Friday, February 19, 2016

How disconnected are the cerebellums of the CIA and FBI?

The last few weeks have been significantly active in the security world, constantly providing sitcom writers with material to last a decade. And.... I'm not even going to talk about Donald Trump.

The FBI is sending out court orders to get Apple to put in back doors in an iPhone....

Hillary Clinton is being investigated by the FBI for her "sensitive email" issue....

And the FBI arrests a teenager for hacking into senior CIA & FBI officials' emails....

Let's take a quick look at these events, and let's all realize how much we are being taken for fools.



First off, the FBI does not need Apple to get into the insides of an iPhone. John McAfee is even offering to do it for free. Thanks John. In fact, I will offer to do it for free too; great publicity.

No worries, since the FBI will not let anyone try to get into that iPhone. This case is about the government putting in place the mechanisms for killing privacy in general. So don't be fooled by their request looking all normal because they need Apple to get into a terrorist's phone. Whatever Apple could do, the United States Government can do, or get done.

But let's take a look at the MAJOR security issue around the Hillary Clinton and CIA/FBI email scandal.

Certainly we should be concerned that a senior government official who is representing "the people" and is supposed to be smart would expose sensitive information on her personal email system.

However, something much worse is not being discussed by the media.

How can someone, anyone, take top secret documents from a high-security ecosystem and bring them into a less secure ecosystem (like Hillary's email server)?

Someone should be getting fired, and charged with some form of criminal negligence.

But WAIT! It gets worse.

This week, HackerNews reported that a 16-year-old hacker was arrested for breaking into emails of both the CIA and the FBI.

Take a look at these details (taken from the article):

What the hell is going on at the CIA and the FBI???? Do they not have any security policies or "RULES"? Can anyone just do anything over there?

Well, rest assured, if a normal person working at the CIA or FBI did anything this stupid, they would face the full power of the US government (sorry Snowden).  Yet in this case, just like Hillary, it will be a joke.

What am I referencing exactly...  Senior staff using PERSONAL EMAIL SYSTEMS (like AOL) to handle sensitive data.

These clowns are the real problem. They knowingly allowed sensitive information to transit through insecure systems, therefore violating the agencies' CLEARLY DEFINED POLICIES.

Strangely, John Brennan, James Clapper and Mark Giuliano are not being charged, and have not been arrested...

Yet a 16-year-old is being arrested.

Doing enterprise security assessments is often accompanied by attitudes that resemble this.

What people do not understand is that the security risk is coming from these individuals, not the 16-year-old.

In fact, strangely enough, the 16-year-old exposed the issue, brought it to light, and showed no strategy for making use of the information collected aside from foolishly publishing it.

Who is to say that someone truly malicious had not been reading these imbeciles' emails for months or years?

The 16-year-old went out and published what he found and got caught.

The spies who are taking actions on US soil do not publish their findings for the world to see.  They gather the intelligence and take well educated actions.

Like corporate America, these senior executives are the weakest link, and will significantly and negatively impact security.

So when the FBI is done roasting the 16-year-old, I hope they get their heads out of their asses and have the common sense to take legal action against their own clowns.

In the security industry, we call that the ROOT CAUSE.

You can't fix stupid, but you can fire stupid.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com
