DHS still a mess, five years on

One of the main points of the creation of the Department of Homeland Security in 2004 was to centralize oversight over a wide array of agencies with responsibility for the safety and security of the United States and its territories. The 9/11 Commission made 41 specific recommendations to Congress, and one of those was “create a single, principal point of oversight and review for homeland security.” But that’s one that hasn’t been accomplished–DHS oversight by Congress is through 86 separate committees and subcommittees (see chart below, click on it for the full-sized image). The Center for Public Integrity and the Center for Investigative Reporting have joined forces to investigate the effectiveness of the Department of Homeland Security’s efforts since its creation, and will be publishing a series of reports over the next several months which should prove quite interesting.

July 16, 2009 · 1 min

Bad military botnet proposal still being pushed

I just came across an April 2009 BBC story which shows that USAF Col. Williamson is still promoting his idea of building a U.S. military botnet to engage in offensive denial of service attacks against foreign targets on the Internet. But I haven’t seen him respond to any of the criticisms of his bad idea, including in the online forum of the journal where he published it. I think a more effective idea would be to adjust the computer crime statutes to provide immunity to prosecution (or at the very least an affirmative defense to criminal charges) for private responses to attacks that meet certain criteria, so that ISPs, security researchers, and competent individuals could engage in offensive actions against compromised machines to disable malicious software or take them off the network. Perhaps some kind of licensing or bonding would do the trick, and ISPs could put an exception into their acceptable use policies for entities that met the criteria. That’s also my partial response to this more recent BBC story about “what rules apply in cyber-wars” which led me to find the Williamson article.

June 27, 2009 · 1 min

Tracking cyberspies through the web wilderness

Yesterday’s New York Times has an interesting article about how security researchers at the University of Toronto have helped uncover online spy activity, apparently conducted by the Chinese government, against the Dalai Lama’s office in India. One odd comment in the article: “And why among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems?” I find this particularly odd in that I’ve seen compromised U.S. government systems plenty of times in my information security career, including spam issued from military computers. I don’t find it plausible that the U.S. government has recently improved the security of all of its computers and networks so that there are no more compromised systems. In the context of the article, it’s discussing more specifically compromises due to the particular spy ring being monitored. The preceding sentences point out that they weren’t able to determine with certainty who was running it, and the immediately preceding sentence asks, “Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked?” The question should actually have asked why it wasn’t encrypted, rather than “password-protected,” but the possibilities suggested to me here are that (a) this particular activity is being run by amateurs or (b) this particular activity was intentionally detectable as either (i) a distraction from other, more hidden activity or (ii) to put the blame on China by somebody other than China. ...

May 12, 2009 · 2 min

The Cybersecurity Act of 2009

There’s FUD spreading about Sec. 14 of the Cybersecurity Act of 2009, maintaining that it amounts to an effective repeal of the 4th Amendment for the Internet. That’s not so–the scope is restricted to “threat and vulnerability information” regarding the Internet, which I interpret to mean network service provider knowledge about compromised systems, botnets, etc., much of which is no doubt already being voluntarily shared with the government as is permissible under the Electronic Communications Privacy Act of 1986, when, in the course of a provider’s normal service monitoring, it becomes aware of possible criminal activity. I expect I’ll have more to say after I have a chance to read through the whole bill (PDF).

April 5, 2009 · 1 min

The U.S. Nazi dirty bomb plot

Remember how the press was all over the story of the 29-year-old millionaire white supremacist and fan of Adolf Hitler in Maine who was building a dirty bomb that he planned to set off at Obama’s inauguration, but it didn’t happen because his wife shot and killed him? Me neither, but James G. Cummings of Belfast, Maine, had (quoting Wikileaks) “four lots of one gallon containers of bomb-grade hydrogen peroxide, uranium, thorium (also radioactive), lithium metal, thermite, aluminum powder, beryllium (radiation booster), boron, black iron oxide and magnesium ribbon” which he somehow planned to set off at the inauguration. Personally, I don’t think that volume of material could have been easily smuggled in anywhere near the inauguration activities without raising suspicion. Why no press coverage of this story, apart from the Bangor Daily News? Wikileaks has a summary; Wonkette has summarized that; the Washington D.C. Regional Threat and Analysis Center report (PDF) is here. ...

March 15, 2009 · 2 min

PATRIOT Act NSL gag order unconstitutional

For a second time, a U.S. appeals court has found unconstitutional the provision of the USA PATRIOT Act which forbids recipients of National Security Letters from disclosing that they have received them. After the first time around, Congress amended the law to introduce some minimal judicial review, but maintained the burden of proof on the recipient if the government claimed there were national security reasons for the NSL to remain secret. The courts have ruled that this burden needs to fall on the government. If this continues to stand, then perhaps the rsync.net warrant canary will become superfluous.

December 19, 2008 · 1 min

White House may be forced to recover "lost" emails

Lawsuits by the National Security Archive of George Washington University and the watchdog group Citizens for Responsibility and Ethics in Washington (CREW) have won a ruling from a U.S. district court judge that the White House can be forced to recover the five million “lost” emails that were deleted between March 2003 and October 2005. Those emails were required to have been preserved under the Presidential Records Act. Another set of emails from the office of Vice President Dick Cheney from September 30, 2003 to October 6, 2003 were found to be “lost and unrecoverable” by an Office of Administration investigation. 65,000 backup tapes have been preserved as part of the litigation, and those tapes will apparently be available for review to recover some of the five million lost emails. More details at IntelDaily.

November 14, 2008 · 1 min

Criminal activity by air marshals

Looks like the air marshals have a problem similar to the TSA and the Border Patrol: Shawn Nguyen bragged that he could sneak anything past airport security using his top-secret clearance as a federal air marshal. And for months, he smuggled cocaine and drug money onto flights across the country, boasting to an FBI informant that he was "the man with the golden badge." Michael McGowan used his position as an air marshal to lure a young boy to his hotel room, where he showed him child porn, took pictures of him naked and sexually abused him. And when Brian "Cooter" Phelps wanted his ex-wife to disappear, he called a fellow air marshal and tried to hire a hit man nicknamed "the Crucifixer." Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan. More details at USA Today.

UPDATE (8 March 2015): Another air marshals scandal: What began as an internal investigation into allegations of harassment and threats stemming from a spat between ex-lovers has expanded into a criminal inquiry focused on the Federal Air Marshal Service’s dispatch hub in Herndon, Virginia. More than 60 federal employees are under scrutiny as investigators look into whether flights considered at risk of hijacking or a terrorist attack were left without marshals on board, sources with knowledge of the investigation told Reveal.

Historical Comments

Sheldon (2008-11-18): Wow! That’s 36 Federal law enforcement officials who had passed the background checks to fill those positions, and then went bad, some very bad. Pretty scary when you think about it. Thanks. ...

November 14, 2008 · 2 min

Behind the scenes during the election process

Newsweek reports some interesting tidbits from behind the scenes of the election process in both the McCain and Obama campaigns: Both the McCain and Obama campaigns had computers compromised by “a foreign entity or organization [which] sought to gather information on the evolution of both camps’ policy positions.” And that entity was successful in collecting such data, apparently. Palin’s shopping spree was more extensive and expensive than has previously been reported: “While publicly supporting Palin, McCain’s top advisers privately fumed at what they regarded as her outrageous profligacy. One senior aide said that Nicolle Wallace had told Palin to buy three suits for the convention and hire a stylist. But instead, the vice presidential nominee began buying for herself and her family—clothes and accessories from top stores such as Saks Fifth Avenue and Neiman Marcus. According to two knowledgeable sources, a vast majority of the clothes were bought by a wealthy donor, who was shocked when he got the bill. Palin also used low-level staffers to buy some of the clothes on their credit cards.” The spending was allegedly tens of thousands of dollars more than reported. McCain rarely spoke to Palin during the campaign, and although she wanted to speak in Phoenix along with McCain for his concession speech, this was vetoed by McCain’s campaign strategist, Steve Schmidt. The Secret Service reported “a sharp and disturbing increase in threats to Obama in September and early October, at the same time that many crowds at Palin rallies became more frenzied.” Palin attacked Obama about his connection to William Ayers before the campaign had finalized its plan about that issue–McCain had not given his approval, and a top advisor was resisting it. Hillary Clinton was on much better terms with McCain than with Obama, and McCain feared that Hillary Clinton would be named as Obama’s VP, and was glad when he chose Biden. There are lots of other interesting bits in the article, as well.

November 6, 2008 · 2 min

TSA airport security is a waste of time and money

Jeffrey Goldberg explains why in The Atlantic. The check for whether you’re on the no-fly list is at the time of ticket purchase and check-in; there is no validation of your actual ticket against your ID at the TSA checkpoint (you can easily print and use a fake boarding pass at the TSA checkpoint); there is no check of ID when you board the plane. The checks for substances and items at the TSA checkpoint are easily subverted, with the restrictions on liquids probably the most absurd and pointless. We’re throwing away billions of taxpayer dollars per year on security theater. (Hat tip to John Lynch.)

October 18, 2008 · 1 min