Tag: secret covert communications

  • CIA instructions for secure email communications leaked

    After the recent arrest of CIA officer Ryan Fogle by Russia's counter-intelligence agency, the Federal Security Service (FSB), one of the items found in his possession and leaked to the press was a letter advising his Russian informer how to conduct secure email communications. This post scrutinizes those instructions to work out why the CIA adopted these particular security measures.

    • CIA Tip 1: “To get back to us please use an Internet cafe that has Wi-fi”

    The CIA advises Wi-Fi so that the informer never uses somebody else's computer. On a public computer you accept monitoring by whoever administers it, you cannot know what surveillance software or malware is installed on it, and the data left behind, such as visited pages and composed emails, can be recovered from the browser cache years later.

    Using a café connection also means that if the informer's home Internet connection is under ISP surveillance with keyword filtering, the exchange never passes through it. The caveat is that the café network's operator can see the traffic instead, so the instructions still depend on the webmail session itself being encrypted.

    • CIA Tip 2: “Open a Gmail account which you will use exclusively to contact us” ; “As you register do not provide any personal info”

    They have the informer use an American email provider whose records the US government can reach if needed, and they make sure he is not careless enough to register with his real name, address or other small details that could be linked back to him, such as his phone number or a genuine recovery email address of his own.

    CIA secure email instructions for spies

    As a side note, there must be something good about Gmail's security, because former CIA Director, General David Petraeus, also chose a Gmail account for cheating on his wife last year. One thing I can think of is that Gmail's login runs over SSL, so the username and password cannot be captured on an insecure Wi-Fi network.

    • CIA Tip 3: Once you register send a message to unbacggdA@gmail.com: “In exactly one week, check this mailbox for a response from us”

    The CIA has the informer write to another Gmail address at the same provider, so the message content never has to cross the Internet from one provider to another: a Gmail-to-Gmail email is presumably never relayed over SMTP between mail servers and stays inside Google's infrastructure.

    The apparently random address the CIA uses makes it very unlikely that a similar one exists, so even if the informer makes a typo the email will not reach someone else by mistake; it should come back to his inbox as a delivery failure instead.

    • CIA Tip 4: “If you use a Netbook or any other device (i.e. tablet) to open the account at a coffee shop please don’t use a device with personal data on it”

    The CIA wants to avoid cross-contamination: if the tablet is lost, stolen or hacked and accessed without permission, a third party could link the email exchange to the informer's real job, exposing him as an American spy.

    • CIA Tip 5: “If possible buy a new device (paying in cash) which you will use to contact us”

    The best way to avoid mixing real-life data with clandestine activity is a dedicated device that is never used for anything else; this greatly reduces the chance of a mistake, and the device can be disposed of quickly if needed. Paying in cash also ensures the purchase cannot be traced through the informer's credit card: if he is investigated, someone going through his financial records could otherwise notice that he bought a new tablet which is nowhere to be found.

    Other spy items

    Other seized items shown to the press include a couple of wigs, three pairs of sunglasses and a baseball cap. All of those make facial recognition harder if the Russians run that kind of software on their CCTV network (public transport, street cameras, etc.) to automatically flag people of interest; the British government has trialled facial recognition on CCTV street cameras, and Germany is known to use it at Frankfurt international airport.

    Another interesting item found in his possession was an RFID shield that blocks reading of the RFID chips embedded in passports and ID cards. This suggests the CIA does not trust those chips: otherwise there would be no need to protect them from unauthorized reading.

    CIA money bundle 500 Euro bank notes

    Allegedly the CIA spy was also carrying a large bundle of €500 notes, which are ideal for smuggling cash and paying bribes. China, for example, caps its bank notes at small values (the largest is 100 yuan) to make bribery harder; carrying a very large sum in yuan would have required a box full of notes instead of a bundle. This could explain why the CIA chose to pay the informer's bribe in euros rather than dollars or Russian roubles.

    Computer-savvy people will wonder why encryption and proxies are not mentioned at all; I am guessing here that the CIA instructions are addressed to someone who is a total computer knob, so that even an old grandma could follow them.

    Read the full letter in the Washington Post article

  • Anonymous P2P encrypted messages with Bitmessage

    Bitmessage is an open source P2P program built on a Bitcoin-like protocol that, instead of moving money, delivers anonymous encrypted messages to one or many recipients at once. The application has a portable mode that needs no installation. Its keys are elliptic-curve keys on secp256k1, the same curve Bitcoin uses (early releases used 2048-bit RSA), stored in a plain-text keys.dat file that any text editor can open, so protecting that file is up to you; OpenSSL does the cryptographic work. Bitmessage's cryptic addresses closely resemble Bitcoin addresses, and because the key types are compatible, Bitmessage can take the other party's public key and print the corresponding Bitcoin address in the console, which can be used to send them money.

    Bitmessage sends data over its own P2P network. Nodes keep messages for two days before deleting them, and a new node joining the network downloads and rebroadcasts the pool of messages from the last two days. To discourage spam, the sender must spend CPU time on a proof of work for every message, modelled on the Hashcash anti-spam scheme and Bitcoin mining; the cost grows with the size of the message, and the protocol is designed so the difficulty can be scaled as needed. I sent a short text message to a friend and it only took a few seconds to process; a “Doing work necessary to send message” notice is displayed while you wait and your CPU works. I also subscribed to an open Bitmessage mailing list from the Subscriptions tab by simply adding the address “BM-BbkPSZbzPwpVcYZpU4yHwf9ZPEapN5Zx”.
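    To make the anti-spam mechanism concrete, here is an added example of my own (not code from the Bitmessage project) of a Hashcash-style proof of work in the shape Bitmessage uses as far as I know: a 64-bit nonce is prepended to the payload, and the first eight bytes of sha512(sha512(nonce || sha512(payload))) must not exceed a target that shrinks as the payload grows. The two difficulty constants are placeholders chosen so the example finishes in a fraction of a second; they are not the network's real parameters. The sample messages are constructed for the example.

```python
import hashlib
import struct

# Difficulty constants: PLACEHOLDERS chosen so the example runs quickly.
# Bitmessage's real network parameters are far higher; these are not the protocol's values.
NONCE_TRIALS_PER_BYTE = 20
PAYLOAD_LENGTH_EXTRA_BYTES = 100


def pow_target(payload: bytes) -> int:
    """Target the trial hash must not exceed.

    The denominator grows with the payload, so a long message costs proportionally
    more hashing; the per-message cost is what makes bulk spam expensive."""
    return 2 ** 64 // ((len(payload) + PAYLOAD_LENGTH_EXTRA_BYTES + 8) * NONCE_TRIALS_PER_BYTE)


def pow_trial(nonce: int, initial_hash: bytes) -> int:
    """One trial: first 8 bytes of sha512(sha512(nonce || sha512(payload))) as an integer."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + initial_hash).digest()
    return int.from_bytes(hashlib.sha512(inner).digest()[:8], "big")


def do_pow(payload: bytes) -> int:
    """Sender side: search nonces from zero upward until one satisfies the target."""
    target = pow_target(payload)
    initial_hash = hashlib.sha512(payload).digest()
    nonce = 0
    while pow_trial(nonce, initial_hash) > target:
        nonce += 1
    return nonce


def seal(payload: bytes) -> bytes:
    """Build the object a node would relay: 8-byte big-endian nonce followed by the payload."""
    return struct.pack(">Q", do_pow(payload)) + payload


def check_pow(obj: bytes) -> bool:
    """Receiver/relay side: one hash pair verifies what the sender spent thousands of trials on.

    A node drops any object that fails this check instead of relaying it."""
    if len(obj) < 8:
        return False
    nonce = struct.unpack(">Q", obj[:8])[0]
    payload = obj[8:]
    return pow_trial(nonce, hashlib.sha512(payload).digest()) <= pow_target(payload)


if __name__ == "__main__":
    # Constructed sample messages, not real Bitmessage traffic
    for msg in (b"meet at the usual place, 19:00", b"A" * 2000):
        obj = seal(msg)
        print(f"{len(msg):5d} bytes: nonce={obj[:8].hex()} valid={check_pow(obj)} "
              f"expected trials about {2 ** 64 // pow_target(msg)}")
```

    Because the difficulty is a function of the payload length, the 2000-byte message needs roughly fourteen times the work of the short one under these constants, while verification stays at two SHA-512 calls regardless of how long the sender searched.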

    Bitmessage anonymous encrypted messages

    Other tabs let you blacklist and whitelist addresses and add contacts to an address book, from which you can broadcast to everyone listed or pick a single contact; the tabbed layout makes Bitmessage intuitive to use. You can also change the default listening port (8444) and enter a SOCKS proxy in the network settings. Only key management was very primitive: it opened the Bitmessage keys in Notepad.

    You can create as many Bitmessage addresses as you like; creating and abandoning them is encouraged, and an “Identities” tab lets you manage and label them. Addresses can be generated from random numbers or from a passphrase (a “deterministic address”). A deterministic address can be recreated from memory on any computer without backing up keys.dat, as long as you remember the passphrase, the address version and the stream number; the flip side is that a weak passphrase can be brute-forced and your identity stolen, since anyone who guesses the passphrase regenerates the same keys. Deterministic addresses can also be made one or two characters shorter by spending a few extra minutes of computation. They are optional, and I believe the random cryptic addresses to be more secure for the paranoid.
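    The following is an added example of my own, not code from the Bitmessage project, showing how a deterministic address is built and why it can be recreated from a passphrase alone, why a weak passphrase hands the identity to anyone who guesses it, where the “shorter address” option comes from, and how the checksum catches a mistyped address. It also shows the secp256k1 keys the Bitcoin-compatibility note above refers to. The derivation (sha512 of passphrase plus a varint nonce for the signing and encryption keys, ripe hash of sha512 of both public keys, address = base58 of version, stream, ripe and a double-sha512 checksum) is the scheme as I understand it; the version and stream defaults are assumptions, RIPEMD-160 is replaced by truncated SHA-256 because hashlib lacks it on some OpenSSL 3 builds, and the passphrase is constructed for the example.

```python
import hashlib
from typing import Optional, Tuple

# secp256k1, the curve Bitmessage shares with Bitcoin: minimal affine arithmetic
P = 2 ** 256 - 2 ** 32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def ec_add(a: Point, b: Point) -> Point:
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:  # a == -b
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def ec_mul(k: int, pt: Point = G) -> Point:
    """Double-and-add scalar multiplication (not constant time; fine for an illustration)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def pubkey_bytes(priv: int) -> bytes:
    x, y = ec_mul(priv)  # uncompressed SEC1 form: 0x04 || X || Y
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def varint(n: int) -> bytes:
    """Bitmessage varint (big-endian, unlike Bitcoin's); 8-byte form not needed here."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "big")
    return b"\xfe" + n.to_bytes(4, "big")


def b58encode(data: bytes) -> str:
    num, out = int.from_bytes(data, "big"), bytearray()
    while num:
        num, rem = divmod(num, 58)
        out.append(B58[rem])
    return out[::-1].decode()


def b58decode(s: str) -> bytes:
    num = 0
    for ch in s.encode():
        num = num * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    return num.to_bytes((num.bit_length() + 7) // 8, "big")


def ripe160(data: bytes) -> bytes:
    # STAND-IN: Bitmessage uses RIPEMD-160 here. hashlib's RIPEMD-160 is absent on some
    # OpenSSL 3 builds, so this example truncates SHA-256 to 20 bytes; the structure is unchanged.
    return hashlib.sha256(data).digest()[:20]


def checksum(payload: bytes) -> bytes:
    return hashlib.sha512(hashlib.sha512(payload).digest()).digest()[:4]


def encode_address(version: int, stream: int, ripe: bytes) -> str:
    # Leading zero bytes of the ripe hash are dropped, which is why a ripe hash that
    # happens to start with 0x00 gives an address one or two characters shorter.
    payload = varint(version) + varint(stream) + ripe.lstrip(b"\x00")
    return "BM-" + b58encode(payload + checksum(payload))


def decode_address(addr: str) -> Tuple[int, int, bytes]:
    """Parse an address and verify it; raises ValueError on a typo. Assumes one-byte version/stream."""
    raw = b58decode(addr[3:] if addr.startswith("BM-") else addr)
    payload, cksum = raw[:-4], raw[-4:]
    if checksum(payload) != cksum:
        raise ValueError("address checksum mismatch")
    return payload[0], payload[1], payload[2:].rjust(20, b"\x00")


def deterministic_address(passphrase: str, version: int = 3, stream: int = 1,
                          shorter: bool = False, max_tries: int = 2000) -> Tuple[str, int, int]:
    """Derive (address, signing_priv, encryption_priv) from a passphrase alone.

    Keys are sha512(passphrase || varint(nonce)) for consecutive nonces; with shorter=True,
    nonces are tried until the ripe hash starts with a zero byte. Anyone who guesses the
    passphrase recreates the same keys, which is the brute-force risk of a weak passphrase."""
    nonce = 0
    for _ in range(max_tries):
        sign_priv = int.from_bytes(hashlib.sha512(passphrase.encode() + varint(nonce)).digest()[:32], "big") % N
        enc_priv = int.from_bytes(hashlib.sha512(passphrase.encode() + varint(nonce + 1)).digest()[:32], "big") % N
        nonce += 2  # a zero key is possible only with negligible probability; not handled here
        ripe = ripe160(hashlib.sha512(pubkey_bytes(sign_priv) + pubkey_bytes(enc_priv)).digest())
        if not shorter or ripe[0] == 0:
            return encode_address(version, stream, ripe), sign_priv, enc_priv
    raise RuntimeError("no short enough address found within max_tries")


if __name__ == "__main__":
    addr, _, _ = deterministic_address("correct horse battery staple")  # constructed passphrase
    print(addr, decode_address(addr)[:2])
```

    Running it twice with the same passphrase yields the same address and private keys, which is exactly the property that makes a dictionary-word passphrase dangerous; with shorter=True the loop burns extra work hunting for a ripe hash with a leading zero byte, and the checksum in decode_address is what turns a one-character typo into an error rather than a message to a stranger.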

    Bitmessage encrypted mailing list

    Bitmessages are encrypted first and then sent to a common message pool shared by all users, which hides who is talking to whom: every node receives every message, but only the holder of the destination address's private key can decrypt and read it. The program is designed to send text only, without attachments; I did not test it, but in theory a JPEG photograph could be sent. After erasing a message there is no trash can to retrieve it from, but it will still be present on your hard drive and can be viewed manually with a bit of work.

    I used Bitmessage with a VPN and did not experience any problem besides a coloured network status indicator that turned yellow, meaning my firewall or router could not forward incoming TCP connections. This is not a big problem; it only meant that my node was not relaying messages to other nodes on other people's behalf, but I could still send and receive them, and as long as someone in the network has the green network status, messages can be passed on between peers.

    Note: The software is currently a beta release in testing.

    Visit Bitmessage homepage