A desktop computer and hard drive stolen from the University of Washington Center for Human Rights stored sensitive details of human rights violations in El Salvador and a lawsuit against the Central Intelligence Agency:
Sometime between October 15-18, the office of Dr. Angelina Godoy, Director of the University of Washington Center for Human Rights, was broken into by unknown parties. Her desktop computer was stolen, as well as a hard drive containing about 90% of the information relating to our research in El Salvador. While we have backups of this information, what worries us most is not what we have lost but what someone else may have gained: the files include sensitive details of personal testimonies and pending investigations.
This could, of course, be an act of common crime. But we are concerned because it is also possible this was an act of retaliation for our work. There are a few elements that make this an unusual incident. First, there was no sign of forcible entry; the office was searched but its contents were treated carefully and the door was locked upon exit, characteristics which do not fit the pattern of opportunistic campus theft. Prof. Godoy's office was the only one targeted, although it is located midway down a hallway of offices, all containing computers. The hard drive has no real resale value, so there seems no reason to take it unless the intention was to extract information. Lastly, the timing of this incident—in the wake of the recent publicity around our freedom of information lawsuit against the CIA regarding information on a suspected perpetrator of grave human rights violations in El Salvador—invites doubt as to potential motives.
We have contacted colleagues in El Salvador, many of whom have emphasized parallels between this incident and attacks Salvadoran human rights organizations have experienced in recent years. While we cannot rule out the possibility of this having been an incident of common crime, we are deeply concerned that this breach of information security may increase the vulnerability of Salvadoran human rights defenders with whom we work.
(Score: 1, Insightful) by Anonymous Coward on Friday October 23 2015, @09:53AM
It's 2015. Encryption and Encrypted backups. That's why we have it - to protect the innocent. This was reckless and stupid ...
(Score: 5, Informative) by NCommander on Friday October 23 2015, @10:11AM
If they used Windows (and I'm going to assume they do), you can't start BitLocker via Active Directory, and it either has to use Windows 7 Enterprise/Ultimate or Windows 8+ Pro (some organizations don't bother with volume licensing and simply use what came on the machine), it has to be manually enabled at each machine and requires a TPM module which only some desktops have, *and* requires a trip to the BIOS/UEFI configuration screen to enable. You can kludge around it using scheduled tasks, but it's very non-trivial and can go horribly wrong. Furthermore, Windows uses a computer's TPM to store information, and while TPMs are tamper resistant, if the theft was carried out by a nation state, there is likely a good chance they could recover the key stored in the TPM. This is also presuming that there is no type of backdoor or zero-day side-channel attack in Windows' BitLocker or in the TPM modules themselves. For other full disk encryption products for Windows, I've never heard of a good deployment story for them.
Full disk encryption helps for non-targeted attacks, but is of limited use for a targeted attack. Windows doesn't warn if Secure Boot has been disabled (at least as of 8.1, the story may be different on 10), and without Secure Boot, you can simply patch the bootloader binaries to store and record the password. If you want an attack harder to detect, and have the resources, a nation state could easily gain physical access to a machine and install a backdoor into the System Management Mode firmware via an EEPROM reader (an attack of this type was demonstrated at DEFCON). Then just record the first 100+ keystrokes of a machine coming out of reset to onboard flash storage. Boom, password. And that's just off the top of my head; you could easily install a device to interface between the KB and the computer and log keystrokes via hardware; almost undetectable.
Encryption helps, but it sure as hell isn't a magic bullet. Failing all of the above, one zero-day that allows remote execution, and a custom rootkit that AV software won't detect, and you're in business.
Still always moving
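The deployment preconditions NCommander lists (a TPM that is actually usable, Secure Boot left on, BitLocker really enabled on the OS volume) are exactly what a defender would want to verify on the machines they are responsible for. The PowerShell below is an added example for this thread, not code posted by anyone here and not Microsoft's own tooling; it assumes an elevated session on Windows 8 or later with the BitLocker and TrustedPlatformModule modules available, and the function name Get-DiskEncryptionPosture is my own.

```powershell
# Added example (not from the thread): read-only posture check for the
# preconditions discussed above -- TPM present and ready, Secure Boot on,
# BitLocker fully enabled, and the OS volume not unlocking with TPM alone.
# Requires an elevated PowerShell on Windows 8+/10 with the BitLocker and
# TrustedPlatformModule modules.
#Requires -RunAsAdministrator

function Get-DiskEncryptionPosture {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM present and ready? Without it BitLocker needs a USB startup key
    #    or a pre-boot password instead, and Get-Tpm returns nothing useful.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) {
        $findings.Add('No TPM detected: BitLocker would need a USB startup key or pre-boot password.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (typically still disabled in UEFI/BIOS setup).')
    }

    # 2. Secure Boot on? Off means a modified boot binary is not refused by firmware.
    #    Confirm-SecureBootUEFI throws on legacy-BIOS (CSM) systems, hence the catch.
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            $findings.Add('Secure Boot is disabled: the firmware will not reject altered boot binaries.')
        }
    } catch {
        $findings.Add('Secure Boot unsupported (legacy BIOS boot): no firmware check of the boot chain.')
    }

    # 3. Every BitLocker-capable volume fully encrypted, and the OS volume
    #    protected by more than the TPM alone (TPM+PIN adds a pre-boot factor).
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add(("Volume {0} ({1}) is {2}." -f $vol.MountPoint, $vol.VolumeType, $vol.VolumeStatus))
        }
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')) {
            $findings.Add(("OS volume {0} unlocks with TPM only (no PIN): the key is released at boot without user input." -f $vol.MountPoint))
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Get-DiskEncryptionPosture | Format-List
```

Run it on one machine and the Findings list tells you which of the thread's preconditions is missing; an empty list means encrypted volumes, a ready TPM, Secure Boot enabled and a PIN in front of the OS volume, which covers the "patched bootloader" and "TPM releases the key at boot" points without saying anything about the firmware-level attacks, which this script cannot see.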
(Score: 2) by Alfred on Friday October 23 2015, @01:28PM
</sarcasm>
otherwise I totally agree. I read about a guy who was hacking his own hard drive and found that there were three different ARM processors on the board. In my unsubstantiated opinion, the chances that at least one has compromised firmware from the factory are high. Not to mention the possibility of backdoors that could be built into the silicon. There is no trust in computing.
/foil_hat
(Score: 4, Interesting) by Hyperturtle on Friday October 23 2015, @04:54PM
Wasn't Germany looking to avoid the use of TPM chips due to the inherent lack of security they have? The users cannot control who has the keys to it.
Windows 10 even copies related keys for BitLocker to their servers by default. When I have reluctantly* used BitLocker due to employer requirements, I have always saved that key to several local physical items. USB connected storage, for example. Then a copy goes to whoever at the employer that demands it.
*Note that this is not me doing this to my own hardware as a consultant at a place I am doing a project for; it is on hardware they issued to me. Reluctance can be due to TPM itself, due to having a 5600rpm laptop hard drive with an i7 processor in the laptop and the system is at 100% disk activity once the queue depth reaches about 2.0, or that the BitLocker approach is simply a "we read a white paper and the security team says this is how to secure everything" and then no further efforts are made to prevent remote access into a decrypted drive, etc.
In any event, there are few low hanging fruits to protect against state sponsored activities such as this. True security has true costs associated with it -- time, convenience, financial, and people. Often, the biggest enemy one can have is one's own behaviors.
Encryption is no magic bullet for security, just as RAID is no backup for data. Both are tools to achieve a goal but are not the tools to achieve the broad goal of data security. However, if they used something else, in addition to or instead of (discussion of which would be out of scope of this reply), it's possible it could slow down or stop the information gained from the disk drive.
The real problem here is not the loss of data. Assume it can be obtained if the powers that be would like to have it. It is that an unknown party will be able to know what they know, their past plans, their current plans, their proposed actions, and everything documented on that drive that helps influence their decisions.
It would have who their contacts are, where they live, phone numbers, email addresses, etc.
If the drive is readable, that data is now all available for use.
You can consider it to be piracy, if you want to look at it that way. Nothing was stolen as they still have their data. But the damages are beyond financial in this case, due to the loss of the information security they previously had. It would have been more favorable for them in some regards to have lost their only copy and not had a backup. At least, then, there would be no chance for their enemies or adversaries to gain insight from it.
A total loss may very well have been highly preferable.
If this was a state sanctioned activity, then next time I'd expect that someone would make (or replace) the drive with a forensic image, depending on the time available and if it was encrypted. If they are going to steal it and not draw speculation like this to themselves, then the laptop will smoke next time and the data on that drive will have already been made unrecoverable. Maybe just enough would work to boot into Windows, bluescreen, then self-destruct. It takes effort to pull off because a great number of details must be considered -- serial number, disk model, positioning of everything in the room, and careful check to make sure someone didn't leave dust out to get fingerprints to see if anyone was tampering with things. Someone with what appears to be a very messy office or room might have a very secure room by design. It could be that coffee cup never moves because it's on top of something that no one is supposed to be touching. If you make it easy, expect them to take it easily.
I mean, it's not like we haven't read articles on USB stick laptop fryers or self-destruct modules or devices that melt away at specific heat levels. Introduce something like that, or just a drive rigged to fail...
Warranty repair, quite depending on vendor and country this happens, will find nothing wrong considering they likely already honor government requests. It will take longer than usual to get the answer that it can't be fixed, would you like a new one... in fact, Mr. Person of Interest, why not a whole new high-end laptop with the latest OS? For being such a good customer...
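Hyperturtle's practice of keeping the BitLocker recovery key on removable media you physically hold, rather than only wherever the OS or the employer escrows it, can be scripted and audited. The PowerShell below is an added example, not code from the thread or from Microsoft; Export-BitLockerRecoveryKeys and the destination path are assumed names, and it needs an elevated session on Windows 8 or later with the BitLocker module.

```powershell
# Added example (not from the thread): inventory the key protectors on every
# BitLocker volume and write each recovery password to an offline location the
# owner controls (a removable drive letter passed by the caller). Also reports
# volumes that have no RecoveryPassword protector at all, which cannot be
# recovered if the TPM is cleared, the board is swapped or the PIN is forgotten.
#Requires -RunAsAdministrator

function Export-BitLockerRecoveryKeys {
    [CmdletBinding()]
    param(
        # Assumed destination: a removable drive you physically hold, e.g. 'E:\bitlocker-keys'
        [Parameter(Mandatory)] [string] $Destination
    )

    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    $report = foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        foreach ($kp in $recovery) {
            # One file per protector. The protector ID (GUID) is what the pre-boot
            # recovery screen displays, so the user can match screen to file.
            $file = Join-Path $Destination ("{0}_{1}_{2}.txt" -f $env:COMPUTERNAME,
                        $vol.MountPoint.TrimEnd(':\'), $kp.KeyProtectorId.Trim('{}'))
            @(
                "Computer:      $env:COMPUTERNAME"
                "Volume:        $($vol.MountPoint)"
                "Protector ID:  $($kp.KeyProtectorId)"
                "Recovery key:  $($kp.RecoveryPassword)"
            ) | Set-Content -LiteralPath $file -Encoding ASCII
            Set-ItemProperty -LiteralPath $file -Name IsReadOnly -Value $true
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectorTypes    = ($types -join ', ')
            RecoveryKeysSaved = $recovery.Count
            HasRecoveryKey    = ($recovery.Count -gt 0)
        }
    }
    $report
}

# Usage (constructed path; point it at the removable drive you hold):
Export-BitLockerRecoveryKeys -Destination 'E:\bitlocker-keys' | Format-Table -AutoSize
```

The exported file contains the same 48-digit secret the recovery screen asks for, so the drive it lands on has to be treated like the unencrypted data itself: kept offline and away from the laptop, not left in the same bag. The ProtectorTypes column also makes the escrow question visible: a volume whose only protector is the TPM has no recovery path that the owner holds at all.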
(Score: 1, Insightful) by Anonymous Coward on Friday October 23 2015, @10:56AM
Then we'd be reading news titled "University of Washington Hardware Stolen & Staff Member Missing"...
Good ol' rubber-hose cryptanalysis. Look, it's not torture when we do it!
(Score: 2) by arulatas on Friday October 23 2015, @04:22PM
We would let you know but National Security....
----- 10 turns around
(Score: 0) by Anonymous Coward on Friday October 23 2015, @01:50PM
Encryption doesn't help if the goal is to deprive you from information. Now you have a case with evidence, now you don't...
(Score: 1) by khallow on Friday October 23 2015, @04:10PM
(Score: 2) by wonkey_monkey on Friday October 23 2015, @11:50AM
University of Washington Stolen Hardware Had Details of CIA Lawsuit
Nothing in the article states this to be the case.
systemd is Roko's Basilisk
(Score: 1, Informative) by Anonymous Coward on Friday October 23 2015, @12:34PM
Please attain literacy! I know it's uncool to RTFA but it's right there:
Computer hardware holding sensitive information being used in a lawsuit against the CIA has been stolen, according to the University of Washington’s Center for Human Rights.
Very first paragraph of http://kuow.org/post/computer-drives-info-cia-lawsuit-stolen-uw [kuow.org]
(Score: 2) by deathlyslow on Friday October 23 2015, @02:38PM
It's in the second paragraph of the first linked article as well.
(Score: 2) by wonkey_monkey on Friday October 23 2015, @03:21PM
It's not. That paragraph makes mention of suspicious timing in light of the lawsuit, but doesn't say the hard drive contained information on the lawsuit itself.
Only the KUOW goes as far as to state that.
systemd is Roko's Basilisk
(Score: 2) by frojack on Friday October 23 2015, @07:34PM
Quote from second paragraph of
http://humanrights.washington.edu/uw-center-for-human-rights-reports-theft-of-data-equipment/ [washington.edu]
Lastly, the timing of this incident—in the wake of the recent publicity around our freedom of information lawsuit against the CIA [washington.edu] regarding information on a suspected perpetrator of grave human rights violations in El Salvador—invites doubt as to potential motives.
Why are you having so much trouble reading TFA?
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Friday October 23 2015, @07:38PM
Center officials say they have backup copies of the information on the computer drives, but they're concerned because the drives had about 90 percent of the information being used in the lawsuit, including sensitive details about personal testimonies and pending investigations.
No, you are mistaken. I've always had this sig.
(Score: 2) by wonkey_monkey on Friday October 23 2015, @03:23PM
In my defence I did at least read one of TFAs. And only the KUOW article goes as far as to say that the hard drive contained information on the lawsuit itself.
systemd is Roko's Basilisk
(Score: 2) by wonkey_monkey on Friday October 23 2015, @03:25PM
Meh, okay, it says testimonies and investigations. To say that isn't the lawsuit itself is probably being a bit picky, even for me.
systemd is Roko's Basilisk
(Score: 0) by Anonymous Coward on Friday October 23 2015, @02:33PM
What shocks me much more than lack of encryption is the lack of a BACKUP (preferably an off-site one).
Without a backup, ANYTHING can take out your data. Forget about spies and theft, this was a disaster waiting to happen due to common and mundane causes.
(Score: 2) by deathlyslow on Friday October 23 2015, @02:36PM
While we have backups of this information, what worries us most is not what we have lost but what someone else may have gained: the files include sensitive details of personal testimonies and pending investigations.
It was in the TFS. They do have backups.
(Score: 0) by Anonymous Coward on Friday October 23 2015, @02:37PM
Ignore my post about backups. I reread summary.
(Score: 1) by PocketSizeSUn on Friday October 23 2015, @06:14PM
It is very unlikely to have been a sanctioned activity. The proper method would be to just insert one of many low-level keyloggers and/or rootkits. A theft just puts everyone on guard. More likely someone involved in the case wants to sling some mud at the CIA in some misguided attempt at justice. Another possibility is that some guilty person is hoping to find if they have been found out and/or who they need to keep from talking, as it were.
The CIA probably deserves all the mud you can sling ... just unfortunate that it will probably backfire and damage any legal activity in progress.
(Score: 3, Interesting) by frojack on Friday October 23 2015, @07:57PM
Since the CIA is already aware of the FOIA suit [washington.edu], they would have little reason to steal the computer. They already know exactly what documents are being sought.
information relating to Salvadoran Col. Sigifredo Ochoa Pérez (Ret.) were denied on national security grounds. We are aware of at least 20 CIA documents responsive to our request that have already been declassified. The fact that the CIA has failed to, at minimum, grant us access to those same documents suggests they chose not to take their FOIA obligations seriously.
I would suspect Ochoa or his friends to be the logical suspects here. Some of those friends are/were probably in the US Military.
I wonder if UW knew these documents were already declassified at the time of the request, or if they became declassified later? It matters because FOIA does not contain any requirement to revisit each prior FOIA request upon subsequent declassification actions.
No, you are mistaken. I've always had this sig.