richard abbott - infosecbc · post-2007 fisa amendments: ... -stoa report to the director general...

The Reality of Persistent Government Surveillance

Richard AbbottRabbit@shaw.ca

Oregonrabbit@hushmail.com

Disclosure

All info in this presentation is taken from publicly-accessible sources.

Some info may be “classified” but all is in the public sphere. (ie leaked documents)

PersistentOngoing, long-term, continuous

GovernmentCommanded by nation states or their agents

SurveillanceOverwatchCollection of information without regard to

specific incidents (not reactive)

Not Covered:

Targeted surveillance of actual suspects.

Surveillance by local law enforcement.

Surveillance of employees.-Government workers-Military Personnel

The Backstory of The Modern Surveillance State

The Cold War

BRUSA: 1943 British-US agreement to streamline intel sharing

UKUSA: 1946 Signals intel cooperation

-UK + USA + Canada + Australia + New Zealand

-AUSCANNZUKUS or the “Five Eyes”

Commonalities of the Five Eyes

English speaking

Allied during WWII

Geographically large

None occupied and/or liberated by Allied forces

-Not France/Germany/Japan

Key: None have permanent US military bases

-Blind spots –> need for allies

Satellites: A Case Study

Highly secretive, but impossible to hide

Highly expensive → lots of people → lots of leaks

Very long term programs (50+ year history)

Most capabilities are understandable via lay-observation

ECHELON

Existence first publicly reported in 1988

Examined by EU parliament in late 90's

-Formal report in 2001 (pre-9/11)

Primarily a satellite intercept program

-Listening Stations located near commercial satellite communication

facilities.

-Large antennae trained to geostationary sats

Yakima Research Station (1/2)

Yakima Research Station (2/2)

Yakima Purpose

Installation of antennae contemporaneous with launch of Intelsat and INMARSAT comercial communications sats

-Note lack of radomes → not hiding targets

May soon be closed, with work moved to another location.

Canada's contribution to ECHALON:CFB Leitrim, Canada (outside Ottawa)

CFB Leitrim Purpose

“According to official information, [CFB Leitrim's] task is to provide 'cryptologic rating' and to intercept diplomatic communications.”

“If a site houses two or more satellite antennae with a diameter of at least 18 m, one of its tasks is certainly that of intercepting civilian communications.“

-Europarlement report on ECHELON

RAF Menwith Hill

Misawa Air Base, Japan

National Reconnaissance Office (NRO)

“From our inception in 1961 to our declassification to the public in 1992, we have worked tirelessly to provide the best reconnaissance support possible to the Intelligence Community (IC) and Department of Defense (DoD). We are unwavering in our dedication to fulfilling our vision: Vigilance From Above.”

PGS involves space-based interception

-Geostationary (36,000km)

-Not imaging sats in LEO → not persistent

Evolution of Geostationary Sats

1970s: Rhyolite / Aquacade (4 sats, 20-meter dishes)

-Simple bent-pipes reflecting to Australia

1980s: Chalet/ Vortex (6 sats, 38-meter dishes)

1990s: Mercury (3 sats, 1,000,000,000$ each in 1998 dollars)

Current: Orion/Mentor (5 so far, 100+ meter dishes)

Like this, but think 16x bigger!

9/11 – The World Changes

The President's Surveillance Program (PSP)

Essentially a series of leaks by the president regarding

ongoing ECHELON-type operations

Terrorist Surveillance Program (TSP)

Warrantless wiretapping by NSA

Transfered to FISA in 2007, no longer “warrantless”, but

Identical in practice.

2001-2006, Changing public stories...

“We are only tapping terrorists”

“We are only tapping foreigners who talk to terrorists”

“We are only tapping foreign communications”

“We are only tapping calls where one party is foreign”

“We are tapping everyone, but only listening to X Y and Z”

The Legal Justification of the PSP(s)

(1) International communications are not private.

(2) Constitutional protections restrict only local governments

The “Rightless foreigners” defense

(3) State Secrets privilege

Bars all judicial oversight

See United States v. Reynolds

The Post-PSP Cleanup

Consistent efforts by FBI/NSA/CIA to gauge public reaction via controlled leaks.

Widespread domestic wiretapping now accepted by US public.

See Shia LaBeouf on Leno, 2008 talking about 2005 taps of his phone.

http://www.youtube.com/watch?v=7BMepsU6ycg

Room 461A

Top Secret NSA taping facility.

Located at 611 Folsom Street, San Fransisco CA

Hepting v. AT&T (2006)

Filed by EFF against AT&T

Mooted by 2007 grant of immunity for telecoms

cooperating with US government

"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal,"

Post-9/11 Transitions in Intelligence Operations

From prediction of future attacks to reporting on ongoing

““We have not been able to corroborate some of the more sensational threat reporting, such as that from a ---- service in 1998 saying that Bin Laden wanted to hijack a U.S. Aircraft...” -August 6, 2001 presidential daily brief

Failed to prevent attacks.

Need “They are going to attack THIS plane on THIS day.”

Need access to ALL relevant communications.

From Intelligence to Law Enforcement

Data needs to be absolute Specific persons must be named

Due process must be obeyed Chain of custody/evidence

High probability that public will be made aware of operations.

Touchstone shifts from method of collection to citizenship of person tapped.

Old School:

International communications are open to interception.

Domestic communications are open so long as handed over voluntarily by operators (ie Room 461a).

Post-2007 FISA Amendments:

“there is no substantial likelihood that the surveillance will ac-quire the contents of any communication to which a United States person is a party” 50 USC§1801(a)(1-3) -Source of the 51% standard for foreignness

The Privacy / Metadata Cycle

Government perspective:

If a corporation has access to data for purposes of profit, user has waived privacy rights.

Corporate Perspective:

If government claims no privacy interest at issue, we are free to use data however we wish.

Current State of Affairs

Wiretapping / Internet Caching

Hardcoded Backdoors

Voluntary Handovers

Wiretapping

Three Collection Methods:

(1) Taps on fiber backbone

Special Collection Service (SCS) from embassies

FORNSAT (ECHELON taps of foreign satellites)

Special Source Operations (SSO)

(2) Taps within US corporate systems (Prism)

(3) FISA-warranted handovers (ie Verison call records)

“Genie”

Leaked in Snowden “black budget” document

NSA Hacking of optical routers/switches

-for purposes of wiretapping

$652-million program

Hardcoded Backdoors

Extension of pre-1996 restrictions on export of encryption

Most likely how the Special Collection Service (SCS) gains data.

see Lotus Notes work reduction

http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html

RuggedCom (April 2012)

Username “factory” password based on MAC

RuggedCom and CERT were informed, but failed to act.

Links to Stuxnet:

RuggedCom owned by Siemens

Similar Backdoors in Siemens programmable logic

controllers (PLCs)

Stuxnet used similar backdoors in Siemens SCADA products

Baracudda networks (Jan 2013)

Backdoor accessible from specific IP ranges

Private ranges:

192.168.200.0/24

192.168.10.0/24

Public ranges:

205.158.110.0/24

216.129.105.0/24

Possible NSA Fronts?

mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC …

frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad

static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc.

utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.

everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc.

mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc

outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

What are they looking for?

(1) Terrorism (no debate)

(2) Other illegal activity The Airbus-Saudi bribery fiasco

Megaupload

(3) Military Intelligence (again, no debate)

(4) Intellectual property and/or

commercial advantage

Commercial Advantage ?!$#!@#$

“There is wide-ranging evidence indicating that major governments are routinely utilising communications intelligence to provide commercial advantage to companies and trade”

-STOA Report to the Director General for Research of the European Parliament 1999

“From a commercial communications satellite, NSA lifted all the faxes and phone calls between the European consortium Airbus, the Saudi national airline and the Saudi government. The agency found that Airbus agents were offering bribes to a Saudi official. It passed the information to U.S. officials pressing the bid of Boeing Co and McDonnell Douglas Corp., which triumphed last year in the $6 billion competition."”http://articles.baltimoresun.com/1995-12-03/news/1995337001_1_intelligence-agency-nsa-intelligence-national-security-agency

With nothing to hide, why should law-abiding organizations work to avoid monitoring?

Avoidance as Security Exercise

That which avoids Government surveillance also avoids competitors, third party hackers or other evil-doers.

Government surveillance technology can be exploited by third parties.

China's mandatory “Green Dam” software is full of exploitable vulnerabilities

Olympics-gate (2004)Vodaphone Greece“Software extensions in the Ericsson AXE switching equipment that

permitted the "lawful interception" of mobile messages and calls by law enforcement agencies were apparently subverted”

http://www.theregister.co.uk/2007/07/11/greek_mobile_wiretap_latest/?page=2

Protection of Customer Confidence

“For non-U.S. residents, 10 percent of respondents indicated that they had cancelled a project with a U.S.-based cloud computing provider; 56 percent said that they would be less likely to use a U.S.-based cloud computing service. For U.S. residents, slightly more than a third (36 percent) indicated that the NSA leaks made it more difficult for them to do business outside of the United States.”

http://www2.itif.org/2013-cloud-computing-costs.pdf

To avoid participating in illegal activity

2007 FISA amendments cleared US telecoms

Could/Should have resulted in many prosecutions

R. v. Telus (2013) reaffirmed that Canadian police must get wiretapping warrants (as opposed to general warrants)

To Avoid Becoming a Target

Operation Aurora (Google 2009)

China demands access similar to that give to the NSA/FBI

Google refuses.

Chinese hackers attack Google's CALEA systems

Similar story at Microsoft:

"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,"

-David W. Aucsmith, senior director of MS Institute for Advanced Technology”

Which Vendors are not cooperating?

Linus Torvalds on backdoors into linux:

http://www.youtube.com/watch?v=84Sx0E13gAo

at 24:00

Non-publicly traded entities-Lavabit-Mozilla Corporation

Charities-Wikimedia-Linux foundation-Mozilla Foundation

Snowden on Encryption

The Lavabit Story

June 2013: NSA, and everyone else, learn that Snowden is using Lavabit to reach out to reporters (edsnowden@lavabit.com) Assumption made that Snowden may also have used other addresses prior to going public

June 28th: Lavabit receives order requiring it to provide metadata on all users To/From/Subject etc Installation of an fbi-operated tap device

July 16th: Lavabit receives order demanding Levison hand over “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.” Levison then agrees to work with FBI to bypass Lavabit security (Wants 2000$ and 60 days to create needed systems)

Government reps refuse to trust Levison, demand keys, judge agrees.

July 17th: Levision hands over SSL key on paper (11pages) Government declares this “illegible”

August 5th: 5000$/day if Lavabit does not cooperate

August 8th: Lavabit shutdown

What does Lavabit teach us about US wiretapping?

(1) They were unable/unwilling to break into Lavabit's systems.

(2) They had no records of Lavabit email traffic (no connection to PRISM)

(3) They were unable to decrypt Lavabit's SSL traffic without private key.

What tools and techniques are available to frustrate surveillance?

-F/OSS

-Strong End-to-end encryption

-Client-side encryption

-Proxy services (offshore VPNs/Tor)

The “Tor Stinks” Documents

What Can we do at a corporate level?

Avoid publicly-traded vendors, regardless of country

Properly update router/switching firmware

Deploy strong, client-side, encryption wherever possible

Mud-Puddle test everything

Anonymize highly sensitive information (ie Tor hidden-service mirrors)

Which services cannot be protected?

-Traditional telephony

-Smartphones

-“Free” services (ie Gmail)

“Parallel Construction”

Drug Enforcement Agency (DEA) Special Operations Division (SOD)

The link between national wiretap agencies and local law enforcement

The End!!

Richard AbbottRabbit@shaw.ca

Oregonrabbit@Hushmail.com