
25 July 2016

Comments

Babak Makkinejad

TTG:

I was not, just as I was not when Admiral Poindexter and Col. North did not suffer any serious troubles.

The Twisted Genius

Babak,

Damned good point.

Old Microbiologist

Nicely put together! Thanks.

Old Microbiologist

Pertinent to note it was WJC who gutted HUMINT. http://blog.stephenleary.com/2008/09/intelligence-budgets-during-clinton.html

Ishmael Zechariah

TTG,

Is it probable that, in addition to ghosts, there are also spooks in the system?

Ishmael Zechariah

The Twisted Genius

IZ,

Most definitely. Well put.

Sam Peralta

TTG

IT security is more than software & systems, it is also about process. What are the processes to ensure that information on and transmitted between computer systems is secure? Many believe that getting the latest firewall or IDS or some other whizbang will keep their servers secure. But if the guy with root access has a password called root or Admin, all the big bucks spent ain't gonna make a difference.

Similarly, when Hillary decided she was going to use her home-based servers for all sensitive State Dept communications, it would be obvious there would be unauthorized access.

The tools available to beat access control are getting more sophisticated. And the Chinese and the Russians are persistent and have a lot of people working on hacking into all IT infrastructure not just the federal government's systems. People want convenience and they're lazy. Convenience means more vulnerabilities and laziness means more opportunities.

Karl Kolchack

I happen to know first hand that all State Department employees are required to take an online cybersecurity examination every year in order to maintain access to the system, and that there is an entire section on the examination regarding phishing and how to avoid being victimized by it. It is also a fact that on at least one occasion several years ago, the State Department was forced to fire one of its contractor IT professionals who committed visa fraud when he immigrated from China.

The huge number of Chinese immigrants who work for DC area Beltway Bandit contractors would be a huge surprise to most Americans, and given the slipshod way most employee background investigations are handled (also by contractors), the surprise isn't that government computer systems are being compromised, it's that it doesn't happen even more often.

Cee

TTG,

Fascinating. Thank you.

I also wanted to put the consequences of Clinton’s unauthorized basement email server in perspective.

Assange said that in his next dump of emails he proves that she had one declassified to send through an unsecure server. Plus some tied to the Clinton Foundation. Seems worse than Nixon.

Erik

The private, now sterilized, email server is a classic.
You can have a system secured behind a high level firewall with key personnel allowed access via VPN/SSH. If those people are careless about saving the login credentials on a home computer and they leave the computer on 24/7, connected to the net, all the hacker needs to do is compromise the home computer (easy as falling out of bed) and he's in with all he needs to access the secured network.
I know this because I employ such systems.

This was a housewife's amateur move. And she "would be king"?

Glenn G

What amazes me is that few people understand just how devastating this OPM breach was. Nearly every U.S. military member's personal information. And, information on their family members and friends (references). How handy do you think it would be for an enemy to have all the addresses and personal cell numbers of USAF colonels and generals or the names and addresses of all their children and immediate family members? Or the addresses and cell numbers of colleagues of Raytheon executives? Or special agents for DSS, IRS, et al.? And this is just information off of the SF-86. Any criminal, psychological, drug, alcohol issues discussed during the interview would be available to the OPM hackers.

What makes this whole thing orders of magnitude more egregious is that the vulnerability was due in part to incompetent government bureaucracy and greed-based private contracting companies. The initial breach came through KeyPoint, a private (profit über alles) company owned by a private equity firm (read reviews by their investigators on Glassdoor). USIS, the biggest private company doing OPM investigations, lost the contract after they were falsifying investigations and dumping them for profit. And now KeyPoint employees formerly employed by USIS are saying KeyPoint is now much worse than USIS ever was. But OPM is desperate and relies on the private companies to do most of the [box-checking] investigative work. But it all becomes more outrageous when you learn more about it.

OPM uses the Department of Interior’s IT. As the tech blog Arstechnica explains:

“The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center, and the central database behind “EPIC,” the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.”

http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/

Around the same time it was discovered that Assistant Director of IT at the Department of Interior, Faisal Ahmed, faked having college degrees. He didn’t have any, but made fake diplomas and transcripts to put in his federal employment file. He faked a bachelor’s degree from the University of Wisconsin and a master’s degree from the University of Central Florida. This went on for a half-decade and no one found out. It was only because of an inquisitive alumni person from the University of Central Florida that this was uncovered.

National Journal (7/15/2015): How a Federal Employee with Fake Diplomas Worked at the Department of the Interior for Five Years
http://www.nationaljournal.com/tech/how-a-federal-employee-with-fake-diplomas-worked-at-the-department-of-the-interior-for-five-years-20150715

The system OPM is using can't be encrypted because it is a DOS (disk operating system)-based, COBOL-programmed system.

COBOL and Outdated Technology Cited as Factors in OPM Hack
http://www.fedtechmagazine.com/article/2015/06/cobol-and-outdated-technology-cited-factors-opm-hack

In 2015 people in the OPM investigations field were sure heads would roll and security clearance investigations would be stripped from OPM, a big bureaucratic government HR agency, and returned to DoD. But the reforms by Clapper and ODNI resulted in nothing more than more bureaucratic BS. Oh, and a name change (from OPM-FIS [Federal Investigative Service] to OPM-NBIB [National Background Investigation Bureau]). But there is rumor of some changes in the process this fall. I wouldn't expect much.

Glenn G

Sorry, that National Journal link is bad. Here's a good one on the subject of Faisal Ahmed, former IT Asst. Director at Dept of Interior: http://www.govexec.com/pay-benefits/2015/07/ig-fed-fake-diplomas-worked-interior-five-years/117934/

C Webb

The Clintons have connections with the hacking community going way back...

https://www.youtube.com/watch?v=oqQUuZ3RAOg

Lesly

TTG,

In the 90s it was the Clipper chip. Today it's building back doors into hard/software couched in lazy security reasons. http://www.thenewamerican.com/tech/computers/item/22701-mcafee-gov-t-backdoors-are-destroying-national-security

Does the USG safeguard information and assets against its own successful breaches when systems are updated?

Tyler

Karl,

Yeah, but it's racist to notice that.

Brunswick

The Sony Server's Admin passwords were "password".

Origin

Could it be that Hillary's computers were less hacked than the DOS computers and thus, more secure in reality?

The Twisted Genius

Brunswick,

A lot of routers and switches had default passwords and default services active when I was working the scene. These devices are most often sitting out of sight in a data center so they are forgotten until something goes wrong.

The Twisted Genius

Origin,

It's possible that her email server wasn't hacked, but that would only be an attempt at security through obscurity. Any .mil or .gov address is a magnet for hackers. Given that she was Secretary of State, she really could not rely on security through obscurity. My guess is her server was hacked no more and no less than the DOS networks.

The Twisted Genius

Lesly,

No. The IC is more interested in exploiting back doors and vulnerabilities in target systems than in protecting our nation's information systems from outside enemies. Half of NSA is supposed to do this, but I don't see it being done.

I worked with JTF-CND (Joint Task Force - Computer Network Defense) for a while. They were dedicated to the mission and I enjoyed supporting them. They were eventually subsumed into Cyber Command. I don't know how the defense mission is handled now within our government.

Freudenschade

TTG,

It's possible that HRC's server was a vector for attacks, but without a whole lot more info than is in these links, it's hard to come to any conclusions.

I am surprised that they have had such difficulties eradicating the infection. Given the stakes involved, I would have expected a radical solution, such as a staged physical and digital replacement via an encrypted, internal firewalled network that treats the DOS network as hostile territory. Replacing certain software systems that have infected backups might be a challenge, but going back to from-scratch installations and data-only restores is a possible way around that.

It is hard to know without more information. Some of those guys at the NSA are no dummies (hi, Dr. Bob :-)), but the sophistication of attacks has increased tremendously (don't forget to turf printers, routers, switches and networked devices).

Imagine

COBOL was obsolete by the late '70s. You have GOT to be kidding me.

robt willmann

Shifting so much of operations to computers -- the "paperless" office idea -- has created many more problems than it has solved. Even courts are held hostage to it. Because most bankruptcy paperwork for filing in court consists of forms, federal bankruptcy courts started experimenting with electronic forms and scanning of forms and paperwork. Then they went to mostly an electronic filing system with electronic files. That more or less worked, because of the heavy use of forms. But then the promoters of electronic filing went after the other, non-bankruptcy, federal courts to get them to use electronic filing. Unfortunately, they did so. Then State courts got romanced into it. It is an absolute mess. The State court clerks I know in Texas hate it. It has become another example of private companies making a lot of money from providing the computer and filing software, the computers receiving the files, and maintenance and storage for the court electronic filing system, which has added extra filing fees to each case filed.

I wonder what computer operating system the U.S. State Department uses? Microsoft Windoze, the walking security hole? Putting all the Office of Personnel Management files on a computer system was just asking for trouble, and they got it.

Then there was the odd event earlier this year when the Justice Department and FBI went after Apple Computer using the All Writs Act to try to force a backdoor into Apple's cellular phone software. The reason was a cell phone from the San Bernardino, California incident that they said they could not unlock. The iconoclastic John McAfee, a computer programmer who tried (unsuccessfully) to be the Libertarian Party candidate for president this year, publicly offered to unlock the cell phone in question for free, and finally explained how--

https://www.youtube.com/watch?v=MG0bAaK7p9s

McAfee also made the startling statement in at least two other interviews that a young person had hacked into the FBI computer system around early February of this year and made off with a lot of records. No media outlet picked up on the story, and the government has been completely silent about it otherwise.

McAfee has also commented on the fact that some talented computer programmers and hackers appear quite odd in both demeanor and appearance, and so the government gets the jitters and usually will not hire them.

Clifford Stoll, an unusual personality himself, was involved in investigating the "Internet Worm" back in the 1980s. Brian Lamb of C-Span interviewed him in 1989, and worked to keep his own composure while doing so. One of Cliff Stoll's books is "Silicon Snake Oil". He gave a talk after that book was published in 1996--

https://www.c-span.org/video/?71065-1/second-thoughts-information-highway

One of the most foolhardy things to be developed is using computers to run the electrical grid. Much of the grid could likely be brought down and crashed by hacking into the controlling computer systems themselves; you would not even need an electromagnetic pulse device to fry the computer chips in the controlling computers. Anyone desiring to cause great damage and havoc does not need nuclear weapons. They would only have to attack the computers that control the electrical grids.

And a computer-controlled grid does not even save a lot of money, if any. A couple of years ago I went to a legal seminar about energy law, and one lecture was about the computer system that controlled the electrical grid in Texas, which is pretty much a standalone, independent system. I asked the presenter whether the computers made electricity cheaper. His answer boiled down to, "well, maybe sometimes, but not necessarily".

b

Another unfounded bashing of COBOL and related technologies.

Note: COBOL in current standards is as modern as most other programming languages. COBOL code is in no way more vulnerable than other code. COBOL has the incredible advantage of being readable, structured and easily maintained. Grab some 30 year old stuff written in COBOL and, for example, C. Try to understand and modify both correctly. COBOL modifications will take you only a tenth of the time that you would spend on some C fragments.

People who claim COBOL is old and must therefore be replaced do not know what they are talking about. They have never been in a highly administrative organization (like a bank) which has to run and maintain hundreds of different detailed procedures. These systems may be "old" but they do what they are supposed to do. There is absolutely no reason to change them unless you are a contractor who sees big dollars coming your way.

Likewise DOS. It can be encrypted like any other disk operating system with the tools designed for it. There is no inherent limit.
---

I have written system level drivers in Assembler and C, industrial process controls in Fortran and Pascal variants and highly administrative systems in COBOL. Each language has its justification in its realm. To kick COBOL out from administrative environments (and replace it by what? eternal sins like Java?) might be profitable for some but makes otherwise no sense at all.

Brunswick

When I sat at a desk, every 4 months I had to change my passwords.

They could not be the same password over all platforms, had to be a minimum of 12 characters, not form an English word, include at least 2 numbers, one capital, and two punctuation pieces.

I kept my passwords written down on a slip of paper kept in my watch back, usually only needed to refer to it for the first couple of weeks after the change.

Most of the other people in the cubicle farm kept theirs on a post-it note attached to the underside of their keyboards.

And of course, the quarterly IT presentations on Security, e-mail, file sharing had no significant impact on the bi-monthly "Anna Kournikova Naked!" episode or the monthly "send all" flame out embarrassment.

Humans are humans, but sometimes they are just lazy.
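As an added example (not code from the original post or any commenter), here is a Python checker for the password policy Brunswick describes above, together with the four-month rotation interval; it also rejects the plain "password" case from his earlier Sony comment. The word list, the stored prior-password digests and the sample inputs are constructed assumptions, not data from any real system.

```python
import hashlib
import string

# Constructed stand-in for a dictionary word list (assumption, not real data).
WORDLIST = {"password", "welcome", "administrator", "letmein"}


def fingerprint(password):
    """Digest used to compare against passwords in use on other platforms, so the
    checker never stores their plaintext (a production system would use a slow
    password hash; SHA-256 here is only an illustration)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, used_elsewhere=frozenset(), wordlist=WORDLIST):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if sum(c.isdigit() for c in candidate) < 2:
        problems.append("fewer than 2 digits")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if sum(c in string.punctuation for c in candidate) < 2:
        problems.append("fewer than 2 punctuation characters")
    # "not form an English word": the letters alone must not spell a listed word,
    # so Password12!! is rejected even though it satisfies every count above.
    if "".join(c for c in candidate if c.isalpha()).lower() in wordlist:
        problems.append("letters spell a dictionary word")
    if fingerprint(candidate) in used_elsewhere:
        problems.append("already used on another platform")
    return problems


def rotation_due(last_changed_iso, today_iso, months=4):
    """True once `months` calendar months have passed since the last change.
    Dates are ISO strings (YYYY-MM-DD)."""
    ly, lm, ld = (int(x) for x in last_changed_iso.split("-"))
    ty, tm, td = (int(x) for x in today_iso.split("-"))
    elapsed = (ty - ly) * 12 + (tm - lm)
    return elapsed > months or (elapsed == months and td >= ld)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("password"))        # the Sony case: fails five rules
    print(check_password("Password12!!"))    # counts pass, dictionary core fails
    print(check_password("Tr0ub4dor!!xyz"))  # passes every rule
    print(rotation_due("2016-03-25", "2016-07-25"))
```

Brunswick's own account shows the failure mode such rules invite: a policy this strict pushes users to write passwords down, so a checker like this is only one piece of the process Sam Peralta's comment calls for.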
