How Not to Recruit Spies Online and Off… Listen to Ira Winkler.
A Twitter message aimed at me this morning contained the link above, and I felt compelled to take a look as it was the infamous Ira Winkler. I had never really heard or seen him before, but I had heard about him in such places as Attrition.org and in comments by others (who then spat on the ground after they spoke his name, like a curse), so I already had the notion that this was going to be bad.
How little I knew how bad it would be…
Within the first minutes of this presentation at RSA 2011 I was besieged by his whining about how he had been placed on the schedule adjacent to another talk on online espionage. A little further in (at about the 2:59 mark) he goes on to say how he would like to assassinate Julian Assange himself.
Holy what the?… I mean, I don’t agree with Julian on a lot of things really, but calling for his assassination? Even in jest…
Well, that should have been my warning, like the ones on old maps (“There be dragons here”), but I decided to press on and watch this horrid presentation as he droned on about how he knows this or that spy (two of them actually, one *alleged* ex-KGB and one *alleged* CIA) as well as how he hates the term “Social Engineering”. Basically, it is a waste of 50 minutes of anyone’s time, AND if you were in that audience and took anything away from this talk, it should have been: “Never listen to this guy again.”
Take a look for yourselves, gentle readers, and decide… For me though, his inane ramblings made me want to correct the misinformation he spat out and to clearly set down some information concerning espionage.
Espionage vs. Digital Espionage vs. Skiddies
Espionage, the term used for “spying”, has been around since… Well, forever, I suspect. For many years the techniques of spycraft have been honed by the likes of the US and other countries; in fact, more than a few of today’s innovations came out of necessities that spies had and the gadgetry that was created to meet them. Today though, technology has pushed the bounds of tradecraft away from in-person interaction with people toward a more technical espionage, where some social interaction is still needed but most of the work can be done through vulnerabilities in systems and the predictability of companies/governments/sysadmins. Much of the “cyberwar” everyone seems to be bellowing about today is in fact espionage activity and not so much “warfare” in reality. Gone (mostly) are the old days of cold war spying… one might think. But I would say that those days are alive and well, and may come to be even more important given the technologies and their rapid pace of change.
So, this article has been written by me to clear the air a bit for those who have little understanding of the “spook world”. First though, I would like to further define the players and the game within the title above. I have covered “espionage” here, so now let’s look at the “Digital” twist we have today.
Digital Espionage: A term that I think I have coined, sorta kinda. I am sure others came up with it before me, but I am putting it down here and now. When I speak of digital espionage, I am talking about the infamous “APT” that we all have heard about ad nauseam. These are the players who are actually supported either by a nation state or perhaps by corporations. The espionage is mostly technology based (i.e. hacking/phishing/vishing etc.) and may also include social engineering exploits to gain access and/or information for the operation in play.
When any type of espionage is being carried out at this level, there are goals and plans behind an objective. I submit to you here that APT equals espionage, and that both the digital and traditional forms of it use a combination of technical and social means to get what they desire. The new overlay of technology only means that perhaps you do not have to meet your asset somewhere to trade data, pull a brush pass, or leave a mark on a lamp post to set up a meeting date.
Skiddies: In the talk that Ira presented (poorly) at RSA he talks about “hackers” in the context of espionage. He was wrong to even mention this in the presentation, and it should be laid out here that the common criminal hacker, and at this time Anonymous, has yet to reach the breadth, scope, and patience that a real spy operation would accept as SOP. Skiddies will use technology to make the quick hit and exfiltrate data, but 99% of the time they do not do the footprinting and other assessment activities that spies do.
Nation State vs. Corporate
I just wanted a quick word on the nature of nation state actors versus corporate spies. The history of espionage shows that the two have been intertwined really since the early days of corporations. Once things like telephones and cables came into existence, it became a cozy relationship at times, where governments and companies started to work together for their own ends in the espionage world. Today, it is rather hard to tell where the corporation ends and the state function begins. Often, NOC (Non-Official Cover) operatives are sent out by services such as the CIA under the guise of being employees of either faux companies or real ones that have taken on the agent as an “employee” (case in point: Valerie Plame and Brewster Jennings).
However, companies in and of themselves have been known to hire boutique firms that spy for a fee. These companies go out and get “competitive intelligence” for corporations, and they get paid pretty well. Often, these firms are staffed by ex-spooks from all over the world and from all different services/countries. This too brings the corporate and the state sponsored types of espionage together once again, and in fact the two often cross-pollinate.
Today’s APT could be either, and one should take this into account before pointing fingers at countries and yelling “wolf”.
APT vs. Old School
Going back to the notion of the changing landscape of espionage, I would like to mention again the difference between the new digital means and the old days of smuggling microdots of “documents” and the use of brush passes. Today much of the espionage can be carried out without having to leave one’s back office, and this is a real paradigm shift in the business. It has also been a problem for the nation state actors, since technology has become too relied upon and the ways of HUMINT slackened, as we found out post 9/11.
It turns out that HUMINT is very important, as is having linguists… You can’t just re-task a Keyhole and get everything you need, it turns out. It also seems to be still a learning curve today, as we read about the roll-up of assets in Iran and Palestine because the handlers for the agents on the ground re-used the code word and the meet site (pizza and a Pizza Hut), thus giving the assets away and causing great damage to our network in the area.
It seems that even today we (the USA) are not teaching enough HUMINT techniques (the Moscow Rules etc.) to our agents, and thus mistakes are being made. It is my contention, and that of others, that we need to get back into the old school methods even with the advent of all this technology. After all, people are still the easiest thing to exploit, and the insider is one of the best sources/means of obtaining information that one might want.
Terms and Nomenclature
One of the things that I noted in the presentation that Winkler made was that he was at a loss to really describe espionage in its common nomenclature. Thus, I have decided to list terms that you all should be familiar with when talking about espionage operations.
dead drop – A secret location where materials can be left in concealment for another party to retrieve. This eliminates the need for direct contact in hostile situations.
dead telephone – A signal or code passed with the telephone without speaking.
in the black – Surveillance-free for a time span greater than a few seconds.
in the gap – Surveillance-free for a few seconds but not as long as a minute.
in the wind – When a target of surveillance has escaped and left for parts unknown.
provocateur – An operative sent to incite a target group to action for purposes of entrapping or embarrassing them.
provocative – A harassing act or procedure designed to flush out surveillance.
put up a signal – To clandestinely signal another operative or secret source, as in putting up a signal like a chalk mark on a light pole.
rabbit – The target in a surveillance operation.
roll-out – A surreptitious technique of rolling out the contents of a letter without opening it. It can be done with two knitting needles or a split chopstick.
rolled up – When an operation goes bad and the agent is arrested.
rolling car pickup – A clandestine car pickup executed so smoothly that the car hardly stops at all and seems to have kept moving forward.
RYBAT – A code word meaning that the subject matter is extremely sensitive.
SDR – Surveillance detection run; a route designed to erode or flush out surveillance without alerting them to an operative’s purpose.
signals – Any form of clandestine tradecraft using a system of marks, signs, or codes for signaling between operatives.
silver bullet – The special disguise and deception tradecraft techniques developed under Moscow rules to help the CIA penetrate the KGB’s security perimeter in Moscow.
SIS – Senior Intelligence Service of the CIA, which assigns the executive ranks equivalent to a general in the military. So an SIS-1 is equal to a one-star general.
SITREP – Situation report, sent to CIA headquarters during an operation or crisis.
smoking-bolt operation – A covert snatch operation in which a special entry team breaks into an enemy installation and steals a high-security device, like a code machine, leaving nothing but the “smoking bolts.”
staff agent – A CIA staff officer without access to CIA secure facilities or classified communications.
stage management – Managing the operational stage in a deception operation, so that all conditions and contingencies are considered: point of view of the hostile forces and the casual observers, physical and cultural environments, etc.
star-burst maneuver – A countersurveillance ploy in which more than one target car or target officer is being followed and they suddenly go in different directions, forcing the surveillance team to make instant choices about whom to follow.
Surreptitious Entry Unit – Unit in OTS whose specialty was opening locks and gaining access to enemy installations for the purpose of supporting bugging operations.
swallow – A female operative who uses sex as a tool.
timed drop – A dead drop that will be retrieved if it is not picked up by the intended recipient after a set time.
tosses (hand, vehicular) – Tradecraft techniques for placing drops by tossing them while on the move.
tradecraft – The methods developed by intelligence operatives to conduct their operations.
walk-in – A defector who declares his intentions by walking into an official installation, or otherwise making contact with an opposition government, and asking for political asylum or volunteering to work in place. Also known as a volunteer.
warming room – A location out of the weather where a surveillance team can go to keep warm and wait for the target.
watcher team – A surveillance team usually assigned to a specific target.
window dressing – Ancillary materials that are included in a cover story or deception operation to help convince the opposition or casual observers that what they are observing is genuine.
There are many more and you can see them here. This sampling though gives you a window into how the lingo works and the technical terms that each service uses. It’s a language unto itself really, and if you decide to read more on the topic, this primer could be useful.
Tradecraft applies traditionally to the tools and techniques of espionage: things like surveillance and counter-surveillance as well as secret writing etc. Today, however, you can also add the technical aspects of hacking. Another aspect would include the social elements of spying, recruiting spies, and on the hacking end, tricking people into giving you data as you would in any other spook op. The difference being that often, in the hacking scenario, you are not directly interfacing with the target of late; you are sending an email.
All in all though, tradecraft is exceedingly important in both spheres and must be kept up. In the case of the “illegals” who were popped last year in America, their tradecraft was OK, in fact pretty good in most cases, but their use of new technology caused certain failures that helped in their capture (see the story about the laptops and the ad hoc wifi connections). Meanwhile, tradecraft failed at least one of the operatives physically, as the operative left the password to their system on a post-it note…
Yep, they did… Know why? Because the password was 15 characters… Too long to remember.
Tradecraft, like I said, needs to be practiced.
Social Engineering & Rapport Building a.k.a. Recruiting and Running an Asset
Within the presentation by Winkler, his premise for the whole thing (by the title) was to talk about how to recruit online spies. Something that, ironically, he really fails to talk about. I believe much of this is because he loathes “social engineering”, and NLP too, it seems. In fact, he says a lot that is counter to what you really need to be skilled at to obtain the complicity of an end user, or an employee in general, and make them an asset for you. Ira pretty much glosses over all this, instead talking erratically about how he watched hackers on IRC…
Anyway, the point is that if you want to gain the complicity of a target you have some choices to make.
- Flattery (pride)
Those are pretty much the motivators for people to betray their companies or countries. Often, these all take some cajoling on the part of the operative to get the target to work for them, but nine times out of ten you can get someone to give you what you want by simple manipulation or cash. Ira touched on these things, poorly, but the gist of it is that agents for foreign powers as well as corporations are often very skilled at social engineering.
You have to be… because you are manipulating people and their emotions.
One also has to be very calculating and able to separate oneself from the asset emotionally. Often, you may have to burn an asset. In fact, most of the assets who were recruited to sell out their own countries (i.e. to Russia in the cold war) did not actually get exfiltrated to Russia to live out comfortable lives… unless they were high level defectors (like Philby, who in the end did not live so richly in the workers’ paradise) who might actually be exfiltrated and treated moderately well… until their usefulness is gone.
Nope, overall this is a cutthroat business, and you need to have great people skills as well as be able to step outside of those skills emotionally.
It’s all about manipulation.
Honey Traps and Swallows: The Art of Blackmail and El Amor
Another topic that was given a glancing mention by Winkler was the use of sex and blackmail as a means to an end in espionage. It’s quite true that this technique was a favorite of the Russians specifically, but all the services have used this ploy to get what they want. China has become somewhat infamous of late for also using this type of exploit to get someone to give them information or technology. So much so that the trade has a term, “swallows”, for the women who do it.
There have been recent cases where government officials visiting China have been approached by Chinese women who later physically steal their computers or other technical equipment as they walk out the door. This particular attack is augmented by the fact that the Chinese often set up tight and full schedules for visitors, comprising many site visits as well as night time dinners that include much drink. This has been especially true for any of the nuclear physicists who visit China…
And that’s how secrets leak out: through lips loosened by fatigue and a couple of drinks.
Back to the Russians and others, but primarily them: they have been known to use sex quite well to get their desired targets’ complicity. Often, the Russians would set up cameras behind walls/glass (today you’d just plant a wireless camera) and tape the sexual encounters for playing back later to the target. Often this was used against those who were homosexual, as this type of attention would ruin lives. Additionally, they often would ask for something small, then string the new asset along for bigger things later. This also allowed the target to perhaps become more emotionally tied to the bait and thus become a willing agent for Russia.
Overall, the use of sex in espionage has been around since the dawn of time (Cleopatra etc.), so it’s nothing new…
But it bears more description than the long and winding road of drivel that Winkler uttered on it at RSA.
China/Israel/Russia/UK/US All Have Different Methods…
Another thing to consider is that each of the services out there has different methods and bents toward recruitment and espionage in general. With the right research one can see how they play differently and what to look for should you ever be confronted with an operative or operation from a specific country. I thought it prudent to have a short list of a few of their particular preferences per country.
- Russia: They favor the blackmail approach as mentioned above. They are also adept at inserting players into the environment who are deep cover, like the illegals program. Though, in the case of “deep cover”, I would not claim that completely for the illegals that were popped in the US. Anna was pretty much out there as a Russian, as were a couple of the others.
- China: Patient, and they approach the game from the “Thousand Grains of Sand” angle: many assets, high and low value, that pass data to the homeland, and they use it all. China also favors “soft power”, as opposed to Russia and its strong-arm approach to diplomacy.
- Israel: The Mossad is an agency that one would not want to tangle with. For the most part, the Mossad is known for its assassination teams (see the recent events in Dubai).
- CIA: The CIA’s clandestine branch uses many techniques… but of late seems to be out of step with HUMINT, per our recent failures. As stated above, technology has replaced HUMINT, and that balance needs to be shifted back.
I would suggest some reading for anyone interested. Do some Googling and take a look around… AND if you are in the DC area, check out the Spy Museum.
HUMINT/SIGINT/MASINT etc etc…
Within the espionage space there are a lot of terms and methods for plying the trade. I would like to take this chance to further delineate the differences between types of intelligence gathering. Primarily, I have talked about HUMINT, which was ostensibly what Winkler was to talk about (recruitment of assets). However, there are many other types of collection. Here are some of them.
SIGINT: Signals Intelligence involves intercepted signals from communications and electronic emissions; the National Security Agency (NSA) is responsible for SIGINT collection and reporting.
MASINT: Measurement and Signature Intelligence involves a highly technical, multi-disciplinary approach to intelligence collection to provide detailed characteristics of targets, including radar signatures of aircraft and telemetry of missiles; the Directorate for MASINT and Technical Collection (DT) at the Defense Intelligence Agency (DIA) is responsible for MASINT.
PHOTINT: Photographic Intelligence involves the assessment of photographic media for intelligence purposes (think old school assessment of satellite photos or pictures from a high altitude plane).
ELINT: Electronic Intelligence, a branch of SIGINT, is intelligence derived from electromagnetic radiations from foreign sources (other than radioactive sources).
GEOINT: Geospatial Intelligence involves the collection of information related to the earth from imagery, imagery intelligence, and geospatial information; the National Geospatial-Intelligence Agency (NGA) is responsible for geospatial intelligence collection management.
IMINT: Imagery Intelligence involves representations of objects reproduced optically or by electronic means from a variety of sources, including radar, infrared sources and electro-optics; the National Geospatial-Intelligence Agency (NGA) is responsible for all imagery intelligence collection activities.
OSINT: Open Source Intelligence is information gathered from non-classified, non-secret sources, including news media, the internet and commercial databases to name a few; the Open Source Center (OSC) in the Office of the Director of National Intelligence (ODNI) and the National Air and Space Intelligence Center (NASIC) are the major collectors of open-source intelligence.
HUMINT: An abbreviation of HUMan INTelligence; refers to intelligence gathering by means of interpersonal contact, as opposed to the more technical intelligence gathering disciplines such as SIGINT, IMINT and MASINT. NATO defines HUMINT as “a category of intelligence derived from information collected and provided by human sources.”
Typical HUMINT activities consist of interrogations and conversations with persons having access to pertinent information.
The Moral of The Story… Don’t Listen to This Buffoon
I guess overall, though, I wanted to shed some more light on espionage and the changing landscape for anyone who might not have a good feel for it. It seems today, with the advent of the term APT, that the explanation of the nuances has flown out the door. Either this is because people don’t understand them, or they are unable to connect the dots between APT and espionage. It does seem, though, that most vendors and media don’t get it.
APT unfortunately only means China to the masses… and this is a failure on the part of the security community as well as the Defense community at large. I recently had a conversation with someone that gets to the heart of this, in fact. APT spawned from the DIB (Defense Industrial Base) as well as the DoD. Much of this terminology and the actual events that created it cannot be talked about because they are marked as “secret” by the companies and the military. So it can be readily seen that when talking about them in the open, they omit much of what really happened and only allude to certain things. This makes it all seem mysterious and alluring to talk about… and many do… who have no clue what they are talking about.
The same can be said about espionage and running/recruiting agents when you have someone like Ira Winkler speaking at a conference like RSA. At best, Ira Winkler wrote a book long ago about industrial espionage that may have been researched. Today the picture has changed dramatically and Ira has failed to follow up on what’s going on. Nor does it seem that he has a solid grasp of the old school precepts of espionage and the players involved. At least that is my takeaway from this YouTube of his…
To conclude, I would like to say this… Espionage, both digital and otherwise, is the way of things today. The fact that compromisable technology has permeated every part of our lives makes us all targets of spying, whether that spying be the local kid next door looking at your porn collection on your PC or the NSA looking at your emails and conversations. Just as much, it is important to know that your job, no matter what job you hold, also makes you and your data a potential target of interest for a spook. If nothing else, one must look at the range and breadth of companies and entities being broken into by the likes of China to see that no one is exempt.
Know the ins and outs of the technology as well as the spook landscape… especially if you work in INFOSEC today… lest you become the next target who has to report that they were compromised and data stolen.