Cybersecurity Ramifications of the 2021 Storming of the United States Capitol

Originally published at: Cybersecurity Ramifications of the 2021 Storming of the United States Capitol - TidBITS

Over at Wired, Lily Hay Newman focuses on the potentially massive harm done to US cybersecurity by the mob of rioters who stormed and then occupied the US Capitol.

Just to make it clear in advance, I’ll be accepting only comments surrounding the cybersecurity and IT ramifications of this event. If I have to keep removing posts, I’ll shut off comments on the article entirely.

3 Likes

My worry with FileVault is that I might not be able to access my computer if I mess up in some way.

In the light of what could have been accessed in the storming it seems to me the question of who might have accessed what and who might have put important data on a thumb drive is a concern. I might also add that I am the son of an FBI agent (deceased - worked during the end of WW II and through the Viet Nam war and riots era) who taught me early on that national security is a constant concern and of great importance. What is raised by the article is significant and thank you for posting it. I’ll be interested in what the folks online here who have far better understanding of all things cyber than me will have to say lol.

1 Like

I have the same worry, but I think it’s a holdover from the old days. The solution to messing up in some major way is a solid backup strategy. All that having the data readable on disk at rest gets you is the ability to use utility software to scan the surface of the disk (or SSD equivalent) looking for bits that might be data. That sort of data recovery will sometimes get some things back, but it’s pretty hit or miss. If you’re resorting to that, you probably want to be calling DriveSavers anyway and paying them to recover the data with their specialized tools. They might be somewhat less capable of recovery if FileVault was enabled, but if you provide them the password, they can probably decrypt what they do recover. (It’s the same with the iPhone and iPad; the data isn’t accessible to just anyone, but if people with the right skills have your passcode, they can get the data off.)

And of course, once you have a Mac with a T2 chip, the data is encrypted at rest anyway, so FileVault is just ensuring that the data is protected after the Mac has booted and decrypted the disk (as I understand things—see Glenn’s article linked in our original article).

So I think it makes a lot more sense to enable FileVault and make sure you have a solid backup strategy, which includes offsite or Internet backup for reasons that this event makes obvious.

2 Likes

Thank you Adam. That is a very helpful explanation. I have multiple backups and use Carbon Copy Cloner but my frustration is that with dreaded consistency one of my two CCC backups will suddenly be declared unwritable - I can get stuff off but the disk will not be writeable and so I have to reformat it all over. This is odd because one disk is SSD and the other is a regular hard drive. Thus my concern over being locked out. I also back up key files to other disks (copies to 2 different disks always as backups), keep most of my stuff on Dropbox and use Backblaze. OCD is my middle name lol but I once lost important professional files to a disk failure so I am ever cautious.

I am going to go to FileVault and so appreciate your excellent explanation.

I have to admit I’ve never given this much thought so let me just ask very bluntly. On a modern Mac, is there any good reason not to use FileVault? Or perhaps better worded, what are the use cases where it would be advisable not to use FileVault on a modern Mac?

1 Like

I would think it is not just “foreign intelligence agents” who are a concern. Some of the people involved are likely to be members of hacking groups who can do great harm over the internet. Gathering account passwords (likely written down in desk drawers etc.) would be an easy task while rifling through offices.
Also I am not sure that encrypted drives would have been much help - it looked like most office workers had to flee for their lives and many computers would have been left “open”.

3 Likes

Sort of. The data is encrypted at rest, but it seems you don’t need a password to decrypt it if you have physical access to the Mac. According to this article on Kolide, using target disk mode (no password needed) will make the T2-encrypted disk available to another Mac or over the network. It’s great that T2 and M1 Macs have hardware encryption, but FileVault is still highly recommended.

I don’t know how much of a problem this will have been. I doubt there were many rioters sitting and trying to extract data from the computers during the incident, and to take the computers with them they will almost certainly have had to shut them/put them to sleep/turn them off.

1 Like

The T2 chip’s encryption serves to tie the flash chips to the computer so you can’t extract the data by moving them into another device, but it does nothing if the chips are connected to the Mac they are paired with. Which is why target disk mode or booting a different OS (including the recovery partition) on that Mac (if secure boot is configured to permit it) will grant access.

FileVault provides protection against booting other systems, requiring a password, either by entering it directly or by logging in via an account authorized to unlock the volume.

2 Likes

One would be Macs that provide a server-like function and might reboot due to a power failure. For example, I have one machine that runs SpamSieve to filter my spam. When I’m traveling (the good old days!) it’s nice if that machine doesn’t stay down because that results in a lot more spam showing up on whatever device I’m using to read my mail on the road. (Unfortunately, I have to use FileVault on that machine for other reasons, but I’ve often thought it would be nice if it could reboot itself without human interaction.)

1 Like

I would think a greater worry is that a nation-state took advantage of this and tried to execute malware on an unlocked computer (as it seems Nancy Pelosi’s was) to try to get access later. Though I have to say that if I were the IT staff at the Capitol, I would assume that all computers were compromised and would be replaced or completely rebuilt, so it’s probably still not much of a worry.

2 Likes

Heard some reports of laptops and iPads being stolen, which also has implications.

Given the elderly nature of many representatives I wonder how secure these machines were. The office computers would have had some standards applied but personal devices would vary.

There were reports of email still being up on the screen.

1 Like

Here’s another complication, the top security guy and other staff members are running off of Capitol Hill:

What really bothers me is that there doesn’t seem to have been a security protocol in place that would address what should happen before, during and after anything resembling a siege of the US Capitol building. And now we’ve got this internal US security mess on top of the SolarWinds/FireEye security mess.

The email-on-screen problem is a reminder to set your computer to lock the screen after a modest period of inactivity. You can use your iPhone (or Apple Watch?) to lock your computer if you step away beyond Bluetooth range and unlock it when you return.

80% of cybersecurity breaches are due to passwords being stolen or compromised. The technology for passwordless two factor authentication is available now, but widespread adoption has been slow.

1 Like
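The two controls discussed in this thread, full-disk encryption (FileVault) for the powered-off or stolen Mac and a short screen-lock timeout for the Mac left unlocked at a desk, can both be checked from a shell. The script below is an added example, not code posted by anyone in the thread. It assumes the stock macOS tools `fdesetup status`, `sysadminctl -screenLock status` and `defaults -currentHost read com.apple.screensaver idleTime`; the exact wording of the `sysadminctl` output ("screenLock delay is immediate" / "... is N seconds" / "screenLock is off") is an assumption from memory, so the parser is written to tolerate surrounding noise. The thresholds (5 seconds to lock after the screensaver starts, 15 minutes of idle time) are illustrative choices, not Apple or CISA guidance. The parsers are separate from the live checks so they can be exercised on any host with constructed output.

```shell
#!/bin/sh
# Added example: audit FileVault and screen-lock settings on a Mac.
# Assumed tools: fdesetup, sysadminctl, defaults (stock macOS). The
# output formats matched below are assumptions; adjust if yours differ.

# filevault_on OUTPUT: success iff `fdesetup status` reported FileVault on.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# screenlock_ok OUTPUT MAX: success iff `sysadminctl -screenLock status`
# shows a lock that engages immediately or within MAX seconds.
screenlock_ok() {
    case "$1" in
        *"screenLock is off"*) return 1 ;;
        *immediate*) return 0 ;;
    esac
    delay=$(printf '%s\n' "$1" | sed -n 's/.*delay is \([0-9][0-9]*\) seconds.*/\1/p')
    [ -n "$delay" ] && [ "$delay" -le "$2" ]
}

# idle_ok SECONDS MAX: success iff the screensaver idle time is set (0 means
# "never") and is no longer than MAX seconds.
idle_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$1" -le "$2" ]
}

# audit: run the live checks; exit status is non-zero if any control fails.
audit() {
    rc=0
    fv=$(fdesetup status 2>/dev/null)
    if filevault_on "$fv"; then echo "PASS FileVault is on"
    else echo "FAIL FileVault: ${fv:-unknown}"; rc=1; fi

    sl=$(sysadminctl -screenLock status 2>&1)   # sysadminctl reports on stderr
    if screenlock_ok "$sl" 5; then echo "PASS screen lock engages within 5 s"
    else echo "FAIL screen lock: $sl"; rc=1; fi

    it=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    if idle_ok "$it" 900; then echo "PASS screensaver idle time ${it} s"
    else echo "FAIL screensaver idleTime=${it:-unset} (0 or unset means never)"; rc=1; fi
    return "$rc"
}

# Run the live audit only on macOS; elsewhere only the parsers are usable.
if [ "$(uname -s)" = "Darwin" ]; then
    audit
fi
```

To remediate a FAIL on the screen-lock line, `sysadminctl -screenLock immediate -password -` (prompting for the account password) sets the lock to engage as soon as the screensaver or sleep starts; the idle time is set with `defaults -currentHost write com.apple.screensaver idleTime 900`. Turning FileVault on is `fdesetup enable`, which prints the recovery key you must store somewhere other than the Mac itself, the point made earlier in the thread about backups being the real answer to "what if I lock myself out".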

Just an aside re security breaches: when I was in high school I took a 3 year electronics course, one of the first programs where multiple school districts provided career programs in one place. The course was taught by a retired engineer (who was demanding but taught a college level program - proof: we started with 30 students and were down to 6 by the end of the 3 years). He had worked at a major corporation that had top level security contracts. One night the FBI came through their office (my dad never confirmed he was part of that lol). The next morning one of the engineers found a note on his desk from the FBI - DON’T use the calendar to keep your security code!!! - he had circled dates in months that would remind him of his code!!

I would also add that given the preplanning and some of the groups involved, it would not be a far reach to suspect some brought equipment to access computers on the expectation they would access offices. I’m not a conspiracy nut but recognize the planning that can go into efforts to get information. Also, having worked down in Ground Zero shortly after 911 I remember how stunned we all were at the planning and sheer audacity of what happened - who would have thought, we all said.

I think the caution you have all expressed is well said and should be acted upon. I’m going to do so.

1 Like

Not to disagree in general, but I do want to clarify something that has changed with M1-based Macs.

With respect to an M1-based Mac anyway, the Kolide article is wrong. The only way to access the Share Disk command that invokes Target Disk Mode is to enter macOS Recovery, select an account for which you have a password, and then enter that password.

Plus, even after you do that, if you’re sharing an encrypted disk, it requires another authentication to unlock the disk for sharing.

3 Likes

I was watching 60 Minutes on Sunday (through tears - oh my poor Steelers forgot to show up for their game!) and they showed a picture of someone walking off with a laptop and indicated there were several computers stolen or messed with. That is scary. Per Adam’s excellent explanation I am going to FileVault - my grandkids may be able to come back into the house soon lol.

The flip side of having good backups is needing to secure additional devices. FileVault and on-device encryption work if my MacBook/iDevices is/are pilfered or lost, e.g. if I take them out of the house. But multiple and frequent backups could make data theft easier, e.g. if someone stole my Carbon Copy Cloner destination or Time Machine drive. My backups are by and large not encrypted, especially if I want them to be bootable. My unencrypted external terabyte clone drive is just sitting in front of my FileVault-enabled computer.

From memory, backup to an encrypted Time Capsule was slow, and I switched encryption off there. When I tried to switch on encryption on my Synology, I had a warning about incompatibility: I think with longer file names. Add to that is the “off-site” backups, where a drive is periodically brought elsewhere just in case, also subject to theft.

Maybe my “safest” (in terms of physical ransacking) backup is the Backblaze one. Which also would be a PITA to recover from.

1 Like

Wouldn’t the destination be encrypted, if it’s a clone of the source?

Only if you choose to encrypt the destination. CCC creates a per-file clone, not a binary image of the storage device.

1 Like