CIA Network Exposed through Insecure Communications System

Interesting story of a CIA intelligence network in China that was exposed partly because of a computer security failure:

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected -- and there would be no way to trace the communication back to the CIA. But the CIA's interim system contained a technical error: It connected back architecturally to the CIA's main covert communications platform. When the compromise was suspected, the FBI and NSA both ran "penetration tests" to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

In the words of one of the former officials, the CIA had "fucked up the firewall" between the two systems.

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official -- links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA's own website, according to the former official.

People died because of that mistake.

The moral -- which is to go back to pre-computer systems in these high-risk sophisticated-adversary circumstances -- is the right one, I think.

Posted on August 29, 2018 at 8:10 AM • 28 Comments

Comments

Marc EspieAugust 29, 2018 9:55 AM

Not fucking up also comes to mind.

But that assumes people who know what they're doing, write/audit all the code, and have a high ethical conscience of the seriousness of the job they're doing.

E.g., not contractors who see the CIA or FBI as fat cash cows.

JonKnowsNothingAugust 29, 2018 10:31 AM

@Bruce

go back to pre-computer systems


There is a slight problem with "pre-computer" systems, one of which is paper, and that is in the USA people are no longer taught how to write "longhand or cursive".

Without a keyboard these people cannot communicate in any way other than by voice and even there they require a huge amount of apps to help them place phone calls.

There are old typewriters both manual and electric. Electric was useful because you didn't need gorilla strength to push down a key with your pinky-finger. Not that long ago, I think the Russians bought a new load of typewriters with each machine tweaked so any documents printed on it would be identified easily which sort of blows the "security" both ways in the fan.

You will have to take on the US Education System if you want handwritten.


ht tps://en.wikipedia.org/wiki/Cursive#Decline_of_English_cursive_in_the_United_States
(url fractured to prevent autorun)

bigmacbearAugust 29, 2018 11:39 AM

Not sure if cursive writing is necessary as long as block lettering is still taught. Hand encoding algorithms seem to lend themselves more to manipulation of block letters anyway...

TatütataAugust 29, 2018 12:01 PM

The moral -- which is to go back to pre-computer systems in these high-risk sophisticated-adversary circumstances -- is the right one, I think.

You mean Moscow Rules?

HmmAugust 29, 2018 12:40 PM

https://www.washingtonpost.com/local/public-safety/chinese-spies-promised-to-take-care-of-ex-cia-officer-for-life-prosecutors-say/2018/05/18/8a83aa60-59ee-11e8-858f-12becb4d6067_story.html

What a small world.

Apparently it's the famous/infamous cantankerous opinionated interjecting judge T.S.Ellis III who's handling the case of the CIA agent turned spy Jerry Chun Lee, wonderful. I imagine he'll temper his habit of unreasonably defending the defendant personally this time, after all, this traitor isn't directly one of the President's own right-hand men.

echoAugust 29, 2018 3:04 PM

The other variant of this story is Chinese security services did the job they were paid to do. If they had been the US we would be reading authoritative narratives in the newspapers and other such chatter not to mention long reads of the technical issues and drama surrounding a major triumph. If this had been the UK we would have heard next to nothing beyond "the government does not comment on security issues".

As with everyday public policy issues affecting health and welbeing the handers often don't have as much depending on the outcome as the poor afflicted citizen. One example is pensioners living in poverty dying over the winter.

The irony is cheap Russian gas and cheap Chinese clothes may have saved lives faster than the UK government was trying to kill people off hence the current UN investigation into UK government human rights abuses.

Given the EU position againstthe death penealty I would hope other states such as the US and China reflecton their use of the death penelty for routine espionage. Really, it is quite hypocritical to complain of deaths when if the boot had been on the other foot the conversation would have been squalid. The fact the current UK government blatantly tried to udnermine settled policy on the death penalty and extradition is appalling.

Given how cheaply lives are treated by diliberatness or error is it any wonder if security services have a recruitment problem and may have problems retaining sources? Who in their right mind would vote for a politician with indifferent attitudes or snarling aggression to deflect attention?

Gerard van VoorenAugust 30, 2018 2:25 AM

What is it with that site: foreignpolicy.com? My guess is that they went too much away with their ".com" crap. But that site is absolutely unreadable (with readable I mean "take the time to digest the content") if you don't have at least one "automatic JS disabler".

DH4096August 30, 2018 7:41 AM

The schadenfreude of their incompetence made my day!
Come on, they are the CIA, yet they can't even do an audit of their own network.

Pro tip for isolating systems: Check that the system is actually isolated!

On another note, it's interesting the method they used to communicate with agents before the internet. They broadcast 'number stations' with high power shortwave radio, agent decrypts using a one-time-pad key. It's very discrete because it didn't require any unusual equipment

kiwanoAugust 30, 2018 8:21 AM

@JonKnowsNothing

As much as I share your lamentations on the state of American education, I feel like I ought to point out the evasive driving also isn't taught in school, but it nonetheless manages to be a skill that CIA agents have (and I'm pretty sure they don't all learn it by trying to cut through traffic on the Leesburg Pike).

bttbAugust 30, 2018 9:27 AM

Regarding the Foreign Policy article that is the subject of this thread, Clive Robinson imo had a relevant recent post ( https://www.schneier.com/blog/archives/2018/08/friday_squid_bl_638.html#c6780306 ):

"... But there is more to it, than that for a couple of reasons. Firstly various Middle East nations are no slouches when it comes to ElInt and SigInt and the CIA and various other US IC entities have continuously under rated them and been caught with not just their jaws dropping... But secondly, the CIA has a history of being technically not that bright in house, thus over estimating technology vendor promisses... Which has resulted in over ambitious technology rollouts...

[...]

In essence you need a "sacrificial goat" that acts as a "cut out". The agent uses old school Opsec to "one way" send messages via dead letter boxes and the like to the goat, and the goat then puts them in at a node. The goat like the SOE radio operators during WWII are expected to have a very short life time. Thus these days they would never be given "plaintext" as they will be expected to be tourtured in various ways prior to being "discarded" by those capturing them.

[...]

The actual problem in Spy Craft is actually "the last mile" problem. That is how does an agent get the secret message over the last mile to their handling officer? It's safe to assume all officers like all diplomats are watched 24x365.25 and have their homes and offices bugged when dealing with the likes of the Russian's or Chinese. Even the cars, cafes, restaurants, toilets within a mile or so are going to be bugged directly or indirectly (laser mics etc) as a matter of normality. As the price of technology drops this surveillance capability ceases to be just the province of the Super Powers, all first world and even some third world countries can now afford to do it...

It's actually increasingly difficult to solve the last mile problem, some actually believe it's now nolonger possible to do it either with technology or old school Spy Craft and OpSec.

I'm not so sure, there are after all "stray cats" that could be trained[1] ;-) But the question arises as to just how small can you make an autonomous drone/robot to act as a goat?"


Regardless, with things like fingerprints, retina scans, license plate readers, RFIDs, facial recognition, voice recognition, gait analysis, cctv, tracking technology (including smartphones), The Office of Personnel Management (OPM) hack (perhaps w/ attempted matching to both the likes of Experian [a consumer credit reporting agency] and death records), etc., it seems that nation states have, of course, lots of ways to perform surveillance and/or to populate their databases.

Clive RobinsonAugust 30, 2018 12:58 PM

@ DH4096,

They broadcast 'number stations' with high power shortwave radio, agent decrypts using a one-time-pad key. It's very discrete because it didn't require any unusual equipment

Except having the "one time pad" and a fairly good quality "shortwave receiver"...

In many "behind the iron curtain countries" mear possession of a shortwave receiver was cause to br given ten or more years at a labour camp with little odds of surviving.

Even in countries like Britain, France, Germany and a few other Western nations possession of "non broadcast band" unlicenced receivers including those in the Shortwave Bands was "frowned upon" legaly. It was not till the 1980s when "scanners" got down below the equivalent of 1000USD in todays money that the authorities took less of a dim view.

There is also a benign reason behind "numbers stations" which is "station keeping" Most HF broadcasters have to fight for their frequencies even when they have been "officialy" granted and licenced. Due to various reasons they do not "program broadcast" for 24x7 therefore they put out multinote signals every 30secs or so at slightly higher than normal carrier level. Or they put out something equally as anoying. I used to do "station keeping" for a station in the 49meter band, and we decided that being a "numbers station" might be fun... Thus I wrote some software to generate numbers and send them to an early voice synthesizer I'd built.

What most people do not realise is that pre-1980 Shortwave recievers had a major problem, they were also low power transmitters. The cheaper the radio the more output it was likely to give...

Thus if an "agent" was daft enough to tune into a numbers station the local oscilator in their radio would broadcast this fact sometimes more than 10miles away depending on the antenna or any metalwork it might "couple into". In the UK the General Post Office under the authority of the Minister of posts and communications had listening stations covering most of the likely area for "agents" to be in... The same was certainly true for various asian communist nations and those streatching across East Europe.

In the UK such "spectrum monitoring" still goes on for various reasons not just "spys".

But due to the general stupidity of US utility companies trying to make a fast buck or a million they have developed "power line data systems" these due to the very lax behaviour of the FCC are pushing out EM radiation 20dB or so above internationaly agreed levels. And because of the idiots at OfCom or above in the UK such crappy systems have been given the nod in the UK. The expected result is that the HF band will go out of use for anyone in an urban or city location...

ErikAugust 30, 2018 1:49 PM

@HMM - I wouldn't take Ellis's behavior in the Manfort case as being on the defendant's side. Good judges run trials that end in tidy rulings that are difficult to appeal, and if the attorneys on one side are screwing up that means giving them the appropriate nudges to fix their behavior.

"In fact, judges often snipe more at the side they expect to win. Even a simple criminal trial requires a judge to make dozens of discretionary decisions like what evidence to admit or exclude, how long to let the parties take with witnesses and the scope of permissible argument. Judges routinely cut the weaker side all of the breaks, hoping to make a bulletproof record for appeal when that side loses. Riding prosecutors and limiting their evidence doesn’t necessarily signal that Ellis thinks they’re in the wrong — it may signal that he thinks they’re likely to convict Manafort, and he wants to make the result as clean and error-free as possible."

https://www.nbcnews.com/think/opinion/manafort-trial-judge-keeps-yelling-prosecutors-s-not-good-news-ncna898736

HmmAugust 30, 2018 2:55 PM

@Erik

"In fact, judges often snipe more at the side they expect to win"

I've seen that, it's true that could be the case. But it SURE WAS in the defendant's favor!
Repeatedly, on different issues. The judge even felt obliged to apologize for it. (rare)

It went beyond just forcing the prosecution to bring the most solid case, it was improper.

“Put aside my criticism,” the red-faced jurist told the panel, adding: “This robe doesn’t make me anything other than human.”

*(He got into that 'red-faced' shouting argument over an expert witness for the prosecution who had been present for some small portion of the proceedings - specifically WITH the judge's explicit written pre-trial permission. It was just one thing after another, hurry up, no you can't ask that, doesn't matter, you're crying...)

It got weird regardless of his motivation. But you're right that pushing back against prosecutors in that way did lessen the chances of Manafort winning on a bias appeal. Ellis did reject his motion for a mistrial, etc. Justice was at last served.

And 11:1 verdict, that one holdout probably didn't decide that way because of Ellis' antics.
I don't think there was much credible doubt of those 10 charges, 11/12 didn't either.
This is our system, warts and all.

HmmAugust 30, 2018 2:57 PM

Certainly Jerry Lee will get a fairer trial under Ellis than anyone can expect in Beijing.

WeskerTheLurkerAugust 30, 2018 4:15 PM

What happened to good old-fashioned dead drops and one-way radio? Anything based on communication through the internet just opens itself up for being easily exploited or tracked.

Guess the CIA's been getting lazy these days.

Jon (fD)August 30, 2018 7:15 PM

Comments died too. If you commit a crime in a jurisdiction where that crime is punishable by death and you get caught at it, death is what you should expect.

Jon (fD), not any other Jon

HmmAugust 30, 2018 8:16 PM

"where that crime is punishable by death"

What about rights in presenting/examining evidence, having the opportunity to confront accusations?
Without respect of such rights in law, "what is crime" is an undefined entity and easily redefined.

If accused, executed. That's certainly a more straightforward system.

Jon (fD)August 31, 2018 2:25 AM

All that is subsumed by "and you get caught at it". In theory.

While not every country has the same legal system as the USA, I'd like to point out Article III, Section III of the U.S. Constitution and 18 USC 2381.

Furthermore, when the US courts allow 'national security' to suppress evidence and throws "terrorists" into jail with no due process at all, it's a bit rich to complain when another country does the same thing to your spies.

I'm not saying the CIA is not at fault here. They told their spies their information transfer was secure, and it wasn't. But it's akin to a mob boss telling his minions that he'll keep them safe even if they kill people.

Oddly enough, those who implemented the insecure system are probably the most secure against having it used against them.

Some countries have no death penalty crimes. Some countries have the death penalty for actions people in the USA would consider (mostly) harmless. Not every country is the same as the USA. The important law is that of the country in which the CIA was operating at the time.

In short, I reiterate my disagreement. People did indeed die. But what killed them was not insecure communications, they were executed for the crimes based on the evidence in those insecure communications. Various states in the USA have executed people for less.

Jon (fD)

Jon (fD)August 31, 2018 2:39 AM

For complaining about trials where evidence is not submitted to the defense or the public, I give you United States v. Renyolds, 1953. Enjoy. J. (fD)

vas pupAugust 31, 2018 11:28 AM

Diplomats' mystery illness linked to radiofrequency/microwave radiation, researcher says:
https://www.sciencedaily.com/releases/2018/08/180829115456.htm
"Writing in advance of the September 15 issue of Neural Computation, Beatrice Golomb, MD, PhD, professor of medicine at University of California San Diego School of Medicine, says publicly reported symptoms and experiences of a "mystery illness" afflicting American and Canadian diplomats in Cuba and China strongly match known effects of pulsed radiofrequency/microwave electromagnetic (RF/MW) radiation.

Golomb compared the situation to persons with peanut allergies: Most people do not experience any adverse effect from peanut exposure, but for a vulnerable subgroup, exposure produces negative, even life-threatening, consequences."

Yes, only some got affected, not all.

JackAugust 31, 2018 11:42 AM

"covert communications systems" -On the Internets ? ROFLMAO
What, do the yanks TLA's STILL not talk with each other ?
After the massive screw-up that made it possible for KNOWN SALAFIST TERRORISTS to enter the US,attend flight-school, hijack planes and make buildings blow up all over the place ??
One would think the NSA could tell CIA in simple terms : There is no such thing as "covert communications systems" on the internet - And we have the exabytes of intercepted data to prove it - Let me take a wild guess here : Onion makes you cry and die !

Not really anonymousAugust 31, 2018 1:29 PM

Maybe this response could be used against China. If a number of important people in China had their devices hacked and fake communications to CIA services were set up, China might execute important people who were actually loyal to the the government. This could set back a number of projects there.

echoAugust 31, 2018 2:57 PM

@vas pup

So they were kyboshed by their own spy equipment? I wouldn't be surprised if this was true. If it was true then it would be a humiliating and embarassing climb down if they could admit it.

@Jon (fD)

The usual trick in the UK was if confidential information would betray sources and oerpational methods the evidence for "national security reasons" would not be submitted to the courts which effectively meant the accused would walk free. Evidence of child abuse by a prominent now deceased politician was also withheld from prosecuting agencies because by law GCHQ could not use the information for anything other than a "national security" issue. Abuse of the official Secrets Act and D Notices was a thing too.

A lot has changed since including information being secret almost up to the point of withholding it from the court and defence and certainly media reporting. While sex abuse is not as blatant as before a lot of very worrying abuses still take place in the system although mostly by beaurocratic cruelty.

I am waiting until I get my day in court to divulge everything but basically "they" got away with it to the point I'm actively planning to seek asylum in a mainland EU country.

This is the tip of the iceberg. Been there and worse.

https://www.theguardian.com/uk-news/2018/aug/29/academic-konstancja-duff-passive-resistance-before-met-strip-search
Academic strip searched by police says refusal to cooperate was 'passive resistance'. Konstancja Duff tells custody sergeant’s disciplinary hearing she was reacting to unjust treatment.

Erdem MemisyaziciSeptember 6, 2018 12:50 AM

The first problem is, some of the vulnerabilities were not really thought of as vulnerabilities. Most hardware and software are prepared with profitability in mind. To give an example, think about the speculative execution vulnerabilities we had in the recent years. The problem was, one engineer came up and said, well, this can be a lot faster if we simply built in some guess work. It's a terrible idea from the perspective of security. In one hand you have a processor operating n times faster, in the other you have a secure but a slow product. Guess who won that argument? So don't tell me anybody but the makers of memory sticks saw Row Hammer coming before it hit the shelves.

The other problem in security is, updates are not always a good thing. Sometimes you have to leave a darn thing which works, the way it is. Yea you find a 20 year old bug in OpenSSH, but that's pretty rare compared to something like imagemagick. Update then, and only then. Stable release is what you need to get to. Add no new features. In the article, it sounds like that's exactly what happened. They wanted to co-operate with more people, and a programmer or a systems administrator without their coffee screwed up.

Lastly though, why would anybody who is worried about secure communications use the friggin' Internet? I mean what happened to interjecting into a BBC broadcast or something clever like that? If spies are depending on encryption, they are merely fighting against time. Computers are getting cheaper and more powerful by the day, and all kinds of quantum computers are becoming available to the average consumer. Aren't spies better off sending a pigeon? Put a message in a ball and fire it off a cannon. You're going to depend on iptables to keep you safe? Don't you know every packet is captured and stored even if it is dropped?

What I predict for the future of the Internet is that the only way to eventually secure it will be to use symmetric encryption and trust a 3rd party security organization with fighter jets and tanks. Whether that will be Amazon or your government I'm not so sure. It will probably be an ID with bio-metrics which unlocks your key and the key strength adjusted based on the latest super-computer benchmarks. TLS 3.0?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.