Government (and Its Expensive Contractors) Really Need to Secure Their Data Collections

Given two recent high profile hacks, the government needs to either do a better job of securing its data collection and sharing process, or presume people will get hurt because of it.

After the hackers Crackas With Attitude hacked John Brennan, they went onto hack FBI’s Deputy Director Mark Giuliano as well as a law enforcement portal run by the FBI. The hack of the latter hasn’t gotten as much attention — thus far, WikiLeaks has not claimed to have the data, but upon closer examination of the data obtained, it appears it might provide clues and contact information about people working undercover for the FBI.

Then, the hackers showed Wired’s Kim Zetter what the portal they had accessed included. Here’s a partial list:

Enterprise File Transfer Service—a web interface to securely share and transmit files.

Cyber Shield Alliance—an FBI Cybersecurity partnership initiative “developed by Law Enforcement for Law Enforcement to proactively defend and counter cyber threats against LE networks and critical technologies,” the portal reads. “The FBI stewards an array of cybersecurity resources and intelligence, much of which is now accessible to LEA’s through the Cyber Shield Alliance.”

IC3—“a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.”

Intelink—a “secure portal for integrated intelligence dissemination and collaboration efforts”

National Gang Intelligence Center—a “multi-agency effort that integrates gang information from local, state, and federal law enforcement entities to serve as a centralized intelligence resource for gang information and analytical support.”

RISSNET—which provides “timely access to a variety of law enforcement sensitive, officer safety, and public safety resources”

Malware Investigator—an automated tool that “analyzes suspected malware samples and quickly returns technical information about the samples to its users so they can understand the samples’ functionality.”

eGuardian—a “system that allows Law Enforcement, Law Enforcement support and force protection personnel the ability to report, track and share threats, events and suspicious activities with a potential nexus to terrorism, cyber or other criminal activity.”

While the hackers haven’t said whether they’ve gotten into these information sharing sites, they clearly got as far as the portal to the tools that let investigators share information on large networked investigations, targeting things like gangs, other organized crime, terrorists, and hackers. If hackers were to access those information sharing networks, they might be able to both monitor investigations into such networked crime groups, but also (using credentials they already hacked) to make false entries. And all that’s before CISA will vastly expand this info sharing.

Meanwhile, the Intercept reported receiving 2.5 years of recorded phone calls — amounting to 70 million recorded calls — from one of the nation’s largest jail phone providers, Securus. Its report focuses on proving that Securus is not defeat-listing calls to attorneys, meaning it has breached attorney-client privilege. As Scott Greenfield notes, that’s horrible but not at all surprising.

But on top of that, the Intercept’s source reportedly obtained these recorded calls by hacking Securus. While we don’t have details of how that happened, that does mean all those calls were accessible to be stolen. If Intercept’s civil liberties-motivated hacker can obtain the calls, so can a hacker employed by organized crime.

The Intercept notes that even calls to prosecutors were online (which might include discussions from informants). But it would seem just calls to friends and associates would prove of interest to certain criminal organizations, especially if they could pinpoint the calls (which is, after all, the point). As Greenfield notes, defendants don’t usually listen to their lawyers’ warnings — or those of the signs by the phones saying all calls will be recorded — and so they say stupid stuff to everyone.

So we tell our clients that they cannot talk about anything on the phone. We tell our clients, “all calls are recorded, including this one.”  So don’t say anything on the phone that you don’t want your prosecutor to hear.

Some listen to our advice. Most don’t. They just can’t stop themselves from talking.  And if it’s not about talking to us, it’s about talking to their spouses, their friends, their co-conspirators. And they say the most remarkable things, in the sense of “remarkable” meaning “really damaging.”  Lawyers only know the stupid stuff they say to us. We learn the stupid stuff they say to others at trial. Fun times.

Again, such calls might be of acute interest to rival gangs (for example) or co-conspirators who have figured out someone has flipped.

It’s bad enough the government left OPM’s databases insecure, and with it sensitive data on 21 million clearance holders.

But it looks like key law enforcement data collections are not much more secure.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

8 replies
  1. bloopie2 says:

    It can no longer be argued, with a straight face, that Obama has not given us The Most Transparent Administration Ever.

  2. bloopie2 says:

    I’m curious on two technical points. First. As to something like the mentioned law enforcement portal, which I assume is available to members likely numbering in the tens or hundreds of thousands, is it really possible, technically, to make it ‘secure’? Or would doing so cause it to become so unwieldy and cumbersome to use (by its totally non-technical members) that it would become, effectively, useless or non-used? Second. Would such ‘securing’ involve mostly ‘user names and passwords’ that could be left lying about or be easily given out? If so, what’s the point?

    • emptywheel says:

      I think it might be accessible to *just* 10,000. The hackers released 2,400 names, and the file I looked at, which was just A to C, wasn’t all that many. But I’m not sure whether that was 2,400.

      It would be easier to say if we knew how the hackers got into it, though they may have stolen credentials from Giuliano, in which case no, it’s not going to be secure so long as someone’s credentials — especially someone so senior, whose credentials would presumably be able to access the whole thing — is available.

      But part of that is the downside to sharing so much data: it’s so accessible if anything goes wrong. For example, depending on the credential it MIGHT be possible to access both teh cyber sharing portals and the organized crime ones. But the people who really need to have access to both SHOULD be relatively small.

  3. omphaloscepsis says:

    Those affected by the OPM breach will find this under “Terms and Conditions” when they sign up for the cure (assuming they read it, rather than just click on OK):

    “10. Arbitration

    You, on the one hand, and ID Experts and each of the Service Poviders, on the other, agree that any claim or dispute (“Claim”) between us shall, at the election of any one of us, be resolved by binding arbitration administered by the American Arbitration Association under its rules for consumer arbitrations. It is the parties’ intent that this arbitration provision be construed broadly, including that this arbitration agreement include any Claims by You against ID Experts or the Service Providers, as well as their respective corporate affiliates. You agree that, by entering into this Agreement, You, ID Experts and the Service Providers are each waiving the right to a trial by jury or to participate in a class action. At your request, we will pay the first $125 of your arbitration fees. You will be solely responsible for your arbitration fees and costs in excess of $125.”

    I believe the technical term is “adding insult to injury”.

  4. Bonky Moon says:

    Sharing:  What a gawd-awful word that turned out to be.
     
    Perhaps the moronic Dianne Feinstein needs to have her PII lobbed around like a football.  That’d be worth a laugh & a half.

  5. orionATL says:

    i spent some time recently trying to understand what the cisa was about, in particular how it would protect large-scale corporate computer systems, e.g., home depot and target. i failed, perhaps because i don’t know enough to appreciate what the cisa could do. for the life of me i could not see how cisa would protect any corporate or governent coputer systems – except maybe in a haystack-halflife, that is, in the data-diametric long run.

    the cisa gives corps stay-out-of-court-free cards but seems not to makes any demands on those same corps to demonstrate maximum effort on their part.

    excuse me ma’am, but can i just interject here: the congress is an idiot AND the congress is a collection of pharisees.

Comments are closed.