Entries Tagged "secrecy"

Page 8 of 21

Open-Source Software Feels Insecure

At first glance, this seems like a particularly dumb opening line of an article:

Open-source software may not sound compatible with the idea of strong cybersecurity, but….

But it’s not. Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They’ll figure out how it works. They’ll find flaws. They’ll—in extreme cases—sneak back-doors into the code when no one is looking.

Of course, these statements rely on the erroneous assumptions that security vulnerabilities are easy to find, and that proprietary source code makes them harder to find. And that secrecy is somehow aligned with security. I’ve written about this several times in the past, and there’s no need to rewrite the arguments again.

Still, we have to remember that the popular wisdom is that secrecy equals security, and open-source software doesn’t sound compatible with the idea of strong cybersecurity.

Posted on June 2, 2011 at 12:11 PM

WikiLeaks Cable about Chinese Hacking of U.S. Networks

We know it’s prevalent, but there’s some new information:

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches—colorfully code-named “Byzantine Hades” by U.S. investigators—to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.

Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.

U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department’s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were “involved in Byzantine Hades intrusion activity in 2006.”

The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the “precise” postal code in Chengdu used by the People’s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. “Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other” electronic spying units of the People’s Liberation Army, the cable says.

[…]

What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst—that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their emails—such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.”

The spear-phish are “the dominant attack vector. They work. They’re getting better. It’s just hard to stop,” says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.

Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as “Byzantine Anchor,” “Byzantine Candor,” and “Byzantine Foothold.” A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.

A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. “Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks” which succeeded in “gaining access to hundreds of (U.S. government) and cleared defense contractor systems,” the cable said. The emails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.

By the way, reading this blog entry might be illegal under the U.S. Espionage Act:

Dear Americans: If you are not “authorized” personnel, but you have read, written about, commented upon, tweeted, spread links by “liking” on Facebook, shared by email, or otherwise discussed “classified” information disclosed from WikiLeaks, you could be implicated for crimes under the U.S. Espionage Act—or so warns a legal expert who said the U.S. Espionage Act could make “felons of us all.”

As the U.S. Justice Department works on a legal case against WikiLeaks’ Julian Assange for his role in helping publish 250,000 classified U.S. diplomatic cables, authorities are leaning toward charging Assange with spying under the Espionage Act of 1917. Legal experts warn that if there is an indictment under the Espionage Act, then any citizen who has discussed or accessed “classified” information can be arrested on “national security” grounds.

Maybe I should have warned you at the top of this post.

Posted on April 18, 2011 at 9:33 AM

U.S. Strategy to Prevent Leaks is Leaked

As the article says, it doesn’t get any more ironic than that.

More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.

Me:

I think the government is learning what the music and movie industries were forced to learn years ago: it’s easy to copy and distribute digital files. That’s what’s different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it’s trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don’t know what those new models will be, but they will be different.

The more I think about it, the more I see this as yet another example of the Internet making information available. It’s done that to the music and movie industry. It’s done that to corporations and other organizations. And it’s doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.

Shutting WikiLeaks down won’t stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.

EDITED TO ADD (1/27): The story turned out to be too good to be true; it’s been retracted.

Posted on January 27, 2011 at 6:22 AM

WikiLeaks

I don’t have a lot to say about WikiLeaks, but I do want to make a few points.

1. Encryption isn’t the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and—so it seems—put into an archive on SIPRNet, where lots of people had access to them in their unencrypted form.

2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.

3. I’m not surprised these cables were available to so many people. We know access control is hard, and it’s impossible to know beforehand what information people will need to do their jobs. What is surprising is that there weren’t any audit logs kept about who accessed all these cables. That seems like a no-brainer.

4. This has little to do with WikiLeaks. WikiLeaks is just a website. The real story is that “least trusted person” who decided to violate his security clearance and make these cables public. In the 1970s, he would have mailed them to a newspaper. Today, he used WikiLeaks. Tomorrow, he will have his choice of a dozen similar websites. If WikiLeaks didn’t exist, he could have made them available via BitTorrent.

5. I think the government is learning what the music and movie industries were forced to learn years ago: it’s easy to copy and distribute digital files. That’s what’s different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it’s trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don’t know what those new models will be, but they will be different.

EDITED TO ADD (12/10): Me in The Economist:

The State Department has learned what the music and film industries learned long ago: that digital files are easy to copy and distribute, says Bruce Schneier, a security expert. Companies are about to make that discovery, too. There will be more leaks, and they will be embarrassing.

Posted on December 9, 2010 at 5:50 AM

Never Let the Terrorists Know How We’re Storing Road Salt

This seems not to be a joke:

The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk.

[…]

Chiaffarano filed an OPRA request for the state’s building plans, but was denied her request as the state cited a 2002 executive order by Gov. James McGreevey.

The order, issued in the wake of the Sept. 11 terrorist attacks on the World Trade Center and the Pentagon, allows the state to decline the release of public records that would compromise the state’s ability to “protect and defend the state and its citizens against acts of sabotage or terrorism.”

Lisa Ryan, spokeswoman for the Department of Community Affairs, declined to comment on the pending lawsuit.

Posted on December 8, 2010 at 2:27 PM

Camouflaging Test Cars

Interesting:

In an effort to shield their still-secret products from prying eyes, automakers testing prototype models, often in the desert and at other remote locales, have long covered the grilles and headlamps with rubber, vinyl and tape—the perfunctory equivalent of masks and hats. Now the old materials are being replaced or supplemented with patterned wrappings applied like wallpaper. Test cars are wearing swirling paisley patterns, harlequin-style diamonds and cubist zigzags.

Posted on November 12, 2010 at 6:28 AM
