Hello, National Security Agency: Preventing this sort of thing is your job. Once you're done snarfing up my personal data, perhaps you could attend to it.
IMO securing Presidential communications is of paramount importance to national security. Even the non-classified stuff. But there's little reward or glory for doing that. It's really a "small" task.
Compare to spending billions of dollars building gigantic data centers, tapping fiber everywhere possible, recording every scrap of communication metadata that exists, actively subverting computers, doing quid pro quo spying on our allies domestic communications in exchange for them doing the same to us. Etc. Etc. Etc.
The grandiose profligacy is unending. That's how bureaucrats get promoted and get job satisfaction.
Actual "National Security" for the President, well, that's obviously beneath them.
A week ago a Russian group that used an Android trojan to steal money using a banking app has been busted [1]. You don't read about this because they targeted a Russian bank so it's of little interest to the people outside Russia. When you read news in Russian you will get much more on the Russian hackers. Same, I believe, is true for Chinese though I don't read Chinese news myself so I could be mistaken here.
America is a one of the countrie most targeted by hackers. Because Americans have $$$. Out of that big number, a few hackers get caught, and you hear it on the news. That ones that don't get caught do not make the news.
In other words without knowing how many hackers get away you can't make any assumption about the effectiveness of American hacker catching abilities.
These networks would be under the white house communications agency, a subset of the defense information systems agency which is not affiliated with NSA. Supposedly his blackberry is run through NSA (See, e.g., the fishbowl project), and was not implicated in this breach.
That being said NSA is involved in plenty of national defenses measures, its part of their mandate to help defend American networks. They also basically led the US Cyber Command and pioneered most of the systems used to monitor traffic/threats signatures (Einstein).
Once they find out the foreign location of the attacker, I'm sure it gets handed off to NSA at some level. And recently it seems the FBI isn't scared to seek criminal charges either.
It's not that it's the President's email that's vulnerable. It's that _all_ people's email is vulnerable.
Some of those people are key to national security, many aren't. But they all deserve privacy and protection.
And yes, one of NSA's mandates is to secure U.S. communications:
"The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information. "
> And yes, one of NSA's mandates is to secure U.S. communications:
No, their mandates is to secure military and national security systems. From your own link, their responsibilities with respect to information assurance are (emphasis mine):
- Act as the National Manager for National Security Systems as established in law and policy, and *in this capacity be responsible to the Secretary of Defense and to the Director, National Intelligence*
- Prescribe security regulations covering operating practices, including the transmission, handling, and distribution of signals intelligence and communications security material *within and among the elements under control of the Director of the National Security Agency*
The legal definition of National Security System is[1]:
(1) National security system.— In this section, the term “national security system” means a telecommunications or information system operated by the Federal Government, the function, operation, or use of which—
(A) involves intelligence activities;
(B) involves cryptologic activities related to national security;
(C) involves command and control of military forces;
(D) involves equipment that is an integral part of a weapon or weapons system; or
(E) subject to paragraph (2), is critical to the direct fulfillment of military or intelligence missions.
(2) Limitation.— Paragraph (1)(E) does not include a system to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
NIST has responsibility for providing guidance on securing unclassified government systems and commercial networks.[2] Like the parent commenter said, securing White House communications in particular falls under the purview of the White House Communications Agency, which is subordinate to DISA.[3]
Most of the efforts to bring the NSA and the rest of the intelligence agencies into the fold with regards to securing U.S. communications at large have been heavily protested: [4][5]
You read my comment wrong. It wasn't making a point, it was stating a fact that there isn't just one agency responsible for network security in the Federal Government.
Your point is the more important one. The danger here is not the breach, since it was an unclassified system, but rather the universal surprise that it was possible. That demonstrates a dangerous level of ignorance in our society.
I am under the impression that attribution is a very difficult and often impossible process. If that is true, what is the point of including "Russian" in this headline? I would guess the most probable response would be something involving "fulfilling a narrative." Even if that is true, what makes "Russian" hackers more exciting then just "Hackers?"
I am not trying to pose some profound question. I am genuinely confused by this.
The article goes on to mention "Iranian hackers" and "Chinese hackers". Obviously all those enemies of the United States are up to no good and the US must raise a cyber army against them. Just for defence, of course. Like drone strikes and boots on the ground.
> what makes "Russian" hackers more exciting then just "Hackers?"
It's all about what ultimately happens to the information harvested. If it's some kids in mom's basement doing it for lulz, that's not very concerning.
But, presumably, Russian hackers, even if not actual Russian government employees, would pass on useful information to their government. Even if non-classified, that could be very damaging to national security.
From the article, the attacks were relatively sophisticated. Which makes it more likely that "state actors" were involved. The article also claims that the two most common state actors are Chinese and Russian, and the fingerprints of this operation pointed more to Russia than China.
YMMV. As you say, "attribution is a very difficult and often impossible process".
Russian hackers (and most of russian programmers) don't support current government and would never give such important information to government. This title is just part of the information war. In Russia government is trying to create image of "cruel Americans", so maybe it's the try to make something similar from USA side. Or not :)
In the US (and a few other places in the world), the NSA has capabitilites that private hackers don't, because they get to place their equipment on the backbone. The Russian version of the NSA has no special access in the US, so what Russian government hackers can do, any private hacker can do. Any private hacker can damage national security just as much (or more) by selling the data to the highest bidder(s) or releasing it publicly.
Because of this, there is no difference for national security whether Russian government hackers did it, or anyone else. The only piece of useful info is that the systems were hacked and how they were hacked. The attribution is just for show (and as always in these cases, not very reliable either).
Sounds like a mention in passing of the most likely culprit by a background source turned into definitive proof in original article, then all other media repeat ad nauseum. This is a very typical newscycle, and doesn't mean officials have solid proof. Though it doesn't mean they do not either.
I think it's more likely a deliberate move by the White House. They want us to believe it was Russia, but they either aren't ready to publicly substantiate the claim or don't want to be held to it politically, so they make the accusation through an anonymous source.
Sounds perfectly alright to me. Remember that there are levels of classification. Unclassified (the lowest level) could be running through Gmail in plain text for all anyone at the White House cares. Anything of even minute importance will get a classification status.
(Also, Re: the NSA—they do the government's COMSEC, securing the classified data. OPSEC, the risk/reward policies regarding what data should be classified and so on, is a more distributed policy-making task, though they might have a hand in it. Requirements on a document's classification levels given its content are set by top-down Executive Orders.)
In today's political climate, it doesn't really have to be "classified" for it to damaging. All they need is an email of the president making some sort of offbeat joke about conservatives or something, and that would be a major crisis for him once the media gets their hand on it.
Thats inescapable today, especially for public figures, so everyone must be very very careful what they email on semi-private channels. Especially to 3rd parties they don't 100% trust.
The president is no doubt instructed on the level of security he should expect from non-secure channels. I would hardly feel bad for politicians vs maybe some young teenager in highschool who doesn't yet know any better.
Perfectly alright to the functioning of the government, I mean. It might ruin the President's personal life—and thus get him kicked out of office, maybe—but that's a far less damaging thing than ruining his professional life and thus damaging e.g. peace talks with some foreign power.
To put it another way, there are two Presidents: one is a man, and the other is a role. The point of OPSEC is to ensure that the continued execution of the role is not compromised by attacks on the man.
Actually there are various sub-designations for unclassified material[0]. Just because it's unclassified does not mean it's not confidential, or problematic if certain individuals have access to it. The burden of classifying all communications would be too great, too restrictive. Everything electronic would have to be over classified networks, leaks would have to be handled appropriately, and nobody could ever have a public conversation about anything. Doesn't mean everything should be plaintext in gmail though.
I always wonder how these hackers know which IP range to attack. Is it just like a hit and miss kinda thing? Or do they have insiders who leak those info to them.
Chicken and egg, but that Romanian guy that broke into Clinton's email (and thereby had a hand in exposing that she was using her own server) probably saw email to and from the White House. Metadata, after all, is the gift that keeps on giving. An innocent IP leads to an interesting IP leads to blackmail, extortion, spying and all kinds of other fun.
Actually, it's not that difficult. The v4 blocks assigned to DoD are quite well known, but that's a pretty large swath by itself (/8's), so one would want to tighten the target a little. That's not a hard task at all.
If you wanted to figure it out starting with something like whitehouse.gov is a bad place to begin. That's a public facing media engine at best, not really used for "government" per se. In fact, it's likely not even homed on a DoD or GOV network. Many of the media engine type sites in the government are outsourced to third party hosting.
You'd want to find something more specific, like perhaps a protected access web system, like a Sharepoint portal or website, or even a mail relay conveniently pointed out by an MX record. Trace that system back and you likely will find either its reverse proxy, a front end system, or an SMTP entry point. This gives you the parameter subnet (DMZ) that you can probe from there. Then, using available DNS records, you could start mapping out the parameter looking for proxies, mail relays, and web servers. If you had access to web traffic logs you could use them as well to look for egress points from networks. If you had e-mail traffic to look at you'd likely see leaked internal subnets as well in the headers. However, this would only work for services they have blessed for access to the public internet.
It is absolutely no different than how you'd map any other network.
> Am I the ONLY one who has a hard time believing that these hackers ONLY got "unclassified" stuff? Riiiiiiiiight. They just don't want us to know how deeply in these folks got. Why would they just get "unclassified" stuff?
I know what you said is a little bit tongue-in-cheek, but as someone running a news startup there are two types of news consumers:
1. People looking to understand what's happening
2. People looking for ammunition to reinforce their already-unstoppable notion as to how the world works.
In terms of root causes, this incident should cast a spotlight on NSA/IC strategy and the balance between "Information Assurance" goals and SIGINT goals: is the NSA going to deliberately leave everyone vulnerable (including, apparently, POTUS) to enable offensive operations of questionable value, or should NSA and its partners re-emphasize their IA mission and work toward securing the systems everyone uses? I can only hope Obama is leaning toward the latter after being personally affected.
The NYT article doesn't have many tech details. It would be interesting to know whether it was ineptly configured and managed. Was this a dusty old server in the cellar running unpatched Windows 2008 and an old version of Exchange, or was it a hardened and well-managed system?
Somebody on Computerworld said that the State Dept was spearphished, and that POTUS's system was breached from there.
If only the government could create a honeypot network full of simulated traffic and meticulously faked communications designed to mislead the would-be snoopers... Then this article could be another step in the ruse.
That would probably too much money and effort, though.
45 comments
[ 155 ms ] story [ 1520 ms ] threadCompare to spending billions of dollars building gigantic data centers, tapping fiber everywhere possible, recording every scrap of communication metadata that exists, actively subverting computers, doing quid pro quo spying on our allies domestic communications in exchange for them doing the same to us. Etc. Etc. Etc.
The grandiose profligacy is unending. That's how bureaucrats get promoted and get job satisfaction.
Actual "National Security" for the President, well, that's obviously beneath them.
Case in point: when was the last time you heard Russia/China arresting a hacker?
Not that the USA doesn't have plenty of malicious infosec hackers, that's just a silly notion.
[1] http://safe.cnews.ru/news/top/index.shtml?2015/04/13/594827
In other words without knowing how many hackers get away you can't make any assumption about the effectiveness of American hacker catching abilities.
Once they find out the foreign location of the attacker, I'm sure it gets handed off to NSA at some level. And recently it seems the FBI isn't scared to seek criminal charges either.
It's not that it's the President's email that's vulnerable. It's that _all_ people's email is vulnerable.
Some of those people are key to national security, many aren't. But they all deserve privacy and protection.
And yes, one of NSA's mandates is to secure U.S. communications:
"The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information. "
https://www.nsa.gov/about/mission/index.shtml
It's not just the President the NSA are failing.
No, their mandates is to secure military and national security systems. From your own link, their responsibilities with respect to information assurance are (emphasis mine):
The legal definition of National Security System is[1]: NIST has responsibility for providing guidance on securing unclassified government systems and commercial networks.[2] Like the parent commenter said, securing White House communications in particular falls under the purview of the White House Communications Agency, which is subordinate to DISA.[3]Most of the efforts to bring the NSA and the rest of the intelligence agencies into the fold with regards to securing U.S. communications at large have been heavily protested: [4][5]
[1] https://www.law.cornell.edu/uscode/text/40/11103
[2] http://csrc.nist.gov/publications/nistbul/csl91-02.txt
[3] http://www.disa.mil/Careers/WHCA
[4] https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and...
[5] https://en.wikipedia.org/wiki/Cybersecurity_Information_Shar...
Your point is the more important one. The danger here is not the breach, since it was an unclassified system, but rather the universal surprise that it was possible. That demonstrates a dangerous level of ignorance in our society.
I am not trying to pose some profound question. I am genuinely confused by this.
It's all about what ultimately happens to the information harvested. If it's some kids in mom's basement doing it for lulz, that's not very concerning.
But, presumably, Russian hackers, even if not actual Russian government employees, would pass on useful information to their government. Even if non-classified, that could be very damaging to national security.
From the article, the attacks were relatively sophisticated. Which makes it more likely that "state actors" were involved. The article also claims that the two most common state actors are Chinese and Russian, and the fingerprints of this operation pointed more to Russia than China.
YMMV. As you say, "attribution is a very difficult and often impossible process".
Because of this, there is no difference for national security whether Russian government hackers did it, or anyone else. The only piece of useful info is that the systems were hacked and how they were hacked. The attribution is just for show (and as always in these cases, not very reliable either).
(Also, Re: the NSA—they do the government's COMSEC, securing the classified data. OPSEC, the risk/reward policies regarding what data should be classified and so on, is a more distributed policy-making task, though they might have a hand in it. Requirements on a document's classification levels given its content are set by top-down Executive Orders.)
It's stupid, but that's just how it is.
The president is no doubt instructed on the level of security he should expect from non-secure channels. I would hardly feel bad for politicians vs maybe some young teenager in highschool who doesn't yet know any better.
To put it another way, there are two Presidents: one is a man, and the other is a role. The point of OPSEC is to ensure that the continued execution of the role is not compromised by attacks on the man.
Or, in short: long live the king.
[0] http://en.wikipedia.org/wiki/Sensitive_but_unclassified
; <<>> DiG 9.8.3-P1 <<>> mx whitehouse.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26690 ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;whitehouse.gov. IN MX
;; ANSWER SECTION: whitehouse.gov. 9982 IN MX 110 mail6.eop.gov. whitehouse.gov. 9982 IN MX 105 mail2.eop.gov. whitehouse.gov. 9982 IN MX 110 mail5.eop.gov. whitehouse.gov. 9982 IN MX 105 mail1.eop.gov. whitehouse.gov. 9982 IN MX 105 mail4.eop.gov. whitehouse.gov. 9982 IN MX 105 mail3.eop.gov.
If you wanted to figure it out starting with something like whitehouse.gov is a bad place to begin. That's a public facing media engine at best, not really used for "government" per se. In fact, it's likely not even homed on a DoD or GOV network. Many of the media engine type sites in the government are outsourced to third party hosting.
You'd want to find something more specific, like perhaps a protected access web system, like a Sharepoint portal or website, or even a mail relay conveniently pointed out by an MX record. Trace that system back and you likely will find either its reverse proxy, a front end system, or an SMTP entry point. This gives you the parameter subnet (DMZ) that you can probe from there. Then, using available DNS records, you could start mapping out the parameter looking for proxies, mail relays, and web servers. If you had access to web traffic logs you could use them as well to look for egress points from networks. If you had e-mail traffic to look at you'd likely see leaked internal subnets as well in the headers. However, this would only work for services they have blessed for access to the public internet.
It is absolutely no different than how you'd map any other network.
> Am I the ONLY one who has a hard time believing that these hackers ONLY got "unclassified" stuff? Riiiiiiiiight. They just don't want us to know how deeply in these folks got. Why would they just get "unclassified" stuff?
> Only unclassified emails. Right.
Do people even read articles these days?
I know what you said is a little bit tongue-in-cheek, but as someone running a news startup there are two types of news consumers:
1. People looking to understand what's happening 2. People looking for ammunition to reinforce their already-unstoppable notion as to how the world works.
This unfortunate announcement is one of those things lawmakers love to use to justify exploitative and unethical policies.
Let's hope that's not the case
Somebody on Computerworld said that the State Dept was spearphished, and that POTUS's system was breached from there.
That would probably too much money and effort, though.