Schneier on Security
A blog covering security and security technology.
« New French Law Reduces Website Security |
| Israel's Counter-Cyberterrorism Unit »
April 12, 2011
How did the CIA and FBI Know that Australian Government Computers were Hacked?
Newspapers are reporting that, for about a month, hackers had access to computers "of at least 10 federal ministers including the Prime Minister, Foreign Minister and Defence Minister."
That's not much of a surprise. What is odd is the statement that "Australian intelligence agencies were tipped off to the cyber-spy raid by US intelligence officials within the Central Intelligence Agency and the Federal Bureau of Investigation."
How did the CIA and the FBI know? Did they see some intelligence traffic and assume that those computers were where the stolen e-mails were coming from? Or something else?
Posted on April 12, 2011 at 6:03 AM
• 60 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
That'll be the wonder of Echelon. Your tax dollars hard at work, keeping the world safe for democracy. ;-)
Isn't it the CIA's *job* to know stuff like that? They do have informants in every major government organization in the world, right? Don't you watch movies?
Snark aside, yes, it is the CIA's job, or mission anyway, to know that. In this case I rather suspect that the NSA intercepted something interesting, or possibly had some data uncovered through traffic analysis.
Assuming, of course, that the Aussie Intel guys didn't say "The CIA told us" to divert attention from their covert op that found out ;-)
"You are in a twisty maze of little passages..."
I think the intruders were hampering the operations of the NSA in Australia.
Nothing worse than stumbling over other eavesdroppers.
CIA? No it's the NSAs job as wiredog says but my money is on the FBI.
They've been using turned criminals to infiltrate collectives, gangs,
cliques, alliances, crews, mobs, syndicates, rings, posses, clans and
the illegal markets for some time. Could have been some thing offered
for sale there or braggadocio in a chat session.
Remember the principal sign that you've been compromised is someone
else calling you up to tell you about it.
Let's not assume that it's only the FBI and CIA who are involved. If for example the Russians knew of something that the Chinese were doing then they might inform the CIA or FBI as part of some deal (maybe in exchange for some of their spies being released), or maybe just to mess with the Chinese.
Wiredog's theory sounds good too. If you want attention diverted from what you are doing then assigning credit to someone on the other side of the world who isn't going to talk sounds like a good strategy.
Sounds like someone disabled the CIA's keyloggers on those Australian computers.
USA's Narus boxes detected information where it should not be, and that info had Australia stamped all over it.
@Jonathan M. Holli:
That'll be the wonder of Echelon.
I think Echelon is a myth, perpetuated by factors within the US+UK governments.
If it was real, they would have had no problems avoiding the 9-11 suicide bombers. Esp. since the US Gov't had even prepared a disaster scenario for that very same day in NY.
Or alternatively perhaps there were no 'suicide bombers'. And the US Gov't knows more about everyone that nobody cares to believe.
To be found out later.
In this case I rather suspect that the NSA intercepted something interesting...
[Rhetorical question] What are they doing intercepting other countries data traffic for?
Sorry the rhetorical question should have been: What are they doing intercepting AND analyzing other countries data traffic for? (After all NSA would not know if something is actually interesting until they analyze that something)
I have to agree with Steve on this one.
The CIA's C&C software wasn't working properly and inspection revealed the presence of competing C&C software.
Naturally, the CIA contacted the system owner and asked that they remove this peice of malware as it was interfering with their work.
I’m assuming that it’s now a widely held belief that the CIA/FBI is behind some of the “Anonymous” attacks and an eager contributor to others (in the spirit of staging abuses in order to justify erosion of our rights through changes in law and escalated enforcement). With this seeming to be the case, I’m struggling to stun myself with the idea that CIA/FBI might stand shoulder to shoulder with most hackers in most hacking efforts. If this is the case then how couldn’t they know?
@zorro "Echelon "
I figure it exists. But you can only hear what you're listening for. NSA collected all the intercepts they needed to identify what, who and when.
"gentleman don't read other gentlemen's mail." We've been penetrating and intercepting our allies comms for some time (pre-WWI?). Why? The lights better there and it's in English; so it's easier to read.
by virtue of the fact that Echelon is a popular topic it is more likely that it is two/three generations behind whatever they are currently using...
The U.S. cyber defense abilities are maturing. What is more unnoticed is our cyber offensive capabilities.
There is also cyber operations with U.S. allies.
I was under the impression we knew Echelon was real? Isn't that what the Pine Gap is for?
I'm not overly concerned about the fact that the CIA and FBI knew about the attack - someone was bound to find out at some point. What I am concerned about is the fact that the Australian Intelligence Community didn't pick up on it. It's DSD's (the Defence Signals Directorate - our version of the NSA) job to make sure this kind of thing doesn't happen, and to fix the problem when it does happen. Since this is technically an act of espionage, ASIO (the Australian Security Intelligence Organisation - our national security service. MI5 is the closest foreign equivalent.) should also have been monitoring it. If the attack emanated from overseas, ASIS (the Australian Secret Intelligence Service - roughly equivalent to MI6 or the CIA.) should have at the very least been kept up to date on the issue by DSD.
While I doubt anything important was compromised, as the computers in question were on the Parliamentary network (which is mostly used for communicating with constituents, or so I've been told), not the Ministers' departmental networks (which is where all the important stuff is kept), this still exposes a worrying hole in Australia's national security system.
Because they were offered the information from those machines, figured out where it came from (from the given samples perhaps?) and then warned the aussie government??
Likely watching TOR endpoints for traffic to the compromised machines.
I'm with BF Skinner. The FBI/CIA/SS (or all of them which is very likely), was tracking the hackers involved and the hackers dropped some info about the hack, which the Federal agencies considered serious enough to relate back to the Aussies.
No big deal. No big conspiracy theories needed.
If you read stories like Poulsen's "Kingpin", the hacker community is so riddled with FBI spies and hacker snitches that you'd have to be insane to participate in the community without heavy duty anonymity and security of your systems (which as "Kingpin" showed is pathetic in the hacker community).
The only reason the hacker community (outside of China and eastern Europe, that is, in the US) is still in existence is, like the terrorist situation, there are so many and they're engaged in so many puerile efforts that the government can't and doesn't bother to catch them all. Like the fact that identity theft is a crime where the odds of being caught are something like a thousand to one simply because the FBI/Secret Service can't afford to chase after any crime not worth $50-100K in losses - which most aren't.
Just read a Tweet from Richard Bejtlich:
Schneier asks How Did CIA/FBI Know .gov.au Computers Were Hacked? http://bit.ly/gh9Y84 Disqualifies BS from offering "cyberwar" views, IMHO.
It's pretty amazing what the NSA can do just from analyzing traffic patterns. Recently, one of their analysts noticed a small but statistically significant increase in the number of bits going into the bucket counterclockwise instead of clockwise...
More from Bejtlich Twitter:
BS' question reminds me of people who wondered how coalition forces could be coordinating with .ly rebels. Spec ops never occurred to them.
I don't mean spec ops is the answer to BS' question, though. I mean the question reveals a lack of awareness & understanding of sec reality.
Who is this idiot?
Er, unless there are special protocols in effect that govern these kind of situations - and that Wikileaks still has to reveal -, this is exactly the kind of question I would be asking too.
My money is on BF Skinner's idea. Spec ops, I doubt it. If that were the case, it would have made much more sense to relay this information to Anonymous and stay out of the picture themselves, thus avoiding anyone from asking questions.
Could be that AUS Windoze machines were infected with qbot (aka quackbot) and juicy (and identifiable) info was FTP'd to the known aggregation points - which would be reviewed by anyone who likes those juicy morsels.
@ Richard Steven Hack "WTF"
Bejtlich has skills. But I guess that doesn't disqualify him from behaving like a 14 year old school girl.
I remember Our Glorious Leader showing off her iPutz at a meeting, condescendingly comparing it to the reams of papers the other ministers brought.
I wonder if some of the shine has worn off now...
Yeah. Those things are gonna be the death of me for a couple more generations. Although Motorola has made an Android.
"Assuming, of course, that the Aussie Intel guys didn't say "The CIA told us" to divert attention from their covert op that found out ;-)"
why on earth would you "hide" "their covert op that found out" the emails were on an unclassified network, and had been going on over a month before the tip off.
and why should it be the CIA/FBI/NSA job ? This is Australian national security. Are you insinuating we are incompetent to secure our own networks?
"What are they doing intercepting AND analyzing other countries data traffic for?"
Are you kidding? What do YOU think?
"I’m assuming that it’s now a widely held belief that the CIA/FBI is behind some of the “Anonymous” attacks and an eager contributor to others (in the spirit of staging abuses in order to justify erosion of our rights through changes in law and escalated enforcement). With this seeming to be the case, I’m struggling to stun myself with the idea that CIA/FBI might stand shoulder to shoulder with most hackers in most hacking efforts. If this is the case then how couldn’t they know?"
What does any US intelligence stand to gain from unclassified government emails ?
"Are you insinuating we are incompetent to secure our own networks?"
2) Nobody else can secure their own network, either. Security is *never* priority #1 - the only secure computer is encased in concrete and switched off; "getting things done" is always higher up on the list...
the unanswered question here, that probably resolves a lot of the speculation, is *who* has been hacking the australian parliament unclassified network?
knowing there is/has been a hack is just the beginning of the game. knowing *who* and *why* - those are the really interesting/important questions.
i suspect australian internal emails popped up in amongst other data the fbi and/or cia were trolling for, or from a source they were/are interested in, and they passed them on to their australian counterparts as part of the mutual assistance arrangements.
given that there is no hint as to who, either, this is part of an ongoing surveillance, or the emails showed up in a tranche of data with messy provenance.
in any event, we're speculating because we have only the sniff of an oily rag from which to deduce the cause of an engine failure. i'm hoping *someone* has taken the cowling off to have a good look inside.
hi nerds. i can tell you how it works...
1. there are known nasty networks and single ip's for, example in China. we know they are bad and we watch them to see what they're up to.
2. there are known 'good' networks we want to keep an eye on. for example, all .gov .gov.au networks
3. when we see traffic passing between 1&2 it warrants further investigation
4. if we see nasty traffic the 'victim' will be alerted. this happens a lot more than you might think and it's usually kept hush hush for obvious reasons.
5. by the way the 'list' is mostly secret, but if there's a need to know, you will be allowed to see the relevant items.
6. Yes, it's embarrassing when you are told by another entity that your network is compromised. that should give you a clue whether or not the victims have properly implemented and managed NID/HIPS, etc.
"the unanswered question here, that probably resolves a lot of the speculation, is *who* has been hacking the australian parliament unclassified network?" Probably China, the why? Intelligence gathering.
"1. there are known nasty networks and single ip's for, example in China. we know they are bad and we watch them to see what they're up to.
2. there are known 'good' networks we want to keep an eye on. for example, all .gov .gov.au networks"
Bit of a gross oversimplification when traffic can be routed through any number of geographic locations to attempt to conceal this.
"Nobody else can secure their own network" - Disagreed.
"2) Nobody else can secure their own network, either. Security is *never* priority #1 - the only secure computer is encased in concrete and switched off; "getting things done" is always higher up on the list..."
I never argued about priorities, and in fact, "getting things done" is in some cases/organisations; Security.
Wild-ass guess: Auzzie gov't licenses copies of Windows/OS from Microsoft. Copies of the ubiquitous software are manufactured in a certain 3rd party country. The gov't of this country owns more than a few manufacturing plants. 3rd-shift Sneaky Petes insert code on select disc serials. Or provide counterfeit discs [with holograms] in pilfered packaging. For graduate-level paranoia, think about every DOS copy produced, ever, calling home to mama before Sunday dinner. Gentlemen don't need to read each others mail...they were at the desk when the letters were written.
"Sounds like someone disabled the CIA's keyloggers on those Australian computers."
I'm with Steve on this, lets be honest the DSD still has not finished the meta data signals analysis of Exmouth, from HH's time as PM! (for the obvious reasons)
I believe this is CIA's way of saying "you've been hacked!" :)
How about taking things down a few levels to say physical geography and what effect it has on shipping high bandwidth data.
As some might have noticed Australia is a very large island that is almost unoccupied in comparison to other islands.
Then ask yourself how data moves around the island, that is do you think it's microwave link towers or optical cable etc etc. Having done that then ask yourself how it get's out to the rest of the world and how.
Then ask who elses traffic might go through Australia. When you get that in perspective it might give you an insight as to why various countries might well be interested in Australia.
Failing all else go and look up the British USA agreement (BRUSA) where amongst other things the Brit's agreed to spy on USA citizens for the US, and the US agreed to spy on British Citizens for the British Government. All so the Politico's could stand up in their respective places of accountability and say hand on heart "we do not spy on our citizens!".
Over the years BRUSA has expanded to include most White Anglo Saxon Protestant (WASP) nations, and in many cases the "signals directorates" of different countries have better relations than they do with other departments in their own countries.
When you have such agreements in place you generaly form a fraternal intrest in each other and watch each others backs. The UK and USA are known to have informed each others on such things as TEMPEST and Crypto/Signals Security, Traffic Analysis. Less well known is they actually test each others systems and procedures out all the time as it keeps people on their toes.
But you also have to remember that they swap intel all the time (have a look at the Wiki Leaks cables to see that). And once you share a secret it's in your own interest to make sure it stays that way. So they tend to want to ensure "their partners" are upto scratch keeping things confidential. Likewise it's no big secret that the people that most often leak secrets are Government Ministers, Politicos and their various hangers on (think back to the recent cases of Russians being re-patriated who had been working as interns/assistants to various polititions).
Nor is it any secret that Politicos like their electronic toys (ObahmaBerry anybody?) most of which were never designed for high level security. Further other toys of conveniance such as mobile phones, I'm sure it's not just the Greek Government who have had issues with them.
At one point spying was once known as "The Great Game" because you very much knew what your oponents and alies where doing but never quite enough to be sure, so you had to keep playing in the game.
For all their sins good and bad Austrailian Polititions have a history of "gaffs" with their own press (much as we do in Britain). Unlike the US political press who almost all qualify as being sycophantic the British and more so the Australians have a more adversarial relationship, which we tend to regard as being healthier. And sometimes the "rough and ready" nature of things elicits more information out of Politico's and their hangers on than you would expect.
In America most people do not believe (or used not to) that their Government spyed on them one way or another. In Britain most people of any consiquence were well aware the Government took interest in them through the likes of MI5 and the Special Branch but accepted it as part and parcel of having a near civil war going on in the back garden (ie NI and the Unionist and Republican terrorists). Further the likes of the activities of trying to break the Unions during the Thatcher years and her obsesive desire to prosecute people including journalists via the OSA. As she felt that DORA and the 'D notices' were not working with the Press any longer.
In some respects Australia is a bit new to the game with regards the press and any thing with a wiff of politicals embarisment does get rather more of an airing there than it would in Britain or America.
"Then ask who elses traffic might go through Australia. When you get that in perspective it might give you an insight as to why various countries might well be interested in Australia."
OK I'll bite: which other countries Internet routes through Australia?
I've traveled extensively in SE Asia, Australia and NZ and I don't ever remember seeing a tracert indicate that traffic was going through any Australian hubs, apart from when I was in Australia naturally.
@inf0sec 'we are incompetent to secure our own networks? '
Reread the story. Insinuating, no.
Clearly stating -- Yes.
"What does any US intelligence stand to gain from unclassified government emails "
Dunno. Maybe a lot of choice political intel on which way an ally's trending, what
votes important to the US are likely to pass/fail, who's sleeping with who,
who is on the take, what Australian's think is funny?
@supachupa - who is this "we" of which you speak?
@RobertT - in theory any internet traffic could end up routing through Australia.
@inf0sec - ""Nobody else can secure their own network" - Disagreed."
Who has a secure network?
On the question of who is behind the attacks, there are a few possibilities:
1. It was China.
2. It was a bunch of 14 year olds fooling around.
3. It was the US Government, and the Australian spooks found out. In order to to prevent a mutually damaging international incident, a secret back room deal was struck between the two countries to publicly state that the US had politely tipped Australia off about cyber attacks on its parliamentary network (in exchange for the immediate cessation of said attacks by the US).
4. Australia and Indonesia spy on each other a lot, so I suppose they could have also been behind it.
6. An Australian Government agency, such as DSD.
No on to the whys:
1. China: because they can. There's really not much information of value on the network in question, so that's the only reason I can think of.
2. 14 year olds fooling around: because they can. Because it's fun. To show off to their friends. You get the picture.
3. USA: Australia and the US may be allies, but at the end of the day, there's no such thing as a friendly foreign intelligence service. This still doesn't explain why anyone would bother to hack an unclassified network though. Either way, there's no proof to back this theory up. It is entirely plausible however, at least in theory.
4. Indonesia: Again, I still can't see why they'd bother hacking this particular network, but then again I'm not sure how sophisticated Indonesia's cyber capabilities are.
5. Russia: see China.
6. DSD: To scare the Government into increasing their funding. They may have been better off penetrating a more important network, but this alone would probably be enough to get their point across. As with the US, there's absolutely no evidence to back this up, but it's still an interesting theory.
In all honesty, I'd say option 2 is the most likely - 14 year old kids showing off. My second choice would be China. I guess we'll never really know...
@ Robert T,
"OK I'll bite: which other countries Internet routes through Australia?"
Rather more than you would think there are subsea cables from Auz to,
Canada, Guam, Hong Kong, Indionesia, Japan, Korea,Malaysier, New Zeland, New Caledonia, Papua New Guinea, Philippines, Singapore, Taiwan, Thailand, USA.
However under normal conditions traffic does not go from Korea to the US via Aus but Japan. However under fault conditions it does.
Such fault conditions are as recently experianced a major subsea earthquake to the North East of Japan, or when China sends one of it's subs down again and cuts another subsea cable over the US giving assistance to Taiwan. Or when a China Telecom technician puts the wrong info into the Border Gateway protocol.
Back in the last decade or so I had significant reason to take interest in the subsea cabeling in A-Pac and as you have noted this is were most silicon is produced these days, and these are the cables over which the designs are sent.
Now take a look at this map,
And look at how Australia is connected at either end of the chain with links of to the continental USA and thus out to most of the rest of the world.
Look at the position of the bulk of the current data carrying cables of to the US is via NE Japan slap bang through the recent subsea earthquage subduction zone and ask what would have happened if all that fiber had gone dark?
Likewise assume China throws the toys out of the pram again and either tries to muck up the routing on their borders or goes swiming with the bolt cutters again...
All of a sudden Australia is going to be appearing in the middle of an awfully large number of trace routes as European and US customers try to talk to their suppliers in the various Tiger countries...
As was once pointed out to me,
"Because something is not of stratigic or tactical importance today, don't make the mistake of thinking it will be the same tomorow. That is how wars are lost, if you don't take the right precautions you can end up like the British, losing Singapore, when the Japanese snuck through the open back door."
Social engineering. They just asked Mark Habib when he dropped by the embassy for a chat.
"Dunno. Maybe a lot of choice political intel on which way an ally's trending, what
votes important to the US are likely to pass/fail, who's sleeping with who,
who is on the take, what Australian's think is funny?"
First few examples you have mentioned *should* not flow through that network. (I know sure, not everything is classed properly - why I've said should). The latter could be obtained in far easier and much less obvious methods than this case.
And US would risk relations for such low value information? Personally, I doubt it... They've no doubt already got this information.
@Macca Why would Mark Arbib know that they'd been hacked before the intelligence community did?
@Inf0sec I'd have to agree. If the Americans needed to know something like that, they could just ask one of their contacts in either the Department of the House of Representatives or the Department of the Senate (of which I'm sure they have many).
Lazlo Jamf: Re Windows, I might add that anyone who doesn't think the NSA has backdoors into literally every copy of every Windows sold is deluding themselves.
I believe when Vista (or 7, probably both) was being written, Microsoft enlisted the NSA to try to break the security (this was reported in a matter of fact manner in the media). Naturally, the NSA would find, say, ten possible ways - and tell Microsoft about seven of them. Anyone who thinks the NSA would behave differently just doesn't understand the intelligence mind.
So if it wasn't a case of the FBI getting the info via the hacker community's lousy security, then it probably was a US government hack of Australia's highest ranking personnel.
And nothing says it couldn't be both - a hint from the hackers followed up by US hacking.
The article was published in one of the Murdoch rags. Murdoch is pissed that his team didn't make it Government. Murdoch thinks this is a damaging story because he is stupid and he thinks that anything that mentions computers and spies in the same sentence must be damaging to the Government.
Murdoch didn't notice that the Wikileaks from Australia were actually articles from his own Australian newspapers being sent back by some wanker at the US Embassy as intelligence - as good as it gets I suppose.
this girl with big tits on facebook sent this intern a link to her naked gallery that's made in Java and clicked run inspite of the certificate error 'cause come on....did you see them tits on the bird?
@inf0sec "... examples ... mentioned *should* not flow through that network. ... The latter could be obtained in far easier and much less obvious methods than this case.
And US would risk relations for such low value information? Personally, I doubt it... They've no doubt already got this information.
HUMINT is pricey. You have to develop contacts, compromise people or use people self compromised which usually means paying them and the kind of people who would sell out their nation for filthy lucre are not the high end of the ethical ladder.
Okay so you "doubt it" and then say the US already HAS this information. This is a confusing construct. But while I disagree on US risking relations, we have, do and would (Gentlemen DO read other gentlemen's mail) I would say THIS is exactly how they get it.
It's called Pine Gap Station (JDS) original Cname: "merino"
Location: 23° 47'52" x 133° 44'12"
They know EVERYTHING that goes over telecomm, internet, etc. inbound/outbound Aus. & USA SIGINT/ELINT - (ESCHELON)
Here's a back story link:
You know it could be even simpler than that. We do joint military exercises and we probably collaborate on cybersecurity.
It could have been as simple as someone telling the Aussies at some collaborative event that "Umm hey guys that weird traffic pattern you mentioned we found out was a worm last month"
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.