Entries Tagged "insiders"


"A Court Order Is an Insider Attack"

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack:

To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.

From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

Also on BoingBoing.

Posted on October 17, 2013 at 12:50 PM

NSA Increasing Security by Firing 90% of Its Sysadmins

General Keith Alexander thinks he can improve security by automating sysadmin duties such that 90% of them can be fired:

Using technology to automate much of the work now done by employees and contractors would make the NSA’s networks “more defensible and more secure,” as well as faster, he said at the conference, in which he did not mention Snowden by name.

Does anyone know a sysadmin anywhere who believes it’s possible to automate 90% of his job? Or who thinks any such automation will actually improve security?

He’s stuck. Computerized systems require trusted people to administer them. And any agency with all that computing power is going to need thousands of sysadmins. Some of them are going to be whistleblowers.

Leaking secret information is the civil disobedience of our age. Alexander has to get used to it.

Posted on August 12, 2013 at 2:33 PM

Obama's Continuing War Against Leakers

The Obama Administration has a comprehensive “insider threat” program to detect leakers from within government. This is pre-Snowden. Not surprisingly, the combination of profiling and “see something, say something” is unlikely to work.

In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues based on behavioral profiling techniques that are not scientifically proven to work, according to experts and government documents.

The techniques are a key pillar of the Insider Threat Program, an unprecedented government-wide crackdown under which millions of federal bureaucrats and contractors must watch out for “high-risk persons or behaviors” among co-workers. Those who fail to report them could face penalties, including criminal charges.

Another critique.

Posted on July 29, 2013 at 6:28 AM

NSA Implements Two-Man Control for Sysadmins

In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins:

NSA chief Keith Alexander said his agency had implemented a “two-man rule,” under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it would take time to spread across the whole agency.

[…]

Alexander said that server rooms where such data is stored are now locked and require a two-man team to access them—safeguards that he said would be implemented at the Pentagon and intelligence agencies after a pilot at the NSA.

This kind of thing has happened before. After USN Chief Warrant Officer John Walker sold encryption keys to the Soviets, the Navy implemented two-man control for key material.

It’s an effective, if expensive, security measure—and an easy one for the NSA to implement while it figures out what it really has to do to secure information from IT insiders.

Posted on July 24, 2013 at 6:18 AM

The Effectiveness of Privacy Audits

This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”

Posted on July 9, 2013 at 12:17 PM

Lessons From the FBI's Insider Threat Program

This article is worth reading. One bit:

For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting out bad behavior. Compared to the predictive capabilities of Punxsutawney Phil, the groundhog of Groundhog Day, that system did a worse job of predicting malicious insider activity, Reidy says.

“We would have done better hiring Punxsutawney Phil and waving him in front of someone and saying, ‘Is this an insider or not an insider?’” he says.

Rather than getting wrapped up in prediction or detection, he believes organizations should start first with deterrence.

Posted on March 20, 2013 at 11:51 AM

Insider Attack Against M&A Information in Document Titles

Protecting against insiders is hard.

Kluger and two accomplices—a Wall Street trader and a mortgage broker—allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades….

Kluger had access to information on M&A deals in Wilson Sonsini’s DMS, but he did not open the documents, to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. “Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,” the charges state….

Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it’s often easy to figure out the codes.

Posted on June 23, 2011 at 6:29 AM

Forged Subway Passes in Boston

For years, an employee of Cubic Corp—the company that makes the automatic fare card systems for most of the subway systems around the world—forged and then sold monthly passes for the Boston MBTA system.

The scheme was discovered by accident:

Coakley said the alleged scheme was only discovered after a commuter rail operator asked a rider where he had bought his pass. When the rider said he’d purchased the pass on Craigslist, the operator became suspicious and confiscated the ticket.

An investigation by the MBTA Transit Police found that despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said.

Although you’d think the MBTA would poke around the net occasionally, looking for discount tickets being sold on places like Craigslist.

Cubic Transportation Systems said in a written statement that it is cooperating with authorities. “Our company has numerous safeguards designed to prevent fraudulent production or distribution of Charlie Tickets,” the statement said, referring to the monthly MBTA passes.

It always amuses me when companies pretend the obvious isn’t true in their press releases. “Someone completely broke our system.” “Say that we have a lot of security.” “But it didn’t work.” “Say it anyway; the press will just blindly report it.”

To be fair, we don’t—and probably will never—know how this proprietary system was broken. In this case, an insider did it. But did that insider just have access to the system specifications, or was access to blank ticket stock or specialized equipment necessary as well?

EDITED TO ADD (5/22): More details:

On March 11, a conductor on the commuter rail’s Providence/Stoughton Line did a double-take when a customer flashed a discolored monthly pass, its arrow an unusually light shade of orange. The fading, caused by inadvertent laundering, would have happened even if the pass were legitimate, but the customer, perhaps out of nervousness, volunteered that he had purchased it at a discount on Craigslist, Coakley said.

That raised the conductor’s suspicion. He collected the pass and turned it over to the Transit Police, who found no record of its serial number and began investigating. Working with State Police from Coakley’s office, they traced it to equipment at the Beverly branch of Cubic Transportation Systems Inc. and then specifically to an employee: Townes, a 27-year-old Revere resident.

Auditing could have discovered the fraud much earlier:

A records check would have indicated that the serial numbers were not tied to accounts for paying customers. But the financially strapped MBTA, which handles thousands of passes and moves millions of riders a month, did not have practices in place to sniff out the small percentage of unauthorized passes in circulation, Davey said.

Posted on May 20, 2011 at 7:44 AM
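The records check described in the post above, sketched as an added example that is not from the original post, the MBTA or Cubic: it reconciles accepted gate taps against passes that are activated and tied to a paying account. The log format, CSV columns, gate names and serial numbers are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: serials, accounts, gates and timestamps are invented.
SALES_CSV = """serial,account_id,activated
CT-100001,A-17,2011-03-01
CT-100002,A-42,2011-03-01
CT-100003,,
"""

GATE_LOG = """2011-03-02T07:58:11 gate=NS-04 serial=CT-100001 result=OPEN
2011-03-02T08:01:40 gate=NS-02 serial=CT-900555 result=OPEN
2011-03-02T08:03:02 gate=BB-01 serial=CT-100003 result=OPEN
2011-03-02T17:31:09 gate=SS-07 serial=CT-900555 result=OPEN
2011-03-03T08:00:15 gate=NS-02 serial=CT-100002 result=DENY
malformed line without fields
"""

def load_paid_serials(sales_csv):
    """Serials that are both activated and tied to a paying account."""
    rows = csv.DictReader(io.StringIO(sales_csv))
    return {r["serial"] for r in rows if r["account_id"] and r["activated"]}

def parse_gate_line(line):
    """Return (timestamp, fields) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "serial" not in fields or "result" not in fields:
        return None
    return parts[0], fields

def unbacked_passes(gate_log, paid):
    """Map serial -> [(timestamp, gate)] for accepted taps with no paid record."""
    hits = defaultdict(list)
    for line in gate_log.splitlines():
        parsed = parse_gate_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the audit
        ts, f = parsed
        if f["result"] == "OPEN" and f["serial"] not in paid:
            hits[f["serial"]].append((ts, f.get("gate", "?")))
    return dict(hits)

if __name__ == "__main__":
    paid = load_paid_serials(SALES_CSV)
    for serial, taps in sorted(unbacked_passes(GATE_LOG, paid).items()):
        print(serial, len(taps), "accepted taps, first seen", taps[0][0])
```

The check flags both a serial that has no record at all and one that exists in the database but was never activated or tied to an account, which are the two conditions the quoted reports describe.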

UK Immigration Officer Puts Wife on the No-Fly List

A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and—during the routine background check—someone investigated why his wife was on the no-fly list.

Okay, so he’s an idiot. And a bastard. But the real piece of news here is how easy it is for a UK immigration officer to put someone on the no-fly list with absolutely no evidence that that person belongs there. And how little auditing is done on that list. Once someone is on, they’re on for good.

That’s simply no way to run a free country.

Posted on February 4, 2011 at 1:35 PM
