I was as surprised as most when FBI Director Comey recommended no charges for Clinton over her email server shenanigans. I thought there would be more comments about the way she had the email server sterilized before it was handed over to the FBI. Smells like obstruction of justice to me. To make matters worse, the sterilization sabotaged efforts to investigate the massive 2014 breach of the State Department email system. This 19 Feb 2015 article from the Wall Street Journal touches on the extent of that breach.
******************************
Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn’t been able to evict them from the department’s network, according to three people familiar with the investigation. Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter said. Each time investigators find a hacker tool and block it, these people said, the intruders tweak it slightly to attempt to sneak past defenses.
Investigators believe that hackers first snuck into State Department computers last fall after an employee clicked on a bogus link in an email referring to administrative matters, a type of attack known as a “phish.” That loaded malicious software onto the computer—a common hacker trick that has worked in countless corporate and government breaches.
From there, the hackers spread through the State Department’s sprawling network that includes machines in thousands of offices across the U.S., embassies and other outposts. It isn’t clear why the hackers were able to gain such wide access and whether the State Department routinely cordons off portions of its network to limit such maneuvers. (WSJ)
******************************
Could Clinton’s basement email server have been the key that allowed the wider DOS system hack? Unfortunately, the answer to that depends on your political position. We’ll never know for sure since that server was sterilized before it could be analyzed. The open source articles of a year ago attribute the hack to a DOS employee who opened a phishing email enclosure. Could be, but I doubt that’s the end of the story. Why were the DOS and NSA still having trouble eradicating the hostile code in the system months after discovering the breach? Well it’s my not so humble (in this case) opinion that the NSA and DOS are fools if they believe this phishing attack is the only source of malicious code in this system. Prior to Clinton even becoming Secretary of State, I knew hackers were infesting the DOS system and many other government systems. Most of these were kids, although some had government connections. They were in the routers and switches. I bet they’re still there. That’s far more insidious than hacking email servers.
At the time, this DOS breach was billed as the worst attack ever against a government agency. Unfortunately, the DOS didn’t hold that dubious record for long. The OPM breach was announced in April 2015. This 8 Jun 2015 article from Ars Technica, “Why the ‘biggest government hack ever’ got past the feds,” is quite informative.
******************************
In April [2015], federal authorities detected an ongoing remote attack targeting the United States' Office of Personnel Management (OPM) computer systems. This situation may have gone on for months, possibly even longer, but the White House only made the discovery public last Friday. While the attack was eventually uncovered using the Department of Homeland Security's (DHS) Einstein—the multibillion-dollar intrusion detection and prevention system that stands guard over much of the federal government's Internet traffic—it managed to evade this detection entirely until another OPM breach spurred deeper examination.
While anonymous administration officials have blamed China for the attack (and many in the security community believe that the attack bears the hallmark of Chinese state-sponsored espionage), no direct evidence has been offered. The FBI blamed a previous breach at an OPM contractor on the Chinese, and security firm iSight Partners told The Washington Post that this latest attack was linked to the same group that breached health insurer Anthem.
The OPM hack is just the latest in a series of federal network intrusions and data breaches, including recent incidents at the Internal Revenue Service, the State Department, and even the White House. These attacks have occurred despite the $4.5 billion National Cybersecurity and Protection System (NCPS) program and its centerpiece capability, Einstein. Falling under the Department of Homeland Security's watch, that system sits astride the government's trusted Internet gateways. Einstein was originally based on deep packet inspection technology first deployed over a decade ago, and the system's latest $218 million upgrade was supposed to make it capable of more active attack prevention. But the traffic flow analysis and signature detection capabilities of Einstein, drawn from both DHS traffic analysis and data shared by the National Security Agency, appear to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks. Once such attacks are executed, they tend to look like normal network traffic. (Ars Technica)
******************************
The cyber defense community put all its eggs into the Einstein basket. Isn’t that the American way? They put all their hopes and dreams into a massive technical solution. I was a voice in the wilderness arguing for a stronger HUMINT effort. Oh well. Rage against the machine.
This 29 Sep 2015 Washington Post article shows a real life impact of this attack. I wrote of some of the potential impact of this data breach some time ago.
******************************
The CIA pulled a number of officers from the U.S. Embassy in Beijing as a precautionary measure in the wake of the massive cybertheft of the personal data of federal employees, current and former U.S. officials said. The move is a concrete impact of the breach, one of two major hacks into Office of Personnel Management computers that were disclosed earlier this year. Officials have privately attributed the hacks to the Chinese government. Because the OPM records contained the background checks of State Department employees, officials privately said the Chinese could have compared those records with the list of embassy personnel. Anybody not on that list could be a CIA officer. (Washington Post)
******************************
This 31 Aug 2015 Ars Technica article, “China and Russia cross-referencing OPM data, other hacks to out spies,” alludes to something that I discovered through my time exploring the world of hackers. They are different. They decide who they will trust, share with, hide from and lie to based on their own thought processes and mores. Russian and Chinese intelligence and cyber security agencies have tolerated and sometimes embraced this difference much more effectively than our own IC.
******************************
The identities of a group of American technical experts who have provided assistance to covert operations by the US government overseas have been compromised as the result of cross-referencing of data from the Office of Personnel Management (OPM) and other recent data breaches, according to a Los Angeles Times report. The Times' Brian Bennet and W. J. Hennigan cited allegations from two US officials speaking under the condition of anonymity that Chinese and Russian intelligence agencies have worked with both private software companies and criminal hacking rings to obtain and analyze data. (Ars Technica)
******************************
I wrote this post and assembled these articles partially in response to Colonel Lang’s question, “Who would the Russian “hackers” have been?” Russia, China, Israel, Wikileaks and many other entities have a wealth of information that they can use whenever they want to the best of their advantage. Or one of these entities can get a wild hair up their ass and release something juicy just for shits and grins. Those who we refer to as “non-state hackers” are far more technically sophisticated, ingenious and patient than what we think. They may not be as socially and politically adept as the critters that infest Washington D.C., but that’s what draws me to them. Don’t ever sell them short.
I also wanted to put the consequences of Clinton’s unauthorized basement email server in perspective without excusing her egregious actions in this matter.
As a parting thought, I recommend the USA Network series “Mr. Robot.” It’s the most realistic depiction of the hacker world I’ve seen without actually participating in that world. The second season recently started. Here’s the plot summary from USA Network. That’s a scene from the show in the above picture.
“Young, anti-social computer programmer Elliot works as a cybersecurity engineer during the day, but at night he is a vigilante hacker. He is recruited by the mysterious leader of an underground group of hackers to join their organization. Elliot's task? Help bring down corporate America, including the company he is paid to protect, which presents him with a moral dilemma. Although he works for a corporation, his personal beliefs make it hard to resist the urge to take down the heads of multinational companies that he believes are running -- and ruining -- the world.”
TTG
TTG:
I was not, just as I was not when Admiral Poindexter and Col. North did not suffer any serious troubles.
Posted by: Babak Makkinejad | 25 July 2016 at 02:24 PM
Babak,
Damned good point.
Posted by: The Twisted Genius | 25 July 2016 at 02:32 PM
Nicely put together! Thanks.
Posted by: Old Microbiologist | 25 July 2016 at 02:46 PM
Pertinent to note it was WJC who gutted HUMINT. http://blog.stephenleary.com/2008/09/intelligence-budgets-during-clinton.html
Posted by: Old Microbiologist | 25 July 2016 at 02:48 PM
TTG,
Is it probable that, in addition to ghosts, there are also spooks in the system?
Ishmael Zechariah
Posted by: Ishmael Zechariah | 25 July 2016 at 02:49 PM
IZ,
Most definitely. Well put.
Posted by: The Twisted Genius | 25 July 2016 at 02:52 PM
TTG
IT security is more than software & systems, it is also about process. What are the processes to ensure that information on and transmitted between computer systems is secure? Many believe that getting the latest firewall or IDS or some other whizbang will keep their servers secure. But if the guy with root access has a password called root or Admin, all the big bucks spent ain't gonna make a difference.
Similarly, when Hillary decided she was going to use her home-based servers for all sensitive State Dept communications, it would be obvious there would be unauthorized access.
The tools available to beat access control are getting more sophisticated. And the Chinese and the Russians are persistent and have a lot of people working on hacking into all IT infrastructure not just the federal government's systems. People want convenience and they're lazy. Convenience means more vulnerabilities and laziness means more opportunities.
Posted by: Sam Peralta | 25 July 2016 at 03:59 PM
I happen to know first hand that all State Department employees are required to take an online cybersecurity examination every year in order to maintain access to the system, and that there is an entire section on the examination regarding phishing and how to avoid being victimized by it. It is also a fact that on at least one occasion several years ago, the State Department was forced to fire one of its contractor IT professionals who committed visa fraud when he immigrated from China.
The huge number of Chinese immigrants who work for DC area Beltway Bandit contractors would be a huge surprise to most Americans, and given the slipshod way most employee background investigations are handled (also by contractors), the surprise isn't that government computer systems are being compromised, it's that it doesn't happen even more often.
Posted by: Karl Kolchack | 25 July 2016 at 05:32 PM
TTG,
Fascinating. Thank you.
I also wanted to put the consequences of Clinton’s unauthorized basement email server in perspective
Assange said that in his next dump of emails he proves that she had one declassified to send through an unsecure server. Plus some tied to the Clinton Foundation.
Seems worse than Nixon.
Posted by: Cee | 25 July 2016 at 06:51 PM
The private, now sterilized, email server is a classic.
You can have a system secured behind a high level firewall with key personnel allowed access via VPN/SSH. If those people are careless about saving the login credentials on a home computer and they leave the computer on 24/7, connected to the net, all the hacker needs to do is compromise the home computer (easy as falling out of bed) and he's in with all he needs to access the secured network.
I know this because I employ such systems.
This was a housewife's amateur move. And she "would be king"?
Posted by: Erik | 25 July 2016 at 06:54 PM
What amazes me is that few people understand just how devastating this OPM breach was. Nearly every U.S. military member's personal information. And, information on their family members and friends (references). How handy do you think it would be for an enemy to have all the addresses and personal cell numbers of USAF colonels and generals or the names and addresses of all their children and immediate family members? Or the addresses and cell numbers of colleagues of Raytheon executives? Or special agents for DSS, IRS, et al.? And this is just information off of the SF-86. Any criminal, psychological, drug, alcohol issues discussed during the interview would be available to the OPM hackers.
What makes this whole thing orders of magnitude more egregious is that the vulnerability was due in part to incompetent government bureaucracy and greed-based private contracting companies. The initial breach came through KeyPoint, a private (profit über alles) company owned by a private equity firm (read reviews by their investigators on Glassdoor). USIS, the biggest private company doing OPM investigations, lost the contract after they were falsifying investigations and dumping them for profit. And now KeyPoint employees formerly employed by USIS are saying KeyPoint is now much worse than USIS ever was. But OPM is desperate and relies on the private companies to do most of the [box-checking] investigative work. But it all becomes more outrageous when you learn more about it.
OPM uses the Department of Interior’s IT. As the tech blog Ars Technica explains:
“The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center, and the central database behind “EPIC,” the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.”
http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/
Around the same time it was discovered that Assistant Director of IT at the Department of Interior, Faisal Ahmed, faked having college degrees. He didn’t have any, but made fake diplomas and transcripts to put in his federal employment file. He faked a bachelor’s degree from the University of Wisconsin and a master’s degree from the University of Central Florida. This went on for a half-decade and no one found out. It was only because of an inquisitive alumni person from the University of Central Florida that this was uncovered.
National Journal (7/15/2015): How a Federal Employee with Fake Diplomas Worked at the Department of the Interior for Five Years
http://www.nationaljournal.com/tech/how-a-federal-employee-with-fake-diplomas-worked-at-the-department-of-the-interior-for-five-years-20150715
The system OPM is using can't be encrypted because it is a DOS (disk operating system)-based, COBOL-programmed system.
COBOL and Outdated Technology Cited as Factors in OPM Hack
http://www.fedtechmagazine.com/article/2015/06/cobol-and-outdated-technology-cited-factors-opm-hack
In 2015 people in the OPM investigations field were sure heads would roll and security clearance investigations would be stripped from OPM, a big bureaucratic government HR agency, and returned to DoD. But the reforms by Clapper and ODNI resulted in nothing more but more bureaucratic BS. Oh, and a name change (from OPM-FIS [Federal Investigative Service] to OPM-NBIB [National Background Investigation Bureau]). But there is rumor of some changes in the process this fall. I wouldn't expect much.
Posted by: Glenn G | 25 July 2016 at 07:22 PM
Sorry, that National Journal link is bad. Here's a good one on the subject Faisal Ahmed, former IT Asst. Director at Dept of Interior: http://www.govexec.com/pay-benefits/2015/07/ig-fed-fake-diplomas-worked-interior-five-years/117934/
Posted by: Glenn G | 25 July 2016 at 07:38 PM
The Clintons have connections with the hacking community going way back...
https://www.youtube.com/watch?v=oqQUuZ3RAOg
Posted by: C Webb | 25 July 2016 at 07:40 PM
TTG,
In the 90s it was the Clipper chip. Today it's building back doors into hard/software couched in lazy security reasons. http://www.thenewamerican.com/tech/computers/item/22701-mcafee-gov-t-backdoors-are-destroying-national-security
Does the USG safeguard information and assets against its own successful breaches when systems are updated?
Posted by: Lesly | 25 July 2016 at 07:54 PM
Karl,
Yeah, but it's racist to notice that.
Posted by: Tyler | 25 July 2016 at 08:26 PM
The Sony Server's Admin passwords, were "password".
Posted by: Brunswick | 25 July 2016 at 08:34 PM
Could it be that Hillary's computers were less hacked than the DOS computers and thus, more secure in reality?
Posted by: Origin | 25 July 2016 at 08:49 PM
Brunswick,
A lot of routers and switches had default passwords and default services active when I was working the scene. These devices are most often sitting out of sight in a data center so they are forgotten until something goes wrong.
Posted by: The Twisted Genius | 25 July 2016 at 09:14 PM
Origin,
It's possible that her email server wasn't hacked, but that would only be an attempt at security through obscurity. Any .mil or .gov address is a magnet for hackers. Given that she was Secretary of State, she really could not rely on security through obscurity. My guess is her server was hacked no more and no less than the DOS networks.
Posted by: The Twisted Genius | 25 July 2016 at 09:27 PM
Lesly,
No. The IC is more interested in exploiting back doors and vulnerabilities in target systems than in protecting our nation's information systems from outside enemies. Half of NSA is supposed to do this, but I don't see it being done.
I worked with JTF-CND (Joint Task Force - Computer Network Defense) for a while. They were dedicated to the mission and I enjoyed supporting them. They were eventually subsumed into Cyber Command. I don't know how the defense mission is handled now within our government.
Posted by: The Twisted Genius | 25 July 2016 at 09:37 PM
TTG,
It's possible that HRC's server was a vector for attacks, but without a whole lot more info than is in these links, it's hard to come to any conclusions.
I am surprised that they have had such difficulties eradicating the infection. Given the stakes involved, I would have expected a radical solution, such as a staged physical and digital replacement via an encrypted, internal firewalled network that treats the DOS network as hostile territory. Replacing certain software systems that have infected backups might be a challenge, but going back to from-scratch installations and data-only restores is a possible way around that.
It is hard to know without more information. Some of those guys at the NSA are no dummies (hi, Dr. Bob :-)), but the sophistication of attacks has increased tremendously (don't forget to turf printers, routers, switches and networked devices).
Posted by: Freudenschade | 25 July 2016 at 10:35 PM
COBOL was obsolete by the late '70's. You have GOT to be kidding me.
Posted by: Imagine | 25 July 2016 at 10:43 PM
Shifting so much of operations to computers -- the "paperless" office idea -- has created many more problems than it has solved. Even courts are held hostage to it. Because most bankruptcy paperwork for filing in court consists of forms, federal bankruptcy courts started experimenting with electronic forms and scanning of forms and paperwork. Then they went to mostly an electronic filing system with electronic files. That more or less worked, because of the heavy use of forms. But then the promoters of electronic filing went after the other, non-bankruptcy, federal courts to get them to use electronic filing. Unfortunately, they did so. Then State courts got romanced into it. It is an absolute mess. The State court clerks I know in Texas hate it. It has become another example of private companies making a lot of money from providing the computer and filing software, the computers receiving the files, and maintenance and storage for the court electronic filing system, which has added extra filing fees to each case filed.
I wonder what computer operating system the U.S. State Department uses? Microsoft Windoze, the walking security hole? Putting all the Office of Personnel Management files on a computer system was just asking for trouble, and they got it.
Then there was the odd event earlier this year when the Justice Department and FBI went after Apple Computer using the All Writs Act to try to force a backdoor into Apple's cellular phone software. The reason was a cell phone from the San Bernardino, California incident that they said they could not unlock. The iconoclastic John McAfee, a computer programmer who tried (unsuccessfully) to be the Libertarian Party candidate for president this year, publicly offered to unlock the cell phone in question for free, and finally explained how--
https://www.youtube.com/watch?v=MG0bAaK7p9s
McAfee also made the startling statement in at least two other interviews that a young person had hacked into the FBI computer system around early February of this year and made off with a lot of records. No media outlet picked up on the story, and the government has been completely silent about it otherwise.
McAfee has also commented on the fact that some talented computer programmers and hackers appear quite odd in both demeanor and appearance, and so the government gets the jitters and usually will not hire them.
Clifford Stoll, an unusual personality himself, was involved in investigating the "Internet Worm" back in the 1980's. Brian Lamb of C-Span interviewed him in 1989, and worked to keep his own composure while doing so. One of Cliff Stoll's books is "Silicon Snake Oil". He gave a talk after that book was published in 1996--
https://www.c-span.org/video/?71065-1/second-thoughts-information-highway
One of the most foolhardy things to be developed is using computers to run the electrical grid. Much of the grid could likely be brought down and crashed by hacking into the controlling computer systems themselves; you would not even need an electromagnetic pulse device to fry the computer chips in the controlling computers. Anyone desiring to cause great damage and havoc does not need nuclear weapons. They would only have to attack the computers that control the electrical grids.
And a computer-controlled grid does not even save a lot of money, if any. A couple of years ago I went to a legal seminar about energy law, and one lecture was about the computer system that controlled the electrical grid in Texas, which is pretty much a standalone, independent system. I asked the presenter whether the computers made electricity cheaper. His answer boiled down to, "well, maybe sometimes, but not necessarily".
Posted by: robt willmann | 25 July 2016 at 11:20 PM
Another unfounded bashing of COBOL and related technologies.
Note: COBOL in current standards is as modern as most other programming languages. COBOL code is in no way more vulnerable than other code. COBOL has the incredible advantage of being readable, structured and easily maintained. Grab some 30-year-old stuff written in COBOL and, for example, C. Try to understand and modify both correctly. COBOL modifications will take you only a tenth of the time you would spend on some C fragments.
People who claim COBOL is old and must therefore be replaced do not know what they are talking about. They have never been in a highly administrative organization (like a bank) which has to run and maintain hundreds of different detailed procedures. These systems may be "old" but they do what they are supposed to do. There is absolutely no reason to change them unless you are a contractor who sees big dollars coming your way.
Likewise DOS. It can be encrypted like any other disk operating system with the tools designed for it. There is no inherent limit.
---
I have written system level drivers in Assembler and C, industrial process controls in Fortran and Pascal variants and highly administrative systems in COBOL. Each language has its justification in its realm. To kick COBOL out from administrative environments (and replace it by what? eternal sins like Java?) might be profitable for some but makes otherwise no sense at all.
Posted by: b | 25 July 2016 at 11:29 PM
When I sat at a desk, every 4 months I had to change my passwords.
They could not be the same password over all platforms, had to be a minimum of 12 characters, not form an English word, include at least 2 numbers, one capital, and two punctuation pieces.
I kept my passwords written down on a slip of paper kept in my watch back, usually only needed to refer to it for the first couple of weeks after the change.
Most of the other people in the cubicle farm kept theirs on a post-it note attached to the underside of their keyboards.
And of course, the quarterly IT presentations on Security, e-mail, file sharing had no significant impact on the bi-monthly "Anna Kournikova Naked!" episode or the monthly "send all" flame out embarrassment.
Humans are humans, but sometimes they are just lazy.
Posted by: Brunswick | 26 July 2016 at 12:00 AM
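The password rules Brunswick lists (minimum 12 characters, not an English word, at least two digits, one capital and two punctuation characters, no reuse across platforms), together with the "root"/"Admin"/"password" default-credential problem raised by Sam Peralta, Brunswick and TTG earlier in the thread, are concrete enough to encode as a check. The following is an added example written for this page, not code from the post or from any of the commenters; the tiny dictionary wordlist and the sample accounts are constructed stand-ins, and a real deployment would load a full wordlist and the vendor's published defaults for each device.

```python
import string

# Constructed, deliberately tiny stand-in for a real dictionary (assumption,
# not from the post); a deployed check would load a full English wordlist.
DICTIONARY_WORDS = {"password", "welcome", "summer", "administrator", "letmein"}

# Default credentials named in the thread (root, Admin, password). A real
# audit would use each vendor's published default list instead.
DEFAULT_CREDENTIALS = {"root", "admin", "password"}

MIN_LENGTH = 12   # Brunswick's rules, as stated in the comment
MIN_DIGITS = 2
MIN_UPPER = 1
MIN_PUNCT = 2


def check_password(candidate, other_platform_passwords=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in candidate) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c.isupper() for c in candidate) < MIN_UPPER:
        problems.append("no capital letter")
    if sum(c in string.punctuation for c in candidate) < MIN_PUNCT:
        problems.append(f"fewer than {MIN_PUNCT} punctuation characters")

    # "Not an English word": reject the bare word and also the common dodge of
    # padding a dictionary word with digits/punctuation ("Password12!!").
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    if lowered in DEFAULT_CREDENTIALS:
        problems.append("is a default/vendor credential")
    if candidate in other_platform_passwords:
        problems.append("reused on another platform")
    return problems


def audit_accounts(accounts):
    """accounts: {(platform, user): password}. Returns {(platform, user): problems}.

    Each password is checked against the policy and against every other
    platform's password for the same user, so cross-platform reuse is caught.
    """
    report = {}
    for (platform, user), password in accounts.items():
        others = {pw for (p, u), pw in accounts.items()
                  if u == user and p != platform}
        report[(platform, user)] = check_password(password, others)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; "core-switch-1" stands in for the kind of
    # forgotten data-center device TTG describes still running its default login.
    sample = {
        ("core-switch-1", "admin"): "Admin",
        ("mail", "brunswick"): "Tq7!mv9#kzLp",
        ("vpn", "brunswick"): "Tq7!mv9#kzLp",
        ("crm", "sales"): "Password12!!",
    }
    for key, problems in audit_accounts(sample).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

The dictionary check strips digits and punctuation before the lookup on purpose: a policy that only counts character classes is satisfied by "Password12!!", which is exactly the kind of password that ends up on a post-it under the keyboard.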