Category Archives: Intelligence

Spycraft101 Apple podcast episode #97

Leave a reply

https://podcasts.apple.com/us/podcast/97-defecting-from-the-ussr-with-olga-sheymov/id1567302778?i=1000614816892

This week, Justin chats with Olga Sheymov. Olga has worked in high technology, on arts projects, and as a television producer. Her TV credits include the Long-Running series Russia Today, produced from 1997 until 2015, and Your Source TV among other projects. But long before she began her media career, Olga and her husband Victor Sheymov defected to the US and were smuggled out of the Soviet Union and into the Carpathian Mountains by a team from the Central Intelligence Agency in 1980. Victor was a high ranking member of the KGB and proved to be an incredibly valuable source of information for the US government for years to come, although their relationship with the CIA and FBI encountered many problems, to say the least.

Spycraft101 Apple podcast episode #97

First Recorded Breach of Security

Leave a reply

A standard first dictionary definition of security is freedom from danger. Danger or threat, as it is often labeled, has to be present or assumed to be present otherwise there is no need for security. In recent years, threat has conventionally been defined by security professionals as the sum of the opposition’s capability, intent (will), and opportunity, and can be expressed thus:

Threat = Capability + Intent (will) + Opportunity

Indeed, without a capability, an attack cannot take place. An
attacker must possess a specific capability for a specific attack. For instance, the Afghan Taliban cannot carry out a nuclear missile attack on the United States even if they have full intent and an opportunity. Intent or will is also a necessary ingredient. North Korea has the capability for a nuclear strike on South Korea, but many factors keep their will in check. Similarly, Iran may have a capability to attack a defenseless American recreational sailboat in its territorial waters, and be perfectly
willing to do so, but American recreational sailors just do not go there, providing no opportunity.

Furthermore, applying this formula usually does not produce precise results since ingredients such as capability and opportunity are usually not known exactly and often are just assumed. A classic example of this is the infamous case of Iraq’s weapons of mass destruction as justification of the last Iraq war.

The first recorded breach of security occurred in the Garden of
Eden. Apparently, there was a sense of threat, and Cherubim guarding it with flaming swords were the security measures taken. However, the security measures were insufficient, and that allowed the serpent to infiltrate the Garden of Eden and do his ungodly deed.
In fact, there is no perfect security. We can only provide degrees of protection (i.e., if there is a threat, risk is always present, though its level may vary. Often this is reflected in the statement that risk is a combination of threat and vulnerability:

Risk = Threat + Vulnerability

This looks logical since vulnerability means exposure to a certain
threat. This also leads to the assertion that:
Vulnerability is a deficiency of protection against a specific
attack.
A reasonably comprehensive definition of security would probably
be something like:
A set of measures that eliminate, or at least alleviate the
probability of destruction, theft, or damage to a being, an object, a process, or data, including the revelation of a process, or of the
content of information.

The Attack on Private Encryption

Leave a reply

The current anti-encryption political push by a choir of government bureaucrats is picking up steam and has lately been joined by the head of the British MI5. The usual scarecrow of terrorism is invoked and used bluntly in public statements that border on unabashed propaganda. I did not want to write about it, but what is going on is just too much to take. The real goal of the whole campaign is suspect, so it’s worth taking a closer look at the issues involved.
Point one – ideological: We view ourselves as a democracy. With that in mind we need to understand that encryption has existed for at least four thousand years. During that time most of the rulers were ruthless tyrants and for all of them their #1 priority was to protect their rule. But even they did not crack down on private encryption – because it’s not practical (see Point three below), and they could not enforce it anyway. We, on the other hand, are facing a bunch of bureaucrats demanding the practical end to meaningful private encryption. How come a democracy can have more restrictions for its citizens than a country suffering under the rule of a tyrant?
Point two – technical: During all these thousands of years encryption algorithms have been consistently and quickly cracked by experts, usually employed by the government. Only a very few encryption algorithms withstood scrutiny for a few years, and those strong algorithms were developed by government experts and have always been well outside the reach of the general public at the time. Contrary to popular belief, all commercially available algorithms have been cracked very quickly after their introduction. Governments have traditionally been very shy about disclosing this. The situation is no different now. If a target used commercially available encryption algorithms its communications have been quickly cracked. So, what is the technical difference in the current situation? The simple answer is the sheer volume of information passing through the Internet. Individual communications can be cracked, but not the entire Internet traffic. That’s what the government bureaucracy is after: the ability to read ALL the traffic, i.e. all of our communications.
Point three – practical: the purpose of encryption is to assure privacy of communications. There are many other ways to do this other than by encryption. One vivid example: when we were hunting Bin Laden for years he did not use the Internet at all, he used messengers. He could just as well have used the regular mail. Furthermore, it’s well known that the 9/11 terrorists were communicating over regular phones, but in Aesopian language. For example they referred to a terrorist act as a “wedding.” So are our bureaucrats next going to demand the right to read all our mail, or make a terror suspect of anyone who mentions a wedding over the phone?
Conclusion: The simple truth is that the Government can penetrate any commercial encryption available to terrorists. That is if they actually go after terrorists. However, they are now demanding the right to go after everyone, mostly law abiding citizens. If that demand is denied there’s still nothing to prevent them from going specifically after terror suspects.
The moral here is pretty straightforward: if we call ourselves an uncorrupt democracy we should be very careful about giving our bureaucrats too much power, inasmuch as they want more power than tyrants of history could not get. Furthermore, the bigger danger here is that loosing civil rights is a very slippery slope.

The secret reason behind the Chinese hacking

Leave a reply

For quite some time I’ve been puzzled by the alleged Chinese hacking of our databases. I could understand if they hacked our advanced research and development– that would save them time, effort and money. But why the databases? Then it dawned on me: it’s a savvy business strategy.
We routinely encounter problems with our databases. One organization can’t find our file, another somehow has the wrong information about us, and all too often they certainly can’t get their act together, and we see classic cases of the left hand not knowing what the right one is doing . The pre-9/11 non-sharing of intelligence is a good illustration. In other words, we have a somewhat messy general situation with our databases; we’re used to taking this in stride; and we just sigh when we have to deal with some organization that accuses us of something we aren’t guilty of.
The Chinese understood the problem, but they just never got used to it. For many centuries they had a much bigger population than other countries, but somehow they always managed to know exactly who is who, who is related to whom, and what he/she is doing.
So naturally they wanted to have the same level of knowledge about the rest of the world. To their dismay, in the US they found disorganized databases and mismatching records. So they had to process all that information to make sense of it for themselves. And suddenly they saw a perfect business opportunity: they would develop a gigantic and very efficient database of the US, and then sell this data back to us piecemeal, retail. This would give them full and exact knowledge of the US, and the US would pay for the project, with a significant profit for the Chinese. For us this would be a very valuable service, a kind of of involuntary outsourcing where we (both the Government and the private sector) can get relevant and reliable data at a modest price. Makes perfect business sense.
This approach has a special bonus for the US Government: when buying data abroad they won’t have to deal with privacy restrictions imposed by the US Constitution and constantly debated by Congress. The logic is impeccable: we bought it abroad, and if the Chinese know it, we are entitled to know what they know about us.

That Office of Personnel Management (OPM) hack: the depth of the damage

Leave a reply

The somewhat belated (just 7 months!) timid admission by the Federal Government that security clearance files of Government employees and contractors had been hacked was hardly a shocking surprise. Media discussion largely focused on the breadth of the security breach – the number hacked started with 4 million and pretty quickly grew to 21 million. But the depth of the security breach was not really addressed. It is, however, a major aspect of the loss.
Unbeknownst to most of the general public, and ironically even to many of those Government employees who are actually responsible for this security breach, all security files are not created equal. At one end of the spectrum are security clearance files of personnel whose proximity to Government secrets is very limited and often only symbolic, such as facilities maintenance workers. At the other end of the spectrum are people with security clearances well beyond the proverbial Top Secret level, those who are entrusted with the deepest and most sensitive Government secrets, such as nuclear arms and Government communications security experts.
Candidates who apply for a Government job are routinely asked to a sign privacy release allowing the Government to conduct an investigation into the applicant’s background that would otherwise be in violation of their privacy rights. Of course, applicants usually sign the form without looking at it too much. But even the lowest level of security clearance is far more invasive than your “thorough” bank investigation before granting you a loan. At the low end there’s a cursory search to make sure that the applicant has no significant criminal offences and is not involved in known criminal organizations. For a high-end clearance it’s a totally different story. Thorough investigation may include numerous connections, including relatives and present and past personal friends, hobbies, clubs affiliations, financial transactions over a significant period of time, and so on. Present and past spouses, “close friends” and partners are definitely of interest. Investigations may include interviews with neighbors and government informants, and maybe even one or another form of surveillance.
Many who are subjected to such investigation don’t realize how much of their personal privacy they surrender to the Government, but surrender they do, and some of them find that out only if things turn sour in their relations with the Government. However, they all at least implicitly rely on the Government to guarantee the security of their private information.
The OPM hack shattered that expectation. If the hack was done as alleged, by the Chinese, it is also most certain that the Russians had also done it before. Moreover, whichever intelligence service has the files, they may well trade some of them in exchange for other intelligence. Needless to say, among all those in supersensitive jobs are clandestine intelligence operatives, including the DEA, CIA, and Special Forces, and this situation puts their lives in real and immediate danger.
As a practical matter, those affected should demand to know exactly what information was stolen. Classified as it may be, it is not classified anymore. After all, if the Chinese know something about me, I am certainly entitled to know what they know too.
One more unanswered but very important question: do those files contain personal biometrics beyond fingerprints (leaking which is bad enough) — such as DNA, and retinal scans? I haven’t seen anyone asking that.

The Government wants our encryption keys. Are home keys next?

1 Reply

The just released report by 13 well known cryptographers opposing the US and British governments’ sweeping demand for encryption keys has directly addressed the increasing threat of government’s insatiable thirst for power. Any government objection to this report is bound to be disingenuous.
However, there’s one more angle that begs for further exposure. The overall issue is not a scientific or technical question; it’s an ideological one. The frequently heard loud claim that inevitably we have to give up our privacy so the government can protect us is flatly untrue and hypocritical. It is indeed technologically feasible today to build a system where everyone of us would wear an irremovable collar equipped with cameras, microphones, and GPS that would communicate our location and immediate surroundings every instant “totally securely” to some highly trusted government agency. The government may argue that a) it would only access this information upon some court order; and b) it would solve a lot of crimes and save a lot of lives. True, such a system would make the police’s job very easy, would solve a lot of crimes, and save a lot of lives. But the real question is: do we want to live in that kind of society? In the American spirit the politest answer would be, “Hell, no!” And as always with this kind of hypothetical system criminals would quickly find a solution to neutralize it, leaving us with the situation that only-law abiding citizens would be subject to this massive electronic prison.
Even as we see deeper and deeper assaults on our civil rights and liberty in the manner described above, the government is more than a little shy talking about other intelligence-gathering techniques that require more skill than a slightly trained operator just pushing a few computer keys. These methods are well known among professionals, they have existed for a long time, and can be applied to any target. The drawback of course is that they are less convenient for the operators, require greater skills, and do not include a global bulk collection of information on everyone.
Well, maybe this is just what we, the people, need and want.

Power grid: when cyber lines cross

Leave a reply

We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to a House Select Intelligence Committee November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html

Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful that the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.

Kaspersky and Symantec Kicked Out of China – For a Reason

Leave a reply

The great cyber triangle of US-Russia-China seems to be shaping up in a definitive way. For a while China was technologically and skill-wise behind the US and Russia, the two early leaders in cyberspace, but it’s catching up, and fast.

It was announced last week that Kaspersky Lab and Symantec have been taken off the list of approved vendors in China’s government cybersecurity software market.  Reuters recently reported one example: http://www.reuters.com/article/2014/08/03/us-china-software-ban-idUSKBN0G30QH20140803

Traditionally very polite, the Chinese did not cyberwhine, did not make any fuss, did not lay any blame, but simply took the pair off the list. Some Western and Russian analysts were very quick to assume and announce  that this was a trade protectionist move to favor China’s national cybersecurity companies. That’s definitely wrong. If that were true, China would bar foreign companies from the country altogether – their private market is huge and very profitable. But they didn’t; they specifically only addressed their government cyberspace security. Apparently Chinese cyber experts found some extracurricular activities in products from both companies, which is not terribly surprising. Furthermore, they probably realized that detecting all the malware in modern software is practically impossible, and correctly decided to keep the foreign security well-wishers away, at least from their government.

The Chinese perception of individual privacy is different from the Western, and they don’t seem to be very concerned about the privacy of the regular common users, at least currently. However, they will probably watch Kaspersky’s and Symantec’s products sold to the Chinese private sector very carefully from now on. If they detect any sizeable collection of data from customers’ computers they will probably bar Kaspersky, Symantec, or both from doing business in China altogether.

The great cyber triangle is definitely becoming more and more equilateral. Interestingly, for the first time that I can recall, China is taking the lead in a trend that is logical and most likely to continue.

Kaspersky’s Intelligent Move

Leave a reply

The latest move by Kaspersky Lab is definitely intelligent, perhaps a little too intelligent.

Computer security vendors are beginning to offer integrated cross-platform security for Windows, Mac and Android devices, with Kaspersky Lab leading the pack with its Internet Security—Multi Device 2015. At first glance it looks like déjà vu, as good or as bad malware protection as any other on the market. However, Kaspersky’s has a new feature — it protects all the devices you own, up to five of them. Convenient.

Initial reviews are good: http://www.pcworld.com/article/2459156/kaspersky-internet-security-2015-multi-device-review-new-interface-same-excellent-protection.html

From a business standpoint this makes perfect sense – uncluttering  the security arrangements of your devices and bringing security to one simple point. This should upend the competition that is selling long lines of unrelated programs.

However, there‘s another angle here. The simple truth is that a security system for your computer takes over your computer, whether you like it or not. So when you have a bunch of different security products, each one of them controls only the device for which it is intended.

One of the most reliable means of accessing all data in a computer is via its security system. But, with some technical exceptions, the ultimate targets of most security or intelligence organizations are people, not their computers per se. This means that if someone wants all your data on all your devices, and chooses to do so via your security system, he has to have control of all your security systems. Not too difficult, but certainly cumbersome in a large-scale outfit. Inconvenient.

Here comes a great innovation: one-stop shopping for  all your data – an integrated security system for all your devices. All your data can be obtained via a single security system. Convenient.

It’s not a big secret that Kaspersky Lab has cozy relations with the Russian Government and thus is a valuable resource for the latter. There was a lot of debate related to Kaspersky Lab and their relations to the Russian Government, someone even suggested once that they have a lot of customers and just one client.

I’d prefer to leave that to the reader’s judgment, but simply caution that in any case integrating all your devices via one security system makes you an easier cyber prey, and may be unwise, Kaspersky or not.