FacebookTwitterGoogle+RedditEmail

An Honest Conversation About Evading Spies

“None of the claims of what comsec works is to be taken saltless: Tor, OTR, ZTRP are lures.”

Cryptome, December 30, 2014.

In the aftermath of Ed Snowden’s disclosures the American public has been deluged with talking points that advocate strong encryption as a universal solution for regaining our privacy. Unfortunately the perception of strong encryption as a panacea is flawed. In this report I’ll explain why strong encryption isn’t enough and then present some operational guidelines which can be used to enhance your online privacy. Nothing worthwhile is easy. Especially sidestepping the Internet’s global Eye of Providence.

Anyone who reads through privacy recommendations published by the Intercept or the Freedom of the Press Foundation will encounter the same basic lecture. In a nutshell they advise users to rely on open source encryption software, run it from a CD-bootable copy of the TAILS operating system, and route their internet traffic through the TOR anonymity network.

This canned formula now has a degree of official support from, of all places, the White House. A few days ago during an interview with Re/Code the President assured listeners that “there’s no scenario in which we don’t want really strong encryption.” It’s interesting to note how this is in stark contrast to public admonishments by FBI director James Comey this past October for key escrow encryption, which is anything but strong.

So it would appear that POTUS is now towing a line advocated by none other than whistler-blower Ed Snowden who asserted that “properly implemented strong crypto systems are one of the few things that you can rely on.”

Only there’s a problem with this narrative and its promise of salvation. When your threat profile entails a funded outfit like the NSA cyber security is largely a placebo.

Down To the Metal

For example, a report released by Moscow-based anti-virus vendor Kaspersky Lab proves that, despite the self-congratulatory public relations messaging of Google or Apple, strong encryption might not be the trendy cure-all that it’s cracked up to be. The NSA has poured vast resources into hacking hardware platforms across the board, creating firmware modifications that allow U.S. spies to “capture a machine’s encryption password, store it in ‘an invisible area inside the computer’s hard drive’ and unscramble a machine’s contents.”

On a side note, Kaspersky Lab is one of two companies authorized by Russian security service to provide anti-virus technology to the Russian government. The company’s founder, Eugene Kaspersky, a former Soviet intelligence officer himself, has links to the Russian Federal Security Service, or FSB. So it makes sense that the one company with the audacity and skill to publicly showcase a global espionage program by the NSA would also be a company aligned with a countervailing power center outside of the United States.

Anyway, when it comes to bare-metal skullduggery there are plenty of proof-of-concept examples available in the public domain. But these experiments are nothing compared to the slick production-level malware deployed by NSA spies. When the Pentagon aims for information dominance they don’t screw around. Hence blind trust in encryption software is exposed as a sort of magical thinking. And by all means your author would discourage faith-based decision making in the domain of cyber security.

Some people would argue that the NSA’s hardware hacks aren’t a big deal because they’re used selectively for targeted intrusions. One problem with this stance is that spy gear has a habit of filtering down into the underworld because spies and crooks are kindred spirits who often work together. Another problem is that the NSA is actively working to industrialize attacks so that they can be pulled off on a mass scale against large swathes of users. The recent discovery of pre-installed malware on Lenovo PCs should offer an unsettling hint of where spies and their front companies are taking things.

Face it, an intelligence agency that makes off with the encryption keys from a large multinational company that manufactures billions of SIM cards each year is an agency that’s doing much more than just small-scale targeted hardware attacks. They want to “collect it all.”

OPSEC Is Law

“Iraqi Assault to Retake Mosul from Islamic State Is Planned for Spring”

New York Times headline, February 20, 2015.

Given the sorry state of software engineering and the sheer scope of clandestine subversion programs, if spies want to root your machine they’ll probably find a way. The Internet is akin to a vast swamp in the Deep South. Users wade through a hostile murky environment surrounded by alligators that prowl silently just below the surface.

And don’t think that tools like Tor will protect you. The FBI has demonstrated repeatedly that it can unmask Tor users with exploits. The FBI’s collection of cyber scalps includes a high-ranking cyber security director who probably though that his game was tight. The litany of Tor’s failures have led security researchers to conclude that: “Tor makes you stick out as much as a transgender Mongolian in the desert.”

Hence when going toe-to-toe with spies from the NSA’s Office of Tailored Access Operations or, heaven forbid, their more daunting CIA brethren in the Special Collection Service, operational security (OPSEC) becomes essential. This isn’t cynical “privacy nihilism” but rather clear-headed contingency planning. Once the NSA owns a computer the only things that stands between the user and spies is OPSEC. It takes groundwork, patience and (most of all) discipline. Even the professionals get this wrong. And when they do the results can be disastrous.

For a graphic illustration of this contemplate the case of Ross Ulbricht, the creator of Silk Road. The celebrated Tor anonymity network did very little to stop the Feds from getting a bead on him. To make matters worse you’d think that Ulbricht would know better to work with his back to the room so that the Feds could sneak up on him before he could log off, leaving his encrypted laptop in a decidedly vulnerable state.

It didn’t help that the Silk Road’s servers were configured to auto-login certain client machines and that Ulbricht’s laptop just happened to be connected to the Silk Road servers as a full administrator. Ditto that for Bitcoin wallets on the aforementioned laptop which allowed law enforcement agents to trace over $13 million in Bitcoins to Ulbricht. A trifecta, if you will, of blatant operational failures.

When professionals get operational security right they sometimes look a bit silly. Close circuit TVs are cheap and ubiquitous. Let’s just say that Ed Snowden wasn’t being paranoid when he covered himself with a red blanket (the so-called “magic mantle of power”) while entering his laptop password. For the sake of maintaining cover, simply obscuring your keyboard may be a wiser option in public as it’s less conspicuous. The last thing you want to do in a crowd is draw attention to yourself.

Anti-Forensics in Theory and Practice

“The only protection against communication systems is to avoid their use.”

Cryptome, Communications Privacy Folly, June 13, 2012.

A researcher like the Grugq will inform listeners, when he’s not out scoring zero-day exploits, that anti-forensics is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer then give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.

For instance, in the years following World War II the Soviet nuclear program was targeted heavily by U.S. spies. To counter this effort, the Soviets employed sophisticated, multi-level, denial and deception strategies. According to Mikhail Gladyshev, who was in charge of the plutonium enrichment station at the Mayak complex in the city of Ozersk, compartmentalization of information was pervasive:

“[W]e put the [plutonium] paste in a box and transferred it to the consumer plant. How much plutonium was in that box we didn’t know and it was not recommended for us to know. Even later, when I was the plant’s chief engineer, the plans for plutonium production were known only to the facility’s director, and all documents were prepared in single copies”

Given the reality of mass interception let’s look at mobile phones as a case study. They’re essentially portable Telescreens. Glorified tracking beacons that double as walkie-talkies. In private, when NSA spies feel comfortable enough to speak candidly with each other, iPhone users are referred to as ‘zombies’ who literally pay for their own surveillance. This is not an exaggeration and it speaks yards about how intelligence officers view society. You’ve been warned.

The best option is to follow the example of WikiLeaks activist Sarah Harrison and simply not carry a cellphone. Jihadists in the Middle East have learned this lesson the hard way and use hand couriers for sensitive messages. Other organization like Los Zetas in Mexico have built private radio networks to avoid official communication channels. Lebanon’s Hezbollah went so far as to set up its own covert fiber optic data network in an effort to elude conventional eavesdropping.

Listen to John Young of the web site Cryptome. The only sure-fire way to protect yourself against monitoring on a given communication system is not to use it.

If having a cellphone is an absolute necessity there are shielding cases available. Though removing the battery works just fine in a pinch as does sticking a cellphone in a sealed metal container like a refrigerator. Another thing to remember is that “dumb phones” lacking in bells and whistles tend to accumulate far less information than more elaborate smart phones.

Compromised mobile devices should be smashed and dumped in a remote location. Make sure the SIM card is completely destroyed. Recall how methodically the GCHQ officials disposed of hardware belonging to the Guardian newspaper. This is another area where $10 dumb phones have an advantage. One smart phone equals a small pile of dumb phones. Who said better security is expensive? Well, probably the marketing guys at Black Phone. Really? Rock solid security for only $600? Hey, let me get out my checkbook…

Once a cell phone is out in the open with its battery in place, consider the following recommendations. First, it’s extremely unwise for someone to power on a “secure” cell phone where they normally live and work. This includes recharging the phone! While traveling to a remote site to communicate be aware that automated license plate readers, traffic cameras, facial recognition software and built-in vehicle GPS units are becoming more commonplace.

Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.

Another aim should be to maintain a closed communication network at all costs. Secure cell phones should not be used casually to call friends or relatives. Dial only other cell phones intended specifically for sensitive communication. Also remember that calling a landline may end up exposing the person who answers.

Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag.

If spies somehow captures a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. For instance, when Ed Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.

Final Words

Ultimately there’s no ironclad formula for protecting your identity. No guarantees. Privacy isn’t something I can give you. It’s something you must attain on your own through hard work. In summary, expect security tools to fail, compartmentalize to contain damage, and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.

Bill Blunden is an independent investigator whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, includingThe Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs.

This story was originally published by AlterNet.

More articles by:

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.

April 25, 2018
Stanley L. Cohen
Selective Outrage
Dan Kovalik
The Empire Turns Its Sights on Nicaragua – Again!
Joseph Essertier
The Abductees of Japan and Korea
Ramzy Baroud
The Ghost of Herut: Einstein on Israel, 70 Years Ago
W. T. Whitney
Imprisoned FARC Leader Faces Extradition: Still No Peace in Colombia
Manuel E. Yepe
Washington’s Attack on Syria Was a Mockery of the World
John White
My Silent Pain for Toronto and the World
Mel Gurtov
Will Abe Shinzo “Make Japan Great Again”?
Dean Baker
Bad Projections: the Federal Reserve, the IMF and Unemployment
David Schultz
Why Donald Trump Should Not be Allowed to Pardon Michael Cohen, His Friends, or Family Members
Mel Gurtov
Will Abe Shinzo “Make Japan Great Again”?
Binoy Kampmark
Enoch Powell: Blood Speeches and Anniversaries
Frank Scott
Weapons and Walls
April 24, 2018
Carl Boggs
Russia and the War Party
William A. Cohn
Carnage Unleashed: the Pentagon and the AUMF
Nathan Kalman-Lamb
The Racist Culture of Canadian Hockey
María Julia Bertomeu
On Angers, Disgusts and Nauseas
Nick Pemberton
How To Buy A Seat In Congress 101
Ron Jacobs
Resisting the Military-Now More Than Ever
Paul Bentley
A Velvet Revolution Turns Bloody? Ten Dead in Toronto
Sonali Kolhatkar
The Left, Syria and Fake News
Manuel E. Yepe
The Confirmation of Democracy in Cuba
Peter Montgomery
Christian Nationalism: Good for Politicians, Bad for America and the World
Ted Rall
Bad Drones
Jill Richardson
The Latest Attack on Food Stamps
Andrew Stewart
What Kind of Unionism is This?
Ellen Brown
Fox in the Hen House: Why Interest Rates Are Rising
April 23, 2018
Patrick Cockburn
In Middle East Wars It Pays to be Skeptical
Thomas Knapp
Just When You Thought “Russiagate” Couldn’t Get Any Sillier …
Gregory Barrett
The Moral Mask
Robert Hunziker
Chemical Madness!
David Swanson
Senator Tim Kaine’s Brief Run-In With the Law
Dave Lindorff
Starbucks Has a Racism Problem
Uri Avnery
The Great Day
Nyla Ali Khan
Girls Reduced to Being Repositories of Communal and Religious Identities in Kashmir
Ted Rall
Stop Letting Trump Distract You From Your Wants and Needs
Steve Klinger
The Cautionary Tale of Donald J. Trump
Kevin Zeese - Margaret Flowers
Conflict Over the Future of the Planet
Cesar Chelala
Gideon Levy: A Voice of Sanity from Israel
Weekend Edition
April 20, 2018
Friday - Sunday
Paul Street
Ruling Class Operatives Say the Darndest Things: On Devils Known and Not
Conn Hallinan
The Great Game Comes to Syria
Jeffrey St. Clair
Roaming Charges: Mother of War
Andrew Levine
“How Come?” Questions
Doug Noble
A Tale of Two Atrocities: Douma and Gaza
Kenneth Surin
The Blight of Ukania
FacebookTwitterGoogle+RedditEmail