There’s a Reuters article on new types of fraud using stolen medical records. I don’t know how much of this is real and how much is hype, but I’m certain that criminals are looking for new ways to monetize stolen data.
Entries Tagged "data breaches"
Page 3 of 11
The article says they were Chinese but offers no evidence:
The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.
This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.
This makes a lot of sense.
Viviane Reding dismissed recent fines for Google as “pocket money” and said the firm would have had to pay $1bn under her plans for privacy failings.
Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously.
And she questioned how Google was able to take so long to getting round to changing its policy.
Ms Reding, who is also vice-president of the European Commission, wants far tougher laws that would introduce fines of up to 5% of the global annual turnover of a company for data breaches.
If fines are intended to change corporate behavior, they need to be large enough so that avoiding them is a smarter business strategy than simply paying them.
The Brazilian television show “Fantastico” exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I’m more interested in the tactical details.
The video on the webpage is long, and includes what I assume is a dramatization of an NSA classroom, but a few screen shots are important. The pages from the training presentation describe how the NSA’s MITM attack works:
However, in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events“) and also allows spies to collect information about specific SSL encryption certificates.
It’s that first link—also here—that shows the MITM attack against Google and its users.
Here’s another story on this.
Assume it’s really true that the NSA has no idea what documents Snowden took, and that they wouldn’t even know he’d taken anything if he hadn’t gone public. The fact that abuses of their systems by NSA officers were largely discovered through self-reporting substantiates that belief.
Given that, why should anyone believe that Snowden is the first person to walk out the NSA’s door with multiple gigabytes of classified documents? He might be the first to release documents to the public, but it’s a reasonable assumption that the previous leakers were working for Russia, or China, or elsewhere.
Former NSA director Michael Hayden lists three effects of the Snowden documents:
- “…the undeniable operational effect of informing adversaries of American intelligence’s tactics, techniques and procedures.”
- “…the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law.”
- “…the erosion of confidence in the ability of the United States to do anything discreetly or keep anything secret.”
It’s an interesting list, and one that you’d expect from a NSA person. Actually, the whole essay is about what you’d expect from a former NSA person.
- This, I agree, is actual damage. From what I can tell, Snowden has done his best to minimize it. And both the Guardian and the Washington Post refused to publish materials he provided, out of concern for US national security. Hayden believes that both the Chinese and the Russians have Snowden’s entire trove of documents, but I’m less convinced. Everyone is acting under the assumption that the NSA has compromised everything, which is probably a good assumption.
- Hayden has it backwards—this is good. I hope that companies that have cooperated with the NSA are penalized in the market. If we are to expect the market to solve any of this, we need the cost of cooperating to be greater than the cost of fighting. If we as consumers punish companies that have complied with the NSA, they’ll be less likely to roll over next time.
- In the long run, this might turn out to be a good thing, too. In the Internet age, secrecy is a lot harder to maintain. The countries that figure this out first will be the countries that do well in the coming decades.
And, of course, Hayden lists his “costs” without discussing the benefits. Exposing secret government overreach, a secret agency gone rogue, and a secret court that’s failing in its duties are enormously beneficial. Snowden has blown a whistle that long needed blowing—it’s the only way can ever hope to fix this. And Hayden completely ignores the very real question as to whether these enormous NSA data-collection programs provide any real benefits.
I’m also tired of this argument:
But it takes a special kind of arrogance for this young man to believe that his moral judgment on the dilemma suddenly trumps that of two (incredibly different) presidents, both houses of the U.S. Congress, both political parties, the U.S. court system and more than 30,000 of his co-workers.
It’s like President Obama claiming that the NSA programs are “transparent” because they were cleared by a secret court that only ever sees one side of the argument, or that Congress has provided oversight because a few legislators were allowed to know some of what was going on but forbidden from talking to anyone about it.
Edward Snowden has set up a dead man’s switch. He’s distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him.
Dead man’s switches have a long history, both for safety (the machinery automatically stops if the operator’s hand goes slack) and security reasons. WikiLeaks did the same thing with the State Department cables.
“It’s not just a matter of, if he dies, things get released, it’s more nuanced than that,” he said. “It’s really just a way to protect himself against extremely rogue behavior on the part of the United States, by which I mean violent actions toward him, designed to end his life, and it’s just a way to ensure that nobody feels incentivized to do that.”
I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.
Sidebar photo of Bruce Schneier by Joe MacInnis.