It took five months for OPM to catch the thieves that stole the records of more than four million federal employees.
Intruders broke into Yahoo’s systems in 2013, and we don’t even know how long they were inside; Yahoo only discovered the hack when stolen data turned up for sale on the dark web. We invest more and more in our security, but the breaches just get bigger. How many more times does this have to happen before we accept that what we’re doing isn’t working?

Earlier this month, during a Senate Armed Services Committee hearing, Admiral Michael S. Rogers, the director of the National Security Agency, told us what we need to do to fix the problem, recognizing two different kinds of cybersecurity:

1. Keeping intruders out of networks.
2. Identifying, containing, and ejecting them once they get inside.

We must be able to do both, Admiral Rogers argued, noting that there is an entirely “different thought process, methodology, prioritization, and risk approach to dealing with someone who is already in your network versus trying to keep them out in the first place.”

The head of the best offensive agency in the world is telling us exactly what we’re missing, but we aren’t listening. Most organizations still focus heavily on keeping attackers out, rather than trying to catch the ones that get in. A common bit of security wisdom is that hackers have the advantage because they only need to be right once to get in.
This is largely true today - hackers can launch assault after assault to try to break through your defenses, probing for a weakness until you slip.
And every security team, no matter how good, slips up eventually.
But once inside, the intruders are in your network - unfriendly territory.
They have to hide inside your environment, and they only have to slip up once to get caught.

Consider the White House, one of the most secure buildings on the planet. Jumping the wrought iron fence on Pennsylvania Avenue isn’t the challenge.
The challenge is dealing with the Secret Service agents that tackle you as soon as your feet hit the lawn.
Cybersecurity teams should play to our strengths, and follow the example of both Admiral Rogers and the Secret Service. We should always work to keep intruders out, but some will always get in. We should heavily invest where we have the advantage: on our own networks.

At the White House, it is the Secret Service’s visibility and control inside the grounds that shuts down intruders.
Crossing that lawn is exposed, and the Secret Service detects intruders in seconds.
Access within the compound is limited to only where you need to go for purposes of your meeting, so visitors that step out of bounds are easy to spot.
And once an intruder is detected, there is almost always an agent nearby, with a wide range of tools at their disposal to contain the intrusion.
This is the essence of the defender’s advantage: visibility linked with control means that intruders are at a huge disadvantage once they get in.

Unfortunately, we have largely ceded this advantage on our networks.
Security teams often don’t know what devices are connected, or how those devices are talking to each other.
This offers an incredible opportunity for intruders, because by understanding our networks better than we do, they can operate at their strongest when they should be at their weakest.

If we are going to take Admiral Rogers’ advice, this is what we must correct.
There are emerging technologies that could help us correct this imbalance. Organizations need real-time visibility into how their devices are communicating so they can identify intruders quickly. We should limit access to important systems; segment networks and important data; patch vulnerable systems; encrypt data.
Each of these steps increases visibility and control.
They enable organizations to quickly identify intruders, act to constrain their movements, and eject them from the network. None of these tools are rocket science, but they require that we focus not just on keeping intruders out, but on catching them when they get in.

This reality makes Admiral Rogers’ comments during the Senate hearing all the more poignant.
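The visibility-plus-control idea above is easiest to see in code. The following is an added example, not code from the article or from Illumio: a constructed segmentation policy says which zone-to-zone flows are expected on a network, and every observed flow that falls outside it is flagged, which is the "visitor who steps out of bounds" case. The zone names, CIDR blocks, policy rules and flow-log lines are all constructed for this example; a real deployment would feed it flow records from its own sensors.

```python
"""Added example (not from the original article): review network flows against a
segmentation policy and flag anything out of bounds.
Zones, policy rules and the sample log are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed zones: each maps a name to the CIDR block it occupies.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":         ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed allow-list of (source zone, destination zone, destination port).
# Anything between zones that is not listed here is out of bounds.
POLICY = {
    ("workstations", "web", 443),
    ("web", "db", 5432),
    ("mgmt", "db", 22),
    ("mgmt", "web", 22),
}


def zone_of(ip):
    """Map an address to the first zone that contains it, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed 'timestamp src dst dport proto' flow-log line."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flow(flow):
    """Return None if the flow matches policy, otherwise a reason string."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == "unknown" or dst_zone == "unknown":
        # A device the inventory does not know about is itself a visibility gap.
        return f"unknown zone: {flow['src']} -> {flow['dst']}"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this policy
    if (src_zone, dst_zone, flow["dport"]) in POLICY:
        return None
    return f"policy violation: {src_zone} -> {dst_zone}:{flow['dport']}"


def review(lines):
    """Return (violations, talkers): flagged flows and violation counts per source."""
    violations = []
    talkers = Counter()
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow["ts"], flow["src"], flow["dst"], reason))
            talkers[flow["src"]] += 1
    return violations, talkers


# Constructed sample log: routine traffic, then a workstation reaching into the
# database zone and a web server reaching back toward workstations.
SAMPLE_LOG = [
    "2017-01-05T09:00:01 10.10.4.21 10.20.0.5 443 tcp",
    "2017-01-05T09:00:02 10.20.0.5 10.30.0.9 5432 tcp",
    "2017-01-05T09:00:05 10.40.0.2 10.30.0.9 22 tcp",
    "2017-01-05T09:01:10 10.10.4.21 10.30.0.9 5432 tcp",   # workstation -> db
    "2017-01-05T09:01:11 10.10.4.21 10.30.0.9 22 tcp",     # workstation -> db (ssh)
    "2017-01-05T09:02:00 10.20.0.5 10.10.4.30 445 tcp",    # web -> workstation (smb)
    "2017-01-05T09:03:00 10.10.4.22 10.10.4.23 445 tcp",   # intra-zone, not checked
]

if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    for ts, src, dst, reason in found:
        print(ts, src, "->", dst, reason)
    print("hosts generating violations:", dict(counts))
```

The per-source counter is the "agent nearby" part of the argument: once a host shows up repeatedly in the violation list, the team has a concrete device to isolate rather than a vague sense that something is wrong.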
If there are two types of cybersecurity, why have we invested so heavily in the one where we are at a disadvantage, and given up the advantage we hold for the other?

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ...
Clapper welcomes "healthy skepticism" of US intel, but there's a "difference between skepticism and disparagement."
US intelligence officials today pushed back on assertions from President-elect Donald Trump that their conclusions about election-related hacks are not to be trusted.
The US intelligence community "is not perfect," James Clapper, Director of National Intelligence, told the Senate Armed Services Committee. "We're human beings and we're prone to making errors." But the community rarely gets enough credit for what it does accomplish, he continued, pointing to plots that have been thwarted.
At issue is an October report and a more recent assessment from US agencies that places the blame for last year's hacks of the Democratic National Committee and other US targets on the Russians. Trump has refused to concede that the Russians might be behind the breaches, even going so far to praise Russian President Vladimir Putin as "very smart" for not retaliating against the US when President Obama imposed sanctions over the hacks.
"Great move on delay (by V. Putin) - I always knew he was very smart!" - Donald J. Trump (@realDonaldTrump), December 30, 2016
On New Year's Eve, Trump told the press he wants the intel community "to be sure" they have it right, pointing to the intelligence failure with the Iraq War and weapons of mass destruction as an example of them getting it wrong. "I think it's unfair if they don't know, and I know a lot about hacking," Trump continued. When asked what he knew, the President-elect said he'd reveal more this week, but has thus far failed to do so.
Today, Clapper and Admiral Mike Rogers, Commander of US Cyber Command, declined to go into detail about their investigation into the hack. More information will be released next week in a report ordered by Obama, a non-classified version of which will be made public, they said.
When asked about Trump's criticism, Clapper says he welcomes "healthy skepticism" of US intelligence, but said there's a "difference between skepticism and disparagement."
Committee Chairman Sen. John McCain argued that "every American should be alarmed by Russia's attacks on our nation."
"There is no national security interest more vital to the United States of America than the ability to hold free and fair elections without foreign interference," McCain said. "That is why Congress must set partisanship aside, follow the facts, and work together to devise comprehensive solutions to deter, defend against, and, when necessary, respond to foreign cyberattacks."
Trump raised eyebrows again this week when he tweeted quotes from a TV appearance by Julian Assange of Wikileaks, which posted the contents of the hacked DNC emails.
"Julian Assange said 'a 14 year old could have hacked Podesta' - why was DNC so careless? Also said Russians did not give him the info!," Trump wrote. Later, Trump argued that his tweet does not mean he agrees with Assange. "I simply state what he states, it is for the people to make up their own minds as to the truth. The media lies to make it look like I am against 'Intelligence' when in fact I am a big fan!"
Clapper said today that "I don't think those in the intelligence community have a whole lot of respect" for Assange. He and Rogers both declined to "attach any credibility" to the Wikileaks founder when questioned by Sen McCain.
When asked if he stands by the intelligence community's assessment about the hacks, Clapper says he stands even "more resolutely" than before.
"We have invested billions, and we put people's lives at risk to glean such information," he said. But don't expect a full rundown. Exposing all the details on US intelligence-gathering procedures "would imperil our ability to provide such intel in the future," Clapper told the committee.
And the hacks are only going to get worse, according to Rogers, who said he can't think of any nation-state that's backing away from its hacking efforts. Russia is also not alone; US intel needs to be mindful of China, Iran, and North Korea, too.
Clapper did say that an unclassified version of the report would be released to the public early next week. However, that version is unlikely to contain any new specific evidence to support the intelligence community's assertions that the Russian government directed hacking and propaganda operations against Hillary Clinton and the Democratic Party in an attempt to deliberately affect the outcome of the US election. "We plan to brief the Congress and release an unclassified version of this report early next week, with due deference to the protection of highly fragile sources and methods," Clapper said in his opening statement. "We have invested billions, and we put people's lives at risk to get such information.
If we were to expose how we got this, we could just kiss that off. We're going to be as forthcoming as possible."

Clapper and National Security Agency Director Admiral Michael Rogers both asserted, however, that the intelligence community was even more certain of Putin's involvement in the meddling in the US election than they were when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence issued a joint statement in October. "We stand more resolutely now on that statement than we did on the seventh of October," Clapper said.

While Clapper said it was almost certain that no votes had been changed by hacking, he noted there was no way to determine the full impact of Russia's information campaign on voters' opinions—"We in the Intelligence Community can't tally that."

Much of what Clapper and Rogers said in their testimony echoes data already available from commercial security firms and other sources, as well as the somewhat limited data shared in the DHS-FBI "joint analysis report" (JAR) issued last week.
The report to be delivered to the president will, however, take in the whole of the alleged Russian campaign to influence the election, including the use of Russian state-funded media, social media, and "fake news" to spread disinformation.
The report will likely also include specific data on how the intelligence community linked Putin to the sharing of breached data from the Democratic National Committee and others (including Clinton Campaign Chairman John Podesta) to Wikileaks. In response to a question from the committee on the role of "fake news" disinformation in Russia's election meddling, Clapper said, "Without getting too far in front of the headlights of [the upcoming report], this was a multifaceted campaign—the hacking was only one part of it.
It also entailed classical propaganda, disinformation, and fake news." Clapper acknowledged that the same sort of campaign was ongoing in Europe now, around the upcoming French and German elections. That mirrors forensic evidence that Ars has examined recently in our attempts to connect the dots between operations from the organization behind the "Fancy Bear" group of malware, tools and infrastructure used in the DNC, Democratic Congressional Campaign Committee, and Clinton campaign breaches, and the theft of data from the World Anti-Doping Agency (WADA).
Servers used in connection with some of the spear phishing attacks connected to these breaches have also been used to target French Gmail users recently. (More details of that activity and how it is connected to the information campaign against the Democrats in the US elections are being pulled together for an upcoming Ars report.)

Many of the senators from both parties on the Armed Services Committee, including Sen. John McCain (R-Ariz.) and Senator Lindsey Graham (R-S.C.), threw barbs at President-elect Donald Trump for his treatment of the intelligence community and his posts apparently professing greater trust in Julian Assange than US intelligence.
Citing Assange as "the one responsible for publishing the names of people who worked for us" in Iraq and Afghanistan plus the subject of a criminal investigation, McCain asked Clapper and Rogers, "Do you think there's any credibility that we should attach to his statements?" Clapper replied frankly: "Not in my view." For his part, Donald Trump tried to back away from the appearance of endorsing Assange via Twitter: "The dishonest media likes saying that I am in Agreement with Julian Assange - wrong.
I simply state what he states, it is for the people.... to make up their own minds as to the truth.
The media lies to make it look like I am against "Intelligence" when in fact I am a big fan!"

Graham was particularly angry at Trump for being overly critical and disrespectful of the intelligence community. "You don't want to undermine those people serving in this arena," he said. He also suggested Obama's sanctions against Russia amounted to "throwing pebbles" when it was time to "throw rocks," because the active campaign to interfere in the US election went far beyond passive espionage. Graham noted that Republicans should be concerned that someone else might do the same thing to them if Trump were to take on China or Iran, and the response to the Russian information operations was an opportunity to deter future interference in the democratic process. “It’s not like we’re so much better at cyber security than Democrats,” he said.

Another area Graham focused on was the US Information Agency, the government operator of Radio Free Europe, and other US foreign information operations. He suggested this agency was too archaic in its focus on broadcasting.
Clapper agreed, saying in his closing remarks that what was needed to counter information warfare was a "USIA on steroids"—a new information organization that could take on misinformation from adversaries more aggressively in social media and other places online as well as in the broadcast realm. Russia has used the state-funded RT broadcast service and other outlets to more aggressively spread its version of the global narrative over the past few years.
The country has reportedly even used "troll factories" to create confusion and support nationalist populism in several European countries.
For now, a civil trial is set to begin on January 31, 2017. Earlier this week, US District Judge Robert G. Klausner rejected the motion for summary judgment filed by the plaintiffs, Paramount and CBS. He also rejected a motion filed by the defendants, Axanar Productions.
The judge was unpersuaded by Axanar Productions’ arguments that it was entitled to the fair use exception. The legal battle began in late 2015, when the two entertainment giants sued a group of filmmakers who had released an unlicensed and unauthorized short 20-minute trailer a year earlier. In that trailer, dubbed Prelude to Axanar, a group of Federation, Vulcan, and Klingon officers speak in documentary-like interviews about the Four Years War between the Federation and the Klingons.
The short film features a number of actors who have performed in previous Star Trek works, including J.G. Hertzler, now in the new role of Admiral Samuel Travis, and Gary Graham, who reprised his role as Vulcan Ambassador Soval.
The Four Years’ War, which was briefly discussed but never actually portrayed in any of the Star Trek series, is set before the beginning of The Original Series. Axanar Productions raised over $1.1 million on Kickstarter and Indiegogo, and it was expected to release a full-length film in 2016 before it got derailed by the lawsuit. In May 2016, the director of the new set of Star Trek films, J.J.
Abrams, indicated that the lawsuit would "be going away," but that still hasn’t happened.
A month later, as a result of the ongoing legal battle, Paramount and CBS released a set of guidelines that would allow fan films to proceed without getting sued. (Axanar would violate those rules.)

To boldly go

In his Tuesday order, Judge Klausner made it very clear that he has at least some working knowledge of Star Trek.
As he wrote:

Here, there is no dispute that Plaintiffs have ownership of copyrights to the Star Trek Copyrighted Works, and that Defendants have access to these Works. Thus, the copyright infringement claim can live long and prosper if the Axanar Works are substantially similar to the Star Trek Copyrighted Works.

The court found that there was an "objective substantial similarity" between the Axanar film and the copyrighted Star Trek works.
The question of "subjective substantial similarity" would now be left to a jury to determine.
As the judge continued:

Sometimes a feeling is all we humans have to go on. But for substantial similarity, the law demands more. "The extrinsic test considers whether two works share a [substantial] similarity of ideas and expression as measured by external, objective criteria" – in a Vulcan-like manner.

In additional court filings submitted on Wednesday, CBS, Paramount, and Axanar Productions all put forward their list of witnesses.
CBS said it would put John Van Citters, an executive who has worked with Paramount and CBS on Star Trek for nearly 20 years, on the stand. Van Citters, according to the plaintiffs’ attorneys, "knows the canon of Star Trek intimately as well as the history and personnel involved in the production of Star Trek in order to be able to efficiently assess whether or not material CBS is presenting to the public is accurate and fits with existing canon." Axanar Productions, for its part, will counter with Christian Tregillis, a financial consultant who will "rebut Plaintiffs’ theory of lost profits that they claim resulted from Defendants’ alleged infringement, i.e., that funds donated to making of Defendants’ works have resulted in lost revenue or profits to Plaintiffs," according to its own filing. The film company will also offer up Henry Jenkins, a professor of media studies at the University of Southern California, who is an expert on Star Trek’s historical relationship between its creators and its fans. All sides are set to meet before the judge for a pretrial conference on January 9, 2017 at 10:00am at the federal courthouse in downtown Los Angeles.
The president-elect—who has repeatedly expressed admiration for dictators like Vladimir Putin and Kim Jong Un—will have at his disposal the surveillance resources to dig up dirt on political adversaries, journalists critical of his administration, or activists.

With great power comes great responsibility

“[Trump] is someone who displays a kind of personal vindictiveness that makes Nixon look Christlike,” Julian Sanchez, a privacy-focused research fellow for the Cato Institute, told Wired. “There’s every reason to be worried about those instincts and how they’d lead him to attempt to abuse this surveillance power.” Others are mollified by the false belief that the NSA’s surveillance powers have been curtailed by law since Snowden’s revelations.
But former NSA counsel Susan Hennessey told Wired that the agency’s regulations don’t protect it from a president set on abusing its capabilities. “No one should kid themselves about the idea that in the wrong hands, it couldn’t do quite a bit that’s very scary,” she said. The fate of current NSA Director Admiral Mike Rogers remains uncertain, and Trump has yet to pick a director of national intelligence—although he is reportedly considering Carly Fiorina for the position.
But here’s what we do know about the team Trump has picked to fill key security positions.

National Security Adviser: Mike Flynn

As National Security Adviser, Flynn will attend daily intelligence briefings and act as a gatekeeper to President Trump on a wide range of issues. He will also oversee the National Security Council, a White House department of about 400 people involved in making policy recommendations. Past national security advisers include a long list of shrewd, strategic thinkers, from Henry Kissinger and Zbigniew Brzezinski to Colin Powell, Condoleezza Rice, and current adviser Susan Rice.
By contrast, Trump’s pick has falsely claimed that Democrats are trying to impose Sharia law in the United States and has become perhaps best known as the man behind the infamous ”Pizzagate” conspiracy theory, after tweeting a link to a baseless story connecting Clinton’s campaign to a sex cult and human trafficking. “U decide - NYPD Blows Whistle on New Hillary Emails: Money Laundering, Sex Crimes w Children, etc...MUST READ!” Flynn shrilled. “If the national security adviser is going to be the direct conduit between the president and the national security world, of course it’s a concern that that adviser is being taken in by conspiracy theories and fake news,” Tom Nichols, a professor at the U.S. Naval War College, told Fortune. Whoever has the president’s ear on international affairs, Nichols said, should have “a firm grip on what’s true and what’s false.” Retired Gen.
Barry McCaffrey recently told MSNBC that some of Flynn’s tweets “border on demented.” Powell, a retired four-star general who served under three Republican presidents, slammed Flynn in personal emails as a “right-wing nutty” and “a jerk.” And Daniel W.
Drezner, a professor of international politics at the Fletcher School of Law and Diplomacy at Tufts University, concluded in a column for The Washington Post that Flynn “should be kept as far away from power as humanly possible.” After Flynn led the cheers of “lock her up” at the Republican Convention, it came to light that he—who was fired as director of the Defense Intelligence Agency, the Pentagon’s top spy organization—was investigated by the Pentagon for inappropriately sharing classified information. Flynn’s appointment is not subject to Senate confirmation. However, Democratic senators are asking the Obama administration to review his security clearance since he “reportedly has a record of mishandling classified intelligence.”

CIA Director: Mike Pompeo

Trump’s choice to lead the CIA is a fierce advocate for expanding surveillance at home and abroad, and he’s called for “the traitor Edward Snowden” to be executed. While sitting on the House Intelligence Committee, Pompeo fought Congressional efforts to rein in the NSA’s bulk collection of Americans’ data.
Instead, in an editorial earlier this year he advocated for “a fundamental upgrade to America’s surveillance capabilities.” Pompeo laid out a road map for expanding those powers, including re-establishing the collection of all metadata; combining it with financial and lifestyle information on American citizens in a searchable database; and removing legal and bureaucratic impediments to surveillance.

The Freedom, Security & Technology Project at the Center for Democracy and Technology blasted Pompeo for his desire to give government the power to collect “the 21st-century equivalent of a dossier” on all Americans through the collection of digital data. “If there is one thing that everyone across the political spectrum believes, it’s the fundamental American value that government has no business peering into your private life without at least some indication that you’ve done something wrong,” Gabe Rottman, deputy director of the digital advocacy group, told Politico. “This would be exactly that.” The ACLU also slammed Pompeo, saying his position on digital spying raises “serious civil liberties concerns about privacy and due process.” The organization has vowed to fight his appointment. “These positions and others merit serious public scrutiny through a confirmation process,” ACLU Executive Director Anthony Romero said in a statement. “His positions on mass surveillance have been rejected by federal courts and have been the subject of several lawsuits filed by the ACLU.”

In Congress, Pompeo was not one of those calling for mandated backdoors into encrypted communications, saying it would “do little good.” But he warned that using encryption for personal communication “may itself be a red flag,” which suggests that merely using “good security practices could invite government scrutiny under his watch,” The Atlantic reported.
Attorney General: Jeff Sessions

Civil liberties advocates have called Trump’s pick for Attorney General “a catastrophe for privacy” and “a nightmare scenario.” While serving as the Senator from Alabama, Sessions tried to add an amendment to the Email Privacy Act, a bill reforming electronic privacy law that passed in the Republican-controlled House. His amendment would have required technology companies like Google and Microsoft to turn over communications without any oversight by a court if the government said it was an emergency. “Never mind that companies already routinely hand over user data without being compelled in legitimate emergencies,” Wired wrote. “When it comes to surveillance powers, he’s more catholic than the Pope,” said Cato Institute fellow Julian Sanchez. “He wants to grant more authorities with fewer limitations than even the law enforcement or intelligence communities are asking for.” Indeed, a former homicide detective called Sessions’ emergency exception amendment “unwise and unsafe” in an editorial for The Hill.

As a senator, Sessions also repeatedly worked to block NSA privacy reforms. “Sessions pushed for spying powers beyond even those supported by his Republican congressional colleagues and intelligence agents,” Wired wrote. “He fought reform of the Foreign Intelligence Surveillance Act in 2012 and against the USA Freedom Act that in 2015 placed new limits on the NSA’s spying powers after the revelations of Edward Snowden—a law that passed a Republican House and Senate and was even endorsed by NSA director Michael Rogers.” Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute, told Wired that Sessions was a dangerous choice for the role of enforcing legal limits on intelligence agencies like the NSA. “Unless Congress picks up the mantle of aggressive oversight of the intelligence community, we’re looking at a situation that makes the Hoover era look like child’s play,” Greene said.
Eternal vigilance is the price of liberty

In light of these developments, it might be a good time to revisit Snowden’s words with The Guardian:

The greatest fear I have regarding the outcome for America of these disclosures [about government surveillance] is that nothing will change. People will know the lengths that government is going to grant themselves powers, unilaterally, to create greater control over American society and global society. But they won’t be willing to take the risks necessary to stand up and fight to change things, to force their representatives to actually take a stand in their interests. And it’s only going to get worse. Until eventually there will be a time where policies will change—because the only things that [currently] restricts the surveillance state is policy…A new leader will be elected, they’ll flip the switch, say that because of the crisis, because of the dangers that we face in the world, we need more authority, we need more power. And there will be nothing the people can do at that point to oppose it. And it’ll be turnkey tyranny.
A single typo in which he stated that the email was "legitimate" was enough to see the security advice ignored. "This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account," Delavan wrote in the morning of March 19. "He can go to this link: https://myaccount.google.com/security to do both." "It is absolutely imperative that this is done ASAP." The error has "plagued him ever since", Delavan told the New York Times in its 8,500 word analysis of Russian interference in the US election.
The Times story features intelligence officials, campaign insiders, and security firms laying blame at the feet of Russian president Vladimir Putin. It concludes that the attacks on the DNC and Podesta's email were successful in altering the course of the United States presidential election. President-elect Donald Trump has rejected the "high confidence" assertion of Russian involvement by US intelligence agencies.

Delavan said he saw dozens of phishing emails similar to the one that compromised Podesta. It is unsurprising: two Russian hacking groups widely thought to be Kremlin-backed have been identified as the culprits of systematic advanced intrusions into the DNC. Recognised Russian hacking outfits Cozy Bear (also known as "APT 29" or "Dukes") and the older GRU-controlled Fancy Bear (aka "APT 28" or "Pawn Storm") had both hacked into the DNC in separate attacks, security firms Dell SecureWorks and CrowdStrike have said. Cozy Bear penetrated the DNC in the middle of last year after vast phishing campaigns targeting US agencies, non-profits, and corporations. The information that group and other Russian outfits gleaned would be fed through the data leaker known as Guccifer 2.0, and through Wikileaks.

Those groups, which the Times says operated in isolation while stealing some of the same files, pillaged emails and documents from the DNC and Republicans, representatives from the CIA told Congress last week. Those revelations prompted calls from Republican senators John McCain, Lindsey Graham, and Democrats Charles E.
Schumer and Jack Reed for a non-partisan response to the Russian attacks. “This cannot become a partisan issue," the senators wrote in the joint statement. "The stakes are too high for our country." Others have called for a stronger response. Pentagon Cyber Command director Admiral Michael Rogers expressed a desire to strike back at Moscow, sources told The New York Times, in a tit-for-tat bid to hack back and expose President Putin's financial links to Russian oligarchs.
The attack was also designed to punch holes in Russia's networks to allow dissidents there to spread messages. Deputy US National Security Adviser Avril Haines considered it an overreaction that would play into Putin's hands by signalling to the public that the US had lost control of its electoral process. For his part, outgoing President Barack Obama is said to have feared escalation in cyber conflict with Russia and was focused on establishing agreements with the nation over the conflict in Syria.

The hacking campaigns have not stopped.
Germany now fears Russian influence in its upcoming election, expected in September 2017, with intelligence chief Hans-Georg Maassen saying Moscow has "enormous resources" it is dedicating to targeting its "government officials, members of parliament, and employees of democratic parties". Security firm Volexity last month detailed widespread phishing campaigns sent by Russia's Cozy Bear.
The documents, spotted a mere six hours after the conclusion of the US election, were sent from compromised Harvard University email accounts; the malware-laden attachments promised information on the outcome of the presidential election. "Volexity believes that the Dukes are likely working to gain long-term access into think tanks and non-government organisations," the firm's founder Steven Adair said at the time. "And will continue to launch new attacks for the foreseeable future." ®