probably" in the statement 'China probably did it' is extremely generous, as the audience probably has zero doubt in their mind.

I am aware of this possibility of the data being so frequently used by OPM, say via web searches, that, over time, the attackers were able to touch all of it. More likely, they could have gotten it in one fell swoop of an attack by compromising the entire database, or they gained a singular key which provided unlimited access to all of the data with zero limitation on sessions having ended or not.

*Possibly*, the data could have been encrypted at rest, and they simply found a SQL injection flaw which would have allowed the web server application supplying the information to decrypt the information for them... as they purloined the entire contents across seas to China. Or wherever.

I did not recall enough specifics of the Target hack to recall that the attackers had to put malware on - who knows how many POS terminals - and gather all of that data together. Had they been able to just waltz into the database server as admin, their job would have been far simpler, and far quicker. It would not have had to involve such a complicated plan as managing a distributed attack botnet living across the country on POS terminals.

I do recall that in the Heartland attack, and related attacks, they were fortunate enough to get on the wire, so they could slurp up all the records as they came across the wire. In which case, the traffic was improperly encrypted across the wire.

Ultimately, the attackers did get the data unencrypted, and that should not have been the case. Likely, the poor use of encryption, perhaps in implementation, surely played a role, overall, in the attack. As it usually, if not always, does.

At least in APT attacks.

Encrypting data at rest is not - at all - a cure-all. Far from it. Especially considering the very real and often present danger of SQL injection attacks. For instance.

But it is one important layer of security to have, especially when you have a very real threat from APT.


So maybe we could have outsourced any secure data processing to some company that specializes in this sort of thing... Cloudflare, Kaspersky, FireEye, FoxIT, Symantec, etc. Then, those new higher value data processing services wouldn't have been similarly hacked, because -- magic?

Actually, I was thinking in terms of far better resources than those companies have available. BBN level resources, dedicated resources of top engineers who are dedicated to the singular pursuit of specialized data protection in specialized circumstances.

Safenet, btw, would have been a more appropriate resource, in terms of database protection.

I am not stating that none of those companies have supergenius technicians working for them - I know people at some of those companies - they do. But, they tend to be going from 'this to that'.

What we do know from the arstechnica report is they contracted out cheaply and horribly.

... actually, in looking up the attack, I found this detail, and while the title disagrees with the assessment that "encryption was broken", I disagree with their assessment:

http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

No multifactor authentication is a bad implementation of encryption, especially in the case of exactly how critical that data was.

And, frankly:

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.

The DHS chief, no security specialist in the least, was guessing. "Likely through a phishing attack". Usually, as far as people know from caught attacks, the entry way is through phishing. But once on a network, they look for as much information as they can going across the wires, or unencrypted anywhere.

You can teflon the shit out of your chest, but that doesn't mean shit if someone shoots you in the head.

Or if there is a giant gaping bullseye hole right in the middle of that chestpiece.

Encryption is like a piece of very strong metal, if it is strong, but the implementation is where the grooves and cracks and fitting pieces are.

Improperly covering those cracks and crevices with rotten authentication and authorization systems ruins the whole thing.
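The point made above, that a single key with no limit on what a session may decrypt makes encryption at rest a formality, as an added example that is not part of this thread: a toy Python record store with a naive design (the app holds the key and decrypts whatever a query matches) beside a gated one that charges each decrypt to a per-session quota and writes an audit entry. The cipher, record names, session ids and quota are all constructed for illustration.

```python
import hashlib
import os

class QuotaExceeded(Exception): pass

def _toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 counter-mode keystream; symmetric, illustration only (use AES-GCM for real data).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class NaiveStore:
    """Encrypted at rest, but the app holds the key and decrypts every row a query matches."""
    def __init__(self, key: bytes):
        self.key, self.rows = key, {}
    def put(self, rid: str, plaintext: bytes) -> None:
        nonce = os.urandom(12)
        self.rows[rid] = (nonce, _toy_xor_cipher(self.key, nonce, plaintext))
    def query(self, predicate):
        # An over-broad predicate (injection flaw, stolen admin login) yields the whole table in plaintext.
        return [_toy_xor_cipher(self.key, *self.rows[rid]) for rid in self.rows if predicate(rid)]

class GatedStore(NaiveStore):
    """Same ciphertext, but each decrypt is charged to a session quota and written to an audit log."""
    def __init__(self, key: bytes, per_session_limit: int):
        super().__init__(key)
        self.limit, self.used, self.audit = per_session_limit, {}, []
    def query(self, predicate, session: str):
        matched = [rid for rid in self.rows if predicate(rid)]
        if self.used.get(session, 0) + len(matched) > self.limit:
            self.audit.append(("DENIED", session, len(matched)))  # bulk pull: refuse and flag for the SOC
            raise QuotaExceeded(f"session {session} would exceed {self.limit} decrypts")
        self.used[session] = self.used.get(session, 0) + len(matched)
        self.audit.append(("OK", session, len(matched)))
        return [_toy_xor_cipher(self.key, *self.rows[rid]) for rid in matched]

def demo():
    key = os.urandom(32)
    naive, gated = NaiveStore(key), GatedStore(key, per_session_limit=2)
    for i in range(5):  # constructed sample records, not real data
        for store in (naive, gated):
            store.put(f"emp-{i}", f"record {i}".encode())
    dumped = naive.query(lambda rid: True)  # 5 plaintexts: at-rest encryption did nothing here
    single = gated.query(lambda rid: rid == "emp-3", "sess-A")  # a normal one-record lookup
    try:
        gated.query(lambda rid: True, "sess-A")
        blocked = False
    except QuotaExceeded:
        blocked = True
    return len(dumped), single, blocked, gated.audit[-1][0]
```

The quota is the layer the comment says was missing: the same stolen credential still reads one record at a time, but a bulk pull is refused and leaves a DENIED entry for detection.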

X-Ray • February 6, 2016 1:54 AM

@Sancho_P

Short of it: China did it. Encryption failure a core flaw.

All dumb ass, unprofessional, crazy, "get me fired or demoted" conspiracy theories aside.

To the tune of go hard, kreayshawn.

X-Ray • February 6, 2016 2:07 AM

Honestly and frankly, a core problem in technical security is we have way too many unprofessional chumps mouthing off in their ignorance, despite their glaring lack of knowledge, experience, or heart.

But the universal Solomon's baby problem.

Impotent observers w/o hope.
