In an extraordinary twist, it was revealed on Tuesday that the man most likely responsible for bringing drug kingpin "El Chapo" Joaquin Guzman to justice was none other than his sysadmin.

Two months into the trial in New York, the FBI admitted that it had been able to access hundreds of phone calls made by Guzman and his associates via a custom encryption system because they had flipped the IT guy that set it up, systems engineer Cristian Rodriguez.

The trial had heard several recordings previously but, starting this week, the prosecutors started playing more in which Guzman discussed cocaine deals, warned his bodyguard not to kill policeman and even had a brief conversation with a corrupt police commander who he had just put on the payroll.

The recordings were made possible because nearly a year earlier a federal agent posing as a Russian gangster sat down with Rodriguez at a New York hotel and said he needed a system to make calls without law enforcement being able to listen in.

Rodriguez had just set up such a system for Guzman after he was recommended to the Mexican by Colombian drug lord Jorge Cifuentes. Rodriguez could set up a totally secure comms network, Cifuentes told El Chapo, using a closed, encrypted VoIP network.

And so Rodriguez traveled to Guzman's headquarters in the Mexican county Sinaloa and did exactly that. Guzman logged into the network with his home Wi-Fi and made encrypted business calls that the authorities were unable to listen into.

But the Feds were onto the IT guy and approached him pretending to be in need of a similar network. At some point, they managed to flip Rodriguez and he then undermined Guzman's network by shifting servers from Canada to the Netherlands – claiming it was an upgrade – and giving the FBI the network's new encryption keys.

From that point, the authorities were able to grab recordings of El Chapo's calls and their contents seem likely to put the drug lord away for life.

The details were outlined in court by FBI special agent Steven Marston, who said that with Rodriguez' help they had managed to tap more than 1,500 calls on the encrypted system between April 2011 and January 2012.

Amazingly, it seems the lot of a sysadmin is the same regardless of who you are working for. A transcript of one call made between Rodriguez and Cifuentes' brother, who was with Guzman in the Mexican mountains at the time, sees Rodriguez being castigated for the encrypted network being down.

The call was intercepted because it was carried out over an unencrypted cell phone. Rodriguez tries to reason with Cifuentes, saying all he has to do is buy a computer and he will head over and configure it.

But the drug trafficker isn't happy, complaining about having to get the computer himself, and about the long password needed to get into a different machine: A situation that every sysadmin on the globe will recognize. Except with one big difference - your boss is unlikely to track you down and kill you if you upset him.

"You didn’t send me the engineer to install my machine. So, then, it’s all your fault," Jorge Cifuentes complained. "No!" responded to Rodriguez.

"It’s all your fault."
"No, Don Jorge, don’t stress me out more, man, because…"
"Don’t complain that I… what can I do? I haven’t been able to do it."
"Hadn’t we agreed that you were going to buy a mini computer and you were going to call us to configure it?"
"I’m so busy. I didn’t even have time to breathe… I have a computer but, you know that I haven’t been able to open it? A Vaio… Do you remember the small Vaio?"
"Yes, sir."
"Good, but that has a very long password."
"Yes, sir."
"The long one, that password that you place…is this the password?
"Yes, sir."
"What a drag! It has symbols and things."

It's safe to assume that as soon as the Feds heard this exchange, they figured that Rodriguez could be their way in. And he was, although it wasn't easy on him.

Prosecutors told the court earlier in the trial that a key witness – which turns out to be Rodriguez – had suffered a "nervous breakdown" in 2013 because of "stress" of working for El Chapo – although the stress was more likely due to the fact that he was working undercover for the Feds while in charge of the comms network of an extremely violent criminal enterprise.

Eventually, Rodriguez left the cartel – it's not clear under what circumstances or if the Feds helped. But by then Guzman and Cifuentes had grown suspicious that their IT guy may have flipped and various enforcers turned up looking for Rodriguez – something that didn't exact improve his sense of personal safety.

Rodriguez is still expected to appear as a witness at some point in the trial: The sysadmin who took down a drug lord. ®

Authentication , Cybercrime , Data Breach

Following the massive leak of sensitive information tied to about 1,000 German celebrities, journalists and politicians, including Chancellor Angela Merkel, police say they have arrested a suspect who has confessed to stealing and dumping the information online (see: Hackers Leak Hundreds of German Politicians' Personal Data).

See Also: Live Webinar | Sunset of Windows Server 2008: Migrate with Docker

The suspect, who allegedly used the handles "G0d" and "0rbit" online, is a 20-year-old German citizen who was arrested Sunday night and questioned Monday by a senior prosecutor and police officials, police say. They have not named the suspect, but say he is a student living at home with his parents in the German state of Hesse.

On Monday, the suspect "comprehensively acknowledged the allegations against him and provided information on his own offenses," the Bundeskriminalamt, or Federal Criminal Police Office of Germany, known as the BKA, said in a statement.

Annoyance Allegedly Drove Hacker

"During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases," the BKA said. "The investigation has so far revealed no evidence of third-party participation. As to his motivation, the suspect stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned."

Officials say the dumped information included telephone numbers, addresses, payment card information, images, chat messages and other communications.

The suspect, who is being handled by a juvenile court, faces a maximum of three years imprisonment, reported Germany's national public television broadcaster, ZDF.

Police said that "due to a lack of grounds for detention," they released the suspect on Monday, but only after he had shared the location of a computer that he had attempted to wipe as well as the location of at least partial backups he placed on a cloud-based hosting service. Digital forensic analysis of the systems and other aspects of the alleged crime are still being reviewed, officials said, noting that they have recovered data from the supposedly wiped system. They also said that the suspect had used a VPN to try to hide his tracks.

A 19-year-old German man from the town of Heilbronn who was in contact with the suspect is also cooperating with authorities as a witness, German broadcaster Deutsche Welle reported. According to press reports, the suspect allegedly boasted of his deeds to the other man, via the encrypted messaging app Telegram, with which the suspect had registered an account using his own telephone number.

Germany's Federal Office for Information Security, or BSI, is investigating the "hackerangriff" - hacker attack - and says it has recovered 8.8 GB of leaked data for analysis.

So far, Germany's Interior Ministry estimates that the data leak includes information for about estimated 1,000 celebrities, journalists, politicians and other public figures, although said officials are still reviewing all of the dumped data. They have identified about 50 individuals for whom extensive personal details, including photographs and sensitive communications, were dumped online.

Lone Suspect Identified

The question of whether the suspect acted alone, however, continues. The leaks, notably, were part of an "Advent calendar" of big and little leaks, with new data being dumped every day from Dec. 1 to Dec. 24 via a Twitter account that was reportedly followed by up to 18,000 people until Twitter suspended the account on Jan. 4.

The account initially began leaking data for celebrities before switching to politicians on Dec. 20.

The information security researcher known as the Grugq says that whoever leaked the data appeared to go to great lengths to gather it, package it up as well as make it tough to eradicate.

Some independent security researchers say 0rbit was using an anonymity product called Perfect Privacy, which provides VPN and encryption capabilities.

But an unnamed police investigator tells German weekly news magazine Der Spiegel that authorities are treating this as an isolated case of hacking by a 20-year-old, and they see no ties to foreign intelligence services.

Leaked Data Still in Circulation

At a Tuesday press conference in Berlin, Minister of the Interior Horst Seehofer said that efforts remain underway to expunge the leaked information from online sites, but that it was unlikely that officials would be able to delete everything because the data is already in circulation.

"We cannot promise total security," said Seehofer, ZDF reported.

The interior committee of the Bundestag - the German federal parliament - is now set to probe the incident.

In his Tuesday press conference, Seehofer responded to criticism that he had said very little about how the investigation was proceeding. "This is how you, as a responsible minister, handle such things," he said.

He also rebutted criticism that police had been too slow to investigate the data leaks, after receiving alerts from officials whose online accounts were hacked, beginning in December. Rather, Seehofer praised officials for working around the clock, and said the Bundestag has already approved funding to add 315 cybersecurity experts to the Federal Office for Information Security as well a 160 employees to create a dedicated cybersecurity group inside the Federal Criminal Police Office, ZDF reported.

'ILoveYou' Password Problem

The BSI says it will be issuing recommendations aimed at helping politicians to better keep their personal data secure.

Investigators said they don't believe the data was obtained via malware, but rather by accessing victims' social media accounts, often due to weak passwords.

Seehofer said consumers and public figures alike need make it more difficult for would-be hackers to take control of their accounts (see: Why Are We *Still* So Stupid About Passwords?).

"Bad passwords were one of the reasons he had it so easy," Seehofer said of the suspect, the Guardian reported. "I was shocked at how simple most passwords were: 'ILoveYou', '1,2,3.' A whole array of really simple things."

3rd Party Risk Management , Compliance , General Data Protection Regulation (GDPR)

An EU General Data Protection Regulation enforcement action against a hospital in Portugal demonstrates for U.S. healthcare entities that complying with GDPR may be even tougher than complying with HIPAA.

See Also: Live Webinar | Sunset of Windows Server 2008: Migrate with Docker

Portugal's supervisory authority Comissão Nacional de Protecção de Dados levied fines totaling 400,000 euros ($458,000) against a hospital, Centro Hospitalar Barreiro Montijo, for three violations of GDPR. That enforcement action - which was reportedly levied last July but only recently made public - apparently was Portugal's first since GDPR's compliance deadline on May 25, 2018.

For U.S. healthcare entities, "this case demonstrates that there is significant overlap between HIPAA and GDPR, such as expectations for appropriate policies and documentation and expectations for role-based access and appropriate authorization and termination of accounts with access to medical information," notes privacy attorney Adam Greene of the U.S. law firm Davis Wright Tremaine.

"But it also shows that GDPR enforcers may expect more stringent privacy and security controls than are typically practiced under HIPAA."

Who Must Comply?

Most U.S. healthcare entities, however, don't need to comply with GDPR.

Those that must comply with the European regulation include organizations that operate offices in the EU, are involved with clinical studies in the EU, market their services to EU residents or track online behavior of EU residents on their websites, Greene notes in an interview with Information Security Media Group.

GDPR "doesn't apply broadly" to U.S. healthcare entities, he says.

Three Main Violations

The Portuguese hospital's GDPR infractions included allowing indiscriminate access to patient's clinical information to an excessive number of users, according to a report about the enforcement case by the International Association of Privacy Professionals.

Another infraction was a violation of integrity and confidentiality as a result of failing to apply technical and organizational measures to prevent unlawful access to personal data, the IAPP notes.

A third violation was the failure of the hospital to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the failure to implement technical and organizational measures to ensure a level of security adequate to the risk, according to IAPP. That included the lack of having a process to regularly test, assess and evaluate technical and organizational measures to ensure the security of the processing.

Access Issues

When it came to the access-related violations by the Portuguese hospital, regulators found the existence of access credentials that allowed any doctor, regardless of specialty, to access at any time the data of the clients of the hospital. This was considered a violation of the GDPR principle of "need to know" and the principle of "minimization of data," IAPP reports.

This should ring warning bells for U.S. healthcare entities that must comply with GDPR, some regulatory experts note.

"It is typical in the U.S. for doctors to have access to all patients' records, not just those who they are treating," Greene says. "Hospitals generally find it unreasonable to apply more granular access controls. But the Portuguese data authority faulted the hospital for allowing all doctors to have such a level of access."

Media Account

The GDPR noncompliance investigation of issues at the hospital appears to have come as the result of a news media report, which was then investigated and confirmed by Portuguese regulators - rather than being spurred by a data breach report or formal complaint.

Those circumstances are similar to some HIPAA enforcement cases in the U.S., notes privacy attorney Iliana Peters of the law firm Polsinelli.

"Regarding the [Portugal] investigation not resulting from a security incident or breach of some sort ... it is important to note that OCR [Department of Health and Human Services' Office for Civil Rights] has also investigated entities, and entered into settlement agreements with them, as a result of news reports," Peters notes.

Emerging Lessons

Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes that the report about the Portuguese GDPR case reads much like an OCR investigation conducted into allegations that an organization has failed to comply with the HIPAA privacy and security standards.

"The report provides details of the thorough and extensive investigation of how the Portuguese managed its information systems as well as administrative policies setting access controls, role-based access, and minimum necessary standards," he says. "The regulator provided an extensive discussion of the weight given affirmative defenses and mitigation in making the determination of the appropriate monetary penalty."

Holtzman says it's not surprising to see striking similarities between GDPR and the HIPAA privacy and security standards "because their shared foundation lies in the principles of organizations' implementing reasonable administrative and technical safeguards to protect personal information from unauthorized use or disclosure."

The enforcement action in Portugal highlights the GDPR requirements for performing an information security risk analysis to identify and mitigate threats to protected information; setting account access controls that include policies for establishing user's role-based access that considers need to know and applying a minimum necessary standard; and terminating account access when users' have left the organization or changed roles, Holtzman says.

Other Details of Case

Attorney Elizabeth Harding of law firm Polsinelli highlights a few other noteworthy aspects to this GDPR case.

For instance, Portuguese authorities found that the hospital had 985 users associated with the profile "doctor," but in the entity's official human resources charts there are only 296 doctors in that hospital, according to the IAPP report.

"The hospital allowed access to its [patient information] to a broad range of personnel without proper access profile management. This resulted in access being granted via false profiles, and access being granted to all patient files, regardless of the doctor's specialty," she says.

Harding notes that it appears that the hospital had failed to properly review and document its access controls.

"The lesson here is the importance of putting in place appropriate internal policies and procedures. The controller is responsible for demonstrating compliance with the data protection principals under GDPR - this is known as the accountability principal," she says.

Harding notes that the issues in the Portugal case arose as a result of the implementation of a third-party software system.

"U.S. healthcare entities that are subject to GDPR need to ensure that they undertake proper diligence when using third-party products and services to ensure that they do not cause them to be in violation of their GDPR obligations," she says.

"The hospital in this case argued that it was using a system provided by the Portuguese healthcare authorities, but the regulators pushed back on this argument on the basis that the hospital could, and should, have known that its use was in violation of GDPR."

More Than Meeting HIPAA

Attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., notes: "The findings that the security measures were so lax as to present a threat to the maintenance of integrity and confidentiality of the PHI itself - although no PHI was referred to as having been compromised from either a integrity or confidentiality perspective - would in my opinion be sufficient to trigger an investigation."

GDPR compliance "facilitates meeting or exceeding HIPAA security requirements," he says.

"Merely being HIPAA compliant may not serve as a competent defense in a GDPR proceeding; the opposite may not be true."

3rd Party Risk Management , Breach Preparedness , Cybercrime

The Trump administration has launched a public awareness campaign for the U.S. private sector, urging businesses to better defend themselves against online attackers who may be trying to steal their sensitive data or wage supply chain attacks.

See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro

The effort, being run by the National Counterintelligence and Security Center, aims to improve the minimum level of information security practices in place at businesses. At a minimum, NCSC is urging all organizations to review supply chain security, safeguard against spear-phishing emails, beware of social media deception and expect that, when traveling abroad, their equipment will be subject to surveillance or interference.

The NCSC has branded the effort as "Know the Risk, Raise Your Shield," and released a range of videos, posters, brochures and flyers via its website that promulgate strategies to help protect data, assets, technology and networks. The materials were previously distributed to the federal workforce.

"To enhance private sector awareness, we're arming U.S. companies with information they need to better understand and defend against these threats," says NCSC Director William Evanina.

The U.S. NCSC is a center within the Office of the Director of National Intelligence, not to be confused with the U.K.'s National Cyber Security Centre, which is the public-facing arm of British intelligence agency GCHQ.

The U.S. NCSC's 2018 Foreign Economic Espionage in Cyberspace report, released last July, singles out China, Russia and Iran as posing the biggest nation-state hacking risk to the U.S. private sector. Laws in China and Russia, in particular, allow government agencies to compel firms to assist in their efforts.

But officials warn that the threat is much broader.

"Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data and compromising supply chains," Evanina says. "The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars."

Last year, Director of National Intelligence Dan Coats told Congress that in the online realm, Russia poses the top online attack threat to United States, while China, North Korea and Iran are also top threats, "although many countries and some non-state actors are exploring ways to use influence operations, both domestically and abroad."

Robert Hannigan, speaking at the June 2018 Infosecurity Europe conference in London, said cybercrime groups and nation-state attackers are increasingly blurring together. (Photo: Mathew Schwartz)

Indeed, the former head of the U.K.'s signals intelligence agency, GCHQ, last year warned that it was becoming increasingly difficult to tell cybercriminals and nation-state actors apart (see: Cybercrime Groups and Nation-State Attackers Blur Together).

"In some cases, you can see these groups sitting in the same room, and in some cases, you can see where people have been conducting state activity during the day, and then doing crime activity at night," said Robert Hannigan, who headed GCHQ until 2017, speaking at last year's Infosecurity Europe conference in London. "It's an interesting mixture of profit and political intent."

Charges Filed

As part of its effort to warn private businesses to take information security more seriously, NCSC pointed to the numerous charges that have been filed in the past 12 months against alleged nation-state hackers. Individuals named in indictments or sanctions allegedly worked for or on behalf of the governments of:

Threats to Supply Chain

Source: Worldwide Threat Assessment of the U.S. Intelligence Community, released Feb. 13, 2018

Of course, anyone - government-sponsored or otherwise - can potentially launch a hack attack. But the outreach effort by NCSC focuses on some tactics that have been regularly employed by nation-state attackers, including targeting supply chains.

On that front, the NCSC outreach mirrors recent moves by the Trump administration - as well as some governments abroad - to restrict the use of Chinese-built telecommunications gear over fears that it could be easily suborned at the request of Beijing (see: Report: Trump Weighs Executive Order Banning Huawei, ZTE).

NCSC doesn't suggest that securing supply chains will be inexpensive. But it warns that "this is a place where an ounce of prevention is worth a pound of cure."

Prevention includes asking the right questions, conducting due diligence, as well as hiring "acquisition and procurement personnel" to be integral member's of an organization's "enterprise-wide risk management and security program," NCSC says.

Spear-Phishing Success

Spear-phishing attacks are regularly used by every stripe of online attacker; they're the entry point for the majority of hacks perpetrated by remote attackers, security experts say.

Spear-phishing emails have also been employed by APT groups, which the U.S. intelligence establishment said were being run by Russia's intelligence agencies, that targeted multiple U.S. organizations, including hacking the Democratic National Committee and the presidential campaign of Hillary Clinton (see: Nation-State Spear Phishing Attacks Remain Alive and Well).

Such attacks can not only be low cost, but as the attackers' seizure - and then release - of sensitive DNC communications demonstrates, also effective at penetrating targeted environments.

'I'd Like to Add You'

Social media may now be a large part of the U.S. cultural DNA, but NCSC warns that it's also used a tool by foreign intelligence service recruiters.

"China's intelligence services use social media platforms to spot, assess and target Americans with access to business or government secrets," NCSC warns. As an example, the center notes that last year, a Chinese intelligence operative, posing as a job recruiter, first approached a former CIA officer who was ultimately convicted of espionage.

Leave Mobile Devices at Home

The guidance from NCSC also touches on mobile devices and advocates avoiding traveling abroad with smartphones, laptops or other mobile devices, whenever possible. "If possible, leave your electronic device at home," NCSC says. "If you bring it, always keep it with you; the hotel safe isn't really 'safe.'"

It also notes that WiFi access points can be easily monitored by any domestic government agency, and spyware or other malicious software pushed to any system or device that connects to the network. NCSC's advice adds impetus to the need for organizations to issue "burner" devices, especially to executives, with minimum functionality for use when traveling to some foreign countries. Such devices can be completely wiped upon an employee's return.

"When abroad, don't expect electronic privacy," NCSC says.