Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along with a broader story, in January of this year:
In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. The call back provided us access to further exploit the device and survey the network. Upon initiating the survey, SIGINT analysis from TAO/Requirements & Targeting determined that the implanted device was providing even greater access than we had hoped: We knew the devices were bound for the Syrian Telecommunications Establishment (STE) to be used as part of their internet backbone, but what we did not know was that STE's GSM (cellular) network was also using this backbone. Since the STE GSM network had never before been exploited, this new access represented a real coup.
Now Cisco is taking matters into its own hands, offering to ship equipment to fake addresses in an effort to avoid NSA interception.
I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.
Posted on March 20, 2015 at 6:56 AM
I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with:
The FBI obliged -- apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender’s anonymous Google Mail account to others accessed from the same computers, accounts that belonged to Petraeus biographer Paula Broadwell. The bureau could then subpoena guest records from hotels, tracking the WiFi networks, and confirm that they matched Broadwell’s travel history. None of this would have required judicial approval -- let alone a Fourth Amendment search warrant based on probable cause.
While we don't know the investigators’ other methods, the FBI has an impressive arsenal of tools to track Broadwell’s digital footprints -- all without a warrant. On a mere showing of "relevance," they can obtain a court order for cell phone location records, providing a detailed history of her movements, as well as all people she called. Little wonder that law enforcement requests to cell providers have exploded -- with a staggering 1.3 million demands for user data just last year, according to major carriers.
An order under this same weak standard could reveal all her e-mail correspondents and Web surfing activity. With the rapid decline of data storage costs, an ever larger treasure trove is routinely retained for ever longer time periods by phone and Internet companies.
Had the FBI chosen to pursue this investigation as a counterintelligence inquiry rather than a cyberstalking case, much of that data could have been obtained without even a subpoena. National Security Letters, secret tools for obtaining sensitive financial and telecommunications records, require only the say-so of an FBI field office chief.
While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.
The guest lists from hotels, IP login records, as well as the creative request to email providers for "information about other accounts that have logged in from this IP address" are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the "what" being communicated; the government's powers to determine "who" communicated remain largely unchecked.
This is good, too.
The EFF tries to explain the relevant laws. Summary: they're confusing, and they don't protect us very much.
My favorite quote is from the New York Times:
Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, said the chain of unexpected disclosures was not unusual in computer-centric cases.
"It's a particular problem with cyberinvestigations -- they rapidly become open-ended because there’s such a huge quantity of information available and it’s so easily searchable," he said, adding, "If the C.I.A. director can get caught, it’s pretty much open season on everyone else."
And a day later:
"If the director of central intelligence isn't able to successfully keep his emails private, what chance do I have?" said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation, a digital-liberties advocacy group.
In more words:
But there's another, more important lesson to be gleaned from this tale of a biographer run amok. Broadwell's debacle confirms something that some privacy experts have been warning about for years: Government surveillance of ordinary citizens is now cheaper and easier than ever before. Without needing to go before a judge, the government can gather vast amounts of information about us with minimal expenditure of manpower. We used to be able to count on a certain amount of privacy protection simply because invading our privacy was hard work. That is no longer the case. Our always-on, Internet-connected, cellphone-enabled lives are an open door to Big Brother.
Remember that this problem is bigger than Petraeus. The FBI goes after electronic records all the time:
In Google’s semi-annual transparency report released Tuesday, the company stated that it received 20,938 requests from governments around the world for its users’ private data in the first six months of 2012. Nearly 8,000 of those requests came from the U.S. government, and 7,172 of them were fulfilled to some degree, an increase of 26% from the prior six months, according to Google’s stats.
So what's the answer? Would they have been safe if they'd used Tor or a regular old VPN? Silent Circle? Something else? This article attempts to give advice; this is the article's most important caveat:
DON'T MESS UP
It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake -- forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once -- to ruin you.
"Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use," Mr. Blaze warned. "We've all made the mistake of accidentally hitting 'Reply All.' Well, if you're trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make."
In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.
Some people think that if something is difficult to do, "it has security benefits, but that’s all fake -- everything is logged," said Mr. Kaminsky. "The reality is if you don't want something to show up on the front page of The New York Times, then don't say it."
The real answer is to rein in the FBI, of course:
If we don't take steps to rein in the burgeoning surveillance state now, there’s no guarantee we'll even be aware of the ways in which control is exercised through this information architecture. We will all remain exposed but the extent of our exposure, and the potential damage done to democracy, is likely to remain invisible.
"Hopefully this [case] will be a wake-up call for Congress that the Stored Communications Act is old and busted," Mr Fakhoury says.
I don't see any chance of that happening anytime soon.
EDITED TO ADD (12/12): E-mail security might not have mattered.
Posted on November 19, 2012 at 12:40 PM
Dead drops have gone high tech:
Russia's Federal Security Service (FSB) has opened an investigation into a spying device discovered in Moscow, the service said Monday.
The FSB said it had confiscated a fake rock containing electronic equipment used for espionage on January 23, and had uncovered a ring of four British spies who worked under diplomatic cover, funding human rights organizations operating in Russia.
BBC had this to say:
The old idea of the dead-drop ('letterboxes' the British tend to call them) - by the oak tree next to the lamppost in such-and-such a park etc - has given way to hand-held computers and short-range transmitters.
Just transmit your info at the rock and your 'friends' will download it next day. No need for codes and wireless sets at midnight anymore.
Transferring information to and from spies has always been risky. It's interesting to see modern technology help with this problem.
Phil Karn wrote to me in e-mail:
My first reaction: what a clever idea! It's about time spycraft went hi-tech. I'd like to know if special hardware was used, or if it was good old 802.11. Special forms of spread-spectrum modulation and oddball frequencies could make the RF hard to detect, but then your spies run the risk of being caught with highly specialized hardware. 802.11 is almost universal, so it's inherently less suspicious. Randomize your MAC address, change the SSID frequently and encrypt at multiple layers. Store sensitive files encrypted, without headers, in the free area of a laptop's hard drive so they're not likely to be found in forensic analysis. Keep all keys physically separate from encrypted data.
Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won't be at all unusual.
To keep the counterespionage people from wiretapping the hotspot's ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.
I am reminded of a dead drop technique used by, I think, the 9/11 terrorists. They used Hotmail (or some other anonymous e-mail service) accounts, but instead of e-mailing messages to each other, one would save a message as "draft" and the recipient would retrieve it from the same account later. I thought that was pretty clever, actually.
Posted on January 31, 2006 at 7:17 AM
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.