Tag Archives: Central Intelligence Agency

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers show a little lock or some other icon to signify that the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates were issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get hold of those certificates, or work around them. This is a brazen attempt to do just that.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it may also have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised, the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others: Google Chrome and Firefox have been quick to respond, others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered the forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.
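The trust model behind all of this (a browser accepts any certificate that chains to a CA on its list, so a certificate minted by a breached CA for someone else’s domain passes until the vendor drops that CA) replayed in miniature with Go’s standard x509 package. This is an added example, not code from the original post or from any browser; the CA names, the expected-issuer table and the host constant are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds a certificate for name, signed by parent, or self-signed (a root such as
// a browser-trusted CA) when parent is nil. Everything here is constructed locally.
func mint(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		// A careful CA checks that the requester controls name before signing;
		// an intruder holding the CA's signing capability skips that step.
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// browserAccepts is the ordinary browser check: a chain to a root in the trust
// list, valid for the host the user typed.
func browserAccepts(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// issuerAsExpected is an extra check for a few high-value hosts: refuse a certificate
// whose issuer is not the CA that site is known to use. The table is hypothetical.
func issuerAsExpected(cert *x509.Certificate, expected map[string]string) bool {
	want, pinned := expected[cert.Subject.CommonName]
	if !pinned {
		return true // no entry for this host: chain validation alone decides
	}
	return cert.Issuer.CommonName == want
}

// Scenario replays the breach: accepted while the CA is trusted, after it is dropped, and under the issuer check.
func Scenario() (beforeRemoval, afterRemoval, issuerOK bool, err error) {
	const host = "www.google.com" // one of the domains the fake certificates covered
	breachedCA, caKey, err := mint("Breached Example Root CA", true, nil, nil)
	if err != nil {
		return
	}
	rogue, _, err := mint(host, false, breachedCA, caKey)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(breachedCA)
	beforeRemoval = browserAccepts(rogue, trusted, host)
	afterRemoval = browserAccepts(rogue, x509.NewCertPool(), host) // CA removed from the list
	issuerOK = issuerAsExpected(rogue, map[string]string{host: "Expected Example Root CA"})
	return
}

func main() {
	before, after, ok, err := Scenario()
	fmt.Printf("accepted while trusted=%v afterRemoval=%v issuerOK=%v err=%v\n", before, after, ok, err)
}
```

The rogue certificate validates perfectly while the breached root is on the list, which is why the only fixes available to users were the browser updates that removed it.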

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

Using Data to Find Bin Laden

Where they thought he was and where he was.

Great piece — Geographers Had Predicted Osama’s Possible Whereabouts – ScienceInsider (thanks, Daily Kos: Geographers predict Osama’s location), which tells the story of Thomas Gillespie, a UCLA geographer

who, along with colleague John Agnew and a class of undergraduates, authored a 2009 paper predicting the terrorist’s whereabouts, were none too shabby. According to a probabilistic model they created, there was an 88.9% chance that bin Laden was hiding out in a city less than 300 km from his last known location in Tora Bora: a region that included Abbottabad, Pakistan, where he was killed last night.

Here’s their original paper: web.mit.edu-mitir-2009-online-finding-bin-laden.pdf. It’s not as if these guys identified the town correctly (and the Science article has had to backtrack on some of its original assertions, and the comments aren’t kind), but they got a lot of things right: they figured out he was much more likely to be in a house than a cave, and in a relatively large town rather than a village, and that he was in Pakistan rather than somewhere else. They also predicted the kind of building he would be living in. In the end they were less than 300 km off.

Not bad, when you look at what the CIA was saying about him before (of course, they may have been trying to put people off the scent, but we know that it was only earlier this year that they had an idea he might be in the house:

Data, WikiLeaks and War

I’m not going to get into the rights and wrongs of the WikiLeaks thing. Nor am I going to look at the bigger implications for the balance of power between governed and governing, and between the U.S. and its allies and foes. Others have written much better than I can on these topics.

I want to look at what the cables tell us about the sorting, sifting and accessing of this information. In short, what does this tell us about how the world’s most powerful nation organized some of its most prized data?

To start with, I want to revisit a conversation I had sitting in the garden of a Kabul pub called the Gandermack a few weeks back, when it struck me: the biggest problem facing NATO in winning the war in Afghanistan is data.

I was talking to a buff security guy—very buff, in fact, as my female companions kept remarking—who belonged to what might once have been a rare breed, but is now in big demand in Afghanistan. He was a former marine (I think), but was also a computer guy with an anthropology or sociology degree under his black belt somewhere. This guy knew his stuff.

And he was telling the NATO forces where they were going wrong: data management.

The problem, he explained, is not that there isn’t enough of it. It’s that there’s too much of it, and it’s not being shared in a useful way. Connections are not being made. Soldiers are drowning in intelligence.

All the allied forces in Afghanistan have their own data systems. But, I was told, there’s no system to make sense of it. Nor is there one to share it. So data collected by a garrison from one country in one part of the country is not accessible by any of the other 48 nations.

On the surface it seems this problem was fixed. In the wake of 9/11 U.S. departments were told to stop being so secretive. Which is how we got to WikiLeaks–one guy apparently able to access millions of classified documents from pretty much every corner of the planet. If he could do it, then so could thousands of other people. And, one would have to assume, so could more than a few people who weren’t supposed to have access. To give you an idea of the trove unearthed, WikiLeaks has released about 1,000 so far, meaning it’s going to take them nearly seven years to get all the cables out. Cable fatigue, anyone?

So, it would seem that the solution to the problem of not having enough pooled information is to just let anyone have it. But that, it turns out, isn’t enough. That’s because what we see from the WikiLeaks material is how old it looks.

I spent much of the early 1980s trawling through this kind of thing as a history student. Of course, they were all declassified documents going back to the 1950s, but the language was remarkably similar, the structure, the tone, the topics, the look and feel. A diplomatic cable in 2010 looks a lot like a cable from 50 years ago. In the meantime communication has gone from the telegraph to the fax to email to blogs to the iphone to twitter to Facebook.

This, to me, is the problem. It’s not that we’ve suddenly glimpsed inside another world: We would have seen a lot of this stuff at some point anyway, though it’s useful to see it earlier. Actually we can take some succour from the fact that diplomats seem to be doing a pretty good job of reporting on the countries they’re posted to. Journalists shouldn’t be surprised; we’ve relied on diplomats for a while. (And they might rightly feel somewhat aggrieved we now do this to them.)

No, the problem that WikiLeaks unearths is that the most powerful nation on earth doesn’t seem to have any better way of working with all this information than anyone else. Each cable has some header material—who it’s intended for, who it’s by, and when it was written. Then there’s a line called TAGS, which, in true U.S. bureaucratic style, doesn’t actually mean tags but “Traffic Analysis by Geography and Subject”—a State Department system to organize and manage the cables. Many are two-letter country or regional tags—US, AF, PK etc—while others are four-letter subject tags—from AADP for Automated Data Processing to PREL for external political relations, or SMIG for immigration-related terms.

Of course there’s nothing wrong with this—the tag list is updated regularly (that last one seems to be in January 2008). You can filter a search by, say, a combination of countries, a subject tag and then what’s called a program tag, which always begins with K, such as KPAO for Public Affairs Office.

This is all very well, but it’s very dark ages. The trouble is, as my buff friend in the Kabul garden points out, there’s not much out there that’s better. A CIA or State Department analyst may use a computer to sift through the tags and other metadata, but that seems to be the only real difference between him and his Mum or Dad 50 years before.

My buff friend made a comparison with the political officer in today’s ISAF with a political officer (sometimes called an agent) back in the days of the British Raj. Back then the swashbuckling fella would ride a horse, sleep on the ground and know the Afghan hinterlands like the back of his hand, often riding alone, sipping tea with local chieftains to collect intelligence and use it to effect change (in this case meaning extend the already bulging British sphere of influence.) He would know the ins and outs of local tribal rivalries, who hated whom, etc. All of it stored in his head or in little notebooks.

His modern equivalent may actually have the same information, but it’ll be gleaned from the occasional photo opportunity, a squillion intelligence reports, all suitably tagged, and perhaps footage from a couple of drones. If the chieftain he’s interested in coopting straddles a regional command, chances are that he won’t be able to access anyone else’s information on him–assuming they have any.

In short, the problem in the military and diplomatic world is the same we’re facing in the open world. We have a lot more information than we can use—or keep track of—and it’s not necessarily making us any smarter. Computers haven’t helped us understand stuff better—they’ve just helped us collect, share, and lose more of it.

I must confess I’ve not made much progress on this myself. My main contribution is persuading a researcher friend to use a program called PersonalBrain, which helps you to join the dots between people, things, organisations, whatever you’re trying to figure out. It’s all manual though, which puts people off: What you mean I have to make the connections myself? Well, yes. Computers aren’t magic.

Yet. It’s clear to me that 10 years down the track, I hope, we’ll finally accept that writing in prose, and then adding a hierarchy of labels to a document, is no longer the way to go. Instead, we’ll be writing into live forms that make connections as we write, annotate on the fly, draw spindly threads to other parts of our text, and make everything come to life. I will be able to pull into the document visuals, audio, other people, old records, chronologies, maps, and work with the data in three dimensions.

If this sounds familiar, it’s probably because it sounds like science fiction, something like Minority Report. But it’s not; it’s a glimpse inside the mind of our imperial political agent; how he would make those connections because they were all in his head—neurons firing transmitters, axons alive, binding synapses.

If I were the U.S. government, I would take Cablegate as a wake-up call. Not at the effrontery of this humiliation, but as a chance to rethink how its data is being gathered and made use of. Cablegate tells us that the world of the cable is over.

Plaxo Moves Into Macland

Plaxo, the software and service that lets you update your contact details with others — and lets them update theirs with you — automatically, is now available for Mac. A press release issued today (thanks, Joseph) says the move “represents a major step toward the company’s vision to offer the first truly universal personal contact management service, accessible on any platform, email client, browser, or mobile device.”

This is an interesting way of putting it. Plaxo has weathered the criticism about privacy concerns — some of them from this humble blog, despite my support for the service as a whole — to expand beyond Microsoft Outlook to America Online, Mozilla Thunderbird, and Outlook Express. Users can also import contacts from their Netscape, Palm, Yahoo! Mail, and Hotmail accounts.

Like a lot of folk I’m torn over a service like this. On the one hand I can see the obvious benefits: Who better to update the contacts in your address book than the contacts themselves? But on the other hand, how many of the contacts in your address book would be happy that the information is being stored on some company server somewhere, without their knowledge or consent? Then again, that last sentence looks less problematic than it did a year or so back. We’ve heard so many cautionary tales about private data getting lost, stolen or abused that maybe we think this kind of thing isn’t important. Now, perhaps, we realise that Plaxo is not really the problem here. The problem lies in those companies deliberately collecting data on individuals, whether they’re ordinary Joes like you and me, or members of the CIA, as the Chicago Tribune recently discovered by searching a commercial online data service.

But I’m not sure that’s the case. The bottom line is complex: We should be as careful with other people’s data as we are with our own. If we don’t want a company to keep details of us we shouldn’t keep details of other people online. Of course, this refers as much to any web-based application or storage tool or networking site.


Did A Computer Virus Bring Down The Soviet Union?

Did software, deliberately programmed by the CIA to fail, hasten the end of the Soviet Union?

The Washington Post reports (registration required) that “President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline.”

It quotes a new memoir by Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time (At the Abyss: An Insider’s History of the Cold War, to be published next month by Ballantine Books) as saying the pipeline explosion was just one example of “cold-eyed economic warfare” that made the Soviet Union eventually “understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”

Aspects of this operation have been revealed before, but it’s still a pretty extraordinary tale, and makes one realise the power that software holds over us. And given that all this happened in 1982 or even earlier, does that make the CIA the first successful virus writers? The record is presently held by Fred Cohen, who created his first virus when studying for a PhD at the University of Southern California and presented his results to a security seminar on 10 November, 1983, according to the BBC website.

Column: USB and the CIA

Loose Wire — How to Steal CIA Secrets: It’s as easy as USB; Universal Serial Bus drives are getting small enough to hide in coffee mugs, and you can attach them to most computers and all sorts of other gadgets

By Jeremy Wagstaff
from the 5 June 2003 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.
I got some flak last time I was rude about how implausible technology is in Hollywood movies, even supposedly authentic fare such as Minority Report, The Bourne Identity and Mary Poppins. One comment was “grab a beer and chill out, dude, it’s only a movie,” though that doesn’t count because it was from my mother.

But I can’t help venting my spleen, if that’s what you do with spleen, after watching The Recruit with Al Pacino and Colin Farrell. It’s a thriller revolving around a recruit (no, really) to the Central Intelligence Agency trying to smuggle a top secret program out of CIA headquarters at Langley. There are some neat gadgets in there, such as biodegradable bugs and a program that hijacks nearby television screens. But the premise is that it’s well nigh impossible to steal data from the CIA since none of its computers have floppy drives, printers or (presumably, if we’re going to get finicky) infrared ports or Bluetooth dongles. In short, how do you transfer data if you can’t download it? I wanted to shout out suggestions but my friends, alerted by previous visits to the cinema, had gagged me beforehand.

Anyway, not a bad idea and not a bad movie. Except (skip the rest of this paragraph if you intend to watch the movie) someone succeeds in downloading the top secret program by plugging a USB drive into a USB socket on a CIA computer (USB is a commonly used port that allows users to connect gadgets to their computer). She then hides the said drive — about the size of a lighter — in her aluminium coffee mug. I mean, duh! I can’t believe they have USB sockets in Langley and that the X-ray machine confuses a gadget for coffee dregs. Tsk.

Anyway, it made me realize that Hollywood really, really needs my help in making their scripts believable. So here are some ideas for future movies, all involving existing USB gadgets:

— Our hero penetrates high-security installation, wanders nonchalantly up to floppy-less computer, and accesses USB port (inexplicably left on computer despite it being responsible for massive security breach as revealed in The Recruit). Uncoils USB cable from watch strap, plugs into USB port, downloads data into USB watch from German company LAKS (between $40 and $95 from www.laks.com).

— Our hero wanders nonchalantly up to floppy-less computer, plugs USB drive into USB port (amazingly still there despite aforementioned movie and pioneering column from tech writer), and accesses own e-mail via newly released PocoMail PE ($40 from www.pocomailpe.com). Okay, this doesn’t sound that wild, but it’s a great plot twist if you’re using someone else’s computer and they don’t have an e-mail program you need, or, in the case of our hero, you don’t want to leave any trace of yourself (say at an Internet cafe or a public library).

— Our hero has made off with the data on a USB drive. But he’s caught by the bad guys. Being avid readers of this column, they know what to look for and quickly locate the USB drive. But our hero’s drive is a bit different: Made by Singapore’s Trek 2000 International (www.thumbdrive.com), his ThumbDrive Touch has a silver pad that requires the user’s thumbprint before data can be accessed. Unfortunately for our hero, but great for a plot twist, the baddies simply cut off his thumb and plonk it on the biometric pad.

— Armed with a $100 MP306 USB drive from Azio Technologies (www. azio-tech.com/azi0-root/products/MP 306.asp), our hero fails to access the CIA computer because his nemesis has installed a SecuriKey Computer Protection System, Personal Edition ($130 from Griffin Technologies at http://securikey.com/personal/). This looks just like a USB drive but in fact works like a key: If it’s not plugged into the computer, then the computer locks up. Confounded, our hero sucks his remaining thumb and admires the silver metal mini-briefcase that the SecuriKey dongle comes in. Resigned, our hero reaches for his Azio USB drive, dons earphones, kicks back and listens to MP3 music files stored on the drive. Fiddling with the built-in equalizer for improved playback quality, he hears footsteps and quickly switches the USB drive to recorder mode to eavesdrop on two CIA officers passing by, griping about their canteen lunch.

Okay, so not all these plots will win prizes. But one thing I’m willing to bet my DVD collection on: USB drives will replace floppy drives, those flat disks of old, as PC manufacturers add USB ports to new models and remove external disk drives. Prices will drop further, meaning gadgets smaller than lighters will carry gigabytes of data for peanuts. Already you can buy a 1 gigabyte model for $300: Expect to pay half that in a year or less. They will be so cheap people will give them away: Visitors to a recent launch in Britain of Microsoft’s Windows Server 2003 were given freebie press bags with 32-megabyte USB drives inside.

In future, folk will carry around all their programs and data aboard one dongle and run it from any computer they come across, effectively personalizing the computer for however long they’re sitting at it, but without leaving any trace. Wait for the futuristic movie where everyone’s life is stored on a USB drive and every computer in the world is for public consumption. Interested? Call my agent.