Forgot your password?
typodupeerror
Security The Courts Your Rights Online

Russian Spy Ring Needed Some Serious IT Help 191

Posted by samzenpus
from the close-your-spy-network dept.
coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."
This discussion has been archived. No new comments can be posted.

Russian Spy Ring Needed Some Serious IT Help

Comments Filter:
  • Encryption (Score:5, Funny)

    by Pharmboy (216950) on Wednesday June 30, 2010 @07:14PM (#32751352) Journal

    They encrypted everything using ROT13, TWICE! How much better security can you get?

    • Except that Cyrillic has thirty-three letters, not twenty-six. Therefore, they did ROT11 three times.

    • Writing the password probably isn't as smartest way to save it but lets be realistic, nobody can remember a 26 character password. It's bound to be written somewhere even if it's written in a PGP encrypted email message to self.

    • by blair1q (305137)

      The correct rule is to protect the password at the same level of security as the data you access with that password.

      So, writing down a password on a post-it on your desk is not appropriate if you wouldn't do the same with the most sensitive item of data on your computer or network.

      Similarly, if you have a sensitive network and a not-so-sensitive network, writing your sensitive-network password into a file stored on your not-so-sensitive network is a bad thing. This includes putting it in an encrypted file

  • Passwords (Score:5, Insightful)

    by birukun (145245) on Wednesday June 30, 2010 @07:17PM (#32751382)

    Nothing wrong with writing down your long complex passwords..... UNLESS YOU LEAVE IT LAYING AROUND

    The complaint read like a spy novel.... A ready-made Bourne script!

    • What?!?!

      Bourne would never have been this stupid!

      Everyone trying to catch him on the other hand ...
    • Re:Passwords (Score:5, Insightful)

      by timeOday (582209) on Wednesday June 30, 2010 @08:53PM (#32752030)
      They left it lying around... their home. The reason it was compromised was because (apparently) the FBI had a warrant to go in their home, meaning they were already under suspicion because of something else they had done.

      Here is my point: if you do something that causes the FBI to monitor your every move and scour your home for clues for over 10 years, it is going to be very hard to keep many secrets, regardless of how you configure your WiFi or whether you try to memorize random 27 character passwords.

  • Seems like they doing this on the cheap? acting dumb? stolen parts?

  • by al0ha (1262684) on Wednesday June 30, 2010 @07:18PM (#32751390) Journal
    the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.
    • by flajann (658201) <flajann.linuxbloke@com> on Wednesday June 30, 2010 @07:31PM (#32751516) Homepage Journal

      the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

      Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung it up in the very conference room, he hung the thing up on the wall.

      Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.

      They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How it was activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such-- just a tube with the diaphragm attached at the end.

      The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.

      • by Anonymous Coward on Wednesday June 30, 2010 @07:41PM (#32751598)

        That seal is hanging at the NSA museum. If you go there, you can open it up and see the microphone. Pretty neat.

        http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml

        look for "great seal"

      • Re: (Score:3, Funny)

        You'll never know if you have a real competent spy around.

        I know! It's just the same with the half-dozen ninja assassins lurking in my apartment!

        But they're there. I can feel it.

      • Re: (Score:3, Informative)

        by sznupi (719324)

        To be fair, it might have been just as well made by children - at least when it comes to visible parts ;p

        Also, the seal device was actually hung on a wall in Soviet Union, by the US ambassador there. The interesting part made by no other but...Theremin.

      • by Darth Cider (320236) on Wednesday June 30, 2010 @08:56PM (#32752056)
        That listening device [wikipedia.org] hidden in the great seal was invented by Leon Theremin [wikipedia.org], the same guy who invented the theremin musical instrument [wikipedia.org].
      • Re: (Score:3, Funny)

        by sootman (158191)

        > The US guys couldn't figure it out, so they consulted British scientists!

        Truly dumb. I wouldn't have even needed scientists--I would have started with the question "So, have you gotten any gifts from any Russians recently?"

      • Uh, "how stupid the US gov can be sometimes..." I'd not us that for this instance where hindsight is 20-20 whole figuring out on of the first passive resonators is really hard.

        Now, the CIA figuring out that Russia was exiting Afghanistan 9 months after Russia held a press conference saying they were leaving Afghanistan, that's stupid. And, that's form a book written by a previous CIA director to trumpet their successes.

      • by tehcyder (746570)

        You'll never know if you have a real competent spy around.

        Yeah, they don't tend to fall for the "Simon says put your hand up if you're a spy" approach.

    • by euxneks (516538)

      the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

      This sounds like the plot to Spies like Us

  • Use passphrases (Score:5, Interesting)

    by hkz (1266066) on Wednesday June 30, 2010 @07:23PM (#32751446)
    Passwords are the wrong solution. Trying to make people remember a short string with high entropy is hard, so people write them down. The other way around is much better - long passphrases with less of the tedious entropy. Quotations, lyrics, names, whatever. They're much easier to remember and much harder to brute-force. Sprinkle in some punctuation and you're golden.
    • by AuMatar (183847)

      That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

      • That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

        You, sir, have outdone yourself, even for slashdot standards. A passphrase is NOT "a phrase as a password", but rather a phrase as a mnemonic for your password.

        Example:

        Passphrase: 100 quick clicked commentors barely read Slashdot each day!
        Password: 100qccbrSed!

        I'll leave it to you to figure the magic out.

        • by KevMar (471257)

          A pass phrase is not that bad of an idea. It does not have to be 200 chars long, but a few words that mean something to you stringed together. If nobody can see you type it, then they will have no clue its a pass phrase. If they see you tap space every 4-7 chars they will figure it out.

          For a while, I used the phrase "I am the administrator!" for my workstation admin password. 23 very easy characters to remember. It is such a simple password to remember and hard to guess.

      • by joelsanda (619660)

        That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

        Yes. Assuming I'm an "end user" - I've been in I.T. for 13 years and still haven't quite figured out why the word "end" is put in front of user.

        Anyway ...

        I use passphrases for everything that will take something more than a short-digit PIN. My favorite is 27 characters long. At work I cull my memory for a passphrase, use that, and recall it much quicker than a coworker who enters part of the previous password, hits the backspace button, and mumbles "Now what was my new password again?" By the time he's don

      • Re: (Score:3, Interesting)

        I used to use lines form James Joyce's Finnegans Wake. All I had to do was to remember the page # and I could find the quotation.
    • Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

      • Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

        Passphrases encourage the use of numbers, capitalization, longer passwords, and punctuation. If the common password is all lowercase letters and maybe digits, your looking at a search space of (26+10)^k for a password of length k. If you throw in the 30 or so punctuation marks, and capitalization, the search space is (26+26+30)^k for the same length of password.

        Given that so many people use lowercase+digits passwords, I'd be inclined to think that anyone brute-forcing a bunch of passwords would stick to

      • by Culture20 (968837)

        Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

        If you don't follow correct grammar, you can make a secure passphrase that's easier to remember than 98jn339ejnT#T*j#fe8#wf#F.
        Assume a character set of 256, that means with 8 random characters, you've got 8^256. 8 random characters is tough for some people to handle. With passphrases, if you allow only english, you've got a "character" set of `wc -l /usr/share/dict/words` (98569), so with 8 random words, you've got 8^98569 possibilities. Of course, to follow a sense of grammar (even bad), you reduce tha

    • Remembering random strings isn't that hard, it just takes time. People's heads are crammed full of random bits of data (pieces of bank account numbers, random login names you've been assigned, etc.) Instead of using a 20 character string as a password and trying to remember it straight away, generate four 5 character strings, write them down and recite them a couple times a day every day for a couple of weeks. After you're so sick of them you could recite them in your sleep eat the piece of paper and combin

      • by AK Marc (707885)
        My most "secure" password (Assuming no one knew it was numbers only) was to open up the phonebook and select a phone number at random. 9 characters with no known association between them or to me would be uncrackable. If someone knew it was all numbers, it would be crackable. And I could write the code for the password down and look it up again if I forgot. I wrote "p213 #23" on a post it note, with no other references, so only I knew it was for a password and that it would be the phone number of the 23
    • I remember one of our truecrypt volume passwords at work used to be "mymilkshakebringsalltheboystotheyard". Upon being informed of that, I thought "ok, pretty secure, easy to remember, but who the hell came up with that?"
      • I remember one of our truecrypt volume passwords at work used to be "mymilkshakebringsalltheboystotheyard". Upon being informed of that, I thought "ok, pretty secure, easy to remember, but who the hell came up with that?"

        What hole are you living in that you don't recognize that as a song lyric [lmgtfy.com]?

        • Um, I may live in a hole, but I know the lyric. The funny thing about the passphrase is that I work with a bunch of (male) engineers, and one of them selected that as a passphrase. I just think it's strange that an engineer, probably in his mid 40s with a beer gut, came up with that.
    • by blair1q (305137)

      This is mine:

      "There's nothing more useless than a passphrase based on a quote."

      (One Quotation-Dictionary Attack Later)

      ALL YOUR BASE ARE BELONG TO US!

      • by AK Marc (707885)
        That's why you add in incorrect punctuation or spellings or such if you can. "4scourand7yearsagoour4fathers" If a dictionary won't hit it directly, trying permutations of errors would render a dictionary attack useless, as long as there are enough possible errors. That and there are so many song lyrics that quotes can be found that are obscure and memorable.
        • by blair1q (305137)

          Pretty useless.

          "Did I put the 4 first or the 7? and what the fuck was between years and ago?"

          Guaranteed to forget the details in 2.4 months.

  • they were just make it look like you standard network, so they do not arouse suspicion ..... ;-)

  • they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

    then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

    if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

    • by colfer (619105)

      Or they have connections who got them their cushy US layabout jobs.

      The net history of espionage is like the net profit history of the airline industry. Comes out to about zero on balance (going back to the Wright Brothers, or so they say). But in espionage, even though the topmost levels of the U.S. and British and probably Soviet spy agencies were infiltrated over and over again, I guess there is some argument you can't just unilaterally disband them unless the other side does too.

    • by elucido (870205) *

      they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

      then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

      if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

      Seriously? You think Russia would put polonium in their tea? On US soil? I know the guy you are talking about so it does happen but I don''t think Russia would dare do that. That being said I agree the spy ring does look to be a joke and I'm not sure why there is such a big deal about this considering they were an unsuccessful ring.

      They weren't all full of shit because some of them (the Chapman female) seemed to have some real skills.

    • Hah, it had to be circletimessquare -- oh how I miss Kuro5hin and this kind of out-of-the-box thinking that used to come up there so often from you and the rest of the people. Too bad the place was filled with trolls to the point of unusability the last few times I tried to return.

    • by Jah-Wren Ryel (80510) on Wednesday June 30, 2010 @10:00PM (#32752448)

      then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

      I thought that was pretty obvious.
      The very first article [guardian.co.uk] I read about the bust contained this suppossedly intercepted message:

      "You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.

      It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.

  • Sounds similar to a lot of corporate America: Using OS that locks up, poor password security, need to send laptops to corporate for assistance, ...
  • They could have wrote their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. It's very much like encryption where the key has to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.

    Let's just say it, these spies didn't kn

    • by tehcyder (746570)

      They could have wrote their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.

      No, the whole point of steganography is that you use it to avoid provoking suspicion i

  • by porky_pig_jr (129948) on Wednesday June 30, 2010 @08:01PM (#32751726)

    And if so, is that good or bad?

  • by Anonymous Coward on Wednesday June 30, 2010 @08:05PM (#32751750)
    I have little to no hope that the corporate world ever will.

    I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.

    Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.

    And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.

    In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.

    Sorry to post anonymously (it's the first time I have!), but other folks in my department read ./ and I can't really expose my name / UID in this particular case.
    • Re: (Score:3, Insightful)

      by turbidostato (878842)

      "I'm an IT director at a mid-sized company in the US [...] Our CEO [...] He'd ask me to fix a problem with his machine"

      You *think* you are an IT director, but you are the mop guy.

      At least that's what your CEO thinks, and that's all that counts.

  • go low tech (Score:2, Insightful)

    by LostMonk (1839248)
    Why try to beat US security at their own game? go low tech. it works for el-qaeda. If they used the good old mail services they would have gone unnoticed for another 10 years.
  • .... terrorist threat is just not working very well anymore, so its time to remake an old threat....

    But this time its really a lot more like "Spy vs. Spy" as found in MAD magazine.

  • by OnePumpChump (1560417) on Wednesday June 30, 2010 @08:18PM (#32751810)
    Unless it's a randomly generated password, omit some letters. You shouldn't need the whole password to remind yourself what it was.
  • Funny (Score:2, Funny)

    by formfeed (703859)

    If they had just called themselves a business intelligence and consulting service for foreign investors, they wouldn't have any problems.

    And if you call yourself a lobbyist you can even funnel money from foreign governments into your congressman's pocket.

  • This whole thing reads like an episode of Rocky & Bullwinkle.

    Boris Badenov: "Everything going fine until Moose and Squirrel!"

    Natascha Fatale: "What you mean, dear?"

    Boris Badenov: "Everything working fine until we get laptop with Windows!"

    Fearless Leader: "First Chernobyl, then Kursk, NOW OUR SPIES!"

    Natascha Fatale: "Dahling, least not Moose & Squirrel this time....."

"Don't discount flying pigs before you have good air defense." -- jvh@clinet.FI

Working...