Sunday, July 28, 2019

Why the NSA Should Delete Its Data on Americans - The Atlantic

Can I get a copy first please?



The NSA Should Delete Its Trove of Data on Americans

It cannot reliably protect even its most closely guarded secrets from adversaries. There is no reason to trust it to store years of details about private citizens' communications, too.

The NSA data center in Bluffdale, Utah (George Frey / Reuters)

Fifteen months ago, a group called the Shadow Brokers began to taunt the National Security Agency with proof of an extraordinary breach: By unknown means, operatives had infiltrated its operations and stolen its most potent cyber weapons. Developed by the U.S. government to penetrate or attack adversaries, those weapons were then used to attack millions of innocents worldwide.

Future attacks are "all but certain," The New York Times reported while revisiting the matter over the weekend, yet the NSA still doesn't know exactly what was taken, or whether its defenses were breached by an outside hacker or an insider.

Some fear a mole remains inside the intelligence agency even today.

"The leaks have renewed a debate over whether the NSA should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying rather than immediately alert software makers so the holes can be plugged," the Times wrote. "The agency claims it has shared with the industry more than 90 [percent] of flaws it has found, reserving only the most valuable for its own hackers. But if it can't keep those from leaking, as the last year has demonstrated, the damage to businesses and ordinary computer users can be colossal."

* * *

Software vulnerabilities aren't the only thing that the NSA stockpiles. Four years ago, the American public learned that the agency hoovers up metadata pertaining to the private communications of most every adult in this country.

After the Edward Snowden leaks, the Obama administration insisted that the costs of collecting and storing metadata on phone calls, texts, and emails were outweighed by the benefits. Sure, the trove that the government was amassing indicated countless sensitive calls, like those to abortion clinics, suicide hotlines, and oncologists; and it could expose a person's entire web of acquaintances.

But procedural safeguards would prevent violations of privacy, NSA defenders insisted. NSA analysts wouldn't enjoy unfettered access to the entire haul. Rather, they would be permitted to submit discrete queries, like a phone number found in a terrorist safe house. And if their database in fact contained information on that target, they'd still be limited by a constraint that they could only look at other phone numbers within two or three "hops" of the target.

NSA critics challenged the accuracy and adequacy of the safeguards, as well as the government's underlying presumption: that an American's privacy wasn't in fact impinged upon if the government merely gathered and stored information about their communications, so long as no one subsequently looked at it.

A different concern was scarcely broached: What if the U.S. government never itself abused the system it built, but failed to safeguard its contents?

The likelihood of the trove's eventual theft strikes me as significant (and that is assuming that a foreign government or group of hackers hasn't already gotten any of it). The NSA failed to stop Snowden from taking some of its most closely held secrets. It failed to stop the Shadow Brokers from taking some of its most closely held cyber weapons and deploying them against innocents, including Americans. Why expect it to successfully safeguard its most closely held trove of metadata?

Per the Times, "NSA employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library's worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets."

According to the report, after the NSA's stockpile of offensive weapons leaked, the consequences included the following:

Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain, and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil, and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide. American officials had to explain to close allies—and to business leaders in the United States—how cyber weapons developed at Fort Meade in Maryland came to be used against them.

Now consider the potential costs and consequences if the NSA's stockpile of metadata on American citizens were to be breached by hackers or stolen by an insider, and then come under the control of Russia or China or North Korea or terrorists.

Chaos-loving Russian trolls could take to Facebook, Twitter, and Reddit to post phone numbers of millions who called abortion clinics, addiction and suicide hotlines, and tip lines to anonymously report crime to the FBI or local cops. China's government could map the business networks of American corporations expected to be in high-stakes economic competition with Chinese firms. I'll refrain from giving terrorists specific ideas about how they might exploit such information, but I can think of several frightening ways off the top of my head.

To collect and store all this information about U.S. citizens in one place would create a vulnerability even if it was protected by bureaucrats with a good record of data security.

To keep it in the hands of the NSA, given its track record, is folly. All data the NSA retains on Americans should be erased now before it falls into the wrong hands. And Congress should pass data-retention laws that force categories of private corporations, which are often even less capable of safeguarding the data that they amass, to purge whole categories of sensitive information at regular intervals. How many breaches must we witness to give up on securing and start deleting?







Friday, July 12, 2019

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years — Krebs on Security


Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

"The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds" of affected users, the source said. "Right now they're working on an effort to reduce that number even more by only counting things we have currently in our data warehouse."

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn't ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

"We've not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data," Renfro said. "In this situation what we've found is these passwords were inadvertently logged but that there was no actual risk that's come from this. We want to make sure we're reserving those steps and only force a password change in cases where there's definitely been signs of abuse."

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both GitHub and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

"This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening," Renfro said. "We have a bunch of controls in place to try to mitigate these problems, and we're in the process of investigating long-term infrastructure changes to prevent this going forward. We're now reviewing any logs we have to see if there has been abuse or other access to that data."

Facebook's password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world's largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network's different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.


This entry was posted on Thursday, March 21st, 2019 at 11:17 am and is filed under A Little Sunshine, The Coming Storm.



Elyssa D. Durant
Policy & Research Analyst