We don’t hear anymore from the “old school” types of data breaches: lost or stolen laptops, computers that were stolen during a break-in, USB flashdrives that disappeared, etc. The last memorable case – now two years ago – involved a doctor who was tied to a tree by a couple of thugs and ordered to spit out the password to his encrypted laptop. Nowadays, data security revolves around the web: the Dark Net, zero-day exploits on computers and smartphones, the flimsy security of Internet of Things, flaws in the basic infrastructure of the net, etc.
Well, if you had a hankering for some old-timey data breach stories, wait no longer. Regarding last week’s news of NSA hacking tools going on the auction block of some remote, dark corner of the web (businessinsider.com, my emphasis):
Aitel doesn’t think that the NSA was actually hacked, though he does think that the files look legitimate. Instead, he told us, the much more likely scenario is that an insider walked out of a secure area with this data on a USB key, which could have been sold or stolen.
“No one puts their exploits on a [command-and-control] server,” Aitel said. “That’s not a thing.”
That assessment was echoed by another former NSA employee who worked in Tailored Access Operations, the government’s top hacking unit.
“Knowing how the NSA setup is, it’s so unlikely that someone would hack it,” the source told Business Insider on condition of anonymity. “It’s just ridiculous. That’s not to say they are so perfect, or so impenetrable. … The fact that this is consolidated around one specific toolkit, I would totally agree with Dave that someone just left with an infrastructure ops disk.”
The NSA may employ some of the brightest minds the US has to offer but, alas, they are only too human. It goes without saying that using encryption on that USB drive would have stopped this particular data breach from happening.
Or would it have? I cannot help but keep re-reading the “insider’s” comment that it “could have been sold or stolen.” The implication being that, despite what happened in 2013, security controls in place at the NSA are not up to snuff to prevent data smuggling (assuming the hacking tools were taken before then).
Which is understandable when you consider all the different ways that data can be pilfered by the brightest minds a country has to offer. The good news for ordinary companies, though, is that information copied to USB disks can be easily secured with the right mix of security policies and software. For example, automatic USB disk encryption is a real thing, and will ensure that devices can only be read by computers that have the correct software, which in turn is unavailable without an administrator’s consent – no matter how hard you search the internet.
Related Articles and Sites: