
Richard Clarke: The Chamber Broke the Law

I’m really deep in the weeds on the Jack Goldsmith memo right now (I should have a weedy post up later).

But in case you’re bored w/bmaz’s rant about the assault on Miranda rights, I thought I’d point to this TP post describing Richard Clarke suggesting that the Chamber of Commerce (funded by foreign sources, he notes) may have broken the law in targeting Chamber opponents.

Clarke denounced the scandal in no uncertain terms. Noting accurately that the Chamber “took foreign money in the last election,” a story also uncovered by ThinkProgress, Clarke said the Chamber had conspired to commit a “felony”:

FANG: Hi. You talked a lot about classifying and recognizing cyber security threats, but you mostly focused on foreign threats. I’m curious about a story that broke last month, that the US Chamber of Commerce, the world’s largest trade association, based here in DC, had contracted or attempted to contract military defense firms like HB Gary Federal, Palantir, and Berico, to develop proposals to use the same type of cyber warfare tactics normally reserved for Jihadi websites against left-wing activists, trade — labor unions, and left of center think tanks here in America. What do you think about that type of threat from a lobbyist or a corporation targeting political enemies, or perceived enemies here in the US?

CLARKE: I think it’s a violation of 10USC. I think it’s a felony, and I think they should go to jail. You call them a large trade association, I call them a large political action group that took foreign money in the last election. But be that as it may, if you in the United States, if any American citizen anywhere in the world, because this is an extraterritorial law, so don’t think you can go to Bermuda and do it, if any American citizen anywhere in the world engages in unauthorized penetration, or identity theft, accessing a number through identity theft purposes, that’s a felony and if the Chamber of Commerce wants to try that, that’s fine with me because the FBI will be on their doorstep in a matter of hours.

Now if only we had Feds anymore that would consider busting big business…

DOD Promises to Defend the Networks They Failed to Defend after 2008

There’s something hysterical about the promise a Quantico spokesperson made that DOD would take any threats to its IT networks–in this case, threats made by Anonymous–seriously.

A Quantico spokesman, Lieutenant Agustin Solivan, said officials had referred the matter to law enforcement and counter-intelligence agencies. “We are aware of the threat and any threats to defence department information systems and networks are taken seriously,” he said. “The intent or stating that you are going to commit a crime is a crime in itself,” he added.

You see, back in 2008, DOD got badly hit by malware introduced via a thumb drive or some other removable media. And in response, DOD instituted measures that–it said–would clear up the problem.

The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to “floppy disks,” is supposed to take effect “immediately.”

[snip]

Servicemembers are supposed to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware,” one e-mail notes.

Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out.

In other words, back in 2008, an enemy force attacked DOD’s IT system using an embarrassing security vulnerability. In response DOD immediately banned all removable media. That ban was supposed to be permanent on classified networks like SIPRNet.

Just over one year later, a low-ranking intelligence analyst in Iraq brought in a Lady Gaga CD, inserted it into his computer attached to SIPRNet, and allegedly downloaded three huge databases of classified information.

Throughout the WikiLeaks scandal, DOD has been the functional equivalent of someone who, just weeks after getting cured of syphilis, went right back to his old ways and–surprise surprise!–got the clap, all the while denying he bore any responsibility for fucking around.

According to Bradley Manning’s description, there was a virtual orgy of IT security problems at his base in Iraq.

(01:52:30 PM) Manning: funny thing is… we transferred so much data on unmarked CDs…

(01:52:42 PM) Manning: everyone did… videos… movies… music

(01:53:05 PM) Manning: all out in the open

(01:53:53 PM) Manning: bringing CDs to and from the networks was/is a common phenomenon

(01:54:14 PM) Lamo: is that how you got the cables out?

(01:54:28 PM) Manning: perhaps

(01:54:42 PM) Manning: i would come in with music on a CD-RW

(01:55:21 PM) Manning: labelled with something like “Lady Gaga”… erase the music… then write a compressed split file

(01:55:46 PM) Manning: no-one suspected a thing

(01:55:48 PM) Manning: =L kind of sad

(01:56:04 PM) Lamo: and odds are, they never will

(01:56:07 PM) Manning: i didn’t even have to hide anything

(01:56:36 PM) Lamo: from a professional perspective, i’m curious how the server they were on was insecure

(01:57:19 PM) Manning: you had people working 14 hours a day… every single day… no weekends… no recreation…

(01:57:27 PM) Manning: people stopped caring after 3 weeks

(01:57:44 PM) Lamo: i mean, technically speaking

(01:57:51 PM) Lamo: or was it physical

(01:57:52 PM) Manning: >nod<

(01:58:16 PM) Manning: there was no physical security

(01:58:18 PM) Lamo: it was physical access, wasn’t it

(01:58:20 PM) Lamo: hah

(01:58:33 PM) Manning: it was there, but not really

(01:58:51 PM) Manning: 5 digit cipher lock… but you could knock and the door…

(01:58:55 PM) Manning: *on

(01:59:15 PM) Manning: weapons, but everyone has weapons

(02:00:12 PM) Manning: everyone just sat at their workstations… watching music videos / car chases / buildings exploding… and writing more stuff to CD/DVD… the culture fed opportunities

Incidentally, note that no one has been fired for having left SIPRNet open to the same vulnerability that had already been targeted in a hostile attack? It’s all Bradley Manning’s fault. Sure, DOD was fucking around. But it can’t be held responsible!

So now, weeks after HBGary emails made it clear that DOD and DOJ and CIA were already investigating Anonymous, they’re telling us they’re investigating. For real now.

And don’t you worry! Ain’t no way Anonymous can hurt them. Because they know how to defend against such threats.

Online Personas and Congress

I’ve been meaning to return to our government’s contracting for persona software for a while. Last week RawStory had a good story providing details of the persona management contract the Air Force put out for bid. RS reveals that the contract was awarded to Ntrepid, a firm in LA with the kind of website that screams “cover.” And it has this from CENTCOM’s digital media engagement team.

According to Commander Bill Speaks, the chief media officer of CENTCOM’s digital engagement team, the public cannot know what the military wants with such technology because its applications are secret.

“This contract,” he wrote in reference to the Air Force’s June 22, 2010 filing, “supports classified social media activities outside the U.S., intended to counter violent extremist ideology and enemy propaganda.”

Speaks insisted that he was speaking only on behalf of CENTCOM, not the Air Force “or other branches of the military.”

While he did reveal who was awarded the contract in question, he added that the Air Force, which helps CENTCOM’s contracting process out of MacDill, has even other uses for social media that he could not address.

It’s secret, Speaks says, even the stuff that gets contracted openly.

In a post that looks like pushback against the concerns raised in the RS story, Jeff Stein has the same spokesperson reassuring us that these Cyberwar tactics won’t be directed against us.

Centcom spokesman Cmdr. Bill Speaks acknowledged in an interview last week that the Air Force had a contract for the Persona Management Software, but denied it would be deployed against domestic online protesters.

“The contract, and the Persona management technology itself, supports classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.,” Speaks told SpyTalk. “The contract would more accurately be described as supporting U.S. Central Command, rather than the Air Force — the Wing here at MacDill provides contracting support for us — efforts.”

Speaks said the software would “absolutely” not be used against law-abiding Americans.

Only, it looks like Stein asked the obvious follow-up question and got something less reassuring.

Update: Speaks adds, “The phrase [law-abiding] suggests that we might use it against Americans who are not law-abiding. The truth is that these activities are not directed towards Americans, without qualification.”

And how do they know that? Do they refuse to interact online with anyone whose IP address shows them to be in the US? Our Cyberwar folks do know that the InterToobz are global, don’t they? I feel like this gets us back to the old reverse targeting problems with the government’s replacement to FISA, with a very easy loophole to not “direct” fake personas at US persons, but to influence them with fake personas nevertheless.

Which brings me back to the point I always return to in these discussions: to the evidence that DOD generally is hiding its Cyberwar programs from Congress, and the Air Force in particular has issued strict guidelines prohibiting its people from telling Congress about AF Special Access Programs.


If a TBTF Bank Lost Its Quant Code to Chinese Hackers and No One Knew, Would We Still Have a Functioning Market?

Bloomberg has an excellent catch from the HB Gary emails, revealing that Morgan Stanley was one of the 20-200 companies targeted by the Chinese-based Aurora hack in 2009.

Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to e-mails stolen from a cyber-security company working for the bank.

The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret.

“They were hit hard by the real Aurora attacks (not the crap in the news),” wrote Phil Wallisch, a senior security engineer at HBGary, who said he read an internal Morgan Stanley report detailing the so-called Operation Aurora attacks.

As McAfee made clear when it first announced the hack, the hackers were after the targets’ intellectual property (though note the understanding of the timing of the hack has changed).

Similar to the ATM heist of 2009, Operation Aurora looks to be a coordinated attack on many high profile companies targeting their intellectual property. Like an army of mules withdrawing funds from an ATM, this malware enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays.

Now, Bloomberg–with backing from an FBI official and a reminder that Morgan Stanley is the world’s largest mergers and acquisitions adviser–seems to be most concerned about what the hackers learned about impending M&A.

FBI Deputy Assistant Director Steven Chabinsky said that hackers have increasingly targeted information related to mergers and acquisitions, data that can give companies involved an advantage in negotiations.

But the description of the targeted information as IP immediately made me think about quant code, the algorithms that banks use to conduct high frequency trading. When Sergey Aleynikov attempted to sell Goldman Sachs’ high frequency trading code, Goldman and the government treated it like a capital offense. For good reason, because if another firm got that code, it would be able to game out Goldman’s moves. So how do we know that these hackers didn’t steal MS’ quant code?

In any case, the hack seems to raise real questions about disclosure. Should Morgan Stanley have had to reveal this to its stockholders and potential M&A clients (remember that MS led GM’s IPO last year, though hopefully long enough after this hack for the deal not to be exposed by it)? Should MS have had to reveal this–with the potential implications for markets–to Congress? Did it?

I just can’t help but think that the Aurora hackers may well have gotten the same kind of information that Congressional oversight committees have requested from the Fed, but were refused.

“Tactics Developed for Use against Terrorists May Have Been Unleashed against American Citizens”

Hmmm. “Tactics developed for use on terrorists may have been unleashed against citizens.” That sounds like something I would have written about the HB Gary scandal. Twice.

It’s nice to see some members of Congress understand what the entire problem with this scandal is about.

In a letter to be released Tuesday, Rep. Hank Johnson (D-Ga.) and more than a dozen other lawmakers wrote that the e-mails appear “to reveal a conspiracy to use subversive techniques to target Chamber critics,” including “possible illegal actions against citizens engaged in free speech.”

The lawmakers say it is “deeply troubling” that “tactics developed for use against terrorists may have been unleashed against American citizens.”

[snip]

The companies proposed forming a “corporate information reconnaissance cell” and discussed tactics such as creating online personas to infiltrate activist Web sites; planting false information to embarrass U.S. Chamber Watch and other groups; and trolling for personal information using powerful computer software.

You almost wonder whether this is why Aaron Barr resigned? To try to stave off attention to how common it is for corporations to treat citizen speech as terrorism?

HB Gary CEO Aaron Barr Resigns

He’ll probably just get picked up by TASC, which was about to buy out HB Gary Federal anyway. But I do take some pleasure at his recognition that his reputation is for shit.

Embattled CEO Aaron Barr says he is stepping down from his post at HBGary Federal to allow the company to move on after an embarrassing data breach.

[snip]

In an interview with Threatpost, Barr said that he is stepping down to allow himself and the company he ran to move on in the wake of the high profile hack.

“I need to focus on taking care of my family and rebuilding my reputation,” Barr said in a phone interview. “It’s been a challenge to do that and run a company. And, given that I’ve been the focus of much of bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm.”

Good riddance, I say!