Counterintelligence works only when you identify the threat
The US election cycle has been quite heavily dominated by cyber security issues. A number of cyber security experts have even stepped forward to offer their solutions for how to keep safe. Every one of their proposals has problems, and fundamentally they all stem from not understanding the actual threat.
Achieving security is possible using counterintelligence principles, but it requires knowing what you want to protect, who you want to protect it from, and then implementing that plan. I expect this post to be deeply unpopular with everyone, but I’ll explain my position anyway.
Establishing The Scene
In early 2016 the Russian Military Intelligence service, the GRU, hacked a number of US Democrat institutions and individuals using cyber intelligence collection techniques. They then used the “take” to create curated datasets that were disseminated to the public using a number of cut outs and attribution fronts:
- WikiLeaks – cut out
- DCLeaks – front
- Guccifer 2.0 – attribution front
This data dumping technique used to be called “mail spool drops” back in the days of hacker wars, but it is now part of strategic cyber war and modernized information operations.
A subset of the intelligence cycle codified by the CIA is presented below, as applied to these events:
- Collection – cyber breaches
- Analysis – both by the Russian services, the media, and the public
- Dissemination – using various channels (fronts, cut outs, etc.)
This will be on the quiz later, so don’t forget…
If you want to hear a cyber security expert laugh, ask them how to avoid breaches from a determined, well-funded, persistent attacker. If they don’t laugh, they’re probably not an expert.
A number of people have provided good advice on how to avoid being phished for Gmail login credentials. This is because a number of victims of the breaches were hit using phishing attacks. This advice is definitely good – use 2FA, strong passwords, read URLs, don’t get phished!
But this advice would not enable civilians, many of them volunteers, to defend themselves against Russian military intelligence. It’s like advice on how to avoid being mauled by a tiger: there is no “train hard and learn tiger self defence.” Similarly, there is no way to avoid a breach by a persistent, determined, well-funded attacker.
Do: enable anti-phishing protections; they help against a lot of threats.
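The “read URLs” advice above can be turned into a mechanical check. The following is an added example, not code from the original post: a small triage function that flags the indicators a phishing login link typically carries (credentials before the host, raw IP hosts, punycode labels, a brand name buried in some other registrable domain). The allowlist of legitimate Gmail login hosts and the sample URLs are constructed assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the hosts a legitimate Gmail sign-in page may live on.
LEGIT_HOSTS = {"accounts.google.com", "mail.google.com"}
BRAND = "google"


def phishing_indicators(url):
    """Return a list of reasons a login URL looks suspicious (empty list = nothing flagged).

    The checks mirror what a careful human does when 'reading the URL':
    look at the scheme, look for an @ that hides the real host, check whether the
    host is an IP or a punycode (homograph) label, and confirm the registrable
    domain is really the brand's, not merely a subdomain label that mentions it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")

    # 'https://accounts.google.com@evil.example/' -> hostname is evil.example;
    # everything before the @ is userinfo, not the destination.
    if parts.username is not None:
        reasons.append("userinfo before host: text before @ is not the destination")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homograph)")

    if host not in LEGIT_HOSTS:
        if BRAND in host:
            reasons.append("brand name inside a non-%s registrable domain: %s" % (BRAND, host))
        else:
            reasons.append("host not in allowlist: " + (host or "<empty>"))

    return reasons


# Constructed sample links of the kind seen in credential-phishing mail.
SAMPLE_URLS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://accounts.google.com@evil.example/login",
    "http://192.168.0.10/gmail/",
    "https://accounts.google.com.login-verify.example/",
    "https://xn--ggle-0nda.com/accounts",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        flags = phishing_indicators(u)
        print(("OK   " if not flags else "FLAG ") + u)
        for f in flags:
            print("      - " + f)
```

The function is deliberately conservative: anything not on the allowlist is flagged, so it is a triage aid for a mail gateway or a browser extension rather than a verdict. It says nothing about page content, which is where 2FA and phishing-resistant credentials do the real work.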
Encryption Cyber Security Fairy Dust
Some people have come forward to suggest that the problem is that the emails were in plaintext and that simply using PGP (lol!) would be the solution. End to end encryption provides a secure channel for sending data, but the end points still have plain text (that is literally what end to end encryption means). PGP is a particularly terrible solution for protecting mail spools because it lacks PFS (perfect forward secrecy), a property of an encryption protocol that mitigates the damage of a compromised key. If the GRU could compromise an email account, they could compromise an end point and steal the PGP keys.
Encrypted emails, particularly with PGP (horrible UX, fragile security model), would not stop the collection of data by Russian military intelligence.
Do: encrypt your emails with PGP. There are a few guides which provide good instructions on setting up and using PGP correctly. Also, consider using a PGP hardware key (YubiKey, or PGP smart card) to mitigate the impact of a breach.
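To make the PFS point concrete, here is an added example (not code from the original post, and not a model of PGP’s actual packet format) contrasting two toy schemes: messages encrypted to a recipient’s long-term key, as PGP does, versus messages keyed by one-time ephemeral exchange where the private halves are discarded after use. It then simulates the compromise the post describes: the attacker obtains the stored ciphertexts and the endpoint’s long-term secrets after the fact. The group parameters, the HMAC-based stream cipher and the sample message are constructed for illustration only and are not production cryptography.

```python
"""Toy demonstration of (lack of) forward secrecy. Constructed example; the DH group
and the keystream cipher exist only so the arithmetic runs offline with the stdlib."""
import hashlib
import hmac
import secrets

# Constructed toy group: Mersenne prime 2^521 - 1, generator 2. A real system uses
# X25519 or an RFC 3526 group through a vetted library; this is for illustration.
P = (1 << 521) - 1
G = 2


def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbits(512) | 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret, context):
    """Hash the DH output into a 32-byte message key (toy KDF)."""
    return hashlib.sha256(context + shared_secret.to_bytes(66, "big")).digest()


def stream_xor(key, data):
    """Encrypt/decrypt with an HMAC-SHA256 counter keystream (toy, unauthenticated)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


# --- Scheme 1: PGP-style, everything is encrypted to one LONG-TERM recipient key ---

def pgp_style_encrypt(recipient_pub, plaintext):
    """Sender uses a fresh ephemeral value, but the recipient half is its long-term key.
    The ephemeral public value is stored beside the ciphertext in the mail spool."""
    e_priv, e_pub = keypair()
    key = derive_key(pow(recipient_pub, e_priv, P), b"pgp-style")
    return e_pub, stream_xor(key, plaintext)


def pgp_style_decrypt(recipient_priv, message):
    e_pub, ciphertext = message
    key = derive_key(pow(e_pub, recipient_priv, P), b"pgp-style")
    return stream_xor(key, ciphertext)


# --- Scheme 2: one-time keys on both sides, private halves deleted after use ---

class PfsReceiver:
    """Offers a one-time public key per message and destroys the private half on use."""

    def __init__(self):
        self._pending = {}  # one-time pub -> one-time priv, removed when consumed

    def offer_key(self):
        priv, pub = keypair()
        self._pending[pub] = priv
        return pub

    def decrypt(self, message):
        sender_e_pub, receiver_e_pub, ciphertext = message
        priv = self._pending.pop(receiver_e_pub)  # KeyError if already consumed
        key = derive_key(pow(sender_e_pub, priv, P), b"pfs")
        return stream_xor(key, ciphertext)


def pfs_encrypt(receiver_one_time_pub, plaintext):
    e_priv, e_pub = keypair()
    key = derive_key(pow(receiver_one_time_pub, e_priv, P), b"pfs")
    del e_priv  # the sender discards its ephemeral secret too
    return e_pub, receiver_one_time_pub, stream_xor(key, plaintext)


# --- The compromise: archive plus endpoint secrets are seized AFTER the mail was read ---

def attacker_reads_pgp_archive(stolen_long_term_priv, archive):
    return [pgp_style_decrypt(stolen_long_term_priv, m) for m in archive]


def attacker_reads_pfs_archive(seized_receiver, archive):
    recovered = []
    for m in archive:
        try:
            recovered.append(seized_receiver.decrypt(m))
        except KeyError:  # one-time private key was destroyed on first use
            recovered.append(None)
    return recovered


def demo():
    """Return which archives the after-the-fact key theft exposes."""
    plaintext = b"constructed sample: internal campaign memo"
    lt_priv, lt_pub = keypair()
    pgp_archive = [pgp_style_encrypt(lt_pub, plaintext)]
    assert pgp_style_decrypt(lt_priv, pgp_archive[0]) == plaintext  # normal reading works
    receiver = PfsReceiver()
    pfs_archive = [pfs_encrypt(receiver.offer_key(), plaintext)]
    assert receiver.decrypt(pfs_archive[0]) == plaintext  # normal reading works
    return {
        "pgp_style_archive_exposed": attacker_reads_pgp_archive(lt_priv, pgp_archive) == [plaintext],
        "pfs_archive_exposed": attacker_reads_pfs_archive(receiver, pfs_archive) == [plaintext],
    }


if __name__ == "__main__":
    print(demo())
```

The model only covers the keys. It does not change the post’s other point: the decrypted plaintext that the user already read is still sitting on the endpoint, so PFS limits what a stolen key reveals from the encrypted archive, not what a compromised machine reveals from its own disk.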
The GRU was recently discovered using multiple 0day exploits against a number of targets. Some people may think that the solution is to ban 0day (non-technologists), or implement cyber insurance (vendors), or provide better end point protections (vendors). Nothing here is really going to help. If the end point protection systems worked, they would solve cyber security. Everyone pushing these solutions is selling something. Some of it is actually useful, most of it is junk.
Just remember that compromising the end points of a civilian computer network is basically what every penetration testing company does on a daily basis. There is no salvation against exploits and compromised end points, only mitigations.
Do: harden the systems you use, apply patches in a timely fashion, minimize your exposure to high risk situations, install and use robust end point protection software. Make the bastards work for it!
Mobile Messaging Magic
People have suggested switching from email to more secure mobile messaging platforms. This is certainly a good idea wherever feasible, since using a hardened mobile device (e.g. an iPhone) with strong end to end encryption (e.g. Signal messenger) is about as secure, and usable, a system as civilians can get.
This is great advice, except that it is actually possible for Russian military intelligence to compromise a mobile device. They are at least as capable as the UAE, and it would be surprising if an iPhone could stymie the GRU. Remember, this is a problem that is tractable with money. Throwing a million dollars or so at an iPhone will produce a functioning exploit that can be used to compromise the end points of that secure messenger.
Signal is a good secure messenger for its end to end protocol (WhatsApp and Facebook Messenger are more usable though), but it is a terrible private messenger. There’s a difference, and it’s important; I’ll tell you why later.
Do: use mobile phones and encrypted messengers whenever possible instead of email. They are much better solutions in almost every situation.
Buy an iOS phone, use Signal, check key fingerprints religiously. There: I've pretty much put myself out of a job. pic.twitter.com/348W6PdFtu
— Matthew Green (@matthew_d_green) November 8, 2016
Can’t Avoid Collection
There is no feasible way for civilians to avoid collection by the GRU. Definitely go out of your way to make them work for their money, but they are not going to be stopped by 2FA, PGP, iPhones, Signal or vendor solutions. Do all those things to stop threat actors who aren’t Russian military intelligence, but realize that the threat model for this collection is literally James Mickens’ famous attacker model.