July 23, 2008
Data security meets disco fever
Here's a travel advisory: The next time you find yourself in a foreign city at night with nothing to do, take my advice: rent a movie in your hotel room. Don't go to discos. And if you do go out, don't bring a smart phone with you.
A high-ranking UK official got Shanghai'd in Shanghai last January, possibly compromising the cyber security of the British government. Out partying at a disco in the Forbidden City, he went home with an attractive Chinese national. He woke up with a smile on his face, but the girl and his Blackberry were missing. (Hey, at least he still had his kidneys.)
According to the Times of London:
A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence. ....Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.
Though many of the reader responses to this story are priceless, this one from “Graham” in South Africa stands out:
“I have to sympathise with this guy. Last Tuesday night I was picked up by a young lady and one thing led to another and the next morning I discovered she'd stolen 100 rand from my wallet. It happened again on Thursday night, then Saturday, and with any luck it will happen again tomorrow.”
Downing Street claims it suffered “no compromise to security” in the incident. China hotly denies its spies are involved. Right. I believe them. But with the Beijing "high-tech" Olympics coming up in a few weeks, this hasn't made anyone feel safer about cyber security in China. Again, per the Times:
Joel Brenner, the US government’s top counter-intelligence official, warned: “So many people are going to the Olympics and are going to get electronically undressed.”
Which doesn't sound nearly as much fun as being physically undressed, though equally risky. The good news: This now gives Olympics tourists something to worry about besides the air quality in Beijing. Using a Blackberry in China can't be that much more dangerous than simply breathing.
David Gewirtz, author of Where Have All the Emails Gone?, notes that US government officials are not much better at protecting their Blackberries than their lascivious British counterparts. Karl Rove has allegedly lost several of the gadgets, no doubt containing his secret plans for world domination. Last April White House staffers left a half dozen of the smart phones outside a conference room in New Orleans, then claimed they were stolen by a member of the Mexican delegation. (No doubt dressed as Salma Hayek.)
Meanwhile, in a classic display of chutzpah, the US Department of Homeland Security has issued a private warning to government officials and private executives about “foreign governments” (aka the Chinese) stopping them at the border and copying information off their laptops and smart phones -- tactics the DHS feels perfectly happy to employ for US citizens returning to this country. The DHS also warns of foreign agents quietly slurping data off cell phones via compromised Bluetooth connections and installing eavesdropping devices [PDF] on Blackberries.
The DHS won't publicly acknowledge the threat for fear of ticking off the Chinese, who might retaliate by ... copying information off our laptops and spying on our smart phones. Or maybe they'll just send hot Asian mommas to discos looking for lonely US diplomats.
To quote my favorite British spy: “It's shagadelic, baby.” Or better yet: “Oh behave.”
Got any good data security or spy stories? Post them below or email me direct: cringe (at) infoworld (dot) com. Top tips qualify for cool swag. However, if you are captured, Notes From the Field will disavow any knowledge of your involvement.
Posted by Robert X. Cringely on July 23, 2008 06:29 AM
June 23, 2008
Last week the House of Representatives passed a "compromise" amendment to the Foreign Intelligence Surveillance Act, though it sounds like the only things that have been compromised are our Constitutional rights. Now the Senate is poised to do the same.
Unfortunately, the FISA Amendments Act of 2008 adds little to existing FISA laws save for one very big thing: immunity for telecoms that violated FISA laws on orders from the White House. Essentially, all Ma Bell and her bastard offspring need to do is present a note that says Uncle Sam made them do it, and the 40-odd lawsuits pending against them vanish.
This rewards companies like AT&T and Verizon that failed to stand up to orders of questionable legality, while punishing companies like Qwest who declined the government's requests. Imagine the cojones it took to say no to the NSA. What are the odds anyone's likely to do that again?
Remember, three Bush appointees -- attorney general John Ashcroft, deputy AG James Comey, and FBI head Robert Mueller -- threatened to resign over this program. So this is clearly not a matter of the NSA forgetting to pick up a few subpoenas on the way home from the grocery store. This was something no one had seen before.
But what exactly was it? The worst thing about the immunity provision is that it closes the door on discovery. We will likely never find out what information the NSA sought, what it found, and what that data was used for. That's a problem.
It's very likely the spooks were involved in a massive data mining operation that involved data from millions of innocent non-terrorist law-abiding Americans. Think I'm being paranoid? Here's what USA Today revealed in May 2006:
The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.
The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.
In other words, they're attempting to create a profile of terrorists, and the only way to do that is to profile a whole lot of non terrorists. And if they happen to catch anyone doing anything else borderline illegal along the way, they can pick and choose whom they want to prosecute. Why should China and Russia have all the fun?
I'm all for hunting down and ferreting out the bad guys, but I draw the line at spying on ordinary Americans. I'm happy to stand in line at the airport or the baseball stadium and have them look through my bags, even though I know it's mostly Security Theater. My phone calls, emails, and Web surfing are another story. If I'm a suspect and you've got a warrant, fine, spy on me. Otherwise, I'd like to be left alone. Is that unreasonable?
Should the telecoms get off scot-free? Post your thoughts below or email me directly: cringe (at) infoworld (dot) com. And try not to say anything too unAmerican -- you know who is probably watching.
Think you've got the right stuff to pass our tech quizzes? They're not as easy as they look:
• The InfoWorld News Quiz
• Test Your Geek IQ
• Test Your Network Security IQ
Posted by Robert X. Cringely on June 23, 2008 09:10 AM
April 28, 2008
A Mexican press attache walked off with "six or seven" Blackberries belonging to US officials at a summit between the presidents of Canada, Mexico, and some guy named Bush in New Orleans last week.
Press officer Rafael Quintero Curiel was captured on video tape picking up the smart phones, which were deliberately left outside a meeting room by officials. He was promptly canned.
Apparently, the theft went undetected until White House staffers noticed an unusually large number of visits to Tila Tequila's MySpace page on their data account. (Note to my more literal minded readers: that was a joke.)
Curiel's own explanation of the incident is more innocent (and to my ears, more likely). He says he found two devices outside a room where White House staffers were meeting, thought they belonged to the Mexican delegation, picked them up, and handed them over to a driver to deliver to the Mexican embassy. No cloak and dagger, no poisoned lipstick, no microdots containing secret US plans glued to his eyelids.
Just the same, David Gewirtz, email geek and author of Where Have All the Emails Gone?, says this is yet more proof that the government's lax attitude toward data security could one day have disastrous consequences.
Had Curiel been an operative of a foreign government -- let's say Korea or Syria, just for fun -- he could have had access to thousands of classified emails and other documents stored on the devices, says Gewirtz:
A typical BlackBerry has 64MB of memory, at minimum (they also often have expansion slots for more memory). Let's put this in perspective. The King James Bible is about 1,120 pages, or about 2.5MB, so a typical BlackBerry could hold about 25 King James Bibles' worth of information. That's the equivalent in strategic U.S. government information of about 28,000 printed pages of data, or seven complete sets of all seven Harry Potter novels.
As Gewirtz and others have noted, Blackberries can be remotely disabled and erased, but only if you know they've gone AWOL. Curiel had plenty of time to copy the data stored on each device, had he wanted to.
Lest you think I'm being partisan, the Democrats don't exactly have a lock on digital intelligence either. Despite the popularity of Blackberries, Washington DC is still mostly an analog town. But the next occupant of the White House will be facing serious digital dilemmas. Let's hope he or she hires the right geeks to handle them, before the bad guys take advantage of our smart phone stupidity.
Got hot tips or more stupid smart phone trix? Post them below or email me directly: cringe (at) infoworld (dot) com. Cool non-partisan swag awaits those whose tips make it into my blog.
Posted by Robert X. Cringely on April 28, 2008 06:50 AM
March 10, 2008
Pentagon hacks and Google Maps
I have this nosy but absent-minded Uncle. He likes to paw through my emails, peruse my web history, and tap my phones. But when it comes to protecting his own, more important secrets, he's mostly clueless.
Case in point: When alleged Chinese hackers broke into the Pentagon's email system last June, Secretary of Defense Robert Gates sloughed it off as no big deal – nothing to see here, happens every day, please move along.
Now it turns out that the hack was a wee bit more serious than Gates let on. GovernmentExecutive.com quotes Dennis Clem, CIO for the office of the defense secretary, talking about the hack at a federal tech conference last week:
"This was a very bad day," said Clem during a panel discussion at the Information Processing Interagency Conference Tuesday. The breach continues to pose a threat, he added. "We don't know when they'll use the information they stole, [which was] an amazing amount, [including] processes and procedures that will be valuable to adversaries."
And here's how they did it, per Federal Computer Week:
The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.
So the Pentagon gets 0wned via what sounds like an ordinary spear phishing attack, and we're supposed to trust our government to sift all of our email, decide which ones are from the terrorists, and leave the rest of us alone. Got it.
In related news: The Pentagon has asked Google to pull images of US military installations from the "Street View" feature in Google Maps, and Google has complied. Apparently the images showed enough info on how to get in and out of each base to worry the commanders.
I understand one area of special interest was an Air Force test center in southern Nevada better known to X Files fans as "Area 51." The military banned all ---------- ------- -------- ------- --------- ------------- [editor's note: this material has been redacted for your protection] ------------- ----------- ------------- ------- ------------ --------- ----- ---------- --------- --------------- ------- ------ --------- ------- ----------- ---------- Paris Hilton, Rudy Giuliani, and a bucket full of ferrets. Needless to say, the Pope was certainly surprised.
Do you feel like you missed something? Fill in the blanks below or email me here. Cool swag comes to those whose entries make it into this blog. Just remember: our Uncle may be listening.
Posted by Robert X. Cringely on March 10, 2008 07:21 AM




