July 15, 2014

by Bruce Schneier
CTO, Co3 Systems, Inc.

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively and intelligent comment section. An RSS feed is available.

GCHQ Catalog of Exploit Tools

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It's a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer.
MINIATURE HERO: Active Skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user's files from
PHOTON TORPEDO: A technique to actively grab the IP address of an MSN Messenger user.
SILVER SPECTOR: Allows batch Nmap scanning over Tor.
SPRING BISHOP: Find private photographs of targets on Facebook.
ANGRY PIRATE: is a tool that will permanently disable a target's account on their computer.
BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capacity to increase website hits/rankings.
BURLESQUE: is the capacity to send spoofed SMS messages.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
GATEWAY: Ability to artificially increase traffic to a website.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (YouTube).
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.
SUNBLOCK: Ability to deny functionality to send/receive email or view material online.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target's machine.
UNDERPASS: Change outcome of online polls (previously known as NUBILO).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.
HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.
HUSK: Secure one-on-one web based dead-drop messaging platform.

There's lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

TAO catalog:

NSA Spied on Prominent Muslim Americans

The latest story from the Snowden documents is about five prominent Muslim Americans who were spied on by the NSA and FBI. It's a good story, and I recommend reading it in its entirety. I have a few observations.

One, it's hard to assess the significance of this story without context. The source document is a single spreadsheet that lists 7,485 e-mail addresses monitored between 2002 and 2008.

The vast majority of individuals on the "FISA recap" spreadsheet are not named. Instead, only their email addresses are listed, making it impossible in most cases to ascertain their identities. Under the heading "Nationality," the list designates 202 email addresses as belonging to "U.S. persons," 1,782 as belonging to "non-U.S. persons," and 5,501 as "unknown" or simply blank. "The Intercept" identified the five Americans placed under surveillance from their email addresses.

Without knowing more about this list, we don't know whether this is good or bad. Is 202 a lot? A little? Were there FISA warrants that put these people on the list? Can we see them?

Two, the 2008 date is important. In July of that year, Congress passed the FISA Amendments Act, which restricted what sorts of surveillance the NSA can do on Americans. So while this story tells us about what was happening before the FAA, we don't know what -- if anything -- changed with the passage of the FAA.

Three, another significant event at the time was the FBI's prosecution of the Holy Land Foundation on terrorism charges. This brought with it an overly broad investigation of Muslim Americans who were just associated with that charity, but that investigation came with approved warrants and all the due process it was supposed to have. How many of the Americans on this list are there as a result of this one case?

Four, this list was just the starting point for a much broader NSA surveillance effort. As Marcy Wheeler pointed out, these people were almost certainly associationally mapped. CAIR founder Nihad Awad is one of the NSA targets named in the story. CAIR is named in an EFF lawsuit against the NSA. If Awad had any contact with the EFF in 2008, then they were also being spied on -- that's one hop. Since I had lots of contact with the EFF in the affected time period, I was being spied on as well -- that's two hops. And if any of you e-mailed me around that time -- well, that's three hops. This isn't "just metadata"; this is full-take content that's stored forever. And, yes, the president instructed the NSA to only spy on people up to two hops away this January, but that was just one program under one authority.

This is a hard story to analyze, because it's more anecdote than data. I much preferred last Saturday's story that tried to analyze broad trends about who the subjects of NSA surveillance are. But anecdotes are more persuasive than data, so this story might be more compelling to a mainstream audience.

Holy Land Foundation commentary:

Marcy Wheeler:

EFF lawsuit:

EFF commentary:

Ben Wittes:

Director of National Intelligence:

Web Activity Used in Court to Portray State of Mind

I don't care about the case, but look at this:

"Among the details police have released is that Harris and his wife, Leanna, told them they conducted Internet searches on how hot a car needed to be to kill a child. Stoddard testified Thursday that Ross Harris had visited a Reddit page called "child-free" and read four articles. He also did an Internet search on how to survive in prison, Stoddard said.
"Also, five days before Cooper died, Ross Harris twice viewed a sort of homemade public service announcement in which a veterinarian demonstrates on video the dangers of leaving someone or something inside a hot car."

Stoddard is a police detective. It seems that they know about Harris's web browsing because they seized and searched his computer:

...investigators confiscated Harris' work computer at Home Depot following his arrest and discovered an Internet search about how long it would take for an animal to die in a hot car.

Stoddard also testified that Harris was "sexting" -- is this a word we use in court now? -- with several women on the day of his son's death, and sent explicit pictures to one of them. I assume he knows that by looking at Harris's message history.

A bunch of this would not be admissible in trial, but this was a probable-cause hearing, and the rules are different for those. CNN writes: "a prosecutor insisted that the testimony helped portray the defendant's state of mind and spoke to the negligence angle and helped establish motive."

This case aside, is there anyone reading this whose e-mails, text messages, and web searches couldn't be cherry-picked to portray any state of mind a prosecutor might want to portray? ("Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre." -- attributed to Cardinal Richelieu: "Give me six lines written by the hand of the most honest man, and I will find something in them to hang him.")


Here's a way to plant false evidence -- call records, locations, etc. -- on your smart phone. I have no idea how good this will be. Presumably it will be an arms race between programs like this and programs that harvest data from your phone.

Good essay on the current state of cyberinsurance.

Here are two articles about how effectively the Islamic State of Iraq and Syria (ISIS) -- the militant group that has just taken over half of Iraq -- is using social media. Its dedicated Android app, that automatically tweets in its users' names, is especially interesting. Also note how it coordinates the Twitter bombs for maximum effectiveness and to get around Twitter's spam detectors.

This is a bizarre story of an almost-happened $10 million scam. It reads like an obviously phony Nigerian 419 scam, but it actually fooled what seem to be smart people. What's amazing to me is that there was no face-to-face interaction at all.

MarketWatch has a list of five apps for spying on your spouse.

Research paper: "It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice," by Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags. Turns out you can pay people to infect their computers. The experiment was run on Mechanical Turk, which means we don't know who these people were or even if they were sitting at computers they owned (as opposed to, say, computers at an Internet cafe somewhere). But if you want to build a fair-trade botnet, this is a reasonable way to go about it.

The second Quadrennial Homeland Security Review has been published by the Department of Homeland Security. At 100+ pages, I'm not going to be reading it, but I am curious if there's anything interesting in it.

Interesting paper on defending against algorithm substitution attacks: M. Bellare, K. Paterson, and P. Rogaway, "Security of Symmetric Encryption against Mass Surveillance."

New York City officials anonymized license plate data by hashing the individual plate numbers with MD5. (I know, they shouldn't have used MD5, but ignore that for a moment.) Because they didn't attach long random strings to the plate numbers -- i.e., salt -- it was trivially easy to hash all valid license plate numbers and deanonymize all the data. The hash function is beside the point: the space of valid plate numbers is small enough to enumerate in full, so any unkeyed hash of a bare plate number is a lookup table waiting to be built.
Of course, this technique is not news.
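Here is the attack and two fixes in working code. This is an added example, not anything from the New York City release or the articles linked above; the plate format (two letters followed by three digits) and the sample records are constructed for the demonstration. One caveat on the salt remedy: a random salt per record does defeat the lookup table, but it also stops the same plate from hashing to the same value, which a dataset of trips usually needs. Keyed hashing (HMAC under a secret held by the data owner) keeps records linkable while still denying the attacker the table.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed plate format for the demonstration: N letters followed by M
# digits (e.g. "AB123"). Real plate and medallion formats differ, but any
# such format is a fixed, enumerable space of at most a few hundred million
# strings, which is all the attack needs.
LETTERS = string.ascii_uppercase
DIGITS = string.digits


def all_plates(n_letters=2, n_digits=3):
    """Yield every plate in the assumed format."""
    for letters in itertools.product(LETTERS, repeat=n_letters):
        prefix = "".join(letters)
        for digits in itertools.product(DIGITS, repeat=n_digits):
            yield prefix + "".join(digits)


def md5_token(plate):
    """The weak pseudonymization: unsalted, unkeyed MD5 of the plate."""
    return hashlib.md5(plate.encode()).hexdigest()


def build_reversal_table(n_letters=2, n_digits=3):
    """Attacker side: precompute token -> plate for the whole plate space.
    Any public, unkeyed hash works the same way; swapping MD5 for SHA-256
    would not change this."""
    return {md5_token(p): p for p in all_plates(n_letters, n_digits)}


def deanonymize(tokens, table):
    """Look up each published token; None means the plate was outside the
    enumerated format."""
    return [table.get(t) for t in tokens]


def keyed_token(plate, key):
    """Data-owner side: HMAC-SHA256 under a secret key. The same plate always
    maps to the same token (records stay linkable), but without the key an
    attacker cannot build the table above."""
    return hmac.new(key, plate.encode(), hashlib.sha256).hexdigest()


def salted_token(plate):
    """Per-record random salt, as the text suggests, also defeats the table,
    but at a price: two records for the same plate no longer match."""
    salt = os.urandom(16)
    return salt.hex() + ":" + hashlib.md5(salt + plate.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed "released" dataset: three records, two for the same car.
    plates = ["QX482", "QX482", "MB007"]
    published = [md5_token(p) for p in plates]

    table = build_reversal_table()           # 26*26*1000 = 676,000 hashes
    print("recovered:", deanonymize(published, table))

    key = os.urandom(32)                     # stays with the data owner
    keyed = [keyed_token(p, key) for p in plates]
    print("keyed tokens still link records 0 and 1:", keyed[0] == keyed[1])

    salted = [salted_token(p) for p in plates]
    print("salted tokens link records 0 and 1:", salted[0] == salted[1])
```

Building the full table for the two-letter format takes well under a second on a laptop; a real format with more letters only multiplies the cost, it does not change the outcome.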

Coming soon to a protest near you: drones that fire pepper spray bullets.

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones. Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can't be certain the Saudi government is a customer, but there's good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it's a perfectly reasonable strategy for Country A to locate its servers in Country B. And remember, this is just one example of government spyware. Assume that the NSA -- as well as the governments of China, Russia, and a handful of other countries -- have their own systems that are at least as powerful.

First review of the secure Blackphone.

Useful primer on match fixing in soccer.
Previous article on the subject.

Goldman Sachs is going to court to demand that Google retroactively delete an e-mail it accidentally sent.
Google deleted the unread e-mail, without waiting for a court order.

Last week, the German government arrested someone and charged him with spying for the US. Buried in one of the stories was a little bit of tradecraft. The US gave him an encryption program embedded in a -- presumably common -- weather app. When you select the weather for New York, it automatically opens a crypto program. I assume this is a custom modification for the agent, and probably other agents as well. No idea how well this program was hidden. Was the modified weather app the same size as the original? Would it pass an integrity checker?

Related: there is an encryption feature in my own Password Safe program. From the command line, type: pwsafe -e filename

Pickpocket tricks explained by neuroscience.
I've seen Apollo Robbins in action. He's very good.

Man-in-the-middle attack against a Brazilian payment system:
This is the sort of attack that bypasses any two-factor authentication system, since it occurs after all authentication has happened. A defense would be to send a confirmation notice to another device the account-owner owns, confirming the details of the transaction. The notice has to show the payee and amount the bank is actually about to execute, not just ask for a yes/no; otherwise the user is confirming whatever the attacker substituted.
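The defense in working form, as an added example (not the Brazilian system's code, and not from the article): after login, the bank sends the exact payee and amount it is about to execute to the holder's second device along with a code bound to those details, and executes only against a code computed over the very same details. Account numbers, the bank key and the field names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os

# Assumption: a secret held only by the bank's transaction service, never by
# the browser or the mobile app.
BANK_KEY = os.urandom(32)

# Constructed sample transaction; the account identifiers are invented.
INTENDED = {"from": "0001-7", "to": "4411-2", "amount": "250.00", "currency": "BRL"}


def canonical(txn):
    """Stable byte encoding so the MAC covers exactly these fields."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def confirmation_code(txn, key=BANK_KEY):
    """Short code bound to the exact payee/amount the bank is about to execute.
    Truncated to 8 hex digits so it fits an SMS or push notification."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()[:8]


def issue_notice(submitted, key=BANK_KEY):
    """Bank side: after authentication, send the executable details plus
    their code to the holder's second device, not a bare 'confirm?'."""
    return {"details": submitted, "code": confirmation_code(submitted, key)}


def holder_reviews(intended, notice):
    """Second device: the holder releases the code only if what the bank
    shows matches what they meant to do."""
    if notice["details"] != intended:
        return None
    return notice["code"]


def bank_executes(submitted, code, key=BANK_KEY):
    """Bank side: execute only with a code computed over these exact details,
    so a code for one transaction cannot be replayed for a modified one."""
    expected = confirmation_code(submitted, key)
    return bool(code) and hmac.compare_digest(expected, code)


def run_transfer(mitm=False):
    """Returns True if the transfer executes. mitm=True models malware in the
    browser rewriting the payee after the user has logged in with 2FA."""
    submitted = dict(INTENDED)
    if mitm:
        submitted["to"] = "9999-9"   # attacker's mule account (constructed)
    notice = issue_notice(submitted)
    code = holder_reviews(INTENDED, notice)
    return bank_executes(submitted, code)


if __name__ == "__main__":
    print("honest transfer executes:", run_transfer())               # True
    print("MITM-modified transfer executes:", run_transfer(mitm=True))  # False
```

The check that matters is in bank_executes: the code is recomputed over the transaction as submitted, so an attacker who captures a code for one payee cannot spend it on another. The residual risk is the holder who taps "confirm" without reading the payee, or an attacker who also controls the second device.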

LIFX is a smart light bulb that can be controlled with your smart phone via your home's Wi-Fi network. Turns out that anyone within range can obtain the Wi-Fi password from the light bulb. It's a problem with the communications protocol.

Researchers are refining the techniques of surreptitiously videoing people as they type in their passwords.

Parody NSA memo:

"Tips For Crafting A Strong Password That Really Pops"

Marginally related, here's an odd essay about using a password as a mantra for personal change.

This is an interesting paper: "An Anthropological Approach to Studying CSIRTs." A researcher spent 15 months at a university's SOC conducting "ethnographic fieldwork." Right now, it's more about the methodology than any results, but I'll bet the results will be fascinating.

Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria was found guilty as an accomplice, because someone used his computer to transmit child porn.
Even more recently, Tor was named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.

NSA Targets the Privacy-Conscious for Surveillance

Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users of Tor, Tails, and similar privacy tools -- and people who merely visit their websites. This isn't just metadata; this is "full take" content that's stored forever.

And, since Cory Doctorow said it, I do not believe that this came from the Snowden documents. I also don't believe the TAO catalog came from the Snowden documents. I think there's a second leaker out there.

All links here:

More NSA News

More details on the NSA tapping the Internet backbone. There are two new stories here, one from Germany and one from Denmark. And lots of other links and commentary.

A group of researchers has reverse-engineered the NSA's retro reflectors and recreated them using software-defined radio (SDR):

New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called "traffic shaping," and has legitimate uses in network management.

The latest Washington Post story from the Snowden documents analyzes a large cache of intercepted conversations -- actual operational data -- and concludes that 90% of the individuals eavesdropped on were not the targets of the surveillance.
Good commentary:
Additional context:
Good commentary:

Schneier News

I'm speaking at the Chicago ISSA meeting on July 17:

I'm speaking at Black Hat in Las Vegas on August 6:

Co3 Systems Is Hiring

At the beginning of the year, I announced that I'd joined Co3 Systems as its CTO. Co3 Systems makes coordination software -- what I hear called workflow management -- for incident response. Here's a 3:30-minute video overview of how it works. It's old; we've put a whole bunch of new features in the system since we made that.

We've had a phenomenal first two quarters, and we're growing. We're hiring for a bunch of positions, including a production ops engineer, an incident response specialist, and a software engineer.

Blog entry URL:

Co3 Systems:



Could Keith Alexander's Advice Possibly Be Worth $600K a Month?

Ex-NSA director Keith Alexander has his own consulting company: IronNet Cybersecurity Inc. His advice does not come cheap: "Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private."

Alexander declined to comment on the details, except to say that his firm will have contracts "in the near future."
Kenneth Bentsen, Sifma's president, said at a Bloomberg Government event yesterday in Washington that "cybersecurity is probably our number one priority" now that most regulatory changes imposed after the 2008 credit crisis have been absorbed.

SIFMA is the Securities Industry and Financial Markets Association. Think of how much actual security they could buy with that $600K a month. Unless he's giving them classified information.


But don't worry, everything Alexander knows will only benefit the average American like you and me. There's no reason to suspect that he is trading his high level of inside knowledge to benefit a bunch of rich people all around the globe. Because patriotism.

Or, as said: "For another million, I'll show you the back door we put in your router."


Rep. Alan Grayson is suspicious:

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

Copyright (c) 2014 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.
