Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
Archives: 2012 - 2020

I picked up the new book Compromised last week and was intrigued to discover that it may have shed some light on a small (and rather esoteric) cryptologic and espionage mystery that I've been puzzling over for about 15 years. Compromised is primarily a memoir of former FBI counterintelligence agent Peter Strzok's investigation into Russian operations in the lead up to the 2016 presidential election, but this post is not a review of the book or concerned with that aspect of it.

Early in the book, as an almost throwaway bit of background color, Strzok discusses his work in Boston investigating the famous Russian "illegals" espionage network from 2000 until their arrest (and subsequent exchange with Russia) in 2010. "Illegals" are foreign agents operating abroad under false identities and without official or diplomatic cover. In this case, ten Russian illegals were living and working in the US under false Canadian and American identities. (The case inspired the recent TV series The Americans.)

Strzok was the case agent responsible for two of the suspects, Andrey Bezrukov and Elena Vavilova (posing as a Canadian couple under the aliases Donald Heathfield and Tracey Lee Ann Foley). The author recounts watching from the street on Thursday evenings as Vavilova received encrypted shortwave "numbers" transmissions in their Cambridge, MA apartment.

Given that Bezrukov and Vaviloa were indeed, as the FBI suspected, Russian spies, it's not surprising that they were sent messages from headquarters using this method; numbers stations are part of time-honored espionage tradecraft for communicating with covert agents. But their capture may have illustrated how subtle errors can cause these systems to fail badly in practice, even when the cryptography itself is sound.

You may have noticed that this blog, and my domain, is now at www.mattblaze.org. Twenty five years ago, back in 1993, I registered the name crypto.com, which I've used as my personal domain as well as to host a variety of cryptography technology and policy resources.

During that quarter century the "dotcom" era came and went, but for whatever reason, I held on to the domain as basically a personal home, a kind of Internet version of the little house increasingly enveloped by skyscrapers in Pixar's Up. (You kids can get off my lawn now, please.)

Cryptography has long been intertwined with difficult public policy issues, especially the balance between security of data on the one hand and law enforcement access for surveillance on the other. I've spent a good part of my career grappling with these issues, and remember "crypto" being misguidedly derided as some kind of criminal tool during the very time when we needed to be integrating strong security into the Internet's infrastructure. (That "debate", in the '90's, set back Internet security by at least a decade, and we're still paying the price in the form of regular data breaches, many of which could have been prevented had better security been built in across the stack in the first place.)

Somehow, the word "crypto" has recently acquired an alternative new meaning, as a somewhat unfortunate shorthand for digital currencies such as Bitcoin. I've been involved around the edges of digital currency since early on -- old timers in this space will remember that I once chaired the Financial Cryptography conference, where much of the foundational work toward practical digital money began.

I don't think conflating cryptography and digital currency will serve either field well in the long run, particularly as to how they're perceived by the public and policymakers. Surprisingly few of the important aspects of digital currency are directly related to its cryptographic components. Cryptography itself already attracts disproportionate attention for its potential as a tool for criminals and evildoers. Digital currency adds a completely different (but equally fraught) regulatory and policy morass into the equation. Still, there's no doubt that, at this moment in time, the two have become hopelessly intermixed, at least in the minds of the digital money people. That doesn't mean this won't end badly, but it's unarguably where we are right now.

Over the last few years, I've gotten a growing barrage of offers, many of which were obviously non-serious, but a few of which were, frankly, attention-getting, for the crypto.com domain. I shrugged most of them off, but it became increasingly clear that holding on to the domain was making less and less sense for me. I quietly entered discussion with a few serious potential buyers earlier this year.

Last month, I reached an agreement to sell the domain. I have no idea what the new owner plans to use it for beyond what I read in the trade press, and I have no financial stake in their business. The details will have to stay confidential, but I will say that I'm satisfied with the outcome and that it involved neither tulips nor international postal reply coupons.

It's been, I think, a pretty good run, as these things go. See you on the Internets.

This Monday, The Intercept broke the story of a leaked classified NSA report [pdf link] on an email-based attack on a various US election systems just before the 2016 US general election.

The NSA report, dated May 5, 2017, details what I would assume is only a small part of a more comprehensive investigation into Russian intelligence services' "cyber operations" to influence the US presidential race. The report analyzes several relatively small-scale targeted email operations that occurred in August and October of last year. One campaign used "spearphishing" techniques against employees of third-party election support vendors (which manage voter registration databases for county election offices). Another -- our focus here -- targeted 112 unidentified county election officials with "trojan horse" malware disguised inside plausibly innocuous-looking Microsoft Word attachments. The NSA report does not say whether these attacks were successful in compromising any county voting offices or what even what the malware actually tried to do.

Targeted phishing attacks and malware hidden in email attachments might not seem like the kind of high-tech spy tools we associate with sophisticated intelligence agencies like Russia's GRU. They're familiar annoyances to almost anyone with an email account. And yet they can serve as devastatingly effective entry points into even very sensitive systems and networks.

So what might an attacker -- particularly a state actor looking to disrupt an election -- accomplish with such low-tech attacks, should they have succeeded? Unfortunately, the possibilities are not comforting.

Encryption, it seems, at long last is winning. End-to-end encrypted communication systems are protecting more of our private communication than ever, making interception of sensitive content as it travels over (insecure) networks like the Internet less of a threat than it once was. All this is good news, unless you're in the business of intercepting sensitive content over networks. Denied access to network traffic, criminals and spies (whether on our side or theirs) will resort to other approaches to get access to data they seek. In practice, that often means exploiting security vulnerabilities in their targets' phones and computers to install surreptitious "spyware" that records conversations and text messages before they can be encrypted. In other words, wiretapping today increasingly involves hacking.

This, as you might imagine, is not without controversy.

Recall NGNR2000 DNR Recent news stories, notably this story in USA Today and this story in the Washington Post, have brought to light extensive use of "Stingray" devices and "tower dumps" by federal -- and local -- law enforcement agencies to track cellular telephones.

Just how how does all this tracking and interception technology work? There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it's all steeped in arcane surveillance jargon that's evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping methods actually are, how they work, and how they differ from one another.

Note that this post is concerned specifically with phone tracking as done by US domestic law enforcement agencies. Intelligence agencies engaged in bulk surveillance, such as the NSA, have different requirements, constraints, and resources, and generally use different techniques. For example, it was recently revealed that NSA has access to international phone "roaming" databases used by phone companies to route calls. The NSA apparently collects vast amounts of telephone "metadata" to discover hidden communications patterns, relationships, and behaviors across the world. There's also evidence of some data sharing to law enforcement from the intelligence side (see, for example, the DEA's "Hemisphere" program). But, as interesting and important as that is, it has little to do with the "retail" phone tracking techniques used by local law enforcement, and it's not our focus here.

Phone tracking by law enforcement agencies, in contrast to intelligence agencies, is intended to support investigations of specific crimes and to gather evidence for use in prosecutions. And so their interception technology -- and the underlying law -- is supposed to be focused on obtaining information about the communications of particular targets rather than of the population at large.

In all, there are six major distinct phone tracking and tapping methods used by investigators in the US: "call detail records requests", "pen register/trap and trace", "content wiretaps", "E911 pings", "tower dumps", and "Stingray/IMSI Catchers". Each reveals somewhat different information at different times, and each has its own legal implications. An agency might use any or all of them over the course of a given investigation. Let's take them one by one.

New Jersey was hit hard by Hurricane Sandy, and many parts of the state still lack electricity and basic infrastructure. Countless residents have been displaced, at least temporarily. And election day is on Tuesday.

There can be little doubt that many New Jerseyans, whether newly displaced or rendered homebound, who had originally intended to cast their votes at their normal neighborhood polling stations will be unable to do so next week. Unless some new flexible voting options are made available, many people will be disenfranchised, perhaps altering the outcome of races. There are compelling reasons for New Jersey officials to act quickly to create viable, flexible, secure and reliable voting options for their citizens in this emergency.

A few hours ago, Gov. Christie announced that voters unable to reach their normal polling places would be permitted to vote by electronic mail. The directive, outlined here [pdf], allows displaced registered voters to request a "mail in" ballot from their local county clerk by email. The voter can then return the ballot, along with a signed "waiver of secrecy" form, by email, to be counted as a regular ballot. (The process is based on one used for overseas and military voters, but on a larger scale and with a greatly accelerated timeframe.)

Does email voting make sense for New Jersey during this emergency? It's hard to say one way or the other without a lot more information than has been released so far about how the system will work and how it will be secured.