El Chapo's Opsec

I've already written about Sean Penn's opsec when communicating with El Chapo. Here's the technique of "mirroring," as the article explains it:

El Chapo then switched to a complex system of using BBM (BlackBerry's instant messaging) and proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days at a public place with Wi-Fi). This intermediary (or "mirror") would then transcribe the text to an iPad and then send that over a Wi-Fi network (not cellular networks, which were monitored constantly by law enforcement). This Wi-Fi text was then sent to another cut-out, who would finally transcribe the message into a BlackBerry BBM text and transmit it to Guzman. Although Guzman continued to use his BlackBerry, it was almost impossible to analyze the traffic because it now only communicated with one other device. This "mirror" system is difficult to crack because the intermediaries, or proxies, can constantly change their location by moving to new Wi-Fi spots.

This article claims he was caught because of a large food order:

After construction was complete, the safehouse was quiet, until 7 January 2016, when a car arrived carrying unknown passengers. Security forces suspected that this was Guzman. There was one final indicator that someone important enough to require an entourage was inside: a white van went off, at midnight, to fetch enough tacos to feed a large group of people. The police raided the house four hours later.

Here's more detail about El Chapo's opsec at the time of his previous capture.

EDITED TO ADD (2/11): More on his opsec.

Posted on January 21, 2016 at 6:19 AM • 24 Comments

Comments

Clive Robinson • January 21, 2016 8:59 AM

El Chapo obviously had not learnt the lesson of the first night of the first gulf war,

    A white van went off, at midnight, to fetch enough tacos to feed a large group of people.

For those too young to have been aware of it, the DC pizza delivery people were well aware of not just the build-up but the actual start night because of the number of pizzas that they had to deliver to various key buildings.

The amusing thing was that reporters watched the succession of deliveries and either did not realise or decided not to say.

However, other people became aware because they could not get a fast food delivery for love or money, so some realised and SMS'ed each other about it.

But in El Chapo's case is the story true or just parallel construction... It's unlikely we will get to find out. But we do know that Mexico has the use of Stingrays and better courtesy of the USG.

As longer-term readers will know, I've mentioned various ways to do mirroring in the past, including building WiFi or Bluetooth to GSM to mobile broadband relays which can be left in public places like high-rise car parks, shopping centres, offices and apartment buildings, as well as using optical laser networking from one building to another and putting surveillance equipment to watch it on nearby buildings etc.

For those who live in Northern Ireland, many know that most of the later pirate radio stations used similar tricks, including "microwave links" to get the audio to the transmitter sites on "the mountain" etc. just inside Eire (Southern Ireland, or just "the south"). The funny thing is that some of the "pirate engineers" worked for the BBC or Sky Satellite Television (which is part of Rupert "the bare-faced liar" Murdoch's News International organisation that was "politically and commercially" at war with the BBC)...

Not me • January 21, 2016 9:39 AM

Here in México, the first news we got was that someone "important" had been captured thanks to an anonymous call.

A person called and reported armed men in a nearby house. The local police went and were shot at by the people in the house, called for reinforcements, and the marines came, killed some of them and captured the rest. That was when they found the "Chapo".

There was no intelligence, tracking, nothing at all. All of that has been produced after the capture: the "Policia Federal" arrived 6-8 hours *after* the Chapo had been captured. Nice touch, the GoPro cams, wasn't it?

The text messages were obtained *after* they got the Chapo's phone, etc.

The truth is, the Mexican authorities *always* have known where the Chapo was, and *always* have looked for him elsewhere. The cooperation with the US? Just to get money and economic help.

This Chapo capture happened because someone "didn't get the memo" and did his work.

Everything else is for capitalizing on the capture.

Besides, the US Dollar today is 19 pesos, but who cares? The Mexican President got the Chapo!

Joe • January 21, 2016 10:36 AM

Just to be clear, the New Yorker article details El Chapo's second capture. He escaped a second time a month after the article was published. Not sure if anyone has written in detail about the third capture this year.

Dave • January 21, 2016 10:53 AM

I'm confused. The quoted article says that Chapo's Blackberry only talked to one other Blackberry, which made it difficult to analyze its traffic. Why is this? If it only had one peer, shouldn't it be easier to analyze its traffic? Or if you are sitting in a privileged position in the network (as the government might be expected to do if it serves a warrant on Blackberry), then why does the number of Blackberries Chapo is texting matter at all?

Jarrod Frates • January 21, 2016 11:24 AM

@Clive Robinson

"However, other people became aware because they could not get a fast food delivery for love or money, so some realised and SMS'ed each other about it."

No, they didn't. The purported pizza delivery story was for the first Gulf War in 1991, while SMS wasn't implemented in a phone network until 1992 (and then in Britain), and didn't catch on until many years later. The story arose from the owner of a number of DC-area Domino's Pizza stores who made the claim years later, saying that he always knew when something important was going on. However, large orders of pizza for the White House, the Pentagon, and Congress aren't unusual, and happen as a result of legislative negotiations, policy gridlock, large-scale military exercises, and many other reasons. The idea that the Pentagon would need to order out for so much pizza is also questioned, since it has its own, very substantial food courts. While there may be a grain of truth to it, it could also have been self-promotion, since he (and Domino's in general) got free (international) press coverage out of the claim.

In any case, the idea that no one could get a fast food delivery is blanked out by the scale: the Pentagon only has about 25,000 people in it on a normal day, and it's in a city of 150,000 people (110,000 in 1991). If an overnight crew ordering pizzas can zero out the available food for that city, it's a very strange place, indeed. If the Pentagon was hosting a larger population overnight, the presence of excess vehicles in the parking lot would have been a much stronger indicator of something going on than the delivery of a lot of pizzas.

ianf • January 21, 2016 11:37 AM


@ Clive Robinson wrote “El Chapo obviously had not learnt the lesson of the first night of the first gulf war…”

Which night exactly did you mean (and where… in Saudi Arabia?). Acc. to the timeline of the Gulf War, it was not some surprise attack, but declared in advance

  • January 15, 1991: First U.S. government statement of Operation Desert Storm made.
  • January 17, 1991: The air war commenced at 2:38 a.m. (local time) or January 16 at 6:38 p.m. EST due to an 8-hour time difference, with an U.S. Apache helicopter attack. U.S.-led Coalition warplanes attacked Baghdad, Kuwait, and other military targets in Iraq.

… and, anyway, the first month of Desert Storm was pretty much exclusively devoted to the USAAF bombing of enemy defense targets in Kuwait and Iraq. So who in your view was it that needed all those (off-army base) rush-order extra-topping pizzas (when there were plenty of MREs on the premises), and what could El Chapo have learned from that faraway logistical-culinary experience?

mark • January 21, 2016 11:47 AM

That kind of mirror, or cutout, isn't new. I think the first time I read about it was in Williams's Hardwired, from the high days of cyberpunk in the eighties.

mark

Anonmexicali • January 21, 2016 12:34 PM

Sorry Bruce... but he was detected in a simple way, not by the mirror.

There was only one person with a BlackBerry within 50 miles of the area. Simple and easy.

Track the tools of Hacking Team Italy and you'll have more clues.

Spartanus • January 21, 2016 4:50 PM

Well, so turns out that Sean Penn wasn't so clueless about opsec after all? ;) (People made fun of his "mirroring" comment and said it was nonsense.)

k15 • January 21, 2016 5:49 PM

How could someone do this to El Chapo without his knowledge? Would there be anything he could do to detect it?

Clive Robinson • January 21, 2016 6:08 PM

@ Spartanus,

People made fun of his "mirroring" comment and said it was nonsense.

Not all of us did as you can see if you read my point 5 in,

https://www.schneier.com/blog/archives/2016/01/sean_penns_opse.html#c6715261

The problem is some experts really are not experts outside of a narrow field of competence.

Others who don't claim to be experts have not just a broader knowledge base, but have actually designed, built and deployed systems to do such things.

@ Jarrod Frates,

Yes, the UK was switching over from TACS/ETACS to GSM in 91; the US stayed on AMPS for quite a bit longer. Though the SMS spec was done under Ian Harris by Kevin Holley in late 88/89. The official story of the first SMS sent was in the UK (Kevin worked for BT's Cellnet) and was a "merry xmas" message. I worked with some of the Racal (Vodafone) people down at the old manor house in Raynes Park just off the A3 when trying to thrash out a way to send computer data over TACS, which was basically an analogue audio channel system with holes punched in it for signalling. It became clear it was not really going to work easily, and thus I attended a couple of meetings with Ian and others on the standards committee to find out if what was to become GSM was going to be better suited to the task...

It was all a long time ago, and there was a lot of rivalry between BT and Racal. Being the "senior service" and backhaul provider, BT assumed it was going to be able to dictate terms etc. to Racal-Vodafone; however, it did not work out that way, and the ability to "approve" or not changes in each other's service provisions and standards changes surprisingly actually worked to everybody's benefit, customers included.

It's part of my past I thought was long past; after all, TACS/ETACS service stopped fifteen years ago in the UK, until I was reminded that the 1st of Jan was the thirtieth anniversary of the first non-test UK cellphone call...

@ ianf,

So who in your view was it that needed all those (off-army base) rush-order extra-topping pizzas (when there were plenty of MREs on the premises),

Err, what are you talking about? As far as I'm aware MREs are "field rations" that back then nobody wanted to eat[1], so you would have been hard pushed to find them in DC.

[1] I have heard in the distant past of 1985-6 US MREs being called "Meals Rejected by Ethiopians" quite a few times when "being in the field" on what was in effect a USAF signals base in the UK.

Anon • January 21, 2016 6:46 PM

How does the number of other stations make tracking harder?

I see the low number making it easier to track:

1) most people call/text more than one person
2) due to the low number of stations and point 1, it should stand out as odd, and would make it *easier* to monitor/trace?

Doo doo-doooo, Doo doo-doooooo, • January 21, 2016 7:06 PM


The crucial OPSEC lesson of the Gulf Wars was how to conceal mass casualties.

https://www.indybay.org/newsitems/2011/04/07/18676664.php

"wives at the home base were being harassed and they were being given pharmacological psychotropic cocktails. There was a news blackout. When they (Third Infantry Division) finally did get back, they came back kind of on the midnight train.

"There were many more wounded than the hospital could accommodate. They were sleeping in open fields. The reason for that, I believe, is that they were trying to keep everybody who was at the Battle of Baghdad all located at one Army post so they could control all the information.

"Among the survivors and their dependents, there was an attempt to coerce silence. I like to say they were thugged up and drugged up.

"In January 2004, I had a freelance journalist from upstate New York start working with me to try to get the story. She found out that there were about 100 backdoor visits, which means the casualty officer would come and inform the widows of what happened. They were taking women and getting them out of town, off the post.

"She came up with a number of about 100 war widows. About one out of three soldiers is married. That kind of went well with what I had thought: about 300 to 500 killed in action. Very quickly, after she began investigating, she got a death threat.

"Maybe we have 500 dead. That sounds like an immense pile. What happens is that you get 500 coffins that go to 500 different train terminals and 500 disparate cities and small towns. Nobody sends out a card saying there are 499 other ones. Everybody who gets one knows they have a dead G.I. But, nobody thinks their dead G.I. was part of a massive battle. It’s the elephant of truth. Every blind person gets one feel. Everyone gets one pat on the elephant without realizing there’s an immense beast there.

"Covering up dead body counts is not hard to do at all. All you do is fail to report in any kind of cohesive order that there has been a massive battle. They proved that again by the fact that the fight of Fallujah, both of them, were covered up.

"It’s easy to understand what happened with Fallujah. The same as the Battle of Baghdad. What the public got told was nothing like the carnage that was going on. The U.S. death count was held down."

Joe K • January 22, 2016 2:39 AM

@Dave (and possibly @Anon, if "difficult-to-track" was a paraphrase of the traffic analysis difficulties mentioned by the quoted Steven Frost article.)

Get out a sharp pencil and a really big sheet of paper. Make a dot for every telecom device.

Then, for each pair of dots <x,y> such that x has initiated at least one call to y, draw an arrow from x to y and label it with the positive integer i representing how many times x has called y.

One of those dots is El Chapo's blackberry. What properties distinguish it from all the other nodes that only talk to one other node?

Yes, this is overly simplistic. No, I am not a Traffic Analyst. I don't even play one on TV.

But one thing seems clear: the dot corresponding to El Chapo's blackberry does not look like it belongs to the head-honcho of a large organisation.

Doesn't mean it couldn't be. But traffic analysis won't tell you.

Joe K • January 22, 2016 3:58 AM

I wrote:

One of those dots is El Chapo's blackberry. What properties distinguish it from all the other nodes that only talk to one other node? [...] But one thing seems clear: the dot corresponding to El Chapo's blackberry does not look like it belongs to the head-honcho of a large organisation.

Actually, on re-reading the Frost article, I realise that I based my conclusion on the assumption that El Chapo's sole BBM pal also only talks to one node (namely, El Chapo). But the article does not state that explicitly.

And neither did I. Until now.

Because, yeah, if Darth Sidious's blackberry only corresponds with Darth Vader's blackberry, but Vader's blackberry is conspicuously chatting with other important-looking nodes all over the galaxy, Darth Sidious's device might not look so inconspicuous after all.

Z.Lozinski • January 22, 2016 6:58 AM

@Joe K,

If you look at the agenda for any of the ISS (Intelligence Support Systems) conferences, you will see presentations on traffic analysis for telecommunications.

http://www.issworldtraining.com/ISS_WASH/

One of the things some vendors talk about is having a library of communication traffic patterns, and one example they talk about is a device that has previously not been used, which suddenly pops up on the network. Given most people buy phones to use them regularly, this is a remarkable event, and one that will probably be highlighted. You can even filter out the "emergency phone for the car" scenario by filtering out cases like "an unused phone pops up and calls the Automobile Association and doesn't change location for the next hour".

A useful thought experiment is trying to create say a dozen different patterns of how mobile phones are used in space and time.

Larry Callimahos' "Introduction to Traffic Analysis" from the NSA has been declassified and mentions how to apply this thinking to a wireless-based military communications net.

Its applicability in this case is down to the imagination of the people creating the analysis rules to find people, and the imagination of the people trying to develop opsec procedures to hide. We know from military campaigns that both sides develop increasingly sophisticated strategies. Of course, the details of the patterns that analysts are looking for will usually be classified - and that is going to be true for both military and intelligence scenarios.
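A toy version of the two ideas raised above: Joe K's pencil-and-paper graph (a dot per device, an arrow per call, then ask what distinguishes the single-peer node whose only peer is a hub) and the "previously unused device that suddenly pops up" pattern Z.Lozinski mentions. This is an added example, not code from the post or from any commenter; the call records are constructed, the device labels D1..D10 are placeholders standing in for whatever identifier a carrier actually logs, and the hub threshold is an arbitrary choice for illustration.

```python
"""Toy traffic analysis over constructed call-detail-style records.

Added example, not from the original post. Every record is invented and
the device labels are placeholders, not real IMSIs/IMEIs/BBM PINs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records: (ISO timestamp, originating device, terminating device).
# D3 is a busy "lieutenant" node; D7 talks only to D3 (the mirror pattern);
# D6/D8 are an isolated pair that talk only to each other; D9 and D10 first
# appear near the end of the window.
RECORDS = [
    ("2016-01-01T09:00", "D1", "D2"),
    ("2016-01-01T09:05", "D1", "D3"),
    ("2016-01-01T10:00", "D2", "D3"),
    ("2016-01-02T08:30", "D3", "D4"),
    ("2016-01-02T08:45", "D3", "D5"),
    ("2016-01-02T09:10", "D4", "D5"),
    ("2016-01-03T11:00", "D3", "D7"),
    ("2016-01-03T11:02", "D7", "D3"),
    ("2016-01-04T07:00", "D6", "D8"),
    ("2016-01-04T07:30", "D8", "D6"),
    ("2016-01-05T12:00", "D2", "D4"),
    ("2016-01-07T00:05", "D9", "D10"),
]


def build_graph(records):
    """Directed graph: out[x][y] = number of contacts x initiated to y."""
    out = defaultdict(lambda: defaultdict(int))
    for _, src, dst in records:
        out[src][dst] += 1
    return out


def all_nodes(graph):
    nodes = set(graph)
    for dsts in graph.values():
        nodes.update(dsts)
    return nodes


def peers(graph, node):
    """Undirected peer set: everyone node contacted or was contacted by."""
    found = set(graph.get(node, {}))          # .get avoids inserting into the defaultdict
    for src, dsts in graph.items():
        if node in dsts:
            found.add(src)
    return found


def single_peer_nodes(graph):
    """Devices that only ever talked to exactly one other device."""
    return sorted(n for n in all_nodes(graph) if len(peers(graph, n)) == 1)


def hidden_hub_candidates(graph, hub_min=4):
    """Single-peer devices whose sole peer is itself well connected.

    A one-peer device is unremarkable on its own (a car phone, a child's
    phone); it is the combination with a hub peer that stands out.
    Returns (device, peer, peer_degree) triples.
    """
    hits = []
    for node in single_peer_nodes(graph):
        (peer,) = peers(graph, node)
        degree = len(peers(graph, peer))
        if degree >= hub_min:
            hits.append((node, peer, degree))
    return hits


def first_seen(records):
    """Earliest timestamp at which each device appears in either role."""
    seen = {}
    for ts, src, dst in records:
        when = datetime.fromisoformat(ts)
        for dev in (src, dst):
            if dev not in seen or when < seen[dev]:
                seen[dev] = when
    return seen


def new_devices(records, since):
    """Devices whose first appearance is at or after `since` (ISO string)."""
    cutoff = datetime.fromisoformat(since)
    return {dev for dev, when in first_seen(records).items() if when >= cutoff}


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for n in sorted(all_nodes(g)):
        print(n, sorted(peers(g, n)))
    print("single-peer devices:", single_peer_nodes(g))
    print("single-peer devices whose peer is a hub:", hidden_hub_candidates(g))
    print("devices first seen on/after 2016-01-06:", sorted(new_devices(RECORDS, "2016-01-06T00:00")))
```

On this data D6, D8, D9 and D10 are all single-peer devices, yet only D7 is flagged, because only D7's sole peer (D3) talks to many others. That is the point of Joe K's second comment: the boss's handset looks quiet, but its one correspondent does not. The `new_devices` check is the crude form of the "phone that suddenly pops up" rule; a real system would combine it with location stability and who the first call went to, as the comment describes.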

65535 • January 23, 2016 12:54 AM

Since I am at the bottom of this thread I’ll make my comments short.

“…It would be “The Nose,” who after extensive questioning and torture by Mexican authorities, would give up Guzman’s location….” –Readfomag

I wonder how legal torture is under Mexican law.

[And]

“…The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days at a public place with Wi-Fi). This intermediary (or "mirror") would then transcribe the text to an iPad and then send that over a Wi-Fi network (not cellular networks, which were monitored constantly by law enforcement). This Wi-Fi text was then sent to another cut-out, who would finally transcribe the message into a BlackBerry BBM text and transmit it to Guzman. Although Guzman continued to use his BlackBerry, it was almost impossible to analyze the traffic because it now only communicated with one other device. This "mirror" system is difficult to crack because the intermediaries, or proxies, can constantly change their location by moving to new Wi-Fi spots.”-Readfomag

https://readfomag.com/2015/12/how-opsec-helped-catch-the-worlds-most-wanted-drug-kingpin/

It appears to be a sort of manual Blackberry/Tor network. Very interesting.

But what about the Call Data Records, billing records, location records and other metadata? IMEI, IMSI, UICC and other identifiers? Who is paying for those phones and what is the address? One would think the DEA had to have some of those records.

Wi-Fi

Crowdsourced Wi-Fi data can also be used to identify a handset's location.[11] Poor performance of the GPS-based methods in indoor environment and increasing popularity of Wi-Fi have encouraged companies to design new and feasible methods to carry out Wi-Fi-based indoor positioning.[12] Most smartphones combine Global Navigation Satellite Systems (GNSS), such as GPS and GLONASS, with Wi-Fi positioning systems.

https://en.wikipedia.org/wiki/Mobile_phone_tracking#Wi-Fi

@ Not me

‘Here in México, the first new we got was that someone "important" have been captured thanks to an anonymous call. A person call and report armed men in a near house. The local police went and were shoot by the people in the house, called reinforcements an the marines came, and killed some of them and captured the rest. That was when they found the "Chapo"’

I agree.

That is the impression I got from the early reports of Chapo’s arrest. Yet, the New Yorker says he was captured in an expensive high rise hotel/apartment building.

“Mazatlán is a resort town popular with retirees from the U.S. and Canada… On the night of Friday, February 21st, about forty marines assembled in the city, along with a small contingent of agents from the D.E.A., the U.S. Marshals, and the Department of Homeland Security. The marshals, who specialize in locating fugitives, had been able to trace the signal on Condor’s BlackBerry to the Hotel Miramar, a white, twelve-story condominium building with three columns of half-moon balconies overlooking the Pacific. Geolocation technology can trace a signal to a given city block or building, but not necessarily determine where in the building the device is situated… A team of marines climbed to the sixth floor and burst into one of the apartments, where they discovered two groggy tourists, who were recovering from an evening of partying. (One of them, an American, thought that their room had been stormed because they had been smoking marijuana. The marines were perplexed when he produced, from his wallet, a California medical-marijuana card.) …on the fourth floor, a team of six marines approached Apartment 401, where they discovered Condor standing guard and holding an assault rifle. He raised his weapon only for a moment, since it was obvious that he was outnumbered. Guzmán’s decision to jettison his huge security force had allowed him to move around quickly and inconspicuously, but he was left essentially defenseless. The Marines crashed through a flimsy wooden door, shouting, “Marines!”

“They entered a two-bedroom apartment… Guzmán had scrambled out of bed in his underwear, grabbed an assault rifle, and darted into a small bathroom. “Don’t kill him!” Coronel pleaded again. “He’s the father of my children!” The standoff lasted only a few seconds, with the marines bellowing and Coronel screaming. Then Chapo shouted, “O.K., O.K., O.K., O.K.!” and extended his empty hands through the bathroom doorway.” –Newyorker

That is a different version of the story that first was circulated.

[and]

“…it should come as no surprise that many observers believe that Guzmán’s “capture” in Mazatlán was a theatrical event directed by the drug lord himself. When I reached Hernández and asked her what she made of the arrest, she challenged the premise of my question. “If Chapo Guzmán has been captured,” she said. “If that is the real story.” She is not convinced that the man who was photographed in Mazatlán, and whose DNA was tested, is the real Chapo.” -Newyorker

http://www.newyorker.com/magazine/2014/05/05/the-hunt-for-el-chapo

There seems to be a few unanswered questions.


ianf • January 23, 2016 1:15 AM


@ 65535 “Since I am at the bottom of this thread I’ll make my comments short.

[5k characters follows incl. a couple of quotes and URLs]

Promises, promises.

Reader • January 24, 2016 10:41 AM

El Chapo broke Opsec by himself:

http://grugq.tumblr.com/post/137543628353/el-chapos-arrest

https://medium.com/@thegrugq/the-futile-fugitive-4d909aee7c02

Guzman had other problems with his COMSEC setup. He gave a phone purchased from a retail store to an actress and communicated directly with her. How this was supposed to be secure is beyond me. Security is as strong as the weakest link, and generally speaking civilians are not associated with high security.

https://medium.com/@thegrugq/the-rise-and-fall-of-the-tunnel-rat-king-58352d4f2f65

They tracked his Escape-Tunnel Architect retrofitting Escape-Tunnels into houses and set up observation posts after he left (also a sweep of the property to locate all tunnels before Chapo arrived).

jimbob • February 13, 2016 9:16 AM

So mirroring was actually good opsec and not "Sean Penn doesn't know what he's talking about" ? Sometimes it's hard to know who is the noob and who is the expert.

Clive Robinson • February 13, 2016 10:25 AM

@ Jimbob,

Sometimes it's hard to know who is the noob and who is the expert.

Well... Let's say that a lot of --supposed-- "experts" learnt their trade watching Fox News "talking heads".

Most people who are really experts, as opposed to self-promoters tooting their horns, take a cautious approach to what they say. Further, if they really understand it from first principles, they can give you three strengths and weaknesses off the top of their head. But most importantly, they can explain it in a way a listener can understand, and generally make it sound simple.

If you go back and look at the media circus that surrounded this, you will quickly spot the talking heads from their non-cautious nature, then their complete lack of explanation...


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.