Schneier on Security
A blog covering security and security technology.
July 26, 2006
Sloppy CIA Tradecraft
CIA agents exposed due to their use of frequent-flier miles and other mistakes:
The man and woman were pretending to be American business executives on international assignments, so they did what globe-trotting executives do. While traveling abroad they used their frequent-flier cards as often as possible to gain credits toward free flights.
In fact, the pair were covert operatives working for the CIA. Thanks to their diligent use of frequent-flier programs, Italian prosecutors have been able to reconstruct much of their itinerary during 2003, including trips to Brussels, Venice, London, Vienna and Oslo.
Aides to former CIA Director Porter Goss have used the word "horrified" to describe Goss' reaction to the sloppiness of the Milan operation, which Italian police were able to reconstruct through the CIA operatives' imprudent use of cell phones and other violations of basic CIA "tradecraft."
I'm not sure how collecting frequent-flier miles is a problem, though. Assuming they're traveling under the cover of being business executives, it makes sense for them to act just like other business executives.
It's not like there's no other way to reconstruct their travel.
Posted on July 26, 2006 at 1:22 PM
As a frequent business traveler myself, I would have been very suspicious if they didn't use Frequent Flier programs and take advantage of seat upgrades and such. It would also have been weird for them to not use their cell phones frequently (there's not always much else to do in some airports).
There has to be some other reason (perhaps it was bad tradecraft) that brought them to the attention of the Italian authorities. What that might be, I couldn't venture to speculate.
Frequent flier numbers make it easy for the prosecutor to access (is a subpoena needed?) a single site and get all the travels. Otherwise he'd have to go through the laborious checking of border-crossing records at the airports or checking with each airline directly.
The Italian authorities already knew who they were: they're the CIA agents being prosecuted for the "extraordinary rendition" of an Italian citizen. The Italian government used the frequent-flier information to reconstruct their travels in order to show that the two were following the man they're accused of kidnapping.
So what have we learned? The Tribune's executives are probably banned from using frequent flyer miles. ^o^
Perhaps the idea of the tradecraft is to create an identity that uses the frequent flyer miles within scope of the identity alone instead of using the frequent flyer miles across multiple "assignments" for personal usage. This would satisfy normal usage patterns as well as not reveal previous assignments.
It would be quite stupid - but maybe they used the same flyer cards (maybe even their personal ones as in: real name) while disguising themselves with different identities?
Heh, heh. The secret police is having trouble operating in the total surveillance state.
Rule # 1 - Do not get caught... oops!
It sounds to me (based on the summary in the entry; the linked article is login-to-read) like they're damned if they do, damned if they don't: they need to use the frequent flyer cards and cell phones in order to stay in character, because their cover identities are people who definitely would; but doing so means that their activities can be tracked.
If it's a bad thing that CIA operatives pretending to be business executives can have their activities tracked... maybe that means it's also a bad thing that real business executives can similarly have their activities tracked!
Porter Goss "horrified" at their tradecraft, that's hilarious. That's like Sylvester the Cat criticizing Wile E Coyote's Road-Runner-catching technique.
"maybe that means it's also a bad thing that real business executives can similarly have their activities tracked!"
"maybe that means it's also a bad thing that real business executives DO similarly have their activities tracked!"
I don't think there's any doubt ...
Multiple pseudonyms, multiple cards.
After all, if multiple pseudonyms works for posting on this blog, it'll work anywhere. Well, anywhere that doesn't require a digital passport and have an access log...
It wouldn't even have to be one pseudonym per trip (department budgets aren't what they were; the Agency'd hate to lose all those frequent flier miles). All it has to be is a few pseudonyms randomly used, to break up the chain of trips from being an obvious case of following one target.
Then again, I bet the operatives weren't expecting to have the Italian police trying to track them later, either. D'OH!
"they need to use the frequent flyer cards and cell phones in order to stay in character, because their cover identities are people who definitely would"
Is it so rare that someone like their cover identities would be paranoid enough to avoid frequent flyer programs? It's really just a minor perk, one that has even less value if you use multiple airlines.
Is it so rare that someone like their cover identities would be paranoid enough to avoid frequent flyer programs?
I think it might be. Certainly, it would make the person stand out, and a CIA agent doesn't want to.
I read a story very like this recently; I can't be sure if it was the same people or not, but the key factor was that they were travelling as John and Jane Doe but redeeming the frequent-flier points under their real names.
I can't find a reference, does anyone else remember it?
In today's interconnected world, I imagine it's difficult to appear to be just another person without being traceable. Any normal person leaves behind so much information in their wake it'd be a red flag to do otherwise.
Seems like a sort of basic traffic analysis mistake. A simple solution is to have "drones", whose sole purpose is to give the false identity a masked traffic pattern. They get the frequent flyer card, travel around to locations, staying for durations, renting cars, etc. Then when you want the actual agent to go out on a mission, a drone goes to "home base" and deactivates the false identity. The real agent activates it and goes on the mission.
You can decouple it further by having N*M drones and M agents. You have M classes of drone, each with a collection of N actual drones, each class assigned to one agent. Then an agent uses a random drone "identity" for each mission.
Every once in a while, you assign a drone a new fake identity and eliminate the old one (do this plausibly). Then you have a very difficult pattern to match.
One would think the officials would have set up some sort of low-profile frequent flyer program for 'special agents' with the airlines.
One would also think that airlines would be grateful in serving their political masters after all the years of multi-billion dollar subsidies.
I'm actually shocked that the government doesn't simply hand out flyer-miles as a benefit, bribe, or rationing control, just like it has done with sugar, tires, shoes, appliances, etc... in past military expeditions.
The Fed can create money out of thin air - why not flyer-miles as well? Surely this is a more effective corporate welfare scheme than the one that exists now.
I think the miles are the amusing part of the story. It nicely demonstrates why you shouldn't take identity management for granted.
I thought this was also interesting:
"'We had information from reliable intelligence sources,' [Krekar's Norwegian lawyer] Meling said Friday. 'We were told that it was a kidnapping plan. We were told that there were sent agents from the United States that were meant to bring Mullah Krekar to Guantanamo,' the prison at the U.S. base in Cuba where hundreds of terrorism suspects are held.
Asked why he believed he had been tipped off about the Americans' intentions, Meling said 'a lot of people with integrity in the [Norwegian] government didn't like the situation. And therefore, there [were] quite a lot of leaks, and some of them came to my knowledge.'"
Sloppy indeed. But more importantly the mission appears to have been strongly opposed by the local government -- even the police. Only thing worse might have been if the airlines themselves were against the plan.
"In the end, the CIA operatives flew home empty-handed. 'There was too much noise,' Meling said. 'They couldn't do it without a lot of public mess and diplomatic trouble. Anyway, they wouldn't get any help from the Norwegian police.'"
It can't be that unusual to say you're on a different frequent flyer program and this one flight isn't worth the hassle of registration. You could even carry a United tag when you fly AA, and a Delta tag when you fly United, etc. Unless you do regular enough routes no one would bother you. But I think this is more about diplomatic blunders than leaving a trail of breadcrumbs that your (former) allies can find...
The CIA mismanaged this. They should have emulated a real, tightfisted, company, making their people travel on a corporate card, so that the frequent flier miles would accrue to the company and not to the working stiffs. The company's top people would then cash in the miles to get free travel for themselves, their families, mistresses, and friends they want to impress.
A check on the corporate account would yield only the travel costs, without identifying the traveller. The fuzz would have to track down their data some other way.
My guess is that the tradecraft problem was elsewhere, perhaps in poor phone security (they said too much). The frequent flier stuff was just something that allowed the Italians to track their cover identities once they associated those identities with the agents they wanted. But that's boring because not many people are scared that if they say things on the phone, foreign governments will arrest them for crimes committed at the behest of their CIA case officers. Lots of people use frequent flier miles and so the idea of being tracked using them is scary and sells papers. So that's what made it into the article.
Using alternate identities inevitably requires one to bring a certain number of people or institutions (banks, drivers licence bureaus, foreign government agency personnel, etc.) into the "circle of trust." In this case, some of the Italians and squeamish Norwegians proved themselves unworthy of that trust.
No alternate identity can be made to appear completely innocent under all conditions - if they are starting to look for correlations between your travel and, say, a controversial detention, there is nothing you can do to stop it, nor the conclusions they draw from any correlations (under other circumstances they might have tracked the Safeway loyalty card, or ATM withdrawals, or whatever). I assume, for example, that foreign government agents can reconstruct my hotel registrations, culled from the forms I have to fill out (with citizenship, passport number, etc.) The hotel doesn't care about my passport number - only the Authorities do. The point is, if they start applying intense investigative techniques against your identity, you've already missed your goal of simply not coming to anyone's attention - staying down in the ambient noise level, so to speak.
But the good news is that the identity took some time and investigation to pick up on and untangle, giving ample time for the participants in the would-be rendition to slip out of the country - which is an intended benefit of using alias identities. In any case, those "people" (and frequent flyer cards, and cell phones, and etc.) no longer exist, and cannot be extradited...
Ultimately, I suspect this was not a demonstration of incompetence, but of the limitations of using alias identities.
@Kohler: "some of the Italians and squeamish Norwegians proved themselves unworthy of that trust"
Huh? The Italian government and Norwegians weren't invited into your "circle of trust". These CIA goons just trundled in and started operating anyway, subverting a few Italian cops along the way.
If "squeamish" means "having a sense of basic morals" then count me among the squeamish.
The formerly free people of the USA seem to have accepted that by merely reciting the magic words "War on Terror", US government agencies can commit any wrong and ignore any law with impunity. They'd better realise that people outside the US are not so weak.
There are two issues here,
1, The CIA officers were caught in the process of carrying out an illegal activity.
2, Their previous travel arrangements are being used against them as evidence.
Deal with issue 1 first, the CIA officers were committing a crime, in that they were trying to kidnap an individual, that was not one of their citizens, and was not within their jurisdiction. Why? Because they had insufficient evidence to bring before a Judge to get an extradition (and let's face it, recent events show how little evidence is required these days).
Why should a (host) government get involved with helping a foreign government carry out illegal activities on their soil, especially when it will reflect badly on the host government?
The simple fact is that the U.S. has set up an illegal system which has not produced results in any acceptable fashion. So rather than admit it's not working (how embarrassing) they carry on with more of the same, whilst the rest of the world has moved on...
If Iran for instance sent agents to say France, to kidnap CIA officers who had committed crimes against Iran would you expect the French authorities to go along with it?
The US appear to be of the belief that as long as they keep shouting "We are the good guys" as loudly as possible it will excuse all their activities that would be rightly condemned if carried out by other nations...
On a similar note to my earlier posting
Even the UK, which is often seen as the US's staunchest ally due to the behaviour of its current Prime Minister Tony Blair, appears to have had enough of some of the US Government behaviour.
Basically the US is giving very high tech weapons to Israel and flying them through the UK without the proper formalities etc.
Apparently the Israelis have requested the 100 laser guided bunker busting bombs to attack bunkers being used by Hezbollah militants in Lebanon.
But it appears the Israelis cannot tell the difference between a UN bunker with UN observers in it and any other randomly selected target in Lebanon.
Even though they have known about its location for twenty years, and having been requested repeatedly by radio and through political channels for many hours to stop attacking it. The Israelis continued to attack it with shelling and eventually destroyed it killing at least 4 UN observers with a bunker busting bomb from an Israeli air strike.
United Nations Secretary General Kofi Annan said that the Israelis' "apparently deliberate targeting" of the U.N. post in southern Lebanon was unacceptable and demanded an Israeli investigation into the incident.
Personally I wish him luck as previous investigations by the Israeli Military / Government have usually not produced any blame. It has only been when there is clear video evidence backed by considerable international pressure that any action has been taken by the Israeli Government. And then it has been at best a token gesture (see BBC footage about the death of Abed Takkoush).
The Israeli Military have a past history of attacking and killing unarmed monitoring forces. This has included US personnel aboard the NSA signals intelligence ship Liberty.
Even though 34 US personnel had been killed, another 171 were wounded and a US vessel worth around 450 million USD at current values had become a write off. The then US government (under Johnson) did nothing, apparently to avoid problems with the "Jewish Lobby" in the run up to an election...
The Israelis however have put the ship's wheel and bell from the MTB203 that attacked the Liberty, and machine gunned her life boats, in pride of place in a prominent display amongst other artifacts the Israeli Navy is most proud of in their Naval Museum.
The remaining survivors of the Liberty submitted a "War Crimes" report on the attack of the Liberty to the US Secretary of the Army a little over a year ago. The US is legally bound to investigate reports of war crimes, however so far no comment has been forthcoming from the U.S. Government...
You can read more in James Bamford's book "Body of Secrets" ISBN 0-7126-7598-1 or James Ennes' book "Assault on the Liberty" ISBN 0-9723116-0-2.
So, when will the NYT report that the NSA is mining the records of all the airlines' frequent-flyer programs looking for suspicious patterns (terrorists, or their rivals in the CIA?)
A more on topic comment.
One thing this does prove is that you are the sum of your identifying documentation, and that the more documents you have the easier it is to detect fraudulent or other illicit behaviour by you...
Which kind of also shows why National ID cards are likely to fail ;)
In the UK banks currently rely on many different forms of identification most of which could be relatively easy to forge as individual documents (such as land line phone bills, and other utilities such as electricity).
However although very low cost to forge they would fail if cursory checking (authentication) was carried out (such as phoning the utility company and checking the account details).
So without checking the documents are very weak security wise, but involve very large levels of work by a fraudster to support if authentication is carried out (which banks are starting to do which is why they claim it costs around 100USD to open a new account).
The UK Gov (with the support of the banks) wants to move over to a single ID card as proof of Identity (it's a lot lot cheaper for the banks and virtually eliminates their legal risks under various UK & EU money laundering legislation).
Which is fairly pointless as the level of Bank Fraud etc in the Countries with ID Cards is not significantly different to countries without ID cards, in fact for some crimes it is significantly higher....
Worse under the current proposals the banks do not have a way of checking the UK ID cards except by visual inspection (supposedly they will not be able to phone up the UK Gov and say "is this card legit" or scan the card's chip).
So you have a document that has a high production cost (to the UK tax payer) which cannot be forged at low cost, but also cannot be easily (if at all) verified as being genuine.
Also many studies have shown that a single ID system with photograph etc is in fact a significant weakness in that the people checking it think even quite crude forgeries are real, or they fail to check the details on the card...
The overall effect is a system with a very expensive token that is effectively worthless from a security perspective. Organised crime has only one token to forge or authority to suborn to produce false ID credentials. The economies of scale work for both forging and back handers to officials.
The (supposed) solution to the problem is Automatic Authentication of the ID Cards, and this can be done either Off-line or On-line.
Off-Line authentication is complex and requires expensive (fragile) systems. These can be attacked at leisure by the criminals until the authentication system is sufficiently known / broken to allow forgeries to be made.
On-Line systems require a fairly extensive communications network but that in and of itself becomes a target for individuals carrying out illicit activities.
In both cases the systems will give rise to the (probable) unwarranted release of significant levels of personal / private information on the individual (otherwise all you authenticate is the card not the individual carrying it).
So what we learned here, is that now the "data" about anybody is outside the control of the government. Therefore, it is near impossible to be suppressed even by the government. If an intel agency is able to obfuscate the passport records to cover their activity, it can be found in the frequent flyer files of the airline or cell phone records, or ATM records or security video.
Intel uses the same processes as smugglers and other criminals to run their work outside the normal channels. When those are closed off or monitored closely, the suspicious activity that is directed to be ignored is highlighted as government sanctioned. But even this doesn't work as no longer can a flash of an id with a wink and a nod get someone unrecorded through immigration. There are hundreds of private databases that would have to be cleaned which is impossible.
And as many have pointed out, by avoiding using frequent flyer programs or cell phones, you only bring attention to yourself.
This sounds like they were able to track the travel of one pair of people who were traveling undercover. It does not say if they were able to tie anything back to their real identities.
An interesting dilemma. Curiously, the group interested in reducing the opportunities for individuals to engage in anonymous behavior is much the same as the group interested in the ability of governments to perform covert operations. But as this example illustrates, the former may undermine the latter.
Most overseas US Gov't activity is not illegal according to US law, including the kidnapping of foreign citizens. You forget that the whole point of the CIA is to commit the "crimes" of "espionage" and "treason" in other countries. You can't both damn the CIA for not having good intelligence and also damn the CIA for trying to get good intelligence.
Whether this particular event was "right" or "wrong", I do not know. I do know that it is inconsistent to apply foreign law to agents of the United States government and still expect the United States government to be able to protect its citizens and agents.
Almost every country in the world faces the same choice: break foreign laws, or protect domestic interests. Almost without exception, the choice made is to break foreign laws. From my point of view, if they're doing it to me, why should I let them have such an advantage?
Michael has a point. The ability to identify and track others is a kind of power. Governments insist to have that power over individuals, and at the same time try to deny it to the public, including their own citizens.
Clearly another imbalance that allows governments to do anything they want, including morally evil like torture (people confess anything under torture, so it has no value anyway), kidnapping of innocents, and theft (think industrial espionage and, of course, tax).
As long as we don't know what the government is really doing, we don't base our votes on facts. We base them on the faked image the government wants us to see. But wait, votes are manipulated anyway. Isn't it all just theater to keep up the illusion it were something like democracy?
A clandestine power accumulating gov can lie better and, to the masses, look better than a transparent one with proper division of powers whose failures are visible to public scrutiny. Maybe it is just a law of nature that ruthlessness is rewarded, hence power (and money, which is equivalent) will always concentrate around the most ruthless.
The point I was making was technically correct, the first paragraph
"Deal with issue 1 first, the CIA officers were committing a crime, in that they were trying to kidnap an individual, that was not one of their citizens, and was not within their jurisdiction. Why? Because they had insufficient evidence to bring before a Judge to get an extradition (and let's face it, recent events show how little evidence is required these days)."
Was a preface to the second paragraph,
"Why should a (host) government get involved with helping a foreign government carry out illegal activities on their soil, especially when it will reflect badly on the host government?"
My point was that it is a bit dim to expect co-operation from a host nation when you are committing an illegal act by their laws on their soil (and also expect them to take the rap/flack for it).
Also with regard to rendition and other acts, I am not sure they are legal in the US, the US Law may not prevent it but the US Gov is also the signatory to several international treaties that do cast this kind of activity (against civilians) as a war crime. However like all things it is open to interpretation, and the will and ability of a court to enforce it.
I think an interesting way to look at this event is as follows:
It appears that due to computerization and technology and corporate surveillance and data gathering, that the ability to operate in a clandestine (unattributed) or anonymous manner is being eroded, and so naturally the shift will be towards cover stories, and the way you will generate plausible cover stories is by acting the part. Once a cover is blown, however, the details of that cover are probably irretrievably documented so that an investigation will be able to connect all the dots post-facto. So this brings home the following point; someone operating under cover must be much more diligent in maintaining that cover because the consequences of attracting attention sufficient to warrant an investigation will unearth far more than before.
Personally, I don't think it would be that suspicious to not use a cell phone, or to use different cell phones on different days (it is rumored that a certain technology CEO meets with his executives every morning and picks one of their cell phones at random to use for the day). Same with frequent flyer cards or grocery store discount cards. However, ultimately it is a judgement call, because trying overly hard to minimize evidence is likely to be more suspicious, and technology has already pushed us past the tipping point - the tipping point where suspicion so easily uncovers the activity (because the investigative/forensic tools are so powerful and the ambient data so pervasive) that even a small amount of it can be inimical to the operation as a whole.
If one can perform "identity juggling" (trading cell phones) and other confusion techniques (with an eye towards preventing traffic analysis as well) without detracting from the cover, then theoretically that would be a reasonable tactic; that the technique was in use would not be evident until the cover was effectively blown and the operatives under a forensic-style investigation. However, I doubt anything like that is worth jeopardizing the cover in even a small way because the consequences of that are so dire.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.