Entries Tagged "intelligence"

Page 20 of 25

Doctoring Photographs without Photoshop

It’s all about the captions:

…doctored photographs are the least of our worries. If you want to trick someone with a photograph, there are lots of easy ways to do it. You don’t need Photoshop. You don’t need sophisticated digital photo-manipulation. You don’t need a computer. All you need to do is change the caption.

The photographs presented by Colin Powell at the United Nations in 2003 provide several examples. Photographs that were used to justify a war. And yet, the actual photographs are low-res, muddy aerial surveillance photographs of buildings and vehicles on the ground in Iraq. I’m not an aerial intelligence expert. I could be looking at anything. It is the labels, the captions, and the surrounding text that turn the images from one thing into another. Photographs presented by Colin Powell at the United Nations in 2003.

Powell was arguing that the Iraqis were doing something wrong, knew they were doing something wrong, and were trying to cover their tracks. Later, it was revealed that the captions were wrong. There was no evidence of chemical weapons and no evidence of concealment. Morris’s mockery of the sweeping interpretations made in Powell’s photographs.

There is a larger point. I don’t know what these buildings were really used for. I don’t know whether they were used for chemical weapons at one time, and then transformed into something relatively innocuous, in order to hide the reality of what was going on from weapons inspectors. But I do know that the yellow captions influence how we see the pictures. “Chemical Munitions Bunker” is different from “Empty Warehouse” which is different from “International House of Pancakes.” The image remains the same but we see it differently.

Change the yellow labels, change the caption and you change the meaning of the photographs. You don’t need Photoshop. That’s the disturbing part. Captions do the heavy lifting as far as deception is concerned. The pictures merely provide the window-dressing. The unending series of errors engendered by falsely captioned photographs are rarely remarked on.

Posted on August 27, 2008 at 7:27 AMView Comments

World War II Deception Story

Great security story from an obituary of former OSS agent Roger Hall:

One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.

The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, “Mail!”

The lid opened, and in went two grenades.

Hall’s book about his OSS days, You’re Stepping on My Cloak and Dagger, is a must-read.

Posted on July 29, 2008 at 1:50 PMView Comments

The Case of the Stolen BlackBerry and the Awesome Chinese Hacking Skills

A high-level British government employee had his BlackBerry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.

That can’t look good on your annual employee review.

But it’s this part of the article that has me confused:

Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy’s password. Was this nonsense peddled to the press by the UK government, or is some “expert” trying to sell us something? The article doesn’t say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn’t think of. The article says that it’s Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the BlackBerry and then return it. Much better information that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you’re a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you’re not going to immediately burn him by stealing his BlackBerry. That’s just stupid.

Posted on July 22, 2008 at 10:05 AMView Comments

Man-in-the-Middle Attacks

Last week’s dramatic rescue of 15 hostages held by the guerrilla organization FARC was the result of months of intricate deception on the part of the Colombian government. At the center was a classic man-in-the-middle attack.

In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they’re talking to each other, and the attacker can delete or modify the communications at will.

The Wall Street Journal reported how this gambit played out in Colombia:

“The plan had a chance of working because, for months, in an operation one army officer likened to a ‘broken telephone,’ military intelligence had been able to convince Ms. Betancourt’s captor, Gerardo Aguilar, a guerrilla known as ‘Cesar,’ that he was communicating with his top bosses in the guerrillas’ seven-man secretariat. Army intelligence convinced top guerrilla leaders that they were talking to Cesar. In reality, both were talking to army intelligence.”

This ploy worked because Cesar and his guerrilla bosses didn’t know one another well. They didn’t recognize one anothers’ voices, and didn’t have a friendship or shared history that could have tipped them off about the ruse. Man-in-the-middle is defeated by context, and the FARC guerrillas didn’t have any.

And that’s why man-in-the-middle, abbreviated MITM in the computer-security community, is such a problem online: Internet communication is often stripped of any context. There’s no way to recognize someone’s face. There’s no way to recognize someone’s voice. When you receive an e-mail purporting to come from a person or organization, you have no idea who actually sent it. When you visit a website, you have no idea if you’re really visiting that website. We all like to pretend that we know who we’re communicating with—and for the most part, of course, there isn’t any attacker inserting himself into our communications—but in reality, we don’t. And there are lots of hacker tools that exploit this unjustified trust, and implement MITM attacks.

Even with context, it’s still possible for MITM to fool both sides—because electronic communications are often intermittent. Imagine that one of the FARC guerrillas became suspicious about who he was talking to. So he asks a question about their shared history as a test: “What did we have for dinner that time last year?” or something like that. On the telephone, the attacker wouldn’t be able to answer quickly, so his ruse would be discovered. But e-mail conversation isn’t synchronous. The attacker could simply pass that question through to the other end of the communications, and when he got the answer back, he would be able to reply.

This is the way MITM attacks work against web-based financial systems. A bank demands authentication from the user: a password, a one-time code from a token or whatever. The attacker sitting in the middle receives the request from the bank and passes it to the user. The user responds to the attacker, who passes that response to the bank. Now the bank assumes it is talking to the legitimate user, and the attacker is free to send transactions directly to the bank. This kind of attack completely bypasses any two-factor authentication mechanisms, and is becoming a more popular identity-theft tactic.

There are cryptographic solutions to MITM attacks, and there are secure web protocols that implement them. Many of them require shared secrets, though, making them useful only in situations where people already know and trust one another.

The NSA-designed STU-III and STE secure telephones solve the MITM problem by embedding the identity of each phone together with its key. (The NSA creates all keys and is trusted by everyone, so this works.) When two phones talk to each other securely, they exchange keys and display the other phone’s identity on a screen. Because the phone is in a secure location, the user now knows who he is talking to, and if the phone displays another organization—as it would if there were a MITM attack in progress—he should hang up.

Zfone, a secure VoIP system, protects against MITM attacks with a short authentication string. After two Zfone terminals exchange keys, both computers display a four-character string. The users are supposed to manually verify that both strings are the same—”my screen says 5C19; what does yours say?”—to ensure that the phones are communicating directly with each other and not with an MITM. The AT&T TSD-3600 worked similarly.

This sort of protection is embedded in SSL, although no one uses it. As it is normally used, SSL provides an encrypted communications link to whoever is at the other end: bank and phishing site alike. And the better phishing sites create valid SSL connections, so as to more effectively fool users. But if the user wanted to, he could manually check the SSL certificate to see if it was issued to “National Bank of Trustworthiness” or “Two Guys With a Computer in Nigeria.”

No one does, though, because you have to both remember and be willing to do the work. (The browsers could make this easier if they wanted to, but they don’t seem to want to.) In the real world, you can easily tell a branch of your bank from a money changer on a street corner. But on the internet, a phishing site can be easily made to look like your bank’s legitimate website. Any method of telling the two apart takes work. And that’s the first step to fooling you with a MITM attack.

Man-in-the-middle isn’t new, and it doesn’t have to be technological. But the internet makes the attacks easier and more powerful, and that’s not going to change anytime soon.

This essay originally appeared on Wired.com.

Posted on July 15, 2008 at 6:47 AMView Comments

N-DEx National Intelligence System

An article from The Washington Post:

Federal authorities hope N-DEx will become what one called a “one-stop shop” enabling federal law enforcement, counterterrorism and intelligence analysts to automatically examine the enormous caches of local and state records for the first time.

[…]

The expanding police systems illustrate the prominent roles that private companies play in homeland security and counterterrorism efforts. They also underscore how the use of new data—and data surveillance—technology to fight crime and terrorism is evolving faster than the public’s understanding or the laws intended to check government power and protect civil liberties, authorities said.

Three decades ago, Congress imposed limits on domestic intelligence activity after revelations that the FBI, Army, local police and others had misused their authority for years to build troves of personal dossiers and monitor political activists and other law-abiding Americans.

Since those reforms, police and federal authorities have observed a wall between law enforcement information-gathering, relating to crimes and prosecutions, and more open-ended intelligence that relates to national security and counterterrorism. That wall is fast eroding following the passage of laws expanding surveillance authorities, the push for information-sharing networks, and the expectation that local and state police will play larger roles as national security sentinels.

Law enforcement and federal security authorities said these developments, along with a new willingness by police to share information, hold out the promise of fulfilling post-Sept. 11, 2001, mandates to connect the dots and root out signs of threats before attacks can occur.

Posted on March 31, 2008 at 6:13 AMView Comments

NSA's Domestic Spying

This article from The Wall Street Journal outlines how the NSA is increasingly engaging in domestic surveillance, data collection, and data mining. The result is essentially the same as Total Information Awareness.

According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA’s own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge’s approval when a link to al Qaeda is suspected.

[…]

Two former officials familiar with the data-sifting efforts said they work by starting with some sort of lead, like a phone number or Internet address. In partnership with the FBI, the systems then can track all domestic and foreign transactions of people associated with that item—and then the people who associated with them, and so on, casting a gradually wider net. An intelligence official described more of a rapid-response effect: If a person suspected of terrorist connections is believed to be in a U.S. city—for instance, Detroit, a community with a high concentration of Muslim Americans—the government’s spy systems may be directed to collect and analyze all electronic communications into and out of the city.

The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information doesn’t generally include the contents of conversations or emails. But it can give such transactional information as a cellphone’s location, whom a person is calling, and what Web sites he or she is visiting. For an email, the data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.

Intelligence agencies have used administrative subpoenas issued by the FBI—which don’t need a judge’s signature—to collect and analyze such data, current and former intelligence officials said. If that data provided “reasonable suspicion” that a person, whether foreign or from the U.S., was linked to al Qaeda, intelligence officers could eavesdrop under the NSA’s Terrorist Surveillance Program.

[…]

The NSA uses its own high-powered version of social-network analysis to search for possible new patterns and links to terrorism. The Pentagon’s experimental Total Information Awareness program, later renamed Terrorism Information Awareness, was an early research effort on the same concept, designed to bring together and analyze as much and as many varied kinds of data as possible. Congress eliminated funding for the program in 2003 before it began operating. But it permitted some of the research to continue and TIA technology to be used for foreign surveillance.

Some of it was shifted to the NSA—which also is funded by the Pentagon—and put in the so-called black budget, where it would receive less scrutiny and bolster other data-sifting efforts, current and former intelligence officials said. “When it got taken apart, it didn’t get thrown away,” says a former top government official familiar with the TIA program.

Two current officials also said the NSA’s current combination of programs now largely mirrors the former TIA project. But the NSA offers less privacy protection. TIA developers researched ways to limit the use of the system for broad searches of individuals’ data, such as requiring intelligence officers to get leads from other sources first. The NSA effort lacks those controls, as well as controls that it developed in the 1990s for an earlier data-sweeping attempt.

Barry Steinhardt of the ACLU comments:

I mean, when we warn about a “surveillance society,” this is what we’re talking about. This is it, this is the ballgame. Mass data from a wide variety of sources—including the private sector—is being collected and scanned by a secretive military spy agency. This represents nothing less than a major change in American life—and unless stopped the consequences of this system for everybody will grow in magnitude along with the rivers of data that are collected about each of us—and that’s more and more every day.

More commentary.

Posted on March 26, 2008 at 6:02 AMView Comments

Searching for Terrorists in World of Warcraft

So, you’re sitting around the house with your buddies, playing World of Warcraft. One of you wonders: “How can we get paid for doing this?” Another says: “I know; let’s pretend we’re fighting terrorism, and then get a government grant.”

Having eliminated all terrorism in the real world, the U.S. intelligence community is working to develop software that will detect violent extremists infiltrating World of Warcraft and other massive multiplayer games, according to a data-mining report from the Director of National Intelligence.

Another article.

You just can’t make this stuff up.

EDITED TO ADD (3/13): Funny.

Posted on March 11, 2008 at 2:42 PMView Comments

Why Some Terrorist Attacks Succeed and Others Fail

In “Underlying Reasons for Success and Failure of Terrorist Attacks: Selected Case Studies” (Homeland Security Institute, June 2007), the authors examine eight recent terrorist plots against commercial aviation and passenger rail, and come to some interesting conclusions.

From the “Executive Summary”:

The analytic results indicated that the most influential factors determining the success or failure of a terrorist attack are those that occur in the pre-execution phases. While safeguards and controls at airports and rail stations are critical, they are most effective when coupled with factors that can be leveraged to detect the plot in the planning stages. These factors include:

  • Poor terrorist operational security (OPSEC). The case studies indicate that even plots that are otherwise well-planned and operationally sound will fail if there is a lack of attention to OPSEC. Security services cannot “cause” poor OPSEC, but they can create the proper conditions to capitalize on it when it occurs.
  • Observant public and vigilant security services. OPSEC breaches are a significant factor only if they are noticed. In cases where the public was sensitive to suspicious behavior, lapses in OPSEC were brought to the attention of authorities by ordinary citizens. However, the authorities must likewise be vigilant and recognize the value of unexpected information that may seem unimportant, but actually provides the opening to interdict a planned attack.
  • Terrorist profile indicators. Awareness of and sensitivity to behavioral indicators, certain activities, or past involvement with extremist elements can help alert an observant public and help a vigilant security apparatus recognize a potential cell of terrorist plotters.
  • Law enforcement or intelligence information sharing. Naturally, if security services are aware of an impending attack they will be better able to interdict it. The key, as stated above, is to recognize the value of information that may seem unimportant but warrants further investigation. Security services may not recognize the context into which a certain piece of information fits, but by sharing with other organizations more parts of the puzzle can be pieced together. Information should be shared laterally, with counterpart organizations; downward, with local law enforcement, who can serve as collectors of information; and with higher elements capable of conducting detailed analysis. Intelligence collection and analysis are relatively new functions for law enforcement. Training is a key element in their ability to recognize and respond to indicators.
  • International cooperation. Nearly all terrorist plots, including most of those studied for this project, have an international connection. This could include overseas support elements, training camps, or movement of funds. The sharing of information among allies appears from our analysis to have a positive impact on interdicting attack plans as well as apprehending members of larger networks.

I especially like this quote, which echos what I’ve been saying for a long time now:

One phenomenon stands out: terrorists are rarely caught in the act during the execution phase of an operation, other than instances in which their equipment or weapons fail. Rather, plots are most often foiled during the pre-execution phases.

Intelligence, investigation, and emergency response: that’s where we should be spending our counterterrorism dollar. Defending the targets is rarely the right answer.

Posted on February 28, 2008 at 6:25 AMView Comments

1 18 19 20 21 22 25

Sidebar photo of Bruce Schneier by Joe MacInnis.