This Site

You are here: Home

News

Iraq pullout blinds U.S. intel operations @

BAGHDAD, Nov. 9 (UPI) -- The U.S. military withdrawal from Iraq is cutting off vital intelligence bases and listening posts that have played a key role in clandestine operations that have scored major successes in the global counter-terrorism campaign.

The Central Intelligence Agency, which until recently operated outside the military establishment, is expected to stay on in various guises within the 17,000 U.S. personnel who will remain under State Department jurisdiction.

The CIA has become increasingly militarized since the Sept. 11, 2001, terror attacks, and most of its establishment -- including a heavily enlarged paramilitary division -- is engaged in the counter-terrorism battle to one degree or another.

And with Gen. David Petraeus, the former military commander in Iraq and Afghanistan who wrote the army's counter-insurgency manual, now the director of the CIA, the agency can be expected to maintain some covert operations.

Even so, the loss of clandestine facilities means "there will be a considerable lapse in and degradation of the U.S. intelligence-gathering and situational awareness capabilities in Iraq," observed U.S.-based global intelligence consultancy Stratfor.

One of the major drawbacks to the military withdrawal is that Iraq's intelligence and security services, heavily infiltrated by Shiite groups with strong links to Iran, are not likely to be capable of waging an effective and non-sectarian counter-terrorism campaign.

U.S. military intelligence and Special Forces ran operations against Iran and its proxies in Iraq, and even into Syria, Iraq's northern neighbor and Tehran's key ally, intelligence sources say.

With tension escalating between the Islamic Republic and the United States, not to mention Israel, the closures could impede such operations.

Iran's influence in Iraq is expected to swell as U.S. power departs, compounding the loss of these intelligence bases around the country.

Iran has an extensive and deeply entrenched clandestine network across the entire Gulf region, and with the U.S. withdrawal from Iraq the way will be more open to expand that network across Iraq, into Syria and Lebanon, right up to Israel's doorstep.

Without the intelligence bases in Iraq, American efforts to prevent Iran filling the power vacuum in Iraq will be seriously weakened.

"The problem is Iran's military power in Iraq is primarily covert and unconventional, including both proxies and militias composed of Iraqis and clandestine operatives that can effectively move into and around Iraq with considerable freedom," Stratfor noted.

One possibility to limit the damage is building a wider counter-terrorism apparatus in Turkey, Iraq's northern neighbor, a growing power in the region and a longtime NATO ally.

But that could come with a hefty political price tag.

Turkey has been pressing U.S. President Barack Obama's administration since June to provide it with MQ-1 Predator unmanned aerial vehicles to monitor separatist rebels of the Kurdistan Workers Party, known as the PKK, it is fighting in southern Anatolia and their havens in Iraq's Kurdish enclave.

Turkey's need for UAVs has heightened amid reports Heron surveillance craft acquired from Israel before the two allies broke up in 2010 are currently undergoing maintenance in Israel.

To counter this, the Americans plan to redeploy some Predators, which they used as missile-armed killer-hunters in Iraq, to the big U.S. air base at Incirlik in southern Turkey for anti-PKK operations.

The Turks have been heavily dependent on U.S. intelligence on PKK movements.

But using U.S. drones based in Turkey could drag the Americans into yet another seemingly intractable Middle Eastern conflict just as they're extricating themselves from a disastrous nine-year occupation in Iraq.

Classified diplomatic cables released by WikiLeaks reveal Turkey has persistently pressed Washington to step up its involvement against the PKK before the U.S. pullout wraps up Dec. 31.

Turkish Prime Minister Recep Tayyip Erdogan said Sept. 24 the Americans have agreed "in principle" to station the Predators in Turkey as the 27-year-old war against the PKK escalates.

There have been some strains between Washington and Ankara in recent years, but several weeks ago the Turks agreed to station U.S. advanced radar units in their country to monitor ballistic missile launches in Iran.

U.S. cooperation with Erdogan on intelligence and security issues was given impetus after the joint Turkish-U.S. Kurdistan intelligence center in Erbil, capital of the semiautonomous Kurdish enclave in northern Iraq, closed in October.

Soon after, PKK guerrillas mounted near-simultaneous attacks on eight military targets in southeastern Turkey, killing 26 Turkish soldiers Oct. 19.

JPR Note: Proper and enforced information security policies could have easily prevented this from occurring:

Washington Post
November 25, 2011
Pg. 22

Tricare Beneficiaries Are Told Of Stolen Information

By Steve Vogel

The letter that arrived Saturday at the home of Fred MacLean in Fayetteville, N.C., held alarming news: Computer backup tapes containing the retired Army chaplain's personal information with the military's Tricare health system had been stolen.

MacLean is hardly the only one receiving bad news. Letters are being sent thi s month and next to the homes of all 4.9 million Tricare military beneficiaries whose personal data has been stolen in one of the largest health-data breaches ever reported.

The data on the tapes include names, Social Security numbers, addresses, birth dates, phone numbers and laboratory tests but not any financial data such as credit card or bank information, according to the letter from Science Applications International Corp., a defense contractor for the Tricare Management Activity.

The tapes were stolen on Sept. 12 from the car of an SAIC employee in San Antonio who was transporting the data from one federal facility to another as part of required backup procedures. The theft was publicly revealed on the Tricare Web site and publicized in late September. But many beneficiaries, including MacLean, are just learning the news with the arrival of the letters.

When MacLean's wife, Adrianne, called SAIC and Tricare for more information, she said that everyone she spoke to offered reassurance.

"They all told me it was encrypted and I had nothing to worry about," she said. "You're crazy if you think I'm not worried."

In fact, "most of the data was not encrypted," SAIC spokesman Vernon Guidry said this week.

Austin Camacho, a Tricare spokesman, said: "If that's something that's being put out, they need to fix that in a hurry."

Following an inquiry from The Washington Post, SAIC said it "reinforced with our call center personnel their previous instruction that they should not say the data were encrypted."

Despite the data theft and the lack of encryption, SAIC and Tricare say the risk to beneficiaries is low. "The chance that your information could be obtained from these tapes is low since accessing, viewing and using the data requires specific hardware and software," the SAIC letter states.

"There are n't a lot of people who know how to do it or have the equipment," Camacho said.

"At this time, we have no evidence to indicate the data on the backup tapes has been accessed, viewed or used by others in any way," the SAIC letter states.

Nonetheless, SAIC is facing a class-action lawsuit filed in Texas seeking up to $4.9 billion in damages on behalf of affected beneficiaries. A separate class-action lawsuit has been filed seeking $4.9 billion in damages from the Defense Department.

"We take this incident very seriously," Brig. Gen. W. Bryan Gamble, deputy director of the Tricare Management Activity, said in a statement. "The risk to our patients is low, but the Department of Defense is taking steps to keep affected patients informed and protected."

Adrianne MacLean is not reassured. "Tricare was pointing the finger at SAIC, and SAIC says, 'It's not our fault,' " she said. "Nobody had good answ ers for me."

SAIC has received reports from beneficiaries who fear that their information is being misappropriated. The company is looking into whether the cases are linked to the data theft, Guidry said. SAIC is about halfway through the mailing and expects it to be completed in early December, he added.

Procedures for backing up computer data have been changed. "The tapes are no longer transported," said Guidry, who declined to discuss how the information is now being backed up.

The employee from whom the tapes were stolen no longer works for SAIC, Guidry said, but he declined to say whether his departure was related to the incident.

____________________________________________________________________________

JPR Note: The majority of companies with whom we work are vulnerable to the type of information theft mentioned in the following article:

Information Theft

Are nervous employees sizing up your data?

@ http://www.datalossbarometer.com/14737.htm

During the current recessionary climate, many employees feel stressed and uncertain about their futures. Every week fresh announcements are made of job losses across industries. Financial pressures continue to mount for individuals, and there are many reasons: the stagnant housing market, savings rates that are running at historic lows and uncertainties over pensions and stock markets.

So it is unsurprising, perhaps, that some employees are likely to be tempted, in these uncertain times, to act against the interests of their employer as they try to shore-up their own financial position. There is a danger that they will see an opportunity to exploit the valuable and potentially sensitive data that your business holds - either by selling it or taking it to your competitors, or else using it to set themselves up in a rival business.

Are you vulnerable?

Have you considered how vulnerable you are as an organization to such misconduct, and are you actively and effectively fighting potential information theft?

In a recent paper, KPMG in the UK and a law firm, Mishcon de Reya, analyzed more than 100 employee-related data theft cases on which they have acted over the past three years.

Such thefts have a number of features in common, as our analysis shows. Cases of data theft have risen year on year (more than doubling between 2006 and 2008), culminating in 46 cases last year in which forensic investigation and legal redress were sought by the employer to protect its business interests. In the current economic climate, the number of such incidents is almost certain to increase further.

The perpetrators

While most thefts were carried out by individuals, in about 10 percent of cases, the perpetrators were teams of employees working against their employer. Their aim was either to set up on their own or to join an existing competitor. In one case, up to 15 employees conspired to defraud their employer by stealing proprietary information.

Alarmingly, the study shows that in the overwhelming majority of cases (93 percent), employees had already left their employer before the thefts were discovered. This is clear evidence that companies are not doing enough to detect and prevent information theft in a timely fashion.

Information theft to secure the next move

Further, our research showed that in 23 percent of cases, data was stolen in order to establish a competing business. In most cases, though - 70 percent - the perpetrator(s) moved to a rival company. That raises serious questions about how much a new employer needs to know about the nature, and source, of information a new employee brings with them.

In only 6 percent of cases were the data thieves' intentions unknown, the thefts having been discovered before it was clear what they planned to do. In such cases, the person stealing the data may have taken it as 'insurance', in case its potential value could be exploited in the future.

So, what sort of information is being stolen? By far the most common data - 75 percent - was customer or client-related (dealing with customer relationships, levels of trading, pricing information, profit levels and so on) or customer lists. Just 14 percent of the thefts consisted of financial information (such as internal accounts, business plans, projections and forecasts).

Rationalization - "I did it because..."

Many bright careers are now on hold while organizations assess the effects of the credit crisis and economic downturn. The so-called 'Generation Y' (often defined as those born between the mid-70s and 2001, but also referred to as the 'net generation') have grown up in a booming world economy. Generation Y employees are sometimes seen as being loyal, first and foremost, to themselves. With careers stalled or stalling, some may regard the theft of sensitive data - whether they take it to rivals or use it to start up their own venture - as the most effective short-cut to restarting their own professional and financial progression.

The analysis shows that those who were caught stealing data justified their actions either by claiming that the information was already in the possession of the competitor (60 percent) or in the public domain (30 percent). This latter statistic highlights the challenge of defining exactly what data within your business can legitimately be considered 'proprietary', and which should be accepted as public information.

In only 10 percent of cases was no defence offered by the perpetrator after the theft had been discovered.

How they get away with it

The most common method of transfer of stolen proprietary data by disloyal employees was via email (46 percent of cases examined); 22 percent of cases were through taking hard copy print outs. Surprisingly, perhaps, USB memory sticks, data CDs or DVDs were used in only 9 percent of cases, despite their low cost, relative ease of use, and (especially in the case of USB sticks) conveniently small size. This may be an indication that data thieves are relatively unsophisticated, or that they simply do not believe they will be caught.

The misuse of newer technologies is likely to become more prevalent from now on since data can also easily be stolen using smart phones, MP3 players, digital cameras and other types of digital media. Social networking websites have also provided data thieves (in at least one case) with a way to remove data. Generation Y is, of course, very familiar and comfortable with such technology.

Such data leakage, and the ease with which data can be stolen, is therefore clear evidence that too many companies are not doing enough to detect and prevent information theft in a timely fashion.

Data theft by employees is a genuine threat to organizations, particularly in the current economic climate.

In the future, there is likely to be an everrising trend among employees attempting to steal confidential data for their personal benefit when leaving their current employment. It is possible for businesses to take effective action against such fraud, both in response to actual and attempted thefts of data, and to minimize the likelihood of data being stolen in the first place.

Effective data protection policies, and the creation of a climate in which everyone recognises the value of, and need for, integrity in the handling of sensitive commercial data, is vital if such thefts are to be prevented.

_______________________________________________________________________________________

JPR Note: If this can happen to companies like Microsoft, which can afford the best security money can buy, it can certainly happen to any small or medium-sized business:

Pretexting Goes Unnoticed by Microsoft

@http://www.raveneye.com/case-studies.html

Obtaining financial information using the practice of pretexting has been illegal since the enforcement of the Gramm-Leach-Bliley law in 2001. The law prohibits fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. However, con artists continue to use this technique of false pretenses to find passwords and other personal information that will lead to the theft of financial information.

The Federal Trade Commission considers any organization that stores consumer financial information to be a non-traditional financial institution.Microsoft, for example, was a recent victim of pretexters when their Xbox Live support staff frequently gave up account information to fraudulent callers. This information then led to the ability to access Xbox accounts, which hold stored credit card data. So, in an indirect way, these pretexters have broken the law by accessing financial information through a non-traditional financial institution.

Any organization that stores personal information, especially financial data, must determine what routes a social engineer may exploit to access this information.

________________________________________________

JPR Note: Lack of corporate email policy, control and encryption is common and opens the enterprise to client litigation:

ASSURING ONLY YOU READ YOUR EMAIL: WHY NOW?

By Jonathan McCormick, COO Intermedia @http://www.intermedia.net/resources/articles/assuring-only-you-read-your-email-why-now.aspx

When it comes to using technology to improve their profits, the first place small businesses should look to is the success of social networks. This is not a recommendation to set up a Facebook page or Twitter feed, although those actions can be valuable, instead, it’s a recommendation to take cues from how social networks operate.

What would be the cost to your business if email with sensitive client information, such as credit card numbers or health records, got into the wrong hands?

In 2010, more than 107 trillion emails (Pingdom) were sent. Email has become such second nature that we don’t think twice before sending our most personal information through this easy communication channel.

Most good email providers go to great lengths to protect your email in datacenters, and many companies have put good security practices into place to protect email access. But, as email travels across the Internet, it is vulnerable to data breaches, data leaks, and hackers. Rogue employees also pose risks for distributing information inappropriately.

Businesses can face litigation, fines, and loss of reputation if any personal information about their customers is exposed via email or other means. For instance, the Federal government’s HIPAA act mandates that healthcare providers secure email communication with encryption technology. Financial services firms also face regulation under the Sarbanes-Oxley act. Several states, including California and Massachusetts, have passed their own legislation requiring email encryption.

Yet, even now, many businesses have no email encryption technology in place. One data breach can jeopardize the trusted relationship you have with your customers. Unfortunately, many businesses are unaware that the problem can be solved with simple controls over the communications coming and going from their company – anything from bad language to confidential information.

Potential Costs of Unsecured Email Data Breach

The average cost of a data breach incident for U.S. organizations in 2009 was $6.75 million, or $204 per compromised record. No matter the size of your business, your company may be held financially responsible in the event of a data loss. Many companies look to do the bare minimum to protect themselves, but this leaves the business and all of its data vulnerable. Encryption adds an additional layer of protection on top of your regular email security that any business dealing with personal and confidential information needs to have. By encrypting your email, it makes the information virtually unreadable as it travels across the Internet, thus protecting private information about you and your customers.