insiders Archives - Page 3 of 9 - Schneier on Security

Entries Tagged "insiders"

Page 3 of 9

Stealing a Billion

The report said Shor and his associates worked together in 2012 to buy a controlling stake in three Moldovan banks and then gradually increased the banks’ liquidity through a series of complex transactions involving loans being passed between the three banks and foreign entities.

The three banks then issued multimillion-dollar loans to companies that Shor either controlled or was connected to, the report said.

In the end, over $767 million disappeared from the banks in just three days through complex transactions.

A large portion of this money was transferred to offshore entities connected to Shor, according to the report. Some of the money was then deposited into Latvian bank accounts under the names of various foreigners.

Moldova’s central bank was subsequently forced to bail out the three banks with $870 million in emergency loans, a move designed to keep the economy afloat.

It’s an insider attack, where the insider is in charge.

What’s interesting to me is not the extent of the fraud, but how electronic banking makes this sort of thing easier. And possibly easier to investigate as well.

Posted on May 8, 2015 at 6:13 AM • View Comments

More Data on Attributing the Sony Attack

An analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds—which implies an insider.

Our Gotnews.com investigation into the data that has been released by the “hackers” shows that someone at Sony was copying 182GB at minimum the night of the 21st—the very same day that Sony Pictures’ head of corporate communications, Charles Sipkins, publicly resigned from a $600,000 job. This could be a coincidence but it seems unlikely. Sipkins’s former client was NewsCorp and Sipkins was officially fired by Pascal’s husband over a snub by the Hollywood Reporter.

Two days later a malware bomb occurred.

We are left with several conclusions about the malware incident:

The “hackers” did this leak physically at a Sony LAN workstation. Remember Sony’s internal security is hard on the outside squishy in the center and so it wouldn’t be difficult for an insider to harm Sony by downloading the material in much the same way Bradley Manning or Edward Snowden did at their respective posts.
If the “hackers” already had copies, then it’s possible they made a local copy the night of the 21st to prepare for publishing them as a link in the malware screens on the 24th.

Sony CEO Michael Lynton’s released emails go up to November 21, 2014. Lynton got the “God’sApstls” email demand for money on the 21st at 12:44pm.

Other evidence implies insiders as well:

Working on the premise that it would take an insider with detailed knowledge of the Sony systems in order to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive of data, researchers from Norse Corporation are focusing on this group based in part on leaked human resources documents that included data on a series of layoffs at Sony that took place in the Spring of 2014.

The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack.

The investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented the Sony’s anti-piracy stance, to infiltrate the company’s networks.

I have been skeptical of the insider theory. It requires us to postulate the existence of a single person who has both insider knowledge and the requisite hacking skill. And since I don’t believe that insider knowledge was required, it seemed unlikely that the hackers had it. But these results point in that direction.

Pointing in a completely different direction, a linguistic analysis of the grammatical errors in the hacker communications implies that they are Russian speakers:

Taia Global, Inc. has examined the written evidence left by the attackers in an attempt to scientifically determine nationality through Native Language Identification (NLI). We tested for Korean, Mandarin Chinese, Russian, and German using an analysis of L1 interference. Our preliminary results show that Sony’s attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.

The FBI still blames North Korea:

The FBI said Monday it was standing behind its assessment, adding that evidence doesn’t support any other explanations.

“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” a spokeswoman said in a statement. “There is no credible information to indicate that any other individual is responsible for this cyber incident.”

Although it is now thinking that the North Koreans hired outside hackers:

U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month’s massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said, U.S. investigators are looking at the possibility that Pyongyang “contracted out” some of the cyber work.

This is nonsense. North Korea has had extensive offensive cyber capabilities for years. And it has extensive support from China.

Even so, lots of security experts don’t believe that it’s North Korea. Marc Rogers picks the FBI’s evidence apart pretty well.

So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.

But, as I wrote earlier this month:

Tellingly, the FBI’s press release says that the bureau’s conclusion is only based “in part” on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq’s weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

I also wrote that bluffing about this is a smart strategy for the US government:

…from a diplomatic perspective, it’s a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Of course, this strategy completely backfires if the attackers can be definitely shown to be not from North Korea. Stay tuned for more.

EDITED TO ADD (12/31): Lots of people in the comments are doubting the USB claim.

Posted on December 31, 2014 at 7:52 AM • View Comments

How to Stop an Insider from Stealing All Your Secrets

This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I’m not sure it would have been effective against such a skilled and tenacious leaker. What’s missing is the one thing that would have worked: have fewer secrets.

Posted on May 16, 2014 at 12:34 PM • View Comments

"A Court Order Is an Insider Attack"

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack:

To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.

From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

Also on BoingBoing.

Posted on October 17, 2013 at 12:50 PM • View Comments

NSA Increasing Security by Firing 90% of Its Sysadmins

General Keith Alexander thinks he can improve security by automating sysadmin duties such that 90% of them can be fired:

Using technology to automate much of the work now done by employees and contractors would make the NSA’s networks “more defensible and more secure,” as well as faster, he said at the conference, in which he did not mention Snowden by name.

Does anyone know a sysadmin anywhere who believes it’s possible to automate 90% of his job? Or who thinks any such automation will actually improve security?

He’s stuck. Computerized systems require trusted people to administer them. And any agency with all that computing power is going to need thousands of sysadmins. Some of them are going to be whistleblowers.

Leaking secret information is the civil disobedience of our age. Alexander has to get used to it.

Posted on August 12, 2013 at 2:33 PM • View Comments

Obama's Continuing War Against Leakers

The Obama Administration has a comprehensive “insider threat” program to detect leakers from within government. This is pre-Snowden. Not surprisingly, the combination of profiling and “see something, say something” is unlikely to work.

In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues based on behavioral profiling techniques that are not scientifically proven to work, according to experts and government documents.

The techniques are a key pillar of the Insider Threat Program, an unprecedented government-wide crackdown under which millions of federal bureaucrats and contractors must watch out for “high-risk persons or behaviors” among co-workers. Those who fail to report them could face penalties, including criminal charges.

Another critique.

Posted on July 29, 2013 at 6:28 AM • View Comments

NSA Implements Two-Man Control for Sysadmins

In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins:

NSA chief Keith Alexander said his agency had implemented a “two-man rule,” under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it would take time to spread across the whole agency.

[…]

Alexander said that server rooms where such data is stored are now locked and require a two-man team to access them—safeguards that he said would be implemented at the Pentagon and intelligence agencies after a pilot at the NSA.

This kind of thing has happened before. After USN Chief Warrant Officer John Walker sold encryption keys to the Soviets, the Navy implemented two-man control for key material.

It’s an effective, if expensive, security measure—and an easy one for the NSA to implement while it figures out what it really has to do to secure information from IT insiders.

Posted on July 24, 2013 at 6:18 AM • View Comments

The Effectiveness of Privacy Audits

This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”

Posted on July 9, 2013 at 12:17 PM • View Comments

Lessons From the FBI's Insider Threat Program

This article is worth reading. One bit:

For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting out bad behavior. Compared to the predictive capabilities of Punxsutawney Phil, the groundhog of Groundhog Day, that system did a worse job of predicting malicious insider activity, Reidy says.

“We would have done better hiring Punxsutawney Phil and waving him in front of someone and saying, ‘Is this an insider or not an insider?'” he says.

Rather than getting wrapped up in prediction or detection, he believes organizations should start first with deterrence.

Posted on March 20, 2013 at 11:51 AM • View Comments

Insider Attack Against M&A Information in Document Titles

Protecting against insiders is hard.

Kluger and two accomplices—a Wall Street trader and a mortgage broker—allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades….

Kluger had access to information on M&A deals in Wilson Sonsini’s DMS, but he did not open the documents to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. “Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,” the charges state….

Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it’s often easy to figure out the codes.

Posted on June 23, 2011 at 6:29 AM • View Comments

←Previous 1 2 3 4 5 … 9 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.