
posted by janrinok on Friday October 23 2015, @08:51AM
from the if-it's-valuable-encrypt-it dept.

A desktop computer and hard drive stolen from the University of Washington Center for Human Rights stored sensitive details of human rights violations in El Salvador and a lawsuit against the Central Intelligence Agency:

Sometime between October 15-18, the office of Dr. Angelina Godoy, Director of the University of Washington Center for Human Rights, was broken into by unknown parties. Her desktop computer was stolen, as well as a hard drive containing about 90% of the information relating to our research in El Salvador. While we have backups of this information, what worries us most is not what we have lost but what someone else may have gained: the files include sensitive details of personal testimonies and pending investigations.

This could, of course, be an act of common crime. But we are concerned because it is also possible this was an act of retaliation for our work. There are a few elements that make this an unusual incident. First, there was no sign of forcible entry; the office was searched but its contents were treated carefully and the door was locked upon exit, characteristics which do not fit the pattern of opportunistic campus theft. Prof. Godoy's office was the only one targeted, although it is located midway down a hallway of offices, all containing computers. The hard drive has no real resale value, so there seems no reason to take it unless the intention was to extract information. Lastly, the timing of this incident—in the wake of the recent publicity around our freedom of information lawsuit against the CIA regarding information on a suspected perpetrator of grave human rights violations in El Salvador—invites doubt as to potential motives.

We have contacted colleagues in El Salvador, many of whom have emphasized parallels between this incident and attacks Salvadoran human rights organizations have experienced in recent years. While we cannot rule out the possibility of this having been an incident of common crime, we are deeply concerned that this breach of information security may increase the vulnerability of Salvadoran human rights defenders with whom we work.

Reported at KPLU and KUOW.


  • (Score: 1, Insightful) by Anonymous Coward on Friday October 23 2015, @09:53AM (#253551)

    It's 2015. Encryption and Encrypted backups. That's why we have it - to protect the innocent. This was reckless and stupid ...

  • (Score: 5, Informative) by NCommander (2) <michael@casadevall.pro> on Friday October 23 2015, @10:11AM (#253552)

    If they used Windows (and I'm going to assume they do), you can't start BitLocker via Active Directory, and it either has to use Windows 7 Enterprise/Ultimate or Windows 8+ Pro (some organizations don't bother with volume licensing and simply use what came on the machine), it has to be manually enabled at each machine and requires a TPM module which only some desktops have, *and* requires a trip to the BIOS/UEFI configuration screen to enable. You can kludge around it using scheduled tasks, but it's very non-trivial and can go horribly wrong. Furthermore, Windows uses a computer's TPM to store information, and while TPMs are tamper resistant, if the theft was carried out by a nation state, there is likely a good chance they could recover the key stored in the TPM. This is also presuming that there is no type of backdoor or zero-day side-channel attack in Windows' BitLocker or in the TPM modules themselves. For other full disk encryption products for Windows, I've never heard of a good deployment story for them.

    Full disk encryption helps for non-targeted attacks, but is of limited use for a targeted attack. Windows doesn't warn if Secure Boot has been disabled (at least as of 8.1, the story may be different on 10), and without Secure Boot, you can simply patch the bootloader binaries to store and record the password. If you want an attack harder to detect, and have the resources, a nation state could easily gain physical access to a machine and install a backdoor into the System Management Mode firmware via an EEPROM reader (an attack of this type was demonstrated at DEFCON). Then just record the first 100+ keystrokes of a machine coming out of reset to onboard flash storage. Boom, password. And that's just off the top of my head; you could easily install a device to interface between the KB and the computer and log keystrokes via hardware; almost undetectable.

    Encryption helps, but it sure as hell isn't a magic bullet. Failing all of the above, one day zero that allows remote execution, and a custom rootkit that AV software won't detect, and you're in business.

    --
    Still always moving
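
The comment above raises three conditions an administrator can check per machine: whether Secure Boot is on, whether a TPM is present and ready, and how each BitLocker volume is protected. The following is an added example, not part of the original comment; the function name `Get-DiskEncryptionPosture` is hypothetical, and it assumes an elevated PowerShell session on Windows 8 or later with the BitLocker cmdlets installed.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Get-DiskEncryptionPosture is a hypothetical helper name.
function Get-DiskEncryptionPosture {
    $findings = New-Object System.Collections.Generic.List[string]

    # Secure Boot: the cmdlet returns $true/$false on UEFI firmware and
    # throws on legacy BIOS systems, which is recorded as its own finding.
    $secureBoot = $null
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        if (-not $secureBoot) { $findings.Add('Secure Boot is disabled') }
    } catch {
        $findings.Add('Secure Boot state unavailable (legacy BIOS or unsupported firmware)')
    }

    # TPM: BitLocker's default protector depends on a present, ready TPM.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings.Add('No TPM present') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM present but not ready for use') }

    # BitLocker: flag unprotected volumes and OS volumes that unlock on TPM alone.
    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$($vol.MountPoint) protection is off (status: $($vol.VolumeStatus))")
        } elseif ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm') {
            # A plain 'Tpm' protector releases the key at boot with no PIN or startup key.
            $findings.Add("$($vol.MountPoint) unlocks with TPM only (no PIN or startup key)")
        }
        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            Protection    = $vol.ProtectionStatus
            PercentDone   = $vol.EncryptionPercentage
            KeyProtectors = $types -join ','
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SecureBoot   = $secureBoot
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Volumes      = $volumes
        Findings     = $findings.ToArray()
    }
}

Get-DiskEncryptionPosture | Format-List
```
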
    • (Score: 2) by Alfred (4006) on Friday October 23 2015, @01:28PM (#253586)

      Except for the fact that the CIA would never do anything like this...
      </sarcasm>

      Otherwise I totally agree. I read about a guy who was hacking his own hard drive and found that there were three different ARM processors on the board. In my unsubstantiated opinion, the chances that at least one has compromised firmware from the factory are high. Not to mention the possibility of backdoors that could be built into the silicon. There is no trust in computing.

      /foil_hat
    • (Score: 4, Interesting) by Hyperturtle (2824) on Friday October 23 2015, @04:54PM (#253646)

      Wasn't Germany looking to avoid the use of TPM chips due to the inherent lack of security they have? The users cannot control who has the keys to it.

      Windows 10 even copies related keys for BitLocker to their servers by default. When I have reluctantly* used BitLocker due to employer requirements, I have always saved that key to several local physical items. USB connected storage, for example. Then a copy goes to whoever at the employer that demands it.

      *Note that this is not me doing this to my own hardware as a consultant at a place I am doing a project for; it is on hardware they issued to me. Reluctance can be due to TPM itself, due to having a 5600rpm laptop hard drive with an i7 processor in the laptop and the system is at 100% disk activity once the queue depth reaches about 2.0, or that the BitLocker approach is simply a "we read a white paper and the security team says this is how to secure everything" and then no further efforts are made to prevent remote access into a decrypted drive, etc.

      In any event, there are few low hanging fruits to protect against state sponsored activities such as this. True security has true costs associated with it -- time, convenience, financial, and people. Often, the biggest enemy one can have is one's own behaviors.

      Encryption is no magic bullet for security, just as RAID is no backup for data. Both are tools to achieve a goal but are not the tools to achieve the broad goal of data security. However, if they used something else, in addition to or instead of (discussion of which would be out of scope of this reply), it's possible it could slow down or stop the information gained from the disk drive.

      The real problem here is not the loss of data. Assume it can be obtained if the powers that be would like to have it. It is that an unknown party will be able to know what they know, their past plans, their current plans, their proposed actions, and everything documented on that drive that helps influence their decisions.

      It would have who their contacts are, where they live, phone numbers, email addresses, etc.

      If the drive is readable, that data is now all available for use.

      You can consider it to be piracy, if you want to look at it that way. Nothing was stolen as they still have their data. But the damages are beyond financial in this case, due to the loss of the information security they previously had. It would have been more favorable for them in some regards to have lost their only copy and not had a backup. At least, then, there would be no chance for their enemies or adversaries to gain insight from it.
      A total loss may very well have been highly preferable.

      If this was a state sanctioned activity, then next time I'd expect that someone would make (or replace the drive with) a forensic image, depending on the time available and if it was encrypted. If they are going to steal it and not draw speculation like this to themselves, then the laptop will smoke next time and the data on that drive will have already been made unrecoverable. Maybe just enough would work to boot into Windows, bluescreen, then self destruct. It takes effort to pull off because a great number of details must be considered -- serial number, disk model, positioning of everything in the room, and careful check to make sure someone didn't leave dust out to get fingerprints to see if anyone was tampering with things. Someone with what appears to be a very messy office or room might have a very secure room by design. It could be that coffee cup never moves because it's on top of something that no one is supposed to be touching. If you make it easy, expect them to take it easily.

      I mean, it's not like we haven't read articles on USB stick laptop fryers or self destruct modules or devices that melt away at specific heat levels. Introduce something like that, or just a drive rigged to fail...

      Warranty repair, quite depending on vendor and country this happens, will find nothing wrong considering they likely already honor government requests. It will take longer than usual to get the answer that it can't be fixed, would you like a new one...in fact mr person of interest, why not a whole new high end laptop with the latest OS? For being such a good customer...

  • (Score: 1, Insightful) by Anonymous Coward on Friday October 23 2015, @10:56AM (#253557)

    Then we'd be reading news titled "University of Washington Hardware Stolen & Staff Member Missing"...

    Good ol' rubber hose cryptanalysis. Look, it's not torture when we do it!

    • (Score: 2) by arulatas (3600) on Friday October 23 2015, @04:22PM (#253638)

      We would let you know but National Security....

      --
      ----- 10 turns around
  • (Score: 0) by Anonymous Coward on Friday October 23 2015, @01:50PM (#253592)

    Encryption doesn't help if the goal is to deprive you of information. Now you have a case with evidence, now you don't...

  • (Score: 1) by khallow (3766) on Friday October 23 2015, @04:10PM (#253635)

    Encryption only works if the party doesn't have access to the keys (and assuming they can't break the encryption without inordinate resources for the value of the data contained). If this was a common theft, then it'd work. If it was a theft by the CIA or some other significant intelligence organization, then acquiring encryption keys is just a little more effort (say key logging or EM sniffing).