A CNN reporter found some sensitive — but, technically, not classified — documents about Super Bowl security in the front pocket of an airplane seat.
Entries Tagged "operational security"
Page 2 of 7
In this article, detailing the Australian and then worldwide investigation of a particularly heinous child-abuse ring, there are a lot of details of the pedophile security practices and the police investigative techniques. The abusers had a detailed manual on how to scrub metadata and avoid detection, but not everyone was perfect. The police used information from a single camera to narrow down the suspects. They also tracked a particular phrase one person used to find him.
This story shows an increasing sophistication of the police using small technical clues combined with standard detective work to investigate crimes on the Internet. A highly painful read, but interesting nonetheless.
Tidbits from the New York Times:
The final phase of Mr. Hame’s training took place at an Internet cafe in Raqqa, where an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user’s online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked.
More than a year and a half earlier, the would-be Cannes bomber, Ibrahim Boudina, had tried to erase the previous three days of his search history, according to details in his court record, but the police were still able to recover it. They found that Mr. Boudina had been researching how to connect to the Internet via a secure tunnel and how to change his I.P. address.
Though he may have been aware of the risk of discovery, perhaps he was not worried enough.
Mr. Boudina had been sloppy enough to keep using his Facebook account, and his voluminous chat history allowed French officials to determine his allegiance to the Islamic State. Wiretaps of his friends and relatives, later detailed in French court records obtained by The Times and confirmed by security officials, further outlined his plot, which officials believe was going to target the annual carnival on the French Riviera.
Mr. Hame, in contrast, was given strict instructions on how to communicate. After he used TrueCrypt, he was to upload the encrypted message folder onto a Turkish commercial data storage site, from where it would be downloaded by his handler in Syria. He was told not to send it by email, most likely to avoid generating the metadata that records details like the point of origin and destination, even if the content of the missive is illegible. Mr. Hame described the website as “basically a dead inbox.”
The ISIS technician told Mr. Hame one more thing: As soon as he made it back to Europe, he needed to buy a second USB key, and transfer the encryption program to it. USB keys are encoded with serial numbers, so the process was not unlike a robber switching getaway cars.
“He told me to copy what was on the key and then throw it away,” Mr. Hame explained. “That’s what I did when I reached Prague.”
Mr. Abaaoud was also fixated on cellphone security. He jotted down the number of a Turkish phone that he said would be left in a building in Syria, but close enough to the border to catch the Turkish cell network, according to Mr. Hame’s account. Mr. Abaaoud apparently figured investigators would be more likely to track calls from Europe to Syrian phone numbers, and might overlook calls to a Turkish one.
Next to the number, Mr. Abaaoud scribbled “Dad.”
This seems like exactly the sort of opsec I would set up for an insurgent group.
EDITED TO ADD: Mistakes in the article. For example:
And now I’ve read one of the original French documents and confirmed my suspicion that the NYTimes article got details wrong.
The original French uses the word “boîte”, which matches the TrueCrypt term “container”. The original French didn’t use the words “fichier” (file), “dossier” (folder), or “répertoire” (directory). This makes so much more sense, and gives us more confidence we know what they were doing.
The original French uses the term “site de partage”, meaning a “sharing site”, which makes more sense than a “storage” site.
The document I saw says the slip of paper had login details for the file sharing site, not a TrueCrypt password. Thus, when the NYTimes article says “TrueCrypt login credentials”, we should correct it to “file sharing site login credentials”, not “TrueCrypt passphrase”.
MOST importantly, according the subject, the login details didn’t even work. It appears he never actually used this method — he was just taught how to use it. He no longer remembers the site’s name, other than it might have the word “share” in its name. We see this a lot: ISIS talks a lot about encryption, but the evidence of them actually using it is scant.
El chapo then switched to a complex system of using BBM (Blackberry’s Instant Messaging) and Proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days at a public place with Wi-Fi) this intermediary (or “mirror”) would then transcribe the text to an I-Pad and then send that over a Wi-Fi network (not cellular networks which were monitored constantly by law enforcement). This WiFi text was then sent to another cut-out who would finally transcribe the message into a Blackberry BBM text and transmit it to Guzman. Although Guzman continued to use his Blackberry, it was almost impossible to analyze the traffic because it now only communicated with one other device. This “mirror” system is difficult to crack because the intermediaries or proxies, can constantly change their location by moving to new WiFi spots.
This article claims he was caught because of a large food order:
After construction was complete, the safehouse was quiet. Until 7 January 2016, when a car arrives carrying unknown passengers. Security forces suspected that this was Guzman. There was one final indicator that someone important enough to require an entourage was inside. A white van went off, at midnight, to fetch enough tacos to feed a large group of people. The police raided the house 4 hours later.
Here’s more detail about El Chapo’s opsec at the time of his previous capture.
This article talks about the opsec used by Sean Penn surrounding his meeting with El Chapo.
Security experts say there aren’t enough public details to fully analyze Penn’s operational security (opsec). But they described the paragraph above as “incomprehensible” and “gibberish.” Let’s try to break it down:
- Penn describes using “TracPhones,” by which he likely means TracFones, which are cheap phones that take calling cards so they’re not linked to a credit card or account. They’re often called burners, but you don’t actually throw it in the trash after a call; instead you might swap out the SIM card or use different calling cards for different people. Hollywood loves these! Katie Holmes reportedly used one to plan her divorce from Tom Cruise. They’re a reasonable security measure, but it still creates phone records that live with, and can be requested from, cell phone carriers.
- Penn says he “mirror[ed] through Blackphones,” which are relatively expensive phones sold by Silent Circle that offer a more secure operating system than a typical off-the-shelf phone. It runs Internet through a VPN (to shield the user’s IP address and encrypt their Web traffic) and end-to-end encrypts calls and messages sent to other Blackphones. Unlike with the TracFone, Penn would have a credit card tied to the account on this phone. It’s unclear what Penn means when he says he “mirrored” through the phone; the phrase “mirrored” typically means to duplicate something. As he wrote it, it sounds like he duplicated messages on the secure Blackphone that were being sent some other, potentially less secure, way, which would be dumb, if true. “I’m not sure what he means.” said Silent Circle CEO Mike Janke via email. “It’s a strange term and most likely he doesn’t know what he is saying.”
- Penn says he used “anonymous” email addresses and that he and his companions accessed messages left as drafts in a shared email account. That likely means the emails were stored unencrypted, a bad security practice. If he were sharing the account with a person using an IP address that was the target of an investigation, i.e. any IP address associated with El Chapo’s crew, then all messages shared this way would be monitored. For the record, that did not work out very well for former CIA director David Petraeus, who used draft messages to communicate with his mistress and got busted when her IP address was targeted in an online harassment investigation.
- Elsewhere in the article, Penn says Guzman corresponded with Mexican actress Kate del Castillo via BBMs (Blackberry messages). Those only have unique end-to-end encryption if a user has opted for BBM Protected. Law enforcement has been able to intercept BBMs in the past. And Mexican officials have told the media that they were monitoring del Castillo for months, following a meeting she had last summer with El Chapo’s lawyers, before she had reached out to Penn. Law enforcement even reportedly got photos of Penn’s arrival at the airport in Mexico.
- In the most impressive operational, if not personal, security on display, Sean Penn says that when he traveled to Mexico, he left all of his electronics in Los Angeles, knowing that El Chapo’s crew would force him to leave them behind.
There has been lots of speculation about whether this was enough, or whether Mexican officials tracked El Chapo down because of his meeting with Penn.
Good operational security is hard, and often uses manual technologies:
Investigators described how Messina Denaro, 53, disdains telecommunications and relies on handwritten notes, or “pizzini,'” to relay orders. The notes were wadded tight, covered in tape and hidden under rocks or dug into soil until go-betweens retrieved them. The messages were ordered destroyed after being read.
That’s a classic dead drop.
Matthew Cole explains how the Italian police figured out how the CIA kidnapped Abu Omar in Milan. Interesting use of cell phone metadata, showing how valuable it is for intelligence purposes.
See also this example.
Here’s an article on making secret phone calls with cell phones.
His step-by-step instructions for making a clandestine phone call are as follows:
- Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
- Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
- After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
- Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
- Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m. — or another pre-arranged “dormant” time — on the following day;
- Wipe down and destroy handset.
Note that it actually makes sense to use a one-time pad in this instance. The message is a ten-digit number, and a one-time pad is easier, faster, and cleaner than using any computer encryption program.
Sidebar photo of Bruce Schneier by Joe MacInnis.