richard abbott - infosecbc · post-2007 fisa amendments: ... -stoa report to the director general...
TRANSCRIPT
The Reality of Persistent Government Surveillance
Richard [email protected]
Disclosure
All info in this presentation is taken from publicly-accessible sources.
Some info may be “classified” but all is in the public sphere. (ie leaked documents)
PersistentOngoing, long-term, continuous
GovernmentCommanded by nation states or their agents
SurveillanceOverwatchCollection of information without regard to
specific incidents (not reactive)
Not Covered:
Targeted surveillance of actual suspects.
Surveillance by local law enforcement.
Surveillance of employees.-Government workers-Military Personnel
The Backstory of The Modern Surveillance State
The Cold War
BRUSA: 1943 British-US agreement to streamline intel sharing
UKUSA: 1946 Signals intel cooperation
-UK + USA + Canada + Australia + New Zealand
-AUSCANNZUKUS or the “Five Eyes”
Commonalities of the Five Eyes
English speaking
Allied during WWII
Geographically large
None occupied and/or liberated by Allied forces
-Not France/Germany/Japan
Key: None have permanent US military bases
-Blind spots –> need for allies
Satellites: A Case Study
Highly secretive, but impossible to hide
Highly expensive → lots of people → lots of leaks
Very long term programs (50+ year history)
Most capabilities are understandable via lay-observation
ECHELON
Existence first publicly reported in 1988
Examined by EU parliament in late 90's
-Formal report in 2001 (pre-9/11)
Primarily a satellite intercept program
-Listening Stations located near commercial satellite communication
facilities.
-Large antennae trained to geostationary sats
Yakima Research Station (1/2)
Yakima Research Station (2/2)
Yakima Purpose
Installation of antennae contemporaneous with launch of Intelsat and INMARSAT comercial communications sats
-Note lack of radomes → not hiding targets
May soon be closed, with work moved to another location.
Canada's contribution to ECHALON:CFB Leitrim, Canada (outside Ottawa)
CFB Leitrim Purpose
“According to official information, [CFB Leitrim's] task is to provide 'cryptologic rating' and to intercept diplomatic communications.”
“If a site houses two or more satellite antennae with a diameter of at least 18 m, one of its tasks is certainly that of intercepting civilian communications.“
-Europarlement report on ECHELON
RAF Menwith Hill
Misawa Air Base, Japan
National Reconnaissance Office (NRO)
“From our inception in 1961 to our declassification to the public in 1992, we have worked tirelessly to provide the best reconnaissance support possible to the Intelligence Community (IC) and Department of Defense (DoD). We are unwavering in our dedication to fulfilling our vision: Vigilance From Above.”
PGS involves space-based interception
-Geostationary (36,000km)
-Not imaging sats in LEO → not persistent
Evolution of Geostationary Sats
1970s: Rhyolite / Aquacade (4 sats, 20-meter dishes)
-Simple bent-pipes reflecting to Australia
1980s: Chalet/ Vortex (6 sats, 38-meter dishes)
1990s: Mercury (3 sats, 1,000,000,000$ each in 1998 dollars)
Current: Orion/Mentor (5 so far, 100+ meter dishes)
Like this, but think 16x bigger!
9/11 – The World Changes
The President's Surveillance Program (PSP)
Essentially a series of leaks by the president regarding
ongoing ECHELON-type operations
Terrorist Surveillance Program (TSP)
Warrantless wiretapping by NSA
Transfered to FISA in 2007, no longer “warrantless”, but
Identical in practice.
2001-2006, Changing public stories...
“We are only tapping terrorists”
“We are only tapping foreigners who talk to terrorists”
“We are only tapping foreign communications”
“We are only tapping calls where one party is foreign”
“We are tapping everyone, but only listening to X Y and Z”
The Legal Justification of the PSP(s)
(1) International communications are not private.
(2) Constitutional protections restrict only local governments
The “Rightless foreigners” defense
(3) State Secrets privilege
Bars all judicial oversight
See United States v. Reynolds
The Post-PSP Cleanup
Consistent efforts by FBI/NSA/CIA to gauge public reaction via controlled leaks.
Widespread domestic wiretapping now accepted by US public.
See Shia LaBeouf on Leno, 2008 talking about 2005 taps of his phone.
http://www.youtube.com/watch?v=7BMepsU6ycg
Room 461A
Top Secret NSA taping facility.
Located at 611 Folsom Street, San Fransisco CA
Hepting v. AT&T (2006)
Filed by EFF against AT&T
Mooted by 2007 grant of immunity for telecoms
cooperating with US government
"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal,"
Post-9/11 Transitions in Intelligence Operations
From prediction of future attacks to reporting on ongoing
““We have not been able to corroborate some of the more sensational threat reporting, such as that from a ---- service in 1998 saying that Bin Laden wanted to hijack a U.S. Aircraft...” -August 6, 2001 presidential daily brief
Failed to prevent attacks.
Need “They are going to attack THIS plane on THIS day.”
Need access to ALL relevant communications.
From Intelligence to Law Enforcement
Data needs to be absolute Specific persons must be named
Due process must be obeyed Chain of custody/evidence
High probability that public will be made aware of operations.
Touchstone shifts from method of collection to citizenship of person tapped.
Old School:
International communications are open to interception.
Domestic communications are open so long as handed over voluntarily by operators (ie Room 461a).
Post-2007 FISA Amendments:
“there is no substantial likelihood that the surveillance will ac-quire the contents of any communication to which a United States person is a party” 50 USC§1801(a)(1-3) -Source of the 51% standard for foreignness
The Privacy / Metadata Cycle
Government perspective:
If a corporation has access to data for purposes of profit, user has waived privacy rights.
Corporate Perspective:
If government claims no privacy interest at issue, we are free to use data however we wish.
Current State of Affairs
Wiretapping / Internet Caching
Hardcoded Backdoors
Voluntary Handovers
Wiretapping
Three Collection Methods:
(1) Taps on fiber backbone
Special Collection Service (SCS) from embassies
FORNSAT (ECHELON taps of foreign satellites)
Special Source Operations (SSO)
(2) Taps within US corporate systems (Prism)
(3) FISA-warranted handovers (ie Verison call records)
“Genie”
Leaked in Snowden “black budget” document
NSA Hacking of optical routers/switches
-for purposes of wiretapping
$652-million program
Hardcoded Backdoors
Extension of pre-1996 restrictions on export of encryption
Most likely how the Special Collection Service (SCS) gains data.
see Lotus Notes work reduction
http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html
RuggedCom (April 2012)
Username “factory” password based on MAC
RuggedCom and CERT were informed, but failed to act.
Links to Stuxnet:
RuggedCom owned by Siemens
Similar Backdoors in Siemens programmable logic
controllers (PLCs)
Stuxnet used similar backdoors in Siemens SCADA products
Baracudda networks (Jan 2013)
Backdoor accessible from specific IP ranges
Private ranges:
192.168.200.0/24
192.168.10.0/24
Public ranges:
205.158.110.0/24
216.129.105.0/24
Possible NSA Fronts?
mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC …
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting
What are they looking for?
(1) Terrorism (no debate)
(2) Other illegal activity The Airbus-Saudi bribery fiasco
Megaupload
(3) Military Intelligence (again, no debate)
(4) Intellectual property and/or
commercial advantage
Commercial Advantage ?!$#!@#$
“There is wide-ranging evidence indicating that major governments are routinely utilising communications intelligence to provide commercial advantage to companies and trade”
-STOA Report to the Director General for Research of the European Parliament 1999
“From a commercial communications satellite, NSA lifted all the faxes and phone calls between the European consortium Airbus, the Saudi national airline and the Saudi government. The agency found that Airbus agents were offering bribes to a Saudi official. It passed the information to U.S. officials pressing the bid of Boeing Co and McDonnell Douglas Corp., which triumphed last year in the $6 billion competition."”http://articles.baltimoresun.com/1995-12-03/news/1995337001_1_intelligence-agency-nsa-intelligence-national-security-agency
With nothing to hide, why should law-abiding organizations work to avoid monitoring?
Avoidance as Security Exercise
That which avoids Government surveillance also avoids competitors, third party hackers or other evil-doers.
Government surveillance technology can be exploited by third parties.
China's mandatory “Green Dam” software is full of exploitable vulnerabilities
Olympics-gate (2004)Vodaphone Greece“Software extensions in the Ericsson AXE switching equipment that
permitted the "lawful interception" of mobile messages and calls by law enforcement agencies were apparently subverted”
http://www.theregister.co.uk/2007/07/11/greek_mobile_wiretap_latest/?page=2
Protection of Customer Confidence
“For non-U.S. residents, 10 percent of respondents indicated that they had cancelled a project with a U.S.-based cloud computing provider; 56 percent said that they would be less likely to use a U.S.-based cloud computing service. For U.S. residents, slightly more than a third (36 percent) indicated that the NSA leaks made it more difficult for them to do business outside of the United States.”
http://www2.itif.org/2013-cloud-computing-costs.pdf
To avoid participating in illegal activity
2007 FISA amendments cleared US telecoms
Could/Should have resulted in many prosecutions
R. v. Telus (2013) reaffirmed that Canadian police must get wiretapping warrants (as opposed to general warrants)
To Avoid Becoming a Target
Operation Aurora (Google 2009)
China demands access similar to that give to the NSA/FBI
Google refuses.
Chinese hackers attack Google's CALEA systems
Similar story at Microsoft:
"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,"
-David W. Aucsmith, senior director of MS Institute for Advanced Technology”
Which Vendors are not cooperating?
Linus Torvalds on backdoors into linux:
http://www.youtube.com/watch?v=84Sx0E13gAo
at 24:00
Non-publicly traded entities-Lavabit-Mozilla Corporation
Charities-Wikimedia-Linux foundation-Mozilla Foundation
Snowden on Encryption
The Lavabit Story
June 2013: NSA, and everyone else, learn that Snowden is using Lavabit to reach out to reporters ([email protected]) Assumption made that Snowden may also have used other addresses prior to going public
June 28th: Lavabit receives order requiring it to provide metadata on all users To/From/Subject etc Installation of an fbi-operated tap device
July 16th: Lavabit receives order demanding Levison hand over “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.” Levison then agrees to work with FBI to bypass Lavabit security (Wants 2000$ and 60 days to create needed systems)
Government reps refuse to trust Levison, demand keys, judge agrees.
July 17th: Levision hands over SSL key on paper (11pages) Government declares this “illegible”
August 5th: 5000$/day if Lavabit does not cooperate
August 8th: Lavabit shutdown
What does Lavabit teach us about US wiretapping?
(1) They were unable/unwilling to break into Lavabit's systems.
(2) They had no records of Lavabit email traffic (no connection to PRISM)
(3) They were unable to decrypt Lavabit's SSL traffic without private key.
What tools and techniques are available to frustrate surveillance?
-F/OSS
-Strong End-to-end encryption
-Client-side encryption
-Proxy services (offshore VPNs/Tor)
The “Tor Stinks” Documents
What Can we do at a corporate level?
Avoid publicly-traded vendors, regardless of country
Properly update router/switching firmware
Deploy strong, client-side, encryption wherever possible
Mud-Puddle test everything
Anonymize highly sensitive information (ie Tor hidden-service mirrors)
Which services cannot be protected?
-Traditional telephony
-Smartphones
-“Free” services (ie Gmail)
“Parallel Construction”
Drug Enforcement Agency (DEA) Special Operations Division (SOD)
The link between national wiretap agencies and local law enforcement