April 29, 2024

The mountain of shit theory

Uriel Fanelli's blog in English


Dossiers? No, sloppiness and incompetence.

Before talking about the dossier affair, it seems fair to state my bias: as an IT architect, mainly in the field of network infrastructure (disaggregated or not) and so-called "fabrics", I deal daily with RBAC, access control, Privacy by Design, Data Owners, Data Processors, metrics, telemetry, perimeter security, segregation, and all the rest. So when I read about dossiers, frankly my hand goes to the gun.

Don't tell me that "I don't know everything" or that "they haven't said everything". What we have seen is, inexorably and clearly, unequivocal proof that the management and security of that data was amateurish, sloppy and incompetent. There is no escaping it. What is not clear, if anything, is the method by which that data was collected and passed on.

I'll give you a silly example: you work in the call center of a telco. You are therefore underpaid and frustrated, and you decide to personally tell the President of the Republic to fuck off. BUT you don't have his phone number. So what? You're a call center operator, you have access to the data. So you search for "Sergio Mattarella".

Or you want to have a chat with Valentina Nappi. Same thing: open your console and search for Valentina Nappi.

Lo and behold, at that moment a small lamp lights up in another office. Some names are flagged as "VIP", and merely searching for them gets you into trouble. Only a few people can access that data, and they are normally well-paid in-house employees, not an external call center.

In this case, however, it seems that all the data was accessible indiscriminately to anyone with any access to the system at all. No roles, no RBAC: either you're in or you're out.


On responsibilities, it seems to be pitch dark. Who was responsible for that data? For that system? Who was the Data Owner, who were the Data Processors? Where is the Privacy by Design documentation the law requires? I don't know.

But let's move on. In the telco world, for example, when Valentina Nappi has a problem and calls the call center, the call is escalated to a colleague who can access VIP contracts. But is that enough for the colleague to access the data? No. Normally there must also be an open ticket: when you call your telco's helpdesk, a ticket is automatically opened with your name and phone number.

So first an operator identifies you, to verify that you are the customer you claim to be. That automatically opens a ticket. When it turns out that you are Valentina Nappi, the operator has to call another colleague and pass the ticket along. The higher-level colleague who takes the ticket is, at that point, justified in opening the record.

(I'm not saying such a system is immune to layer 8 attacks, for those who know what that means, but I am saying it would have made things more difficult.)

https://en.wikipedia.org/wiki/Layer_8
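To make the ticket-plus-VIP-flag gate concrete, here is an added example in Go. It is mine, not code from the original post and not any telco's real system: a toy authorization check in which no lookup is served without an open ticket naming that customer and held by that operator, VIP records are served only to the VIP desk, and every refused search is logged for the "other office". The operator IDs, the role names and the 8-hour ticket lifetime are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Illustrative model of ticket-gated, role-aware lookups; not any telco's real system.
type Role int

const (
	RoleFirstLine Role = iota // external call center: no VIP contracts
	RoleVIPDesk               // in-house, vetted staff who may open VIP contracts
)

type Operator struct {
	ID   string
	Role Role
}

type Customer struct {
	Name string
	VIP  bool // flagged record: a first-line search for it lights the lamp in the other office
}

// Ticket is the justification. It is opened automatically once a caller has been identified.
type Ticket struct {
	ID       string
	Customer string
	Opened   time.Time
	Assignee string // operator currently holding it
	Closed   bool
}

const maxTicketAge = 8 * time.Hour // assumption: a ticket stops justifying lookups after a shift

var ErrDenied = errors.New("access denied")

// Gate answers "may this operator open this record?" and keeps every refusal for the security office.
type Gate struct {
	Alerts []string
}

func (g *Gate) Authorize(op Operator, c Customer, t *Ticket, now time.Time) error {
	// Rule 1: no current open ticket that names this customer and is held by this operator, no access.
	if t == nil || t.Closed || t.Customer != c.Name || t.Assignee != op.ID ||
		now.Sub(t.Opened) > maxTicketAge {
		g.Alerts = append(g.Alerts, fmt.Sprintf("%s searched %q with no matching ticket", op.ID, c.Name))
		return ErrDenied
	}
	// Rule 2: VIP records are served only to the VIP desk; a first-line attempt is logged, not served.
	if c.VIP && op.Role != RoleVIPDesk {
		g.Alerts = append(g.Alerts, fmt.Sprintf("%s (first line) tried VIP record %q on ticket %s", op.ID, c.Name, t.ID))
		return ErrDenied
	}
	return nil
}

// OpenTicket is what the identification step does: one ticket per call, assigned to the answering operator.
func OpenTicket(id string, c Customer, op Operator, now time.Time) *Ticket {
	return &Ticket{ID: id, Customer: c.Name, Opened: now, Assignee: op.ID}
}

// Escalate passes the ticket to a VIP-desk colleague: the ticket, not the operator's word, justifies the access.
func Escalate(t *Ticket, to Operator) error {
	if t.Closed {
		return errors.New("cannot escalate a closed ticket")
	}
	if to.Role != RoleVIPDesk {
		return errors.New("escalation target is not on the VIP desk")
	}
	t.Assignee = to.ID
	return nil
}

func main() {
	g := &Gate{}
	now := time.Now()
	first := Operator{ID: "cc-017", Role: RoleFirstLine}
	desk := Operator{ID: "vip-02", Role: RoleVIPDesk}
	vip := Customer{Name: "VIP customer", VIP: true}

	fmt.Println("idle search, no ticket:   ", g.Authorize(first, vip, nil, now))
	tk := OpenTicket("T-1001", vip, first, now)
	fmt.Println("first line on own ticket: ", g.Authorize(first, vip, tk, now))
	if err := Escalate(tk, desk); err != nil {
		panic(err)
	}
	fmt.Println("VIP desk after escalation:", g.Authorize(desk, vip, tk, now))
	for _, a := range g.Alerts {
		fmt.Println("ALERT:", a)
	}
}
```

The point of the shape is that the ticket carries the justification with it: the VIP desk is not trusted because it is the VIP desk, it is allowed to open that one record because a ticket about that customer was handed to it, and the handover itself is the audit trail.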

There is no trace of basic good practice, never mind best practice. In all conscience, this should not have happened, because such a pigsty should not have existed.


BUT let's move on. It is clear from this affair that access to the data was uniform and that there were no safeguards such as encryption. The best way to approach the problem would be to keep the encryption keys in a vault and grant access to them according to the requester's position in the RBAC model.

The other approach is a clearance, i.e. a temporary right (for the duration of an investigation) to the encryption key: what is granted is not access to the data but access to the key that encrypts it. Clearly, clearance and RBAC mechanisms can coexist.

What does this mean? It means that a user who was "only" a lieutenant was able to read data on Crosetto, who is now the defense minister. No clearance was needed, and there was no encryption mechanism in place to prevent access.
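An added example (mine, not from the original post and not from any real system) of the vault-plus-clearance model described above, in Go with AES-GCM from the standard library: the database keeps only ciphertext, the vault keeps the per-dossier key, and the key is released either because the requester's role covers the dossier's classification (RBAC) or because an unexpired clearance tied to a case exists. The lieutenant of the text gets nothing from RBAC and reads the record only while a case-bound clearance is open. The role names, the level numbers and the 48-hour clearance are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Clearance is a temporary right to one dossier's key, tied to a named investigation.
type Clearance struct {
	Dossier, Case string
	Until         time.Time
}

// Vault holds the keys. The database holds only ciphertext, so "access to data" means "key release".
type Vault struct {
	keys       map[string][]byte      // dossier -> AES-256 data key, handed out only by ReleaseKey
	levels     map[string]int         // dossier -> classification level (illustrative: 1 restricted, 3 secret)
	roleLevel  map[string]int         // RBAC: the highest level each role may unlock
	UserRole   map[string]string      // user -> role
	clearances map[string][]Clearance // user -> temporary grants
	Audit      []string               // every release and every refusal
}

var ErrRefused = errors.New("vault: key release refused")

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, levels: map[string]int{}, UserRole: map[string]string{},
		clearances: map[string][]Clearance{}, roleLevel: map[string]int{"lieutenant": 1, "magistrate": 3}}
}

func (v *Vault) Grant(user, dossier, caseID string, until time.Time) {
	v.clearances[user] = append(v.clearances[user], Clearance{dossier, caseID, until})
}

// Store encrypts a record under a fresh per-dossier key; the returned ciphertext is all the database keeps.
func (v *Vault) Store(dossier string, level int, plaintext []byte) []byte {
	key := make([]byte, 32)
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	v.keys[dossier], v.levels[dossier] = key, level
	// The dossier name is bound as associated data, so a ciphertext cannot be re-labelled as another record.
	return gcm.Seal(nonce, nonce, plaintext, []byte(dossier))
}

// ReleaseKey applies RBAC first, then any unexpired clearance. It returns the key, never the data.
func (v *Vault) ReleaseKey(user, dossier string, now time.Time) ([]byte, error) {
	audit := func(how string) { v.Audit = append(v.Audit, fmt.Sprintf("%s %s: %s", user, dossier, how)) }
	key, ok := v.keys[dossier]
	if !ok {
		audit("REFUSED, no such dossier")
		return nil, ErrRefused
	}
	if v.roleLevel[v.UserRole[user]] >= v.levels[dossier] {
		audit("released by role")
		return key, nil
	}
	for _, c := range v.clearances[user] {
		if c.Dossier == dossier && now.Before(c.Until) {
			audit("released under case " + c.Case)
			return key, nil
		}
	}
	audit("REFUSED")
	return nil, ErrRefused
}

// Read is the client side: obtain the key from the vault, then open the ciphertext locally.
func Read(v *Vault, user, dossier string, ct []byte, now time.Time) ([]byte, error) {
	key, err := v.ReleaseKey(user, dossier, now)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(ct) >= ns {
		return gcm.Open(nil, ct[:ns], ct[ns:], []byte(dossier)) // fails on any tampering
	}
	return nil, errors.New("ciphertext too short")
}

func must[T any](x T, err error) T {
	if err != nil {
		panic(err)
	}
	return x
}

func main() {
	v := NewVault()
	v.UserRole["lt-1"] = "lieutenant"
	ct := v.Store("minister", 3, []byte("constructed sample record"))
	v.Grant("lt-1", "minister", "proc-42", time.Now().Add(48*time.Hour)) // an open case, 48 hours
	pt, err := Read(v, "lt-1", "minister", ct, time.Now())
	fmt.Println(string(pt), err, v.Audit)
}
```

Two things follow from this shape. Whoever copies the database gets ciphertext, so the "copy in Moscow" is worthless without the vault; and every key release is a line in the vault's audit log with the case that justified it, which is exactly the trail that was missing.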

As if there were no levels of secrecy. Anyone who managed to bribe a lieutenant of any armed force, forestry corps included, could download the entire database.

You can be sure that a copy of this database exists in Moscow.

Access to the data was unstructured, as if the NOS (the Italian security clearance) did not exist, and a mere lieutenant could read into the life of his own defense minister.


The volume of accesses and of data accessed, by what we read, would on its own have triggered alarms. No outlier detection and no machine learning are needed: to notice an anomaly like this, a report of the system's KPIs is enough. That is, it is enough for someone to write, and someone to read, a monthly report with the top 10 users by number of accesses, the top 10 by number of people looked up, and the top 10 by data downloaded.

None of this was done, as if those responsible were permanently at sea.

And it is not clear what the baseline for these accesses was: how many were expected per day? Hundreds? Thousands? Millions? We don't know. So we are told of an enormous (but unspecified) amount of data, collected on more than 30,000 people, with traffic... that is unknown.

In reality, this is not how things are done: almost every modern monitoring system, from Splunk to Dynatrace and others, does nothing but detect anomalies in I/O figures as they happen, if only by computing the mean and standard deviation of the values over a given interval. Anything that departs from that baseline by more than a few standard deviations, up or down, is worth a look.
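An added example (mine, not from the original post), in Go, of exactly that kind of report and check, run over a constructed two-week access log in which one account pulls 300 records in a single day: the three top-10 tables the text asks for, and a daily I/O baseline with a plain standard-deviation rule, no machine learning. The log is synthetic; the user IDs, byte counts and the 3-sigma threshold are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// One access-log record: which user looked up which subject, on which day, moving how many bytes.
type Access struct {
	Day, User, Subject string
	Bytes              int64
}

// Constructed sample log, not real data: three ordinary operators doing a few lookups a day
// for two weeks, and one account that pulls 300 distinct records on 10 April.
var sampleLog = func() []Access {
	var log []Access
	for day := 1; day <= 14; day++ {
		d := fmt.Sprintf("2024-04-%02d", day)
		for _, u := range []string{"op-a", "op-b", "op-c"} {
			for k := 0; k < 3; k++ {
				log = append(log, Access{d, u, fmt.Sprintf("subj-%d", ((day-1)*3+k)%20), 4_000})
			}
		}
		if day == 10 {
			for k := 0; k < 300; k++ {
				log = append(log, Access{d, "lt-x", fmt.Sprintf("subj-%d", 1000+k), 120_000})
			}
		}
	}
	return log
}()

type Row struct {
	User string
	N    int64
}

// rank turns a per-user total into a sorted top-n list (ties broken by user name for stable output).
func rank(totals map[string]int64, n int) []Row {
	rows := make([]Row, 0, len(totals))
	for u, c := range totals {
		rows = append(rows, Row{u, c})
	}
	sort.Slice(rows, func(i, j int) bool {
		return rows[i].N > rows[j].N || rows[i].N == rows[j].N && rows[i].User < rows[j].User
	})
	if len(rows) > n {
		rows = rows[:n]
	}
	return rows
}

// Report builds the three monthly top-n tables in one pass: lookups, distinct people, bytes.
func Report(log []Access, n int) (byAccess, bySubject, byBytes []Row) {
	count, bytes := map[string]int64{}, map[string]int64{}
	subjects := map[string]map[string]bool{}
	for _, a := range log {
		count[a.User]++
		bytes[a.User] += a.Bytes
		if subjects[a.User] == nil {
			subjects[a.User] = map[string]bool{}
		}
		subjects[a.User][a.Subject] = true
	}
	distinct := map[string]int64{}
	for u, s := range subjects {
		distinct[u] = int64(len(s))
	}
	return rank(count, n), rank(distinct, n), rank(bytes, n)
}

// AnomalousDays sums I/O per day and flags the days lying more than k standard deviations from the
// period mean. The baseline is the data itself; the mean and sd are returned so a report can print them.
func AnomalousDays(log []Access, k float64) (flagged []string, mean, sd float64) {
	perDay := map[string]float64{}
	for _, a := range log {
		perDay[a.Day] += float64(a.Bytes)
	}
	for _, v := range perDay {
		mean += v
	}
	mean /= float64(len(perDay))
	for _, v := range perDay {
		sd += (v - mean) * (v - mean)
	}
	sd = math.Sqrt(sd / float64(len(perDay)))
	for d, v := range perDay {
		if sd > 0 && math.Abs(v-mean) > k*sd {
			flagged = append(flagged, d)
		}
	}
	sort.Strings(flagged)
	return flagged, mean, sd
}

func main() {
	a, s, b := Report(sampleLog, 10)
	fmt.Println("by accesses:", a, "\nby people:  ", s, "\nby bytes:   ", b)
	fmt.Println(AnomalousDays(sampleLog, 3))
}
```

On this log the abusive account tops all three tables by a wide margin (300 lookups and 36 MB against 42 lookups and 168 KB for each ordinary operator), and 10 April sits about 3.6 standard deviations above the daily mean, so it is the only day the rule flags. Nothing here needs more than a cron job and someone who reads the output.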

There was nothing of the sort here: from what we read in the papers, the system seems to have been completely unattended for years and years. When it takes an investigation to understand, years later, how a system was used, that database evidently lacked any governance.


It doesn't take long to recognize the mix of sloppiness and incompetence in all this. Anyone who has worked in the public sector knows that mix well. It is pointless to keep looking for a "cupola" (a mafia-style steering committee): the system was unattended, unmanaged, unmonitored, and accessible indiscriminately, with no structure to its access.

Obviously a market for this data has arisen. Obviously there have been illegal uses of the data. But that is the immediate consequence of the system having been abandoned, without management, monitoring, administration or custody. It could not have gone any other way. In those conditions, for example:

You can assume that the Russians have a copy of that database.

You never know, you might lose data and need a backup.


In any case, the problem is simple:

if you leave one of the most sensitive databases in the country, with enormous value, on a silver platter, trade and abuse will arise around it.

The problem is not the dossier, the problem is sloppiness and incompetence.
