How to be a better spy: Cyber security lessons from the recent Russian spy arrests
On Monday, a number of Russian nationals were arrested for espionage against the US [1]. With all the talk and attention paid to cyber spies, spear phishing, APT and new high-tech satellites and drones, it is almost refreshing to see that good old-fashioned human spies are still used and apparently found valuable. Skynet hasn't taken over quite yet. However, the story has a few neat cyber security lessons.
Lesson 1: Encrypt your Wifi
The spies evidently used WiFi networks to communicate. However, instead of all of them connecting to a particular access point, they established ad-hoc networks. This idea is interesting insofar as it does make remote surveillance of the connection a bit harder: the FBI had to have a listening post close by in order to intercept the connection. It appears the FBI parked close to coffee shops and similar places frequented by the spies in order to observe them meeting with their embassy contacts. The FBI was able to intercept the communication, and apparently used MAC addresses to track the participants. It is not clear whether any kind of encryption was used for the WiFi connection, but ad-hoc networking would only allow for WEP unless encrypted chat software is used.
As a "sub lesson" one may take away that, as a spy, you should change your MAC address to avoid tracking. But it is not clear whether this would have made a difference.
One neat side effect of this meeting method: the participants never had to acknowledge each other visibly.
Lesson 2: Keep your password secure
The FBI had already been following these spies for a while. A few years back, the FBI secretly searched the homes of some of the spies, copying various hard disks in the process. Small problem: the hard disk was encrypted. Luckily, an observant FBI agent noted a piece of paper during the search with a long number/letter combination. It turned out to be the password. This was critical: it allowed the agents not only to decrypt the hard disk, but on the decrypted disk they also found steganography software and other encryption tools, as well as lists of web sites used to exchange steganographic messages.
Lesson 3: Obscurity != Security
The spies to some extent used steganography to exchange messages. These messages were encoded into an image, and then uploaded to various web sites. As explained above, the FBI was able to obtain a list of these sites and the software used to encode the messages. However, at least according to some reports, the messages were not encrypted. Typically, if you want to do steganography right, first encrypt the message, then encode it in an image, in particular if you use standard software to perform your steganography. (Update: Some reports mention that the messages had been encrypted before encoding them into the images.)
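To make the "encrypt first, then encode" point concrete, here is an added example (not from the diary, and unrelated to the software the spies used): a minimal least-significant-bit embedder over a constructed pixel buffer, once with the raw message and once with the message encrypted first. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher so the block runs with the standard library only; the key, nonce, cover buffer and message are all constructed values.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed with the data.
    Illustrative only; real tooling would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte length prefix plus payload in the least significant bit of each cover byte."""
    msg = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload; this needs no key, only knowledge of the embedding scheme."""
    def read_bytes(count: int, offset: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (stego[offset + i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)

def demo() -> dict:
    # Constructed cover: a 4 KiB grayscale-like pixel buffer standing in for an image file.
    cover = bytes((i * 7) % 256 for i in range(4096))
    message = b"MEET AT CAFE 1900"
    key = hashlib.sha256(b"hypothetical shared secret").digest()  # constructed key
    nonce = b"\x00" * 12  # constructed; use a fresh random nonce per message in practice

    # Case 1: plaintext embedded directly. Anyone holding the extraction tool reads it.
    plain_extracted = extract_lsb(embed_lsb(cover, message))

    # Case 2: encrypt, then embed. Extraction without the key yields only ciphertext.
    enc_extracted = extract_lsb(embed_lsb(cover, keystream_xor(key, nonce, message)))
    decrypted = keystream_xor(key, nonce, enc_extracted)
    return {"plain_extracted": plain_extracted, "enc_extracted": enc_extracted, "decrypted": decrypted}
```

The same extraction routine recovers the message in case 1 and only opaque bytes in case 2, which is exactly the gap between obscurity and security that the lesson describes.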
Lesson 4: Perfect forward security
Perfect forward security is an important cryptographic concept. You never want to use an old password to encrypt the new password. If you do, once an attacker has figured out one password, they will be able to decrypt all future passwords. It appears that the spies frequently made arrangements about future meetings and communication protocols over insecure channels (like the ad-hoc WiFi). In some ways this may also be considered as relying on obscurity again.
[1] http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo062810a.htm
Various other news reports, for example:
http://www.cnn.com/2010/POLITICS/06/28/russian.spying.arrests/index.html?hpt=T1
http://www.guardian.co.uk/world/2010/jun/29/russian-spies-uk-irish-passports
http://www.dailymail.co.uk/news/worldnews/article-1290475/U-S-charges-Russian-spies-FBI-swoop-Cold-War-style-espionage-plot.html
http://www.nytimes.com/2010/06/30/world/europe/30spy.html?hp
http://www.theregister.co.uk/2010/06/29/spy_ring_tech/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
On the networking side, they should have limited communication to specific MACs only, or configured their iptables to filter inbound/outbound traffic.
For their internet access, they should have used tools like Sandboxie-> http://www.securitytube.net/Protecting-your-Browser-using-Sandboxie-video.aspx and anonymity sites.
My 2 cents
Yaggi
Jun 30th 2010