Tag Archives: Chinese hacking

The secret reason behind the Chinese hacking

For quite some time I’ve been puzzled by the alleged Chinese hacking of our databases. I could understand if they hacked our advanced research and development; that would save them time, effort and money. But why the databases? Then it dawned on me: it’s a savvy business strategy.
We routinely encounter problems with our databases. One organization can’t find our file, another somehow has the wrong information about us, and all too often they simply can’t get their act together, so we see classic cases of the left hand not knowing what the right one is doing. The pre-9/11 non-sharing of intelligence is a good illustration. In other words, we have a somewhat messy general situation with our databases; we’re used to taking this in stride; and we just sigh when we have to deal with some organization that accuses us of something we aren’t guilty of.
The Chinese understood the problem, but they just never got used to it. For many centuries they had a much bigger population than other countries, but somehow they always managed to know exactly who is who, who is related to whom, and what he/she is doing.
So naturally they wanted to have the same level of knowledge about the rest of the world. To their dismay, in the US they found disorganized databases and mismatching records. So they had to process all that information to make sense of it for themselves. And suddenly they saw a perfect business opportunity: they would develop a gigantic and very efficient database of the US, and then sell this data back to us piecemeal, retail. This would give them full and exact knowledge of the US, and the US would pay for the project, with a significant profit for the Chinese. For us this would be a very valuable service, a kind of involuntary outsourcing where we (both the Government and the private sector) can get relevant and reliable data at a modest price. Makes perfect business sense.
This approach has a special bonus for the US Government: when buying data abroad they won’t have to deal with privacy restrictions imposed by the US Constitution and constantly debated by Congress. The logic is impeccable: we bought it abroad, and if the Chinese know it, we are entitled to know what they know about us.

That Office of Personnel Management (OPM) hack: the depth of the damage

The somewhat belated (just 7 months!) timid admission by the Federal Government that security clearance files of Government employees and contractors had been hacked was hardly a shocking surprise. Media discussion largely focused on the breadth of the security breach – the number hacked started with 4 million and pretty quickly grew to 21 million. But the depth of the security breach was not really addressed. It is, however, a major aspect of the loss.
Unbeknownst to most of the general public, and ironically even to many of those Government employees who are actually responsible for this security breach, all security files are not created equal. At one end of the spectrum are security clearance files of personnel whose proximity to Government secrets is very limited and often only symbolic, such as facilities maintenance workers. At the other end of the spectrum are people with security clearances well beyond the proverbial Top Secret level, those who are entrusted with the deepest and most sensitive Government secrets, such as nuclear arms and Government communications security experts.
Candidates who apply for a Government job are routinely asked to sign a privacy release allowing the Government to conduct an investigation into the applicant’s background that would otherwise be in violation of their privacy rights. Of course, applicants usually sign the form without looking at it too closely. But even the lowest level of security clearance is far more invasive than your “thorough” bank investigation before granting you a loan. At the low end there’s a cursory search to make sure that the applicant has no significant criminal offences and is not involved in known criminal organizations. For a high-end clearance it’s a totally different story. A thorough investigation may cover numerous connections, including relatives and present and past personal friends, hobbies, club affiliations, financial transactions over a significant period of time, and so on. Present and past spouses, “close friends” and partners are definitely of interest. Investigations may include interviews with neighbors and government informants, and maybe even one or another form of surveillance.
Many who are subjected to such investigation don’t realize how much of their personal privacy they surrender to the Government, but surrender they do, and some of them find that out only if things turn sour in their relations with the Government. However, they all at least implicitly rely on the Government to guarantee the security of their private information.
The OPM hack shattered that expectation. If the hack was done as alleged, by the Chinese, it is almost certain that the Russians had done it before. Moreover, whichever intelligence service has the files, they may well trade some of them in exchange for other intelligence. Needless to say, among all those in supersensitive jobs are clandestine intelligence operatives, including the DEA, CIA, and Special Forces, and this situation puts their lives in real and immediate danger.
As a practical matter, those affected should demand to know exactly what information was stolen. Classified as it may be, it is not classified anymore. After all, if the Chinese know something about me, I am certainly entitled to know what they know too.
One more unanswered but very important question: do those files contain personal biometrics beyond fingerprints (leaking which is bad enough) — such as DNA, and retinal scans? I haven’t seen anyone asking that.

A classic hot potato—political hacking

Media attention to cyber attacks can be divided into two categories: the endless stream of examples of institutions hacked, and cautious descriptions of potential (and very real) horrors of our vital systems being attacked.
But there’s one area of cyber attacks that conspicuously has received little or no media attention: political hacking.
Practically all our electronic systems are vulnerable to cyber attacks to varying degrees. Political systems rank close to the high end of vulnerability, and indeed most of them are virtually undefended against even a low-skilled hacker.
It’s pretty obvious that these systems are extremely valuable targets for some political activists, and certainly for the aggressive ones. It’s not too far-fetched to assume that some of these activists, whatever their focus, either possess hacking expertise themselves or have access to guns for hire, whether for money or some other consideration.
This hacking potential may impact our lives more than we realize. It’s not technically difficult to hack into a voting system and “adjust” the outcome to the hacker’s liking. Such hacking targets can be at any level – from a poll on a local ordinance to allow dogs on the beach to the election for a head of state. Importantly, it’s not easy to detect such interference, and even when detection succeeds it takes a lot of time. We can only imagine the political mess if a couple of months after an election it’s determined that a group of teenagers (or some mysterious “Russian or Chinese hackers”) materially changed the outcome, and the wrong people were sworn in to their new hard-earned and increasingly expensive jobs.
On a more subtle indirect note such “adjustments” can be made to the results of public opinion polls, manipulating public opinion in a very effective way.
While it’s understandable that nobody wants to discuss this classic case of a very hot potato, nevertheless we have to realize that we ignore this threat at our own peril.

Utilities Hacking Paradigm Shift


With the pleasant long weekend over, now is a good time to check up on recent cyber history. It’s a common Government practice to release potential “hot potatoes” just before a holiday in the hope that they will pass generally unnoticed. So it’s useful to review the pre-holiday week’s releases right after the holiday. There is something there that caught my eye that I would like to address.

Interesting questions were raised by the following article, oddly published by an Australian publication on May 22: http://www.gizmodo.com.au/2014/05/hackers-broke-into-a-public-utility-control-room-by-guessing-a-password (“Hackers Broke Into A Public Utility Control Room By Guessing A Password.”) In short, the story is commenting on the DHS announcement of the discovery and fixing of a hackers’ break-in into an unspecified public utility’s controls. This raises at least two questions.

The first question is why the announcement was made at all. Everybody who is anybody in cybersecurity knows that within the US-Russia-China triangle practically all internet-connected utilities have been penetrated for decades. Malware amounting to electronic bombs has been mutually installed by these countries and has gone through several generations of upgrades; it is ready to use and extremely difficult to detect. Obviously, the most vulnerable side of the triangle is the US, since it has the most advanced and most connected network of utilities. The existing status quo in the triangle is somewhat similar to the famous MAD (Mutually Assured Destruction) of the Cold War, and the situation is pretty stable. So, if it’s not news, why announce it? This question can probably be answered by the second question.

The second question is: what has been left unsaid in the announcement? This is probably the key to the whole thing. The announcement mentioned “hackers,” with no hints as to their identity. But the interesting detail is that the attack was performed by a very unsophisticated “brute force” approach, which any hacker with a modern computer can do easily. So, the only plausible explanation for the whole announcement is to tacitly acknowledge that some rogue hackers were able to penetrate a public utility, and to suggest that more such attacks may be coming. Obviously, rogue hackers of many denominations do not have the mutual restraints of the US-Russia-China triangle, and without such restraints they can do real damage.

Overall, it looks like the DHS is laying down the proposition that when some real damage is done, they can say that now anybody can take control of our utilities, as we warned you.

US charges Chinese military (legally)

The indictment of five Chinese military officers on charges of hacking American companies shows a blatant disrespect for the intelligence of American voters.

This legal pursuit at best is plain silly. Despite a couple of other unsubstantiated claims, spying is the world’s oldest profession. Spying has been going on for thousands of years, is going on, and will go on for the foreseeable future. Furthermore, it is the duty of every national military to provide intelligence for its country. How are we going to assert jurisdiction over military officers of another country acting on their own territory? How are we going to prove beyond reasonable doubt that it was they who indeed did or controlled the hacking? The indicted officers must be grateful for this recognition of their efforts and doubtlessly will be decorated and promoted. This will be the only real result of our action.

This legal charade perfectly fits the election cycle and is clearly aimed at showing American voters that the current Administration is doing something about the daunting problem of hacking. However, American voters are surely smart enough to understand that instead of developing real defenses against cyber attacks we are wasting money on a legal farce. What should we expect next? The indictment of every designer, manufacturer, and operator of foreign satellites and eavesdropping equipment?

We probably have enough lawyers to sue every foreigner that spies on us, but not enough money to pay for them. As a nation we would be much better off effectively defending ourselves rather than whining about being helpless victims and becoming the world’s laughing-stock.