CIA Email Hackers Return with Major Law Enforcement Breach (wired.com)
93 points by CPLX on Nov 7, 2015 | hide | past | favorite | 45 comments



>“Just to clear this up,” Cracka tweeted on Thursday about the breach of the JABS database. “CWA did, indeed, have access to everybody in USA’s private information, now imagine if we was Russia or China.”

If this is true, I'm a little surprised and disappointed. The U.S. can spend trillions on its military conflicts around the world, but can't do good cyber security? Even when handled with the highest precision, a massive cyber security team would be much less costly than building warships and the next space-age jet fighter, surely. How is it possible for a country with the resources of the U.S. to miss such important areas of technological security, such that a team of "crackas", as they call themselves, can come along and exploit it? Is awareness of the needs of the digital age really so far behind the technology itself?


As I mentioned in a recent thread[1], the government's approach to cybersecurity has been 100% offense. I suspect this may be a pre-network strategy being applied to a networked world, where concepts like border security and enumerating threats[2] actually worked.

In the late-80s/early-90s, I used to laugh at the common sci-fi trope of always having some convenient way to hack into anything. I originally assumed this was literary license[3]; surely nobody would actually be dumb enough to put critical systems on a publicly-accessible network! Well... I guess I was wrong. Not only were we stupid enough to connect everything to a network, some people are trying to start an entire industry based on the idea of plugging things into the internet.

We've simply gotten lucky so far; we have barely scratched the surface of what can be done. I know rare problems are notoriously hard to model. Getting people to properly prepare for these events or even simply understand the actual cost of failure can be incredibly difficult, but that doesn't mean the problem can be ignored.

I almost see a similarity to the martingale[4] betting strategy. It works ok until you get your first rare set of consecutive losses and you bottom out your bankroll. The core problem in martingale is that it requires you to have an unbounded pool of cash to work with, so maybe the answer in security is related to only accepting risks if the risk has known bounds.

[1] https://news.ycombinator.com/item?id=10482498

[2] http://www.ranum.com/security/computer_security/editorials/d...

[3] JMS has talked about the need for license when he wrote Babylon 5, where he said that the ships always move "at the speed of plot".

[4] https://en.wikipedia.org/wiki/Martingale_%28betting_system%2...


>the government's approach to cybersecurity has been 100% offense.

I also read your other comment that you posted in the comment:

>This is a serious problem, not only from the problems intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.

I agree. Yes, it's embarrassing, and they keep claiming "Do more Penetration Testing, more Vulnerability Scanning, more Risk assessment". Nobody even knows what the hell that even means, and we're still getting breached! The biggest mistake we've made is to claim, "a great offense is always the best defense."

We should be doing Security Compliance aka Defense in Depth! But everybody seems to think Defense in Depth is somehow different from Security Compliance.

>Defense in Depth is when multiple layers of security controls are placed throughout a critical environment. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.

If they actually went through the diligence of conforming with the security controls (ISO 27002, FEDRAMP, NIST 800-53) that they defined (much like financial compliance conforms to policies, standards, or laws), they'd be in a much more comprehensive shape. Even PCI-DSS...just replace the word cardholder data with sensitive data and you have more defense than whatever snake-oil Security Risk Plan is out there.

I champion for compliance =).


"Defense in Depth" is always important. The article I linked to above[2] about how it's incredibly stupid to try and enumerate badness (aka "default permit") has in its list other stupid excuses we hear all the time:

    "We don't need a firewall, we have good host security"
    "We don't need host security, we have a good firewall"
I bet the people that say that kind of nonsense have a lock on their server room door even after hiring a guard that watches the building's main entrance.

This kind of practical defense isn't the only thing we've been skipping. We need a lot more basic research into how to secure modern technology. We need a design culture that isn't building features that require insecurity.

It is limiting to think of this problem as a "cybersecurity" problem. These same technologies will create problems in all areas of life, so we need a lot more education about what capabilities exist and how they can be used. We need to be teaching people - from a very young age - what happens to your {meta,}data in a world with permanent data storage and powerful machine learning analysis. We need this education "yesterday", as these problems are not theoretical anymore[5].

[5] http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...
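The "enumerating badness" versus "default deny" distinction from the linked Ranum editorial, as an added example that is not code from the thread or from the editorial. It models a simplified inbound-connection policy both ways and shows which services end up reachable only because nobody had listed them yet; the ports, hosts and sample traffic are constructed for illustration.

```python
"""Default permit (enumerating badness) versus default deny.

Added example, not code from the thread or from the linked editorial.
It models a simplified inbound-connection policy so the difference between
the two stances is concrete. Ports, hosts and the sample traffic below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str
    dst_port: int
    proto: str  # "tcp" or "udp"


# Stance 1: enumerate badness. Everything is allowed unless it is on a list
# of things we already know are bad. (Constructed list.)
KNOWN_BAD_PORTS = {23, 445, 3389}  # telnet, SMB, RDP


def default_permit(conn: Connection) -> bool:
    """Return True if the connection is allowed under a blocklist policy."""
    return conn.dst_port not in KNOWN_BAD_PORTS


# Stance 2: enumerate goodness. Nothing is allowed unless it is explicitly
# on the list of services this host is supposed to expose. (Constructed.)
ALLOWED_SERVICES = {("tcp", 22), ("tcp", 443)}


def default_deny(conn: Connection) -> bool:
    """Return True if the connection is allowed under an allowlist policy."""
    return (conn.proto, conn.dst_port) in ALLOWED_SERVICES


# Constructed traffic sample: the services the admins intended to expose,
# plus a database that was stood up last week and nobody told security about.
SAMPLE_TRAFFIC = [
    Connection("203.0.113.10", 443, "tcp"),   # web, expected
    Connection("203.0.113.10", 22, "tcp"),    # ssh, expected
    Connection("198.51.100.7", 445, "tcp"),   # SMB, on the blocklist
    Connection("198.51.100.7", 5432, "tcp"),  # new postgres, on nobody's list
    Connection("198.51.100.7", 161, "udp"),   # SNMP, forgotten
]


def evaluate(policy, traffic=SAMPLE_TRAFFIC) -> dict:
    """Map each (proto, port) in the traffic to the policy's decision."""
    return {(c.proto, c.dst_port): policy(c) for c in traffic}


def exposed_by_default_permit(traffic=SAMPLE_TRAFFIC) -> set:
    """Services reachable under default permit but not under default deny.

    This is exactly the set a blocklist maintainer keeps discovering after
    the fact; an allowlist never had to know about them.
    """
    return {
        (c.proto, c.dst_port)
        for c in traffic
        if default_permit(c) and not default_deny(c)
    }


if __name__ == "__main__":
    print("default permit:", evaluate(default_permit))
    print("default deny:  ", evaluate(default_deny))
    print("reachable only because nobody listed them:",
          exposed_by_default_permit())
```

The point of the comparison is the last function: the blocklist stance requires you to learn about every new service before you can block it, while the allowlist stance denies the forgotten postgres and SNMP listeners without anyone having heard of them.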


You are right on.

We're working on something in this vein -- https://www.trycryptomove.com -- our technology does security via continuous concealment. Actively defends against insider attacks and catastrophic breaches, because the attacker can't even identify the data.

We've gotten two types of reactions: (1) we get it, layered security, defense in depth; (2) solution in search of a problem, we have good host security, we have a good firewall, legacy data-at-rest security is good enough. Thankfully far more of #1 than #2, but it's telling about an organization's approach to security.


>our technology does security via continuous concealment.

IMO, this isn't a castle approach. It's more like you've added a security control to help with Data Retention.


Who is saying this?

>We don't need a firewall, we have good host security

>We don't need host security, we have a good firewall


Most businesses from the beginning of the internet to a few years ago? (I'm not sure how common it is now).

The "quote" (paraphrase of a very-common attitude) is from this link in my first post:

http://www.ranum.com/security/computer_security/editorials/d...


the government's approach to cybersecurity has been 100% offense

That is completely wrong. The CSS is largely devoted to IA and IP, not to mention many other defensive cyber support units. In fact DHS, FBI and FCC have heavily invested in Critical Infrastructure protection, NETSEC and related capabilities.

Is it sufficient? No, but saying that the USG strategy is 100% offensive is completely and totally untrue.

[1] https://www.nsa.gov/about/central_security_service/index.sht...

[2] http://www.dhs.gov/topic/cybersecurity


I don't think it's a question of resources, it's a question of priorities. The US government spends tons of money on all sorts of things, but spending that money instead on security would mean they'd have to stop doing some of those other things that we actually pay them to do. The Navy could stop buying warships and spend all the extra money on security, but then they wouldn't have any warships, which is what the Navy is actually for.

This is by no means a government only issue. Multi-billion dollar companies keep getting hacked for basically the same reason. They too have lots of resources, but they are also spending those resources actually doing something. The BEST result you can get from spending on security is...nothing bad happens.

I completely understand the counter-argument that spending on security saves you the costs associated with getting owned, but that's clearly a hard argument to make to people who see all the other ways their money can be spent directly producing the results expected of them. It's the same basic problem IT has always faced ("it costs money, it doesn't MAKE money"), but it's worse with security since you don't even see it for the most part, except maybe as an annoyance.


>The BEST result you can get from spending on security is...nothing bad happens.

That's crap =]. A secret about security compliance (aka defense in depth) is that it actually reduces your technical debt, doesn't increase it. That's the best result in the world, low technical debt!


Right, and also good security solutions should have active defense features that fight breaches as they occur. Most breached organizations don't know they've been breached until months later...

We're working on this at https://www.trycryptomove.com


> “CWA did, indeed, have access to everybody in USA’s private information, now imagine if we was Russia or China.”

You can safely assume that many organisations and governments would have access to a database like that.


They probably figured out an individual's password. Maybe the system shouldn't allow outside access to individuals with just a password, but it isn't really that shocking that they got into it.

I like how grandiose that tweet is, as if Xi Jinping starts every meeting by making fun of a few felony mug shots, look at the mustache on this guy, hahaha.


>Maybe the system shouldn't allow outside access to individuals with just a password

Well that is exactly my point. If that is indeed possible, then why? Who is running the American government networks? Are they really so naive?


They are just like every IT worker in a large non-software industry: instructed by their boss that more important employees than you are currently unable to do their jobs because of your security restrictions, so remove them or be fired.


To be fair, as long as you are building systems on top of general purpose operating systems and exposing them to the internet, you're going to be vulnerable to one hack or another. No matter how much money you throw at the problem, this won't be the last time someone hacks someone's email account or figures out a password to a police computer.

I don't disagree that cyber-warfare is becoming a more important consideration in the context of modern military doctrine, but electronic warfare has been around since long before the internet. It's just one more evolution.

In defense of kinetic war-fighting, it's easier for us to turn off the internet than it is for the other guys to turn off an aircraft carrier.


>To be fair, as long as you are building systems on top of general purpose operating systems and exposing them to the internet, you're going to be vulnerable to one hack or another. No matter how much money you throw at the problem, this won't be the last time someone hacks someone's email account or figures out a password to a police computer.

This is crap =]. There are only 3 ways an attacker can get in.

1. Software Bug - 0-day exploits are only effective until the developer fixes the bad code (patch).

2. Configuration Drift - Attackers can only pop boxes that have drifted away from being updated or hardened. That's why they can only pop one of the boxes...not all the boxes. That's why you Recon more than Infiltrate.

3. Social Engineering - Why does the person who is easily susceptible to phishing have keys to the castle?

All-the-time diligence (not point-in-time diligence) implemented on security controls is what's needed. Not more cyber-offense (e.g. Penetration Testing, Vulnerability Scanning, Risk Assessments)
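The "configuration drift" point above, as an added example that is not code from the thread. It compares each host in a small fleet against a hardened baseline and reports every deviation, including a patch level that fell behind and a control that is missing altogether, which is the kind of check that has to run continuously rather than once at audit time. Hostnames, settings and version numbers are all constructed for illustration.

```python
"""Detecting configuration drift against a hardened baseline.

Added example, not code from the thread. The commenter's point is that
attackers tend to land on the one box that has drifted from the patched,
hardened state, so the check below compares a fleet's current settings
against a baseline and reports every deviation. Hostnames, settings and
versions are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object


# Hardened baseline every host is supposed to match (constructed values).
BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "openssl.version": "1.0.2d",      # minimum patched version (constructed)
    "firewall.default_policy": "deny",
    "auditd.enabled": True,
}

# Current state as reported by each host's agent (constructed).
FLEET_STATE = {
    "web-01": {
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
        "openssl.version": "1.0.2d",
        "firewall.default_policy": "deny",
        "auditd.enabled": True,
    },
    "web-02": {  # drifted: passwords re-enabled, patch never landed
        "sshd.PasswordAuthentication": "yes",
        "sshd.PermitRootLogin": "no",
        "openssl.version": "1.0.1p",
        "firewall.default_policy": "deny",
        "auditd.enabled": True,
    },
    "db-01": {  # a control that is missing entirely counts as drift too
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
        "openssl.version": "1.0.2d",
        "firewall.default_policy": "accept",
    },
}


def _version_key(v: str):
    """'1.0.2d' -> ((1, 0, 2), 'd'), so patch levels compare correctly."""
    m = re.fullmatch(r"([\d.]+)([a-z]?)", v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2)


def check_host(host: str, state: dict) -> list:
    """Return one Finding per baseline setting the host deviates from."""
    findings = []
    for setting, expected in BASELINE.items():
        actual = state.get(setting, "<missing>")
        if setting.endswith(".version") and actual != "<missing>":
            # Versions: anything at or above the baseline is acceptable.
            ok = _version_key(actual) >= _version_key(expected)
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding(host, setting, expected, actual))
    return findings


def drifted_hosts(fleet=FLEET_STATE) -> dict:
    """Map each drifted host to its findings; clean hosts are omitted."""
    report = {}
    for host, state in fleet.items():
        findings = check_host(host, state)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in drifted_hosts().items():
        for f in findings:
            print(f"{host}: {f.setting} expected {f.expected!r}, got {f.actual!r}")
```

Run on a schedule (or triggered by each configuration change) rather than once a year, this is the "all-the-time diligence" the comment asks for: the output is the list of boxes that have become the easy ones.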


The real issue on this is you don't know what you don't know. The IT directors/management may even have a security dept which is doing "work", but doesn't have talented enough folks who recognize the real risk and address it. I'm sure some project manager in the department has been producing vulnerability reports and defects closed to management, demonstrating how secure they are.


> How is it possible for a country with the resources of the U.S. to miss such important areas of technological security

The US is a democracy. Most of the voters are not very intelligent. That means, most of the politicians elected to run the government aren't very intelligent either. I mean, voters would have to be intelligent themselves in order to tell the difference between a dumbass political candidate and an intelligent one. And I think it's the politicians who usually hire the people who run intelligence agencies, law enforcement agencies etc.


It's probably a result of the early days of the internet. Nobody knows we have this network, and we have passwords after all so we're good. On top of that base, the contracts that built these systems probably didn't specify much in the way of security.

Even with the recent OPM breaches, probably nobody thinks it's their problem, and weak contracts are probably still being bid.


Boils down to the question - who wants to go work on security for the government?


> which is supposed to be available only to the FBI and other law enforcement agencies around the country.

I think that a group of one million possibly armed users with access to a secret shared database and private IM client shouldn't be reduced by the adverb "only".


"Only" in this context doesn't mean "few". If you take it out of the quoted sentence, then the portal could also be available to veterinarians, carnival barkers, and scuba instructors. But it's not supposed to be available to those people, only to the FBI and other law enforcement agencies.


>Sealed arrest records are also quite common in hacker investigations when law enforcement officials quietly arrest an individual, then flip him to work as a confidential informant with agents to capture others.

So I guess they'll be able to foresee when one of their crew gets turned à la lulzsec.


Yeah, I don't think this is going to turn out well for them. Granted lulzsec was broken up by having a mole so it might make it more difficult for law enforcement, but then again the FBI has been known to use blackhat means to track people across tor[0] and use malware to obtain information[1].

[0] http://www.wired.com/2013/09/freedom-hosting-fbi/

[1] http://www.wired.com/2014/08/operation_torpedo/


Two words: air gap

I remember when Lockheed got hacked, I thought, why the hell were their CAD workstations connected to the Internet at all? So the engineers could check Facebook? And with so-called "Internet of things" it's only going to get more ludicrous.


Have you ever seen an organization that secured valuable data effectively?

I don't mean one where they followed some standards or had the right policy, but where, as implemented by IT and as practiced by users and admins, the data was secured so well that attackers would not steal the data - where it was too difficult to be worthwhile. I mean an organization you know intimately, where you know how the sausage is made.

Generally, the reality I've seen is security through obscurity.


Classic and common modus tollens. That you don't know of one does not mean they don't exist.

But to your question yes, I have seen one. It all hinged on people actually internalizing security measures such that it was part of how they lived their lives.


I used to work for a major telco, and any sensitive lines were monitored; looking up C or Liz II's telephone details would ring a lot of alarms.

And then you had better hope MI5 got to you before BT's internal security did.

The fact that the DCI's details were not secured is shocking; the CEO, Chairman and head of security should be fired.

I'd probably fire the entire call centre shift to make the point as well.


Haven't the news media hacked into royal family phones, voicemail, etc. multiple times? Maybe that wasn't via BT.


That was mobile voicemail

And back in 92/93 there was an instance where a journalist got a temporary job in Edinburgh and looked up a private line at Holyrood.

After that they got very serious about security; lead developers on some systems have to be DV vetted now.

btw DV is the same roughly as TS clearance.


The news media don't have access to British Telecom's internal systems, so any hacking they do is outside of internal security controls. Here, BT != bluetooth (which may indeed be the attack vector for many hacks).


There are rumors that tabloids have physically hacked into CAB's (street boxes) to tap lines the old fashioned way - probably using bent linesmen.


I don't get what these hackers are after by pastebin'ing their attack.

It can't be money (as mentioned, by selling the data to gossip magazines they could earn more Bitcoins than MtGox), it can't be security (or else they'd have posted how they gained entry) and it can't really be fame as the feds will stop at nothing to hunt them down now...


It's pretty clear since they even wrote about the motive in the article.

>I'm the bad guy in the news that's targeting the US government for funding Israel.

> US government to stop funding Israel and for them to stop killing innocent people

> Did you know there was over 26,000 civilian deaths due to war-related violence in the Afghanistan war

> Did you know the US military bombed an Afghan hospital? [0]

So, basically it's about freedom from the US government suppressing other states.

[0] http://pastebin.com/KtN8FqPu that is linked in the article


>Free Palestine. The United States government funds Israel, and in Israel they kill innocent people. We're going to do it until they stop funding Israel or until we get raided.

>I'm below the age of 22 years old. I smoke pot. And I live in America

>I'm going to go to Russia and chill with Snowden because I know the government is pretty mad about this I'm probably going to get tortured. I'm actually a pretty fast runner.

>The government and the police. Like the White House people. They're losers.

Looks like they did it for the lulz to me.

http://money.cnn.com/2015/10/19/technology/cia-hack-john-bre...


Yes, Palestine sure is hilarious, isn't it?

I laud his reasons.


I laud his reasons as well, and I defend to the death his right to speak them.


It sounds less about the states the U.S. is suppressing and more about the people the U.S. is oppressing; the states are just a side effect of that.


Without any proof for or against, it is interesting to view this attack as a state-sponsored PSYOP.


> Enterprise File Transfer Service

> IDEAFX—a “web-based, file/folder sharing capabilities for cross-organizational teams”

> Justice Enterprise File Sharing

Can we talk for a bit about how much money is being spent to do the same thing three times?


Soon, someone is going to post a similar breach, where they gained access to anyone's browsing history in the UK! Brave new world...


Bragging about your exploits on Twitter and giving interviews to Wired is what informants do to fish for more hackers to snitch on.


It's a good default assumption that any database that more than 10k people have access to is compromised or trivially compromisable.



