Entries Tagged "tradecraft"

The Simple Trick that Will Keep You Secure from Government Spies

Last week, the German government arrested someone and charged him with spying for the US. Buried in one of the stories was a little bit of tradecraft. The US gave him an encryption program embedded in a—presumably common—weather app. When you select the weather for New York, it automatically opens a crypto program. I assume this is a custom modification for the agent, and probably other agents as well. No idea how well this program was hidden. Was the modified weather app the same size as the original? Would it pass an integrity checker?

Related: there is an undocumented encryption feature in my own Password Safe program. From the command line, type: pwsafe -e filename

Posted on July 7, 2014 at 1:51 PM

Explaining and Speculating About QUANTUM

Nicholas Weaver has a great essay explaining how the NSA’s QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against any government or criminal use of these sorts of techniques.

Posted on November 18, 2013 at 7:35 AM

The Story of the Bomb Squad at the Boston Marathon

This is interesting reading, but I’m left wanting more. What are the lessons here? How can we do this better next time? Clearly we won’t be able to anticipate bombings; even Israel can’t do that. We have to get better at responding.

Several years after 9/11, I conducted training with a military bomb unit charged with guarding Washington, DC. Our final exam was a nightmare scenario—a homemade nuke at the Super Bowl. Our job was to defuse it while the fans were still in the stands, there being no way to quickly and safely clear out 80,000 people. That scenario made two fundamental assumptions that are no longer valid: that there would be one large device and that we would find it before it detonated.

Boston showed that there’s another threat, one that looks a lot different. “We used to train for one box in a doorway. We went into a slower and less aggressive mode, meticulous, surgical. Now we’re transitioning to a high-speed attack, more maneuverable gear, no bomb suit until the situation has stabilized,” Gutzmer says. “We’re not looking for one bomber who places a device and leaves. We’re looking for an active bomber with multiple bombs, and we need to attack fast.”

A post-Boston final exam will soon look a lot different. Instead of a nuke at the Super Bowl, how about this: Six small bombs have already detonated, and now your job is to find seven more—among thousands of bags—while the bomber hides among a crowd of the fleeing, responding, wounded, and dead. Meanwhile the entire city overwhelms your backup with false alarms. Welcome to the new era of bomb work.

Posted on November 5, 2013 at 6:53 AM

Code Names for NSA Exploit Tools

This is from a Snowden document released by Le Monde:

General Term Descriptions:

HIGHLANDS: Collection from Implants
VAGRANT: Collection of Computer Screens
MAGNETIC: Sensor Collection of Magnetic Emanations
MINERALIZE: Collection from LAN Implant
OCEAN: Optical Collection System for Raster-Based Computer Screens
LIFESAFER: Imaging of the Hard Drive
GENIE: Multi-stage operation: jumping the airgap etc.
BLACKHEART: Collection from an FBI Implant
[…]
DROPMIRE: Passive collection of emanations using antenna
CUSTOMS: Customs opportunities (not LIFESAVER)
DROPMIRE: Laser printer collection, purely proximal access (***NOT*** implanted)
DEWSWEEPER: USB (Universal Serial Bus) hardware host tap that provides COVERT link over US link into a target network. Operates w/RF relay subsystem to provide wireless Bridge into target network.
RADON: Bi-directional host tap that can inject Ethernet packets onto the same targets. Allows bi-directional exploitation of denied networks using standard on-net tools.

There’s a lot to think about in this list. RADON and DEWSWEEPER seem particularly interesting.

Posted on October 23, 2013 at 10:03 AM

Silk Road Author Arrested Due to Bad Operational Security

Details of how the FBI found the administrator of Silk Road, a popular black market e-commerce site.

Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called “altoid” advertised he was looking for an “IT pro in the Bitcoin community” to work in a venture-backed startup. The post directed applicants to send responses to “rossulbricht at gmail dot com.” It came about nine months after two previous posts—also made by a user, “altoid,” to shroomery.org and Bitcoin Talk—were among the first to advertise a hidden Tor service that operated as a kind of “anonymous amazon.com.” Both of the earlier posts referenced silkroad420.wordpress.com.

If altoid’s solicitation for a Bitcoin-conversant IT Pro wasn’t enough to make Ulbricht a person of interest in the FBI’s ongoing probe, other digital bread crumbs were sure to arouse agents’ suspicions. The Google+ profile tied to the rossulbricht@gmail.com address included a list of favorite videos originating from mises.org, a website of the “Mises Institute.” The site billed itself as the “world center of the Austrian School of economics” and contained a user profile for one Ross Ulbricht. Several Dread Pirate Roberts postings on Silk Road cited the “Austrian Economic theory” and the works of Mises Institute economists Ludwig von Mises and Murray Rothbard in providing the guiding principles for the illicit drug market.

The clues didn’t stop there. In early March 2012 someone created an account on StackOverflow with the username Ross Ulbricht and the rossulbricht@gmail.com address, the criminal complaint alleged. On March 16 at 8:39 in the morning, the account was used to post a message titled “How can I connect to a Tor hidden service using curl in php?” Less than one minute later, the account was updated to change the user name from Ross Ulbricht to “frosty.” Several weeks later, the account was again updated, this time to replace the Ulbricht gmail address with frosty@frosty.com. In July 2013, a forensic analysis of the hard drives used to run one of the Silk Road servers revealed a PHP script based on curl that contained code that was identical to that included in the Stack Overflow discussion, the complaint alleged.

We already know that it is next to impossible to maintain privacy and anonymity against a well-funded government adversary.

EDITED TO ADD (10/8): Another article.

Posted on October 7, 2013 at 1:35 PM

Developments in Microphone Technology

What’s interesting is that this matchstick-sized microphone can be attached to drones.

Conventional microphones work when sound waves make a diaphragm move, creating an electrical signal. Microflown’s sensor has no moving parts. It consists of two parallel platinum strips, each just 200 nanometres deep, that are heated to 200° C. Air molecules flowing across the strips cause temperature differences between the pair. Microflown’s software counts the air molecules that pass through the gap between the strips to gauge sound intensity: the more air molecules in a sound wave, the louder the sound. At the same time, it analyses the temperature change in the strips to work out the movement of the air and calculate the coordinates of whatever generated the sound.

EDITED TO ADD (10/6): This seems not to be a microphone, but an acoustic sensor. It can locate sound, but cannot differentiate speech.

Posted on October 4, 2013 at 6:59 AM

NSA Job Opening

The NSA is looking for a Civil Liberties & Privacy Officer. It appears to be an internal posting.

The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to the Director of NSA for ensuring that privacy is protected and civil liberties are maintained by all of NSA’s missions, programs, policies and technologies. This new position is focused on the future, designed to directly enhance decision making and to ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies. The NSA CLPO will consult regularly with the Office of the Director of National Intelligence CLPO, privacy and civil liberties officials from the Department of Defense and the Department of Justice, as well as other U.S. government, private sector, public advocacy groups and foreign partners.

EDITED TO ADD (9/23): Better link here that allows new registration for prospective applicants—it’s Job ID 1039797.

Posted on September 23, 2013 at 1:14 PM

The Limitations of Intelligence

We recently learned that US intelligence agencies had at least three days’ warning that Syrian President Bashar al-Assad was preparing to launch a chemical attack on his own people, but weren’t able to stop it. At least that’s what an intelligence briefing from the White House reveals. With the combined abilities of our national intelligence apparatus—the CIA, NSA, National Reconnaissance Office and all the rest—it’s not surprising that we had advance notice. It’s not known whether the US shared what it knew.

More interestingly, the US government did not choose to act on that knowledge (for example, launch a preemptive strike), which left some wondering why.

There are several possible explanations, all of which point to a fundamental problem with intelligence information and our national intelligence apparatuses.

The first possibility is that we may have had the data, but didn’t fully understand what it meant. This is the proverbial connect-the-dots problem. As we’ve learned again and again, connecting the dots is hard. Our intelligence services collect billions of individual pieces of data every day. After the fact, it’s easy to walk backward through the data and notice all the individual pieces that point to what actually happened. Before the fact, though, it’s much more difficult. The overwhelming majority of those bits of data point in random directions, or nowhere at all. Almost all the dots don’t connect to anything.

Rather than thinking of intelligence as a connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Which picture is the relevant one? We have no idea. Turning that data into actual information is an extraordinarily difficult problem, and one that the vast scope of our data-gathering programs makes even more difficult.

The second possible explanation is that while we had some information about al-Assad’s plans, we didn’t have enough confirmation to act on that information. This is probably the most likely explanation. We can’t act on inklings, hunches, or possibilities. We probably can’t even act on probabilities; we have to be sure. But when it comes to intelligence, it’s hard to be sure. There could always be something else going on—something we’re not able to eavesdrop on, spy on, or see from our satellites. Again, our knowledge is most obvious after the fact.

The third is that while we were sure of our information, we couldn’t act because that would reveal “sources and methods.” This is probably the most frustrating explanation. Imagine we are able to eavesdrop on al-Assad’s most private conversations with his generals and aides, and are absolutely sure of his plans. If we act on them, we reveal that we are eavesdropping. As a result, he’s likely to change how he communicates, costing us our ability to eavesdrop. It might sound perverse, but often the fact that we are able to successfully spy on someone is a bigger secret than the information we learn from that spying.

This dynamic was vitally important during World War II. During the war, the British were able to break the German Enigma encryption machine and eavesdrop on German military communications. But while the Allies knew a lot, they would only act on information they learned when there was another plausible way they could have learned it. They even occasionally manufactured plausible explanations. It was just too risky to tip the Germans off that their encryption machines’ code had been broken.

The fourth possibility is that there was nothing useful we could have done. And it is hard to imagine how we could have prevented the use of chemical weapons in Syria. We couldn’t have launched a preemptive strike, and it’s probable that it wouldn’t have been effective. The only feasible action would be to alert the opposition—and that, too, might not have accomplished anything. Or perhaps there wasn’t sufficient agreement for any one course of action—so, by default, nothing was done.

All of these explanations point out the limitations of intelligence. The NSA serves as an example. The agency measures its success by the amount of data collected, not by the information synthesized or the knowledge gained. But it’s knowledge that matters.

The NSA’s belief that more data is always good, and that it’s worth doing anything in order to collect it, is wrong. There are diminishing returns, and the NSA almost certainly passed that point long ago. But the idea of trade-offs does not seem to be part of its thinking.

The NSA missed the Boston Marathon bombers, even though the suspects left a really sloppy Internet trail and the older brother was on the terrorist watch list. With all the NSA is doing eavesdropping on the world, you would think the least it could manage would be keeping track of people on the terrorist watch list. Apparently not.

I don’t know how the CIA measures its success, but it failed to predict the end of the Cold War.

More data does not necessarily mean better information. It’s much easier to look backward than to predict. Information does not necessarily enable the government to act. Even when we know something, protecting the methods of collection can be more valuable than the possibility of taking action based on gathered information. But there’s not a lot of value to intelligence that can’t be used for action. These are the paradoxes of intelligence, and it’s time we started remembering them.

Of course, we need organizations like the CIA, the NSA, the NRO and all the rest. Intelligence is a vital component of national security, and can be invaluable in both wartime and peacetime. But it is just one security tool among many, and there are significant costs and limitations.

We’ve just learned from the recently leaked “black budget” that we’re spending $52 billion annually on national intelligence. We need to take a serious look at what kind of value we’re getting for our money, and whether it’s worth it.

This essay previously appeared on CNN.com.

Posted on September 17, 2013 at 6:15 AM

Opsec Details of Snowden Meeting with Greenwald and Poitras

I don’t like stories about the personalities in the Snowden affair, because it detracts from the NSA and the policy issues. But I’m a sucker for operational security, and just have to post this detail from their first meeting in Hong Kong:

Snowden had instructed them that once they were in Hong Kong, they were to go at an appointed time to the Kowloon district and stand outside a restaurant that was in a mall connected to the Mira Hotel. There, they were to wait until they saw a man carrying a Rubik’s Cube, then ask him when the restaurant would open. The man would answer their question, but then warn that the food was bad.

Actually, the whole article is interesting. The author is writing a book about surveillance and privacy, one of probably a half dozen about the Snowden affair that will come out this year.

EDITED TO ADD (8/31): While we’re on the topic, here’s some really stupid opsec on the part of Greenwald and Poitras:

  • Statement from senior Cabinet Office civil servant to #miranda case says material was 58000 ‘highly classified UK intelligence documents
  • Police who seized documents from #miranda found among them a piece of paper with the decryption password, the statement says
  • This password allowed them to decrypt one file on his seized hard drive, adds Oliver Robbins, Cabinet Office security adviser #miranda

You can’t do this kind of stuff when you’re playing with the big boys.

Posted on August 30, 2013 at 1:54 PM

Stories from MI5

This essay is filled with historical MI5 stories—often bizarre, sometimes amusing. My favorite:

It was recently revealed that back in the 1970s—at the height of the obsession with traitors—MI5 trained a specially bred group of gerbils to detect spies. Gerbils have a very acute sense of smell and they were used in interrogations to tell whether the suspects were releasing adrenaline—because that would show they were under stress and lying.

Then they tried the gerbils to see if they could detect terrorists who were about to carry a bomb onto a plane. But the gerbils got confused because they couldn’t tell the difference between the terrorists and ordinary people who were frightened of flying, who were also pumping out adrenaline in their sweat.

So the gerbils failed as well.

Posted on August 14, 2013 at 12:06 PM