Johann's Blog

How To Get Secret Service Grade Security

You could be forgiven for thinking that spying is all about midnight parachute drops, Aston Martins and vodka martinis – shaken, not stirred. However, when you strip away all the fiction, spying can be reduced to one word: information.

Espionage is all about acquiring information, keeping it safe and transferring it securely. This makes spies and spying a valuable learning ground for anybody who takes PC and internet security seriously.

In this age of high-speed broadband and information overload, you might expect setting up a secure communications channel to be easy. You'd be wrong. Just look at the Russian agents – coyly dubbed 'illegals' by the FBI – who were unmasked in America this summer.

They all had rock-solid cover stories, wads of cash at their disposal and access to cutting-edge spy technology, yet they were unable to keep their messages safe from American counter-espionage teams. We can all become safer surfers by understanding the techniques and, more importantly, the errors made by real life spies.

Ciphers, for example, have been the mainstay of espionage for centuries. A cipher makes information useless unless you know how it works.

When in Rome

Julius Caesar is often cited as the first to use a mathematically-based system of obfuscation. His cipher system was simple: each letter in the alphabet was shifted forward a fixed number of places, wrapping round from Z back to A. A Caesar shift of three would turn 'A' into 'D' and 'PC Plus magazine' into 'SF SOXV PDJDCLQH'.

Even in Caesar's day, such a cipher probably wouldn't fox many people for long. There are only 25 possible shifts, so a computer can try every one of them in the blink of an eye, but that doesn't mean ciphers should be discounted. Modern ciphers have evolved to the point where the best known attacks would take so long that breaking them is simply not practical.
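To make the "blink of an eye" concrete, here is an added example (not code from the article) that implements the Caesar shift and then recovers the key by trying all 26 shifts and scoring each candidate against a small, constructed list of common English words. Output is upper case because the scorer ignores case; the word list is an assumption of this example, not anything the article describes.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed list of very common English words, used to score candidate plaintexts.
COMMON_WORDS = {"THE", "AND", "AT", "OF", "TO", "IN", "IS", "IT", "YOU", "THAT",
                "WAS", "FOR", "ON", "ARE", "WITH", "AS", "BE", "THIS", "HAVE", "FROM"}


def caesar(text, shift):
    """Shift every letter forward by `shift` places (wrapping Z back to A);
    anything that is not a letter passes through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def score_english(text):
    """Crude plaintext detector: how many words appear in the common-word list."""
    return sum(1 for w in text.split() if w.strip(".,;:!?'\"") in COMMON_WORDS)


def crack_caesar(ciphertext):
    """Try all 26 shifts and return (shift, score, plaintext) for the best one.
    With only 26 keys the whole keyspace is searched instantly."""
    best = None
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        s = score_english(candidate)
        if best is None or s > best[1]:
            best = (shift, s, candidate)
    return best


if __name__ == "__main__":
    print(caesar("PC Plus magazine", 3))          # SF SOXV PDJDCLQH
    ct = caesar("Meet the courier at the silent pond at midnight and bring the documents", 11)
    print(crack_caesar(ct))
```

The scorer is deliberately crude: for very short messages (the magazine's own 14-letter example, say) there may be too few common words to rank the shifts, and letter-frequency analysis would be the next step. The point stands either way: the key space is 25 shifts, so secrecy of the message rests entirely on nobody thinking to try them.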


Practically speaking, we should all use ciphers to encrypt sensitive data. A good choice for field agents is TrueCrypt, a free, open source disk encryption package for Windows, Mac OS X and Linux. It uses some of the strongest freely available encryption algorithms, such as AES-256, Serpent and Twofish (older releases also offered the 448-bit Blowfish, CAST5 and Triple DES).

To give you an idea of its resilience, hard drives protected by TrueCrypt and belonging to jailed Brazilian banker Daniel Dantas were handed to the FBI for decryption in 2009. After four months of subjecting the software to intense attacks, the FBI gave up and returned the drives.

TrueCrypt isn't just useful for creating a virtual encrypted disc on your computer; it can also protect portable drives. This makes it ideal for 'brush passes' – a way of quickly handing over information as one spy walks past another in a public place. The process used to involve microfilm, but now a high-capacity USB key is the preferred medium – possibly why the FBI also calls brush passes 'flash meetings'.

A TrueCrypt USB drive has several layers of security. When set up properly, a TrueCrypt volume looks like nothing but random data, so it can't be told apart from a drive that has simply been filled with random bytes. You can also place a further hidden volume, or even an entire hidden operating system, inside the free space of the first one, and from the outside there is no way to prove it exists. So even if someone forces you to reveal a password (damn Jack Bauer and his rusty pliers!), you hand over the one for the outer, decoy volume and the sensitive information stays in the hidden one.

Take care when encrypting your files though, warns Steven Bellovin, Professor of Computer Science at Columbia University in New York. "Commercial cryptography software is so difficult to use that even experts find it challenging," he says. "Even really sophisticated people can get some subtle things wrong, and newcomers are likely to get a lot more wrong." Such as leaving the password for your encryption system written on a piece of paper at home for the FBI to discover, as demonstrated by clumsy illegal Richard Murphy.

Wireless networks

Even brief physical interaction has risks. If either spy is under surveillance, they risk exposing more of their network. A 21st century twist on the brush pass, then, is the wireless flash meet.

In New York, Anna Chapman, one of the Russian illegals, would hang out at a cafe or book shop with a laptop and create an ad-hoc Wi-Fi network: a private hotspot that requires neither a router nor an internet connection. A Russian government official carrying a smartphone would then come within range, join the network and exchange data as zip files. The spy handler never entered the building, and once completed the meeting while driving past in a minivan.

Wireless networks have their own problems, though. Every wireless adaptor has a unique hardware identifier, its Media Access Control (MAC) address, which is sent in the clear in every Wi-Fi frame, even on an encrypted network. In Anna Chapman's case, US law enforcement agents were able to learn her laptop's MAC address. This enabled them to draw up a charge sheet showing that she'd visited certain places and joined ad-hoc networks, and to sniff packets sent from her laptop in busy public network areas such as coffee shops.

If you're paranoid, you can change your network adaptor's MAC address. The 48-bit address (12 hexadecimal digits) is burned into the adaptor's firmware, but every mainstream operating system lets you override it in software, and a quick search turns up plenty of tools that will spoof it for you. Bear in mind that the MAC is only one identifier: the hostname your laptop announces over DHCP and the network names it probes for can give you away just as easily.
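The two sides of the MAC address story, as an added example that is not from the article: generating a replacement address that is well-formed (the locally-administered bit set, the multicast bit clear, so it neither claims a real vendor's prefix nor looks malformed), and the defender's check that flags software-assigned addresses in a sniffer log. The sightings list is constructed sample data, and the Linux command in the comment is the standard `ip link` invocation, not something the article mentions.

```python
import os
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated) into six bytes, or raise."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(x, 16) for x in re.split(r"[:-]", mac))


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac):
    """Bit 1 of the first octet: set on addresses assigned in software rather than by the vendor."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """Bit 0 of the first octet: set on group addresses, never valid as a station's own address."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui(mac):
    """The first three octets identify the adaptor's manufacturer; this prefix is
    what a tracker correlates across sightings."""
    return format_mac(parse_mac(mac)[:3])


def random_local_mac():
    """A fresh random unicast address with the locally-administered bit set.
    Getting the two flag bits right matters: a multicast source address is
    malformed, and a random address claiming a real vendor's OUI stands out."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(raw)


def flag_spoofed(sightings):
    """Defender's view: split (mac, location) pairs from a sniffer log into
    burned-in and software-assigned addresses."""
    burned_in, software = [], []
    for mac, where in sightings:
        (software if is_locally_administered(mac) else burned_in).append((mac, where))
    return burned_in, software


# Constructed sample of sniffed frames (not real data).
SAMPLE_SIGHTINGS = [
    ("00:1b:63:04:5a:9e", "cafe, 42nd St"),
    ("02:9f:1c:7d:33:10", "book shop, Greenwich Village"),
    ("00:1b:63:04:5a:9e", "book shop, Greenwich Village"),
]

if __name__ == "__main__":
    new = random_local_mac()
    print("new address:", new, "OUI:", oui(new))
    # On Linux the change itself is:  ip link set dev wlan0 address <new>   (with wlan0 down)
    print(flag_spoofed(SAMPLE_SIGHTINGS))
```

Note that the same burned-in address appearing at two locations is exactly the correlation the charge sheet relied on, and that a locally-administered address is itself a signal: a sniffer that sees one can't name the vendor, but it can tell that someone is trying not to be tracked.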

What can we learn from all this? Never, under any circumstances, send anything of importance over a public network. There are too many points of failure: the passage of data between your laptop and the network's access point, the access point itself, and the traffic between the access point and the internet.

So Wi-Fi is iffy – what about the phone? Sadly, no self-respecting spy should consider it. In the UK, the Regulation of Investigatory Powers Act (RIPA) and the Data Retention Directive force phone companies to keep records of calls and texts for a year, and give wire-tapping rights to dozens of government departments.

In the US, the Windows-based DCS-5000 system combines point-and-click monitoring of voice calls with location-tracking via mobile phone towers, plus DVR-like recording and playback. It can be set up to eavesdrop and track any landline or mobile phone in the country within seconds.

Don't think you can rely on new smartphone security apps, either. Philip Zimmermann is a computer security guru and the creator of PGP (Pretty Good Privacy), the world's most widely used email encryption software. He says, "Mobile phone encryption only works up until the point where it hands over to the voice network. At some point, there's a gateway between the data and voice parts of the phone network, where a wiretap becomes possible."

Using voice over IP (VoIP) services may be more secure, but Steven Bellovin says it depends on which service you use: "A lot of VoIP products don't encrypt, even though it's in the [widely used] SIP standard. However, Skype uses very strong cryptography and the best thing is that people don't have to worry about it – it just works."


Zimmermann is more sceptical. "Skype encrypts, but we don't know how, so it's hard to evaluate the quality of the encryption," he told PC Plus. "I don't hear a lot of complaints from governments about their citizens using Skype. The oppressive governments around the world seem fairly happy with it." Which is as good a reason as any for spies to avoid it.

Zimmermann has his own solution: Zfone, an open source voice and video encryption program built on his ZRTP protocol, which works with SIP VoIP systems such as Google Talk and Apple iChat. When Zfone is running on two computers, they negotiate a strong encryption key between themselves with a Diffie-Hellman exchange. There are no long-term public keys, certificate authorities or trust models; instead, each side displays a short authentication string and the callers read it to each other, so a man in the middle who has relayed the exchange is caught out because the two strings won't match. When the call ends, the key is destroyed. A new version of the (free) Zfone software will be released shortly.
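The peer-to-peer key agreement described above, as an added example: this is a simplified illustration of the ZRTP idea, not Zfone's own code or the real ZRTP message format. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^127 - 1 with base 3, chosen only so the numbers fit in 16 bytes; real deployments use a standardised 3072-bit group or an elliptic curve) and derives a 4-character short authentication string from the shared secret and both public values. The honest call and the relayed (man-in-the-middle) call are both shown so you can see why the spoken string catches the relay.

```python
import base64
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (an assumption of this example).
P = (1 << 127) - 1
G = 3


def dh_keypair(priv=None):
    """Ephemeral key pair; pass priv only to make a run reproducible (as in tests)."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(secret, initiator_pub, responder_pub):
    """Short authentication string: 4 base32 characters derived from the shared
    secret and both public values *as this endpoint saw them*.  Both parties read
    theirs aloud; a mismatch means someone relayed the exchange."""
    h = hashlib.sha256(
        secret.to_bytes(16, "big")
        + initiator_pub.to_bytes(16, "big")
        + responder_pub.to_bytes(16, "big")
    ).digest()
    return base64.b32encode(h[:5]).decode()[:4]


def honest_call(priv_a=None, priv_b=None):
    """Alice and Bob exchange public values directly; returns (sas_alice, sas_bob)."""
    a, pub_a = dh_keypair(priv_a)
    b, pub_b = dh_keypair(priv_b)
    k_alice = dh_shared(a, pub_b)        # Alice's view of the shared key
    k_bob = dh_shared(b, pub_a)          # Bob's view: the same number
    return sas(k_alice, pub_a, pub_b), sas(k_bob, pub_a, pub_b)


def mitm_call(priv_a=None, priv_b=None, priv_m=None):
    """Mallory intercepts and substitutes her own public value in both directions.
    Each side now shares a key with Mallory, and their SAS values no longer agree."""
    a, pub_a = dh_keypair(priv_a)
    b, pub_b = dh_keypair(priv_b)
    m, pub_m = dh_keypair(priv_m)
    k_alice = dh_shared(a, pub_m)        # Alice believes pub_m came from Bob
    k_bob = dh_shared(b, pub_m)          # Bob believes pub_m came from Alice
    assert dh_shared(m, pub_a) == k_alice and dh_shared(m, pub_b) == k_bob  # Mallory reads both legs
    # Alice saw (pub_a, pub_m); Bob saw (pub_m, pub_b): different inputs, different strings.
    return sas(k_alice, pub_a, pub_m), sas(k_bob, pub_m, pub_b)


if __name__ == "__main__":
    print("honest:", honest_call())
    print("relayed:", mitm_call())
```

The string only helps if the two people actually compare it by voice, which is why the real protocol keeps it short enough to read out; with no certificate authority there is nothing else standing between you and a relay.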

Digital forest

Secure phone calls can be handy for arranging to meet 'the swift hawk by the silent pond at midnight' (pre-arranged pass-phrases help confirm who you're talking to), but they're less useful for passing on gigabytes of data. And if you're venturing into the digital world, the smart spy knows that the best place to hide a tree is in a forest.

Every day, three billion email accounts send and receive over 300 billion messages. Surprisingly, email is fairly secure according to Philip Zimmermann. "Even if you don't encrypt your mail, your mail server might encrypt it when it sends it to another mail server. The two servers can have an SSL (secure socket layer) connection between them – the same protocol your bank uses to communicate with your web browser." That protection is opportunistic, though: it only applies when both servers support it, and the message still sits unencrypted on each server and in each mailbox along the way.

You'll want to bump up security, perhaps with Zimmermann's own PGP, although this can be tricky to use. Hushmail removes the hassle, enabling you to send private emails via SSL to other Hushmail users – or even to normal email addresses using a question and answer combination.

"The best public scientific knowledge suggests that it would be impossible to decrypt our emails with current technology," explains Ben Cutler, CEO of Hush Communications. "However, it's likely that Hushmail messages have been intercepted by other means. For example, a customer doing human rights work in Eastern Europe reported certificate warnings when accessing our website. We determined that someone was trying to eavesdrop on the connection between his computer and Hushmail by proxying his computer's network traffic. Fortunately, he heeded the warning and avoided the attempt."

Of equal concern to secret agents should be Hushmail's willingness to deal with law enforcement. Hushmail has been forced on several occasions to hand over plain-text copies of emails, including those of US National Security Agency (NSA) whistleblower Thomas Drake. Ironically, Drake was intending to show reporters details of two failed NSA programmes, code-named Trailblazer and ThinThread, designed to check billions of phone calls, emails and chats for potential espionage and terrorist threats.

Another problem with encrypted emails is that they stick out like sore thumbs amid the sea of spam, automated messages and Facebook updates that comprise most email traffic. Professor Bellovin sums it up:

"If the FBI or MI6 see encrypted messages going from the US or the UK to known addresses in Moscow, they'll get suspicious and start investigating."

Hiding in plain sight

What a shy spy needs is a way of communicating with handlers without it even looking as though a message is being sent. And here's where things get really interesting, because the Russian illegals in America were all supplied with custom steganography software.

Steganography is the art of hiding not just the content of a message, but the existence of a message itself. The Russian software enabled the agents to insert a hidden file into an innocuous-looking image, such as a photo of Anna Chapman in a bikini. That image could then be attached to a normal, unencrypted email or even posted on a website for the world to see. Only its intended recipient would be able to extract and decrypt its payload.
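The image technique described above, as an added example that is neither the illegals' custom software nor code from the article: least-significant-bit steganography. A payload is written one bit at a time into the lowest bit of successive pixel samples, preceded by a 4-byte length, so no sample changes by more than one grey level. The "image" here is a constructed 64x64 greyscale gradient rather than a file on disk; a real tool would read the samples out of a PNG or BMP and, as the article says, encrypt the payload first, because anyone with the extractor can pull it out.

```python
def make_cover(width=64, height=64):
    """Constructed stand-in for an 8-bit greyscale image: a diagonal gradient."""
    return bytes(((x + y) * 255 // (width + height - 2)) & 0xFF
                 for y in range(height) for x in range(width))


def capacity_bytes(cover):
    """One payload bit per sample, less the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover, payload):
    """Write a 4-byte big-endian length followed by the payload into the least
    significant bit of successive samples.  Every sample changes by at most 1."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"cover holds at most {capacity_bytes(cover)} bytes")
    data = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    idx = 0
    for byte in data:
        for i in range(7, -1, -1):           # most significant bit first
            stego[idx] = (stego[idx] & 0xFE) | ((byte >> i) & 1)
            idx += 1
    return bytes(stego)


def _read(stego, start, n):
    """Reassemble n bytes from the LSBs of samples starting at index `start`."""
    out = bytearray()
    for b in range(n):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[start + b * 8 + i] & 1)
        out.append(v)
    return bytes(out)


def extract(stego):
    """Recover the payload.  A length that cannot fit is the first hint that
    the image carries nothing (or was re-encoded and the LSBs destroyed)."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the image: not a stego image?")
    return _read(stego, 32, length)


def max_sample_change(cover, stego):
    """How visible the embedding is: the largest per-sample difference."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the silent pond")
    print(extract(stego), max_sample_change(cover, stego))
```

Two practical caveats follow directly from the code: the channel is fragile, since any lossy re-save (a JPEG recompression by a web site, say) scrambles the low bits, and it is detectable, since embedding a random-looking payload flattens the statistics of the LSB plane in a way that steganalysis tools look for. That is the "as long as no one suspects its existence" condition the next paragraph raises.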

However, image steganography has its limitations. Steganographic communication only works as long as no one suspects its existence, and sending a large batch of stolen documents could mean a conspicuous series of photos flying back and forth to Moscow.

Forward-thinking spies should consider network steganography, where secret data is concealed in the ebb and flow of data online.

Elzbieta Zielinska is a researcher in the Network Security Group at the Warsaw University of Technology. Her team has succeeded in using VoIP services to hide a stream of steganographic secrets. "We've tested it and proved it to work," says Zielinska. "You can modify the delays between packets so that certain packets are dropped at the receiver. This might escape the attention of the people talking, but those dropped packets can carry just about anything."

The Warsaw researchers have found ways to inject steganographic information into everyday web traffic, potentially turning Flickr and Facebook into ultra-secure data channels. They even have a system called HICCUPS (Hidden Communication System for Corrupted Networks) that can embed concealed files in Wi-Fi networks by modifying wireless packets' checksum data.

Underground video

Surely tinkering with individual packets results in glacially slow bit-rates? Not so, says Zielinska. "We came up with the idea of using steganography at the physical layer of an Ethernet network, where packets are often padded out with zeroes," she says. "Introducing network steganography here gives data rates sufficient for a decent quality MPEG-4 video stream. There are no limitations." If only that were true.
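The padding channel Zielinska describes, as an added example that is not the Warsaw group's code: Ethernet pads any payload shorter than 46 bytes so that the frame reaches the 64-byte minimum, and an IP stack trusts the IP total-length field and never looks at the pad. So a sender can fill the pad with covert data while the overt packets arrive completely unchanged. This builds minimal IPv4 packets, spreads a length-prefixed message across the padding of several frames, and shows the receiver's parse alongside the one check a defender can make (padding that isn't all zeros). MAC and IP addresses are constructed, and the frames are built in memory rather than put on the wire.

```python
import struct

ETH_HDR_LEN = 14
MIN_PAYLOAD = 46          # 64-byte minimum frame minus 14-byte header and 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header):
    """Standard ones'-complement checksum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=17):
    """Minimal IPv4 packet (no options).  Only the total-length field matters here."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def padding_capacity(ip_packet):
    return max(0, MIN_PAYLOAD - len(ip_packet))


def build_frame(dst_mac, src_mac, ip_packet, covert=b""):
    """Ethernet frame without FCS.  Bytes in `covert` go where the driver would
    normally put zero padding; the rest of the pad stays zero."""
    n = padding_capacity(ip_packet)
    pad = (covert + b"\x00" * n)[:n]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet + pad


def send_covert(dst_mac, src_mac, overt_packets, covert):
    """Spread a length-prefixed covert message over the padding of ordinary packets."""
    stream = len(covert).to_bytes(2, "big") + covert
    frames = []
    for pkt in overt_packets:
        n = padding_capacity(pkt)
        frames.append(build_frame(dst_mac, src_mac, pkt, stream[:n]))
        stream = stream[n:]
    if stream:
        raise ValueError("not enough padding across these packets for the covert data")
    return frames


def parse_frame(frame):
    """What an ordinary IP stack does: trust the IP total-length field and ignore
    whatever follows it.  Returns (ip_packet, trailing_bytes)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    total_len = struct.unpack("!H", frame[16:18])[0]
    return frame[ETH_HDR_LEN:ETH_HDR_LEN + total_len], frame[ETH_HDR_LEN + total_len:]


def recv_covert(frames):
    stream = b"".join(parse_frame(f)[1] for f in frames)
    length = int.from_bytes(stream[:2], "big")
    return stream[2:2 + length]


def nonzero_padding(frame):
    """Detector's check: padding that is not all zeros deserves a second look."""
    return any(parse_frame(frame)[1])


if __name__ == "__main__":
    src_mac, dst_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    overt = [build_ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"ping") for _ in range(3)]
    frames = send_covert(dst_mac, src_mac, overt, b"drop at the queen's castle")
    print([len(f) for f in frames], recv_covert(frames), [nonzero_padding(f) for f in frames])
```

The capacity is small per frame (here 22 bytes of pad under a 24-byte packet) but the frames are indistinguishable to any layer above Ethernet, which is the attraction. It only works on a path where the padding survives: a router or NAT rebuilds the frame and re-pads with zeros, so this is a local-segment channel, not one that crosses the internet.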

The truth is that all 'secure' communications systems have one major limitation: you and your fellow secret agents. Any encryption technology is only ever as strong as its weakest user.

As Steven Bellovin says, "You don't go through strong cryptography – you go around it. If I want to read someone's email, I'm not going to try to break strong cryptography, I'm going to hack into their desktop and wait until they decrypt it."

Cutler admits that Hushmail users are rarely as reliable as his algorithms. "We've had people getting their passphrases stolen by Trojan horse programs, installed by users who are unaware of what they are or by computer viruses," he says.

Philip Zimmermann agrees. "Once a computer is compromised, all bets are off," he says. "Spyware can capture keystrokes while you type your pass-phrase or decrypt your key and send it to the mother ship. As long as you're using general purpose computers that can be used to download games, open attachments and visit porn sites, you're going to have this problem."

There's only one thing for it. Spies like us – and the hapless Russian illegals – are just going to have to disconnect from the grid, unplug our computers, break out the invisible ink and start studying cipher books. The condor will see you at the queen's castle.
