Colin Powell’s e-mail tips: Use private phone line, personal AOL account… and keep mouth shut

Former secretary of state “stopped asking,” used PDA in secure spaces despite rules.

In an e-mail exchange with then-incoming Secretary of State Hillary Clinton, former Secretary of State Colin Powell warned that the State Department Diplomatic Security (DS) would "[drive] you crazy if you let them." The e-mail, released yesterday by Rep. Elijah Cummings (D-Maryland), ranking minority member of the House Oversight and Government Reform Committee, warned Clinton about the risks of using a personal mobile device in her job—but also detailed how Powell had flouted security rules set by the State Department and National Security Agency in his own daily use of mobile devices.

Powell explained that he had used a dial-up connection (as previously reported, this was a personal AOL account) to send e-mails "so I could communicate with a wide range of friends directly without it going through the State Department servers. I even used it to do business with some foreign leaders and some of the senior folks in the Department on their personal e-mail accounts. I did the same thing on the road in hotels."

The private e-mail account used by Powell pre-dated the State Department's own external unclassified e-mail capability. However, Powell also ignored rules on the use of personal devices in secure spaces at the State Department—such as the Office of the Secretary of State suite in "Mahogany Row," a Sensitive Compartmented Information Facility (SCIF)—by using a personal digital assistant, he told Clinton. "DS would not allow them in a secure space, especially up your way," he wrote. "When I asked why not, they gave me all kinds of nonsense about how they gave out signals and could be read by spies, etc. Same reason they tried to keep mobile phones out of the suite."

Yes, you can hack cell phones like on Mr. Robot—just not the way they did

While plausible, Elliot’s “crackSIM” hack took some artistic license with technology.

(credit: NBCUniversal)

Warning: This piece contains minor spoilers for the most recent episode of Mr. Robot (S2E9)

Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involves hiring ex-FBI employees as consultants or tracking down the duo behind the Full House theme, the series wants to ground its high stakes story in a healthy dose of realism. 

“The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world’s debt, is a big pill to swallow," Kor Adana, staff writer and the show's lead tech producer, told Ars recently. "The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality."

Surprise! House Oversight report blames OPM leadership for breach of records

OPM failed to set up “basic cyber hygiene;” Dems say contractors share blame.

OPM officials did nearly everything wrong as far as security goes and then lied about it, House Oversight Committee Republicans said in a final report on the OPM breach. (credit: Photo illustration by Sean Gallagher, based on image by Colin)

A report from the Republican majority on the House Oversight and Government Reform Committee published today places blame for the 2014 and 2015 data breaches at the Office of Personnel Management squarely on the OPM's leadership. The report finds that the long-time network infiltration that exposed sensitive personal information on about 21.5 million individuals could have been prevented but for "the longstanding failure of OPM's leadership to implement basic cyber hygiene."

"Tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency's extensive responsibilities," the report concluded. And the committee's majority report also asserted that former OPM Chief Information Officer Donna Seymour lied repeatedly during her testimony, misstating how the agency responded to the breach and misleading Congress and the public about the damage done by the attack. Ars extensively covered the shortfalls in OPM's security last year.

The House Oversight report reveals that there were two separate extensive breaches—one beginning as early as November of 2013, which went undiscovered until March 2014 and was finally shut down completely two months later, allowed attackers to obtain manuals and technical information about the types of data stored in OPM systems. A second attack began shortly afterward, targeting background investigation data, personnel records, and fingerprint data. These breaches were determined to be likely conducted by the "Axiom Group" and "Deep Panda," respectively, two China-based hacking groups alleged to have ties to the Chinese government. The attacks used a series of domains—some with OPM-related names (opmsecurity.org and opmlearning.org) and registered under the names of Marvel superheroes Tony Stark (Iron Man) and Steve Rogers (Captain America)—to control malware and exfiltrate stolen data.

FBI report: Clinton had limited knowledge of classified data procedures

Former secretary of state left details of e-mail to her husband’s staff.

The meme that launched a veritable fleet of investigations. (credit: Kevin Lamarque / Getty Images)

Last Friday, the Federal Bureau of Investigation published a 58-page redacted memorandum on the investigation of the mishandling of classified information by former Secretary of State Hillary Clinton. The memo includes details from Clinton's interview with the FBI and a summary of other interviews the FBI conducted during the yearlong investigation.

During her three-and-a-half-hour interview with FBI investigators, Hillary Clinton said that she had used a personal e-mail account "out of convenience" because she only wanted to carry a single mobile device—and the State Department would not allow her to connect a work device to her personal e-mail. She said she had no recollection of anyone voicing concerns over the arrangement. But the FBI investigation found records of an exchange with former Secretary of State Colin Powell on the topic, where he warned her of the risks and told her how he had "gotten around it."

The FBI report shows that Clinton generally allowed others to make decisions about how to support her Blackberry habit and that the private mail server she used was run largely at the direction of former President Bill Clinton's staff. And while the FBI did not find that Clinton did anything criminal, the investigation revealed a generally lax approach to security overall by the State Department, Clinton's staff, and Clinton herself.

More passwords, please: 98 million leaked from 2012 breach of “Russia’s Yahoo”

News, e-mail portal used no encryption to protect passwords (at least before breach).

(credit: Marc Falardeau)

Another major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news, and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames, passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru database stored user passwords in plain text—meaning that whoever breached the database instantly had access to the e-mail accounts of all of Rambler.ru's users.

The breach is the latest in a series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only Russian site that hackers have caught storing unencrypted passwords. In June, a hacker offered for sale the entire user database of the Russian-language social networking site VK.com (formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also included unencrypted user passwords, as ZDNet's Zach Whittaker reported.

The Rambler database shows that its users had the same proclivity toward using weak passwords as users of other sites breached during the same period—the most common password, used by 723,039 users, was "asdasd," followed by 437,638 accounts that used "asdasd123." The majority of the top 50 passwords were simple numerical sequences. While that would be expected for "throwaway" passwords for sites with relatively low levels of privacy data (such as Last.fm), Rambler provides e-mail services—so the risk to user privacy of weak passwords was much higher.

All the Clintons’ servers: Hillary first used a Power Mac tower for e-mail

FBI memo details evolution of HRC’s private e-mail from basement tower to managed service.

The Clintons used one of these to run a mail server for Hillary Clinton's Blackberry. (credit: baku13)

As she was being confirmed as Secretary of State, Hillary Clinton contacted Colin Powell to ask him about his use of a Blackberry while in the same role. According to a Federal Bureau of Investigation memorandum published today (PDF), Powell warned Clinton that if it became public that she was using a Blackberry to "do business," her e-mails would be treated as "official" record and be subject to the law.

"Be very careful," Powell said according to the FBI. "I got around it all by not saying much and not using systems that captured the data."

Clinton told the FBI that she didn't factor Powell's advice into her decision to use a personal mail server—a statement that seems obvious based on the tens of thousands of e-mails now being published as the result of lawsuits, congressional and FBI investigations, and Freedom of Information Act requests. Just how far she deviated from that advice is evident in the detailed history gathered by the FBI. The FBI's information on the Clintons' e-mail infrastructure dates back to Hillary Clinton's tenure in the US Senate, and this new release shows how that infrastructure was intertwined with the information technology used by former president Bill Clinton's staff.

Over 40 million usernames, passwords from 2012 breach of Last.fm surface

While Last.fm informed users in 2012, passwords were easily cracked.

If you haven't changed your password for Last.fm since 2012, it's long past time—the passwords are now easily grabbed from the Internet.

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked "mega-breaches" from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly encrypted passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.

Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide "trending" board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were encrypted with an unsalted MD5 hash.

"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches," a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.

“Foghorn” takes users out of phish-fighting with DNS “greylisting”

Prototype security tool stops clicks on bad links, blocking DNS lookup for 24 hours.

Go ahead and click it. You know you want to.

Clickers gonna click. Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk. It's simply too easy with the slightest amount of targeted work to convince users to click.

Eric Rand and Nik Labele believe they have an answer to this problem—an answer that could potentially derail not just phishing attacks but other kinds of malware as well. Instead of relying on the intelligence of users, Rand and Labele have been working on software that takes humans completely out of the loop in phishing defense by giving clicks on previously unseen domains a time out, "greylisting" them for 24 hours by default. The software, a project called Foghorn, does this by intercepting requests made to the Domain Name Service (DNS).

Greylisting has been used in spam filtering for e-mails, where it deliberately delays e-mails delivered from previously unseen sources and sends temporary errors back to the sender for a few minutes or hours. Spam greylisting operates under the assumption that a real mail server will re-attempt delivery, while spambots likely will not.

Marine Corps wants to put lasers on F-35 (and everything else)

Combat Development Command wants to start first with laser-equipped C-130s.

(credit: Lockheed Martin)

At a breakfast with defense reporters this week, Marine Corps Lt. General Robert Walsh, the commanding general of the Corps' Combat Development Command, said that directed energy weapons are "where we want to go." That includes eventually mounting lasers on the F-35B fighter—and virtually everything else in the Marine Corps' inventory.

"As soon as we could miniaturize them, we would put them on F-35s, Cobra [attack helicopters]… any of those kind of attack aircraft," Walsh said, according to a report from National Defense. But given how much difficulty Defense Department researchers have had reducing the size and power required for directed energy weapons, that day is still a long way off—and the objective right now is to get a system that could be flown on a C-130.

The advantage of directed energy weapons, from the Marine Corps' perspective, is that they don't require ammunition (other than their energy source) and could be used defensively against missiles and even other aircraft at a much lower cost per shot than the $300,000 to $400,000 AIM-120 missiles carried by the F-35—or even the 25 millimeter rounds of its GAU-22/A cannon.

So much for counter-phishing training: Half of people click anything sent to them

Even people who claimed to be aware of risks clicked out of curiosity.

With a name or just a general description of some generic event, researchers were able to "spear-phish" half of their test subjects. (credit: Wikipedia)

Security experts often talk about the importance of educating people about the risks of "phishing" e-mails containing links to malicious websites. But sometimes, even awareness isn't enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.

The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects—university students—from fake accounts.

The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.
