February 15, 2014

by Bruce Schneier
CTO, Co3 Systems, Inc.

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively and intelligent comment section. An RSS feed is available.

In this issue:

Finding People's Locations Based on Their Activities in Cyberspace

Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone.

Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional information about how the agency's programs work. From this and other articles, we can now piece together how the NSA tracks individuals in the real world through their actions in cyberspace.

Its techniques to locate someone based on their electronic activities are straightforward, although they require an enormous capability to monitor data networks. One set of techniques involves the cell phone network, and the other the Internet.

Every cell-phone network knows the approximate location of all phones capable of receiving calls. This is necessary to make the system work; if the system doesn't know what cell you're in, it isn't able to route calls to your phone. We already know that the NSA conducts physical surveillance on a massive scale using this technique.

By triangulating location information from different cell phone towers, cell phone providers can geolocate phones more accurately. This is often done to direct emergency services to a particular person, such as someone who has made a 911 call. The NSA can get this data either by network eavesdropping with the cooperation of the carrier, or by intercepting communications between the cell phones and the towers. A previously released Top Secret NSA document says this: "GSM Cell Towers can be used as a physical-geolocation point in relation to a GSM handset of interest."

This technique becomes even more powerful if you can employ a drone. Greenwald and Scahill write: "The agency also equips drones and other aircraft with devices known as 'virtual base-tower transceivers' -- creating, in effect, a fake cell phone tower that can force a targeted person's device to lock onto the NSA's receiver without their knowledge."

The drone can do this multiple times as it flies around the area, measuring the signal strength -- and inferring distance -- each time. Again from the Intercept article: "The NSA geolocation system used by JSOC is known by the code name GILGAMESH. Under the program, a specially constructed device is attached to the drone. As the drone circles, the device locates the SIM card or handset that the military believes is used by the target.

The Top Secret source document associated with the Intercept story says: "As part of the GILGAMESH (PREDATOR-based active geolocation) effort, this team used some advanced mathematics to develop a new geolocation algorithm intended for operational use on unmanned aerial vehicle (UAV) flights." This is at least part of that advanced mathematics.

None of this works if the target turns his phone off or exchanges SMS cards often with his colleagues, which Greenwald and Scahill write is routine. It won't work in much of Yemen, which isn't on any cell phone network. Because of this, the NSA also tracks people based on their actions on the Internet.

A surprisingly large number of Internet applications leak location data. Applications on your smart phone can transmit location data from your GPS receiver over the Internet. We already know that the NSA collects this data to determine location. Also, many applications transmit the IP address of the network the computer is connected to. If the NSA has a database of IP addresses and locations, it can use that to locate users.

According to a previously released Top Secret NSA document, that program is code named HAPPYFOOT: "The HAPPYFOOT analytic aggregated leaked location-based service / location-aware application data to infer IP geo-locations."

Another way to get this data is to collect it from the geographical area you're interested in. Greenwald and Scahill talk about exactly this: "In addition to the GILGAMESH system used by JSOC, the CIA uses a similar NSA platform known as SHENANIGANS. The operation -- previously undisclosed -- utilizes a pod on aircraft that vacuums up massive amounts of data from any wireless routers, computers, smart phones or other electronic devices that are within range.

And again from an NSA document associated with the FirstLook story: "Our mission (VICTORYDANCE) mapped the Wi-Fi fingerprint of nearly every major town in Yemen." In the hacker world, this is known as war-driving, and has even been demonstrated from drones.

Another story from the Snowden documents describes a research effort to locate individuals based on the location of Wi-Fi networks they log into.

This is how the NSA can find someone, even when their cell phone is turned off and their SIM card is removed. If they're at an Internet café and they log into an account that identifies them, the NSA can locate them -- because the NSA already knows where that Wi-Fi network is.

This also explains the drone assassination of Hassan Guhl, also reported in the Washington Post last October. In the story, Guhl was at an Internet cafe when he read an email from his wife. Although the article doesn't describe how that email was intercepted by the NSA, the NSA was able to use it to determine his location.

There's almost certainly more. NSA surveillance is robust, and they almost certainly have several different ways of identifying individuals on cell phone and Internet connections. For example, they can hack individual smart phones and force them to divulge location information.

As fascinating as the technology is, the critical policy question -- and the one discussed extensively in the FirstLook article -- is how reliable all this information is. While much of the NSA's capabilities to locate someone in the real world by their network activity piggy-backs on corporate surveillance capabilities, there's a critical difference: False positives are much more expensive. If Google or Facebook get a physical location wrong, they show someone an ad for a restaurant they're nowhere near. If the NSA gets a physical location wrong, they call a drone strike on innocent people.

As we move to a world where all of us are tracked 24/7, these are the sorts of trade-offs we need to keep in mind.

The Intercept article:

The NSA's tracking of cell phone locations:

The NSA documents:

NSA tracking leaky cell phone apps:

War driving from drones:

The assassination of Hassan Guhl:

NSA hacking iPhones:

NSA surveillance and corporate capabilities:

This essay previously appeared on

The Insecurity of Secret IT Systems

We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week.

It's worse than you might have expected: "It runs on the outdated Windows 98 operating system, stores user credentials in plain text, and includes a feature called Threat Image Projection used to train screeners by injecting .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener's reaction during training sessions. The weak logins could allow a bad guy to project phony images on the X-ray display."

While this is all surprising, it shouldn't be. These are the same sort of problems we saw in proprietary electronic voting machines, or computerized medical equipment, or computers in automobiles. Basically, whenever an IT system is designed and used in secret – either actual secret or simply away from public scrutiny – the results are pretty awful.

I used to decry secret security systems as "security by obscurity." I now say it more strongly: "obscurity means insecurity."

Security is a process. For software, that process is iterative. It involves defenders trying to build a secure system, attackers -- criminals, hackers, and researchers -- defeating the security, and defenders improving their system. This is how all mass-market software improves its security. It's the best system we have. And for systems that are kept out of the hands of the public, that process stalls. The result looks like the Rapiscan 522 B x-ray system.

Smart security engineers open their systems to public scrutiny, because that's how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results. Get ready for Rapiscan to claim that the researchers had old software, and the new software has fixed all these problems. Or that they're only theoretical. Or that the researchers themselves are the problem. We've seen it all before.

Insecurities on other systems:

Security by obscurity:

Security is a process:

NSA Exploit of the Day

One of the top-secret NSA documents published by Der Spiegel was a 50-page catalog of "implants" from the NSA's Tailored Access Group. Because the individual implants are so varied and we saw so many at once, most of them were never discussed in the security community. (Also, the pages were images, which makes them harder to index and search.) To rectify this, I am publishing an exploit a day on my blog.

SIERRAMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card.

STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card.

The CTX4000 is a portable continuous wave (CW) radar unit. It can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection.

LOUDAUTO is an audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing.

NIGHTSTAND is an active 802.11 wireless exploitation and injection tool for payload /exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced VAGRANT signals).

PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000.

SPARROW II is an embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards.

TAWDRYYARD is a beacon RF retro-reflector. Provides return when illuminated with radar to provide rough positional location.

GINSU provides software application persistence for the CNE implant, KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER. This technique supports any desktop PC system that contains at least one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 20003, XP, or Vista.

HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant.

IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution. This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives. The supported file systems are: FAT, NTFS, EXT3 and UFS.

JUNIORMINT is a digital core packaged in both a mini Printed circuit Board (PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to be used in implants with size constraining concealments.

MAESTRO-II is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments.

SOMBERKNAVE is a Windows XP wireless software implant that provides covert internet connectivity for isolated targets. SOMBERKNAVE is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network via an unused embedded 802.11 network device. If an Internet-connected wireless Access Point is present, SOMBERKNAVE can be used to allow OLYMPUS or VALIDATOR to "call home" via 802.11 from an air-gapped target computer.

SWAP provides software application persistence by exploiting the motherboard BIOS and the hard drive's Host Protected Area to gain periodic execution before the Operating System loads. This technique supports single or multi-processor systems running Windows, Linux, FreeBSD, or Solaris with the following file systems: FAT32, NTFS, EXT2, EXT3, or UFS1.0.

TRINITY is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments.

WISTFULTOLL is a UNITEDRAKE and STRAITBIZARRE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions.

SURLYSPAWN is data RF retro-reflector. Provides return modulated with target data (keyboard, low data rate digital device) when illuminated with radar.

DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc.

GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

In the blog comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Finally -- I think this is obvious, but many people are confused -- I am not the one releasing these documents. Der Spiegel released these documents in December. Every national intelligence service, Internet organized crime syndicate, and clued terrorist organization has already pored over these pages. It's us who haven't really looked at, or talked about, these pages. That's the point of these daily posts.

There's a good exchange between a reader and me on this, starting here:

Last Month I Briefed Congress on the NSA

One morning in January, I spent an hour in a closed room with six members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Bobby Scott, Rep. Goodlatte, Rep. Mike Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren had asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn't forthcoming about their activities, and they wanted me -- as someone with access to the Snowden documents -- to explain to them what the NSA was doing. Of course, I'm not going to give details on the meeting, except to say that it was candid and interesting. And that it's extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

Surreal part of setting up this meeting: I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top-secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF. So we had to have the meeting in a regular room.

This really was an extraordinary thing.


Criminals are starting to track people by cell phone: "Adding credence to the theory that Brooklyn landlord Menachem Stark was kidnapped and murdered by professionals, a law enforcement source tells the Post that the NYPD found a cell phone attached to the bottom of his car, which could have been used to track his movements." Presumably the criminals installed one of those "track your children" apps that transmits the phone's GPS data to some database somewhere.

Edward Elgar's cryptography puzzles from the late 1890s.

There's a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish.

New type of DDOS attack using NTP:

Adware vendors are buying and abusing Chrome extensions. This is not a good development.

Coming barely weeks after my essay on the security risks from embedded systems, the Proofpoint report of a spam-sending refrigerator was just too good to be true. I was skeptical, so I didn't blog it. Now Ars Technica has a good analysis of the report, and is also skeptical. In any case: it could happen, and sooner or later it will.

Tim Harford talks about consumer manipulation:
This is a security story: manipulation vs. manipulation defense. One of my worries about our modern market system is that the manipulators have gotten too good. We need better security -- either technical defenses or legal prohibitions -- against this manipulation.

More about how cell phone companies rip you off.

This is an interesting way to characterize income inequality as a security issue:

Applied Cryptography is available online. I'm sure this is a pirated copy. Looking at it, it's amazing how long ago twenty years was.

Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable. Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far? We have far to go with our security of embedded systems.

The EU might raise fines for data breaches.
This makes a lot of sense. If fines are intended to change corporate behavior, they need to be large enough so that avoiding them is a smarter business strategy than simply paying them.

This is a very good essay on the politics of fear.

Interesting paper: "The Value of Online Privacy," by Scott Savage and Donald M. Waldman.
Interesting analysis, though we know that the point of sale is not the best place to capture the privacy preferences of people. There are too many other factors at play, and privacy isn't the most salient thing going on.

A side-channel attack: the male túngara frog _Physalaemus pustulosus_ uses calls to attract females. But croaking also causes ripples in the water, which are eavesdropped on -- both by rival male frogs and frog-eating bats.

This is a pretty impressive social engineering story: an attacker compromised someone's GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It's a complicated attack.
The misuse of credit card numbers as authentication is also how Matt Honan got hacked.

A man in China bought a first class plane ticket and used it to have free meals at the airport's lounge every day for almost a year, continually changing the ticket for the next day so he could come back. When the year was almost up, he cancelled the ticket for a refund.
It's such a weird occurrence that I'm not even sure it's worth bothering to defend against.

A fantastic social engineering attack from 1971:

Interesting paper by Steven J. Murdoch and Ross Anderson in this year's Financial Cryptography conference: "Security Protocols and Evidence: Where Many Payment Systems Fail."
Security Protocols and Evidence: Where Many Payment Systems Fail:

Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that.

We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs. It's been in operation, undetected, for at least seven years. As usual, we infer the creator of the malware from the target list. Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they're immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.

NSA News

The NSA collects hundreds of millions of text messages daily. No surprise here. Although we learned some new codenames. DISHFIRE is the NSA's program to collect text messages and text-message metadata. And PREFER is the NSA's program to perform automatic analysis on the text-message data and metadata. The documents talk about not just collecting chatty text messages, but vCards, SIM card changes, missed calls, roaming information indicating border crossings, travel itineraries, and financial transactions.

Two reports have recently been published questioning the efficacy of the NSA's bulk-collection programs. The first one is from the left-leaning New American Foundation.
The second is from Marshall Erwin of the right-leaning Hoover Institute.

The NSA is collecting data from leaky smart phone apps.

This catalog of Snowden revelations looks to be pretty good.
Add that to these three indexes of NSA source material, and these three summaries.
This excellent parody website has a good collection of all the leaks, too.

Generate your own fake NSA programs.
Generate your own fake TAO implant.
Sadly, the NSA will probably use these to help develop their R&D roadmap.

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Now we know why the president gave his speech on NSA surveillance when he did; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board.

The PCLOB issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this.

What frustrates me about all of this -- this report, the president's speech, and so many other things -- is that they focus on the bulk collection of cell phone call records. There's so much more bulk collection going on -- phone calls, e-mails, address books, buddy lists, text messages, cell phone location data, financial documents, calendars, etc. -- and we really need legislation and court opinions on it all. But because cell phone call records were the first disclosure, they're what gets the attention.

The report:

NSA collecting phone calls:

NSA collecting e-mails:

NSA collecting address books:

NSA collecting buddy lists:

NSA collecting text messages:

NSA collecting cell phone location data:

NSA collecting calendars:

NSA collecting cell phone calling records:

NSA/GCHQ Accused of Hacking Belgian Cryptographer

There has been a lot of news about Belgian cryptographer Jean-Jacques Quisquater having his computer hacked, and whether the NSA or GCHQ is to blame. There have been a lot of assumptions and hyperbole, mostly related to the GCHQ attack against the Belgian telecom operator Belgacom.

I'm skeptical. Not about the attack, but about the NSA's or GCHQ's involvement. I don't think there's a lot of operational value in most academic cryptographic research, and Quisquater wasn't involved in practical cryptanalysis of operational ciphers. I wouldn't put it past a less-clued nation-state to spy on academic cryptographers, but it's likelier this is a more conventional criminal attack. But who knows? Weirder things have happened.

GCHQ attack on Belgacom:

Schneier News

I am speaking -- several times -- at the RSA Conference in San Francisco on 2/24-28.

Earlier this month, I gave a talk about the NSA at MIT. The video is available.
If you have trouble viewing the video on that page, try this direct link:

CSEC Surveillance Analysis of IP and User Data

The most recent story from the Snowden documents is from Canada: it claims the CSEC (Communications Security Establishment Canada) used airport Wi-Fi information to track travelers. That's not really true. What the top-secret presentation shows is a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that data to identify individual users. This is actually far more interesting than simply eavesdropping on airport Wi-Fi sessions. Between Boingo and the cell phone carriers, that's pretty easy.

The researcher, with the cool-sounding job-title of "tradecraft developer," started with two weeks' worth of ID data from a redacted "Canadian Special Source." (The presentation doesn't say if they compelled some Internet company to give them the data, or if they eavesdropped on some Internet service and got it surreptitiously.) This was a list of userids seen on those networks at particular times, presumably things like Facebook logins. (Facebook, Google, Yahoo and many others are finally using SSL by default, so this data is now harder to come by.) They also had a database of geographic locations for IP addresses from Quova (now Neustar). The basic question is whether they could determine what sorts of wireless hotspots the IP addresses were.

You'd expect airports to look different from hotels, and those to look different from offices. And, in fact, that's what the data showed. At an airport network, individual IDs are seen once, and briefly. At hotels, individual IDs are seen over a few days. At an office, IDs are generally seen from 9:00 AM to 5:00 PM, Monday through Friday. And so on.

Pretty basic so far. Where it gets interesting his how this kind of dataset can be used. The presentation suggests two applications. The first is the obvious one. If you know the ID of some surveillance target, you can set an alarm when that target visits an airport or a hotel. The presentation points out that "targets/enemies still target air travel and hotels"; but more realistically, this can be used to know when a target is traveling.

The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can't risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can't be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

The results from testing that second application were successful, but slow. The presentation sounds encouraging, stating that something called Collaborative Analysis Research Environment (CARE) is being trialed "with NSA launch assist": presumably technology, money, or both. CARE reduces the run-time "from 2+ hours to several seconds." This was in May 2012, so it's probably all up and running by now. We don't know if this particular research project was ever turned into an operational program, but the CSEC, the NSA, and the rest of the Five Eyes intelligence agencies have a lot of interesting uses for this kind of data.

Since the Snowden documents have been reported on last June, the primary focus of the stories has been the collection of data. There has been very little reporting about how this data is analyzed and used. The exception is the story on the cell phone location database, which has some pretty fascinating analytical programs attached to it. I think the types of analysis done on this data are at least as important as its collection, and likely more disturbing to the average person. These sorts of analysis are being done with all of the data collected. Different databases are being correlated for all sorts of purposes. When I get back to the source documents, these are exactly the sorts of things I will be looking for. And when we think of the harms to society of ubiquitous surveillance, this is what we should be thinking about.

The story:

The CSEC presentation:

NSA's cell phone location database:

The NSA's cell phone location analytical programs:

Microsoft has done the same research, and patented it.

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

Copyright (c) 2014 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.