Infiltrate, Exfiltrate, and… Inject?
Written by Ron LaPedis


This is a blog about spying in the Internet era. While activists would have you believe that it’s all about online personas, there is still a lot of cloak-and-dagger up close and personal spying going on. When Edward Snowden dumped his files, many Western spy agencies had to pull back agents because their covers were blown.

Even more covers may have been blown with the latest hack into the US government’s Office of Personnel Management’s security clearance database, where the Chinese gained access to employees’ 127-page SF-86 security-clearance forms, on which candidates for sensitive jobs have to give an exhaustive account of their past, including foreign contacts. They also got investigational info that includes employees’ extramarital affairs, sexually transmitted diseases and other health matters, as well as the results of polygraph tests. Can you spell “Blackmail?”

What is absolutely hilarious, yet sad at the same time, is that we found out during a hearing held by the House Committee on Oversight and Government Reform that the stolen data was not protected by practices like data masking, redaction and encryption. Oops!

But what if breaking in and playing “spot the spy” or determining whom they can target for espionage against us is not the game of the Chinese government? What if the Chinese are more interested in injecting data into the system?

I wrote a Forbes blog about losing your own identity if your biometrics are overwritten. In a nutshell, if someone changes your password to steal an online account, it is not all that hard to regain control of it. But what if someone hacks into a biometrics database and replaces your fingerprints with those of someone else? How do you prove that you are you?

But I am getting ahead of myself. Let’s start at the beginning. Cloak-and-dagger spies need an identity and a back story. That is, James Bond can’t just show up behind enemy lines. Q needs to create a persona, an alias, and fake documents to make it appear as if he is someone who he is not.

An excellent story in the Economist talks about spying in pre-computer days, when intelligence agencies kept files on paper. Access was strictly controlled and making copies was near impossible. That arrangement was cumbersome but made it possible to see exactly who had looked at a file, when, and why. Snowden would not have been able to dump hundreds of thousands of documents without someone noticing.

More importantly, it was no problem for a government to create a person out of thin air, and especially easy to create a fake passport, which would of course be as real as any other passport. Other documents could be inserted into paper files, such as birth and marriage certificates, and fingerprint cards. The spy had to memorize and practice their created backstory until it was perfect, otherwise their cover could be blown.

With everyone’s lives open to the world, it is much harder to create a digital timeline as part of a persona, and popping paper cards into paper files won’t cut it any longer. People don’t just appear out of thin air, and it is not hard to use your favorite search engine to find out more about someone whether they like it or not. And if you believed that a site had its historical timeline altered, you could always make a trip back in time using the Wayback Machine.

So let me leave you with this chilling possibility. What if foreign governments are not in our systems solely to get data out of them, but also to write their own data into them? Perhaps they can increase someone’s security clearance, change adjudication data to slander someone else, make a double agent look more valuable to us, remove damaging foreign contact information, or maybe even add someone to the payroll.

Is anyone looking at that possibility by comparing the latest contents to read-only archival copies? I wonder…
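The check asked about above, comparing what is in the system now against a read-only archival copy, is something a defender can actually run. The following is an added example, not code from the original post or from any real personnel system: the record fields (`id`, `name`, `clearance`, `foreign_contacts`) and both snapshots are constructed, and the manifest key is a placeholder. It hashes each record canonically, stores the archive's digests in a manifest protected by an HMAC (so an intruder who can edit the archive cannot quietly rewrite the baseline too), and then reports records that were injected, deleted, or altered, down to the field that changed.

```python
"""Detect injected, altered or deleted records by comparing a live export
against a read-only archival snapshot.

Constructed example: record fields and both data sets are made up for
illustration and do not describe any real system.
"""
import hashlib
import hmac
import json

# Constructed archival snapshot: the records as they were when the
# read-only copy was taken.
ARCHIVE = [
    {"id": 1001, "name": "A. Example", "clearance": "SECRET", "foreign_contacts": ["contact-x"]},
    {"id": 1002, "name": "B. Example", "clearance": "CONFIDENTIAL", "foreign_contacts": []},
    {"id": 1003, "name": "C. Example", "clearance": "TOP SECRET", "foreign_contacts": ["contact-y"]},
]

# Constructed live export: one clearance raised, one foreign contact
# removed, one record that never existed in the archive, one record gone.
LIVE = [
    {"id": 1001, "name": "A. Example", "clearance": "TOP SECRET", "foreign_contacts": ["contact-x"]},
    {"id": 1003, "name": "C. Example", "clearance": "TOP SECRET", "foreign_contacts": []},
    {"id": 1004, "name": "D. Example", "clearance": "SECRET", "foreign_contacts": []},
]

# Placeholder key (assumption); a real deployment keeps this in an HSM/KMS,
# separate from the systems that hold the data being checked.
MANIFEST_KEY = b"placeholder-manifest-key"


def canonical_bytes(obj) -> bytes:
    """Sorted keys, no whitespace: field order can never cause a false alarm."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    """SHA-256 over the canonical form of one record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def build_manifest(records: list) -> dict:
    """Map record id -> digest, stored alongside the archive so routine
    checks do not have to re-read the full archival copy."""
    return {r["id"]: record_digest(r) for r in records}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest; the tag is the baseline."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing useful."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_record(old: dict, new: dict) -> dict:
    """Field-level differences for a modified record: field -> (old, new)."""
    return {
        k: (old.get(k), new.get(k))
        for k in sorted(set(old) | set(new))
        if old.get(k) != new.get(k)
    }


def compare_to_archive(archive_manifest: dict, live_records: list) -> dict:
    """Classify every record id as injected, deleted or modified."""
    live_manifest = build_manifest(live_records)
    archived_ids, live_ids = set(archive_manifest), set(live_manifest)
    return {
        "injected": sorted(live_ids - archived_ids),
        "deleted": sorted(archived_ids - live_ids),
        "modified": sorted(
            i for i in archived_ids & live_ids if archive_manifest[i] != live_manifest[i]
        ),
    }


def run_check(archive: list, live: list, key: bytes, tag: str) -> dict:
    """Full check: refuse to trust a manifest whose tag does not verify,
    then report differences with field-level detail for altered records."""
    manifest = build_manifest(archive)
    if not verify_manifest(manifest, key, tag):
        return {"baseline_trusted": False}
    report = compare_to_archive(manifest, live)
    by_id = {r["id"]: r for r in archive}
    live_by_id = {r["id"]: r for r in live}
    report["changes"] = {i: diff_record(by_id[i], live_by_id[i]) for i in report["modified"]}
    report["baseline_trusted"] = True
    return report


if __name__ == "__main__":
    # The tag would normally be computed when the archive is frozen.
    baseline_tag = sign_manifest(build_manifest(ARCHIVE), MANIFEST_KEY)
    print(json.dumps(run_check(ARCHIVE, LIVE, MANIFEST_KEY, baseline_tag), indent=2))
```

On the constructed data the report flags record 1004 as injected, 1002 as deleted, and 1001 and 1003 as modified, with the clearance change and the vanished foreign contact called out field by field. The design point is that the archive, its manifest and the signing key must live where the production system's administrators cannot reach them; an archival copy that the same compromised account can rewrite detects nothing.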


About the Author

Ron LaPedis is the Workforce Continuity Strategist for Sungard Availability Services. He is co-inventor on two storage and two virtualization patents, and is named on one encryption patent. He is a Master Business Continuity Professional (MBCP), an Associate Fellow of the Business Continuity Institute (AFBCI), and a Certified Information Systems Security Professional (CISSP) with ISSAP and ISSMP endorsements. He is frequently published and blogs regularly on business continuity and security topics.

Ron would also like to thank his friend Bill Fisher for giving him the idea for this post.