Tag Archives: Security

“Hackback”: A New Approach

Today we read about the likely death in a drone attack of an ISIS hacker/warrior/cyber-jihadist:

http://www.forbes.com/sites/seanlawson/2015/09/12/with-drone-strike-on-isis-hacker-u-s-escalates-its-response-to-cyber-attacks/

In the infosecurity world, we’ve heard for years about the idea of “hackback”, basically an offensive response to an offensive action. Every couple of years this idea comes back around as someone gets frustrated with feeling like the attackers have all the advantages (and fun) and wants to take the fight back to them.

It’s an understandable idea. And, in some measured cases, it may even make sense. But as a blanket rule, no, it’s not a good idea.

This latest development shows that “hackback” doesn’t need to be contained to computer tactics: a physical or kinetic response is just as (if not more) effective.

The bigger story though is how this shows that the idea of “infosecurity” is more and more an empty concept and that it’s all just “security”.

Clinton Official Statement: Email Security Sections

Following up my posting of the relevant section of the press conference transcript, Business Insider has posted the full official statement as well. Here are the relevant sections related to email security.

Was classified material sent or received by Secretary Clinton on this email address?

No. A separate, closed system was used by the Department for the sole purpose of handling classified communications which was designed to prevent such information from being transmitted anywhere other than within that system, including to outside email accounts.

How did Secretary Clinton receive and consume classified information?

The Secretary’s office is located in a secure area. Classified information was viewed in hard copy by the Secretary while in the office. While on travel, the Department had rigorous protocols for her and traveling staff to receive and transmit information of all types.

Where was the server for her email located?

The server for her email was physically located on her property, which is protected by U.S. Secret Service.

What level of encryption was employed? Who was the service provider, etc?

The security and integrity of her family’s electronic communications was taken seriously from the onset when it was first set up for President Clinton’s team. While the curiosity in the specifics of this set up is understandable, given what people with ill-intentions can do with such information in this day and age, there are concerns about broadcasting specific technical details about past and current practices. However, suffice it to say, robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.

Was the server ever hacked?

No, there is no evidence there was ever a breach.

Was there ever an unauthorized intrusion into her email or did anyone else have access to it?

No.

What was done after her email was exposed in February 2013 after the hacker known as “Guccifer” hacked Sid Blumenthal’s account?

While this was not a breach of Secretary Clinton’s account, because her email address was exposed, steps were taken at that time to ensure the security and integrity of her electronic communications.

Clinton Press Conference Transcript: Email Security Sections

For those following the Clinton Email Situation, I’ve gone ahead and taken the full press conference transcript that Time posted and have pulled out the sections that pertain specifically to questions around the email server and its security.

CLINTON: Yes?

QUESTION: Did you or any of your aides delete any government-related e-mails from your personal account? And what lengths are you willing to go to to prove that you didn’t?

Some people, including supporters of yours, have suggested having an independent arbiter look at your server, for instance.

CLINTON: We did not. In fact, my direction to conduct the thorough investigation was to err on the side of providing anything that could be possibly viewed as work related.

That doesn’t mean they will be by the State Department once the State Department goes through them, but out of an abundance of caution and care, you know, we wanted to send that message unequivocally.

That is the responsibility of the individual and I have fulfilled that responsibility, and I have no doubt that we have done exactly what we should have done. When the search was conducted, we were asking that any email be identified and preserved that could potentially be federal records, and that’s exactly what we did.

And we went, as I said, beyond that. And the process produced over 30,000 you know, work emails, and I think that we have more than met the requests from the State Department. The server contains personal communications from my husband and me, and I believe I have met all of my responsibilities and the server will remain private and I think that the State Department will be able, over time, to release all of the records that were provided.

QUESTION: Madam Secretary, two quick follow ups. You mentioned the server. That’s one of the distinctions here.

This wasn’t Gmail or Yahoo or something. This was a server that you owned. Is that appropriate? Is it — was there any precedent for it? Did you clear it with any State Department security officials? And do they have — did they have full access to it when you were secretary?

And then separately, will any of this have any bearing or effect on your timing or decision about whether or not you run for president? Thank you.

CLINTON: Well, the system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.

So, I think that the — the use of that server, which started with my husband, certainly proved to be effective and secure. Now, with respect to any sort of future — future issues, look, I trust the American people to make their decisions about political and public matters. And I feel that I’ve taken unprecedented steps to provide these work-related emails. They’re going to be in the public domain. And I think that Americans will find that you know, interesting, and I look forward to having a discussion about that.

QUESTION: Were you ever — were you ever specifically briefed on the security implications of using — using your own email server and using your personal address to email with the president?

CLINTON: I did not email any classified material to anyone on my email. There is no classified material.

So I’m certainly well-aware of the classification requirements and did not send classified material.

(CROSSTALK)

QUESTION: (OFF-MIKE)

CLINTON: Because they were personal and private about matters that I believed were within the scope of my personal privacy and that particularly of other people. They have nothing to do with work, but I didn’t see any reason to keep them.

Comment Article on the Clinton Email Server Issue

My latest posting over at Geekwire is my analysis and commentary on why Hillary Clinton using a “homebrew” email server is a major security problem.

http://www.geekwire.com/2015/why-the-clinton-email-server-story-matters-and-why-it-may-be-worse-than-you-think/

Comments on the Stratos Digital Wallet Card

I got to talk with KIRO Radio here in Seattle recently about some of the risks with new, untested digital wallet cards like the new offering from Stratos. Plus, my comments on how cash may make a comeback.

http://mynorthwest.com/11/2723041/Digital-payment-is-waiting-in-line-for-when-credit-cards-die

A Trip to the Doctor

Or, more accurately, the local urgent care clinic.

I had to make a trip there today to get looked at for the latest crud that I’ve been battling for the last week.

My check-in was a good example of how you have to be assertive to protect your security and privacy these days. Sometimes, very uncomfortably so.

While I was doing the usual check-in paperwork, the admissions clerk asked me, “Can I get your driver’s license to scan please?”

I asked, “why do you need that?”

She replied, “Because the copy we have is expired.”

I looked puzzled and she rotated her monitor for me to see the black and white scanned copy of my old, expired license.

It’s been years since I’ve been here, but I don’t remember them ever telling me they were taking a scan of my driver’s license on check-in. Probably one time when I was sick I wasn’t paying enough attention to ask my usual “Why do you need it, what are you going to do with it” questions.

I explained to her that I wasn’t comfortable with her taking a scan. I was happy, I said, to show it to them, but not to retain a copy.

She then said that the point was to protect my identity. I said, I understand, but holding that information is itself a threat to my identity. I said, when this clinic’s information is stolen like Anthem’s was, it will be harder to steal my identity since they won’t have my driver’s license.

She said she understood and we moved on in the check-in process.

Later, I was chatting about identity theft to try and lighten things after having to say “no”. While we were talking she told me how she was herself the victim of identity theft. Someone stole mail out of her mailbox and was able to steal her identity. She said it was finally cleared up but it took years and included a knock at the door at 3AM from a sheriff looking to serve a warrant on her meant for the identity thief.

It was a good exercise in real world security and privacy protection. It underscores how you have to be active and sometimes push back, even to the point of seeming like you’re being difficult. It underscores too how you have to always be paying attention, since I can’t recall how they got my old driver’s license into the system in the first place. And it also shows that identity theft is very real, very prevalent, very hard to untangle, and has nasty consequences. Finally, it reminds me that we can’t just focus on the digital side of things. Physical mail theft and phone scams are old but still work, so they’re still active threats.

It really reinforces my view that real-time identity theft monitoring and monthly checking of accounts and records are critical for all of us.

It really is dangerous out there. It really is hard to do the right thing, even when you know what it is.

At least some of us have job security.