Wednesday, August 11, 2010
What is in insurance.aes256 and What is it For?
Wikileaks has published a file called insurance.aes256. What is the file for and what does it mean? Many people have speculated about the purpose of the file's existence. My guess is that the file is part of a get out of jail free card for Bradley Manning, though it could be an insurance policy just for Assange and Wikileaks itself. The file itself is an encrypted 7zip archive about 1.4 GB in size. Unless the NSA knows something the experts do not, the insurance.aes256 archive will remained encrypted until Wikileaks releases the key. I'm speculating that the file archive may just contain a list of files taken with some videos thrown in as proof, although the HuffPost piece says that there could be a lot of documents in the archive from the size of the file alone. The contents are likely damning and embarrassing evidence of high level cover ups within the military and government and may prove how high the cover ups go. All of this is speculation, but it appears that the kid discovered things that bothered him morally. He took an oath to protect the Constitution of the United States when he joined the military. He may have discovered evidence that superiors were defying national or international laws. It appears that he had access to the DVD burner on his analyst workstation and that he smuggled the information out of his secured area on CDs disguised as music CDs. (One can't tell whether a CD is a data CD or an audio CD by looking at it.)
There were at least two failures of security here. He had access and permissions to use the DVD burner on his analyst system and he had a way to backup files to a CDRW. (Windows has this ability by default without the need of third party software like Nero.) Army physical security let him leave a secure facility without noticing that he brought a rewriteable CD to work in a secure facility. The first problem could have been solved by physically removing the DVD burners or enabling a software policy to disable the device. The second problem is more difficult to solve. It is difficult to police what goes in and out of a facility unless those items are banned from the workplace which evidently they weren't. They likely are now, though. I am guessing that USB drives were banned or locked down which necessitated the need to burn backup CDs or DVDs. No information went out over a secure network that we know of, and likely never did. He could have mailed the CDs or DVDs to whomever he pleased or found a way to transfer them to Wikileaks securely without being discovered or having the information compromised.
Network monitoring programs do not do a good job of intercepting and breaking encrypted communications. Sure, one can see the traffic, but assembling and decrypting it is another story unless you have the cryptographic keys. The NSA and other agencies have likely made some headway in this area, but if you are a guy like Brad Manning, you know the strengths and weaknesses of the systems that you are trained on. He avoided all of those traps by not using those networks to transfer files and made the IT Security and system administrators of a highly secure facility look like idiots. (To be fair though, insider threats are difficult to counter and are the most damaging. This still shows that military networks are not very well compartmentalized, thanks Microsoft!) He did this theft over some period of time which means he could have smuggled out gigabytes worth of information. Documents would not take up a lot of storage, but videos would. My guess is that he has smuggled out more than a few video files along with countless documents, and that most of his evidence is likely video files. We know of video evidence of at least one incident being suppressed. Perhaps that is all he smuggled out. Only he, Wikileaks, and the military know for sure. But we know from Pat Tillman's friendly fire death, that other cover ups have happened. So, it is possible that he's got the government and DOD in a bind and they are proceeding carefully until some accommodation can be reached or the threat of embarrassing disclosure is nullified. This would explain the initial outrage of the administration followed by complete silence. We've heard nothing about his incarceration or court martial. It's being kept very low key for now.
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”
“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
There were at least two failures of security here. He had access and permissions to use the DVD burner on his analyst system and he had a way to backup files to a CDRW. (Windows has this ability by default without the need of third party software like Nero.) Army physical security let him leave a secure facility without noticing that he brought a rewriteable CD to work in a secure facility. The first problem could have been solved by physically removing the DVD burners or enabling a software policy to disable the device. The second problem is more difficult to solve. It is difficult to police what goes in and out of a facility unless those items are banned from the workplace which evidently they weren't. They likely are now, though. I am guessing that USB drives were banned or locked down which necessitated the need to burn backup CDs or DVDs. No information went out over a secure network that we know of, and likely never did. He could have mailed the CDs or DVDs to whomever he pleased or found a way to transfer them to Wikileaks securely without being discovered or having the information compromised.
Network monitoring programs do not do a good job of intercepting and breaking encrypted communications. Sure, one can see the traffic, but assembling and decrypting it is another story unless you have the cryptographic keys. The NSA and other agencies have likely made some headway in this area, but if you are a guy like Brad Manning, you know the strengths and weaknesses of the systems that you are trained on. He avoided all of those traps by not using those networks to transfer files and made the IT Security and system administrators of a highly secure facility look like idiots. (To be fair though, insider threats are difficult to counter and are the most damaging. This still shows that military networks are not very well compartmentalized, thanks Microsoft!) He did this theft over some period of time which means he could have smuggled out gigabytes worth of information. Documents would not take up a lot of storage, but videos would. My guess is that he has smuggled out more than a few video files along with countless documents, and that most of his evidence is likely video files. We know of video evidence of at least one incident being suppressed. Perhaps that is all he smuggled out. Only he, Wikileaks, and the military know for sure. But we know from Pat Tillman's friendly fire death, that other cover ups have happened. So, it is possible that he's got the government and DOD in a bind and they are proceeding carefully until some accommodation can be reached or the threat of embarrassing disclosure is nullified. This would explain the initial outrage of the administration followed by complete silence. We've heard nothing about his incarceration or court martial. It's being kept very low key for now.
Labels: data loss prevention extortion insurance Manning
