The Null Device

GQ's website has a detailed account of last year's assassination in Dubai of Hamas leader Mahmoud al-Mabhouh, almost certainly by an elite Mossad hit squad, and the investigation that nailed down what happened, written up by Ronen Bergman, an Israeli journalist who writes about intelligence operations (and is the author of The Secret War With Iran):

At 6:45 a.m., the first members of an Israeli hit squad land at Dubai International Airport and fan out through the city to await further instructions. Over the next nineteen hours, the rest of the team—at least twenty-seven members—will arrive on flights from Zurich, Rome, Paris, and Frankfurt. They have come to kill a man named Mahmoud Al-Mabhouh, a Hamas leader whose code name within the Mossad—the Israeli intelligence agency—is Plasma Screen.

Then, in 2002, Prime Minister Ariel Sharon tapped Dagan, a former military commander with a reputation for ruthless, brutal efficiency, to restore the spy agency to its former glory and preside over, as he put it, "a Mossad with a knife between its teeth." "Dagan's unique expertise," Sharon said in closed meetings, "is the separation of an Arab from his head."

The laughable attempts of the Mossad operatives to disguise their appearance made for good television coverage, but the more fundamental errors committed by the team had less to do with cloak-and-dagger disguises than with a kind of arrogance that seems to have pervaded the planning and execution of the mission.

¶ deception dubai espionage history israel 0

According to a US government report, for 18 minutes in April, 15% of global internet traffic was rerouted through a state-owned ISP in China. The report strongly hints that this may have been no accident, but a deliberate attempt by the Chinese government to capture and analyse internet traffic between entities in the US or elsewhere.

Dmitri Alperovitch, a threat research analyst at internet security firm McAfee, said the capture "is one of the biggest – if not the biggest hijacks – we have ever seen". "No one except China Telecom operators" know what happened to the traffic during those 18 minutes, Alperovitch added. "The possibilities are numerous and troubling, but definitive answers are unknown."

Meanwhile, further analysis of the Stuxnet malware (which, it was previously speculated, was designed to attack Iran's nuclear enrichment programme, possibly by the Israeli Mossad) have shown that its payload was designed to subtly degrade the quality of enriched uranium coming from centrifuges:

According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.

The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

¶ china espionage internet iran 0

In the US, the FBI recently arrested ten alleged Russian spies, who had been sent to the US in the 1990s, assuming American identities and attempting to befriend influential businessmen and weapons scientists. More details on the alleged spies (and more here); by all accounts, it seems that they weren't spectacularly successful at stealing secrets; one or two of them were better at milking their expense accounts, but others seemed to have lost the trust of their handlers; their tradecraft also seemed rather old-school, with the addition of a few new twists such as uploading data to surreptitious WiFi access points in cars. Meanwhile, David Wolstencroft, the creator of BBC spy series Spooks, describes the incident as Smiley's People with a laughtrack.

Some of the alleged spies took the cover of married couples; apparently they were paired up in Russia by their handlers and given their identities, before moving to America and actually having children together as part of their cover. The children are now in state custody, and their parents, should they end up in federal supermax prison or deported to Russia, are unlikely to see them again. I wonder whether hypothetical American sleeper agents abroad would go to quite that extent to maintain a cover or whether that degree of acceptance of individual sacrifice (both on the agents' part and that of the children brought into the world essentially as cover props) for a collective goal is specific to Russian culture.

Meanwhile, according to MI5, the number of Russian spies in London is up to cold war levels.

¶ deception espionage fail russia tradecraft usa 0

A 1978 article on how to identify a CIA agent under diplomatic cover; back then, it was fairly easy to do so by simple techniques such as looking at US embassy personnel records and seeing who hangs out with whom at diplomatic dos.

• The CIA usually has a separate set of offices in the Embassy, often with an exotic-looking cipher lock on the outside door. In Madrid, for example, a State Department source reports that the Agency occupied the whole sixth floor of the Embassy. About 30 people worked there; half were disguised as "Air Force personnel" and half as State "political officers." The source says that all the local Spanish employees knew who worked on what floor of the Embassy and that visitors could figure out the same thing.
• CIA personnel usually stick together. When they go to lunch or to a cocktail party or meet a plane from Washington, they are much more likely to go with each other than with legitimate diplomats. Once you have identified one, you can quickly figure out the rest.
• The CIA has a different health insurance plan from the State Department. The premium records, which are unclassified and usually available to local employees, are a dead giveaway.
• The Agency operative is taught early in training that loud background sounds interfere with bugging. You can be pretty sure the CIA man in the Embassy is the one who leaves his radio on all the time.

(via Schneier) ¶ cia deception espionage sousveillance surveillance tradecraft 0

A phone carrier in the United Arab Emirates recently pushed out a patch for BlackBerry handsets, which it advertised as a "performance enhancement", but which, on closer examination, turned out to contain a remotely activatable surveillance programme:

The spying program in the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.

¶ blackberry dubai espionage middle east mobile phones surveillance united arab emirates 3

Via Jim's blog, which I should really check more often: the New Yorker has an excellent article by John le Carré about how spies go mad.

(via Found) ¶ deception espionage mental illness psychology 0

Someone is sending pro-Tibet groups documents infected with keylogging malware, configured to send back keystrokes to a server in China. The documents are sent from addresses forged to resemble human rights groups, and purport to be details of Chinese massacres in Tibet and similar information.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.

(via Schneier) ¶ china cyberwar deception espionage malware security skulduggery tibet 2

Details of how the NSA hacked cryptography machines from Swiss company Crypto AG, inserting an undetectable security hole which allowed them to read the traffic of users (including Iranian government orders to assassins and terrorists including the Lockerbie bombers):

On the day of his assassination and one day before his body was found with his throat slit, the Teheran headquarters of the Iranian Intelligence Service, the VEVAK, transmitted a coded message to Iranian diplomatic missions in London, Paris, Bonn and Geneva. "Is Bakhtiar dead?" the message asked.

"Different countries need different levels of security. The United States and other leading Western countries required completely secure communications. Such security would not be appropriate for the Third World countries that were Crypto's customers," Boris Hagelin explained to the baffled engineer. "We have to do it."

Juerg Spoerndli left Crypto AG in 1994. He helped design the machines in the late '70s. "I was ordered to change algorithms under mysterious circumstances" to weaker machines," says Spoerndli who concluded that NSA was ordering the design change through German intermediaries.

The ownership of Crypto AG has been to a company in Liechtenstein, and from there back to a trust company in Munich. Crypto AG has been described as the secret daughter of Siemens but many believe that the real owner is the German government.

(via Schneier) ¶ assassination crypto ag cryptography deception espionage germany iran nsa siemens switzerland terrorism 0

Speculation has arisen about the US intelligence services deploying insect-sized surveillance drones after anti-war protesters reported seeing unusually large and odd-looking dragonflies at a demonstration:

"I'd never seen anything like it in my life," the Washington lawyer said. "They were large for dragonflies. I thought, 'Is that mechanical, or is that alive?' "

At the same time, he added, some details do not make sense. Three people at the D.C. event independently described a row of spheres, the size of small berries, attached along the tails of the big dragonflies -- an accoutrement that Louton could not explain. And all reported seeing at least three maneuvering in unison. "Dragonflies never fly in a pack," he said.

(If these things do exist, it's a good thing that America is immune to totalitarianism; imagine what, say, the Stasi or the Burmese junta would do with such technologies.)

Actually, the CIA/FBI may be a red herring. Has anybody asked Google about these bugs?

(via Engadget) ¶ espionage national security paranoia robotics security surveillance the long siege 1

Former Australian defense minister Kim Beazley has revealed that the Australian security services cracked US a defence code in the 1980s, to enable them to reprogram their US-built Hornet fighters to identify potentially hostile aircraft. The Hornets, you see, were shipped pre-programmed with the profiles of Warsaw Pact aircraft, of which there weren't many in the Asia/Pacific region, and thus would have been somewhat less than useful when faced with, say, Indonesian or New Zealand fighters. This setting was impossible to change without top secret codes, which the US promised to provide but somehow never came up with. Given that there's no consumer complaints commission that can order the return of jet fighters should they prove unfit for purpose, the Australians (which, presumably, means ASIO/ASIS/DSD) did the only thing they could: they spied on the Americans and stole the codes. What happened to whoever authorised the purchase of the aircraft without ensuring that they were fit for purpose is not known.

"In the end we spied on them and we extracted the codes ourselves and we got another radar that could identify (enemy planes).

Mr Beazley said the Americans knew what the Australians were doing and were intrigued by the progress they made.

(via /.) ¶ australia cryptography espionage military usa 0

The Iranian government claims to have captured 14 squirrels equipped with "spy gear", which had been released inside Iran by Zionist-crusader-infidel forces.

Assuming that this story is in fact true (as opposed to being disinformation, a hoax, or something like the man-eating badgers the British are releasing in Iraq), it makes one wonder exactly how the CIA/MI6/Mossad are tricking out these squirrels. Presumably they'd be surgically implanted with some sort of telemetry and communications equipment (a GPS receiver and radio transmitter, for example), along with a power source (which could be a battery, possibly coupled with something to generate power from the squirrel's metabolism or body heat). The devices may be passive, merely transmitting captured data, or they may be wired into the squirrel's brain, controlling its behaviour by stimulating reward centres (this has been successfully done with rats). Whether they could get useful data from the squirrels' visual/auditory cortices is another matter; implanting a microphone may be doable, but a camera would, I suspect, look rather conspicuous.

(via Engadget) ¶ cyborgs espionage iran squirrels tech 0

The FBI has revealed that they have recently used a suspect's mobile phone to monitor their (non-phone) conversation. Which means that either (a) the mobile phone standards (at least those used in the US) allow the operators to switch phones into always-on bug mode when needed (i.e., such a mode is part of the standards), or (b) the operators can silently replace the firmware on such a phone at will, adding hidden "features". The phones in question can serve as Big Brother's ears even when ostensibly powered off.

On the Slashdot discussion, a number of posters have claimed to have seen proof that government agencies have the means to activate mobile phones to act surreptitiously as bugs. (And if the FBI can do it, chances are that more ambiguous agencies can do it as well.) Meanwhile, others have pointed out that, even if this is the case, it's easy to detect if your phone is spying on you by either (a) keeping it near audio equipment that it interferes with when transmitting (hint: if it's causing interference whilst switched off, something's afoot), or (b) getting one of those cheap LED antenna attachments that flashes when exposed to RF signals. And here is a guide on how to tell if your phone is surreptitiously spying on you.

(via /., jwz) ¶ espionage phone surveillance tech 0

While the spooks have their hands full keeping tabs on a terrifying proliferation of terrorists and extremists, they apparently have some help from a shadowy unofficial organisation named Vigil, comprised of retired intelligence personnel, amateur sleuths and other interested parties:

The group's director Dominic Whiteman said he set up Vigil with two other businessmen last year to act as an interface between retired spies who were still party to good, raw intelligence, and the police and security services. "This evidence was just getting lost in the system," Whiteman said in a telephone interview.

Sixty per cent of Vigil's work involves gaining information via the internet, by infiltrating online chatrooms, while the remainder is face-to-face or telephone work. The information gleaned is passed on to authorities like the US Federal Bureau of Investigation, the New York Intelligence Unit and British police's Counter Terrorism Command (CTC).

A CTC spokeswoman said the group was treated seriously.

One member of Vigil is credited with helping bring about the conviction of cleric Hamza, jailed in London in February for inciting racial hatred and soliciting murder, and wanted in the United States on terrorism charges.

Whiteman said a very trusted contact who had a "key security role in the UK" had revealed that 70 per cent of information given in a daily briefing to President Bush by US intelligence chief John Negroponte centred on the British capital.

¶ espionage intelligence intrigue london terrorism vigil 0

Former Russian spy turned defector Alexander Litvinenko has died in a London hospital, having been mysteriously poisoned. The authorities still don't know what substance was used to kill him, though thallium and radioactive agents were both suspected. The Russian secret services have denied poisoning him (though they of course would). Some are pointing the finger at Russian President Putin, an ex-KGB man, whose government Litvinenko had criticised.

¶ assassination espionage poison russia uk 0

After alleged British spies were caught in Russia using a wireless receiver hidden inside a rock to communicate with recruits (though it has been suggested that the story was partly if not wholly made up by Russian government agencies to justify a crackdown on non-government organisations), security guru Bruce Schneier's blog discusses the possibility of wireless "dead drops"; and, if anything, there would be less easily detectable ways of doing it than hiding a device in a rock:

Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won't be at all unusual.

To keep the counterespionage people from wiretapping the hotspot's ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.

Replace one access point at a support provider for Starbucks and then have someone figure out which one it is after it's up. Use an asic mac filter to send traffic to a special part of the access point itself.

Port knocking on that dangling PC. The PC stays in stealth mode and only replies (briefly) when knocked upon.

Even better, how about hacking one's wireless configuration manager to hide the contraband data in unused header fields, passing it to a similarly hacked access point that would be an otherwise functional dead end. The spy's laptop wifi antenna could be accidentally left activated and innocently trying to associate with whatever WAP it sees (like my wife's does in our neighborhood). Hit the right WAP(s) and the data is passed.

All that spam you get in your in-box is merely steganography. The word "viagra" isn't mis-spelled to get around the spam filters, it's a complicated encoding allowing the spammers and their prospective recipients to exchange messages without anyone suspecting that there are people who want the message in the message. That's why spammers don't care if they send it to people who don't want it, their goal is to make people think of their communications as discardable trash, rather than something that may have a value.

(via schneier) ¶ bruce schneier espionage security spam tradecraft 0

A fascinating article from the CIA describing, in some detail, the working career of a spy in the Soviet Union, from his volunteering to help the US in the late 1970s, through his delivery of key details of Soviet aircraft technology, and ultimately to his arrest in 1985 (he was subsequently found guilty of high treason and executed), and describing points of tradecraft such as methods of covert communication under the noses of the KGB, as well as mundane details of his daily life and psychological motivations:

Another technique that was used to defeat KGB surveillance was to disguise the identity of the case officer being sent out to meet with Tolkachev. This technique was first used in this operation in June 1980. John Guilsher drove to the US Embassy building at about 7:20 p.m., ostensibly having been invited to dinner at the apartment of an Embassy officer who lived there. Once inside, he disguised himself so that when he later left the compound in another vehicle, he would not be recognized by KGB surveillants waiting outside. Checking to ensure that he was free of surveillance, Guilsher, while still in the vehicle, changed out of his western clothes and made himself look as much as possible like a typical, working-class Russian by putting on a Russian hat and working-class clothes, taking a heavy dose of garlic, and splashing some vodka on himself. Guilsher then left his vehicle and proceeded on foot and by local public transportation to a public phone booth, where he called the agent out for a meeting at a prearranged site.

The periodically heavy KGB surveillance on various case officers, often without any apparent logic, did, however, force the CIA to become more creative in its personal-meeting tradecraft. A new countersurveillance technique that was used for this operation involved what was called a "Jack-in-the-Box" (JIB). A JIB (a popup device made to look like the upper half of a person) allowed a case officer to make a meeting with an agent even while under vehicular surveillance.

Typically, a JIB would be smuggled into a car disguised as a large package or the like. Subsequently Tolkachev's case officer and other station personnel would set out in the car many hours before a planned meeting with the agent. Following a preplanned route, the driver at some point would make a series of turns designed to provide a brief period when the trailing surveillance car would lose sight of the car containing the case officer and other CIA personnel. After one of these turns, Tolkachev's case officer would jump from the slowly moving vehicle, at which time the driver would activate the JIB. The JIB would give the appearance to any trailing surveillance team of being the missing case officer. The car would then continue its route, eventually arriving at a given destination, usually the home of one of the other CIA personnel in the car. The JIB, again concealed in a large package, would then be removed from the car.

One of Tolkachev's former case officers recalls that Tolkachev would periodically brainstorm on the subject, suggesting wildly improbable scenarios, such as having the CIA fly a specially made light aircraft into a rural area of the Soviet Union, where Tolkachev and his family could be picked up. When discussing that particular possibility, he noted that the only problem might be that such an aircraft designed to evade Soviet aircraft detection systems might have trouble accommodating his wife, due to her weight!

(via Schneier) ¶ cia cold war espionage kgb russia tradecraft 1

MI5 is warning British tourists to watch out for foreign spies when travelling abroad, or when returning from abroad:

The advice warns: "Lavish hospitality, flattery and the 'red carpet' treatment are used by some intelligence services to soften up a target for recruitment who may then feel obliged to co-operate rather than offend the hosts."

MI5 also urges sunseekers to be careful about holiday romances, as having sex with a stranger could make them vulnerable to blackmail. Tourists might also think twice about discussing national security within earshot of hotel staff or taxi drivers who in some countries are required to report to the local security service.

Holidaymakers are even being told to be alert on their return to Britain. MI5 has compiled a list of warning signals that could indicate a foreign intelligence service is "cultivating" them. They should consider contacting the police or their company's security co-ordinator if they come across people who prefer to meet face-to-face, want to become friends, or ask personal questions.

¶ espionage mi5 paranoia uk 0

Telephone tapping devices found in EU building, specifically the French and German offices. French newspaper Le Figaro blaims the Yanqui imperialists; though don't they have Echelon to do all that for them without an incriminating bugging device? Perhaps the bugs were intended to be found, as an intimidation ploy of some sort?

¶ espionage eu france germany surveillance 0

You can now download MP3s of the Conet Project (that's the 4CD set of recordings of "numbers stations" from the Cold War). The original set was quite expensive ($150 or so at Synæsthesia, I think) and apparently is now out of print (there are rumours that the FBI/MI5/ASIO/whoever went and bought up all outstanding copies shortly after 9/11); but you can now find what looks like all of it in glorious MP3. Enjoy. (via The Fix)

¶ conet project espionage mp3s mysteries numbers stations 2

What does an intelligence agency do to improve its public image? Germany's federal intelligence service, the BND, is opening a shop selling clothing and merchandise bearing its logo. As well as the usual T-shirts and calendars, the merchandise includes underwear bearing inscriptions such as Verschlusssache ("Classified") and Streng Geheim ("Top Secret"), as well as the agency's logo.

¶ bnd branding espionage germany merchandising 3

A former spy claims that Anthony Burgess' most famous novel, A Clockwork Orange was inspired by his work with the CIA; the "Ludovico technique", and the use of images to trigger emotional responses for Skinnerian conditioning, was based on top-secret trials of a mind-control technique, and the Russian-based slang used by Alex and his droogs comes from Burgess' dealing with secret agents. Apparently the location of Fort Bliss, a US military base used in mind-control research, is encoded fnord in writing on Alex's bedroom wall. (via Unknown News)

¶ a clockwork orange anthony burgess cia espionage mind-control 0

Several Britons arrested for spying near a military airfield in Greece may have been practitioners of a quaint British hobby: plane spotting:

"I've never seen doctors or judges train spotting," says Mr Richardson, "but people from the highest ranks and best professions spot planes."

¶ espionage plane spotting 0

And while we're on the subject of US spy agencies, The tree at the CIA's Christmas party is apparently quite a sight to see, festooned with ornaments designed in the agency's spy-gadget labs.

A dragonfly ornament's wings move at hummingbird speed when the tree lights are clear. The wings are made of sheer material that could be used to construct a microphone that would be almost impossible to detect... And if you put on a pair of special cardboard glasses, the words "happy holidays" appear dancing around the star, showing off a way to conceal messages.

One straggler with perky short brown hair and black-frame glasses snapped into a sandy-haired corporate type by shedding her disguise. Agents in the field can don a new look in two minutes, she said.

Myself, I wouldn't mind some of those compact speakers that can produce the sound equivalent of a 50-foot woofer.

¶ christmas cia espionage fun tech 0