An Honest Conversation About Evading Spies

“None of the claims of what comsec works is to be taken saltless: Tor, OTR, ZTRP are lures.”

Cryptome, December 30, 2014.

In the aftermath of Ed Snowden’s disclosures the American public has been deluged with talking points that advocate strong encryption as a universal solution for regaining our privacy. Unfortunately the perception of strong encryption as a panacea is flawed. In this report I’ll explain why strong encryption isn’t enough and then present some operational guidelines which can be used to enhance your online privacy. Nothing worthwhile is easy. Especially sidestepping the Internet’s global Eye of Providence.

Anyone who reads through privacy recommendations published by the Intercept or the Freedom of the Press Foundation will encounter the same basic lecture. In a nutshell they advise users to rely on open source encryption software, run it from a CD-bootable copy of the TAILS operating system, and route their internet traffic through the TOR anonymity network.

This canned formula now has a degree of official support from, of all places, the White House. A few days ago during an interview with Re/Code the President assured listeners that “there’s no scenario in which we don’t want really strong encryption.” It’s interesting to note how this is in stark contrast to public admonishments by FBI director James Comey this past October for key escrow encryption, which is anything but strong.

So it would appear that POTUS is now towing a line advocated by none other than whistler-blower Ed Snowden who asserted that “properly implemented strong crypto systems are one of the few things that you can rely on.”

Only there’s a problem with this narrative and its promise of salvation. When your threat profile entails a funded outfit like the NSA cyber security is largely a placebo.

Down To the Metal

For example, a report released by Moscow-based anti-virus vendor Kaspersky Lab proves that, despite the self-congratulatory public relations messaging of Google or Apple, strong encryption might not be the trendy cure-all that it’s cracked up to be. The NSA has poured vast resources into hacking hardware platforms across the board, creating firmware modifications that allow U.S. spies to “capture a machine’s encryption password, store it in ‘an invisible area inside the computer’s hard drive’ and unscramble a machine’s contents.”

On a side note, Kaspersky Lab is one of two companies authorized by Russian security service to provide anti-virus technology to the Russian government. The company’s founder, Eugene Kaspersky, a former Soviet intelligence officer himself, has links to the Russian Federal Security Service, or FSB. So it makes sense that the one company with the audacity and skill to publicly showcase a global espionage program by the NSA would also be a company aligned with a countervailing power center outside of the United States.

Anyway, when it comes to bare-metal skullduggery there are plenty of proof-of-concept examples available in the public domain. But these experiments are nothing compared to the slick production-level malware deployed by NSA spies. When the Pentagon aims for information dominance they don’t screw around. Hence blind trust in encryption software is exposed as a sort of magical thinking. And by all means your author would discourage faith-based decision making in the domain of cyber security.

Some people would argue that the NSA’s hardware hacks aren’t a big deal because they’re used selectively for targeted intrusions. One problem with this stance is that spy gear has a habit of filtering down into the underworld because spies and crooks are kindred spirits who often work together. Another problem is that the NSA is actively working to industrialize attacks so that they can be pulled off on a mass scale against large swathes of users. The recent discovery of pre-installed malware on Lenovo PCs should offer an unsettling hint of where spies and their front companies are taking things.

Face it, an intelligence agency that makes off with the encryption keys from a large multinational company that manufactures billions of SIM cards each year is an agency that’s doing much more than just small-scale targeted hardware attacks. They want to “collect it all.”

OPSEC Is Law

“Iraqi Assault to Retake Mosul from Islamic State Is Planned for Spring”

New York Times headline, February 20, 2015.

Given the sorry state of software engineering and the sheer scope of clandestine subversion programs, if spies want to root your machine they’ll probably find a way. The Internet is akin to a vast swamp in the Deep South. Users wade through a hostile murky environment surrounded by alligators that prowl silently just below the surface.

And don’t think that tools like Tor will protect you. The FBI has demonstrated repeatedly that it can unmask Tor users with exploits. The FBI’s collection of cyber scalps includes a high-ranking cyber security director who probably though that his game was tight. The litany of Tor’s failures have led security researchers to conclude that: “Tor makes you stick out as much as a transgender Mongolian in the desert.”

Hence when going toe-to-toe with spies from the NSA’s Office of Tailored Access Operations or, heaven forbid, their more daunting CIA brethren in the Special Collection Service, operational security (OPSEC) becomes essential. This isn’t cynical “privacy nihilism” but rather clear-headed contingency planning. Once the NSA owns a computer the only things that stands between the user and spies is OPSEC. It takes groundwork, patience and (most of all) discipline. Even the professionals get this wrong. And when they do the results can be disastrous.

For a graphic illustration of this contemplate the case of Ross Ulbricht, the creator of Silk Road. The celebrated Tor anonymity network did very little to stop the Feds from getting a bead on him. To make matters worse you’d think that Ulbricht would know better to work with his back to the room so that the Feds could sneak up on him before he could log off, leaving his encrypted laptop in a decidedly vulnerable state.

It didn’t help that the Silk Road’s servers were configured to auto-login certain client machines and that Ulbricht’s laptop just happened to be connected to the Silk Road servers as a full administrator. Ditto that for Bitcoin wallets on the aforementioned laptop which allowed law enforcement agents to trace over $13 million in Bitcoins to Ulbricht. A trifecta, if you will, of blatant operational failures.

When professionals get operational security right they sometimes look a bit silly. Close circuit TVs are cheap and ubiquitous. Let’s just say that Ed Snowden wasn’t being paranoid when he covered himself with a red blanket (the so-called “magic mantle of power”) while entering his laptop password. For the sake of maintaining cover, simply obscuring your keyboard may be a wiser option in public as it’s less conspicuous. The last thing you want to do in a crowd is draw attention to yourself.

Anti-Forensics in Theory and Practice

“The only protection against communication systems is to avoid their use.”

Cryptome, Communications Privacy Folly, June 13, 2012.

A researcher like the Grugq will inform listeners, when he’s not out scoring zero-day exploits, that anti-forensics is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer then give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.

For instance, in the years following World War II the Soviet nuclear program was targeted heavily by U.S. spies. To counter this effort, the Soviets employed sophisticated, multi-level, denial and deception strategies. According to Mikhail Gladyshev, who was in charge of the plutonium enrichment station at the Mayak complex in the city of Ozersk, compartmentalization of information was pervasive:

“[W]e put the [plutonium] paste in a box and transferred it to the consumer plant. How much plutonium was in that box we didn’t know and it was not recommended for us to know. Even later, when I was the plant’s chief engineer, the plans for plutonium production were known only to the facility’s director, and all documents were prepared in single copies”

Given the reality of mass interception let’s look at mobile phones as a case study. They’re essentially portable Telescreens. Glorified tracking beacons that double as walkie-talkies. In private, when NSA spies feel comfortable enough to speak candidly with each other, iPhone users are referred to as ‘zombies’ who literally pay for their own surveillance. This is not an exaggeration and it speaks yards about how intelligence officers view society. You’ve been warned.

The best option is to follow the example of WikiLeaks activist Sarah Harrison and simply not carry a cellphone. Jihadists in the Middle East have learned this lesson the hard way and use hand couriers for sensitive messages. Other organization like Los Zetas in Mexico have built private radio networks to avoid official communication channels. Lebanon’s Hezbollah went so far as to set up its own covert fiber optic data network in an effort to elude conventional eavesdropping.

Listen to John Young of the web site Cryptome. The only sure-fire way to protect yourself against monitoring on a given communication system is not to use it.

If having a cellphone is an absolute necessity there are shielding cases available. Though removing the battery works just fine in a pinch as does sticking a cellphone in a sealed metal container like a refrigerator. Another thing to remember is that “dumb phones” lacking in bells and whistles tend to accumulate far less information than more elaborate smart phones.

Compromised mobile devices should be smashed and dumped in a remote location. Make sure the SIM card is completely destroyed. Recall how methodically the GCHQ officials disposed of hardware belonging to the Guardian newspaper. This is another area where $10 dumb phones have an advantage. One smart phone equals a small pile of dumb phones. Who said better security is expensive? Well, probably the marketing guys at Black Phone. Really? Rock solid security for only $600? Hey, let me get out my checkbook…

Once a cell phone is out in the open with its battery in place, consider the following recommendations. First, it’s extremely unwise for someone to power on a “secure” cell phone where they normally live and work. This includes recharging the phone! While traveling to a remote site to communicate be aware that automated license plate readers, traffic cameras, facial recognition software and built-in vehicle GPS units are becoming more commonplace.

Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.

Another aim should be to maintain a closed communication network at all costs. Secure cell phones should not be used casually to call friends or relatives. Dial only other cell phones intended specifically for sensitive communication. Also remember that calling a landline may end up exposing the person who answers.

Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag.

If spies somehow captures a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. For instance, when Ed Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.

Final Words

Ultimately there’s no ironclad formula for protecting your identity. No guarantees. Privacy isn’t something I can give you. It’s something you must attain on your own through hard work. In summary, expect security tools to fail, compartmentalize to contain damage, and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.

Bill Blunden is an independent investigator whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, includingThe Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs.

This story was originally published by AlterNet.

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.