atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

  <title><![CDATA[Hacker OPSEC]]></title>
  <link href="http://grugq.github.com/atom.xml" rel="self"/>
  <link href="http://grugq.github.com/"/>
  <updated>2015-01-28T07:51:10+07:00</updated>
  <id>http://grugq.github.com/</id>
  <author>
    <name><![CDATA[the grugq]]></name>
    <email><![CDATA[the.grugq@gmail.com]]></email>
  </author>
  <generator uri="http://octopress.org/">Octopress</generator>

  
  <entry>
    <title type="html"><![CDATA[Jihadist Fan Club CryptoCrap]]></title>
    <link href="http://grugq.github.com/blog/2014/08/09/jihadist-fan-crypto/"/>
    <updated>2014-08-09T20:41:00+07:00</updated>
    <id>http://grugq.github.com/blog/2014/08/09/jihadist-fan-crypto</id>
    <content type="html"><![CDATA[<p>Think of <em>Mujahideen Secrets</em> as a branded promotional tool, sort of
like if Manchester United released a branded fan chat app.</p>

<p>Although there has been a lot of FUD written about the encrypted messaging systems
developed and promoted by jihadis groups, very little has focused on the how
they are actually used. I wrote <a href="http://grugq.tumblr.com/post/93584051363/how-al-qaeda-uses-encryption-post-snowden-part-2">some notes about this earlier</a>
but wanted to expand on the subject in more depth.</p>

<h2>Web Warriors: Security Practices on Jihadi Web Forums</h2>

<p>There are a number of internet web forums that are used by supporters of the various
jihadi groups fighting in the middle east. These sites are primarily cheerleading
and &#8220;in grouping&#8221; social networks, rather than opertational message boards.</p>

<p>An important point to understand about these online forums is that they are about
group dynamics. They provide a mechanism for people to feel like they are part
of the struggle with a graded scale of committment. They dont actually need
to worry about getting their hands dirty or risking their lives (technically, they might be risking their lives and freedom).</p>

<p>The sites all attempt to educate their users on security best practices, for example
the Islamic State (nee ISIS) web forum heavily <a href="https://twitter.com/switch_d/status/484806826404618241/photo/1">promotes the use of TAILS</a>, AQAP <a href="https://twitter.com/switch_d/status/484809802363969538">advocates for Tor usage in a 9 page guide</a>. Despite
this, few users actually bother with security precautions. Indeed, many continue
to use Facebook and Skype as their <a href="https://twitter.com/Raed667/status/495791460915347456">primary communications channels</a> with fellow
online jihadists.</p>

<p>The encryption tools are branded software for self identifying
jihadis to <a href="https://twitter.com/Raed667/status/495791831721213952">feel like they belong</a>.
Indeed, other than the <a href="https://twitter.com/switch_d/status/495908728500404224">media outlets</a> who
emphasise the use of the tools (branding and messaging), the actual jihadis have
a hard time using the tools. Actual web jihadis <a href="https://twitter.com/switch_d/status/495909042490191872">complain of usability problems</a>
that prevent them from using the tools.</p>

<p>The media outlets for the different groups: IS, Nusra, AQ, all make sure that
their followers know about their own branded encrypted messenger. Indeed, this
is the primary clue to how these apps are actually used. They are branding tools
that promote in-group sentiment. &#8220;I&#8217;m using the AQ encrypted messenger, so I am
basically AQ&#8221;. These tools deliberately identify the user as a jihadi associate,
not by accident or due to bad security practice, but rather as a deliberate part
of their value proposition. &#8220;Use our encrypted messaging app and you will securely
let the world know that you are with us!&#8221;</p>

<p><img src="http://grugq.github.com/images/blog/jihobbyist_fan_club.jpg" alt="mujahideen secrets" /></p>

<p>All of the major apps are simply branded wrappers around industry standard
libraries, ciphers, and protocols. There is nothing particularly Islamic or
Jihadist about them except the branding. That is because <strong>the branding is actually the point</strong>.
These are just <a href="http://en.wikipedia.org/wiki/Signalling_theory">social signals</a>.
Using AQAP&#8217;s messaging tool is the rough equivalent of wearing a sports jersey.
It signals to others that there is group identity. (Of course, given the outlaw
nature of these groups it seems like an extremely poor life decision)</p>

<p>These apps are not designed for actual clandestine operational use. They are for
making a social statement. Signaling membership in a peer group. Despite this
simple purpose for using the apps, there is still remarkably low uptake amongst
the online jihadist set who still primarily rely on Facebook and Skype for comms.</p>

<p>So if almost no one is using the encryption apps, and those that do are using them
to signal membership in a broader organisation, what are the real jihadis using
operationally? <strong>Facebook</strong>.</p>

<h2>Jihadi Operational Covert Communications:</h2>

<p>There was a Facebook account <a href="https://www.facebook.com/profile.php?id=100004481327363&amp;fref=ufi">&#8220;sniper outside the law&#8221;</a> that was posting clear text, but coded, messages
believed to be related to jihadi operations in Tunisia. The account has been taken
down and the guy running it <a href="https://translate.google.com/translate?hl=en&amp;sl=ar&amp;tl=en&amp;u=http%3A%2F%2Fwww.shemsfm.net%2Far%2Factualite%2F%D8%A7%D9%84%D9%82%D8%A8%D8%B6-%D8%B9%D9%84%D9%89-%D8%B5%D8%A7%D8%AD%D8%A8-%D8%B5%D9%81%D8%AD%D8%A9-%D9%82%D9%86%D8%A7%D8%B5-%D8%AE%D8%A7%D8%B1%D8%AC-%D8%B9%D9%86-%D8%A7%D9%84%D9%82%D8%A7%D9%86%D9%88%D9%86-87983">was arrested</a>.</p>

<p>Here are some examples of what he was posting (<a href="http://pastebin.com/hT0DJT05">taken from here</a>):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>Eagle 1 group please change route to k :?via trees !.ch</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>Refiling will be through the loaded mule same place of refiling thank you</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>(Yesterdays posts (before today's attack))
</span><span class='line'>To all "units" please change direction towards .?k1 after 500m (meters?).
</span><span class='line'>Info came from scout about invaluable avant-post</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>Expecting news in the coming days we promise heavy news(important),
</span><span class='line'>For those fighting Islam? wake up before it is too late you traitors
</span><span class='line'>and snitches you will regret your tyranny</span></code></pre></td></tr></table></div></figure>


<h2>Jihadi Encryption Is Overrated</h2>

<p>The key take away is that the encrypted messaging apps from ISIS or AQAP are as
operationaly relevant as an encrypted messaging app from Man U or Liverpool. It
might be exciting for some hardcore fans who want to show their support, but the
real players don&#8217;t touch the stuff.</p>

<p>Real jihadis use <a href="http://grugq.tumblr.com/post/68453478391/secure-communications">secure codes</a> and <a href="http://www.theguardian.com/world/2014/jun/15/iraq-isis-arrest-jihadists-wealth-power">couriers</a>, not some Android toy My First Crypto Chat.</p>

<p><strong>Must Read</strong>: <a href="http://krypt3ia.wordpress.com/2014/08/09/post-hoc-ergo-propter-hoc-poop-recorded-future-and-the-jihadi-fud-o-sphere/">An article by Kryt3ia</a> (published minutes before me, the swine!)</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[When In Doubt, It's A Tout]]></title>
    <link href="http://grugq.github.com/blog/2014/06/16/when-in-doubt-its-a-tout/"/>
    <updated>2014-06-16T00:25:00+07:00</updated>
    <id>http://grugq.github.com/blog/2014/06/16/when-in-doubt-its-a-tout</id>
    <content type="html"><![CDATA[<h1>When in doubt, it&#8217;s a tout</h1>

<h2>Robust Operational Security Practices Aren&#8217;t Enough</h2>

<p>A British man, Lauri Love, has been <a href="http://www.theregister.co.uk/2014/02/28/lauri_love_us_federal_reserve_hacking_charges/">indicted for hacking</a>. The indictment
is thin on details, but does have some interesting OPSEC insights that can be teased out by the patient reader.</p>

<p>The <a href="http://www.justice.gov/usao/nj/Press/files/pdffiles/2013/Love,%20Lauri%20Indictment.pdf">indictment of Lauri Love</a> doesn&#8217;t reveal much about how he was identified. There is some interesting info about the operational security measures taken by his crew, and they appear robust. The lack of information on how Mr Love was caught, along with the revelation of good security practices suggests one thing: informant.</p>

<p>This post will only highlight the good operational security practices of the hacker group, since we don&#8217;t know what the mistakes were.</p>

<h2>Indictment Critical Analysis</h2>

<p>The indictment lists four members of the crew:</p>

<ol>
<li>Lauri Love, &#8220;nsh&#8221;, &#8220;peace&#8221;, &#8220;route&#8221;</li>
<li>CC-1 &#8220;in New South Wales, Australia&#8221;</li>
<li>CC-2 &#8220;in Australia&#8221;</li>
<li>CC-3 &#8220;in Sweden&#8221;</li>
</ol>


<p>If I were to venture a guess, I&#8217;d reckon that <em>CC-1</em> was caught first and became the informant used to take down the crew. I think this because <em>CC-1</em> has the most specific geographic information, and the others are more vague in their location. As if there was a lot of effort invested in locating <em>CC-1</em>, and then the investigation focussed in on Mr Love.</p>

<h2>Timeline</h2>

<ul>
<li>October, 2012: Start of the conspiracy</li>
<li>October 2, 2012: Army Network Enterprise Technology Command (&#8220;NETCOM&#8221;) hack</li>
<li>October 6, 2012: log of <code>nsh</code> on IRC discussing NETCOM hack with <em>CC-1</em>, later w/ <em>CC-2</em></li>
<li>October 7-8, 2012: Army Contracting Command&#8217;s Army Materiel Command (&#8220;ACC&#8221;) SQLI hack</li>
<li><p>October 10, 2012: LOVE discusses ACC hack on IRC</p></li>
<li><p>October, 2013: End of the conspiracy</p></li>
</ul>


<h2>Hacking 101</h2>

<p>The crew used scanners to locate vulnerable servers to exploit, and they shared the findings via their IRC.</p>

<pre><code>peace: so can pivot and scan for other vulns [vulnerabilities] 
peace: we might be able to get at real confidential shit
</code></pre>

<p>The crew used SQLI and ColdFusion exploits.</p>

<p>The crew used proxies and <code>Tor</code> to mask the origins of their attacks.</p>

<blockquote><p>conceal their attacks by disguising, through the use of Proxy Servers, the IP addresses from which their attacks originated. Defendant LOVE and the other Co-Conspirators further used the Tor network, which was an anonymizing proxy service, to hide their activities.</p></blockquote>

<h2>Operational Security Measures</h2>

<h3>Migration</h3>

<p>The crew moved comms to new systems <strong>and</strong> changed their identities when they did so. This is a very good practice. Unfortunately, it appears that at least one member was logging the comms traffic. This created a security problem that could be exploited
by the authorities.</p>

<pre><code>route: consideration 1 : behaviour profile should not change 
route: public side i mean 
route: so whatever "normal", activities we do 
route: should continue 
route: but we move from this irc to better system 
route: also 
route: these nicks should change 
route: i think 
route: when we get on new communications 
route: all new names
</code></pre>

<p><strong>OPSEC Violation</strong>: No logs, no crime. Do not keep any unnecessary logs. If
there is operationally critical information, make a record of that information.
Practically, this means: cut and paste into a file; keep that file encrypted.</p>

<p><strong>OPSEC Lesson</strong>: Migrating communications infrastructure and changing identities
regularly is a good idea. It creates chronologically compartmented silos of info
that limit the impact of a compromise. It can provide plausible deniability,
and it can reduce the severity of a compromise. Do not contaminate between the
compartments. And, of course, ensure that each commo channel is secure.</p>

<h3>Logistical Compartmentation</h3>

<p>For at least some operations (all?) the crew spun up a new dedicated support
server. This compartmented server was then discarded after use to minimize the
connection to the group and any other operations. This is very effective OPSEC.</p>

<pre><code>CC#2: but server must have no link to you or us
peace: :)
CC#2: when done we kill it
CC#2: for this plan
CC#2: we can reopen another one for other ongoing stuff
CC#2: but once this plan done we need to make sure they cannot all trace it back to us
</code></pre>

<p><strong>OPSEC Lesson</strong>: Compartment as much as possible for each operation to avoid
linking separate ops together. This also helps contain the damage if an operation
is compromised and an investigation launched. Dedicated logistical infrastructure
is best. Don&#8217;t forget to santize it, both at the beginning and the end of the op.</p>

<h2>Conclusion</h2>

<p>Even a group with robust operational security practices is vulnerable to the oldest
trick in the book: the informant. The take away lessons are slightly more interesting:</p>

<ul>
<li>Migrate comms and identity on a regular basis</li>
<li>Never store incriminating logs</li>
<li>Compartment heavily, and sanitize frequently</li>
</ul>


<p>So it is sad news for Mr Lauri Love facing hacking charges, but at least there&#8217;re
some valuable OPSEC lessons for the rest of us. Remember: No logs, no crime.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Episode 17]]></title>
    <link href="http://grugq.github.com/blog/2014/05/11/the-episode-17/"/>
    <updated>2014-05-11T02:37:00+07:00</updated>
    <id>http://grugq.github.com/blog/2014/05/11/the-episode-17</id>
    <content type="html"><![CDATA[<p>[this email was in response to a thread which started as a distress call
over the unusually poor quality of CFP proposals. It is the start of
some thoughts over how to &#8220;fix&#8221; the Info Sec Conference problem. ]</p>

<pre><code>X-Mailer: iPhone Mail (9A405)
From: the grugq &lt;thegrugq gmail com&gt;
Subject: Re: [redacted: name + title of the guilty talk]
Date: Thu, 5 Jan 2012 11:05:12 +0700
To: [conference committee list]

&gt;&gt; I have a different take on it [redacted-name]. I feel there is a lot of new
&gt;&gt; security research and work being done out there but it is being hidden
&gt;&gt; by the flood of introductory/survey/low-value talks. With 1,791 infosec
&gt;&gt; talks at cons record in 2010 (source: http://cc.thinkst.com/statistics/)
&gt;&gt; as an industry we've fucked ourselves and have elevated the role of a
&gt;&gt; speaking spot at a conference to something mythical and special when in
&gt;&gt; reality it has been watered down to the level that we've seen thus far
&gt;&gt; with the submissions to [this conference]


I agree to a large extent with this analysis, but I think there is
another facet that hasn't been brought up yet, which I call the "Episode
17a Ensign #3" problem.

(I'll be incendiary first, so if you're impatient you can stop reading
now and start flaming.)

Essentially (most) security cons are comic / star trek conventions, but
with less cosplay and even fewer girls. The conference talk might be
styled (somewhat) on the academic lecture, but realistically the
audience would rather a Steve Jobs style product unveiling than a
lecture. They want some background info to ground themselves and align
expectations, then they want the big product reveal at about 40 minutes
in; and for a real treat, a "one more thing".  (for product unveiling
see demo; and don't forget the tool release: "available right now, you
can download this today,... and hack the shit out of something")

This is entertainment, it is not knowledge transfer.

• most regional cons would be vastly improved as informal peer training
activities focused events. Like the LUGs and Python groups and so on.
Regular meetings to actively do something with a few "event centric"
talks thrown in as part of the evenings entertainment but also to guide
the discussions and activities along.  That's how you get people
learning shit, have them actually do it. Novel concept, eh? ;)

• the big cons get big names cause they have a symbiotic relationship.
And it doesn't require any backhanded arrangements; as a researcher with
a new topic to present, you're faced with two choices: blow your wad at
NoNameRegional Con, or save it for MassiveMediaExposure con in 4 months.
Guess which one will work more towards getting you laid?

This is why the big cons get the hit singles and the small cons get
supporting acts and "best of greatest hits" talks. It's part of why I
think conferences aren't helping the community very much.

• other problems include the high value that original research
frequently has, far in excess of the cost of the price of a ticket and
hotel... This makes independent researchers inclined to maximize value
on the market directly, rather than indirectly through conference driven
reputation building. For employees, they're in a similar situation
except their employers want to minimize liability and maximize ROI on
their big name researcher. So they aren't keen to release anything super
awesome, for free,  at a con (i.e. someone else's branded event).

So that leaves a reduced set of potential speakers, combined with an
incentive to present something sufficiently interesting to provide
entertainment but not sufficiently useful enough that it decreases in
value. Note: I say these are incentivized behaviors, not what everyone
(or anyone) does or wants to do.

• as a conference that isn't swamped with submissions, that means you
have to be proactive. For SyScan Taiwan 2011, we made a hit list of
topics we wanted, and another list of people who were either subject
matter experts on a target topic, or whom we wanted to meet up with. We
then spent about 6 weeks chasing every single speaker down personally
and inviting them to speak. In the end, if you see our line up, I think
it is fair to say this is an effective strategy for getting an AllStar
line up.

Obviously this isn't effective at finding new talent, because you can't
chase down someone you don't know exists).

That's why we, as a community need breeder events that help to make the
existing conferences stronger by finding the new talent, encouraging
them to develop their technical skills and their presentation skills
(they got to learn to entertain an audience for an hour, ). Presenting a
bit of research at the local security meetup is a good start to a career
of talking about typing on a keyboard...

Oh right, so how we're all just at a cosplay-free comic con.

So the one hour talk format isn't good for knowledge transfer,  it
rewards entertainers more than pure researchers. This leads to a few
super rockstars who deliver(ed) the goods, and know how to do a product
unveil at 42 minutes into their slot. This ends with a few Shatneresque
rockstars and loads of "ensign #3 from episode 17a, the one where
Shatner massaged the heap for an hour and then dropped shells all over
everything, it was the first time he did a multiple root in public. So
cool!!!"

The 1 hour presentation format is completely shit for knowledge
transfer. I  hold by the barcon inspiring theory that your new research
is either simple enough that you can explain it over a beer(ie .5min of
content) or something so complex that I want the white paper version to
work through at my own pace. There is genuine frustration at the
(frequently) horrible Product Unveil style talks which take an hour to
reveal 5 minutes of content.

On the other side is the frustration at talks which are made up of
potentially interesting info, but the slide deck is all lolcats, the
code is never released, and the presenter never writes up the white paper.
</code></pre>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[New York's Finest OPSEC]]></title>
    <link href="http://grugq.github.com/blog/2014/02/13/new-yorks-finest-opsec/"/>
    <updated>2014-02-13T19:35:00+07:00</updated>
    <id>http://grugq.github.com/blog/2014/02/13/new-yorks-finest-opsec</id>
    <content type="html"><![CDATA[<h2>NYPD Social Media Investigation OPSEC</h2>

<p>The NYPD created an operations formula for conducting undercover investigations on social media. The <a href="http://publicintelligence.net/nypd-social-network-investigations/">procedural document</a> reveals the operational security for these investigations. The security is founded on the use of an &#8220;online alias&#8221; (the officer&#8217;s undercover account) and strict compartmentation. Given the capabilities of the adversaries that the NYPD faces this is probably sufficient security.</p>

<p>It is a fascinating glimpse into the operational process of an investigation. Definitely worth reading to get a sense of what the police face when conducting an online investigation (hint: paperwork).</p>

<h2>Core NYPD OPSEC</h2>

<p>Fundamentally this is basic operational security grounded on compartmentation. The use of dedicated hardware, and pseudononymous internet access, allows the officer to create and operate an online undercover account without any links to the NYPD. The basic security precautions are designed to protect the officer&#8217;s laptop from being compromised. A compromised laptop could enable the adversary to conduct a counterintelligence investigation.</p>

<ul>
<li>Compartmentation:

<ul>
<li>Use dedicated hardward and pseudononymous internet connection (laptop + &#8220;aircard&#8221;)</li>
<li>Avoid accounts, usernames, passwords associated with NYPD</li>
<li>Avoid personal accounts and internet access</li>
</ul>
</li>
<li>Basic Computer Security:

<ul>
<li>Delete &#8220;spam&#8221;</li>
<li>Don&#8217;t open attachments</li>
<li>Exercise caution when clicking on links</li>
</ul>
</li>
</ul>


<p>This is very basic stuff, but should be more than sufficient against the adversaries that the NYPD pursues. These adversaries should not have access to any of the records of the phone company supplying the internet access.</p>

<h2>Primary Document</h2>

<p>Here is the information that is required to create the undercover account:</p>

<blockquote><ol type="a">
<li> Username (online alias)</li>
<li> Identifiers and pedigree to be utilized for the online alias, such as email address, username and date of birth.</li>
<li> Do not include password(s) for online alias and ensure password(s) are secured at all times.</li>
<li> Indicate whether there is a need to requisition a Department laptop with aircard.</li>
<li>Review photograph to be used in conjunction with online alias, if applicable.</li>
<li> Consider the purpose for which the photograph is being used and the source of the photograph.</li>
</ol>
</blockquote>

<p>Here is the full section dealing with operational security:</p>

<blockquote><h1>Operational Considerations</h1>

<p>When a member of the service accesses any social media site using a Department network connection, there is a risk that the Department can be identified as the user of the social media. Given this possibility of identification during an investigation, members of the service should be aware that Department issued laptops with aircards have been configured to avoid detection and are available from the Management Information Systems Division (MISD). A confidential Internet connection (e.g., Department laptop with aircard) will aid in maintaining confidentiality during an investigation. Members who require a laptop with aircard to complete the investigation shall contact MISD Help Desk, upon APPROVAL of investigation, and provide required information.</p>

<p>In addition to using a Department laptop with aircard, members of the service are urged to take the following precautionary measures:</p>

<ol type="a">
<li>Avoid the use of a username or password that can be traced back to the member of the service or the Department;</li>
<li>Exercise caution when clicking on links in tweets, posts, and online advertisements;</li>
<li>Delete “spam” email without opening the email; and</li>
<li>Never open attachments to email unless the sender is known to the member of the service.</li>
</ol>


<p>Furthermore, recognizing the ease with which information can be gathered from minimal effort from an Internet search, the Department advises members against the use of personal, family, or other non-Department Internet accounts or ISP access for Department business. Such access creates the possibility that the member’s identity may be exposed to others through simple search and counter-surveillance techniques.</p></blockquote>

<h2>Conclusions</h2>

<p>Undercover operations online rely on very basic operational security. Primarily compartmentation and reviews to ensure that the account isn&#8217;t going to be associated with the NYPD.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[A Fistful of Surveillance]]></title>
    <link href="http://grugq.github.com/blog/2014/02/10/a-fistful-of-surveillance/"/>
    <updated>2014-02-10T19:11:00+07:00</updated>
    <id>http://grugq.github.com/blog/2014/02/10/a-fistful-of-surveillance</id>
    <content type="html"><![CDATA[<p>The publication of <a href="https://firstlook.org/theintercept/article/2014/02/10/the-nsas-secret-role/">this piece</a> at <a href="https://firstlook.org/theintercept/">The Intercept</a> about NSA targeting via mobile phones prompted me to release this collection of notes. Some quotes and statements in the article wrongly promote the idea that the SIM card is the only unique identifier in a mobile phone. I&#8217;ve enumerated the identifiers that exist, and they go far beyond the SIM card. At a minimum the physical identifiers of a mobile phone are the <a href="http://en.wikipedia.org/wiki/International_mobile_subscriber_identity">IMSI</a> and the <a href="http://en.wikipedia.org/wiki/International_Mobile_Station_Equipment_Identity">IMEI</a>, that is the SIM card and the mobile phone hardware itself.</p>

<p>This is a short collection of notes I&#8217;ve put together on how you can be identified via your mobile phone. If you want to securely use a mobile phone, you&#8217;ll need to use a burner. This is non-trivial. <a href="http://b3rn3d.herokuapp.com/blog/2014/01/22/burner-phone-best-practices/">Here&#8217;s a good guide</a>.</p>

<h2>Clandestine Mobile Phone Use</h2>

<p>Mobile phones should primarily be used for signalling, rather than for actually communicating operational information. Remember the golden rule of telephone conversations:</p>

<ul>
<li>keep it short</li>
<li>keep it simple</li>
<li>stick to your cover</li>
</ul>


<h2>Identifiers</h2>

<ul>
<li><strong>Location</strong>

<ul>
<li>Specific location (home, place of work, etc.)</li>
<li><a href="http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html">Mobility pattern</a> (from home, via commuter route, to work) &#8211; very unique, 4 loc&#8217;s will identify 90%</li>
<li>Paired mobility pattern with a known device (known as &#8220;mirroring&#8221;, when two devices or more devices travel together)</li>
</ul>
</li>
<li><strong>Network</strong>

<ul>
<li>numbers dialed (who you call)</li>
<li>calls received (who calls you)</li>
<li>calling pattern (numbers dialed, for how long, how frequently)</li>
</ul>
</li>
<li><strong>Physical</strong>

<ul>
<li>IMEI (mobile phone device ID)</li>
<li>IMSI (mobile phone telco subscriber ID)</li>
</ul>
</li>
<li><strong>Content</strong>

<ul>
<li>Identifiers, e.g. names, locations</li>
<li>Voice fingerprinting</li>
<li>Keywords</li>
</ul>
</li>
</ul>


<h2>Mitigations</h2>

<h3>Turn it OFF, for real.</h3>

<p>Know how to turn the phone to a completely off state. This means removing the battery, taking out the SIM card and placing in a shielded bag (if possible). This <strong>really off</strong> state is how you store and transport the phone when not in use.</p>

<p>A note on storage: it should not be at your house or anywhere that is directly linked to you.</p>

<h3>Take a hike, buster</h3>

<p>Where you use the phone is itself very important. Never use it at locations which are associated with you, that means never at home, never at the office/work, never at a friend&#8217;s house. Never have the phone in an <strong>ON</strong> state at locations that are associated with you, or your immediate social network. Never.</p>

<p>Do not turn the phone in the same location as a phone associated with you. Make sure that your real phone is somewhere else, but not in an <strong>OFF</strong> state if possible. You don&#8217;t want the disappearance of one phone from the network to coincide with the appearance of another. Paired events are indicators of relation, and you want to avoid those as much as possible. You also want you regular phone to appear with a typical usage pattern, which means keeping it on as you normally would.</p>

<h3>Contamination, avoid it</h3>

<p>Never use different phones from the same location.</p>

<p>Never carry phones for different compartments together (keep them turned off, batteries out)</p>

<p>Never carry phones turned on over the same routes you normally take. Avoid patterns and predictability.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Codes, What Are They Good For?]]></title>
    <link href="http://grugq.github.com/blog/2013/12/21/codes-what-are-they-good-for/"/>
    <updated>2013-12-21T20:00:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/12/21/codes-what-are-they-good-for</id>
    <content type="html"><![CDATA[<h2>What is a Secure Communication?</h2>

<p>The goals of secure communications are the following. Some of these are surprisingly difficult to achieve:</p>

<ol>
<li>Make the <strong>content</strong> of a message <strong>unreadable</strong> to parties other than the intended one(s)</li>
<li>Make the <strong>meaning</strong> of a message <strong>inaccessible</strong> to parties other than the intended one(s)</li>
<li>Avoid <strong>traffic analysis</strong> — don’t let other parties know that a connection exists between the communicating parties</li>
<li>Avoid <strong>knowledge of the communication</strong> — don’t let other parties know the communication channel or pathway exists</li>
</ol>


<p>The first and second objectives can be accomplished using some combination of <strong>cryptography</strong> and <strong>coding</strong>. Unfortunately, this is the easy part. The more
complicated and difficult component of a secure communications infrastructure is
achieving the third and fourth objectives. For now, however, I will focus only
on the first two issues: protecting content, and meaning.</p>

<p>First lets define our terms so we can discuss the subject with clarity:</p>

<ul>
<li><strong>Cryptography</strong> systems that use transformation processes to turn <em>signal into noise</em>, by obscuring the symbols used for communication</li>
<li><strong>Coding</strong> systems that substitute or alter meaning, and thus hide the real message</li>
</ul>


<h2>The Eagle Has Landed</h2>

<p>Codes are extremely useful mechanisms for sending small messages, although as they are <em>plain text</em> their hidden mean can be revealed once the <em>key</em> is cracked. Another issue with codes is that they are inflexible, compared to a cipher system. Coding requires pre-arranged mappings of meanings (what symbols or words translate to what), or at least pre-arranged mechanisms to derive the mappings (e.g., book codes).</p>

<p>To be effective, a code must maintain <strong>proper grammar</strong>, be <strong>consistent</strong>, and fit a <strong>plausible</strong> pretext. If it fits these requirements, and is used appropriately (briefly, consistently, with <a href="http://www.stratfor.com/weekly/20100616_watching_watchers"><em>cover for action</em></a>) then a code system is an excellent choice for simple signalling purposes.</p>

<h3>Doing It Right</h3>

<p>During World War II the BBC cooperated with the intelligence services to send
open code signals to operatives in the occupied territories. These signals were
prearranged with the operatives, and then sent out at two scheduled times. This
signalling channel was used exclusively for indicating whether an operation was
going to take place.</p>

<p>The BBC would broadcast the signal for the first time at 1930, and then confirm
the signal at 2115. If the operation had been canceled before the second scheduled
signal window, the code phrase would not be repeated.</p>

<p>During the early phase of the war, the code system was slightly more complex.
There would be a positive code, and a negative code, for example: &#8220;Jeanne sends
her greetings&#8221; might be a &#8220;go code&#8221;, and &#8220;Jeanne says hello&#8221; might be the &#8220;abort
code&#8221;. Later this was simplified to just the positive code (a tradition that,
apparently, the CIA still follows).</p>

<h3>Doing It Wrong</h3>

<p>There are problems when codes are used inconsistently. For example, some <a href="http://www.wmob.com/cast.html">mafia codes</a> used oblique references to the boss as &#8220;aunt&#8221;, or &#8220;Aunt Julia&#8221;. This was very ineffective when the mafioso suffered pronoun slippage and called their &#8220;aunt&#8221; &#8220;he&#8221;.</p>

<ul>
<li>&#8220;Ah, Aunt Julia said he wanted to help me out, too.&#8221;</li>
</ul>


<h2>Codes Gone Wild</h2>

<p>I&#8217;ve collected some examples of <a href="http://grugq.tumblr.com/post/60890158036/al-qaedas-codes">real al Qaida codes</a> that were used actively used
prior to the 9/11 attacks. Other types of basic open code are &#8220;business code&#8221;,
which is also used by some criminal groups, where the actors are refered to as
business interests or rivals, and criminal activities are described as &#8220;projects&#8221;
or other innocuous business terms.</p>

<p>A simple code that was used by two KGB operatives was the phrase &#8220;I think we
should go fishing now&#8221;, which indicated that they should discuss business.</p>

<h3>KGB Says What?</h3>

<p>During the early stages of the KGB handling of their FBI penetration Hanssen,
they had a mishap with locating and loading the deaddrop for his payment. To
correct this error, they had to contact Hanssen by phone and use a code that was
not pre-arranged (there was no contingency in place for &#8220;what happens if we cant
find the dead drop&#8221;). The dead drop location was underneath a footbridge and the
KGB operative had placed his load underneath the wrong corner.</p>

<p>Since they had used a pretext of purchasing a used car for
their initial contact, the KGB continued to use that pretext for their &#8220;oops!&#8221;
communique. The KGB operative prepared his telephone conversation
thoroughly before hand so that it would sound natural and plausible:</p>

<blockquote><p>KGB: The car is still available for you as we have agreed last time, I prepared
all the papers and left them on the same table. You didn&#8217;t find them because I
put them in another corner of the table.</p>

<p>Hanssen: I see</p>

<p>KGB: You shouldn&#8217;t worry, everything is okay. The papers are with me now.</p>

<p>Hanssen: Good</p>

<p>KGB: I believe under these circumstances, its not necessary to make any changes
concerning the place and time. Our company is reliable, and we are ready to
give you a substantial discount which will be enclosed in the papers. Now,
about the date of our meeting. I suggest that our meeting will take place
without delay on Febuary 13, one, three, 1:00 PM. Okay? Feburary 13</p>

<p>Hanssen: &#8230;. Okay.</p></blockquote>

<p>The conversations is clearly stilted and strange, but no so strange as to draw
attention to itself. It also doesn&#8217;t reveal anything of the <strong>meaning</strong> that is
being relayed.</p>

<h3>Signaling Codes</h3>

<p>When creating a signaling code, it is important that the pretext for the signal
be broad and widely applicable. Generally it is better that the code be a
specific subject, rather than a specific phrase. Phrases are easy to mixup,
forget, or otherwise confuse. They are also more rigid and hard to work into
a conversation. A subject, on the other hand, is very easy to raise and discuss
in a plausible fashion without seeming forced or unnatural.</p>

<p>A final short code example. This is a signaling code, adapted from a novel,
however it accurately conveys how simple these codes can be. This is phone call
between two colleagues, where <em>Alice</em> has to signal an emergency has occured:</p>

<blockquote><p>Alice: Hi, sorry to call so late</p>

<p>Bob: No problem</p>

<p>Alice: Is our meeting scheduled for tomorrow at 8:30, or at 9?</p>

<p>Bob: It is 8:30, bright and early.</p>

<p>Alice: Ok, right. Just checking. Thanks, bye</p></blockquote>

<h2>Open Codes Fail Open</h2>

<p>When using a code to refer to a classified subject, even though unclassified terms
are used, the subject is still classified. This is a breach of security. See
the US Army <a href="http://www.ncms-isp.org/documents/COMSEC_Material.pdf">handbook on COMSEC</a>
section dealing with <em>ATTEMPTS TO DISGUISE INFORMATION</em> (Section 8.4).</p>

<blockquote><p>“Talking around” is a
technique in which you try to get the information across to the recipient in a
manner you believe will protect it. However, no matter how much you try to
change words about a classified or sensitive subject, it is still classified or
sensitive.</p>

<p>self-made reference system. This is an
attempt to encipher your conversation by using your own system. This system
rarely works because few people are clever enough to refer to an item of
information without actually revealing names, subjects, or other pertinent
information that would reveal the classified or sensitive meaning</p></blockquote>

<p>These are concerns to keep in mind when developing a code system for discussing
sensitive information.</p>

<h2>Final Thoughts</h2>

<p>Codes: keep them generic, keep them consistent, limit their use to simple signalling.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[In Search of OPSEC Magic Sauce]]></title>
    <link href="http://grugq.github.com/blog/2013/12/21/in-search-of-opsec-magic-sauce/"/>
    <updated>2013-12-21T05:15:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/12/21/in-search-of-opsec-magic-sauce</id>
    <content type="html"><![CDATA[<h2>Of Bomb Threats and Tor</h2>

<p>Recently (December 16th, 2013) there was a <a href="http://www.thecrimson.com/article/2013/12/16/unconfirmed-reports-explosives-four-buildings/">bomb threat at Harvard University</a>, during finals week. The threat was a hoax, and the <a href="http://www.thecrimson.com/article/2013/12/17/student-charged-bomb-threat/">FBI got their man</a> that very night. The <a href="https://drive.google.com/file/d/0Bzt0K7_O4qyqUlEtd2pUWE42amM/edit?usp=sharing">affidavit is here</a>.</p>

<p>This post will look at the tools and techniques the operative used to attempt
to hide his actions, why he failed, and what he should&#8217;ve done to improve his
OPSEC. As a hint: I provided an outline of what he should&#8217;ve done 6 months
ago in <a href="http://grugq.github.io/blog/2013/06/13/ignorance-is-strength/">&#8220;<strong>ignorance is strength</strong>&#8221;</a>.</p>

<p><strong>Disclaimer:</strong> This post is to outline why OPSEC is so difficult to get right,
even for people who go to Harvard. I am not encouraging any illegal behavior,
but instead analyzing how OPSEC precautions can be so difficult to get right.
Don&#8217;t send bomb threats.</p>

<h3>Key Takeaways</h3>

<ol>
<li>The phases of an operation</li>
<li>Counterintelligence (&#8220;know your enemy&#8221;) as a factor in operational design</li>
<li>Avoid reducing the set of suspects

<ul>
<li>If all students are suspects, all one needs to do is avoid narrowing the pool of potential suspects</li>
</ul>
</li>
</ol>


<h2>Strategic Objectives: Avoid Final Exam</h2>

<p>Strategically, the principal behind this operation (Eldo Kim) was attempting to avoid taking
a Final Exam scheduled for the morning of December 16th. To accomplish his objectives
he designed an operation that would cause an evacuation of the building where he
was to take his final. Rather than recruit an agent
and delegate the execution of the operation, the principal decided to do it himself.</p>

<p>This was not an enlightened decision.</p>

<h2>The Structure of All Things (for values of Things = &#8220;Operations&#8221;)</h2>

<p>All offensive operations share a similar core structure. This structure has been
known for a long time in the military, but is rarely applied in other fields.
Operations have distinct phases that they move through as they progress from vague
idea, to concrete plan, through execution and, finally, onto the escape.</p>

<p>The outline framework for an operation, all of the phases, is the following:</p>

<ol>
<li>Target Selection</li>
<li>Planning (and Surveillance)</li>
<li>Deployment</li>
<li>Execution</li>
<li>Escape and Evasion</li>
</ol>


<p>This framework is frequently used when dissecting a terrorist attack post mortem,
allowing the security forces to identify the agents involved in each phase. Ideally,
the security forces want to remove the people involved in the <em>Target Selection</em>
and <em>Planning</em> stages. These people tend to be the principals, and are more
valuable than the agents who actually perpetrate the attack.</p>

<p>For hacker groups, the operational phases are rarely acknowledged, and followed
in an ad hoc manner. Primarily because few hackers are aware of them. It would be
beneficial for hackers to understand the structure of preparing an operation
thoroughly, but that is an issue we&#8217;ll address another day.</p>

<p>As an aside, it is worth noting that these operational phases apply to a
consultancy making a sale, providing a service, dropping a deliverable, and then
vanishing. ;)</p>

<h2>College Kids are Inexperienced, News at 11.</h2>

<p>All real criminals know that the most important part of an operation is the
get away, the <em>git</em> (as it used to be called). Of course, real criminals don&#8217;t
go to Harvard University (although there&#8217;s an argument to be made that some
graduate from there), and so poor Eldo Kim had no one to teach him the criticality
of the final stage of an operation: <strong>Escape and Evasion</strong>.</p>

<h2>Operation &#8220;Doomed to Failure&#8221;</h2>

<p>The operative used an ad hoc approach to his operational design, and as a result
he made a fatal error. Here is his operational plan:</p>

<ul>
<li>Obtain Tor Browser Bundle</li>
<li>Select target email addresses &#8220;randomly&#8221; [see para 11]</li>
<li>Compose email</li>
<li>For each target email address

<ul>
<li>Create new GuerillaMail &#8220;account&#8221;</li>
<li>Send email (<a href="https://www.guerrillamail.com/compose">using this</a>)</li>
</ul>
</li>
</ul>


<p>For security, the operative chose to rely on a pseudonymous email tool and the
Tor anonymity network. He used the Tor Browser Bundle on OSX rather
than the TAILS distribution (see: para 11). Provided he closed the tab between
each session, there should be no forensic evidence left on the laptop.</p>

<p><strong>NOTE:</strong> When using <strong>Tor Browser Bundle</strong> close all the tabs and exit the
application when you are done. The TBB will clean up thoroughly after itself,
<em>but only on exit</em>! When you are done, shut it down. Runa&#8217;s <a href="https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf">paper</a> explores this in
detail.</p>

<h3>Phase 1: Target Selection</h3>

<p>The strategic target was the hall hosting the final exam. Tactically, the
principal selected &#8220;email addresses at random&#8221; to receive a bomb threat intended
to force an evacuation of the hall, along with a number of other cover locations.</p>

<h3>Phase 2: Planning</h3>

<p>This step appears to have been focused solely on the technical requirements of
masking the origination of the threatening emails. However, insufficient resources
were devoted to this phase, and therefore it was fundamentally flawed.</p>

<p>Here is the email he sent:</p>

<pre><code>shrapnel bombs placed in: 

science center 
sever hall 
emerson hall 
thayer hall 

2/4. guess correctly. 

be quick for they will go off soon
</code></pre>

<p>Clearly he intended to provide cover locations, and he attempted to prolong the
bomb search by suggesting that some locations where legitimately bomb free. It
is standard operating procedure for bomb threats to be investigated thoroughly
and in parallel.</p>

<h3>Phase 3: Deployment</h3>

<p>The operative chose to use GuerrillaMail to send the emails, and because
GuerrillaMail reveals the source IP of the sender, he also chose Tor to mask his
IP address. However, he used a monitored network to access Tor, which severely
limits the anonymity provided by Tor. This error was to prove fatal.</p>

<h3>Phase 4: Execution</h3>

<p>Kim used the Harvard University wifi network. To gain access, he had to login
with his username and password. The university monitors and logs all network
activity. This was the fatal error. He authenticated to the network, his IP was
used to access Tor, and this information was logged.</p>

<p>When the incident was investigated the FBI was able to pull the logs and determine
not just whether anyone had accessed Tor, but exactly <strong>who</strong> had accessed Tor.</p>

<h3>Phase 5: Escape and Evasion</h3>

<p>There was nothing at all done for this phase. It is worth noting that there is
little he could have done to prepare for an interview by seasoned professional
FBI interrogators. As an amateur, he stood approximately zero chance of surviving.</p>

<h2>Counterintelligence: Know your Adversary</h2>

<p>A study of the investigation methods used by the law enforcement officials
engaged to investigate bomb threats would have been beneficial for Mr Kim. He
would have realized that they would target the likely suspects, attempt to
narrow the suspect pool down to the minimum set, then start interviewing. The
more strongly the evidence points to a set of suspects, the more aggressive the
interviews will be. From &#8220;do you know anything about&#8230;&#8221; to &#8220;We have all the
evidence we need, why don&#8217;t you make it easy for yourself?&#8221;</p>

<p>Initially the suspects for the case would have been any student scheduled to
take an exam
at one of the targeted halls. This is doubtless a large number, and without any
specific information to go on, the chance of interviewing all of them is slim.
If, however, the FBI did interview all of them, the questioning would be general
and undirected, rather than specific and probing. An amateur, like Kim, who kept
his cool and simply denied any knowledge of the hoax would have had a reasonable
chance of evading suspicion.</p>

<p>Knowing the investigative techniques of his adversary would have allowed Kim to
design an operation that provided for a reliable escape and evasion phase. He
would have used an unmonitored network, in an unmonitored location near by the
school, to send his threats. This would have left the suspect pool extremely
large &#8211; &#8220;everyone&#8221;.</p>

<p>When planning an operation, know how the adversary will respond. This will allow
you to factor that response into your planning. If you do not know how your
adversary will respond, then their response will be a surprise. Do not allow
the reactive force to surprise you.</p>

<h2>There is no OPSEC magic sauce</h2>

<p>The content and context of the threat make it clear
that the originator of the emails was a student (or possibly a professor/TA trying
to avoid grading exams). The important thing to hide is <strong>which</strong> student, not
that it was a student. Therefore simply using a nearby cafe with free wifi should
have been sufficient to mask the specific identity of the operative. Assuming:</p>

<ul>
<li>there are cafes that do not know the operative by sight,</li>
<li>there are cafes that are not monitored by CCTV (wear a hat, don&#8217;t look up),</li>
<li>that he wore a simple disguise to reduce the recall of the witnesses (look generic), and</li>
<li>that a college kid in a cafe at 8am during Finals week is not unusual</li>
</ul>


<p>Using Tor from the college campus was a fatal error. The pool of suspects was
immediately reduced to &#8220;everyone that used Tor during the time the bomb threats
were sent&#8221;. Since Silk Road v1 has been shut down, that is obviously going to be
a small number.</p>

<h2>Lets call it half a win</h2>

<p>Strategically, the operation was successful. Eldo Kim will not have to take his
final exam. Or, indeed, other final exams he might not be prepared for. However,
it is hard to imagine this is the outcome he was hoping for.</p>

<p><strong>Suggested Reading</strong> <a href="http://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/">Runa&#8217;s analysis</a> of the Harvard Bomb Hoax</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Yardbird's Effective Usenet Tradecraft]]></title>
    <link href="http://grugq.github.com/blog/2013/12/01/yardbirds-effective-usenet-tradecraft/"/>
    <updated>2013-12-01T07:15:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/12/01/yardbirds-effective-usenet-tradecraft</id>
    <content type="html"><![CDATA[<h1>Survival in an Extremely Adversarial Environment</h1>

<blockquote><p>If your secure communications platform isn&#8217;t being used by terrorists and pedophiles, you&#8217;re probably doing it wrong. &#8211; [REDACTED]</p></blockquote>

<p>A few years ago a group of child pornographers was infiltrated by police who were
able to monitor, interact, and aggressively investigate the members. Despite
engaging in a 15 month undercover operation, only one in three of the pedophiles
were successfully apprehended. The majority, including the now infamous leader
<em>Yardbird</em>, escaped capture. The dismal success rate of the law enforcement
officials was due entirely to the strict security rules followed by the group.</p>

<p>This post will examine those rules, the reasons for their success, and the
problems the group faced which necessitated those rules.</p>

<p>(An examination of the group&#8217;s security from a slightly different perspective
was conducted by <code>Baal</code> and is available <a href="http://dee.su/uploads/baal.html">here</a>)</p>

<h2>Covert Organizations, Seen One, Seen &#8216;em All</h2>

<p>All covert organizations face a similar set of problems as they attempt to execute
on their fundamental mission &#8211; to <strong>continue to exist</strong>. A covert organization
in an adversarial environment faces a number of organizational challenges and
constraints. Fundamentally how it handles trade-offs between operational
security and efficiency mandates how group members perform their operational
activities. Strong OPSEC means low efficiency, while high efficiency necessitates
weak OPSEC. The strength of the oppositional forces dictate the minimum security
requirements of the covert organization.</p>

<p>Examining the operational activities &#8211; those actions the organization must engage
in to self perpetuate &#8211; allows us to evaluate their operational security decisions
within their environmental context.</p>

<h3>Operational Activities:</h3>

<p>The <em>Yardbird</em> child abuse content group (hereafter also called the <em>enterprise</em>)
had a number of core goals that had to be addressed to continue operation: they
needed to distribute their child abuse content to members; communicate between
members; raise funds to acquire new content; recruit new members (presumably for
access to additional child abuse content).</p>

<p>Explicitly stated, this is an enumerated list of the operational activities that
the group <strong>had</strong> to engage in to self perpetuate.</p>

<ol>
<li>Distribution of Child Abuse Content</li>
<li>Communication and Coordinate Action</li>
<li>Fund raising</li>
<li>Recruitment and Vetting</li>
</ol>


<p>Except for the first issue (strategically significant only to this group),
these are pretty typical activities for a clandestine organization. Besides their
defining operational activity, they need a communications channel, fund raising
capability, and membership management processes.</p>

<h2>Opposition Success: The Penetration</h2>

<p>The law enforcement authorities caught a pedophile distribution child abuse
content. He is a member of the <em>Yardbird</em> group and offers up complete access
to the group, along with archival logs, in exchange for leniency.</p>

<p>All of the information about this group comes from the <a href="https://drive.google.com/file/d/0Bzt0K7_O4qyqMi0ycjZFdzhxYTA/edit?usp=sharing">Castleman Affidavit</a>,
the <code>Baal</code> <a href="http://dee.su/uploads/baal.html">analysis</a>, and some <code>Baal</code> <a href="http://alt.privacy.anon-server.narkive.com/VRl3dTFH/the-fourth-of-yardbird-s-chums-grabs-his-ankles">follow ups</a>.</p>

<h2>A Frustrating Infiltration</h2>

<p>The law enforcement authorities were about to completely penetrate the <em>enterprise</em>
for a 15 month period from 2006-08-31 through 2007-12-15. During that time the
group&#8217;s posted 400,000 images and 1,1000 videos. The <em>enterprise</em> had approximately
45 active members, although <a href="http://alt.privacy.anon-server.narkive.com/VRl3dTFH/the-fourth-of-yardbird-s-chums-grabs-his-ankles">independent observers</a> have claimed this is low with
the real membership anywhere from 48 to 61.</p>

<p>The total number of arrests was 14, or somewhere around 1/3rd. A fully staffed,
highly motivated, well trained adversarial force with complete penetration of
a large complacent group was only about to achieve a one in three success rate.
The majority of those successes were achieved due to group members being insufficiently
cautious and violating the <em>enterprise</em> security rules. Obviously, these security
rules are extremely resilient against adversarial assault.</p>

<p>The members who were caught were those who violated the security SOP of the group:</p>

<ul>
<li>Accessing a newsgroup server without using Tor (e.g. VPN, or directly)</li>
<li>Revealing personal details about themselves</li>
<li>Contacting each other outside the group&#8217;s secure comms channel</li>
</ul>


<h2>Operational Activity: Distribution</h2>

<p>The <em>enterprise</em> was careful to ensure that the location of the encrypted files
containing child abuse images was a different newsgroup from the communications
newsgroup. One possible reason is to unlink the obvious encrypted group discussion
from the larger encrypted content posts. That is, they compartmented their
commo from their file sharing. As an additional, although superfluous step, the
<em>enterprise</em> would apparently alter the sequence number of the split binary
uploads so that reassembly would be hampered. What this cumbersome step added
beyond the existing PGP encryption is unclear (if your adversary can break PGP
they can probably figure out the order some files).</p>

<h2>Operational Activity: Communications</h2>

<p>The <em>enterprise</em> would use the primary newsgroup, at the start of the investigation
<code>alt.anonymous.messages</code>, to announce the location of a media cache for group
members. The communications newsgroup is always reserved strictly for communications.
The announcements regarding new downloads provided detailed instructions as to
the location of the child abuse content, plus how to download, assemble and decrypt it.</p>

<p>The group used a single shared PGP key for all members. On the one hand, this
would completely negate the security provided by PGP if the key falls into the
wrong hands. It also limits the groups ability to expel a member who transgresses
the rules and needs to be punished. On the other hand, the use of a shared key
makes key management significantly easier which is a serious concern when you
need to rekey every few months. Additionally, using only one key reduces the
ability of the adversary to determine group size by examining the PGP packets.
It also removes the potential for a group member to reuse a key that is linked
to their real identity. See <a href="http://ritter.vg/blog-deanonymizing_amm.html">this excellent</a> presentation for more details on those attacks.</p>

<h2>Operational Activity: Recruitment</h2>

<p>The <em>enterprise</em> expanded by allowing new members to join. There were clear
guidelines, procedures and rules for expansion. First there was a background
check to ensure that the prospective member was an established and active
participant in the wider community of child abuse image traders. Then an existing
member has to invite the prospect to the group. Finally, to demonstrate both
their deep involvement in the activity and to prove they are not an undercover
cop, they must pass a timed written test on the minutiae of various child abuse
victims and media.</p>

<h3>Vetting</h3>

<ul>
<li>Demonstrate active participation in the &#8220;trading scene&#8221;</li>
<li>Invited by existing member</li>
<li>Must exhibit deep domain specific knowledge via timed written test</li>
</ul>


<h2>Security Rules that Work</h2>

<ul>
<li>Never reveal true identity to another member of the group</li>
<li>Never communicate with another member of the group outside the usenet channel</li>
<li>Group membership remains strictly within the confines of the Internet

<ul>
<li>No member can positively identify another</li>
</ul>
</li>
<li>Members do not reveal personally identifying information</li>
<li>Primary communications newsgroup is migrated regularly

<ul>
<li>If a member violates a security rule, e.g. fails to encrypt a message</li>
<li>Periodically to reduce chance of law enforcement discovery</li>
</ul>
</li>
<li>On each <strong>newsgroup migration</strong>

<ul>
<li>Create new PGP key pair, unlinking from previous messages</li>
<li>Each member creates a new nickname

<ul>
<li>Nickname theme selected by <em>Yardbird</em></li>
</ul>
</li>
</ul>
</li>
</ul>


<h2>Root of Success</h2>

<p>The reason the majority of the group was able to avoid capture was in a small way
due to the technology they were using (Tor), but primarily it was adherence to the
security rules of the group. They had very good OPSEC and they followed it
consistently. Fundamentally, they had complete compartmentation within the group
&#8211; they did not reveal information to each other. The
law enforcement authorities were able to get logs of all their communications
traffic, plus logs of their IP addresses they used for posting. Everyone that
used Tor (as per the recommendation of <em>Yardbird</em>) was anonymous at the IP
layer. This protected them from a subpoena revealing their identity. As long as
there was no additional information that they had revealed about themselves in
their messages, they were secure against the opposition.</p>

<p>The use of PGP was essentially a No-OP in this case. It excluded the general
public from accessing the content of the communications traffic (and the child
abuse videos and images). It did not protect the traffic against analysis by the
opposition (who had successfully infiltrated the group). The encryption was not
a factor in their successful evasion. Rather, it was the content of the messages,
controlled and dictated by the security rules, which protected their secrets.</p>

<h2>Lessons Learned</h2>

<p>Guarding secrets involves not sharing them. Encryption can only ever protect the
content of a communique. Real security must start with the content itself, and
then use encryption as an additional layer.</p>

<h3>Note from the Editor</h3>

<p>(Feel free to skip this part if you don&#8217;t think studying how child pornographers
avoid capture is relevant)</p>

<p>When analyzing the activities of groups operating in an adversarial environment to learn what works, what doesn&#8217;t, and why, (unfortunately) the pool of covert organisations is somewhat limited: intelligence agencies; terrorist groups; hacker crews; narcos; insurgents; child pornographers&#8230; Few other groups face such a hostile operating environment that their security measures are really &#8220;tested&#8221;.</p>

<p>The group examined in this post had an incredibly effective set of security practices. They imposed strict compartmentation, regularly migrated identities and locations, required consistent Tor and PGP use, etc. They had legitimate punishments for people who transgressed the rules (expulsion) and they survived a massive investigation effort. Clearly, they were doing something right (actually a number of things).
Just as clearly, they are reprehensible people who engage in activity that is immoral and unethical, by any measure. (Paying for child pornography to be produced is flat out wrong, regardless on where you stand on the spectrum of <a href="http://falkvinge.net/2012/05/23/cynicism-redefined-why-the-copyright-lobby-loves-child-porn/">opinions regarding child porn laws</a>).</p>

<p>The thing is, there are basically no nice people who provide case studies of OPSEC practices. Most are engaged in violence, serious drug trafficking (at the &#8220;kill people for interfering&#8221; level), theft and manipulation of human beings, etc. Thats the nature of the beast.</p>

<p>People with well funded, trained and motivated adversaries have the strongest incentives to practice the highest level of security. They&#8217;re the ones to learn from.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[How to Win at Kung Fu and Hacking]]></title>
    <link href="http://grugq.github.com/blog/2013/11/22/challenges-for-hackers/"/>
    <updated>2013-11-22T20:02:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/11/22/challenges-for-hackers</id>
    <content type="html"><![CDATA[<h2>Everybody Was Hack Foo Fighting</h2>

<p>I&#8217;m going to discuss a serious problem with the organisational structure and
social dynamics of the hacker community, and why this puts hackers at risk.
Hackers operate essentially the same way as the henchmen in a kung fu movie:
they attack the adversary one by one by one&#8230; always losing. This is a terrible
way of developing a robust core of knowledge about which OPSEC techniques work,
which techniques fail, and why.</p>

<h2>Organisational Learning for Dummies</h2>

<p>There are two types of knowledge: individual, and organisational. Hackers are
very individualistic, and the knowledge they acquire tends to be very
practical; experience based. There are few hacker organisations that seek to
collect, retain, test and spread knowledge. The organistations that do crop up
are either some zines, which are knowledge artefacts that transmit techne, or
hacker groups, which share tool chains and experience. However, these hacker
groups have very short lifespans (measured in months and single digit years,
not decades). They are compartmented in that there is some effort made to
retain the group&#8217;s proprietary information, but internally they usually
have a very poor security posture. They are social groups in many ways, so
they are heavily compromised. As we say in infosec &#8220;crunchy on the outside,
chewy in the middle&#8221;.</p>

<p>Their opposition, the intelligence agencies and law enforcement departments,
have decades of organisational history and knowledge. The individual members
can display wide ranges of skill and competence, but the resources and core
knowledge of the organisation dwarf what any individual hacker has available.
Many of the skills that a hacker needs to learn, his clandestine tradecraft
and OPSEC, are the sort of skills that organisations are excellent at
developing and disseminating. These are not very good skillsets for an
individual to learn through trial and error, because those errors have
significant negative consequences. An organisation can afford to lose people
as it learns how to deal with the adversary; an individual cannot afford to
make a similar sacrifice &#8211; afterall, who would benefit from your negative
example?</p>

<h2>Challenges? More Like Opportunities!</h2>

<p>Hackers are facing some very serious challenges now:</p>

<ul>
<li>they lack organistations for collecting intelligence and knowledge about their adversary;</li>
<li>they face off against the adversary one at a time,</li>
<li>they learn very poorly from prior mistakes</li>
<li>they don&#8217;t even know what skills they need,</li>
<li>and perhaps most dangerously, they aren&#8217;t even aware they&#8217;re in the game</li>
</ul>


<p>It is amusing how many people think that interrogations involve violence and
torture. Successful elicitation far more frequently involves whiskey,
flattery, playing dumb, and being doubtful (&#8221;<em>really? I didn&#8217;t know it was
possible to do that. You must be pretty damn smart to have figured it
out&#8230;</em>&#8221;).</p>

<h2>Winning at Secrets</h2>

<p>There needs to be more information available on the techniques used during
investigations, as well as before they begin. There needs to be documentation
on how to evade those techniques, and why those evasions are successful. That
knowledge needs to be captured and dissemminated out to those who can use it.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[required reading]]></title>
    <link href="http://grugq.github.com/blog/2013/11/06/required-reading/"/>
    <updated>2013-11-06T07:23:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/11/06/required-reading</id>
    <content type="html"><![CDATA[<p>This is a short list of articles and papers that you absolutely must read if you want to understand OPSEC.</p>

<ul>
<li><p><a href="http://repository.library.georgetown.edu/bitstream/handle/10822/553096/mobleyBlake.pdf?sequence=1">Terrorist Group Counterintelligence</a> :: This is the thesis which later became the book <a href="http://www.amazon.com/Terrorism-Counterintelligence-Terrorist-Detection-Irregular/dp/0231158769">Terrorism and Counterintelligence</a>. Read at least one of them (the thesis is free).</p></li>
<li><p><a href="http://www.oss.net/dynamaster/file_archive/100102/0a947a77d762061cc87ec541c2d2dcc7/2010-01-02%20Dulles%20on%20Tradecraft%20via%20Srodes.pdf">Allen Dulles&#8217;s 73 Rules of Spycraft</a> :: This is the handbook of how to live and operate securely. It is 50 years old and it has aged remarkably well. Read it. Study it. This will be on the test.</p></li>
<li><p><a href="http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA505161">Clandestine Cellular Networks</a> :: This paper deals primarily with the lessons learned from fighting insurgents, but it is extremely valuable as a handbook on tradecraft. I previously posted just the tradecraft <a href="http://grugq.github.io/resources/tradecraft-howto.pdf">chapter</a> for people who don&#8217;t want to slog through all of it. I suggest reading all of it.</p></li>
<li><p><a href="http://igcc3.ucsd.edu/research/security/DACOR/presentations/Shapiro.pdf">The Terrorists Challenge: Security, Efficiency, Control</a> :: This paper examines the primary trade offs that need to be made when operating a covert organisation. If you have multiple people working in secret, managing them and their work requires making tradeoffs between security, efficiency and control. This paper will help you to understand those tradeoffs.</p></li>
</ul>


<h3>Optional</h3>

<ul>
<li><a href="http://www.tandfonline.com/doi/pdf/10.1080/10576100802670803">A Study of al Quaeda&#8217;s use of Intelligence and Counterintelligence</a> :: This pulls a lot of the information above into a single case study of a covert (terrorist) organisation planning and conducting an operation. Anything else you can lay your hands on by the author I recommend as well.</li>
</ul>

]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Morris Worm OPSEC lessons]]></title>
    <link href="http://grugq.github.com/blog/2013/11/06/morris-worm-opsec-lessons/"/>
    <updated>2013-11-06T04:08:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/11/06/morris-worm-opsec-lessons</id>
    <content type="html"><![CDATA[<h2>25th Anniversary of STFU about your computer crimes</h2>

<p>Reading <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/05/heres-what-the-morris-worm-prosecutor-thinks-about-aaron-swartz/">this interview</a> with the prosecutor of Robert Morris Jr about the Morris Worm there are a few cool OPSEC lessons we can learn.</p>

<h2>How was Morris caught?</h2>

<blockquote><p>One way was with computer forensics. Tracing back the source of the worm. The second way was one of Morris&#8217;s friends told The New York Times in response to some articles that John Markoff was writing he inadvertently gave his initials.</p></blockquote>

<p>There were a couple of ways that he was discovered. The first was the forensic analysis of the worm itself, and tracing that back to the original infection point. This sort of evidence shows where to look (the original infection), but it does not provide enough information to successfully prosecute. It is circumstantial so far, and given some careful sanitisation of the original box, it would be a very hard case to prove.</p>

<p>The far more damaging way that Morris was caught was via an OSINT case officer doing HUMINT collection (a reporter interviewing people about the worm). The journo managed to elicit information about the worm&#8217;s author (his initials). This is the sort of extremely damaging information leakage that happens when there is poor OPSEC. There was no anti-interrogation training provided to the members of the Morris cell (i.e. all his friends who knew about the development of the worm).</p>

<h2>Deny everything. Admit nothing. Or, you know, not.</h2>

<blockquote><p>he did testify that he wrote the worm. He came in and testified, &#8220;I did it, and I&#8217;m sorry.&#8221; I turned to my co-counsel and asked, &#8220;Should I prove he didn&#8217;t do it or he&#8217;s not sorry?&#8221;</p></blockquote>

<p>When the prosecution has to prove that you committed a felonious act, it is a lot easier for them when you <strong>confess</strong> on the stand. I can&#8217;t second guess the decisions of Morris&#8217; legal counsel, but unless you are instructed to do so by your lawyer: STFU.</p>

<h2>The Morris Cell and &#8220;Need to know&#8221;</h2>

<blockquote><p>We talked to his friends. His friends were witnesses for us. They didn&#8217;t have a choice.
There was a core group. &#8230;one of the meetings where Robert Morris was discussing the worm occurred at a Legal Seafood in Kendall Square&#8230;
He talked about how it was developed, how it worked, what vulnerabilities it exploited. At one point he was at a meeting back at Harvard, he got so excited that he literally jumped up on a table pacing back and forth on the table explaining how it worked&#8230;</p></blockquote>

<p>The close friends of Robert Morris, the Morris Cell, were fully briefed on all aspects of the worm. Its capabilities, its functionality, and its author&#8217;s real identity. None of the other members of the cell were actively exposed to the risks of the operation. They had no &#8220;need to know&#8221;.</p>

<p>This failure to STFU, to properly compartment the design and development of the worm, was a key factor leading to his capture and prosecution. Fortunately, things worked out well for him, in the long run.</p>

<h2>How to evaluate &#8220;Need to know&#8221;</h2>

<p>The rule of thumb is: <em>if someone is actively sharing the risk, they have a need to know</em>. This need to know is, of course, restricted to only those aspects of the operation in which they are actively involved.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[OPSEC isn't security through obscurity]]></title>
    <link href="http://grugq.github.com/blog/2013/11/04/opsec-isnt-security-through-obscurity/"/>
    <updated>2013-11-04T01:04:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/11/04/opsec-isnt-security-through-obscurity</id>
    <content type="html"><![CDATA[<h2>OPSEC revisited</h2>

<blockquote><p>The goal of OPSEC is to control information about your capabilities and intentions to keep them from being exploited by your adversary.</p></blockquote>

<p>In typical hacker fashion, the term OPSEC has come to mean more than just information about capabilities and intentions, but also personal information about the yourself.</p>

<h2>Kerckoff&#8217;s Principle and OPSEC</h2>

<p>A common source for the idea that &#8220;security through obscurity is bad&#8221; is <a href="http://en.wikipedia.org/wiki/Kerckhoffs%27_principle">Kerckoffs&#8217; principle</a> which states that: <code>A cryptosystem should be secure even if everything about the system, except the key, is public knowledge</code>. OPSEC as a system of security is sometimes confused with &#8220;security through obscurity&#8221;. This is not the case. Such thinking reflects a confusion of both the problem with opaque security systems and the foundations of OPSEC.</p>

<h2>OPSEC is a System</h2>

<p>The way to clear this confusion, I believe, is to point out that OPSEC is a security system, not any one specific practice. The system itself is open source, in that we know how and why the various techniques and practices work. For example, the tradecraft technique of a <a href="http://en.wikipedia.org/wiki/Dead_drop">dead drop</a> is public knowledge. The security of a dead drop is not that no one knows how they work, but rather the adversary does not know <strong>where</strong> a specific dead drop is locate, nor <strong>when</strong> that dead drop is being serviced (loaded or unload). That information, primarily the location of that dead drop, is the <strong>secret key</strong> to the dead drop security system. This information is what must remain secret for the dead drop to remain secure.</p>

<h2>Why OPSEC Works</h2>

<p>So OPSEC as a system of security does not violate Kerckoff&#8217;s principle, and is not &#8220;security through obscurity&#8221;. The specifics of any one application of OPSEC techniques provide security, but those are analogous to the private key to the system. If they are compromised, then security they provide will be be compromised.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Observations on OPSEC]]></title>
    <link href="http://grugq.github.com/blog/2013/10/21/observations-on-opsec/"/>
    <updated>2013-10-21T19:03:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/10/21/observations-on-opsec</id>
    <content type="html"><![CDATA[<p>Briefly, I would like to highlight some important considerations for good OPSEC. Firstly, OPSEC is a mode of operating, not a tool or a collection of tools. Secondly, OPSEC comes at a cost, and a significant part of that cost is efficiency. OPSEC is slow. Finally, maintaining a strong security posture (i.e. “good OPSEC”) for long periods of time is very stressful, even for professionally trained espionage officers.</p>

<p>Learning good OPSEC requires internalizing the behavioural changes required to continually maintain a strong security posture. The operational activities have to become habit, because the small things matter, and every careless mistake can compromise security. The only way to develop good OPSEC habits, good security hygiene, is to practice. Make the foolish beginners mistakes during a practice session, rather than in the field. Two relevant sayings:</p>

<ul>
<li>Amateurs practice until they get it right, professionals practice until they can’t get it wrong</li>
<li>The more you sweat in peace, the less you bleed in war</li>
</ul>


<p>After developing good security hygiene habits, the second most difficult thing about good OPSEC is learning patience. Increased OPSEC security comes at the cost of efficiency, primarily in communication time-frames. The OPSEC mechanisms that must be in place to reduce the risks during communication add latency. As a result, communication takes significantly longer and is less reliable. Obviously, this is more of an issue with time sensitive operations than those that have more generous deadlines.</p>

<p>The single greatest security risk is communication between operatives. Clandestine agencies, such as the CIA, MI6, DGSE, etc. will work incredibly hard to minimize the risks surrounding communication with their recruited agents. In the simplest form, this involves a 2-4 hour “surveillance detection route” (SDR) to see if they are “in the black” before they perform any operational activity. This is on top of the hours of planning for the operation itself (note: these are minimums, operations requiring high security might take weeks or months of planning, and 12 hour SDRs).</p>

<p>The technology that exists to facilitate information security, e.g. encryption, is important, but it is not sufficient or even the starting point for robust OPSEC. By all means, learn to use encryption software correctly and in a properly secure fashion. However, it is more important to compartment sensitive activities and structure your operational environment for impact containment than
install use particular software.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Silk Road Security]]></title>
    <link href="http://grugq.github.com/blog/2013/10/10/silk-road-security/"/>
    <updated>2013-10-10T18:53:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/10/10/silk-road-security</id>
    <content type="html"><![CDATA[<h2>Counterintelligence Lessons for Drug Dealers</h2>

<p><strong>NOTE</strong> Events have overtaken my slow writing speed. This post was in the works
before the Silk Road bust in September 2013. I&#8217;m uploading it anyway because it
has some useful information, however there seems little point in finish it now.</p>

<p>The dealers on Silk Road ship a large amount of illegal products around the world, and it is clear that they&#8217;re successful at it. However, the US Postal service has been aware that drug dealers user their service for shipping illegal substances and has developed guidelines for determining suspect packages efficiently. Unfortunately for them, those guidelines have leaked and this allows someone abusing the US mail as an illicit distribution channel to evade the USP&#8217;s checks.</p>

<h2>Suspicious Post Guidelines</h2>

<p>The actual <a href="http://teknopolitik.tumblr.com/post/48178417204/fbi-law-enforcement-bulletin-via-findarticles">guidelines for suspicious packages</a> list a number of major indicators that the inspectors look for. This guide is somewhat outdated, and a <a href="http://www.orlandocriminaldefenseattorneyblog.com/2012/05/drug-trafficking-via-express-m.html">revised version</a> has also be leaked. In both cases, the <strong>triggers</strong> and the reasoning behind them are similar.</p>

<h3>FBI Profiling Criteria</h3>

<ol>
<li>Heavy taping along the seams;</li>
<li>poor preparation for mailing;</li>
<li>uneven weight distribution;</li>
<li>apparent package reuse; and</li>
<li>labels that are handwritten, contain misspellings, originate from a drug-source State, indicate person-to-person not business-to-individual mail, have a return zip code that does not match the accepting post office zip code, a fictitious return address, names of senders or recipients with features in common (John Smith, e.g.) and having no connection to either address</li>
</ol>


<h3>Drug Mail Profile</h3>

<ol>
<li>the use of Express Mail,

<ul>
<li>Express Mail is primarily used by businesses for document delivery.</li>
</ul>
</li>
<li>the weight of the package,

<ul>
<li>drug traffickers are mailing approximately one kilo of cocaine per package, plus some dummy weights</li>
</ul>
</li>
<li>the package is sent from Puerto Rico, a known drug source location,</li>
<li>the package was mailed from a post office address outside of the zip code on the return address,</li>
<li>an Accurint check reveals that no one by the sender&#8217;s name lived at the return address,

<ul>
<li>Police will also check Google and Facebook to get more information</li>
</ul>
</li>
<li>the package is heavily taped at all seams

<ul>
<li>heavy taping may or may not help evade detection by drug sniffing dogs&#8211;but we know one thing for sure&#8211;it certainly helps draw police attention to the package!</li>
</ul>
</li>
<li>the label is handwritten

<ul>
<li>Since most Express Mail is business-to-business, or business-to-client, labels that aren&#8217;t typed are suspect</li>
</ul>
</li>
</ol>


<h3>Collated</h3>

<p>Anything that looks like someone is sending slightly over an even metric weight of <em>something</em>, from a known suspect location, to another person, in an old heavily taped package with a fake return address. Sounds like bad tradecraft.</p>

<ol>
<li>Suspicious packaging

<ul>
<li>Heavy taping</li>
<li>Package reuse</li>
</ul>
</li>
<li>Not business mail

<ul>
<li>No printed label</li>
<li>Clearly not documents</li>
<li>Individual to individual</li>
</ul>
</li>
<li>Known suspicious origin

<ul>
<li>Occasionally specific post offices</li>
<li>Specific countries (Puerto Rico)</li>
</ul>
</li>
<li>Flimsy &#8220;return address&#8221; cover

<ul>
<li>Fake name</li>
<li>Mismatched name + address</li>
<li>Mismatched address + zipcode</li>
</ul>
</li>
</ol>


<p>Main points to take away:</p>

<ul>
<li>drug packages appear different from normal mail</li>
<li>many factors are contribute to creating a plausible cover/alias.</li>
<li>The packaging of a drug shipment provides a cover, which needs to be backstopped.</li>
</ul>


<p>Don&#8217;t make shit up, do your research and steal an identity with a real address.</p>

<h2>Backstop your cover</h2>

<p>When creating a cover, make sure it is as fully fleshed out as possible. This means developing supporting evidence to bolster the validity of the cover. In intelligence lingo, this is called backstopping.</p>

<p>A backstopped cover is one where checks to verify the authenticity of the cover story are verifiable. For example, if the cover story includes a name, there are matching identity documents; if there is an phone number, it connects to someone who will substantiate the cover story; if there is an address, it exists. The old Soviet illegals used to spend years developing their cover and backstopping them. They&#8217;d live for a few years in a country they claimed to be immigrating from, so they would have the memories, experience and verifiable evidence that they were from there.</p>

<p>If you are going to use a cover (you probably should), then put in the effort to create a backstop. The complexity and depth of that backstop are dependant on how deeply the cover will be investigated. Remember though, it is better to have too much, than not enough&#8230;</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[It was DPR, in the Tor HS, with the BTC]]></title>
    <link href="http://grugq.github.com/blog/2013/10/09/it-was-dpr/"/>
    <updated>2013-10-09T19:44:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/10/09/it-was-dpr</id>
    <content type="html"><![CDATA[<h2>Give it to me straight, dr the grugq</h2>

<p>Generally, it appears that Ross Ulbricht was applying his economic and
techno-libertarian philosophy to real life. As his project grew, his security
posture improved &#8211; too late. The most serious mistakes that Ross Ulbricht made
were made during the period Jan 2011 - Oct 2011. A full timeline of the events
in the Complaint is available on <a href="http://grugq.tumblr.com/post/62914009002/silk-road-investigation-timeline">my tumblr</a>.</p>

<p><strong>NOTE:</strong> This is an abridged version of a longer post pulling out the lessons learned
from the <a href="http://grugq.tumblr.com/post/62909883417/ulricht-indictment-aka-dread-pirate-roberts-aka-silk">Silk Road Complaint</a> of 27th September 2013. This post will only list the OPSEC errors,
rather than explore them in detail.</p>

<h2>The OPSEC Failures</h2>

<p>The fundamental error is poor compartmentation. Ross Ulbricht, the real person
and the online persona (Google+, LinkedIn, etc), and the Dread Pirate Roberts
persona share ideological views and geographic locations. There is contamination
between the two personas. Most of these seem to be due to the organic evolution
of the Silk Road venture, where early naive Ulbricht makes mistakes that later
smarter DPR wouldn&#8217;t. Unfortunately, the later DPR is more ideologically
extreme and consequently less savvy about mainstream society.</p>

<ol>
<li>Poor Compartmentation</li>
<li>Profiling</li>
<li>Geographic Location</li>
<li>Isolation</li>
</ol>


<h3>Poor Compartmentation</h3>

<ul>
<li><strong>Contamination</strong>: seriously fatal links created between personas

<ul>
<li><strong>Silk Road</strong> + <strong>altoid</strong>: Shroomery, BitcoinTalk forums</li>
<li><strong>altoid</strong> + <strong>rossulbricht@gmail.com</strong>: BitcoinTalk</li>
<li><strong>Ross Ulbricht</strong> + <strong>frosty@frosty[.com]</strong>: StackOverflow</li>
<li><strong>frosty@frosty</strong> + <strong>Silk Road</strong>: Silk Road server admin SSH key</li>
</ul>
</li>
</ul>


<p>The compartmentation failures are somewhat pervasive, in particular the ideological
&#8220;Austrian School of Economics&#8221; and the mises.org site. However two particular
contamination errors stand out:</p>

<ol>
<li><strong>Silk Road</strong> &#8211;> <strong>altoid</strong> &#8211;> <strong>rossulbricht@gmail.com</strong> link in 2011</li>
<li><strong>Ross Ulbricht</strong> &#8211;> <strong>frosty@frosty.com</strong> &#8211;> <strong>Silk Road</strong> server link in 2013</li>
</ol>


<p>The first of these failures happened because the <strong>altoid</strong> persona used to
promoted <strong>Silk Road</strong> was poorly fleshed out (e.g. no email address). Ross did not
put the plumbing in place to backstop his <strong>altoid</strong> cover. He then joined the
BitcoinTalk community using this contaminated cover. His participation and search
for social validation left him with his guard down. Consequently, he revealed a
great deal of profiling information about his project and beliefs. Many of his
posts are about Silk Road infrastructure or his mises.org influenced economic
theories. After participating for 10 months he finally made the
<strong>fatal OPSEC error</strong> of posting his personal email address.</p>

<p>The second error was poor compartmentation of his online Ross Ulbricht persona,
the tech savvy San Francisco based startup guy, and &#8220;frosty&#8221; the system admin
of the server hosting the Silk Road site. His poor compartmentation, likely
using the same computer for both personal and business use, and his
limited backstopping of the DPR/altoid/frosty persona meant that any error would be
fatal.</p>

<p>These two errors combine to link Silk Road with Ross Ulbricht, and Ross Ulbricht
with Silk Road.</p>

<h3>&#8220;I&#8217;ll take Profiles for $300, Alex&#8221; : &#8220;Too much in common&#8221; : &#8220;What do Ulbricht and DPR share?&#8221;</h3>

<ul>
<li><strong>Profiling</strong>: Ross Ulbricht talks and acts like Dread Pirate Roberts

<ul>
<li>LinkedIn profile</li>
<li>Timezone leakage: private messages, <a href="http://media.encrypted.cc/files/dpr_posts_pdt.png">forum posting times</a></li>
<li>BitcoinTalk <strong>altoid</strong> <a href="http://grugq.tumblr.com/post/62919678278/osint-case-study-ross-ulbricht-aka-dread-pirate">posts about</a>: economics (mises.org), security, programming</li>
<li>Silk Road Forum <strong>Dread Pirate Roberts</strong> -> Mises + &#8220;Austrian School of Economics&#8221;</li>
<li>Mises.org <strong>Ross Ulbricht</strong> account</li>
</ul>
</li>
</ul>


<p>Ross Ulbricht, the person, was an active participant in the mises.org website
and the BitcoinTalk forums. In both cases he was deeply committed to the
&#8220;Austrian School of Economics&#8221;, something the Dread Pirate Roberts was also a
huge fan of. The <strong>altoid</strong> cover alias, linked directly to Ross Ulbricht,
frequently talked about bitcoin security and PHP programming. He is, based on
his posts, clearly invovled in running some sort of PHP based bitcoin using
venture that requires high security. Sort of like the <strong>Silk Road</strong> site.</p>

<ul>
<li>Geographic Location

<ul>
<li>Silk Road web server administered over VPN from a server</li>
<li>VPN server IP stored in the Silk Road PHP source code</li>
<li>VPN server accessed from a location <code>15240 cm</code> (<code>500 ft</code>) from a location that accessed the Ross Ulbricht GMail account.</li>
</ul>
</li>
</ul>


<p>The location of the Dread Pirate Roberts was something of an open secret. It is
clear that he was based in the west coast of the US. Ulbricht was located
in San Francisco at the same time as DPR, as proved by his large online
footprint: Google+, YouTube, GMail.</p>

<h2>Isolation is bad, mmmkay</h2>

<ul>
<li>Isolation without relief

<ul>
<li>Rented room under assumed name</li>
<li>No &#8220;mainstream&#8221; social circle to realign with social mores</li>
<li>No peers to talk to, only Silk Road forum members and admins</li>
</ul>
</li>
</ul>


<p>After the <strong>altoid</strong> persona is retired from BitcoinTalk, Ulbricht migrates
his social interaction to a more extreme community: the Silk Road forums. This
appears to have been his &#8220;scene&#8221;, where he interacted with people and
cultivated friends (including an impressive array of undercover law
enforcement officials).</p>

<p>The underground life forced on Ulbricht as the Dread Pirate Roberts led to
the major problem of isolation. Human beings are social animals. We require
social interaction to maintain a healthy mental state. The strict
security of DPR required isolation, leaving Ross Ulbricht living his social
life on forums with niche ideological views, initially BitcointTalk (in 2011)
and then the Silk Road forums. Isolation from mainstream society is known to
lead to ideological extremism as members of the niche community self-reinforce
their ideological tendencies. Consequently, they are less able to understand
mainstream society&#8217;s ideas, beliefs and morals. This is dangerous. This
isolation leads him to rationalize hiring online hitmen to preserve the
Silk Road community is morally acceptable.</p>

<p>Apparently the only source of social validation and ego gratification that Ross
had was a group of bitcoin libertarians, drug seekers, drug dealers and undercover
cops. This is not a healthy social environment conducive to a balanced state of
mental health.</p>

<h2>What have we learned?</h2>

<p>So, the Dread Pirate Roberts Complaint basically tells us nothing that we didn&#8217;t
already <a href="http://www.slideshare.net/grugq/opsec-for-hackers">know about OPSEC</a>.
There are some lessons learned which can be used to harden OPSEC practices going
forward. The main things are still: strong compartmentation; use Tor
all the time; avoid leaking profiling information, and it is prudent to
regularly migrate to new cover personas.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Drug Delivery Service OPSEC]]></title>
    <link href="http://grugq.github.com/blog/2013/10/07/drug-delivery-service-opsec/"/>
    <updated>2013-10-07T06:41:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/10/07/drug-delivery-service-opsec</id>
    <content type="html"><![CDATA[<p>Some interesting lessons on how a modern New York City drug delivery service
uses basic tradecraft to create a reasonable security posture.</p>

<h2>The Source</h2>

<p>This <a href="http://www.vice.com/read/confessions-of-a-drug-dealers-delivery-service-guy">Vice article</a>
provides the source of the information for this blog post. Using some
basic background knowledge on how covert groups operate, it is simple to parse
and analyze the drug delivery service tradecraft.</p>

<h2>Recruitment</h2>

<blockquote><p>a friend of mine solicited hardcore drugs for a Manhattan drug kingpin, who was looking for a new pot delivery guy. My friend encouraged me to try out for the job.</p></blockquote>

<p>As with many covert groups, the recruitment process relied on personal connections.
This <strong>social network</strong> grounded approach to expanding a covert organisation
is generally good for initial security. The recruits are unlikely to be agents
sent to infiltrate the organistation as the long standing social ties between
members and recruits both establishes trust and serves as <strong>vetting</strong>.</p>

<p>Developing a covert organisation based on <strong>social network</strong> ties provides a
means of rapid expansion and easy security clearance. The downside is that once
a single member of the organisation is compromised, the adversarial security forces
can easily roll up the whole network. The poor compartmentation of a <strong>social network</strong>
based covert organisation is its Achilles heel. The security of the organisation
is critically dependent on the security of each individual member.</p>

<p><strong>ProTip:</strong> Expand your covert network with individuals who are passionate about
your ideological beliefs. Ensure strong compartmentation, starting with recruitment.</p>

<h2>Leverage</h2>

<blockquote><p>He asked me to provide documentation of my current address and phone number as an insurance policy. If I ran out on him, he warned me he’d hold my friends responsible for the deficit funds and/or drugs.</p></blockquote>

<p>The principal of the organisation &#8220;Nathan&#8221; requires that the recruit provide
a verifiable address and means of contact, along with dire warnings of consequences
in the case of infractions. This is very basic control principles, typical of
covert organisations.</p>

<p>The major security problem with this approach, of course, is that the records
maintained by the network&#8217;s principal are a high value target for the adversary.
Compromise of the principal&#8217;s records will lead to total collapse of the network,
and interdiction for every member involved. There is no chance of evasion.</p>

<p><strong>ProTip:</strong> No logs, no crime. Do not keep records of the members of your covert
organisation. These records are extremely sensitive.</p>

<h2>Operational Actions</h2>

<blockquote><p> the transaction and exit should be as swift as possible. “You aren&#8217;t here to hang out,” she said. “It&#8217;s not a social call, and they aren&#8217;t your friends. You want to walk in and be friendly and make conversation but also get to the business at hand and get out of there quickly.”</p></blockquote>

<p>The illicit operation, the drug sale, is intended to be rapid and minimize
the period of vulnerability for both parties. Interestingly, this is possibly a
poor choice if the threat is surveillance. There are few reasons a random individual
would enter a domicile for a short duration. Also of note, the covert organisation
provides no reasonable cover story for why the agent (the drug courier) is entering
the residence of the client. A simple &#8220;what were you doing?&#8221; type question would
likely completely blow the whole operation.</p>

<p><strong>ProTip:</strong> Minimising the period of vulnerability improves the chances of operational
success. Always make sure your agents are capable of delivering plausible cover
stories. <strong>Cover for action</strong></p>

<h2>Cover for Status</h2>

<blockquote><p>Nathan forced me to wear a button-up shirt and slacks, shave my face, and keep my hair conservatively short. He believed this uniform would attract little attention as I walked around with thousands of dollars worth of pot in a laptop case slung over my shoulder.</p></blockquote>

<p>The covert organisation has, surprisingly enough, chosen to enforce a uniform
that makes their agents blend in with the mainstream. This is completely inline
with the typical operational disguises employed by covert organistations operating
in controlled territory the world over. (See: Moscow Rules <code>go with the flow</code>;
Murphy&#8217;s Laws of War: <code>don't stand out, it draws fire</code>)</p>

<p><strong>ProTip:</strong> They got this one exactly right.</p>

<h2>All phones are bugged</h2>

<blockquote><p>Although I used my flip-phone constantly at work, I was never given clients&#8217; addresses over the phone. Clients calls would go to a dispatcher—a third party who took the call, traced the number through a database of numbers, and then returned the call from a different phone to confirm their request for drugs. After their request was confirmed, I received a call from another phone. The dispatcher only told me, “You got Nick,” or “You got Lucy.” I was banned from responding with anything besides a murmured “OK.”</p></blockquote>

<p>Each operational use of the phone provides the adversary with minimal value.
There is a unique identifier for the client (e.g. &#8220;Lucy&#8221;), and the agent
acknowledges receipt of the directive (&#8220;OK&#8221;). The dispatchers interaction
with the client is itself run over multiple phone lines and kept to short,
simple, normal statements.</p>

<p><strong>ProTip:</strong> This is very much inline with all covert organisations&#8217;
guidelines for using phones. Never use keywords, keep the content as vague as possible,
minimize the period of vulnerability &#8211; get off the phone!</p>

<h2>OPSEC FAIL: attracting attention</h2>

<blockquote><p>Each day I was given a stipend of $40 for cabs. No one knew if I didn’t spend the $40. Instead of taking cabs, I ran around in a frantic state that negated every other measure I took to not draw unwanted attention</p></blockquote>

<p>This is an instance of <strong>preference divergence</strong>, a common problem for covert
organisations. The financial resources provided to the agent of the principal
are siphoned off and directed towards non-operational uses (the drug courier
skims and pockets his cab stipend.) There doesn&#8217;t appear to be any consequence
to this operational security failure, however it jeopardizes the entire organisation.
If &#8220;Nathan&#8221; were a more disciplined principal he would monitor his agents more
closely and ensure they are conforming to the organisational security requirements.
Strangely, drug dealers are not strict disciplinarians.</p>

<p><strong>ProTip:</strong> if the securit of the entire organisation is dependent on the security
of each individual agent &#8211; enforce the operational security requirements strictly!</p>

<h2>Aliases</h2>

<blockquote><p> I shook his hand and said, “I&#8217;m Jack.” He gave me a knowing grin. “So that&#8217;s the name you&#8217;re using?” he asked.</p></blockquote>

<p>The agent is using an alias to provide pseudonymity from malicious clients. This
provides some minimal level of security. It is definitely better than not having
any cover at all. However, as noted above, it should be combined with a robust
cover story for why the agent is visiting a residential home for a brief period.</p>

<h2>Discharging the agent</h2>

<p>After a promotion, the drug courier decides to find a new line of work. If the
organisation was stricter in their OPSEC practices, the departure of an agent
wouldn&#8217;t place anyone else in jeopardy. As it stands, it seems clear that the
agent who is now drawing attention to himself by writing about his experience
in a national magazine(!) still retains sufficiently sensitive information to
unravel the network.</p>

<p><strong>ProTip:</strong> compartment early, compartment often. It is safer than any alternative.</p>

<h2>TL;DR</h2>

<p>Compartment your covert organisation from recruitment through to operational
action so that when your agents leave or are compromised they are unable
to compromise the organisation. Ensure that your operational activities have
good <strong>cover for status</strong> (e.g. a disguise) and <strong>cover for action</strong> (e.g. a strong cover story).
Strong compartmentation, strong cover, and be aware of the risks of using social networks
for building a covert organisation.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Thru a PORTAL Darkly]]></title>
    <link href="http://grugq.github.com/blog/2013/10/05/thru-a-portal-darkly/"/>
    <updated>2013-10-05T15:08:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/10/05/thru-a-portal-darkly</id>
    <content type="html"><![CDATA[<h2>The Design and Implementation of P.O.R.T.A.L</h2>

<p>The <strong>P</strong>ersonal <strong>O</strong>nion <strong>R</strong>outer <strong>T</strong>o <strong>A</strong>ssure <strong>L</strong>iberty is designed
to protect the user by isolating their computer behind a router that forces all
traffic over the Tor network.</p>

<h2>PORTAL Gooooooooooooooaaaaaaaaaaals!!!!!!</h2>

<p>The goal of the PORTAL project is to create a compartmented network segment
that can <strong>only</strong> send data to the Tor network. To accomplish this the PORTAL
device itself is physically isolated and locked down to prevent malicious
tampering originating from the protected network. So if the user&#8217;s computer is
compromised by malware, the malware is unable to modify the Tor software or
configuration, nor can it directly access the Internet (completely
preventing IP address leakage). Additionally, the PORTAL is configured to fail
close &#8211; if the connection to Tor drops, the user loses their Internet access.
Finally, the PORTAL is &#8220;idiot proof&#8221;, simply turn it on and it works.</p>

<h2>The Implementation, the Pain, the Horror</h2>

<p>The initial requirement was to develop PORTAL for a small personal sized router,
such as the TP-Link 703N, 3040, or M1U. All of these devices are small, portable
and support the OpenWRT open source router firmware. Unfortunately, it turns out
that &#8220;small&#8221; and &#8220;portable&#8221; is synonymous with &#8220;weak&#8221; and &#8220;underpowered&#8221;.</p>

<p>Unfortunately, Tor is quite resource intensive for an embedded device. Tor uses 16MB of RAM
and for complete functionality (requiring the GeoIP database) it occupies slightly
over 1.2MB of <code>squashfs</code> space. The stock TP-LINK routers have only 4MB of flash
and 16MB of RAM (later models have increased RAM). This caused a lot of problems
when building early versions. A bare bones OpenWRT system stripped down to just
support an Internet uplink USB device occupies 3.2MB of <code>squashfs</code> space. Using
the power of math we see: <code>3.2 + 1.2 &gt; 4.0</code>. Fuck.</p>

<h3>Enter The Dragon, or Chinese Hackers to the Rescue</h3>

<p>Fortunately, the TP-LINK routers are not just small, they are also extremely hackable. They are very popular
with hackers who have modified the hardware and expanded the capabilities of the
stock device. I got in contact with a Chinese hacker who has upgraded the
TP-LINK 703N to 16MB of flash and 64MB of RAM. Sweet. Using these modified routers
development of the PORTAL became much much easier.</p>

<h2>PORTAL System Architecture</h2>

<p>The PORTAL requires a minimum of two network interfaces: one for the Internet
uplink, and one for the isolated network segment. In order to protect the PORTAL from
tampering from malware (or malicious users), it also requires a third administration
interface. This can be either a serial console, or physical connection. The reason
not to use WiFi for the administration network is that that would expose the
administration interface to anyone within WiFi range, including potentially the
user&#8217;s compromised laptop&#8217;s WiFi card.</p>

<h3>Three Interfaces to Rule Them All</h3>

<p>The requirement to protect the PORTAL from a malicious user caused some problems
since the device hardware has very limited interfaces. The TP-LINK 703N has only:</p>

<pre><code>* 1 x USB 2.0
* 1 x 100MB ethernet
* 1 x onboard wifi
</code></pre>

<p>All available interfaces are required to get us to the three networks we need:</p>

<pre><code>* Tor: isolated proxy interface
    * Tor SOCKS proxy
    * Tor Transparent TCP proxy
    * Tor Transparent DNS proxy
    * DHCP (optional)
* Admin: configuration management interface
    * ssh
    * https (optional)
    * DHCP (optional)
* Internet: uplink connection interface
    * No services
</code></pre>

<h2>Operational PORTAL</h2>

<p>After the user has configured the <code>Internet</code>, and whatever other adjustments they
wish to make, they shouldn&#8217;t need to connect to the <code>Admin</code> interface again. This
leaves us with a very hard target for any attacker who wishes to unmask us
(modulo any issues with Tor itself).</p>

<p>The PORTAL has been hardened to make it significantly more difficult for the user
to make a mistake, or for an attacker to subvert the Tor protections. From the
<code>Tor</code> network the only exposed ports are Tor&#8217;s DNS proxy, TCP proxy, and SOCKS.
Optionally, you can use DHCP on this network.</p>

<p>If, somehow, the firewall doesn&#8217;t work properly, you&#8217;re still safe because the
PORTAL doesn&#8217;t actually route packets. The <em>only</em> way you can reach the Internet
(regardless of which interface you&#8217;re connected to) is via Tor. This stops stupid
mistakes, such as connecting to the <code>Admin</code> interface and forgetting to swap to
the <code>Tor</code> network. Don&#8217;t worry, you can&#8217;t do that, it won&#8217;t work, you&#8217;re welcome.</p>

<p>Final hardening is left up to the user who will have to assign the <code>Admin</code> and
<code>Tor</code> networks to physical interfaces. There are security trade offs either way.</p>

<ul>
<li><p>Medium Security:</p>

<ul>
<li><code>Tor</code> = WiFi</li>
<li><code>Admin</code> = Ethernet</li>
<li>pros: ease of use</li>
<li>cons: pre-Tor plaintext will be broadcast over the AEther (see: Hammond)</li>
</ul>
</li>
<li><p>Maximum Security:</p>

<ul>
<li><code>Tor</code> = Ethernet</li>
<li><code>Admin</code> = WiFi</li>
<li>pros: ultra secure</li>
<li>cons: if an attacker cracks your WPA2 PSK, they&#8217;ll have access to your
    management sshd. Of course, they&#8217;ll be so physically close to you
    at that point, leaking your IP is the least of your worries.</li>
<li><strong>NOTE:</strong> remove the WiFi card from your computer to block access via
      malware compromise</li>
</ul>
</li>
</ul>


<h2>Just Do It</h2>

<p>The PORTAL project has been migrated to the RaspberryPi, which has more power
to support Tor. It requires more configuration, which is something I&#8217;ll work on,
however the ease of acquisition of the RPi makes this the current platform of
choice. So go install <a href="http://github.com/grugq/PORTALofPi">PORTAL of Pi</a> and
compartment all of your sensitive operational activities inside an isolated Tor network.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[you can't get there from here]]></title>
    <link href="http://grugq.github.com/blog/2013/06/14/you-cant-get-there-from-here/"/>
    <updated>2013-06-14T10:06:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/06/14/you-cant-get-there-from-here</id>
    <content type="html"><![CDATA[<p>There have been some responses to my <a href="http://grugq.github.io/blog/2013/06/10/good-luck-with-that/">post</a> about the limitations of public
countersurveillance tools. Most of them have focused on my statements about
the limitations of the Tor network. I started to write a comment addressing one of the more coherent
<a href="http://www.reddit.com/r/onions/comments/1g437b/the_surveillance_capability_of_the/cagw3vb">replies</a>
but then decided to simply post it here instead.</p>

<h2>Rebuttal</h2>

<p>The responses all wandered slightly off topic from what my post was about. The point was that simply installing and running off the shelf counter-surveillance software is not sufficient against a nation state level adversary. Saying &#8220;Install Tor&#8221; or &#8220;Install I2P&#8221; is not the correct way to develop a counterintelligence program. It is not even the correct place to start. While those tools may be components of a CI program, but they are not sufficient in and of themselves.</p>

<p>To expand on what I was getting at in the post, the core issue is that when Tor and I2P and other countersurveillance solutions are developed, they are developed with certain assumptions about the capabilities of the adversary. For example, Tor does not work against an adversary who has total information awareness about the traffic on the Internet. The assumption for Tor is &#8220;adversary can monitor a subset of all IP traffic&#8221;, where subset usually equals &#8220;a single country&#8221;. Because we, the public, do not know the real capabilities of the adversary, those assumptions might be (and in some cases, likely are) completely incorrect. In this example, it is widely suspected that the US has the capability to monitor a significant portion of global IP traffic, not just limited to a single country. At a minimum we can assume that they will be able to get traffic logs for 5 eyes members, and most likely for all of NATO.</p>

<p>My article makes the claim that these off the shelf countersurveillance networks are insufficiently secure against nation state level adversaries. I also claim that we don&#8217;t know the capabilities of those adversaries, and therefore cannot know what technology would evade their surveillance capabilities. I stand by both claims.</p>

<p>My point regarding the cost of doubling the count of Tor exit nodes is simply that the financial cost of compromising the Tor network is not even a rounding error in a nation state budget. It is the equivalent of a portion  of the change found in the couch. Further more, Tor is not new. It isn&#8217;t as if nation state level adversaries just woke up last week, &#8220;holy shit, this Tor thing! we better get on that!&#8221;. It is conceivable that a nation state has been setting up cover organisations, using agents, and compromising existing hosts for years with the sole goal of subverting the security of the Tor system. We have no way of knowing this because we have limited/no knowledge of their capabilities. Which was exactly my point.</p>

<h2>Evil Exit Nodes Unmasked me, and all I got was this lousy jail term</h2>

<p>To address the specific objections about &#8220;all smart Tor users know to encrypt traffic to combat malicious exit nodes&#8221;: yes malicious snooping nodes can be evaded provided you are using encryption to another termination point. This is why I&#8217;ve recommended using a VPN over Tor to mitigate against the monitoring that <em>is</em> done by evil exit nodes. However, an additional problem with a malicious exit node is simple traffic analysis, where the content of the data is irrelevant, but unmasking the end user is still possible. There are cases where unmasking an end user is sufficient, if they are going to &#8220;www.how-do-I-wage-jihad-in-the-usa.com.ir&#8221;, for example. If we take the case of a nation state level adversary who can monitor all IP traffic within their country, and we combine that with the same adversary operating (or monitoring) a significant percentage of exit nodes, then that adversary can trivially unmask Tor users. The cost of this operation would be well within the budget of any respectable intelligence agency.</p>

<h2>Backlash caused severe pain in my lower nonspecific</h2>

<p>Regarding risk of backlash if it is known that a nation state has compromised all (or many) ISPs: Firstly, we can all agree that the compromise of an ISP is well within the scope of an intelligence agency. If you have been around the underground long enough, you know how many different people and groups have compromised Tier 1 ISPs. But regarding the &#8220;backlash&#8221;, a nation state adversary will classify everything that could leak their tools, techniques and procedures. The means by which they collect information is usually as classified, or even more classified, than the information they collect. It is not likely that they would ever willingly allow this information to become known. Frequently intelligence agencies will classify information simply because revealing that they know it would reveal their collection capability, and thus compromise their ability to exploit that capability in the future.</p>

<p>Which is what brings me back to the point I was getting at in the post. If you are engaged in activities which will put you up against a nation state level adversary, you have no knowledge of what their capabilities are. Fortunately for just about everyone (reading this), you do not have a nation state level adversary. A law enforcement agency, such as the FBI, will have access to some nation state level capabilities in certain circumstances. For example, if it was known that a trained al Quaida cell was operating in the continental US and using Tor for their communications platform, the NSA would very likely use whatever Tor unmasking capability they have to assist the FBI. They would do this in a blackbox fashion: get a request -> send a response. They would not reveal <em>how</em> they performed the unmasking because the FBI would not have people who are cleared for that information. (This is compartmentation in action.)</p>

<p>As a thought experiment, imagine that Osama bin Laden was still alive and that he used the Tor network to do a Reddit AMA once a month. How long do you imagine it would take for the US to find and neutralize him? I posted <a href="https://twitter.com/thegrugq/status/344492461432926208">this question</a> on Twitter and, while responses varied, ex-NSA Global Network Exploitation Analyst Charlie Miller guessed <a href="https://twitter.com/0xcharlie/status/344498844161155072">one to two months</a>. I would be very surprised if it took more than three. This is because OBL <em>had</em> a <strong>nation state level adversary</strong>. You (probably) do not.</p>

<h2>Good news everyone, nobody gives a fuck</h2>

<p>There is good news, of course. Nation state level adversaries are concerned about nation state actors (and some non-nation state actors). They really don&#8217;t have the resources to spend monitoring law enforcement issues. Unless you are a policy maker, a ranking military official, an intelligence officer/agent, a member of a known terrorist organisation, or have somehow otherwise ended up on a targeting list, the Intelligence Community (IC) really doesn&#8217;t give a fuck about you. The product they produce for their clients - security cleared government officials - is documentation and analysis that helps these officials make informed policy decisions (or at least, that is the intention).</p>

<h2>You Should OPSEC anyway</h2>

<p>Now, as I advocate elsewhere, it is best to start your counterintelligence program early, because after you are targeted it is (usually) too late.</p>

<p>My central recommendation on how to operate safely, whether you are a hacker, a spy, a whistleblower, or whatever, is to implement compartmentation first. Classify the data which is sensitive (e.g. your real identity and anything linked to your real identity) and segregate it from everything related to your illicit activity. Preferably, by physically separating onto different machines. When conducting the illicit activity, use your illicit activity equipment, and do it over an internet link that cannot be linked to you. By all means, use Tor, or I2P, or a VPN, or whatever. But that technology must not be your primary and only line of defence.</p>

<p>This is how you do good CI. Develop a SOP that will protect your sensitive data even when things fail.
That said, most of what will sink people is poor OPSEC, not poor SIGSEC. The more people that know about your illicit activity the higher the chance that Murphy will raise his head and it&#8217;ll all end in tears.</p>

<h2>Counterintelligence Cliff Notes</h2>

<p>So, to reiterate, choosing a technology first and then relying on it for security is completely ass backwards. To do things properly, operate in this order. Figure out what you are trying to protect (and from whom), separate it from everything else, and then select tools, techniques and procedures that will enable you to protect it.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[ignorance is strength]]></title>
    <link href="http://grugq.github.com/blog/2013/06/13/ignorance-is-strength/"/>
    <updated>2013-06-13T01:02:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/06/13/ignorance-is-strength</id>
    <content type="html"><![CDATA[<blockquote><p>Seven, this rule is so underrated<br/>Keep your family and business completely separated</p><footer><strong>Biggie Smalls</strong> <cite>Counterintelligence Theory and Practice for Crack Dealers</cite></footer></blockquote>


<h2>Guerrillas, Terrorists, Narcos, Spooks, and You</h2>

<p>Guerrillas, terrorists, narcos and spooks the world over have learned the hard
way how to keep their illicit activity safe from their opponents. The same principles
of counterintelligence (CI) that help protect them from death can
be applied to protect you from your adversary. If you engage in behavior
that carries the risk of negative consequences from an adversary, you will need
to develop and implement a robust CI program. This post will explain the foundations of
strong OPSEC, a critical part of just such a program.</p>

<h2>Establish Cells, or Live in One</h2>

<p>The cornerstone of any solid counterintelligence program is <strong>compartmentation</strong>.
Compartmentation is the separation of information, including people and activities,
into discreet cells. These cells must have no interaction, access, or knowledge
of each other. Enforcing ignorance between different cells prevents any one
compartment from containing too much sensitive information. If any single cell
is compromised, such as by an informant, the limitats of the damage will be at
the boundaries of the cell.</p>

<p>Now, compartmenting an entire organisation is a difficult feat, and can
seriously impede the ability of the organisation to learn and adapt to changing circumstance.
However, these are are not concerns that we need to address for an individual
who is compartmenting their personal life from their illicit activity.</p>

<p>Spooks, such as CIA case officiers, or KGB illegals, compartment their illicit
activity (spying) from their &#8220;regular&#8221; lives. The first part of this is, of course,
keeping their mouths shut about their illicit activities! There are many other
important parts of tradecraft which are beyond the scope of this post. But remember,
when you are compartmenting your life, the <strong>first rule</strong> is to never discuss your
illicit activities with anyone outside of that <strong>compartment</strong>.</p>

<h2>Compartmentation For Dummies</h2>

<p>This will cover a basic set of guidelines for compartmenting a particular online
activity. In our hypothetical scenario there are two people, Alice and Bob (natch),
who want to exchange information with each other. They are deathly afraid that
the adversary will learn (in ascending order of risk to Alice):</p>

<ul>
<li>Two people have been in contact (low risk)</li>
<li>Bob has been in contact with someone (medium risk)</li>
<li>Alice has been in contact with someone (high risk)</li>
<li>Alice has been in contact with Bob (extreme risk)</li>
</ul>


<p>While this guideline is a starting point for someone who seeks to conduct illicit
activity under hostile internet surveillance it is not concrete set of rules.
When developing a CI program you must evaluate the threats and risks to yourself
and create a custom set of tools and procedures that address your needs. The
specific SOP that you develop for will differ from the outline below, but if it
is to be resilient against the adversary it must be based on some form of compartmentation.</p>

<h2>Step 1: Cleanliness is Next to Not-Being-in-Jailiness.</h2>

<p>Alice must purchase new dedicated equipment used exclusively for communicating
with Bob. This means, buy a new laptop. Don&#8217;t bother with a new virtual machine,
that isn&#8217;t sufficiently compartmented. Any existing equipment that Alice owns
might already be compromised and is therefore not safe against potential monitoring.</p>

<p>The software installed should be the bare minimum of generic utilities required
to do the communications. Here is an example setup:</p>

<ul>
<li>Laptop (cover the webcam with tape, disable the mic if possible)</li>
<li>Virtualization Software (VBox, VMware, Parallels, etc)</li>
<li>Ubuntu installed in the VM (disable all the logging + reporting)</li>
<li>Recommended Software:

<ul>
<li>Tor Browser bundle</li>
<li>PGP (generate and store new keys on a USB drive)</li>
<li>OTR enabled chat client</li>
</ul>
</li>
<li>Snapshot the VM</li>
</ul>


<p>This is the base platform that Alice will use when contacting Bob. Obviously,
Bob should go through the same process (if he faces similar risks, or is concerned
about Alice&#8217;s wellbeing).</p>

<p>The usernames and hostnames used should be generic, not associated with Alice&#8217;s
real name, location, place of work, etc. If the VM is compromised, there will be
no identifying information, or keys that can be used to decrypt previous comms.
If the VM is escaped and the adversary has access to the host, again, there will
be no identifying information. The host machine has only the virtualization software
on it. Use full disk encryption on the host machine, probably on the VM, use
different passwords between the two, and keep the machine fully powered off when
not in immediate active use.</p>

<h2>Step 2: Take a Trip</h2>

<blockquote><p>Number 5: never sell no crack where you rest at <br/>I don&#8217;t care if they want a ounce, tell &#8216;em &#8220;bounce!&#8221;</p><footer><strong>Biggie Smalls</strong> <cite>Counterintelligence Theory and Practice for Crack Dealers</cite></footer></blockquote>


<p>Alice must ensure that every single time she contacts Bob, or checks for contact
from Bob, she is in a location which is not linked to her. Additionally, she must
use an internet connection which is not linked to her, for example a public WiFi
or a prepaid 3G card.</p>

<p>When Alice goes to contact Bob, she must ensure that she does not carry any device
which will transmit her physical location. For example, her mobile phone(s). Leave
it at home.</p>

<h2>Step 3: UnlinkedIn</h2>

<p>After Alice has used her dedicated machine to communicate with Bob, she should
revert the VM snapshot to the pristine state from right after she installed. This
should limit the ability of the adversary to persist after a compromise (provided
they didn&#8217;t escape the VM).</p>

<p>The <em>converse-with-Bob</em> machine must be used with new accounts created specifically
for, and exclusively to, converse with Bob. These accounts must be created from
the new machine, and never be used for anything else except Bob related activity.
Alice must create new accounts that don&#8217;t have any links to her real identity.
For email, one option is a <a href="http://www.tormail.net">TorMail</a> account. For instant
messaging there is either Cryptocat over Tor, or create a new Jabber
account such as with <a href="http://jabber.ccc.de">jabber.ccc.de</a>.</p>

<h2>Concluding Thoughts</h2>

<p>The core concept to take away here is: separate identity, with equipment and
accounts, used only for one activity. The essense of compartmentation is separation
without contamination. My strong recommendation is to use: a virgin machine, with
virgin accounts, to contact the target. This machine is used exclusively for this one
activity: it is <strong>compartmented</strong>. Associating the activity of that online entity,
even with full and complete global internet monitoring (and 0day attacks) with a
specific individual should be difficult. [<strong>NOTE:</strong> don&#8217;t count on this if you
happen to be the new <em>al Quaida</em> #3].</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[good luck with that]]></title>
    <link href="http://grugq.github.com/blog/2013/06/10/good-luck-with-that/"/>
    <updated>2013-06-10T12:30:00+07:00</updated>
    <id>http://grugq.github.com/blog/2013/06/10/good-luck-with-that</id>
    <content type="html"><![CDATA[<h2>Story time</h2>

<p>Back in the day we used to have AOL for internet access. If you&#8217;ve never suffered AOL, then you probably don&#8217;t know that it would disconnect you if the service didn&#8217;t detect any traffic for some period of time. It popped up an alert that said something like &#8220;no activity detected for 30 minutes. If there is no activity in the next 10 minutes, you will be disconnected&#8221;. When this dialog popped up my father would try to stay connected by moving the mouse around a bit. Obviously, this was completely ineffective.</p>

<p>The problem was his understanding of the problem was completely wrong. His mental model of how the whole system worked was so flawed, he was unable to identify the steps he had to take to actually solve his problem.</p>

<h2>I lolled</h2>

<p>When I read articles and blog posts on &#8220;how to avoid surveillance&#8221;, or &#8220;how to stay anonymous online&#8221;, I am reminded of my father waving his mouse around to appease the dialog box, never understanding how completely wrong he was.</p>

<p>The publicly available tools for making yourself anonymous and free from surveillance are woefully ineffective when faced with a nationstate adversary. We don&#8217;t even know how flawed our mental model is, let alone what our counter-surveillance actions actually achieve. As an example, the Tor network has only 3000 nodes, of which 1000 are exit nodes. Over a 24hr time period a connection will use approximately 10% of those exit nodes (under the default settings). If I were a gambling man, I&#8217;d wager money that there are at least 100 malicious Tor exit nodes doing passive monitoring. A nation state could double the number of Tor exit nodes for less than the cost of a smart bomb. A nation state can compromise enough ISPs to have monitoring capability over the majority of Tor entrance and exit nodes.</p>

<p>Other solutions are just as fragile, if not more so.</p>

<p>Basically, all I am trying to say is that the surveillance capability of the adversary (if you pick a nationstate for an adversary) exceeds the evasion capability of the existing public tools. And we don&#8217;t even know what we should be doing to evade their surveillance.</p>

<h2>Concluding remarks</h2>

<p>Practicing effective counterintelligence on the internet is an extremely difficult process and requires planning, evaluating options, capital investment in hardware, and a clear goal in mind. If you just want to &#8220;stay anonymous from the NSA&#8221;, or whomeever&#8230; good luck with that. My advice? Pick different adversaries.</p>
]]></content>
  </entry>
  
</feed>