6 January 2021 was a security clusterfuck.

11 January 2021

Note the first: I started working on this article last week, but didn't post it until now because I wanted to let all of the (usually astoundingly bad) hot takes die down. While I realize that the Internet has given everyone an attention span rivalled only by the lifespan of the adult mayfly, I think it might be useful to have something laying around that can be pointed to later if need be.

Note the second: A reminder that I do not speak from an official position. I do not speak for or represent my employers, past, present, or future.

In case you weren't paying attention last week there was an attempted coup at the US Capitol Building. A mob of right-wing Trump cultists broke into the building, largely unimpeded by DC police or site security and wreaked havoc therein. I'm not going to write about this because there's no point; the perpetrators helpfully documented it themselves with photographs, videos, and even live streams posted to various social networks. You don't need to be Miranda Zero to know how stupid this is. However, that's also not what I'm going to write about.

The thing that caught my attention over and over again was that the attempted and failed coup attempt constitutes a massive, almost legendary failure of security, both physical as well as informational. If you're already bored with this article, the tl;dr is that much of the security community collectively shit itself when they saw what happened that day.

When the mob finally gained access to the Capitol Building they seem to have run rampant through an unspecified amount of the building. We do know that, per security policy, the Senate, the House of Representatives, and all incident personnel were evacuated by site security. It would appear from photographs and videos posted by individual members of that mob that personnel were evacuated before clean desk protocols could be enacted. Briefly, that means that whenever you're going to be away from your workspace in an unclassified environment for longer than, say, a trip to the bathroom you are supposed to put all of your stuff away: Put paperwork, notes, what have you into your desk and lock it, lock your screen, grab your CAC (note: anonymized link) and put it on your person, lock your screen, and make sure anything else you have is either with you or locked up. It would appear that the active threat was considered sufficiently high that everybody hustled out of there before they could put anything away.

This could be politely termed an evolving situation.

We know from the evidence posted by members of the invading mob of people that potentially sensitive materials were stolen. At least two laptops are missing, and it would be unsurprising if any of the documents that people were holding and being photographed with were also taken. It's going to take time to inventory the building from top to bottom to see what's there and what isn't. I strongly doubt that any of that material is actually classified, because anyone taking classified material out of an area designed for storing and handling classified information has technically breached security. Judging by the FBI's public requests for information (note: anonymized link) they seem to assume the worst until encountering evidence to the contrary.

I do not know and thus cannot say if any of the other offices depicted by the invading force constitute such facilities. I would personally assume that they were until one of the duly authorized facility's security officers stated otherwise, and even then I'd ask for a second opinion.

The following text is predicated on the possibility that hostile foreign agents may have taken cover inside the force at the Capitol Building for the purpose of gaining access to and compromising the security of the building.

Inside the Beltway, there is a saying: Never let a good crisis go to waste. 6 January 2021 would have been a platinum opportunity for someone to make a move.

The thing that concerns me the most is the potential information security breaches. We know that laptops were stolen. It seems probable that some volume of information stored on electronic media was taken as well. Flash drives being what they are they'd be tempting and incredibly easy for intruders to pocket and abscond with. Even more concerning is that someone might have left malicious USB devices behind for personnel to accidentally pop themselves with. When I was doing penetration testing professionally, one of the best investments I ever made was buying a crappy iPod off of Craig's List because I put some music on it along with an autorun.inf file that would fire off some custom malware when it was plugged in. Leaving it in the parking lot or on the sidewalk outside of a target worked way too well. Because who wouldn't want a free iPod? As for what information was on those machines, there is simply no way of knowing.

It would also be possible for someone to have installed USB keyloggers on computers in the building to capture user credentials for later penetration attempts. Spoiler alert, they're not rare. In point of fact, badUSB has been around for years as an attack technique so potentially any USB device, from a flash drive to a crappy webcam used for Zoom conferencing could be compromised. After all, who really keeps track of which USB cable they leave at work? One webcam purchased in bulk looks pretty much like another. If they are smart and pushing back against administrative time pressure, security teams there will probably go over as many USB devices in the building as possible to see if they've been compromised somehow or replaced. I don't envy them that task.

As for all those workstations left unlocked during evac? The ideal thing to do would be to treat all of them as compromised, set all of them aside for forensic analysis, and issue replacement hardware to personnel to work on. Assuming, of course, that personnel did what they were told to and store everything on their designated file servers. Which, speaking from experience, is never a sure thing. However, I do not think it likely that they will have the budget or time to replace and autopsy more than a bare handful of machines. It is far more likely that they'll seize a couple for analysis (probably those of the higher ups), nuke and pave many more, and forget a few during the process. That is usually how things go during an evolving situation.

I would carefully say that the same thing would go for stuff like USB chargers, desk clocks, lamps... again, all this stuff is not rare, it's cheap and easy to get. It's also actually used in the real world (local mirror) profitably. From the limited amount of tinkering I've done with some of this stuff it's pretty awesome, which is why I do a security sweep (local mirror) when I stay in a hotel. But now I'm getting off track, just understand that hidden surveillance devices are now an even bigger risk inside the Capitol Building.

I cannot authoritatively say if there are SCIFs (as of 20210108 this Wikipedia article is reasonably accurate) in the Capitol Building. It would not surprise me at all if there were. After conferring with my lawyer, I have been advised to not speculate on the record about them with regard to the MAGA riot, because the last thing I need is the FBI asking me questions. I do not envy counter-intelligence right now regardless.

I could go on and on but I think you take my point. Regardless of what you may or may not think of government as a thing or the US government in particular, the harm that could be done to people indirectly through damage to The System(tm) resulting from the compromise of the Capitol Building could be considerable. I won't speculate on it because I simply don't know.

I do feel fairly secure in saying that 2020.ev isn't done with us by a long shot.