Security – truthvoice.com (feed last updated Wed, 22 May 2019 10:28:33 +0000)

CIA Employees First Victims of The U.S. OPM Hack
https://truthvoice.com/2015/10/cia-employees-first-victims-of-the-u-s-opm-hack/
Thu, 01 Oct 2015 09:24:36 +0000

[Image: James Clapper]

Irony came back to the shores of the United States in the month of September as the CIA was forced to recall a number of undercover agents working in China. The agents’ names and identities were part of the millions of records exposed by the hack of the U.S. Office of Personnel Management earlier in 2015.

The OPM hack was called “the gift that keeps on giving for years” by the Director of National Intelligence, James Clapper.

A subsequent audit of the OPM’s security practices and posture demonstrated that the infrastructure was in shambles, lacking logging and monitoring, systems updates and patches, with some systems not having been reviewed in several years. Also, some of the most critical databases and back-end systems lacked multi-factor authentication and many of them were not even authorized to be on the network!

The breach affected tens of millions of past and current government employees, exposing medical history and background investigations forms and details about the individuals, including CIA agents and embassy staffers.

As CIA agents do not usually show up on diplomatic manifests and lists of staffers, Chinese intelligence could deduce that missing names would be strong indicators of CIA operatives or other secret activities performed by the individuals in question.

According to the Washington Post, Clapper told a congressional panel that the OPM breach was not so much an attack as a form of espionage, and that both nations engage in this behavior. What happened in the OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

Clapper said that the OPM hack “has very serious implications . . . from the standpoint of the intelligence community and the potential for identifying people” who may be undercover.

AshleyMadison.com Hacked – Customer Service Lying To Members About Security
https://truthvoice.com/2015/07/ashleymadison-com-hacked-customer-service-lying-to-members-about-security/
Tue, 21 Jul 2015 08:59:35 +0000


by Deric Lostutter

We all know that AshleyMadison.com – the dating site whose slogan is “life is short, have an affair” – was recently compromised by a group of hackers calling themselves Impact Team.

Ashley Madison released this statement pertaining to the unauthorized access of the site.

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”

Impact Team threatened to release all of the information of more than 30 million users if they didn’t take AshleyMadison.com and EstablishedMen offline. The hackers chose to release 2,500 records to show they mean business. The mirrors were taken down by use of the “Digital Millennium Copyright Act” or “DMCA” requests on behalf of Avid Life Media, the parent company of AshleyMadison. It is unclear just how much information Impact Team has obtained, but the information could include credit card numbers and other financial information.

Impact Team left this message behind:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Below is a snippet left behind by Impact Team verbatim:

AshleyMadison customer service call centers have been swamped, reassuring clients that their information is secure and that only 2 records were ever compromised – a claim that is obviously false given the leak the company worked so hard to take offline. Some customers are even taking advantage of a “full delete” option that was rolled out because of the hack, which AshleyMadison claims will remove all user information; however, the company refuses to say whether it also deletes the damning credit card transaction information associated with user profiles.

With AshleyMadison lying to its users, the only way to be sure your information is safe in corporate hands is never to give it to them in the first place.

Hackers Stole All Federal Employees’ SSN And Private Data
https://truthvoice.com/2015/06/hackers-stole-all-federal-employees-ssn-and-private-data/
Fri, 12 Jun 2015 08:53:37 +0000


A federal worker union claims that the massive Office of Personnel Management hack reported last week is even bigger and more damaging than the government cares to admit. The American Federation of Government Employees believes the hackers stole the social security number of every current federal employee and retiree, along with the SSNs of up to a million former workers.

The Associated Press has also obtained a letter addressed to OPM and written by AFGE’s president, J. David Cox, in which he listed the other types of information stolen from OPM’s database: military records and veterans’ status information; address, birth date, job and pay history; health insurance, life insurance and pension information; and age, gender and race data. Meanwhile, the Wall Street Journal reports the hackers were inside for more than a year before a sales demo by a tech firm discovered malware in the network.

In the same letter, Cox accused the agency of failing to take the proper precautionary measures to protect federal workers: it keeps up to 780 separate pieces of information on each person, after all. “We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” he wrote.

Take note, however, that Cox and his team don’t have access to the investigation and are basing all this on OPM’s sketchy and limited responses to their questions. An OPM spokesperson has denied allegations that the breach is bigger than the agency reported, telling NBC News that the official number of affected people remains the same: 4.2 million overall, including 1 million retirees, 2.1 million active civilian federal employees and 1.1 million separated workers.

If you recall, some authorities, including Sen. Harry Reid and Sen. Susan Collins, revealed that the government believes China is behind this security breach. The stolen data could be used for anything, from identity theft to blackmail. So if you’re a government employee and you receive a warning email from Homeland Security, take advantage of the credit monitoring and identity theft protection services the agency promised to offer.

This story was written by Mariella Moon for Engadget.

Why The FBI’s Encryption Backdoor Plans Will Never Become Reality
https://truthvoice.com/2015/04/why-the-fbis-encryption-backdoor-plans-will-never-become-reality/
Wed, 29 Apr 2015 10:28:32 +0000


The FBI wants backdoors in all your crypto, and UK Prime Minister David Cameron made backdoors an election promise, but as Stanford lawyer/computer scientist Jonathan Mayer writes, there’s no way to effectively backdoor modern platforms without abolishing the whole idea of computers as we know them, replacing them with an imaginary and totalitarian computing ecosystem that does not exist and probably never will.

Mayer gives the example of how stopping Android users from using crypto would require the abolition of third-party app stores, rolling back the state of the art in Web-based apps, introducing kill switches to the platform that let Google delete your apps and the data associated with them, and preventing jailbreaking at all costs.

He mentions that the same is true for iOS, though that’s not exactly right — it’s a felony to jailbreak many iOS devices (iPhones, but not iPads, are temporarily exempted from this thanks to a Copyright Office ruling that expires this year), and it’s a felony to run a third-party iOS app store and to supply jailbreaking tools for iOS.

DRM-locked ecosystems are already designed to prevent users from running code they want to run, so it’s conceptually a lot easier to see how a government could simply tell all those companies — Sony, Nintendo, Apple, Nest, John Deere, etc. — that the law requires them to approve only apps with backdoors, then help the companies with their existing project of vigorously prosecuting jailbreak tool-makers, and so get a much more airtight seal around users’ ability to use good crypto.

One option: require Google to police its app store for strong cryptography. Another option: mandate a notice-and-takedown system, where the government is responsible for spotting secure apps, and Google has a grace period to remove them. Either alternative would, of course, be entirely unacceptable to the technology sector—the DMCA’s notice-and-takedown system is widely reviled, and present federal law (CDA 230) disfavors intermediary liability.

This hypothetical is already beyond the realm of political feasibility, but keep going. Assume the federal government sticks Google with intermediary liability. How will Google (or the government) distinguish between apps that have strong cryptography and apps that have backdoored cryptography?

There isn’t a good solution. Auditing app installation bundles, or even requiring developers to hand over source code, would not be sufficient. Apps can trivially download and incorporate new code. Auditing running apps would add even more complexity. And, at any rate, both static and dynamic analysis are unsolved challenges—just look at how much trouble Google has had identifying malware and knockoff apps.

Continue with the hypothetical, though. Imagine that Google could successfully banish secure encryption apps from the official Google Play store. What about apps that are loaded from another app store? The government could feasibly regulate some competitors, like the Amazon Appstore. How, though, would it reach international, free, open source app repositories like F-Droid or Fossdroid? What about apps that a user directly downloads and installs (“sideloads”) from a developer’s website?

The only solution is an app kill switch. (Google’s euphemism is “Remote Application Removal.”) Whenever the government discovers a strong encryption app, it would compel Google to nuke the app from Android phones worldwide. That level of government intrusion—reaching into personal devices to remove security software—certainly would not be well received. It raises serious Fourth Amendment issues, since it could be construed as a search of the device or a seizure of device functionality and app data. What’s more, the collateral damage would be extensive; innocent users of the app would lose their data.

Designing an effective app kill switch also isn’t so easy. The concept is feasible for app store downloads, since those apps are tagged with a consistent identifier. But a naïve kill switch design is trivial to circumvent with a sideloaded app. The developer could easily generate a random application identifier for each download.

Google would have to build a much more sophisticated kill switch, scanning apps for prohibited traits. Think antivirus, but for detecting and removing apps that the user wants. That’s yet another unsolved technical challenge, yet another objectionable intrusion into personal devices, and yet another practice with constitutional vulnerability.

You Can’t Backdoor a Platform [Jonathan Mayer]

Homeland Security and FBI Issue Fake Emergency Hacker Warning For Cops – For Legal Activities!
https://truthvoice.com/2015/04/us-cert-issue-fake-emergency-hacker-warnings-for-cops-for-legal-activities/
Wed, 22 Apr 2015 10:26:44 +0000


by Virgil Vaduva

Updated at 2:12 PM EST.

In what appears to be an all-out fear-mongering and intimidating announcement, IC3, the Internet Crime Complaint Center, a website maintained by the FBI, issued an emergency alert stating that “family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity.”

While re-packaged as a brand new Internet security emergency, the alert is little more than a copy and paste of a “Security Tip” titled “Staying Safe on Social Networks,” published on January 26, 2011 by the United States Computer Emergency Readiness Team (US-CERT). While masquerading as a “national emergency,” the alert is little more than a poorly written list of steps that anyone, not just law enforcement or police officers, could take to increase their online privacy.

Without citing any specific threat, Mindi McDowell wrote in 2011 that law enforcement personnel are at risk of having personal information exposed on social media networks and other public web sites. Yesterday, April 21, 2015, the FBI, using its IC3 website, issued a newly re-packaged alert restating the same warning, going into a bit more detail but still not citing any credible threat and sticking to very generic language:

“Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.”

To make matters worse for the average reader of this release, the IC3 advisory even cites “doxing” as one of the main reasons for issuing the advisory, except that doxing is a perfectly legal activity that largely involves gathering publicly and legally available information about a particular topic or individual. Their alert, however, defines doxing as follows:

“The act of compiling and posting an individual’s personal information without permission is known as doxing.”

Not only is this blatant fear-mongering on the part of the FBI and Homeland Security, but, as I mentioned above, doxing is in fact a completely legal activity that involves little more than using online search tools like Google and other search engines to find and compile legally available information!

The brand new “fake” security alert was picked up by other government agencies and was sent out to millions of information security and IT professional subscribers late yesterday:

[Screenshot of the redistributed alert, captured 2015-04-22]

IC3, NCCIC and US-CERT have all been tasked with maintaining awareness of ongoing cyber threats to our national defense systems and Internet infrastructure. It appears, however, that these organizations and the alerting mechanisms they use to raise awareness of serious threats are now being used to instigate fear about legal activities that millions of Americans use every day for research work.

One notable FBI case related to doxing was that of the Steubenville, Ohio rapists, who were exposed by Anonymous hacker Deric Lostutter. Working under the handle KYAnonymous, Lostutter was interviewed for this article about doxing and said,

“…as far as the legality of doxing goes, it is perfectly legal should you use data gathered from public sources such as Google, Spokeo, LinkedIn etc. The problem the feds have with the practice is they don’t hold the people who leave all of their information freely on the internet accountable. When the FBI raided me in April of 2013, I explained to Agent Bixby of Ohio that Spokeo had an address that I lived at that was a safe house. He stated, ‘well that just seems illegal.’ Seeming illegal and being illegal are two different things. It was my fault, as it is the fault of the target, that the information is publicly obtainable. Information on the internet grows exponentially.”

In that case, Lostutter claims to have spent a substantial amount of time researching legally accessible, publicly available information to identify the rapists and expose them. Shortly thereafter he was raided by an FBI SWAT team and arrested, and his computer equipment was confiscated. As a result he is now facing more prison time than the rapists he helped expose.

His closing statement to TruthVoice about doxing and his message to the FBI was,

“I can find anything out, about anyone, dead or alive. Cop or not. All legal, they can suck my left nut.”

Unfortunately, the FBI’s practice of pushing announcements about doxing through emergency notification channels may be having the opposite effect. It may be detrimental to maintaining awareness of information security topics, by lowering the bar for what constitutes a true cyber security emergency and desensitizing the security industry to real threats and risk factors.

If the folks at Homeland Security, IC3 and NCCIC (who are largely former law enforcement officers) truly believe doxing to be such a danger to the general public, they should issue a general advisory for all Americans who may be at risk of having their privacy violated, not just for cops or current law enforcement members. The issuance of this alert illustrates that the current channels used for emergency alerts are little more than a joke and now seem to be used for what appear to be political motives.

You can read the original advisory here: https://www.us-cert.gov/ncas/tips/ST06-003

You can read the re-packaged advisory here: http://www.ic3.gov/media/2015/150421.aspx

Virgil Vaduva is a Libertarian security professional, journalist, photographer and overall liberty freak. He spent most of his life in Communist Romania and participated in the 1989 street protests which led to the collapse of the Ceausescu regime. He can be reached at vvaduva at truthvoice.com.
