Category Archives: Surveillance

Love False Positives – The Day The Bank Said I Bought A Heavy Machine Gun Online

On 15 November 2013 I made a wire transfer using Permanent TSB Open24, the bank's online banking service. For those of you who do not know, Permanent TSB is a retail bank that operates in the Republic of Ireland.

Worthy of note is that retail banking in the Republic is characterised by spectacular systems malfunctions, outages, IT meltdowns and downright thievery.

But that’s ok because the government of Ireland loves banks and they can really do, or not do (as is often the case), what they like without fear of sanction. Oh, and when they lose their shirts gambling with their customers’ money then the Irish tax payer gets to pay for it. But I digress.

When Kids Try To Be Adults

I first became aware of my international arms purchasing activities when I received a phone call on my cell phone from a private number. I answered and was greeted by what sounded like a teenage girl, who informed me that an intermediary bank, used by Permanent TSB for payments to South East Asia, had sent an email to the bank requesting information about an international payment that I had made a few days previously.

Before describing the contents of the email, the clearly worried banker (worried because she was talking to an international arms dealer who buys his weapons over the open internet; who needs the Dark Web?) stated that I had bought a heavy machine gun and that I had asked that it be mailed to the address of one of our corporate apartments in Dublin, Ireland. As you do.

The intermediary bank, she informed me, was CitiBank in Frankfurt. They had contacted the Treasury Department, who in turn were dealing directly with the beneficiary bank in Singapore, who were the first to flag the transaction.

The email read:

REDACTED REDACTED REDACTED REDACTED REDACTED 

The beneficiary Bank sent the below SWIFT message to our treasury department via CitiBank:

WE HAVE BEEN INFORMED THAT THE BENEFICIARY BANK IS UNABLE TO APPLY THIS PAYMENT AND STATES:

  1. PLEASE CONTACT REMITTER TO OBTAIN BELOW.
    1. WHAT DOES TMG REFER TO PER F70?
    2. WHAT DOES IT STAND FOR?
    3. WHAT IS ITS FULL FORM?
    4. IF IT REFERS TO AN ORGANIZATION, PLS OBTAIN THE FOLLOWING:
      1. FULL NAME.
      2. FULL PHYSICAL ADDRESS AND COUNTRY OF LOCATION.

I trust the above is in order.

Kind Regards,

REDACTED REDACTED

She informed me that the Bank could not facilitate international arms purchases and that law enforcement had been informed, including the police station local to the bank branch from which my transaction emanated, the Organised Crime Unit, and of course Security & Intelligence. The latter is the central point of contact for An Garda Síochána with all external agencies – both law enforcement and security/intelligence – with regard to international cooperation in the fight against terrorism and organised crime.

The Very Boring Reality

The transfer that caused this international “counter-terrorism / counter organised crime” flurry of activity between one local bank, two international banks and law enforcement in three countries was made by me to an organisation called SERVCORP.

SERVCORP is a company in SINGAPORE that provides a telephone answering service for my company TMG Corporate Services. The actual mandate for the transfer had been set up months previously by Permanent TSB themselves at the request of the TMG Corporate Services Accounts Department. The same payment had been made on several previous occasions.

The transfer, they said, was for the purchase of an automatic weapon, namely a BROWNING M2 Machine Gun, TMG F70.

And how had they come to this conclusion? Well, simply because the reference on the payment was TMGF70. The reference was TMGF70 because that was the reference used by SERVCORP on the invoice that they had issued for that month’s services.

“TMG” being an acronym for The Mediator Group and F70 some internal reference for SERVCORP.
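To show how a keyword screen over a free-text payment reference turns a recurring SGD 70 invoice into a weapons purchase, here is an added illustration in Python. It is not the bank's or the intermediary's screening logic, which this post does not describe; the term list, the earlier months' amounts and references (TMGF67 to TMGF69), and the thresholds are all assumptions. What it shows beyond the story above is what a tuned rule needs that the naive one lacks: the remitter-to-beneficiary history and the beneficiary's own reference pattern, so that a hit on an established mandate goes to an analyst for review rather than straight to a hold and a call to the police.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Payment:
    remitter: str
    beneficiary: str
    beneficiary_country: str
    currency: str
    amount: float
    reference: str  # free text, carried in SWIFT MT103 field 70


# Hypothetical term list for a weapons screen. The only entry the post supports is
# "TMG" being read as "heavy machine gun"; the other two are illustrative.
WEAPON_TERMS = ("TMG", "BROWNING", "MACHINE GUN")


def naive_screen(p: Payment) -> List[str]:
    """Case-insensitive substring match over the reference; fires on TMGF70."""
    ref = p.reference.upper()
    return [t for t in WEAPON_TERMS if t in ref]


def reference_shape(ref: str) -> str:
    """Collapse digit runs so TMGF68, TMGF69 and TMGF70 share one shape: TMGF#."""
    return re.sub(r"\d+", "#", ref.upper().replace(" ", ""))


def is_established_mandate(p: Payment, cleared: List[Payment],
                           min_prior: int = 2, tolerance: float = 0.25) -> bool:
    """True if this looks like a recurring payment that has cleared before: same
    remitter, beneficiary and currency, amount within tolerance of the prior
    average, and a reference following the pattern the beneficiary already uses."""
    prior = [h for h in cleared
             if (h.remitter, h.beneficiary, h.currency)
             == (p.remitter, p.beneficiary, p.currency)]
    if len(prior) < min_prior:
        return False
    avg = sum(h.amount for h in prior) / len(prior)
    if abs(p.amount - avg) > tolerance * avg:
        return False
    return reference_shape(p.reference) in {reference_shape(h.reference) for h in prior}


def tuned_screen(p: Payment, cleared: List[Payment]) -> Tuple[str, List[str]]:
    """Keep the keyword hit but route it by context:
    'clear'  - no hit;
    'review' - hit on an established mandate: an analyst looks at it;
    'hold'   - hit on a new or unusual relationship: stop and ask the remitter."""
    hits = naive_screen(p)
    if not hits:
        return "clear", hits
    if is_established_mandate(p, cleared):
        return "review", hits
    return "hold", hits


def make_history() -> List[Payment]:
    """Constructed sample data: the post gives SGD 70 and reference TMGF70 for the
    flagged payment; the earlier months' amounts and references are assumed."""
    return [Payment("TMG Corporate Services", "SERVCORP", "SG", "SGD", 70.0, f"TMGF{n}")
            for n in (67, 68, 69)]


if __name__ == "__main__":
    history = make_history()
    flagged = Payment("TMG Corporate Services", "SERVCORP", "SG", "SGD", 70.0, "TMGF70")
    print(naive_screen(flagged))            # ['TMG']
    print(tuned_screen(flagged, history))   # ('review', ['TMG'])
    print(tuned_screen(flagged, []))        # ('hold', ['TMG'])
```

The naive screen is what produced the phone call: a substring hit with no notion of who has been paying whom for months. The tuned screen still surfaces the hit (a genuine new counterparty with a weapons term in the reference is held), but an established mandate with a consistent amount and reference pattern is downgraded to review.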

The Browning M2

The Browning M2 is a belt-fed, air-cooled heavy machine gun (TMG) in calibre 12.7 × 99 mm NATO, designed by the American gun-maker John Browning at the end of World War I. The weapon has a maximum range of 7,500 metres and an effective range of 1,800 metres and can fire different types of ammunition: ball, armour-piercing, armour-piercing incendiary and tracer.

Here I am proudly modelling a “Ma Deuce” I managed to buy in the duty free shop at Heathrow Airport.

Ma Deuce

Bargain Hunter

What was even more impressive about my purchase was that I acquired this impressive weapon for SGD 70, or EUR 45.25 at today’s spot rate on XE.COM.

ENDS

The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies and VPNs, and even that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under the above headings has been compromised. Rather it means that the CIA’s OS-level capability – as seen on iOS and Android – lets it gain full control of the device and render any point-solution countermeasure moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.

ENDS

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra-low-light, Wi-Fi-enabled pin-hole snake camera in the right spot. One above each of the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to, and plenty of space behind, the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing when stationary in traffic, or better still hold it upright in front of or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke-by-keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is intact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any particular attack against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing; this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

“All uR devICE r belong 2 US”, Vault 7, Weeping Angel, the CIA & Your Samsung TV

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS.

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is its most emblematic realization.

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.

In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

ENDS

Extracted entirely from Vault 7: CIA Hacking Tools Revealed

Post-truth, Fake-news and Big Data – Killing In The Name Of

In spite of the best efforts of Big Data acolytes to paint Big Data sceptics as Luddites (and I have nothing against Luddites per se), the argument is babble, since the aged, brute-force and relatively unsophisticated approach to list creation and counting isn’t that new and isn’t that smart, and in many cases it certainly isn’t as uniquely cost-effective as it is touted to be either.

Moreover, it doesn’t even replace anyone with a machine – it just takes up time, money and patience – and worst of all, deflects attention away from more important initiatives and issues. So, no. Nothing to do with Luddites at all.

Nothing to do with ignorance of Big Data, nothing to do with clinging to the past, and, nothing to do with a refusal to embrace the new. It’s about pointing out amazing Big Data success stories that don’t deliver on their promise. It’s about calling bullshit on bullshit and the bombastic clowns who spread it.

Now, if there’s a cost-benefit advantage to be had, and the answer is Big Data technology, then one would simply use it. Naturally.

Source: Post-truth, Fake-news and Big Data

Is Kosinski “Tesla” to Nix’s “Marconi” for Big Data Psychographic Profiling?

Data Driven Democracy Where Opinions, Policies or Convictions Don’t Matter Just The Targeted Message on Facebook Dark Posts.

Cambridge Analytica (Steve Bannon, Board Member) owned by SCL (Strategic Communication Laboratories) – the self styled “premier election management agency” – and how they “helped” Trump, Farage, Brexit, Cruz, Ukraine, Nigeria, Nepal & Afghanistan influence outcomes using data modelling and psychographic profiling.

I had never heard of Mr. Kosinski until I read an article in Motherboard last week. The incredibly interesting read entitled The Data That Turned the World Upside Down was written by Hannes Grassegger and Mikael Krogerus, who work for Das Magazin, with additional research by Paul-Olivier Dehaye.

It discusses a series of intersections between the work of Mr. Kosinski, a vaguely sinister guy called Alexander James Ashburner Nix, CEO of Cambridge Analytica (board member Steve “Ahem” Bannon), and a seemingly innocuous chap called (in 2014) Aleksandr Kogan (now, quite unbelievably, known as Dr. Spectre (seriously)) with associations to a definitely sinister company called SCL, or Strategic Communication Laboratories, who describe themselves as “the premier election management agency”.

The main points are this, but I strongly recommend that you read the original article:

  1. Kosinski and fellow student David Stillwell use data from a Facebook application called MyPersonality, which Stillwell developed in 2007, to create models from “personality profile” data acquired from users who opt in to share their app answers with researchers. Kosinski and Stillwell are both doctoral candidates studying together at the Psychometrics Centre, Cambridge University;
  2. The MyPersonality app is an unexpected hit with millions of people submitting answers;
  3. They find that remarkably reliable deductions could be drawn from simple online actions. For example, men who “liked” the cosmetics brand MAC were slightly more likely to be gay; one of the best indicators for heterosexuality was “liking” Wu-Tang Clan. Followers of Lady Gaga were most probably extroverts, while those who “liked” philosophy tended to be introverts;
  4. In 2012, Kosinski proved that on the basis of an average of 68 Facebook “likes” by a user, it was possible to predict their skin color (with 95 percent accuracy), their sexual orientation (88 percent accuracy), and their affiliation to the Democratic or Republican party (85 percent);
  5. Kosinski continued to work on the models, and before long he was able to evaluate a person better than the average work colleague, merely on the basis of ten Facebook “likes.” Seventy “likes” were enough to outdo what a person’s friends knew, 150 what their parents knew, and 300 “likes” what their partner knew. More “likes” could even surpass what a person thought they knew about themselves;
  6. On the day that Kosinski published these findings, he received two phone calls. The threat of a lawsuit and a job offer. Both from Facebook;
  7. Around this time, in early 2014, Kosinski was approached by a young assistant professor in the psychology department called Aleksandr Kogan. He said he was inquiring on behalf of a company that was interested in Kosinski’s method, and wanted to access the MyPersonality database. Kogan wasn’t at liberty to reveal for what purpose; he was bound to secrecy;
  8. Kogan revealed the name of the company he was representing: SCL, or Strategic Communication Laboratories;
  9. Kosinski came to suspect that Kogan and a company that he had formed might have reproduced the Facebook “Likes”-based Big Five measurement tool in order to sell it to this election-influencing firm;
  10. Cambridge Analytica subsequently acted for Farage in the Brexit campaign and for Republican Ted Cruz; then they were hired by Trump;
  11. Cambridge Analytica buys personal data from a range of different sources, like land registries, automotive data, shopping data, bonus cards, club memberships, what magazines you read, what churches you attend. Nix displays the logos of globally active data brokers like Acxiom and Experian—in the US, almost all personal data is for sale. For example, if you want to know where Jewish women live, you can simply buy this information, phone numbers included. Now Cambridge Analytica aggregates this data with the electoral rolls of the Republican party and online data and calculates a Big Five personality profile. Digital footprints suddenly become real people with fears, needs, interests, and residential addresses;
  12. Trump’s striking inconsistencies, his much-criticized fickleness, and the resulting array of contradictory messages, suddenly turned out to be his great asset: a different message for every voter. The notion that Trump acted like a perfectly opportunistic algorithm following audience reactions is something the mathematician Cathy O’Neil observed in August 2016;
  13. Why did he behave like this?;
  14. “Pretty much every message that Trump put out was data-driven,” Alexander Nix remembers. On the day of the third presidential debate between Trump and Clinton, Trump’s team tested 175,000 different ad variations for his arguments, in order to find the right versions above all via Facebook. The messages differed for the most part only in microscopic details, in order to target the recipients in the optimal psychological way: different headings, colors, captions, with a photo or video. This fine-tuning reaches all the way down to the smallest groups, Nix explained in an interview with us. “We can address villages or apartment blocks in a targeted way. Even individuals.”;
  15. When did having an opinion or a conviction matter in a “data driven” democracy – it certainly did not seem to matter to Trump;
  16. In the Miami district of Little Haiti, for instance, Trump’s campaign provided inhabitants with news about the failure of the Clinton Foundation following the earthquake in Haiti, in order to keep them from voting for Hillary Clinton. This was one of the goals: to keep potential Clinton voters (which include wavering left-wingers, African-Americans, and young women) away from the ballot box, to “suppress” their vote, as one senior campaign official told Bloomberg in the weeks before the election. These “dark posts” – sponsored news-feed-style ads in Facebook timelines that can only be seen by users with specific profiles – seem to have been highly significant in Trump’s election;
  17. In a statement after the German publication of this article, a Cambridge Analytica spokesperson said, “Cambridge Analytica does not use data from Facebook. It has had no dealings with Dr. Michal Kosinski. It does not subcontract research. It does not use the same methodology. Psychographics was hardly used at all. Cambridge Analytica did not engage in efforts to discourage any Americans from casting their vote in the presidential election. Its efforts were solely directed towards increasing the number of voters in the election.”;
  18. Confusingly the Cambridge Analytica website states “Powered by smarter data modeling At Cambridge Analytica we use data modeling and psychographic profiling to grow audiences, identify key influencers, and connect with people in ways that move them to action. Our unique data sets and unparalleled modeling techniques help organizations across America build better relationships with their target audience across all media platforms.”

ENDS

Is Moxie Still An Anarchist, Are Farcebook Deliberately Hobbling WhatsApp & Does SIGNAL Leak?

Recently I wrote in a blog post “When The Privacy Advocate Becomes An Apologist For The Opponent” about the main stream media sponsored spat that had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

1. Is Moxie Still An Anarchist?

I said of Moxie Marlinspike that:

“When the advocates become apologists for the mainstream then they no longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not. In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.”

The blog post drew some comment on Peerlyst and elsewhere that took the debate in a number of different directions that I think are worthy of note. My personal belief is that WhatsApp is a worse app than most people will accept, and that Moxie’s stance also leads me to doubt the once unassailable position of Signal as a trustworthy option.

Peter Stone on Peerlyst commented that:

“Your assertion that Moxie fundamentally is no longer an anarchist when he sides with Zuck holds. And you’re right it matters that they made this design choice, and yes it can be a threat if you have Governments in your threat model. I cannot argue with you at all. My only point, and thanks for the mention, was that it wasn’t, as such, a backdoor.”

Conclusion: Moxie is not an anarchist

2. Are Farcebook Deliberately Hobbling WhatsApp?

This comment led me to ask:

“I agree with you Peter and my post is only expressing my view from the lens of being one of those “crypto geeks” that you and Dave Howe were discussing on the original thread. I accept all of the points that you both make about barriers to entry / usage and cost factors for “average” users in adopting escalating levels of security. But would you agree with the statement that:

“WhatsApp have made a design choice that can be exploited as a backdoor – the rest is semantics”?

Any takers?”

Boelter in his articles laments the fact that Farcebook, after being notified of the weakness in the “design-choices” that they had made for WhatsApp, still refused to take action.

This to me betrays an unwillingness to properly secure the platform for whatever reason and while I accept that a legitimate interim position between releases of a product is to state “it is good enough – for now – but lets see if we can make it even better” that does not seem to be what the Farcebook approach is to ongoing WhatsApp app hardening.

I really liked what Dave Howe had to say in reply to my original comment:

“I can agree totally on the first part of that. WhatsApp have made a design choice that can be exploited as a backdoor.

In fact, I would go further; WhatsApp have made a series of poor design choices which impact severely the security of the solution.

The first is that mail will be retransmitted without an option to block if a new device is added.

The second is that a new device can be added and, by default, this will be silently accepted by the system, and

The third is that the account holder has no reliable way to know a new device was added unless WhatsApp notify them – which of course for a TLA “listening tap” will not happen.

However, “the rest is semantics” I disagree with.

The impact of these poor choices is severe, but the solution is still better than it was before the protocol was added, and more importantly, now WhatsApp is aware of the mistake, it is in a position to fix it.

The detail is therefore important, and while a lot of crypto purists would class anything not a provable success as an abject failure, a more pragmatic security enthusiast will take any improvement as an improvement, and work to build on that platform.

Similarly, to a purist, a system is broken if, given a compute cube the size of the moon, you could break a message on average every thousand years or so – while a pragmatist would say “it’s good enough – for now – but let’s see if we can make it even better”

We need to push them to get better. If nothing else, this “backdoor” publicity put this in the public eye (only for Brexit and Trump to push it back under cover of course).

I have to wonder if there is some sort of instruction preventing them from doing so – I know they can insist on that in the UK now, but I wasn’t aware this was true in the US yet (See my blog post Silencing the Canary & The Key Powers & Reach of The IPA)

Solution is obvious though – increase user choice, and make it so they can turn that *off* if they want to, not off by default.

New device added? Have confirmation of new devices as an option.

Until confirmed, new messages will *not* be encoded to the new key, so you can email the old keyset asking if they really have added a new device.

Options can have “auto accept” “ask” and “deny” with the default set to “ask”.

Unacknowledged messages? Have that only resend if the new device is confirmed, and not until; that takes care of that problem too.

If users then choose to disable the “annoying popup” then that’s their choice, not something imposed on them by Farcebook.”
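As an added example of the policy Dave describes above (not this post’s own code, and not WhatsApp’s or Signal’s implementation): a sender-side handler for a contact’s identity-key change with the three options he lists, auto-accept, ask and deny, that never encrypts a queued message to a key the user has not confirmed. The contact names and key values are made up, and the cipher is a toy SHA-256 keystream from hashlib used only so that “which key was this message encrypted to” is observable; it is not a real cipher.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream. Demo only, so the caller can see which key
    was used; not a real cipher. Applying it twice with the same key decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Contact:
    name: str
    key: bytes                                   # identity key the user trusts now
    pending_key: Optional[bytes] = None          # announced, not yet confirmed
    outbox: List[bytes] = field(default_factory=list)              # undelivered plaintexts
    sent: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (key used, ciphertext)


class Messenger:
    """Policy for a contact's key change: 'auto' accepts it and re-sends queued
    mail to the new key (the behaviour objected to above), 'ask' holds the mail
    until the user confirms (the proposed default), 'deny' keeps the old key."""

    def __init__(self, policy: str = "ask"):
        if policy not in ("auto", "ask", "deny"):
            raise ValueError(policy)
        self.policy = policy
        self.events: List[Tuple[str, str]] = []

    def queue(self, c: Contact, plaintext: bytes) -> None:
        c.outbox.append(plaintext)

    def flush(self, c: Contact) -> int:
        """Encrypt queued messages and hand them to transport, but only to a
        trusted key: while a change awaits confirmation nothing leaves the outbox."""
        if c.pending_key is not None:
            return 0
        n = 0
        while c.outbox:
            m = c.outbox.pop(0)
            c.sent.append((c.key, toy_encrypt(c.key, m)))
            n += 1
        return n

    def key_changed(self, c: Contact, new_key: bytes) -> int:
        """Server announces a new identity key for the contact."""
        if self.policy == "auto":
            c.key = new_key
            self.events.append(("accepted", c.name))
            return self.flush(c)            # silent re-encryption to the new key
        if self.policy == "deny":
            self.events.append(("rejected", c.name))
            return 0                        # old key stays; nothing re-encrypted
        c.pending_key = new_key
        self.events.append(("ask", c.name))
        return 0                            # held until the user answers

    def confirm(self, c: Contact, accept: bool) -> int:
        """User's answer to the 'ask' prompt. Declining keeps the old key, so the
        queued mail only ever goes out under a key the user actually trusted."""
        if c.pending_key is None:
            return 0
        if accept:
            c.key = c.pending_key
        c.pending_key = None
        return self.flush(c)


def scenario(policy: str, user_accepts: bool = True):
    """A message is queued while the peer is offline, a key change arrives, the
    user answers any prompt, delivery is retried. Returns the keys the message
    was encrypted to and the events raised (constructed contact and keys)."""
    bob = Contact("bob", key=b"bob-old-key")
    mx = Messenger(policy)
    mx.queue(bob, b"meet at 9")
    mx.key_changed(bob, b"bob-new-key")
    mx.confirm(bob, user_accepts)
    mx.flush(bob)
    return [k for k, _ in bob.sent], mx.events


if __name__ == "__main__":
    for pol in ("auto", "ask", "deny"):
        print(pol, scenario(pol))
```

Under “auto” the queued message goes out under the new key without the user ever seeing a prompt, which is the retransmission Dave objects to. Under “ask” the outbox is frozen until the user answers, and under “deny” (or a declined prompt) the message is only ever encrypted to the old key, so a key substituted by whoever controls the server gets nothing.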

Aside from the poor “design choices” that are covered in “When The Privacy Advocate Becomes An Apologist For The Opponent” and above by Dave, here are a few more features of the SIGNAL app that WhatsApp chose not to include:

Ability To Password Protect The WhatsApp App

WhatsApp does not have any password system built into the app. WhatsApp say there are many apps in the Google Play store that provide that functionality, so just tag on a third-party app to make it even weaker.


“Disappearing Messages” Option in WhatsApp 

There is no “disappearing messages” option in WhatsApp.

Conclusion: Yes Farcebook are deliberately hobbling WhatsApp IMHO. Their reasons? I do not know but I do not accept “user experience” as a justification.

3. Does SIGNAL Leak? 

Would anyone care to comment on this statement regarding the signal app and “leakage”:

“Note that Open Whisper Systems, the makers of Signal, use other companies’ infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.”

Found in a post on the ELECTRONIC FRONTIER FOUNDATION’s Surveillance Self-Defense guide.

Conclusion: I don’t know

ENDS