Russian Spy Ring Needed Some Serious IT Help

coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."

Encryption

[Pharmboy]

They encrypted everything using ROT13, TWICE! How much better security can you get?

Re:Encryption

[rubi]

If you manage to replicate the thinking algorithm of only one lawyer, you've just created truly unbreakable one-way obfuscation. Not even the original lawyer understands after his own process.

Writing passwords isn't necessarily bad

[dhavleak]

http://www.schneier.com/blog/archives/2005/06/write_down_your.html
http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html

Of course, the rules are a bit different when you're a spy :)

Passwords

[birukun]

Nothing wrong with writing down your long complex passwords..... UNLESS YOU LEAVE IT LAYING AROUND

The complaint read like a spy novel.... A ready-made Bourne script!

Re:Passwords

[timeOday]

They left it lying around... their home. The reason it was compromised was because (apparently) the FBI had a warrant to go in their home, meaning they were already under suspicion because of something else they had done.

Here is my point: if you do something that causes the FBI to monitor your every move and scour your home for clues for over 10 years, it is going to be very hard to keep many secrets, regardless of how you configure your WiFi or whether you try to memorize random 27 character passwords.

Well this just proves

[al0ha]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Re:Well this just proves

[flajann]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung it up in the very conference room, he hung the thing up on the wall.

Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.

They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How it was activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such-- just a tube with the diaphragm attached at the end.

The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.

Re:Well this just proves

That seal is hanging at the NSA museum. If you go there, you can open it up and see the microphone. Pretty neat.

http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml

look for "great seal"

Re:Well this just proves

[MoellerPlesset2]

You'll never know if you have a real competent spy around.

I know! It's just the same with the half-dozen ninja assassins lurking in my apartment!

But they're there. I can feel it.

Re:Well this just proves

[sznupi]

To be fair, it might have been just as well made by children - at least when it comes to visible parts ;p

Also, the seal device was actually hung on a wall in Soviet Union, by the US ambassador there. The interesting part made by no other but...Theremin.

Re:Well this just proves

[Darth+Cider]

That listening device hidden in the great seal was invented by Leon Theremin, the same guy who invented the theremin musical instrument.

Re:Well this just proves

[sootman]

> The US guys couldn't figure it out, so they consulted British scientists!

Truly dumb. I wouldn't have even needed scientists--I would have started with the question "So, have you gotten any gifts from any Russians recently?"

Re:Spying? There's no App for that?!

[Mitchell314]

Yes. iSpy: with my little i. (Wonder if applescript would actually accept it).

Use passphrases

[hkz]

Passwords are the wrong solution. Trying to make people remember a short string with high entropy is hard, so people write them down. The other way around is much better - long passphrases with less of the tedious entropy. Quotations, lyrics, names, whatever. They're much easier to remember and much harder to brute-force. Sprinkle in some punctuation and you're golden.

Re:Use passphrases

[vonFinkelstien]

I used to use lines form James Joyce's Finnegans Wake. All I had to do was to remember the page # and I could find the quotation.

they were just make it look ...

[jobst]

they were just make it look like you standard network, so they do not arouse suspicion ..... ;-)

Re:I find this entire story to be a load of shit

[Pharmboy]

But what if it is true? Likely, it is, actually. Every country spies on other countries. I don't really see the US getting completely bent out of shape over it, it was a 10 year investigation. What was more important was tracking them and finding out who in the US was helping them. But spies come and go, but spying is a constant.

they're not spies, they're defectors

[circletimessquare]

they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

Re:they're not spies, they're defectors

[Jah-Wren+Ryel]

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

I thought that was pretty obvious.
The very first article I read about the bust contained this suppossedly intercepted message:

"You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.

It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.

Re:Slower than a onetime pad

[MichaelSmith]

Makes me think that Russia had already abandoned these people. They knew the FBI were on to them and cut down on support to limit damage to other parts of their network.

Hey these were language, not IT, experts

[Katchu]

Sounds similar to a lot of corporate America: Using OS that locks up, poor password security, need to send laptops to corporate for assistance, ...

Re:Thats the least of their problems.

[Culture20]

nobody can remember a 26 character password

abcdefghijklmnopqrstuvwxyz. If preschoolers can learn an arbitrary sequence of meaningless symbols totaling 26, then I think it's possible.
Plus, your sentence is longer than 26 characters and so is this one.

Re:I find this entire story to be a load of shit

[schwaang]

Unlike typical spies with foreign diplomatic cover, these alleged "illegals" cannot just be summarily expelled back to their home countries. Any act against them requires due process, the first step of which is pressing charges.

The lack of diplomatic cover also means they are not protected from any charges that may stick. Spying without diplomatic cover is a very risky game. It makes this case all the more interesting.

The key question: did they run Linux?

[porky_pig_jr]

And if so, is that good or bad?

Re:I find this entire story to be a load of shit

[JWSmythe]

The United States gets very offended by espionage activity, because we would never do it to anyone else. They promise. Not a single satellite. No high altitude spy planes. No high altitude long range supersonic spy planes (we retired all of these, we promise). No remote control spy planes. No flock of agencies with covert operations world wide. Nope, not the US. Keep your spies out of our country, we don't do it to you.

    Excuse me, there are a couple nice men in black suits knocking at my door that just want to ask me a few questions.

If spies can't even get it right

I have little to no hope that the corporate world ever will.

I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.

Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.

And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.

In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.

Sorry to post anonymously (it's the first time I have!), but other folks in my department read ./ and I can't really expose my name / UID in this particular case.

Re:If spies can't even get it right

[turbidostato]

"I'm an IT director at a mid-sized company in the US [...] Our CEO [...] He'd ask me to fix a problem with his machine"

You *think* you are an IT director, but you are the mop guy.

At least that's what your CEO thinks, and that's all that counts.

Re:Thats the least of their problems.

[Stupendoussteve]

"Your password has expired"

"Your password is too similar to your last password"

"Your password much be entirely different than the previous 50 passwords"

go low tech

[LostMonk]

Why try to beat US security at their own game? go low tech. it works for el-qaeda. If they used the good old mail services they would have gone unnoticed for another 10 years.

Re: writing passwords on slips of paper

[OnePumpChump]

Unless it's a randomly generated password, omit some letters. You shouldn't need the whole password to remind yourself what it was.

Re:Thats the least of their problems.

[interkin3tic]

That is indeed the least of their problems. I've heard their computers were themselves full of

(puts on sunglasses)

spyware.

Funny

[formfeed]

If they had just called themselves a business intelligence and consulting service for foreign investors, they wouldn't have any problems.

And if you call yourself a lobbyist you can even funnel money from foreign governments into your congressman's pocket.

Re:I find this entire story to be a load of shit

[Kral_Blbec]

Hmmm, you bring up a good point. The Russians should have just hired a bunch of Mexicans. Then, even after we find out they are illegal, we still couldn't touch them!

Re:Thats the least of their problems.

[Mashiki]

You laugh and mock, but the last head of IT we had, had us on 14 day rotating passwords. After 2 months he got canned.

they did it on british soil

[circletimessquare]

http://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko

if they have no problem doing it on british soil, what would stop them from doing it on american soil?

Re:Thats the least of their problems.

[mortonda]

Use a memorable quote, a poem a song lyric, whatever phrase you can remember easily. Use the first letter or two from each word, swapping case and substituting punctuation marks/numbers as needed. Finally, a use for 1337-5p34k!

Example -
Whose woods these are I think I know.
His house is in the village though;

Becomes - wh wo ar th i th i kn ki ho i i th vi th

...and this is why I don't like this technique - you didn't even get it right in your example!

wh wo th ar i th i kn hi ho i i th vi th

Re:Thats the least of their problems.

[gumbi+west]

That would be fine, but then having to learn a new one every 12 weeks because of a password expiration cycle--that's when it gets impossible. You are always recalling fragments of the old password...

Re:Thats the least of their problems.

[PitaBred]

I'm surprised he didn't get assaulted in the parking lot after a month.