
SSmS offers affordable solutions for small law firms:

Define & rank the real threats to your practice

Adopt simple counter-measures firm-wide

Corporate & gov't behemoths cannot protect their data! Small firms have better prospects ....

Large networks must protect TENS of THOUSANDS of vulnerable PCs & phones. Small firms have just TENS of such “end points” to protect.

Staff in behemoth organizations often feel alienated & apathetic. Staff in small firms know that everyone’s efforts matter to success, indeed to survival, and job preservation.

Nation states and organized cyber-crime invest lots of time & money to penetrate and harvest data from one big organization. Hackers threatening small firms have small budgets and much less time to spend.

All the S&P 500 & all US federal agencies are reckoned to have hackers perennially resident in their networks, working towards “administrator privileges” & access to “the crown jewels”. Threats to small firms are more intermittent and episodic.

When all co-workers in a small firm implement a dozen simple tools and techniques, you will step up your security significantly. Also, this exercise will internalize security awareness in your staff — essential to coping as threats evolve.

Presidents HAVE that power -- over the largest spying & hacking apparatus in history.

Both Bush & Obama expanded US surveillance. Last November, Obama loosened Rule 41 of the Federal Rules of Criminal Procedure, allowing an FBI warrant issued in one jurisdiction to extend surveillance across the country. In his final days, Obama modified Executive Order 12333, allowing NSA to share its raw data with 16 other US intelligence agencies.

Trump will surely continue — if not accelerate — the trend towards larger budgets and greater leeway for NSA, CIA, FBI, and the other 14 US intelligence agencies.

77 DHS “Fusion Centers” share federal expertise with states and local police

“Homeland Security Fusion Centers” foster collaboration at all levels of gov’t versus “terrorism and crime”. Personnel from NSA, CIA, FBI, DEA, CBP, ICE, states, local corrections & police participate in the Centers.

California has 6 of the 77 fusion centers. The largest is the “Joint Regional Intelligence Center” in LA. Given LA’s proximity to Mexico, we had best assume that NSA databases, as well as NSA and CIA phone & PC malware & exploits, are being shared with DEA, CBP, ICE, state & local police.

The Church Committee reforms of the 1970’s forbade CIA spying upon US citizens, but are unlikely to have prohibited sharing of technology with domestic agencies. In the 70’s, the CIA was not in the IT business. Indeed, PCs and smartphones had yet to be invented! Now, Wikileaks has published details and user guides on many CIA malware and exploits. It’s best to assume they are under study in the Fusion Centers.

NSA is also forbidden to target Americans. BUT, Sec. 702 of the Foreign Intelligence Surveillance Amendments Act allows “reverse targeting” of Americans — i.e. targeting foreigners with whom US citizens communicate — which makes ALL records collected on those US citizens available to NSA analysts and contractors.

Sen. Rand Paul has warned of this, and former NSA contractor Snowden has confirmed the widespread use of reverse targeting by NSA. Section 702 is likely to be renewed in 2017. The “Shadow Brokers” have published details and user guides on many of NSA’s weapons-grade exploits and malware. They have promised more releases of NSA exploits in future. These NSA tools are best assumed to be under study by state and local law enforcement in the Fusion Centers.

The key question for small firms is how quickly these weapons-grade exploits begin to be used by the less-than-elite hackers who threaten them.

Trump proclaims himself a “counter-puncher”. Whose “glass jaws” are at risk?

President Trump is implementing aggressive new policies on drug enforcement, deportation, and “law & order”. If your firm handles cases in these areas, will your opponents benefit? Will they gain access to federal databases? To PC and smartphone malware & “exploits” developed or purchased by CIA, FBI, DEA, ICE, etc.? (ICE recently acknowledged their use of “stingray” mass cellphone interception.)

Is your firm active politically? If you oppose administration policies, will opponents and their investigators feel free to “push the envelope”? Ours is the most populous state, the leading “sanctuary state” and the center of resistance to Trump’s policies.

Notable breaches of law firm data security to date

Kevin Mitnick, dubbed in the mid 90’s the “world’s most dangerous hacker”, fled the FBI from San Fernando. He found work as an investigator in a Denver law firm. 20 years later, Mitnick’s counterparts will likely work for independent investigators, who will often have established client confidentiality with the law firms they serve.

In 2014, a hack of Securus Technologies (provider of phone service to prisons) stole “70 million records of phone calls placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between inmates and attorneys.” (per documents leaked to the Intercept, reported 11.11.15). Surely, many small law firms serving prisoners were affected.

In 2015, major law firms including Cravath Swaine & Moore and Weil Gotshal & Manges were hacked, apparently by Chinese actors seeking to profit from confidential M&A information. Other prominent firms, Cleary Gottlieb, Mayer Brown, Latham & Watkins, Covington & Burling, and Davis Polk & Wardwell, were also attacked.

In 2016, Mossack Fonseca was breached, leaking thousands of documents to a global team of journalists. Mossack was said to have had virtually no security measures in place. Fallout affecting world leaders continues in 2017. After review of documents, the deceased father of former UK Prime Minister David Cameron was alleged to have behaved illegally in the management of various offshore entities.

Most breaches of law firms are not publicly reported. There is limited value in looking into the weeds. It’s more useful to look at the big picture: how major institutions behave, and how technology costs are plunging.

Corporations tend to hire retired FBI agents as security chiefs

These former agents have contacts, some still in official positions in FBI, CIA, or other agencies, some now independent investigators.

My Fortune 50 employer, in a competitive foreign deal, investigated several small foreign law firms, then hired the four most talented — in part to make them unavailable to our competitors.

Private investigators turn to ex-NSA & ex-CIA colleagues to access gov’t databases not available to the public. Investigators use technology, via hackers, as it’s often cheaper and more productive than following people around or questioning people face to face.

Uber hired a CIA-linked intelligence firm to investigate plaintiffs and lawyers in a class-action suit, and is now under investigation by DoJ for developing software to evade local gov’t authorities. Earlier, Hewlett-Packard surveilled board members’ email, to determine where leaks were originating. In both cases, word got out, and the companies suffered PR setbacks. In future, such moves will be made in a stealthier manner!

Technology is developing rapidly; costs of spying & hacking are plunging

Surveillance & hacking (they’re first cousins!) are becoming ever cheaper. 10 years ago, Harris Corp. introduced the “Stingray” to capture cellphone numbers & meta-data. Each unit cost US agencies $500,000. The newer (aptly named) “DRTbox” from Digital Receiver Technology (DRT), now part of Boeing, costs less, and captures the content of phone calls and text messages as well.

FBI use of stingrays came to light only after demonstrations following the 2015 police killing of Freddie Gray. An astute hacker noticed small planes circling over Baltimore, and traced the planes’ registration nos. to an FBI-owned shell co. It soon emerged that stingrays were on board to generate “social graphs” of phone users at the demos.

Also in 2015, Great Scott Gadgets released the “HackRF”, costing $330. Software ranges from free to $300 on the dark web. Harvard security researcher Bruce Schneier wrote, “Anyone with a HackRF software-defined radio card can turn their laptop into an amateur IMSI-catcher.” (IMSI stands for international mobile subscriber identity — the basis of the stingray, DRTbox and now HackRF technology.)

$300-600 is within the budget of teenage hackers — the Kevin Mitnicks* of today! How long until hackers are hired to capture smartphone traffic from your office parking lot?

_________________________________________

*Mitnick was never accused of stealing for profit. He hacked for intellectual challenge, for pranks, for fun. He served 5 un-fun years in federal prison for hacking into 40+ corporations. Kevin has since produced 4 excellent books, become a much-sought keynote speaker, and built Mitnick Security Consulting, which has worked for many companies and agencies, including — ironically — the FBI!

The Takeaway

Simple tools and techniques, consistently implemented across a small firm, can significantly step up data security. One example: the easy-to-use, zero-cost “Signal” encryption software defeats stingray, DRTbox or HackRF attacks against cellphone call content and text messages.

Two other simple measures could have thwarted the email hacks of two CIA directors and one Director of National Intelligence — officials in charge of US data security!! As US leaders can protect neither their own data nor their institutions’, we need to take charge of our own security. And here’s how:

Each firm should first define and rank the real security threats to its particular practice. Everyone in the firm should participate in this exercise, and in understanding strong yet simple counter-measures. All must adopt around a dozen simple tools and techniques. SSmS will make available affordable assistance and “hand-holding” until your entire staff achieves the agreed level of security.

As surely as threats will evolve, there can be no absolute security. Even small firms are in an “arms race” against cyber-criminals, whose “business” is growing fast, and most of whom are never caught!

SSmS believes that small firms — offering smaller spoils, and with many fewer network “end points” to defend — face better security prospects than do Target, JPMorgan, Sony, Yahoo, OPM, DNC, NSA, CIA, and other behemoths which have been hacked or will be in future.

Our free blog offers bite-sized doses of security awareness.

We’ll summarize news as well as simple security tools & techniques.