MIT’s Computer Science and Artificial Intelligence Lab: In recent months, government officials in the United States, the United Kingdom, and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes.
Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — just published by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.” [Continue reading…]
Category Archives: information security
Hacks of OPM databases compromised 22.1 million people, federal authorities say
The Washington Post reports: Two major breaches last year of U.S. government databases holding personnel records and security-clearance files exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends, U.S. officials said Thursday.
The total vastly exceeds all previous estimates, and marks the most detailed accounting by the Office of Personnel Management of how many people were affected by cyber intrusions that U.S. officials have privately said were traced to the Chinese government.
But even beyond the rising number of apparent victims, U.S. officials said the breaches rank among the most potentially damaging cyber heists in U.S. government history because of the abundant detail in the files. Officials said hackers accessed not only personnel records of current and former employees but also extensive information about friends, relatives and others listed as references in applications for security clearances for some of the most sensitive jobs in government. [Continue reading…]
Inside the hack of the century
Peter Elkind writes: On Monday, Nov. 3, 2014, a four-man team from Norse Corp., a small “threat-intelligence” firm based in Silicon Valley, arrived early for an 11:30 a.m. meeting on the studio lot of Sony Pictures Entertainment, in the Los Angeles suburb of Culver City. They were scheduled to see Sony’s top cybersecurity managers to pitch Norse’s services in defending the studio against hackers, who had been plaguing Sony for years.
After a quick security check at the front gate and then proceeding to the George Burns Building on the east side of the Sony lot, the Norse group walked straight into the unlocked first-floor offices of the information security department, marked with a small sign reading info sec. There was no receptionist or security guard to check who they were; in fact, there was no one in sight at all. The room contained cubicles with unattended computers providing access to Sony’s international data network.
The visitors found their way to a small sitting area outside the office of Jason Spaltro, Sony’s senior vice president for information security, settled in, and waited. Alone. For about 15 minutes.
“I got a little shocked,” says Tommy Stiansen, Norse’s co-founder and chief technology officer. “Their Info Sec was empty, and all their screens were logged in. Basically the janitor can walk straight into their Info Sec department.” Adds Mickey Shapiro, a veteran entertainment attorney who helped set up the meeting and was present that day: “If we were bad guys, we could have done something horrible.”
Finally Spaltro, who’s worked at Sony since 1998, showed up and led them to a nearby conference room, where another studio information security executive was waiting. The meeting began, and as Stiansen described how Norse scopes out potential threats, Spaltro interrupted: “Boy, that could really help us with that North Korean film!” According to the four Norse representatives, Spaltro explained that he was worried about a Seth Rogen comedy called The Interview that the studio was preparing to release on Christmas Day. It featured a plot to assassinate Kim Jong-un, the country’s actual leader. Recalls Stiansen: “They said North Korea is threatening them.” (Sony denies any mention of a North Korean cyberthreat.)
After about an hour the Sony team declared the session “very productive,” according to the Norse team, and promised to be in touch. They departed, leaving the visitors to find their own way out.
Three weeks later — starting at about 7 a.m. Pacific time on Monday, Nov. 24 — a crushing cyberattack was launched on Sony Pictures. Employees logging on to its network were met with the sound of gunfire, scrolling threats, and the menacing image of a fiery skeleton looming over the tiny zombified heads of the studio’s top two executives.
Before Sony’s IT staff could pull the plug, the hackers’ malware had leaped from machine to machine throughout the lot and across continents, wiping out half of Sony’s global network. It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead.
From the moment the malware was launched — months after the hackers first broke in — it took just one hour to throw Sony Pictures back into the era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.
That was only the beginning of Sony’s horror story. [Continue reading…]
Hackers warned about internet vulnerabilities but were ignored
The Washington Post reports: The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.
Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.
“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.
The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said.
What happened instead was a tragedy of missed opportunity, and 17 years later the world is still paying the price in rampant insecurity. [Continue reading…]
Attack gave Chinese hackers privileged access to U.S. systems
The New York Times reports: For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities.
But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data, according to American officials briefed on a federal investigation into the attack and private security experts.
Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems, two senior administration officials said. The hackers began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.
Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.
“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.” [Continue reading…]
In report on data collection practices, WhatsApp and AT&T fail the test
The New York Times reports: In the post-Snowden era, tech companies are increasingly being rated not only for the quality of their gadgets and services, but also for how they handle government requests for customer data. In the Electronic Frontier Foundation’s annual report on data collection practices, tech companies like Yahoo, Apple and Adobe earned top marks, while WhatsApp and AT&T came in last.
The report this week from the E.F.F., a nonprofit that focuses on digital rights, evaluated companies based on factors including their transparency to consumers about data requests and data retention, as well as their public positions on so-called back doors that grant government agencies access to customer data.
Apple, Adobe, Yahoo, Dropbox and Sonic.net were among those that scored highly. AT&T and WhatsApp, which earned the lowest marks, with one out of five stars, did not immediately have comments. Verizon Communications, which earned two stars in the report (down from four stars last year when the report had slightly different criteria) declined to comment. [Continue reading…]
Fed personnel agency admits history of security problems
The Associated Press reports: An Office of Personnel Management investigative official said Tuesday the agency entrusted with millions of personnel records has a history of failing to meet basic computer network security requirements.
Michael Esser, assistant inspector general for audit, said in testimony prepared for delivery that for years many of the people running the agency’s information technology had no IT background. He also said the agency had not disciplined any employees for the agency’s failure to pass numerous cyber security audits.
Esser and others were testifying Tuesday to the House Oversight and Government Reform Committee about the cyber-theft of private information on millions of former and current federal employees, as well as U.S. security clearance holders, by hackers linked to China.
Officials fear that China will seek to gain leverage over Americans with access to secrets by pressuring their overseas relatives, particularly if they happen to be living in China or another authoritarian country. Over the last decade, U.S. intelligence agencies have sought to hire more people of Asian and Middle Eastern descent, some of whom have relatives living overseas. The compromise of their personal data is likely to place additional burdens on employees who already face onerous security scrutiny.
China denies involvement in the cyberattack that is being called the most damaging U.S. national security loss in more than a decade.
The potential for new avenues of espionage against the U.S. is among the most obvious repercussions of the pair of data breaches by hackers who are believed to have stolen personnel data on millions of current and former federal employees and contractors. [Continue reading…]
When secret government talks are hacked it shows no one is secure in the connected age
By Carsten Maple, University of Warwick
Hotel rooms aren’t as private as they used to be. Recent reports suggest luxury hotels may have been targeted by national intelligence services trying to spy on negotiations over Iran’s nuclear programme.
The talks weren’t bugged in the traditional way of hiding microphones in the room. Instead, hackers infected hotel computers with a computer virus that its discoverers say may have been used to gather information from the hotels’ security cameras and phones.
The virus was discovered by cyber-security firm Kaspersky Labs when the company itself was infected by a sophisticated worm known as Duqu2. Kaspersky went about investigating which other systems around the world might have been attacked. Among the huge range of systems they checked, thousands of hotel systems were analysed. Most of these had not been subjected to an attack, but three luxury European hotels had also been hit by Duqu2.
Each was compromised before hosting key negotiations between Iran and world leaders regarding the country’s nuclear programme. Having previously been accused by the US of spying on the talks, Israel – which was not involved in the discussions – is now under suspicion of (and denies) deploying the virus.
Hackers gained access to records on ‘almost everybody who has got a United States security clearance’
The Associated Press reports: Hackers linked to China have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, U.S. officials said Friday, describing a cyberbreach of federal records dramatically worse than first acknowledged.
The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.
In a statement, the White House said that on June 8, investigators concluded there was “a high degree of confidence that … systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”
“This tells the Chinese the identities of almost everybody who has got a United States security clearance,” said Joel Brenner, a former top U.S. counterintelligence official. “That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.” [Continue reading…]
Adrienne LaFrance writes: it is clear that large-scale data theft is a major problem facing the United States. It has happened before and it will happen again.
In 2012, Verizon said that “state-affiliated actors” made up nearly one-fifth of the successful breaches it recorded that year. In 2013, hackers stole data about more than 100,000 people from the Department of Energy’s network. Officials in the United State blame China for years-long hacking attempts against the Veteran Affairs Department that began as early as 2010 and compromised more than 20 million people’s personal information. And even though the Office of Personnel Management had been hacked before, it appears the agency continued to be astonishingly lax about its own security. [Continue reading…]
Big U.S. data breaches offer treasure trove for hackers
Reuters reports: A massive breach of U.S. federal computer networks disclosed this week is the latest in a flood of attacks by suspected Chinese hackers aimed at grabbing personal data, industrial secrets and weapons plans from government and private computers.
The Obama administration on Thursday disclosed the breach of computer systems at the Office of Personnel Management and said the records of up to 4 million current and former federal employees may have been compromised.
U.S. officials have said on condition of anonymity they believe the hackers are based in China, but Washington has not publicly blamed Beijing at a time when tensions are high over Chinese territorial claims in the South China Sea. [Continue reading…]
As encryption spreads, U.S. grapples with clash between privacy, security
The Washington Post reports: For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?
Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?
“I don’t want a back door,” Rogers, the director of the nation’s top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. “I want a front door. And I want the front door to have multiple locks. Big locks.”
Law enforcement and intelligence officials have been warning that the growing use of encryption could seriously hinder criminal and national security investigations. But the White House, which is preparing a report for President Obama on the issue, is still weighing a range of options, including whether authorities have other ways to get the data they need rather than compelling companies through regulatory or legislative action.
The task is not easy. Those taking part in the debate have polarized views, with advocates of default commercial encryption finding little common ground with government officials who see increasing peril as the technology becomes widespread on mobile phones and on text messaging apps. [Continue reading…]
The mysterious internet mishap that sent data for the UK’s nuclear program to Ukraine
Quartz reports: The information superhighway got diverted last week when a Ukrainian internet service provider hijacked routes used by data heading for websites in the United Kingdom, according to a company that monitors and optimizes internet performance. The action could be a mere glitch — or something more sinister in an era of geopolitical cyber conflicts.
The issue at hand is the way disparate computer networks merge into the internet. The networks announce to one another which internet users — more technically, which IP addresses — they serve so that data can be routed accordingly; a US internet service provider might tell the world it can give you access to the Library of Congress, while one in Germany would say that it can reach BMW’s main website.
Dyn, the company that noted the incident, keeps an eye on network traffic patterns. Doug Madory, the company’s director of internet analysis, spotted something strange: Vega, a Ukranian internet service provider, had announced it was serving numerous IP addresses in the United Kingdom. Advertising the wrong addresses is called “route hijacking,” and it is often a quickly-corrected mistake — for instance, an employee of an internet service provider makes a typo while typing into a router. In this case, the affected addresses included those operated by defense contractors Lockheed Martin and Thales, the UK Atomic Weapons Establishment, and the Royal Mail. [Continue reading…]
Politics intrude as cybersecurity firms hunt foreign spies
Reuters reports: The $71 billion cybersecurity industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations.
Moscow-based cybersecurity firm Kaspersky Lab has become a leading authority on American computer espionage campaigns, but sources within the company say it has hesitated at least twice before exposing hacking activities attributed to mother Russia.
Meanwhile, U.S. cybersecurity firms CrowdStrike Inc and FireEye Inc (FEYE.O) have won fame by uncovering sophisticated spying by Russia and China – but have yet to point a finger at any American espionage.
The balkanization of the security industry reflects broader rifts in the technology markets that have been exacerbated by disclosures about government-sponsored cyberattacks and surveillance programs, especially those leaked by former U.S. intelligence agency contractor Edward Snowden.
“Some companies think we should be stopping all hackers. Others think we should stop only the other guy’s hackers – they think we can win the war,” said Dan Kaminsky, chief scientist at security firm White Ops Inc, putting himself in the former camp.
Kaspersky Lab has faced questions about its connections to Russian intelligence before: Chief Executive Eugene Kaspersky had attended a KGB school, Chief Operating Officer Andrey Tikhonov was a lieutenant colonel in the military, and Chief Legal Officer Igor Chekunov had served in the KGB’s border service.
Eugene Kaspersky said the firm has never been asked by a government agency to back away from investigating a cyberattack, and said that its international team of researchers would not be swayed by any one country’s national interests.
Still, several current and former Kaspersky Lab employees said the firm has dithered over whether to publish research on at least two Russian hacking strikes.
Last year, Kaspersky Lab officials privately gave some paying customers a report about a sophisticated computer spying campaign that it had uncovered. But the company did not publish the report more widely until five months after British defense contractor BAE Systems Plc (BAES.L) exposed the campaign, linking it to another suspected Russian government operation and noting that most infected computers were found were in Ukraine. [Continue reading…]
We still don’t know who hacked Sony
Bruce Schneier writes: If anything should disturb you about the Sony hacking incidents and subsequent denial-of-service attack against North Korea, it’s that we still don’t know who’s behind any of it. The FBI said in December that North Korea attacked Sony. I and others have serious doubts. There’s countervailing evidence to suggest that the culprit may have been a Sony insider or perhaps Russian nationals.
No one has admitted taking down North Korea’s Internet. It could have been an act of retaliation by the U.S. government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government.
Not knowing who did what isn’t new. It’s called the “attribution problem,” and it plagues Internet security. But as governments increasingly get involved in cyberspace attacks, it has policy implications as well. [Continue reading…]
U.S. puts new focus on fortifying cyber defenses
The Wall Street Journal reports: The Obama administration is increasingly concerned about a wave of digital extortion copycats in the aftermath of the cyberattack on Sony Pictures Entertainment, as the government and companies try to navigate unfamiliar territory to fortify defenses against further breaches.
About 300 theaters on Thursday screened the movie that apparently triggered the hacking attack, a comedy about the assassination of North Korean leader Kim Jong Un, after Sony reversed its initial decision to acquiesce to hacker demands that the film be shelved.
Still, the threat to Sony — allegedly by North Korea—marked “a real crossing of a threshold” in cybersecurity, given its unusually destructive and coercive nature, said Michael Daniel, the cybersecurity coordinator for the White House National Security Council.
“It really is a new thing we’re seeing here in the United States,” Mr. Daniel said. “You could see more of this kind of activity as countries like North Korea and other malicious actors see it in their interest to try and use that cyber tool.” [Continue reading…]
Countries like North Korea is arguably a category of one. “Other malicious actors” is the group to be more concerned about — a category in which governments may still be in the minority. It’s a group that includes disgruntled employees, hackers, hactivists, criminal organizations, and corporate competitors.
U.S. links North Korea to Sony hacking
The New York Times reports: American officials have concluded that North Korea ordered the attacks on Sony Pictures’s computers, a determination reached as the studio decided Wednesday to cancel the release of a comedy movie about the assassination of Kim Jong-un that is believed to have led to the hacking.
Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign. Sony’s decision to cancel release of “The Interview” amounted to a capitulation to the threats sent out by hackers this week that they would launch attacks, perhaps on theaters themselves, if the movie was released.
Officials said it was not clear how the White House would decide to respond to North Korea. Some within the Obama administration argue that the government of Mr. Kim must be directly confronted, but that raises the question of what consequences the administration would threaten — or how much of its evidence it could make public without revealing details of how the United States was able to penetrate North Korean computer networks to trace the source of the hacking.
Others argue that a direct confrontation with the North over the threats to Sony and moviegoers might result in escalation, and give North Korea the kind of confrontation it often covets. Japan, for which Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations underway for the return of Japanese nationals kidnapped years ago.
The sudden urgency inside the administration over the Sony issue came after a new threat was delivered this week to desktop computers at Sony’s offices that if “The Interview” was released on Dec. 25, “the world will be full of fear.” It continued: “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
Sony dropped its plan to release the film after the four largest theater chains in the United States — Regal Entertainment, AMC Theaters, Cinemark and Carmike Cinemas — and several smaller chains said they would not show the film. The cancellations virtually killed “The Interview” as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie.
While intelligence officials have concluded that the cyberattack on Sony was both state sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with an intimate knowledge of the company’s computer systems. [Continue reading…]
Jason Koebler reports: North Korea has denied playing a role in the hack, but called it a “righteous deed.” There’s nothing, really, beyond hatred of The Interview, to tie Guardians of Peace [as the hackers have dubbed themselves] to North Korea, but it’s still a narrative that has played out in the media.
And it’s a narrative that both sides are happy to embrace, [cybersecurity expert Bruce] Schneier speculated in an interview with me. Sony execs can say they’ve been targeted by a dictatorship, and the hackers get to have some fun.
“It’s really a phenomenally awesome hack — they completely owned this company,” Schneier, who is regularly consulted by the federal government on security issues, said. “But, I think this is just a regular hack. All the talk, it’s hyperbole and a joke. They’re [threatening violence] because it’s fun for them — why the hell not? They’re doing it because they actually hit Sony, because they’re acting like they’re 12, they’re doing it for the lulz, no one knows why.”
“Everyone at Sony right now is trying not to get fired,” he added. “There are going to be a lot of firings for Sony at the end of this.” [Continue reading…]
A TMZ headline on Sony Pictures Chief Amy Pascal says ambiguously, “I’m going nowhere” — she’s staying or she’s finished?
Underlining her conviction that everyone inside Sony is blameless, Pascal told Bloomberg News: “I think continuity and support and going forward is what’s important now.” Continuity = no one gets fired. Support = no criticism. Going forward = don’t look back.
But screenwriter Aaron Sorkin is in no doubt about who deserves blame: the press.
If you close your eyes you can imagine the hackers sitting in a room, combing through the documents to find the ones that will draw the most blood. And in a room next door are American journalists doing the same thing. As demented and criminal as it is, at least the hackers are doing it for a cause. The press is doing it for a nickel.
The cause of the hackers being? To defend the image of Kim Jong-un?
I don’t buy it. Much more likely this is an ongoing test of power with the hackers flexing their muscles and now demonstrating that they have the power to torpedo the release of a movie that cost $44 million to produce.
What next?
The looming digital security catastrophe
Nicole Perlroth reports: Paul Kocher, one of the country’s leading cryptographers, says he thinks the explanation for the world’s dismal state of digital security may lie in two charts.
One shows the number of airplane deaths per miles flown, which decreased to one-thousandth of what it was in 1945 with the advent of the Federal Aviation Administration in 1958 and stricter security and maintenance protocols. The other, which details the number of new computer security threats, shows the opposite. There has been more than a 10,000-fold increase in the number of new digital threats over the last 12 years.
The problem, Mr. Kocher and security experts reason, is a lack of liability and urgency. The Internet is still largely held together with Band-Aid fixes. Computer security is not well regulated, even as enormous amounts of private, medical and financial data and the nation’s computerized critical infrastructure — oil pipelines, railroad tracks, water treatment facilities and the power grid — move online.
If a stunning number of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits and a cutback in air travel, and the airlines’ stock prices would most likely plummet. That has not been true for hacking attacks, which surged 62 percent last year, according to the security company Symantec. As for long-term consequences, Home Depot, which suffered the worst security breach of any retailer in history this year, has seen its stock float to a high point.
In a speech two years ago, Leon E. Panetta, the former defense secretary, predicted it would take a “cyber-Pearl Harbor” — a crippling attack that would cause physical destruction and loss of life — to wake up the nation to the vulnerabilities in its computer systems.
No such attack has occurred. Nonetheless, at every level, there has been an awakening that the threats are real and growing worse, and that the prevailing “patch and pray” approach to computer security simply will not do. [Continue reading…]
The FBI’s secret House meeting to get access to your iPhone
National Journal reports: The Obama administration is ramping up its campaign to force technology companies to help the government spy on their users.
FBI and Justice Department officials met with House staffers this week for a classified briefing on how encryption is hurting police investigations, according to staffers familiar with the meeting.
The briefing included Democratic and Republican aides for the House Judiciary and Intelligence Committees, the staffers said. The meeting was held in a classified room, and aides are forbidden from revealing what was discussed.