Could a More Secure Online Browser Protect Background Check Hack Victims?


Richard “Hollis” Helms, a 45-year veteran of the intelligence community, has a tool he says might stem the potential bleeding of national secrets.

The former head of the CIA's European division whose intimate secrets were bared by a sweeping U.S. background check hack says the $330 million worth of identity monitoring services the federal government is offering victims will not protect them online.

Richard “Hollis” Helms, a 45-year veteran of the intelligence community, has a different tool he says might stem the potential bleeding of national secrets: a secure browser.

"I think the government has to extend its cybersecurity perimeter beyond its buildings," but in a nonintrusive way, said Helms, who founded spy agency contractor Abraxas and cybersecurity vendor Ntrepid.

To further his cause, Helms has spent months sending Congress members, government employee unions and relevant federal agencies a plan to offer affected individuals free use of an Ntrepid secure browser at home for one year. An enterprise edition of the Web-surfing tool, known as Passages, currently is in the offices of Fortune 500 corporations and national security agencies, Ntrepid says. The 150-person company is committed to spending "tens of millions of dollars" to deliver a new consumer version of the program to the home computers of Office of Personnel Management hack victims, Helms said.

The suspected mastermind of the attack against OPM networks -- the Chinese military -- stole applications for security clearances to handle classified material that detailed, among other things, each applicant’s family ties, personal and professional contacts, past residences and jobs, and financial situations, as well as criminal, health and addiction histories. 

“It’s more data than anybody has but God on any individual," Helms said.

And who understands the espionage schemes awaiting U.S. victims better than a man whose companies have been employing similar tactics against foreign targets? 

Going forward, when 20-some million victimized retirees, former feds, contractors, current government personnel and their family members “are on the Internet, in any way, they can be touched and if you already know who they are and all you are trying to do is sort out who they are in touch with” who has access to classified data, “that’s how you compromise national security systems,” Helms said.

Later today, Ntrepid plans to launch a website where affected individuals can see updates on the availability of its software.  

You Can’t Touch This

Here's how the technology behind secure browsers works. 

"The whole idea behind these browser-based isolation plays is to run the Web-browsing session away from the user’s device – on a locked-down server somewhere, or in the cloud," says Adrian Sanabria, senior security analyst at 451 Research.

Often, the safe browsing sessions are run on Linux servers, which are targeted less often than Windows machines. Security clearance hack victims are particularly at risk for so-called watering hole, or “drive-by,” attacks that slip malicious code into websites known to attract targets, such as military news websites.

"Since most drive-by and watering hole attacks are ones of convenience aimed at users browsing the Web from Windows devices, browser isolation foils those attacks," Sanabria said. 

Whoever is behind the background check breach likely will be in touch with victims through the Internet, according to a January 2016 unclassified RAND presentation for agencies, titled "THEY KNOW US: What a State Actor Can Do with Background Investigation Records for the Custodians of America’s Secrets."

Hacked individuals are at risk for surveillance through smartphones and email addresses listed on the forms, and the chances the nation state will guess their passwords have increased now that their personal histories are floating around, RAND researchers say.

Helms said, "This will be a gift that keeps on giving for a long time even after people may have moved on from the specific jobs where they got the clearances, they can still be leveraged and attacked and used to do harm." 

Ntrepid cannot deliver a free browser to affected individuals until figuring out a way to validate each consumer who claims to be a breach victim. OPM has not responded to the company's requests for a meeting. Plan B is to hire a data broker or credit bureau that can verify the user’s prior or current employment. Ntrepid, itself, will not gather personal information, the company said.  

A lawmaker representing Ntrepid's home district, Herndon, Virginia, has contacted OPM about Passages. 

"We’ve asked OPM to give this company and its proposal the same consideration as any other constituent company’s proposal," said Jamie Smith, spokesman for Rep. Gerry Connolly, D-Va. "This is being handled as a constituent casework matter."

But others are more circumspect about the possibility of introducing new vulnerabilities into victims' lives through the technology.

Staff for Sen. Tim Kaine, D-Va., said they met with Ntrepid at the company's request. "Our office had questions about this proposal and would want further information on the privacy and security implications associated with it," a Kaine spokeswoman said. 

Nextgov has asked OPM for comment multiple times this week, but the agency did not respond by the deadline. 

A secure browser is intended to let users click freely on news sites -- even porn sites and less savory parts of the Web -- where financial swindlers or spies, in this case, might have planted invisible malicious code. With Passages as the default browser, instead of, for example, Google's Chrome or Mozilla's Firefox, the malware will not reach the target's machine or network, Ntrepid says. 

No Protection against Human Error

A major drawback of most virtual secure browsers is ease of use, as extensions or plugins that work on Chrome and Firefox might not transfer to a browser banking on invincibility. Passages won’t install a user's existing extensions. It does, however, support a growing number of Firefox plugins that are "fully tested secure and safe," said Lance Cottrell, chief scientist with Ntrepid.

There is a decent amount of competition in the broader category of free secure browsing software, including modified conventional browsers such as Whitehat Aviator, Epic Browser, and Comodo IceDragon, according to market researchers.

Comodo's security technology was tested in the consumer space before the enterprise space.

Personal computers are "probably the most volatile environment there is – with unstructured downloads, spam, virus and malware all ready to infect a consumer’s endpoint," said John Peterson, vice president of enterprise product management at Comodo. "We already have a deep history in marketing our browser technology to the masses, and have done it for years."

In September 2015, OPM issued hacked employees and relatives tips on how to avoid dangers posed by adversaries in possession of their stolen data. 

Sanabria, the security analyst, says Passages seems to address about half of the guidelines. Much of OPM’s advice deals with conscientiousness, like making sure to identify the sender of emails and not revealing sensitive information to untrusted individuals or organizations. Secure browsers are powerless to control human error.

Virtual browsers also generally cannot stop users from unwittingly typing sensitive information into a hacker-owned site that looks like a legitimate, trusted website. 

Another hazard the tool cannot guard against is malware concealed in emails. Menlo Security, one of Ntrepid’s newest competitors in the virtual browser category, does handle email-based threats, Sanabria said. 

"Most technical attacks through email use malicious Web links rather than attaching the malware directly to the email," Cottrell said. "Passages provides complete protection against those technical attacks."

A user experience that is the same as Firefox's navigation would be a nice feature, but it remains to be seen whether the service will work as advertised or break when consumers get their fingers on it, Forrester Research analyst Heidi Shey said.

"It’s certainly a good PR move," she said. 

‘Our Defense Community That’s Under Attack’

Ntrepid says it has devoted as much time to privacy as security in its consumer version of Passages. The company does not log any user traffic, so if U.S. authorities come knocking with a warrant for a customer's online activity, Ntrepid will not be able to respond with information.

"We have in fact received subpoenas for data about our customers using other privacy services we have provided," Cottrell said. “We’ve never been forced or been able to provide that kind of data.”

To be clear, Ntrepid does work with the government on surveillance projects, some of which have been controversial. This is not one of them, however, the company says.

Ntrepid in the past has built technology that collates data from myriad sources to map out social circles and organization charts. The company reportedly also created false online personas, or sock puppets, with fabricated backgrounds believable enough to fake out real people on social media and manipulate opinions.

The online news site, Raw Story, in 2011 reported that Ntrepid won a military contract to create software that would allow a user to command multiple identities that "can interact through conventional online services and social media platforms," all "without fear of being discovered by sophisticated adversaries."

According to The Wall Street Journal, Ntrepid has a product called Tartan, which can "rapidly intake and assess large amounts of structured and unstructured data" through mathematical models to provide "an interactive network graph that displays human terrain as a product of observed contacts and relationships." Helms described Tartan to Nextgov as a data science research project meant to help better understand how organizations work.

The director of national intelligence, amid concerns about the OPM attack, warned that foreign nationals might be waging the same sorts of online campaigns against federal employees. New DNI-sponsored YouTube videos caution feds and contractors to resist connecting on social media with an individual whom they have never met in person but who seems to know a lot about them. The public service campaign, titled "Know the Risk - Raise Your Shield," features a handful of short segments on how to defend against foreign intelligence cyberstalkers.

Two of the episodes feature spies who have created fake personas on a professional network similar to LinkedIn. A purported recruiter claims she was referred by the network member’s friend and is interested in hiring the user. She asks seemingly mundane questions -- Do you have a security clearance? What contracts does your company support? -- but as the video notes, the answers could provide valuable insights to a foreign government. 

Helms said: “Our focus is the defense community. There’s no question in our mind this was done to go after those people. Not the Department of Commerce and not esoteric parts of domestic agencies. It was really our defense community that’s under attack.”
