Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Stego’ Category

Russian Kulturny: Espionage Old School Meets the New Tech Comrade

with one comment

But many things shown even in bad movies are unfortunately true: Yes, the Russians like to wear fur hats, drink vodka, eat caviar, take pretty girls to the sauna. And, apart from some modern innovations like ad hoc networks, burst transmissions and steganography, the old proven tradecraft is pretty much the same. It is good and it normally works well (except in cases, when somebody is already being shadowed – then nothing works).

Boris Volodarsky: Former GRU Officer

Los Illegals.. Comrade…

With all of the hubub over the capture of the illegals, and of course all the rattling on about the “swallow” known as Anna Chapman, one has to cut through the dross to get to the real importance of the story. The fact is, that though the wall has fallen (long ago) and W looked into the “soul” of ol’ Pooty Poot and saw teddy bears and rainbows, the reality of it is that the “Bear” never went away or to sleep.

We are still a target, a rather rich one still, for collection of intelligence as well as corporate IP as Putin has pointed out in statements he has made over the years. It was Putin who actually said that Russia needed to step up its game in industrial espionage (I am paraphrasing) and created the means to do so within the new FSB *cough* KGB. This type of infiltration in hopes of collection never went away and I suspect that even with out own dismantling of the HUMINT departments of CIA, we still had a reasonable amount of assets and agents within Russia as they transitioned from the Sov bloc to today’s powerhouse of malware and Russian Mafia run state apparatus.

So, while reading all the news sites, it became clear to me that people really do not have a grasp of the realities surrounding the nature of espionage today. Everyone thinks that its all shiny technologies and protocols within the hacker scene that the next gen of spies are using and that old school techniques called “tradecraft” are outdated and useless.

Nope… It’s not just that. This is said rather well here by Boris again:

The public and writers alike do not really realise that this is NOT a film — a very large group of very experienced FBI agents and watchers spent a very considerable sum of taxpayers’ money and plenty of time to uncover a REAL group of the Russian undercover operators who brazenly operated in the United States, as they had been absolutely sure that no one would ever catch them because their education, training, intelligence tradition, and the belief that the wealth of the country behind them is much superior than the FBI. They forgot that the FBI of 2010 is much different from the Bureau of the 1950s.

It is highly likely that these agents were outed by a defector back in the 90’s. The defector was a Directorate S operative who worked within the UN in the NYC area and it is possible that he gave up the program. The FBI then was tasked with either finding them all blindly, or, they had at least one couple in their sites and steadily built their case by watching the illegals to get at their handlers. You see, the same logic applies to the FBI as does the perception of the KGB. The FBI is seen as slow witted and usually in the media, the blue sedan with guys in suits and sunglasses inside watching you ever so not subtly.

This is not necessarily the case as has been seen in some areas of the FBI’s counterintelligence unit. They really can do a good job at surveillance and counterintel collection.. They are not as bumpkin as they used to be in the 50’s… Nor the 80’s for that matter. Unfortunately though, it really took the Hanssen’s of the world to force them to be better.. But I digress..

Why Were They Here?

I think that there has been a basic misunderstanding in the press and the populace from reading poor press reports on the nature of the “illegals” program. Yes, they were tasked at times with getting data that could be readily available through open source (OSINT) channels such as the news or Google. However, their main task was to insert themselves into our culture, economy, and social strata in order to get “at” people of interest. Basically they were talent spotters.

These people got on to Linkedin and other social networks for the exact reason of making friends and gaining access to those who might be “of use” later on for their handlers and masters. They were facilitators really. You see, like the whole Robin Sage affair that is ongoing now, these folks already knew about the vulnerabilities within social networking and the social nature of human beings from the start. They were trained on this by the SVR and its not something that common people tend to think about. This is where the hacker world and the spy world meet (well they meet in many other places too but go with it for now) The hackers take advantage of the same flaws in our “systems” (cognitive as well as technical) to get what they want.

In this case, these illegals actually did gain some traction and some had access to potential sources that I think, had yet to be plumbed. Perhaps they were getting close to someone and this is what tripped the arrest cycle. Perhaps there are other more arcane reasons for that… As you may be seeing now that there is a prisoner swap with Russia in the works. Once again I direct you to Boris’ comments on their aegis:

What Russian intelligence in striving to get is secret information (political, economic, industrial, military, etc) and have a chance to influence decision-making and public opinion in favor of Russia. This is why agents are recruited or penetrated into sensitive or politically important targets.

The role of illegals is threefold:

  1. to act as cut-outs between important sources and the Centre (directly or via the SVR station);
  2. to serve as talent-spotters finding potential candidates for further intelligence cultivation and possible recruitment (a rather long and complex process, where the illegals only act at its early stage); and
  3. to establish the right contacts that would allow other intelligence operators (members of the SVR station) or the Centre (visiting intelligence officers under different covers, journalists, diplomats or scientists tasked by the SVR) to get intelligence information and/or receive favors that the Centre is interested in.

These illegals are really, like I said, facilitators for the real spies that are sent to our shores.They were practiced in the old school tradecraft of spying and were they not already under surveillance, they may not have been noticed at all by our counterintelligence services. Which brings me to another issue with all the reporting on this espionage round up.

Tradecraft VS High Tech Espionage:

As mentioned by Boris, the tradecraft angle is not only history for the SVR, KGB, or the GRU. Much as I believe that it is still in play for ALL of the intelligence services throughout the world. These practices are tired and true. They have been used to great effect by all spies and only are really heard about in books, film, or news stories like the ones today when the spies were busted.

Since the days of 007 on the screen, we have seen the Q branch and all their toys as a high profile part of “spying” when in reality there is some of that (see H. Kieth Melton’s books) but mostly, it has been the old school that has won the day for spies. The use of things like a Shortwave radio and a “One Time Pad” are still used today because they cannot easily be broken. The use of rapid burst radio transmissions too was a bit of a shock to me in the current case, but once I thought about it, the use of a rapid burst to a local “rezidentura” makes a lot of sense given the amount of RF we have placed into our landscape today. It would easily be lost in the noise and thus, a good way to go about secret communications.

Meanwhile, the use of “Brush Passes” “Chalking”, “Pass Phrases” and other old school techniques for communicating and passing intelligence never have lost their usefulness. Just because one can create an email dead drop on Gmail today pretty easily, does not infer that it is at all safer than meeting someone on the park bench, or leaving a postal stamp on a kiosk as a marker that “somethings up” These things hide within the static of every day life and often, because of “situational awareness” levels, go totally un-noticed. The other means via the “technology” of today’s internet is more circumspect because of so many factors. One of the primary of those being the hacking and cyberwar issues that are ongoing.

Even today, the news is full of “Perfect Citizen” an uber protection plan and technology that the NSA wants to use to protect the national infrastructure. How will it do this? By monitoring ALL of the traffic that it can and look for anomalous behavior. As the technology becomes more prevalent so too are the chances of your secret communications being discovered. It made sense that given the NSA’s power, the illegals and the SVR decided that old school was still the best bet. It was however, that the more technical approaches (i.e. netbooks, crypto, and adhoc networks) failed them, only proving my hypothesis above.

As an aside to LizzieB, the old bury the money under or near the bottle thing.. It still does work *heh*

The Final Analysis:

Much has yet to be told about these illegals as well as the reasons why this group was busted 10 years later. Why now? Why this sudden trade for spies? What tipped the FBI off to these spies in the first place? Was it indeed the defector I spoke of? We may never know. What we can deduce though, is this:

  • Spies never went away
  • Spies aren’t just stealing IP from corporations
  • Hey you, you with the access to the important people… You are a target
  • Technology does not always win the day, sometimes it is the weakest link
  • We have not seen the last of the SVR, KGB, Mossad, MI5 etc etc…
  • Russian spies do like their Vodka and sauna’s but they aren’t all Boris and Natasha caricatures

A full text of the cited Boris interview can be found HERE

CoB

Al-Qaida Goes “Old School” With Tradecraft and Steganography

with 3 comments

al-Qaida: Shifting into the spy shadows

12 March 2010 www.cicentre.net

When couriers get caught, so do key al-Qaida documents, plans and key communications. Shaffer says now al-Qaida is hiding their communications on the Internet. It’s not a new concept, but certainly one that’s gaining a lot of momentum since a growing number of critical commanders and operators have either been killed or arrested. How are these dead drops happening? “Steganography in photographs is a good example of a dead drop,” says Shaffer. In a nutshell, a dead drop in a photo involves embedding a message in a picture. .

WTOP, 12 March 2010: A growing list of terror suspects nurtured by al-Qaida is emerging. Former military interrogator Dave Gabutz informed WTOP Radio of this notion in June 2009 after he had spent years tracking al-Qaida sleeper units and recruiters. “We came across the first one in Falls Church, Va.,” Gabutz says. This “first one” was controversial Imam Anwar al-Awlaki, who worked at a location watched by Gabutz and his team. . . .

. . . Gabutz says the recruiters are spreading out. “Michigan, Florida, Texas, Nashville, Richmond, Knoxville, and California,” are prime locations, according to Gabutz. There are indications terrorist recruiters are using every available opportunity and option to lure more people into their world and plan attacks against the United States.

Hezbollah sympathizer Mahmoud Kourani was doing just that before his arrest near Detroit in 2002. “Kourani’s specialties appeared to be weaponry, spycraft, counterintelligence,” according to Tom Diaz, a former Congressional Crime Subcommittee staffer. Diaz says Khourani was recruiting people for training. Recruits were to be trained “to make things go bang, to attack, military type training, terror type training,” Diaz says. . . . .

. . . .One question that is puzzling investigators is how al-Qaida communicates with its foot soldiers and recruiters, some of whom may be embedded in the fabric of the U.S. military. With the almost daily capture and killing of key handlers in Pakistan, it seems al-Qaida is being forced to communicate in a completely different way. Since so many couriers and foot soldiers are being rolled up, al-Qaida is relying on “electronic dead-drops,” says Army Reserve Lt. Col. Tony Shaffer, a former Defense Intelligence Agency officer.

When couriers get caught, so do key al-Qaida documents, plans and key communications. Shaffer says now al-Qaida is hiding their communications on the Internet. It’s not a new concept, but certainly one that’s gaining a lot of momentum since a growing number of critical commanders and operators have either been killed or arrested. How are these dead drops happening? “Steganography in photographs is a good example of a dead drop,” says Shaffer. In a nutshell, a dead drop in a photo involves embedding a message in a picture. .

I have been seeing some hits these last couple days on my “Leggo My Steggo” post from a while back. The post covered some of what I had been finding on jihadist sites with regard to alleged “Stegged Images” that I had been testing to see if they were indeed hiding data.

Thus far I have found images that seem to be stegged but I have yet to actually crack an image open and see the data hidden within. So, it’s kind of up in the air if any of the images I have found are in fact stegged. Anyone who wants to give it a shot feel free to copy the files out of the share in the link above.

Of course this whole article and the premise that the jihadis have had to change their methods of command and control is on the whole correct I think. However, I believe that they have been using dead drops for some time and not only because of the roll ups recently. This is just a good standard “tradecraft” practice that should be used when waging such campaigns. Hell, they probably learned it from us or the Brits in the first place… Well maybe the KGB too.

Now that they have also made much more of their online persona, I am also sure that they have been maximizing this type of technique not only with steg, but also with dead drop email accounts. All one has to do is create an account, share the password, and then just talk amongst yourselves with draft emails. No need to hit the send button there huh. Add to that the use of TOR and you have a pretty safe way to communicate.

What’d be even more secure would be a one time pad.. But, I really don’t see them passing out OTP’s to each jiahdi cell.

This reminds me of “Hacking A Terror Network” which has a story line based approach talking about this very scenario of Steg use. I have talked to the author online and shared my data. The problem of how to prove these methods of communication are myriad. So, it may be hard to prove this theory…

I guess I am gonna have to wash some more pictures, video, and audio through the steg detection software and see what I get…

CoB

Malware Stego With Proper English

with one comment

Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people’s computers is to use “code-injection” attacks, in which malicious computer code is delivered to and then run on victims’ machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

Though this is a hard exploit to pull off because of all the groundwork that needs to go into it, it is a novel approach for say, a nation state actor such as China to try huh? Of course they would have to work a bit harder at using English properly and not go for the pidgin English that they are known for now in coding sites and malware at times. Imagine just getting infected from a grammatically correct http page on the internet eh?

This exploit would be classic steganography though. Lets see if this exploit shows up somewhere in the future….

“English Shell Code”

Written by Krypt3ia

2009/11/28 at 12:48