The former head of the CIA's European division whose intimate secrets were bared by a sweeping U.S. background check hack says the $330 million worth of identity monitoring services the federal government is offering victims will not protect them online.
Richard “Hollis” Helms, a 45-year-veteran of the intelligence community, has a different tool he says might stem the potential bleeding of national secrets: a secure browser.
"I think the government has to extend its cybersecurity perimeter beyond its buildings," but in a nonintrusive way, said Helms, who founded spy agency contractor Abraxas and cybersecurity vendor Ntrepid.
To further his cause, Helms has spent months sending Congress members, government employee unions and relevant federal agencies a plan to offer affected individuals free use of an Ntrepid secure browser at home for one year. An enterprise edition of the Web-surfing tool, known as Passages, currently is in the offices of Fortune 500 corporations and national security agencies, Ntrepid says. The 150-person company is committed to spending "tens of millions of dollars” to deliver a new consumer version of the program to the home computers of Office of Personnel Management hack victims, Helms said.
The suspected mastermind of the attack against OPM networks -- the Chinese military -- stole applications for security clearances to handle classified material that detailed, among other things, each applicant’s family ties, personal and professional contacts, past residences and jobs, and financial situations, as well as criminal, health and addiction histories.
“It’s more data than anybody has but God on any individual," Helms said.
And who understands the espionage schemes awaiting U.S. victims better than a man whose companies have been employing similar tactics against foreign targets?
Going forward, when 20-some million victimized retirees, former feds, contractors, current government personnel and their family members “are on the Internet, in any way, they can be touched and if you already know who they are and all you are trying to do is sort out who they are in touch with” who has access to classified data, “that’s how you compromise national security systems," Helms said.
Later today, Ntrepid plans to launch a website where affected individuals can see updates on the availability of its software.
You Can’t Touch This
Here's how the technology behind secure browsers works.
"The whole idea behind these browser-based isolation plays is to run the Web-browsing session away from the user’s device – on a locked-down server somewhere, or in the cloud," says Adrian Sanabria, senior security analyst at 451 Research.
Often, the safe browsing sessions are run on Linux servers, which are targeted less often than Windows machines. Security clearance hack victims are particularly at risk for so-called watering hole, or “drive-by,” attacks that slip malicious code into websites known to attract targets, such as military news websites.
"Since most drive-by and watering hole attacks are ones of convenience aimed at users browsing the Web from Windows devices, browser isolation foils those attacks," Sanabria said.
Whoever is behind the background check breach likely will be in touch with victims through the Internet, according to a January 2016 unclassified RAND presentation for agencies, titled "THEY KNOW US: What a State Actor Can Do with Background Investigation Records for the Custodians of America’s Secrets."
Hacked individuals are at risk for surveillance through smartphones and email addresses listed on the forms, and the chances the nation state will guess their passwords have increased now that their personal histories are floating around, RAND researchers say.
Helms said, "This will be a gift that keeps on giving for a long time even after people may have moved on from the specific jobs where they got the clearances, they can still be leveraged and attacked and used to do harm."
Ntrepid cannot deliver a free browser to affected individuals until figuring out a way to validate each consumer who claims to be a breach victim. OPM has not responded to the company's requests for a meeting. Plan B is to hire a data broker or credit bureau that can verify the user’s prior or current employment. Ntrepid, itself, will not gather personal information, the company said.
A lawmaker representing Ntrepid's home district, Herndon, Virginia, has contacted OPM about Passages.
"We’ve asked OPM to give this company and its proposal the same consideration as any other constituent company’s proposal," said Jamie Smith, spokesman for Rep. Gerry Connolly, D-Va. "This is being handled as a constituent casework matter."
But others are more circumspect about the possibility of introducing new vulnerabilities into victim's lives through the technology.
Staff for Sen. Tim Kaine, D-Va., said they met with Ntrepid at the company's request. "Our office had questions about this proposal and would want further information on the privacy and security implications associated with it," a Kaine spokeswoman said.
Nextgov has asked OPM for comment multiple times this week, but the agency did not respond by the deadline.
A secure browser is intended to let users click freely on news sites -- even porn sites and less savory parts of the Web -- where financial swindlers or spies, in this case, might have planted invisible malicious code. With Passages as the default browser, instead of, for example, Google's Chrome or Mozilla's Firefox, the malware will not reach the target's machine or network, Ntrepid says.
No Protection against Human Error
A major drawback of most virtual secure browsers is ease of use, as extensions or plugins that work on Chrome and Firefox might not transfer to a browser banking on invincibility. Passages won’t install a user's existing extensions. It does, however, support a growing number of Firefox plugins that are "fully tested secure and safe," said Lance Cottrell, chief scientist with Ntrepid.
There is a decent amount of competition in the broader category of free secure browsing software, including modified conventional browsers such as Whitehat Aviator, Epic Browser, and Comodo IceDragon, according to market researchers.
Comodo's security technology was tested in the consumer space before the enterprise space.
Personal computers are "probably the most volatile environment there is – with unstructured downloads, spam, virus and malware all ready to infect a consumer’s endpoint," said John Peterson, vice president of enterprise product management at Comodo. "We already have a deep history in marketing our browser technology to the masses, and have done it for years.”
In September 2015, OPM issued hacked employees and relatives tips on how to avoid dangers posed by adversaries in possession of their stolen data.
Sanabria, the security analyst, says Passages seems to address about half of the guidelines. Much of OPM’s advice deals with conscientiousness, like making sure to identify the sender of emails and not revealing sensitive information to untrusted individuals or organizations. Secure browsers are powerless to control human error.
Virtual browsers also generally cannot stop users from unwittingly typing sensitive information into a hacker-owned site that looks like a legitimate, trusted website.
Another hazard the tool cannot guard against is malware concealed in emails. Menlo Security, one of Ntrepid’s newest competitors in the virtual browser category, does handle email-based threats, Sanabria said.
"Most technical attacks through email use malicious Web links rather than attaching the malware directly to the email," Cottrell said. "Passages provides complete protection against those technical attacks."
A user experience that is the same as Firefox's navigation would be a nice feature, but it remains to be seen whether the service will work as advertised or break when consumers get their fingers on it, Forrester Research analyst Heidi Shey said.
"It’s certainly a good PR move," she said.
‘Our Defense Community That’s Under Attack’
Ntrepid says it has devoted as much time to privacy as security in its consumer version of Passages. The company does not log any user traffic, so if U.S. authorities come knocking with a warrant for a customer's online activity, Ntrepid will not be able to respond with information.
"We have in fact received subpoenas for data about our customers using other privacy services we have provided," Cottrell said. “We’ve never been forced or been able to provide that kind of data.”
To be clear, Ntrepid does work with the government on surveillance projects, some of which have been controversial. This is not one of them, however, the company says.
Ntrepid in the past has built technology that collates data from myriad sources to map out social circles and organization charts. The company reportedly also created false online personas, or sock puppets, with fabricated backgrounds believable enough to fake out real people on social media and manipulate opinions.
The online news site, Raw Story, in 2011 reported that Ntrepid won a military contract to create software that would allow a user to command multiple identities that "can interact through conventional online services and social media platforms," all "without fear of being discovered by sophisticated adversaries."
According to The Wall Street Journal, Ntrepid has a product called Tartan, which can "rapidly intake and assess large amounts of structured and unstructured data" through mathematical models to provide "an interactive network graph that displays human terrain as a product of observed contacts and relationships." Helms described Tartan to Nextgov as a data science research project meant to help better understand how organizations work.
The director of national intelligence, amid concerns about the OPM attack, warned that foreign nationals might be waging the same sorts of online campaigns against federal employees. New DNI-sponsored YouTube videos caution feds and contractors to resist connecting with an individual on social media whom they have never met in person, but seems to know a lot about them. The public service campaign, titled "Know the Risk - Raise Your Shield," features a handful of short segments on how to defend against foreign intelligence cyberstalkers.
Two of the episodes feature spies who have created fake personas on a professional network similar to LinkedIn. A purported recruiter claims she was referred by the network member’s friend and is interested in hiring the user. She asks seemingly mundane questions -- Do you have a security clearance? What contracts does your company support? -- but as the video notes, the answers could provide valuable insights to a foreign government.
Helms said: “Our focus is the defense community. There’s no question in our mind this was done to go after those people. Not the Department of Commerce and not esoteric parts of domestic agencies. It was really our defense community that’s under attack."