'Trust Us With More Data,' Say Government Agencies Hacked By A 16-Year-Old

from the the-best-defense-is-calls-for-encryption-bans,-apparently dept

We live in a world where a 16-year-old who goes by the handle of "penis" on Twitter can dive into the servers of two of America's most secure federal agencies and fish out their internal files.

This 16-year-old is allegedly part of the same crew that socially engineered their way into the inboxes of CIA director John Brennan, Director of National Intelligence James Clapper and the administration's senior advisor on science and technology, John Holdren.

We also -- somehow -- live in a world where these same agencies are arguing they should be entrusted with massive amounts of data -- not just on their own employees, but on thousands of US citizens.

The DHS, FBI and NSA all want more data to flow to them -- and through them. The cybersecurity bill that legislators snuck past the public by attaching it as a rider to a "must pass" appropriations bill contains language that would allow each of these affected agencies to partake in "data sharing" with private companies. This would be in addition to the data these agencies already gather on American citizens as part of their day-to-day work.

The DHS -- one of the more recent hacking victims -- is the only agency that expressed a reluctance to partake in the new data haul. This isn't because it wouldn't like to have access to the data, but because it would be the agency responsible for "scrubbing" the data before passing it on to other agencies. DHS officials likely took a look at this requirement and saw it for what it was: a scapegoat provision. Should any legal action or public outcry have resulted from the new "sharing" demands, the DHS would have been the agency offered up to appease the masses.

Fortunately for the DHS -- but less fortunately for anyone concerned about expanding domestic surveillance efforts -- this requirement has been altered. A bit. The Attorney General will now examine the DHS's "scrubbing" efforts and determine whether or not they're Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that's not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.

This is the government that feels it can protect the nation from hackers: the government that can't protect itself from hackers.

The IRS seems to suffer from attacks almost daily, thanks to its treasure trove of social security numbers, addresses and other personally identifiable information. The OPM -- which oversees federal hiring -- coughed up plenty of the same personal info when it was hacked.

The agencies involved in the cybersecurity efforts have shrugged at the government's inability to protect personal information, arguing that these hacks only highlight how essential the new cybersecurity legislation is. More power and more data is what's needed, apparently, not an internal effort to shore up security before foisting their demands on the private sector. The government can't protect itself against politically-motivated teenagers. What chance does it have against organized criminals or state-sponsored attacks?

It's insanity. It's like hearing Wal-Mart claim -- after a large data breach -- that the best way to ensure this doesn't happen in the future is to allow it to store customer data collected by its competitors as well. Why make criminals and hackers work harder? Why not house as much data as possible in fewer locations?

To make matters worse, agencies like the FBI and NSA are pushing for greater offensive capabilities, all the while claiming they're very interested in defending the nation against cyberattacks. The two efforts are at odds. One side needs security holes to exploit. The other side needs holes closed as quickly as possible. Even without access to black book budgets, one can easily assume the offensive side will be receiving the majority of funding and manpower. When a vulnerability is discovered, who decides how it's used: the fixers or the exploiters?

The NSA thinks there's no inherent friction in playing both sides. It has decided -- against the recommendations of the President's Review Group -- to merge its defensive and offensive cybersecurity wings. The NSA is the only entity that doesn't see this as a problem. Nicholas Weaver, writing for Lawfare, explains exactly why it shouldn't be doing this.

[T]he... job of protecting US interests generally is far harder. This mission requires that the Agency work with industry as an honest broker. It cannot be seen as intent on using information gathered to sabotage industry's customers or general system security. The trust necessary for this job went up in smoke following the Snowden revelations, which revealed both the vastness of the SIGINT mission and at least one explicit betrayal of the core IA mission. NSA has a long, long way to go in rebuilding this trust.

[...]

The NSA should abandon the merger plans because—regardless of the technical merits—the offensive-defensive merger is viewed by the world as a substantially untrustworthy act. I recognize that offense is part of practicing good defense. But you don't see me writing botnets or high-speed worms. Or breaking into systems without permission. Or providing information to those who do. I manage to defend systems without offense as a core mission, and my defense is not likely to be improved by giving offense a leg up.
Defense isn't something these agencies care about. It may occasionally occur as a result of offensive efforts but it's never the focus. There are no "good guy only" exploits just as certainly as there are no "good guy only" encryption backdoors. The government will never be able to secure its own backyard as long as it believes developing weapons is more important than hardening defenses.

The FBI would rather break into servers halfway around the world and run child porn sites as honeypots than work with other entities to improve their defenses. After all, if someone is hacked, the FBI can always hunt down the perpetrator. As an investigative agency, this makes sense. But it doesn't make sense when the same agency claims it wants to be part of information sharing related to cyberdefense. It's only interested in offensive actions. It only wants evidence and leads.

The DHS, despite containing the words "Homeland Security," isn't truly interested in securing the homeland either -- at least not to the extent that it's interested in opening its own investigations. The NSA is much more in its element performing surveillance and exploiting compromised systems -- neither of which can be considered "defensive" efforts.

In fact, despite the bill's passage, there is no government body tasked solely with the defensive side of "cybersecurity" -- which would seem to be the key element. Defense is apparently meant to be folded in with the rest of their normal activities. Supporters of the legislation think the key is information sharing. It could be, but government agencies have proven over the years they're incapable (or unwilling) to share information with each other. How another layer of government non-sharing is supposed to result in better security is unexplained. Private entities are expected to believe the Cybersecurity Act will turn everyone involved into one big team, but the reality is that it will do little more than add to stores of personal information the government has already proven unable to defend.


Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    Anonymous Coward, Feb 19th, 2016 @ 6:42am

    These agencies are literally out of control. That is to say that there is absolutely no control over these agencies.

    reply to this | link to this | view in thread ]

  2. identicon
    Anonymous Coward, Feb 19th, 2016 @ 6:48am

    hey, maybe this is an admission that these dopes and their agencies are helpless. maybe the only way to safeguard the important information they have is to inundate it with relatively trivial goop to the point that nobody - including the dopes themselves - can find a damn thing.

    reply to this | link to this | view in thread ]

  3. identicon
    Anonymous Coward, Feb 19th, 2016 @ 6:51am

    Re:

    How naive.

    Of course they are under control - but not by those who we are told should be.

    reply to this | link to this | view in thread ]

  4. identicon
    jim, Feb 19th, 2016 @ 6:57am

    Re:

    Dopes, these are the best in american contractors can buy. These are real jauns and achmeds working for pennies, while the bosses make millions. I doubt if they even have high speed dialup where they are at in amerika.

    reply to this | link to this | view in thread ]

  5. identicon
    Anonymous Coward, Feb 19th, 2016 @ 6:59am

    When 1 16 year old is smart enough to hack into the government's networks, then the government simply cannot be trusted with our information.

    I find it odd that the government keeps arguing for weak encryption on smartphones and yet their own networks are so insecure that a 16 year old teenager can crack their own networks?

    The government needs to find this 16 year old teenager and hire him to secure their networks.

    reply to this | link to this | view in thread ]

  6. identicon
    mcinsand, Feb 19th, 2016 @ 7:01am

    and this outfit wants a backdoor to all of our security

    As if we needed any more reason to fight against software backdoors, this is one more. The less of our personal information they have to protect, the better our national security. That information could be very useful in the wrong hands, especially if those hands are any good at data mining to figure out how the information could work against us. If the NSA cared one whit about security, they would be pushing for legislation to punish those that do not use encrypted, backdoor-free communications.

    reply to this | link to this | view in thread ]

  7. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:11am

    Re:

    You are falling for a common misconception, that young hackers are very lever. As often as not their success is a combination of luck and persistence while using code and scripts available online.

    reply to this | link to this | view in thread ]

  8. icon
    That One Guy (profile), Feb 19th, 2016 @ 7:16am

    Re: Re:

    So what you're saying is that a potentially stupid, though persistent and/or lucky 'hacker', with tools easily available online, was able to break into systems that should be incredibly secure?

    ... yeah, that makes the government look so much better.

    reply to this | link to this | view in thread ]

  9. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:28am

    Re: Re: Re:

    Not making a mistake is far harder to do than for someone to find mistakes by random probing.

    reply to this | link to this | view in thread ]

  10. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:28am

    Not to mention they are actively trying to weaken security and encryption, too. It's like they got the whole thing BACKWARDS.

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:38am

    They Don't Care...

    They don't care that they are hacked, except when it goes public...
    They don't care about your liberty or rights, no exception...
    They don't care about the nation, except when forced to care...

    They do care to have information on you so that YOU can be put down like a dog when they have decided you no longer need to be a citizen.

    There is not a single president standing that will benefit this nation, each on carries either a police state mentality or a national suicide plan.

    reply to this | link to this | view in thread ]

  12. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:39am

    Re: They Don't Care...

    meant to say "presidential candidate"

    reply to this | link to this | view in thread ]

  13. identicon
    Anonymous Coward, Feb 19th, 2016 @ 7:46am

    Re: Re: Re:

    And government IT should have better real time intrusion detection and trace back of the intruder.

    Yes, I'm dreaming!

    reply to this | link to this | view in thread ]

  14. icon
    Whatever (profile), Feb 19th, 2016 @ 8:24am

    Re:

    "I find it odd that the government keeps arguing for weak encryption on smartphones and yet their own networks are so insecure that a 16 year old teenager can crack their own networks?"

    If you pay attention, the hack was "social engineering" and not some major network failure. It's about convincing or tricking someone with high enough access to give up their user name and password because they think they should or have to.

    The only way you avoid that hack is to get rid of the wetware.

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, Feb 19th, 2016 @ 9:08am

    Re:

    You have to admit that it isn't hypocritical: "We want your personal online security to be as bad and easily penetrated as ours is in the federal government"

    reply to this | link to this | view in thread ]

  16. icon
    That One Guy (profile), Feb 19th, 2016 @ 9:14am

    Re: Re:

    Avoiding it completely isn't likely to happen, but given the sensitive nature of the databases in question they could make it a lot harder by requiring anyone who loses their login credentials to either show up in person, and/or provide information that only they could be expected to know, such as a separate password the loss of which would lead to the loss of a job, with no exceptions granted no matter who claimed to be asking.

    Why this will never happen? Because it would make things more difficult for higher-ups who screw up and need to recover their password, who would throw fits over having to travel anywhere or remember something else.

    reply to this | link to this | view in thread ]

  17. identicon
    Rich Kulawiec, Feb 19th, 2016 @ 10:01am

    They're building the wrong thing

    and in doing so, they're making a mistake that we see quite often. They think they're building a weapon that will be useful in the "war" on terror or against crime. But in reality, they're building a target -- an enormous, valuable motherlode of data that all kinds of adversaries will attack.

    Why?

    Because there are two ways to acquire vast amounts of useful intelligence: the first is tediously acquire, catalog, and store it. The second, which is often vastly easier and cheaper, is to let someone else do the hard work -- and then steal it from them.

    reply to this | link to this | view in thread ]

  18. identicon
    Stosh, Feb 19th, 2016 @ 10:32am

    And if they can get Apple to break encryption, the hackers can access the rest of your bank accounts, credit cards and other information all the easier.

    reply to this | link to this | view in thread ]

  19. identicon
    Anonymous Coward, Feb 19th, 2016 @ 10:34am

    So they want to drown in a sea of data

    Hey guy's, I've got a great, instead of simply looking for a needle in a haystack. Why why don't go big and look for a needle in a haystack made of needles that's inside a barn house brimming full with hundreds of needle stacks.

    Those three letter agencies should be careful what they wish for, they just might get what ask for.

    I'd love to see the look on the director's of those's groups faces when he or she realizes they've effectively become little more than an always on camera.

    If such a mandate ever came to pass, those three letter acronyms would have to sift through every iota of every us citizen ad infinitum, all in the name of national security.

    reply to this | link to this | view in thread ]

  20. identicon
    Anonymous Coward, Feb 19th, 2016 @ 11:18am

    Re: Re:

    Why are the servers accessible via the internet? Seems a bit optimistic doesn't it?

    reply to this | link to this | view in thread ]

  21. identicon
    Anonymous Coward, Feb 19th, 2016 @ 11:23am

    The problem is that this 16 year old teenager has made the government look extremely incompetent, even though the government doesn't need anyone's help to look THAT incompetent.

    This doesn't look good for a government who argues that technology companies should make their devices more insecure at a time when the government can't even secure their own networks.

    Until the government starts doing a better job at securing their networks, they shouldn't be arguing anything before the courts, or for that matter, the public.

    reply to this | link to this | view in thread ]

  22. identicon
    Anonymous Coward, Feb 19th, 2016 @ 12:39pm

    let the blackmail and police state building commence

    reply to this | link to this | view in thread ]

  23. icon
    ECA (profile), Feb 19th, 2016 @ 12:45pm

    dATA/INFORMATION CONTROLS

    REALLY?

    you want to SORT all data..
    You dont want ANYONE to have encryption..

    This is old..They have tried to monitor things for along time, but Compression and encryption make things abit HARD..
    After getting TONS AND TONS of day, decrypting it takes MORE time..
    They need everyone to NOT encrypt things..so they can Sort it out easier..

    Anyone here, understand the AMOUNTS of data, per day, sent on the internet? JUST in the USA..
    Want to Cut this back to just Cellphone calls, and CHAT channels? it would STILL fill a 20x20 room 4-6 feet HIGH in PAPER..
    Does not include Game channels to chat..

    I dont care how you sort it, or HOW big a computer you have...IF you are monitoring the WORLD, the amopunt of data compared to JUST the USA...would require the resources of Every person in the USA to monitor, sort, and pass on the data to SOME ONE WHO CARES..

    reply to this | link to this | view in thread ]

  24. icon
    SirWired (profile), Feb 19th, 2016 @ 1:41pm

    To be fair to the agencies...

    To be fair to the agencies, the DHS and FBI internal employee telephone and e-mail directory is not exactly on the level of our most precious national secrets here... I suspect you could get the same information for an individual employee by just calling the switchboard and asking.

    reply to this | link to this | view in thread ]

  25. icon
    Coyne Tibbets (profile), Feb 19th, 2016 @ 3:38pm

    Re:

    No kidding. Even this quote from the article:
    Fortunately for the DHS -- but less fortunately for anyone concerned about expanding domestic surveillance efforts -- this requirement has been altered. A bit. The Attorney General will now examine the DHS's "scrubbing" efforts and determine whether or not they're Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that's not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.
    That's not a recipe for responsibility, it's a recipe for finger pointing. DHS will say, "The Attorney General reviewed this and was satisfied with it." The Attorney General will say, "I was mislead." When we ask for information to settle the dispute, both will yell in unison, "National Security!" Presto! No one in the cross-hairs.

    reply to this | link to this | view in thread ]

  26. icon
    nasch (profile), Feb 21st, 2016 @ 5:34pm

    16

    How do you know he's 16?

    reply to this | link to this | view in thread ]

  27. identicon
    Anonymous Coward, Feb 21st, 2016 @ 8:35pm

    Re: Re:

    So what you're saying that grown adults dumb enough to get fooled by a 16-year-old should remain in charge of government security.

    reply to this | link to this | view in thread ]

  28. identicon
    Anonymous Coward, Feb 29th, 2016 @ 2:09pm

    Re: 16

    Yeah, uhhhh.

    The linked Motherboard piece says nothing about Mr. penis being a 16-year-old. Only that he 'wishes to remain anonymous.'

    [citation needed], Tim.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Super-Early Holiday Gear Sale

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.