The ARRL incident of May 2024

Views: 7,548

Onno VK6FLAB


A month ago

Foundations of Amateur Radio
Today I want to talk about something that might feel only tangentially related to our hobby, but it likely affects you.
Recently the ARRL announced that it was "in the process of responding to a serious incident involving access to our network and headquarters-based systems". A day later it sought to assure the community that the "ARRL does not store credit card information" and they "do not collect social security numbers" and went on to say that their "member database only contains publicly available information". Five days after that it's "continuing to address a serious incident involving access to our network and systems" and that "Several services, such as Logbook of The World(R) and the ARRL Learning Center, are affected.", but "LoTW data is secure". Over a third of the latest announcement, more than a week ago, was to assure the community that the July QST magazine is on track but might be delayed for print subscribers.
Regardless of how this situation evolves, it's unwelcome news and much wider reaching than the ARRL.
LoTW, or Logbook of The World, is used globally by the amateur community to verify contacts between stations. The IARU, the International Amateur Radio Union, is headquartered at the ARRL office.
I've been told that I should have empathy and consider that the ARRL is only a small organisation that may not have the best of the best in technology staff due to budget constraints and finally, that LoTW being down for a few days is not going to kill anyone.
All those things might well be true and mistakes can and do happen.
The ARRL has been in existence for well over a century, bills itself as the answer to "When All Else Fails" and has even registered this as a trademark, but hasn't actually said anything useful about an incident that appears to have occurred on the 14th of May, now over two weeks ago. By the way, that date is based on the UptimeRobot service showing less than 100% uptime on that day; the ARRL hasn't told us when this all occurred, and it didn't even acknowledge that anything was wrong until two days later.
This raises plenty of uncomfortable questions.
What information did you share with the ARRL when you activated your LoTW account? For me it was over a decade ago. I jumped through the hoops required and managed to create a certificate. What information I shared at the time I have no idea about. As I've said before, I do know that security was more extreme than required by my bank, even today, and the level of identification required was in my opinion disproportionate to the information being processed by the service: lists of amateur stations contacting each other.
Something to take into account, on the 30th of October 2013, Norm W3IZ wrote in an email to me: "Data is never removed from LoTW." - I have no idea how much or which specific information that refers to.
If you used the ARRL Learning Center, what information did you share? If you're a member of the ARRL, or you purchased something from their online store, what data was required and stored? Is the data at the IARU affected? What infrastructure, other than the office, do they share?
While I've been talking about the ARRL, this same issue exists with all the other amateur services you use. QRZ.com, eQSL.cc, eham.net, clublog.org, your local regulator, your amateur club, your social media accounts, all of it.
What information have you shared?
Do you have an internet birthday, address and middle name?
Recently I received a meme. It shows two individuals talking about life, the universe and everything. They discuss their favourite books, the first movie they ever watched, the name of their pets, what car they learnt to drive in, their interests and other things you talk about when you meet someone new and interesting. The last image of the meme shows the heading: "Security Questions Answered, Welcome Amanda."
So, my question is this: What's your favourite colour and your mother's maiden name?
Seriously, next time you access a service online, have a look at what data that service has. When you sign up, consider the requirements for the service and how much information that's worth. Do you really need to send your birthday, your gender and your physical address with a copy of your passport or another government approved identity document? If you're being asked for the name of your first pet, consider answering something unique. In my case, I generate a random string of characters to use as an answer for each security question.
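The practice described above, a unique random string per security question, as an added example that is not part of the original post. It draws from the operating system's CSPRNG via Python's `secrets` module and reports the entropy of what it produces; the alphabet, the 20-character default and the assumed 10,000-name "typical pet name" pool are my assumptions, not figures from the post.

```python
import math
import secrets
import string

# Letters and digits only, so the answer survives sign-up forms that reject
# punctuation (assumption; widen it if the service allows symbols).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return one random security-question answer drawn from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def answers_for(questions: list[str], length: int = 20) -> dict[str, str]:
    """One independent random answer per question, as you would file them in a
    password manager entry for the service that asked them."""
    return {q: random_answer(length) for q in questions}


def guessable_bits(pool_size: int = 10_000) -> float:
    """Rough entropy of a real answer picked from a pool of common names.
    The pool size is a constructed assumption for comparison only."""
    return entropy_bits(1, pool_size)


if __name__ == "__main__":
    # Constructed sample questions of the kind the post mentions.
    questions = ["Name of your first pet?", "Favourite colour?", "Mother's maiden name?"]
    for q, a in answers_for(questions).items():
        print(f"{q:<28} {a}")
    print(f"random answer: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(f"real pet name: {guessable_bits():.1f} bits")
```

Each answer is independent, so a leak of one service's database reveals nothing about the answers registered elsewhere; the point of the entropy lines is that a 20-character random string is well over a hundred bits, while a true answer drawn from a few thousand common names is under fifteen.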
The ARRL "incident" is the tip of the iceberg. This problem isn't going away; it's only going to get bigger and happen more often.
Final observation. With the potential of a global shopping list for thieves coming out of the database at the ARRL, will you be sharing your station address next time and if you're subject to the GDPR, the General Data Protection Regulation, perhaps it's time to a...

Comments: 36
@vk6flab 28 days ago
The ARRL has just published the following statement: Updated 6/4/2024 On or around May 12, 2024, ARRL was the victim of a sophisticated network attack by a malicious international cyber group. ARRL immediately involved the FBI and engaged with third party experts to investigate. This serious incident was extensive and categorized by the FBI as “unique,” compromising network devices, servers, cloud-based systems, and PCs. ARRL management quickly established an incident response team. This has led to an extensive effort to contain and remediate the networks, restore servers, and staff are beginning the testing of applications and interfaces to ensure proper operation. Thank you for your patience and understanding as our staff continue to work through this with an outstanding team of experts to restore full functionality to our systems and services. We will continue to update members as advised and to the extent we are able. This story will be updated with new developments. Source: www.arrl.org/news/arrl-systems-service-disruption
@paulmitchell4421 15 days ago
yes, it's playing victim.
@kevinshumaker3753 29 days ago
Interesting. I don't give anything out anymore. I think I signed up to ARRL like 6-7 years ago, but never signed up for LOTR or other systems, because that's not the purpose I got licensed for. I usually give fake date of births, fake first dog names and other such info unless they can prove a legitimate need. My online and IRL info is different even for my doctor and bank. Sucks having worked in IT and knowing all the ways you can be phished...
@vk6flab 28 days ago
I have received reports of amateurs sending in copies of their passports. I wish I could recall what I sent, but I take comfort in that I've moved several times since, have had several identity documents renewed and our regulator has never published my physical address.
@kevinshumaker3753 28 days ago
@@vk6flab The nice thing about US Passports is that they do not contain US Social Security numbers, and don't have a street address. Unfortunately, the FCC does show the mailing address. Like you, though, I've moved several times, and use a PO Box for a lot of mailing addresses.
@rlic9206 29 days ago
If they can hack it they will. Use this as a training experience. We need to come up with a better system in order to help others in an emergency. Communications are everything.
@N0LSD 29 days ago
I've pointed out elsewhere, and I'll point it out here: ARRL does not have a CISO -- a Chief Information Security Officer. They have a President, two Vice-Presidents, a CEO, a treasurer...but no one ensuring that their information systems are secure. And I really, *really* don't want to hear about, "...but they're a *small* company" -- no, they're a CORPORATION. They *really* like to put that out there in all their communications with their membership: that they're a *corporation*. Ok -- well, if you're a corporation, then you should have a Chief Information Security Officer. What we need is for organizations and corporations to be transparent up-front, *before* we fork over information, about what they're going to do about protecting the information we provide to them. Then, when they get pwned, they need to be transparent about what was compromised and why. Then, they need to be held accountable. Additionally, companies need to be made to understand that simply offering credit checks after their systems have been compromised is not a data protection policy. The bits of information that are stolen from ARRL's systems, alone, may not be enough to steal someone's identity. But these data breaches do not occur in a bubble, and information stolen from one place can be put next to information stolen from another place to then have enough information to steal someone's identity. This isn't rocket surgery - this process can be automated.
@vk6flab 28 days ago
It's interesting that an organisation such as the ARRL, supposedly with expertise in emergency situations appears to be so completely ineffectual in its own emergency.
@vk6flab 28 days ago
It is staggering to me that the concept of "Know Your Customer" (KYC) is so pervasive today that it is used as an excuse to save all incoming data. At no point has anyone stated that you should use this identity information once to establish an account, then dispose of the information. I have no doubt that the ARRL trove will turn out to contain significantly more information than the public data currently claimed. As for the lack of a CISO, par for the course in most organisations. I've been in this industry for 40 years and it's rare I come across one, let alone get quizzed by one when my services are requested. Come to think of it, I've NEVER been quizzed by a CISO (or their representative) when I start assisting a company with their ICT requirements.
@nealbeach4947 29 days ago
Technology will be the end of us all yet the moths continue towards the flame.
@vk6flab 28 days ago
So, not a collision with an asteroid?
@BrianMann216 28 days ago
I am still waiting for my tech license. I passed on May 12; ARRL says they have not received it when looking up my FRN.
@vk6flab 27 days ago
I'd contact the examiner and ask them for guidance.
@larryjanson4011 20 days ago
This is why all info on everyone, no matter who has it (CC, banks, employer, ARRL, etc.), all info should not be on any computer connected to the web.
@vk6flab 19 days ago
Whilst I understand the sentiment, how would an end-user update their data?
@kludgeaudio 19 days ago
Paper cards in the mail seem a win to me on so many different levels, because you are not at the mercy of a data processing infrastructure that someone else runs. Once I have a physical card, I have it, unless I lose it or destroy it, in which case it's me responsible for the loss.
@vk6flab 15 days ago
It's interesting that I was encouraged to join my local peak body, in my case the WIA, to get benefit from the QSL Bureau, which is ironic, since now that I am no longer a member it is potentially hampering my QSO confirmations, since cards sent to the "buro" are, as I understand their systems, likely to be shredded before I have the opportunity to collect them.
@tonyrowland9216 22 days ago
why the scent.
@vk6flab 22 days ago
I have no idea what you are referring to.
@mikedevita5558 28 days ago
Enemy hackers probing.
@vk6flab 27 days ago
Remember that anyone using an IP address that's not inside the USA is "international" and anything that socially engineers a password is "sophisticated". I'm not saying that the current statement from the ARRL is wrong, but there is plenty of history around statements made like this that turned out to be a former employee with a grudge. In other words, I'm sceptical until a full after event debrief has been published.
@Brenda-jf2pe 27 days ago
Stiff penalties for hacking are needed; our government has failed us; legislation is needed with teeth! JohnBoyUtah, yes I am a General!🇺🇸😎📡🎙
@vk6flab 26 days ago
@@Brenda-jf2pe I think that the penalties for hacking have been well and truly established with absolutely over the top claims of loss by the "victim". Where society needs to focus its attention is the corporate lack of due diligence, the absurd amount of personal information being stored and the lack of repercussions for the board of a company. Finally, the actual victims, people whose information has been stolen, not the people who have been hacked, need to have a system of redress that goes well beyond a subscription to a credit watch service.
@markr.1984 18 days ago
Glad I have never joined the ARRL!! I've always hated that organization. Many reasons but my biggest is that they have some sort of weird connection to the Freemasons. I happen to know that for a fact. Growing up in Indiana and experiencing those folks I really don't care for them. Masons dominate Indiana. I had a brother that infiltrated them to learn more about them. So now my family knows more than you wanna know about them. Trust me, you don't want to know. I understand that this has little to do with this breach or whatever it was but I'm just sayin'. When I was a ham in Indiana I saw how so many hams there (possibly the majority) are into mason stuff because I got a lot of "funny handshakes" from hams all the time.
@vk6flab 14 days ago
I think hate is a strong word and I'm unsure if it assists with enabling a discussion.
@K1OIK 29 days ago
It takes longer to say A double RL than ARRL
@vk6flab 28 days ago
Interesting assertion. Not sure if I have the energy to measure it, but I prefer to say A double R L, rather than ARRL, which I tend to only do as: A. R. R. L. when I'm referring to statements quoted from early 1900s comments.
@K1OIK 28 days ago
@@vk6flab Why do you prefer to say A double R L, rather than ARRL? To sound cool like their staff?
@vk6flab 27 days ago
@@K1OIK I have no affiliation with the organisation and my ability to sound "cool" vanished with my increasing age several decades ago.
@K1OIK 27 days ago
@@vk6flab then don't say A double RL like the employees and directors do. Do you say F double C?
@chrisk0blu594 15 days ago
From your Call Sign, I infer you have an Australian amateur radio license, and a simple QRZ search on your call sign can reveal more details about you. During an investigation of an incident, one does not discuss details in a public manner, such that anyone can read. Despite your best intentions or desires, you are complicating a crime scene in the middle of an investigation. Even e-Mails or phone calls do not authenticate you or provide any circumscribed security. Perhaps you are under the mistaken belief that just because amateur radio communication is open, unencrypted for anyone to hear. That has nothing to do with an internal investigation of a crime, which does not primarily involve you. Perhaps you have heard of the Official Secrets Act or the Digital Millennium Copyright Act. As a foreign individual, you may pose an indirect risk of phishing or social engineering, especially if you are communicating in an open manner. As an ARRL member and U.S.A. Citizen, I find the terse information appropriate and necessary. Please respect ARRL's privacy, seriously.
@vk6flab 15 days ago
You might not realise this, but like every single LoTW user, I am a potential victim of this "crime" as you put it. I have every right to make my opinion known here or on any other platform, regardless of my membership status or citizenship. I contacted the organisation that held my data and they referred me to their generic statements which, as I have pointed out on multiple occasions, do not actually answer any questions, instead hiding behind motherhood and public relations dribbling of information, something which is becoming pervasive in the case of data breaches. I note that I am an ICT consultant with over 40 years experience in addition to being an amateur and I am not alone in my disdain for the approach that the ARRL has taken in this matter. Crime or not, my activities have no impact. If they do, that speaks more to the incompetence at the ARRL than anything else. I also note that the ARRL website is currently down. Clearly they are still dealing with this issue and instead of spouting gibberish about a random field day, QST magazine and the club station being operational, they should focus their attention on their systems.