funsec mailing list archives
Re: Clinton's Office Says Her Passport Files Also Breached
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 22 Mar 2008 08:58:55 -0400
[ I elided your remarks 'cause this is rather long as it is. Hopefully I've managed to respond to all of them. ]

I actually toned down my initial response. No, you may not see it. ;-)

Don't take this personally. I have no idea who you are. I don't really care. I'm reacting to what you've said and haven't even bothered to notice your name, let alone remember it. It's irrelevant. So -- throughout this -- read "you" as "generic you".

And my reaction is a mix of astonishment, exasperation, disappointment, and outrage. Were I given this response by a freshman student on a final exam, I'd fail them for the course. I would never expect to hear such a thing from a professional working in the field. (And if the certification processes aren't weeding out people who lack even this rudimentary level of understanding, then they're even more worthless than I think they are -- and I already think they're pure crap.)

So here are some preliminary thoughts (and I do mean "preliminary") that outline in part just what the big deal is. I'm sure these only scratch the surface and are rife with omissions, and probably even a few errors. But even in this incomplete, unpolished state, I think that any one of these is more than enough to demonstrate that this is a very serious matter.

1. If we presume that one part of what we've been told is true -- that accesses of certain passport files result in notifications to supervisors -- then we know that the people running the operation are complete morons who have failed to demonstrate even a rudimentary grasp of basic security principles. They have implemented one of Marcus Ranum's Six Dumbest Ideas in Security, to wit, #1: default permit.

The proper way for this to work, of course, is that all such files should be locked and all access forbidden without PRIOR supervisory approval. There should also be additional measures in place: for example, offhand I can think of:

- it should require more than one supervisor. This closes down some attack vectors and it means that others rely on cooperation between two or more people, which in turn means that in addition to violating the Privacy Act, unauthorized accesses would require a conspiracy. It also means there are more loose lips to blab about it, increasing both the probability of detection and the probability that someone can be turned if detection occurs.

- it should generate notification that goes up and across the supervisory chain in a manner which can't be controlled by supervisors.

- the list of files thus treated should be actively maintained, and should contain people who are likely to be the targets of curiosity, blackmail, threats, etc. Standing entries should include members of Congress, federal judges, governors, etc.; ad hoc entries should be created based on the front pages of the New York Times, Washington Post, etc. and should require approval by more than one person, in order to prevent reverse gaming of the system by an individual.

- access to locked files should never be permitted to contractors, only to permanent employees. If necessary, workloads should be shifted in order to accomplish this.

- in the case of especially sensitive files -- and this is one of them -- then access should require approval that comes from the office of the Secretary of State.

- unless the access relates to an ongoing criminal investigation, any subject on this list should be notified when their data is accessed. For example, if someone needed to do a routine check on former President Carter's passport prior to a trip to Peru, then he should be informed. This also increases the probability that spurious accesses will be detected, especially if the notification process is via a channel that workers and supervisors can't access or control.

2. We don't know who accessed these files, we don't know why, we don't know if they made copies, we don't know if they transcribed information, we don't know if they passed any of it on, we don't know who they're associated with, we don't know who they're working for, we don't know... much of anything. But any student of history (or anyone old enough to recall it) should realize that we didn't know the answers to rather similar questions when McCord, Barker, Gonzalez, Martinez, and Sturgis were caught either. This incident should be setting off alarms in everyone's heads which keep insisting that it's not so simple, not so cut-and-dried, as it's being made out to be. Which is not to rule out the faint possibility that in the end it might turn out to be so -- but it would be naive in the extreme to presume that today.

And we most *certainly* should not accept any spokesbot's statement that they "believe no copies were made" or "believe the information wasn't passed on". That's the same fatuous nonsense that we hear every time there's a data leak. They're announcing the negative hypothesis as fact when it's only possible to prove the positive one. There is no such thing as "belief" in security.

3. *three times*? That's not idle curiosity. Think about it: they'd already fired two people for this, yet a third one DID IT AGAIN ANYWAY, even though there can be little doubt that they knew about the previous firings, knew why they took place, knew about the monitoring mechanism, and very likely knew whose file was involved. (If you were supervising this department and just fired two people, wouldn't you make sure that all current as well as any incoming new employees were excruciatingly aware of this? Would you not have had an all-hands meeting during which you read the riot act to everyone in a loud, clear voice?) Idle curiosity is insufficient motivation for someone to risk losing their job under these circumstances. People don't take chances like this just because they're bored. (And actually, "chances" isn't the right word, because again, if we believe part of what we were told, it wasn't probable they'd be caught: it was certain. And they knew it.) This strongly suggests to me that (a) it wasn't idle curiosity and (b) the job was considered expendable.

Oh, and: don't you think that given how many of these breaches we already know about -- by now some *supervisors* should have been fired?

4. Who else's files? Now we're told that Senators Clinton and McCain's files were also accessed. It's very curious that this did not come out during the press conference call. Think about it: you're the Secretary of State. You get wind of this. What are the first questions that come into your head? They should be: What about Michelle Obama? and: What about Senator Clinton? and Senator McCain? If these aren't the questions that come to mind instantly then you shouldn't be Secretary of State: you clearly lack sufficient mental agility. And when these questions come to mind, in the first ten seconds after you find this out, you then spend the next twenty seconds issuing the order to have them answered right friggin' now. And you get those answers in a very big hurry, because you want to make sure you have them in-hand *before* you set up a media conference call. If necessary, you have staff work all night and you have the conference call the next morning. You do this because (a) it's completely obvious due diligence and (b) you darn well know that you're going to be asked. In short, you don't make a move until you have this data in hand. But this isn't what happened. Why?

Also: consider the contrast in timelines. This problem, if we're to believe part of what we're told, festered for months. But the elapsed time from when the story broke to when the press conference call was held was only a couple of hours. So we see a pathetically slow reaction (if any) followed by a lightning-quick one. That's decidedly odd.

5. Given the disclosures about Senator Clinton and Senator McCain, we can now not only repeat all the questions above (and add "have these people been fired too?"), we can ask why this wasn't disclosed at the same time, and we can also inquire as to who else's file was accessed. Huckabee? Richardson? Kucinich? Romney? How about Wright? Or Hagee? Or were these other accesses merely invented so that the problem could be spun in a manner consistent with getting it out of the news cycle? Paranoia? No. It's prudent skepticism. It's a recognition that the most believable lies contain a lot of truth, and that this administration lies as a matter of institutional policy.

6. Who leaked this to the Washington Times? Why did they leak it? Why the wingnut Washington Times and not the Washington Post or New York Times or some other actual real live newspaper read by grown-ups? Was it someone in the administration -- which would hardly raise an eyebrow given that this administration has a well-known history of using leaks of confidential/private/secret information when it suits its purposes -- or was it someone frustrated by inability to draw administration attention to the problem?

7. The Secretary of State claims she only found out about this yesterday. So either:

a. She is telling the truth or
b. She is lying

If (a) then something is severely wrong at State, because there is simply no possible way that the passport file of a presidential candidate gets accessed twice and supervisors are notified and people are fired and the Secretary of State doesn't know a darn thing about it. If (b) then I trust it's obvious why this is a major problem.

8. Something else that's severely wrong: put yourself in the position of a supervisor who gets a message from the database system that the file of a presidential candidate has been accessed. After you call security and have the relevant person detained, do you quiz them extensively about what they were doing, get them to admit they were indulging their curiosity, fire them, and have them escorted off the premises?

No, you do not. You do that if it was Britney Spears' file. But it's not -- it's a PRESIDENTIAL CANDIDATE. So you call the Secret Service. You call the FBI. You go find your supervisor, and then two of you go find his/her supervisor, and you repeat this process until everyone in that chain is sitting in the Secretary's office waiting for the Secret Service and the FBI to get there, and when they show up, you all collectively go crawl up that person's ass with a microscope. Meanwhile, someone finds a lawyer, and they go get the appropriate warrant(s) to set up surveillance on that person. When you finally let that person go, you keep track of everyone they come in contact with, every phone call, every email (which should be easy since the telcos are already illegally doing it anyway). And so on. This is presuming you let them go. If you have grounds, you charge them with violating the Privacy Act and you arrest them.

You do all this because there is the distinct possibility that this person means to harm the candidate -- or their family. And because you can't rule that out except by process of elimination (and maybe not even then), you deploy massive resources to do that very thing. And then you inform the candidate so that *their* people know what the hell is going on. And as soon as humanly possible, you bundle everything you found out into a dossier and put it in the hands of the Secret Service detail associated with that candidate. And then you do this for the other candidates and their assigned details because you know that there will be occasions when they're all in the same place at the same time, so it would be prudent to have as many clued-in eyeballs as possible present when that happens.

This is an extremely obvious course of action even to the casual observer. But it didn't happen. Why?

9. You get an independent investigator for several reasons. First, internal investigators can't be trusted. Second, State has already proved to my satisfaction that it's either incompetent or lying or both. No point letting it prove it again by investigating itself. Third, you need someone who's a careerist, not a political appointee. Fourth, an inevitable part of this will be the blame game. An independent investigator doesn't care who gets blamed and won't bias the investigation in order to spare anyone humiliation. We hope. And finally, you do this because you're aware that 16 years ago, during a previous Bush administration, Elizabeth Tamposi -- an assistant Secretary of State -- dispatched people to ransack then-candidate Bill Clinton's passport file in search of material that could be used against him in the campaign. Coincidence? Yeah, riiiiiight.

10. Who else's passport file has been accessed to indulge someone's curiosity, to acquire data for resale, to dig up dirt for political reasons, to leak to the press, to [fill in with a myriad of other purposes]? It should be abundantly obvious that if this level of abuse and malfeasance can take place with known-critical data, that there is every reason to think that less critical data which is not tripwired for alarm-on-access has been essentially undefended. That's a huge problem.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
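The contrast in point 1 of the post above, alert-on-access "default permit" versus a locked file that cannot be opened without prior two-supervisor approval, as an added example that is not part of the original message or any real system; the record ids, requester names and the two gate functions are constructed for illustration:

```python
# Added example: default-permit tripwire vs. default-deny gate for locked records.
# WATCHLIST ids, requester names and the audit/inbox lists are all constructed.
from dataclasses import dataclass, field

WATCHLIST = {"REC-1001", "REC-1002"}   # constructed ids of "locked" files


@dataclass
class Request:
    requester: str
    record_id: str
    is_contractor: bool = False
    approvals: set = field(default_factory=set)   # supervisor ids who approved BEFORE the read
    criminal_investigation: bool = False


def default_permit(req: Request, audit: list) -> bool:
    """The design the post criticises: the read happens first, the alert comes afterwards."""
    audit.append(f"ALERT supervisor: {req.requester} read {req.record_id}")
    return True  # by the time anyone reads the alert, the file has already been disclosed


def default_deny(req: Request, audit: list, subject_inbox: list) -> bool:
    """Locked files open only with prior approval from two distinct supervisors."""
    if req.record_id not in WATCHLIST:
        return True                                  # ordinary record, normal workflow
    if req.is_contractor:
        audit.append(f"DENY {req.requester}: contractors may not open locked files")
        return False
    if len(req.approvals) < 2 or req.requester in req.approvals:
        audit.append(f"DENY {req.requester}: two distinct supervisor approvals required")
        return False
    # Notification goes to an oversight channel the requester and supervisors cannot suppress.
    audit.append(f"OVERSIGHT {req.requester} opened {req.record_id}, "
                 f"approved by {sorted(req.approvals)}")
    if not req.criminal_investigation:
        subject_inbox.append(f"{req.record_id} was accessed by {req.requester}")  # tell the subject
    return True


def demo() -> dict:
    """Run the same curiosity-driven read through both gates and report what each allowed."""
    audit, inbox = [], []
    curious = Request("clerk_a", "REC-1001")
    contractor = Request("temp_b", "REC-1001", is_contractor=True, approvals={"sup1", "sup2"})
    approved = Request("clerk_c", "REC-1002", approvals={"sup1", "sup2"})
    return {
        "permit_allowed": default_permit(curious, audit),
        "deny_curious": default_deny(curious, audit, inbox),
        "deny_contractor": default_deny(contractor, audit, inbox),
        "deny_approved": default_deny(approved, audit, inbox),
        "subject_notified": len(inbox),
    }
```

Under the tripwire design the curious read is logged but still succeeds; under default deny it never opens, and the one legitimate read both reaches oversight and notifies the subject.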