FBI Caught Cheating on Investigations Exam

Among all the discussion about FBI wiretap procedures and following the rules, the Department of Justice has just released a report that condemns the FBI for widespread practices of cheating even within top management.

At the heart of the report is the fact that test takers collaborated on the test and then certified on Question 51 that they did not collaborate on the test.

The Inspection Division conducted an investigation and found that the SACs [Special Agents in Charge] had taken the exam together, in the same room, while discussing the questions and possible answers with a legal advisor, who was also present. While the ADIC [Assistant Director in Charge] was also in the room at the time, he did not take the exam that day. Instead, the ADIC wrote down the answers and later used them to complete the exam another day.

The hubris of those accused is hard to believe. Aside from lying on Question 51, another issue in the report is that test takers claimed an answer sheet provided by someone else should be treated as personal notes:

The ADIC argued that he had not cheated because the answers he wrote down for his later use constituted “notes,” which he argued were permissible under the open-book procedures of the exam.

Is this really who will be working on wiretap authorization orders?

The report also discusses how test takers justified cheating and excused themselves from breaking the rules by saying they were unaware of the importance of an exam covering the Domestic Investigations and Operations Guide (DIOG).

Attorney James admitted creating two answer sheets that consisted of the question number and the answer (for example, 1 – a, 2 – true, 3 – c, etc.). Attorney James told us that he gave the first answer sheet to an SSA who was also a trainer and the second answer sheet to an ASAC. Attorney James also said that he distributed the answer sheets because he felt that the DIOG exam was just another administrative hurdle that FBI employees had to surmount. Attorney James stated that if he had realized that the FBI considered the exam to be so important, he never would have given out the answers.

Regret noted.

Some test takers used a system vulnerability to pass the test.

We also interviewed FBI employees in Field Office 2 about the DIOG test. First, and most troubling, we found four agents who took advantage of a flaw in the Virtual Academy computer program to reveal the answers to the questions as they were taking the exam.

You will never guess who figured this out.

An FBI agent who works on a cyber crime squad in Washington, D.C., told the OIG that sometime in 2008 he was experimenting with Virtual Academy computer programming to see how secure it was when he noticed some “really sloppy” coding that amounted to a programming flaw. According to the agent, the flaw allowed any FBI employee taking some Virtual Academy exams to open an XML file located in the employee’s computer’s “Temporary Internet Files” folder and view all the answers to the exam. The agent told us that he created a computer tool that made it easier to see the DIOG exam answers by taking employees directly to the XML file that contained the answers. While the answers were available without the tool to anybody who realized where to look for them on their computer, he said the tool made it slightly easier to get to the answers.

Caught red-handed, the FBI agents really start to dig a massive hole by describing why they exploited the “slightly easier” way to find the answers to the test. You just can’t make this stuff up.

The agent told us that a week later he sent the computer tool to the other cyber agent in Field Office 2 as an attachment to an e-mail. The agent said that he sent the computer tool only after receiving verbal assurances from the Field Office 2 agent that he would not forward the computer tool to anyone else.

Verbal assurances in place. This is the guy complaining about sloppy security? Yes, as an added measure of security the cyber crime squad expert put a “disclaimer” in his email. Oh, I see, that’s not “really sloppy”.

In one e-mail, the Washington, D.C., cyber agent mentioned the recent computer class that the two agents had attended together and explained the use of the computer tool, noting that it could be used to view the answers on most Virtual Academy exams. The agent added, at the bottom of the e-mail, the following: “DISCLAIMER: This is only a learning tool, not to be used for official test-taking purposes.”

Naturally the agent who received the email used the tool to take the test anyway.

The Field Office 2 agent who received the e-mail told us that he also took the exam on his own without using the computer tool or the XML file to look at the answers. He said, however, that after answering the questions on his own, he looked at the XML file to double-check his answers. He said that he did not believe he violated any FBI rules because he did not change any of his answers after reviewing the correct ones in the XML file.

Perhaps like me you are wondering if the agents are laughing in the face of the DoJ investigators. Do they really believe they are not violating the rules if they use an answer sheet at the end instead of the start?

Remember the verbal assurance by the agent worried about sloppy security?

The tool was forwarded. For good measure this agent emphasized that the tool is useful for cheating, undermining his own statements to the investigators.

However, this field office agent forwarded the e-mail and the attached computer tool he had received to four other agents on his cyber squad in the field office. At the bottom of this forwarded e-mail, the field office agent added this comment: “Depending on how lazy you are, [this program] will make taking the tests faster.”

The report continues with multiple cases of agents who believed they could cheat but answer yes to Question 51 because they saw no relationship between cheating and outside assistance “from another FBI employee”.

I could go on but there really are two sides to this story. We can blame the test takers for cheating and lying and using extremely weak logic to excuse themselves. That seems easy to see. However, it also should be asked whether the test givers were naive to administer a test with so few controls to prevent and detect cheating — the questions were asked by computer but never rotated. Only after more than 200 tests were completed in an impossibly short time-frame were suspicions raised. The report makes three recommendations to the FBI, none of which suggest technical measures to prevent cheating.

…and at the end of it all you have to ask yourself if it really is a good idea to expand or make easier wiretap authorization.
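The controls the post says were missing (the impossibly short completion times were only noticed after the fact, and nothing checked for shared answer sheets) are cheap to implement. The following is an added example, not code from the report or from Virtual Academy; the record layout, the answer key and the timing threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the OIG report): user, start, end,
# and the submitted answers, one character per question.
ANSWER_KEY = "abtcb"  # constructed key for a five-question exam
ATTEMPTS = [
    ("agent01", "2009-05-04 09:00:00", "2009-05-04 10:05:00", "abtca"),
    ("agent02", "2009-05-04 09:02:00", "2009-05-04 09:06:00", "abtca"),
    ("agent03", "2009-05-04 09:03:00", "2009-05-04 09:07:00", "abtca"),
    ("agent04", "2009-05-05 14:00:00", "2009-05-05 14:50:00", "abtcb"),
    ("agent05", "2009-05-05 14:10:00", "2009-05-05 14:13:00", "cbtaa"),
]
MIN_PLAUSIBLE_MINUTES = 15  # assumed threshold; set it from the exam's length

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def too_fast(attempts, min_minutes=MIN_PLAUSIBLE_MINUTES):
    """Users who finished in less time than reading the questions would take
    (the 'impossibly short time-frame' signal the report mentions)."""
    return [u for u, start, end, _ in attempts
            if (_ts(end) - _ts(start)).total_seconds() / 60 < min_minutes]

def error_signature(answers, key=ANSWER_KEY):
    """Positions and values of the wrong answers on a sheet. A perfect sheet
    gives an empty signature: perfect sheets are expected, so only shared
    mistakes are treated as evidence of a shared answer sheet."""
    return tuple((i, a) for i, (a, k) in enumerate(zip(answers, key)) if a != k)

def shared_errors(attempts, key=ANSWER_KEY):
    """Groups of users whose sheets carry exactly the same wrong answers."""
    groups = defaultdict(list)
    for user, _, _, answers in attempts:
        sig = error_signature(answers, key)
        if sig:
            groups[sig].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    print("implausibly fast:", too_fast(ATTEMPTS))
    print("identical mistakes:", shared_errors(ATTEMPTS))
```

Rotating question order per sitting, which the post notes was never done, would make the shared-mistake check stronger still, since copied sheets then stop lining up position by position.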

Kiwi Privacy Laws Get Cloudy

Computerworld in New Zealand tries to make sense of the Privacy (Cross-Border Information) Amendment Act and gaps in privacy law as they relate to data and cloud computing issues:

Section 10 of the Privacy Act in its present form covers some of the situations. For example, where a company in New Zealand sends data to an affiliated company overseas, it is still protected by the principles of the Act covering misuse, availability to the subject and opportunity for correction; but where data is sent overseas to an unrelated third party or into the cloud there is no guaranteed protection under the Act, says assistant privacy commissioner Blair Stewart.

Three solutions have been proposed for protecting data that leaves the island:

  1. Impose Kiwi law on foreign states, like the EU has imposed on NZ
  2. Pass laws to make Kiwi companies liable for data in their care regardless of where it is processed or transmitted
  3. Adopt the Indian example of using security standards (ISO) instead of using the law to control privacy

It seems to me that they really should consider a combination of two and three.

One is amusing but would be a wasted political effort. When the countries within the EU can barely work out a breach notification law, demanding adoption from the outside is a long shot at best. Does NZ have that kind of clout?

Likewise the Amendment’s new “transfer prohibition notice” has a reference to security controls but it leaves the door wide open to interpretation. Adopting a standard would clarify things immensely.

114C Transfer prohibition notice
(1) A prohibition under section 114B(1) is to be effected by the service of a transfer prohibition notice on the agency proposing to transfer the personal information concerned.
(2) A transfer prohibition notice must
(a) state the name of the agency to whom it relates; and
(b) describe the personal information concerned; and
(c) state that the transfer of the personal information concerned from New Zealand to a specified State is prohibited either
(i) absolutely; or
(ii) until the agency has taken any of the steps stated in the notice to protect the interests of any individual or individuals affected by the transfer; and…

Can you guess what “steps stated in the notice to protect” will mean?

That kind of ambiguity will be very unpopular with data managers and service providers for good reason. Each prohibition notice could vary so much that it would create an impossible onus on providers to comply, even if compliance just means writing a formal response to the request. Cloud providers like consistency as it is the only way to scale. They will want to see a discrete and regular list of controls, for which they can prepare answers and solutions. ISO 27002 is a good example of what has worked, even for clouds.

US Accused of New Somalia Black-Ops

Last September six helicopters, including at least two AH-6 Little Birds, attacked an al-Shabab convoy in southern Somalia which carried Saleh Ali Saleh Nabhan. The convoy was quickly out-gunned. Wounded and dead militants were picked up and taken away by the helicopters.

The US military claimed responsibility for the operation, called Celestial Balance; they suggested it involved extensive coordination between Army and Navy with support from two warships and was planned over several months.

The success of a delicate and complex operation surely created a stir. Some reported it as a change in policy for the US; an “evolution in US operational and intelligence capabilities” — one that worked yet left civilians unhurt. Somali militants may have been spooked to the point where they were looking skyward more nervously. Retaliation was predicted but so far none has come.

Now a similar shootout has just been reported further north. Details are sketchy (one helicopter/two helicopters, shots fired/no shots fired) and the US denies involvement. The Scotsman calls it a mystery over the Somalia helicopter shootout:

Residents of the town of Merca, about 50 miles south-west of Mogadishu, said a military helicopter flew over on Sunday and Islamic militants from the al-Shabaab group fired on it. Some residents said the helicopter fired back but caused no major damage.

But no-one seems to know who the helicopter belongs to.

Maybe it is owned by the Stuxnet authors? I jest.

Unlike Stuxnet, which really truly could be written by anyone with a computer, a coordinated helicopter operation suggests nation-state resources and planning. If nothing else, this story gives a little better perspective on security resource differentiation. Perhaps African Union force Major Barigye Bahoku said it best:

You made me have the laugh of the year. There is no way the African Union force can be involved in such a strike. We don’t have helicopters — any air capacity whatsoever.

He does have a PC and a network connection, however.

Operation PIAB Breaches Anti-Fileshare Lawfirm

The fallout from “Operation: Payback is a Bitch” continues, although it is not clear yet who exactly is at fault in this case. During ongoing attacks from the Low Orbit Ion Cannon DDoS tool, a law firm infamous for prosecuting file sharers has experienced a breach and will be sued itself for accidentally sharing sensitive information.

V3 says the law firm is facing legal action over the data breach:

The ACS-Law web site was hit by a series of DDoS attacks over the weekend carried out by web group Anonymous as part of a wide-ranging attack on pro-copyright organisations known as Operation Payback.

The breach of ACS-Law’s systems reportedly resulted in the release of a file containing 365MB of emails containing credit card information on suspected offenders, as well as emails written by the firm’s boss Andrew Crossley.

Rights group Privacy International has reported the firm to the ICO, as the data breach was not technically caused by the hack, but by a failure to put appropriate technical safeguards in place.

The good news is ACS:Law is well experienced in notifying people. They apparently sent 10,000 letters in just the first two weeks of January 2010. In that case they were said to be trying to blackmail people by telling them to pay or be sued for sharing information illegally. Now they just have to turn it around a little and say they were sharing information illegally so they are being sued and will pay people.

More than the privacy of suspected offender information is at stake. The Inquirer shows why some of the email exposed in the breach, now available on the Pirate Bay, will probably further damage the law firm’s already controversial business model:

Crossley bragged about how much money he has obtained from penning his emails to people. He wrote, “Spent much of the weekend looking for a new car. Finances are much better so can put £20-30k down. May go for a Lambo or Ferrari. I am so predictable!” Later emails reveal that he bought a Jeep Compass 2.4CVT.

In a letter to NG3Sys, which did the outfit’s Internet monitoring, he told it that it would receive on average about £1,000 per 150 letters sent.

[…]

Other emails include the approach used to screw people out of cash when they are clearly not liable for copyright infringement.

Perhaps most interesting is how attackers also try to capitalize on search results to infect more computers, documented by Panda Labs.

I will cover this next month along with other high-profile breaches in my RSA 2010 Europe presentation on the Top Ten Breaches.