MK-Ultra and the Patriot Act: A Privacy Dilemma

MK-ULTRA. It was a “classified covert mind-control and chemical interrogation research program, run by the Office of Scientific Intelligence”. It began in the early 1950s. The Central Intelligence Agency (CIA) insists it has been shut down. But a 14-year veteran of the CIA, Victor Marchetti, has stated in many interviews that the claim is a “cover story.” The program is likely still in operation.

From the CIA’s own website we read that the CIA is “prepared to accomplish what others cannot accomplish and go where others cannot go” and that they are “the Nation’s eyes, ears, and sometimes, its hidden hand”.

Since they are the self-declared extra-legal arm of the US government, and from their history the extra-ethical arm of the country, we may deduce there are many activities conducted by the Agency we simply cannot see. Yet.

In a redacted Memorandum for the Record dated June 9, 1953, Director Gottlieb penned these words about MK-ULTRA: “The estimated budget of the project at XXXXXX is $39,500.00. The XXXXXX will serve as a cut-out and cover for this project and will furnish the above funds to the XXXXX as a philanthropic grant for medical research. A service charge of $790.00 (2% of the estimated budget) is to be paid to the XXXXXX for this service.”

The direct quotations printed above are from the CIA Freedom of Information Act (FOIA) page on their website. Therefore, I’m not making any unsubstantiated claims. I’m just the messenger for their own message. From this point forward I will be making wild unsubstantiated claims and speculate like an unrestrained adolescent.

MK-ULTRA isn’t the only CIA program to use US citizens for experimentation. It’s just the one we used for this article. But since smoke indicates fire, maybe we should feel free to speculate. Which leads me to the technical portion of this article.

Most people treat the details of their personal life on the World Wide Web very carelessly. People who (in person) are very guarded and suspicious disclose the most sensitive information about themselves on Facebook, or in an email. Which, by the way, are both unencrypted and easily accessible by anyone.

Most people use Gmail and Google Docs – the free one. They are under the mistaken impression that since they have it protected with a password, only they have access to it. They forget that Google also has access to it. And through the PATRIOT ACT, so does any arm of the Federal Government, or law enforcement; even without a warrant. The Big Tech companies like Google, Microsoft, Apple et al. provide wonderful free cloud-based services like email, word processor, spreadsheets, etc. We fail to understand the scope of the reach tech companies have into our lives.

You may think, “but I am a law-abiding citizen. I have nothing to worry about.” The truth is, you are only partially correct. In his blog, Moxie Marlinspike, the creator of the encryption tool Signal, said the following: “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed.” Our entire culture has evolved at moments when a critical mass of citizens pushed back against laws we collectively decided were outdated or just plain wrong. That couldn’t have happened in a world where even a whiff of social disobedience is detectable.

This may sound a little like the movie “Minority Report”. If law enforcement could peer into the digital lives of us all, would they possibly use artificial intelligence to prognosticate whether someone was contemplating a crime? Would there be a law to punish such a person? Furthermore, have you ever made a comment that might be construed as terrorist leaning? I bet you have but you didn’t know.

Truth be told, maybe we all have lives that we should have the power to keep private. Even from the CIA.

This article was originally published here.

One Click That Shut Down 15,000 Businesses: the CDK Hack

What started out as a peaceful shift for one of the country’s largest auto dealer Software-as-a-Service vendors turned into a nightmare. By 2:00 AM, the security team determined that they needed to shut down two of their data centers to stop the ransomware from spreading.

The vendor is CDK Global, and they provide software services for over 15,000 car dealerships nationwide. They provide a platform that handles all aspects of an auto dealership’s operation, including customer relationship management, financing, payroll, support and service, inventory, and back-office operations. On June 19th, CDK announced there was a cyber incident they were investigating and that services were not available. They started restoring service later in the day, but then a second cyber incident caused them to take the systems offline again.

What makes the problem more complicated is that their clients are always connected to their network through an “always-on” VPN. This provides a tunnel from the client to the data centers. Normally that would be a good thing, but in this case, the always-on VPN just extended a network that was poisoned by ransomware. They recommended that the clients disconnect so that the hacker could not “pivot” from the CDK network to the client dealership network. What was even more critical was that the CDK software had administrative privilege on the client systems to do software updates. Compromising that software would have given the attackers admin access to the dealerships’ local computers. Thankfully no clients reported any contagion.

This attack caused widespread disruption at car dealerships, which lost the ability to track and order car parts, conduct new sales, and offer financing. Some dealerships shut down completely, while others reverted to the tried-and-true method of pen and paper assisted by spreadsheets. CDK is projecting that all their clients will be fully operational by July 4th. However, the damage has been done. The disruption comes at an estimated cost of $944M to CDK and the dealerships.

The attacker is purported to be a hacking group identified as BlackSuit, which, although it only started a couple of years ago, has been responsible for over 95 breaches across the globe. They are known for using a technique called “double extortion.” During the breach, they upload the victim’s data to their own server before encrypting (locking) the data on the client system. They demand a ransom for the key to unlock the data so the victim can continue operations. Additionally, they threaten to release the data on the dark web if the victim does not pay a second ransom.

This breach may have been avoided if CDK had fully implemented Zero-Trust methods. In a Zero-Trust environment, it is assumed hackers are already on the network, and only trusted applications can run. Application whitelisting would have stopped this attack in its tracks. Whitelisting allows only known, trusted applications to run on the network; any new application, like ransomware, would not be allowed to run.
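To make the whitelisting idea concrete, here is an added illustration (not CDK's tooling, and not any product's policy engine) of a default-deny application allowlist: an executable runs only if the hash of its bytes is on a list of vetted binaries. The binaries, paths and hashes below are constructed sample data. The point it shows beyond the paragraph is that trust attaches to the hash, not the name or location, so a tampered copy sitting at the updater's own path is denied just like a freshly dropped ransomware binary.

```python
"""Default-deny application allowlisting, as an added illustration of the
Zero-Trust control described in the column. Not CDK's tooling; all binaries,
paths and hashes are constructed sample data."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the vetted binaries an administrator would hash
# at deployment time. The allowlist stores hashes, never names or paths.
VETTED_BINARIES = {
    "dms_client.exe": b"constructed dealer management client build 4.2",
    "vendor_updater.exe": b"constructed vendor update agent build 1.9",
}
ALLOWLIST = frozenset(sha256_hex(b) for b in VETTED_BINARIES.values())


@dataclass(frozen=True)
class ExecRequest:
    path: str       # where the file sits on disk (informational only)
    content: bytes  # the bytes the loader is about to execute


def evaluate(req: ExecRequest, allowlist=ALLOWLIST) -> tuple:
    """Return ("allow" | "deny", reason). Anything not on the list is denied,
    whatever its name, location or claimed purpose (default deny)."""
    digest = sha256_hex(req.content)
    if digest in allowlist:
        return "allow", f"{req.path}: hash {digest[:16]}... is allowlisted"
    return "deny", f"{req.path}: hash {digest[:16]}... is not allowlisted"


# Constructed execution requests: the vetted client, the updater tampered
# with in place (same path, different bytes), and an unknown binary dropped
# in a temp folder, the way a ransomware loader typically arrives.
SAMPLE_REQUESTS = [
    ExecRequest(r"C:\Program Files\DMS\dms_client.exe",
                VETTED_BINARIES["dms_client.exe"]),
    ExecRequest(r"C:\Program Files\DMS\vendor_updater.exe",
                VETTED_BINARIES["vendor_updater.exe"] + b" + injected payload"),
    ExecRequest(r"C:\Users\svc\AppData\Local\Temp\update_helper.exe",
                b"constructed unknown binary"),
]


def decisions(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request path to its allow/deny verdict."""
    return {req.path: evaluate(req)[0] for req in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, reason = evaluate(req)
        print(f"{verdict.upper():5} {reason}")
```

In production this logic lives in an OS-level control such as Windows Defender Application Control or AppLocker, which can also trust a signing certificate rather than a per-file hash; a pure hash list like the one above has to be refreshed every time a vetted application is patched, which is the main operational cost of the approach.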

The attack also highlighted the importance of being prepared for anything. All businesses should have a Contingency Operations Plan written and validated prior to any incident or emergency. Those dealerships that had adopted a process for operating without a computer could continue to sell and service vehicles. Those that did not have a plan suffered.

The ray of sunshine in this otherwise dreary incident was that our local dealerships were unaffected by the attack. All the dealerships from Sierra Vista to Tucson escaped this disaster as they do not use the CDK service for their management.  

For CDK, one improper click cost them and their clients a billion dollars. Implementing Zero-Trust concepts and employing continuous cybersecurity training would have been a much more cost-effective solution. The problem is many companies don’t really understand that until it is too late.

The original article was published in the Sierra Vista Herald here.

How Bilbo Baggins Almost Hacked Your Email 

In the story created by J.R.R. Tolkien, “The Hobbit”, little Bilbo Baggins was just a hobbit. But he became a burglar. No one suspected that this little Shireling was capable of such great feats. Although he did have great feet. The least suspecting of all was the dragon Smaug. Smaug had a great treasure. You see, dragons love gold. It turns out they love gold even more than dwarves.

But Bilbo was not after the gold. He was after something much more precious. The Arkenstone. With his special ring, Bilbo became the first hobbit burglar.

The next part of the story you are about to read is true. The names have been withheld to protect the victims. 

I received a phone call recently from a client who had a concern about an email. In this case it was an email sent from their own account rather than the typical phishing email one would receive. The email was requesting an ACH wire transfer from my client. My client, I was informed, did not use ACH transfers. How could that be?  This request was coming from their legitimate email account. What happened? 

All the evidence points to a compromised email account. The burglar had created a rule in the account that moved very specific sent emails to a folder called RSS Feeds. This folder is almost always added by default to your Outlook client. It’s a folder almost no one uses, and even fewer users look at it. Certain emails were redirected to the RSS Feeds folder so that the legitimate user never knew the exchange existed. However, it was very easy for the threat actors to simply monitor this folder. As soon as a targeted message appeared, the burglars crafted a follow-on email requesting the ACH transfer. The legitimate email was simply asking if an invoice was payable, and the burglar asked for a transfer of funds to his account.

Fortunately, this story has a happy ending. Thanks to the diligence of a very astute employee, this discrepancy was caught and the theft was blocked. The resolution to this almost tragic episode was quite simple. Change the password to the email account. Make the password long and enable multi-factor authentication. Never re-use passwords. This is like putting a dragon at the gate.
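The rule the burglar planted is the kind of thing an administrator can hunt for across every mailbox, not just the one that happened to get noticed. The following is an added example (not the columnist's tooling) of a small audit over exported inbox rules. It goes slightly beyond the story: besides the "move finance mail to RSS Feeds" pattern, it scores rules that forward outside the organisation, delete mail, mark it read, or carry a near-empty name, since those are the other common shapes of the same trick. The rule records are constructed sample data in a simplified shape (`name`, `conditions`, `actions`) only loosely modelled on what mail-server APIs export; the field names and the `ORG_DOMAIN` value are assumptions to adapt to your own export.

```python
"""Audit exported mailbox rules for the 'quietly divert finance mail' pattern.
Added illustration, not the column's own tooling. Rule records, field names and
the organisation domain below are constructed assumptions."""

ORG_DOMAIN = "example-dealer.test"  # assumed: the organisation's own mail domain

# Folders users rarely open; a rule that files mail here hides it in plain sight.
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                          "junk email", "archive", "conversation history"}
FINANCE_WORDS = {"invoice", "payment", "ach", "wire", "remittance", "bank", "payroll"}
STRONG_SIGNALS = {"hidden_folder", "external_forward"}


def score_rule(rule: dict) -> list:
    """Return the list of suspicious signals a single rule exhibits.
    Applies equally to rules on incoming mail and on sent items: in the story
    it was the client's own sent replies that were being diverted."""
    findings = []
    name = rule.get("name", "").strip()
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})

    if len(name) <= 1:                      # attackers often name rules "." or ""
        findings.append("suspicious_name")
    if act.get("moveToFolder", "").lower() in LOW_VISIBILITY_FOLDERS:
        findings.append("hidden_folder")
    words = {w.lower() for w in cond.get("subjectContains", []) + cond.get("bodyContains", [])}
    if words & FINANCE_WORDS:
        findings.append("finance_keywords")
    for addr in act.get("forwardTo", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            findings.append("external_forward")
            break
    if act.get("delete"):
        findings.append("deletes")
    if act.get("markAsRead"):               # keeps the unread badge from revealing new mail
        findings.append("mark_read")
    return findings


def audit_rules(rules: list) -> dict:
    """Return {rule name: findings} for rules worth a human look: any strong
    signal, or two or more weak ones (a lone mark-as-read is common and benign)."""
    flagged = {}
    for rule in rules:
        findings = score_rule(rule)
        if set(findings) & STRONG_SIGNALS or len(findings) >= 2:
            flagged[rule.get("name", "")] = findings
    return flagged


# Constructed sample export: one benign rule and two modelled on real BEC tradecraft.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
    {"name": ".", "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"name": "Backup", "conditions": {"bodyContains": ["wire"]},
     "actions": {"forwardTo": ["archive-mail@attacker-mailbox.test"], "delete": True}},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}: {', '.join(findings)}")
```

Run this over a periodic export of every mailbox's rules rather than waiting for an astute employee; pair it with the mitigations in the column (new long password, multi-factor authentication), and remember that the rule itself must also be deleted, since changing the password does not remove rules the attacker already created.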

Unlike Smaug, you don’t have an Arkenstone. But what you may not have thought about is your email. It is often the gateway to your gold. You must be as vigilant with it as if it were gold itself. You may want to consider having two email accounts. One account is for your entertainment, and a separate one is used to access and manage your financial accounts. And the latter? Protect that one with a dragon as if it were the Arkenstone itself.  

This article was originally published in the Sierra Vista Herald here.