Russian Spy Ring Needed Some Serious IT Help

coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."

Encryption

[Pharmboy]

They encrypted everything using ROT13, TWICE! How much better security can you get?

Passwords

[birukun]

Nothing wrong with writing down your long complex passwords..... UNLESS YOU LEAVE IT LAYING AROUND

The complaint read like a spy novel.... A ready-made Bourne script!

Re:Passwords

[timeOday]

They left it lying around... their home. The reason it was compromised was because (apparently) the FBI had a warrant to go in their home, meaning they were already under suspicion because of something else they had done.

Here is my point: if you do something that causes the FBI to monitor your every move and scour your home for clues for over 10 years, it is going to be very hard to keep many secrets, regardless of how you configure your WiFi or whether you try to memorize random 27 character passwords.

Well this just proves

[al0ha]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Re:Well this just proves

[flajann]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung it up in the very conference room, he hung the thing up on the wall.

Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.

They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How it was activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such-- just a tube with the diaphragm attached at the end.

The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.

Re:Well this just proves

That seal is hanging at the NSA museum. If you go there, you can open it up and see the microphone. Pretty neat.

http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml

look for "great seal"

Re:Well this just proves

[Darth+Cider]

That listening device hidden in the great seal was invented by Leon Theremin, the same guy who invented the theremin musical instrument.

Re:Spying? There's no App for that?!

[Mitchell314]

Yes. iSpy: with my little i. (Wonder if applescript would actually accept it).

Use passphrases

[hkz]

Passwords are the wrong solution. Trying to make people remember a short string with high entropy is hard, so people write them down. The other way around is much better - long passphrases with less of the tedious entropy. Quotations, lyrics, names, whatever. They're much easier to remember and much harder to brute-force. Sprinkle in some punctuation and you're golden.

they're not spies, they're defectors

[circletimessquare]

they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

Re:they're not spies, they're defectors

[Jah-Wren+Ryel]

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

I thought that was pretty obvious.
The very first article I read about the bust contained this suppossedly intercepted message:

"You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.

It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.

Re:Slower than a onetime pad

[MichaelSmith]

Makes me think that Russia had already abandoned these people. They knew the FBI were on to them and cut down on support to limit damage to other parts of their network.

Re:I find this entire story to be a load of shit

[schwaang]

Unlike typical spies with foreign diplomatic cover, these alleged "illegals" cannot just be summarily expelled back to their home countries. Any act against them requires due process, the first step of which is pressing charges.

The lack of diplomatic cover also means they are not protected from any charges that may stick. Spying without diplomatic cover is a very risky game. It makes this case all the more interesting.

The key question: did they run Linux?

[porky_pig_jr]

And if so, is that good or bad?

Re:I find this entire story to be a load of shit

[JWSmythe]

The United States gets very offended by espionage activity, because we would never do it to anyone else. They promise. Not a single satellite. No high altitude spy planes. No high altitude long range supersonic spy planes (we retired all of these, we promise). No remote control spy planes. No flock of agencies with covert operations world wide. Nope, not the US. Keep your spies out of our country, we don't do it to you.

    Excuse me, there are a couple nice men in black suits knocking at my door that just want to ask me a few questions.

If spies can't even get it right

I have little to no hope that the corporate world ever will.

I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.

Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.

And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.

In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.

Sorry to post anonymously (it's the first time I have!), but other folks in my department read ./ and I can't really expose my name / UID in this particular case.

Re:Thats the least of their problems.

[Stupendoussteve]

"Your password has expired"

"Your password is too similar to your last password"

"Your password much be entirely different than the previous 50 passwords"

Re:Thats the least of their problems.

[interkin3tic]

That is indeed the least of their problems. I've heard their computers were themselves full of

(puts on sunglasses)

spyware.

Re:Thats the least of their problems.

[Mashiki]

You laugh and mock, but the last head of IT we had, had us on 14 day rotating passwords. After 2 months he got canned.

they did it on british soil

[circletimessquare]

http://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko

if they have no problem doing it on british soil, what would stop them from doing it on american soil?