posted by martyb on Saturday July 22 2017, @09:55PM
from the outsourcing-oopsie dept.

We had two reports of an ongoing situation in Sweden where confidential information held by the government has been compromised:

Outsourcing Nightmare

Sweden might just be experiencing an outsourcing nightmare on a national level. The Swedish transport agency outsourced the entire driver's license database to IBM which in turn made it accessible to three IT workers in the Czech Republic, none of whom had security clearance. With it also came access to various police databases and access to SGSI (Swedish Government Secure Intranet), the secure and encrypted government network. Access to SGSI could also have acted as a backdoor into the STESTA (Secure Trans European Services for Telematics between Administrations) network which is the European and EU equivalent.

Also part of the driver's license database and related systems are databases that contain information about active military personnel, vehicles owned and operated by the armed forces, and people with a protected identity. For normal people, beyond all the usual information a driver's license gives such as the personal ID number — that could be used for identity theft — it might also contain medical information that had to be filed to obtain a driver's license.

The former head of the agency was fired in January 2017 after being under investigation from SÄPO (secret service) and fined 70000 SEK (about $8500) for her part in the wrongdoing. So someone got a slap on the wrist, as this was about half a month's salary for her.

Turns out now everyone in power and government might have known about it for about two years, give or take a couple of months, and had not done anything about it.

Heads are about to roll. I wouldn't want to be in scapegoat range, as someone is about to have to fall on the sword to save their incompetent political bosses' arses.

https://www.thelocal.se/20170721/it-workers-in-other-countries-had-access-to-secret-records-report
https://www.thelocal.se/20170717/swedish-authority-handed-over-keys-to-the-kingdom-in-it-security-slip-up

"The Cloud" Facilitates Worst Known Leak of Government Material To-date

Over at the Privacy News Online blog, Rick Falkvinge writes about Sweden's lack of foresight and knowledge regarding the nature of hosted services and what kind of data they might be appropriate for:

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.

Source: https://www.privateinternetaccess.com/blog/2017/07/swedish-transport-agency-worst-known-governmental-leak-ever-is-slowly-coming-to-light/



  • (Score: 0) by Anonymous Coward on Saturday July 22 2017, @10:49PM (5 children)

    by Anonymous Coward on Saturday July 22 2017, @10:49PM (#543137)

    We had two reports of an ongoing situation in Sweden where confidential information held by the government has been compromised:

    This was a major screw-up and there should be more accountability than 1/2 a month's salary. But do they have any evidence that any data was actually compromised?

    • (Score: 5, Informative) by looorg on Saturday July 22 2017, @11:16PM (4 children)

      by looorg (578) on Saturday July 22 2017, @11:16PM (#543157)

      How will they ever know? Data was transferred to a datacenter in the Czech Republic, it was staffed by people with physical access and also access to the encryption keys. They could have made as many copies as they liked and then removed all traces of it from any logs. They just have to work under the assumption that all is now available to the enemy (or the highest bidder) and possibly also to your friends -- after all everybody likes big juicy databases.

      In some sense the story is now growing by the hour and by the day. Whenever you think you have heard the worst, something else pops up. The only reason it probably hasn't reached full-scale shitstorm levels yet is that this time of year is usually the holiday month and a lot of people in power are away from their offices.

      The previously mentioned three IT workers in the Czech Republic are now probably a company of workers, and it seems to be staffed by people who used to work with or in the Czech military or intelligence community, a country with fairly chummy military and political relations with Russia. So I reckon the equivalent would be if some US department decided to outsource all their information to IBM, which in turn decided to host the information in Cuba and staff the datacenter with people that "used to" work for DI, the civilian Cuban intelligence agency.

      To put it into some historical context: the last of the known, and caught, USSR spies in Sweden was Stig Bergling. During the height of the Cold War he sold secrets to the Soviets regarding military personnel and vehicles used for surveillance of Soviet assets. One day he got a copy of the military defence plan. He managed to make a photocopy of said document, which included the locations of all permanent military fortifications along the coast, all secret command and control facilities and all military storage depots. He was eventually caught by the Israelis and returned to Sweden, where he was sentenced to life in prison. He later escaped and made his way to the USSR. A few years after the collapse of the USSR he and his wife returned to Sweden; they had both been diagnosed with PD and cancer. He was returned to prison, served a few more years but was then released due to his poor health. He died two years ago.
      The motive in both cases was money: Bergling wanted it so he could live a nice comfy life that he felt he deserved, and the transport agency wanted to save money by outsourcing. He got life in prison and she got a fine that was about half a month's salary. He knew what he was doing, he admitted as much - she is currently claiming ignorance and didn't understand that she had to follow the actual laws of the land. Apparently getting a letter and a visit from SÄPO telling you that you shouldn't do something due to national security reasons isn't or wasn't a valid concern for her. Her current claim is that she didn't understand since she isn't a lawyer.

      I'm fairly sure this will be the story that keeps on giving for many months to come. A cautionary tale about outsourcing. They don't even know if they have actually even secured the systems yet or not. They think they might have it under control sometime during the fall. So possibly then fixing it sometime in the next six months and then the potential damage will probably exist for three or four decades. Whatever the saving was for said outsourcing deal that sum already pales in comparison to the sum of the potential damage.

      https://en.wikipedia.org/wiki/Stig_Bergling [wikipedia.org]

      • (Score: 1) by Ethanol-fueled on Saturday July 22 2017, @11:42PM (1 child)

        by Ethanol-fueled (2792) on Saturday July 22 2017, @11:42PM (#543165) Homepage

        National security and non-national security databases are apples and oranges. Say, for example, that I hacked the OPM and acquired and publicly released the SF-86s of all who applied for a security clearance. The data in those forms is extremely detailed and could even lead to the identification of spies and agents in foreign countries. However, that information is not classified. If caught I would be charged with hacking and maybe 2 or 3 hacking-related counts. Same if I hacked and released a nationwide police database with information regarding who was currently under investigation.

        I modded you up, but let's not conflate the two.

        • (Score: 0) by Anonymous Coward on Saturday July 22 2017, @11:50PM

          by Anonymous Coward on Saturday July 22 2017, @11:50PM (#543169)

          "Say, for example, that I hacked the OPM and acquired and publicly released the SF-86's of all who applied for a security clearance."

          No need. The Chinese already did 2 years ago and the US did...nothing.

      • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @01:24AM

        by Anonymous Coward on Sunday July 23 2017, @01:24AM (#543197)

        Another spy of importance:
        Stig Wennerström [wikipedia.org]. Spied for the Soviets 1948 - 1963.

      • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @03:44AM

        by Anonymous Coward on Sunday July 23 2017, @03:44AM (#543256)

        The previously mentioned three IT workers in the Czech republic is now probably a company of workers and it seems to be staffed by people that used to work with or in the Czech military or intelligence community. A country with fairly chummy military and political relations with Russia.

        So chummy that the Russians invaded them in 1968, and they were one of the first countries to break from being a Soviet satellite to being a US satellite. Tone down the hyperbole.

  • (Score: 3, Insightful) by Anonymous Coward on Saturday July 22 2017, @10:51PM (11 children)

    by Anonymous Coward on Saturday July 22 2017, @10:51PM (#543140)

    Anyone that uses cloud services for anything more than personal throwaway email should be taken to the nearest public square, soaked in oil and set on fire. Seriously, DIAF, you're a big part of why we cannot have nice things.

    • (Score: 0) by Anonymous Coward on Saturday July 22 2017, @10:57PM (3 children)

      by Anonymous Coward on Saturday July 22 2017, @10:57PM (#543145)

      Don't forget the feathers before applying the torch!

      • (Score: 0) by Anonymous Coward on Saturday July 22 2017, @11:14PM

        by Anonymous Coward on Saturday July 22 2017, @11:14PM (#543155)

        Something like this [youtube.com] ? :-)
        Goes right with the Swedish theme.. :p

      • (Score: 2) by BsAtHome on Saturday July 22 2017, @11:16PM (1 child)

        by BsAtHome (889) on Saturday July 22 2017, @11:16PM (#543156)

        No! Do not apply feathers... They may try to fly away before the fire catches on!

        Better add gasoline and turpentine, place the person(s) in the middle of a stack of dry wood and be sure to have practiced making fire (ancient art, but you may have outsourced it).

        While you are at it, please make sure to make the proper trail to ensure the fire catching all corners of incompetence.

        • (Score: 0) by Anonymous Coward on Saturday July 22 2017, @11:20PM

          by Anonymous Coward on Saturday July 22 2017, @11:20PM (#543159)

          Don't forget some firecrackers. A few M80s at least.

    • (Score: 0, Disagree) by Anonymous Coward on Saturday July 22 2017, @11:08PM

      by Anonymous Coward on Saturday July 22 2017, @11:08PM (#543152)

      Anyone that uses cloud services for anything more than personal throwaway email should be taken to the nearest public square, soaked in oil and set on fire. Seriously, DIAF, you're a big part of why we cannot have nice things.

      Hogwash. With regards to this story there is no excuse for these kinds of bad decisions. But for many small businesses internet based services (aka "the cloud") can be very beneficial. Of course they should have backups of their own data, etc.

      Before you start with the "but anyone can do it" crap, no, most small businesses cannot do it for themselves. Configuring, administering and maintaining servers is "easy" for some of us but not for 99% of the population. And when you're running a small business you don't have time to pretend to be a server admin/IT expert/whatever. Don't deny small businesses the services and features that big businesses can afford to set up themselves.

    • (Score: 5, Informative) by tibman on Saturday July 22 2017, @11:56PM (5 children)

      by tibman (134) Subscriber Badge on Saturday July 22 2017, @11:56PM (#543171)

      You are uninformed. Might as well say nobody should use SQL because of unsanitized form inputs. Before you place anything sensitive into "the cloud" you have to encrypt it. Your cloud provider can back up, restore, move around, and do whatever they want with your data as long as it is immediately available to you. Decryption/encryption points should be on hardware you own. This lets you tell your clients that no third party has access to their data. Data in transit is encrypted over SSL and data at rest "in the cloud" is encrypted via other means.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 0, Flamebait) by fakefuck39 on Sunday July 23 2017, @09:07AM (3 children)

        by fakefuck39 (6620) on Sunday July 23 2017, @09:07AM (#543311)

        yeah, let's encrypt that ec2 vm so people with access to the db running on it can't access it.. wait, i don't even know how to finish that joke. don't give advice on things you know nothing about retard.

        • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @02:45PM (2 children)

          by Anonymous Coward on Sunday July 23 2017, @02:45PM (#543365)

          What? No. You don't encrypt the EC2 instance or the database running on it. You encrypt the data you send to it and store in the database. Replace EC2 with Dynamo, SDB, S3, Aurora, etc.

          • (Score: 0) by fakefuck39 on Sunday July 23 2017, @04:52PM

            by fakefuck39 (6620) on Sunday July 23 2017, @04:52PM (#543393)

            Tell that to the guy I was replying to. And call him a moron.

          • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @09:10PM

            by Anonymous Coward on Sunday July 23 2017, @09:10PM (#543477)

            The article is about servers outsourced to run in the cloud, not an object store used for data storage. From where exactly do you plan on sending your "encrypted data?" You should really bother to at least read the summary and know the basic topic of conversation before chiming in with your bright ideas.

      • (Score: 1) by khallow on Sunday July 23 2017, @01:44PM

        by khallow (3766) Subscriber Badge on Sunday July 23 2017, @01:44PM (#543353) Journal

        Decryption/encryption points should be on hardware you own. This lets you tell your clients that no 3rd-party has access to their data.

        At least, until the third party obtains that hardware in one of the huge variety of ways they have of doing so.
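The client-side encryption design tibman describes above (encryption and decryption points on hardware you own, the cloud holding only ciphertext), as an added example that is not code from this thread: a local vault seals each record with AES-256-GCM before it reaches a stand-in object store and binds the object name as associated data, so the store's administrators can neither read a record nor quietly alter or swap one. CloudStore, LocalVault and the sample record are constructed for illustration; the reply's point that a server running inside the cloud would need the key is exactly the boundary kept on the local side here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider's object store: whoever runs it can read, copy or alter every blob.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }
func (s *CloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }
func (s *CloudStore) Get(name string) ([]byte, bool) { b, ok := s.objects[name]; return b, ok }

// LocalVault keeps the data key on hardware the owner controls; nothing in it is ever handed to the CloudStore.
type LocalVault struct{ aead cipher.AEAD }

func NewLocalVault() (*LocalVault, error) {
	key := make([]byte, 32) // AES-256 key generated and held on-premises
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalVault{aead: aead}, nil
}

// Upload encrypts locally and stores nonce||ciphertext||tag. The object name is bound as
// associated data, so a store administrator cannot quietly swap one record's blob for another's.
func (v *LocalVault) Upload(store *CloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.Put(name, v.aead.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Download fetches the blob and decrypts it locally; a flipped bit or a blob moved between names fails GCM authentication.
func (v *LocalVault) Download(store *CloudStore, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	n := v.aead.NonceSize()
	if !ok || len(blob) < n {
		return nil, errors.New("object missing or truncated")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	vault, err := NewLocalVault()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	_ = vault.Upload(store, "licence/0001", []byte("constructed sample record")) // not real data
	blob, _ := store.Get("licence/0001")
	back, err := vault.Download(store, "licence/0001")
	fmt.Printf("provider sees %d opaque bytes; owner reads %q (err=%v)\n", len(blob), back, err)
}
```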

  • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @12:18AM (1 child)

    by Anonymous Coward on Sunday July 23 2017, @12:18AM (#543179)

    Sweden is using this to prevent discrimination against people who return to Sweden after fighting for ISIS.

    I'm not going to shed a tear.

    • (Score: 2) by looorg on Sunday July 23 2017, @04:05PM

      by looorg (578) on Sunday July 23 2017, @04:05PM (#543385)

      Sweden is using this to prevent discrimination against people who return to Sweden after fighting for ISIS. I'm not going to shed a tear.

      I doubt they'll cry about that too; they are probably more worried about identities created for informants, agents and operators working for the police or military.

  • (Score: 3, Informative) by Anonymous Coward on Sunday July 23 2017, @01:14AM (1 child)

    by Anonymous Coward on Sunday July 23 2017, @01:14AM (#543193)

    The general director Staffan Widlert (2009–2015) started the headless outsource-it-all project under the conservative government (2006-2014) led by Fredrik Reinfeldt, which was totally into the got-mine-and-fuck-you theme. Also called new public management or such. So when the next director came around, Maria Ågren (2015-2017), she was told to sign a paper on her first day allowing this breaking-the-law mode of operation, or essential services in society would halt operations almost immediately, like being able to issue any driver's license, as an example. However, she anchored it with the chairman of the board, Rolf Annerberg. So when the blame game started she had a meeting with the government no later than February 2016 and some kind of deal was made. That is why she only got fired and a ~$8500 fine. But Rolf Annerberg resigned this week.
    These actions are official crimes that can render many years in prison.

    It's obvious from interrogation documents from the security services (SÄPO) and others that the minister of interior and minister for Infrastructure knew about this exposure for 1.5 years without taking appropriate action. And it's likely that the prime minister did know for some time too. That is how high this affair goes and thus why it can take the government down in a vote of no confidence, new election etc.

    The point is that the government 2014-now has mishandled a lot of other services like the police, health care, schools, housing, immigration, social services, foreign policy etc. for a long time. So patience with them is very low among large parts of the population. To top it off, Serbia, where the firewall services were outsourced, is an amusement park of security services, and its military is a partner with Russia while Sweden is more aligned with the western powers. The database part went to the Czech Republic as mentioned above.

    Take home:
      * Don't trust mainstream media. If it's owned by Bonnier or Schibstedt, they are traitors.
      * Elect a sane government that isn't a bunch of traitors and sellouts.
      * Provide a budget for in-house staff to do the security sensitive stuff. Outsourcing security that matters is a really bad idea.
      * Hire boards that have sane values (meritocracy, security and getting shit done) and brains.
      * Hire general directors who stay within the law, treat employees nicely and get shit done... and brains. Preferably they know computing.

    As always the fish rots from the head down and the smell comes a long time later than when the rotting started.

    • (Score: 1, Informative) by Anonymous Coward on Sunday July 23 2017, @05:30AM

      by Anonymous Coward on Sunday July 23 2017, @05:30AM (#543274)

      Latest from Incompetence-R'-Us:

      Worst known governmental leak ever is slowly coming to light: Agency moved nation’s secret data to “The Cloud” [privateinternetaccess.com] (2017-07-21)

      Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.

      How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it [privateinternetaccess.com] (2017-07-22)

      The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM's subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union's secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.

  • (Score: 1, Offtopic) by krishnoid on Sunday July 23 2017, @01:30AM

    by krishnoid (1156) on Sunday July 23 2017, @01:30AM (#543203)

    With it also came access to various police databases and access to SGSI (Swedish Government Secure Intranet), the secure and encrypted government network. Access to SGSI could also have acted as a backdoor into the STESTA (Secure Trans European Services for Telematics between Administrations) network which is the European and EU equivalent.

    ...

    The former head of the agency was fired in January 2017 after being under investigation from SÄPO (secret service)

    I knew they were a big thing in Sweden, but I had no idea the breadth of influence IKEA wielded in that region. I gotta start paying more attention.

  • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @02:40PM (1 child)

    by Anonymous Coward on Sunday July 23 2017, @02:40PM (#543362)

    fined 70000 SEK (about $8500) for her part in the wrongdoing. So someone got a slap on the wrist, as this was about half a month's salary for her.

    $204,000/year. Not too bad for someone who didn't understand how to secure some of the most important data Sweden has.

    • (Score: 0) by Anonymous Coward on Sunday July 23 2017, @06:22PM

      by Anonymous Coward on Sunday July 23 2017, @06:22PM (#543421)

      $204,000/year. Not too bad for someone who didn't understand how to secure some of the most important data Sweden has.

      I can think of a few clueless people whose salaries Trump that figure...

  • (Score: 3, Interesting) by Tangaroa on Sunday July 23 2017, @04:11PM

    by Tangaroa (682) on Sunday July 23 2017, @04:11PM (#543387) Homepage
    The USA outsourced management of the OPM database to China. [businessinsider.com] That's the database that includes the deep background checks [dreamwidth.org] (read: blackmail material) of all federal agents.