How NSA targeted chancellor Merkel's mobile phone

Last week, the German weekly Der Spiegel revealed that NSA intercepted the mobile phone of the German chancellor Angela Merkel. Although most details were not known yet, the fact itself caused a severe crisis in the relationship between the United States and Germany.

Meanwhile, the original NSA targeting record containing chancellor Merkel's phone number has been published. One of the entries refers to a document about the NSA's SYNAPSE data model, which was disclosed earlier and provides us with a context for the targeting record. Finally, an impression of how the interception could have been conducted is given by a picture of the SCS interception equipment, which is presumably located in the US embassy in Berlin.



The NSA targeting record

The NSA document mentioning Merkel's phone number was published in the print editions of several German newspapers, but the tabloid paper BILD made a scan for their website:

Acoording to Der Spiegel, this document apparently comes from an NSA database in which the agency records its targets. This could be a database codenamed OCTAVE, which is used for tasking telephony targets. This record has the following entries:

- SelectorType: a selector is the intelligence term for a name or a number that identifies an espionage target. This line says the type of the selector is PUBLIC DIRECTORY NUM[ber]

- SynapseSelectorTypeID: this designator, SYN_0044, refers to the SYNAPSE Data Model (see below).

- SelectorValue: here's the actual phone number of Merkel. In the print edition of the magazine we can see this phone number written as +49173-XXXXXXX. The country code for Germany (+49) is followed by the prefix code for mobile phone numbers from Vodafone (0173). According to Der Spiegel this is the number of Merkel's cell phone which was provided by her political party and which is the one she uses most to communicate with party members, ministers and confidants, often by text message. It's is just an ordinary cell phone without any security features, and therefore an easy target for intelligence agencies like NSA. It means that her official secure mobile phone wasn't targeted nor compromised.

- Realm: according to Der Spiegel, this field determines the format.

- RealmName: the name of the format, in this case 'rawPhoneNumber'

- Subscriber: GE CHANCELLOR MERKEL. As Angela Merkel wasn't yet chancellor when the surveillance started in 2002, either this entry or the whole record must have been updated after she became chancellor in November 2005.

- Ropi: stands for Responsible Office of Primary Interest, an NSA unit that selects which targets should be monitored. In this case it's S2C32, the European branch of the so-called Product Line for International Security Issues.

- NSRL: stands for National SIGINT Requirements List, which is a daily updated compendium of the tasks, and the priority of those tasks, given to the various Signals Intelligence collection units around the world. 2002-388* indicates that this target was set in 2002, when Angela Merkel was head of the Christian democratic party CDU. Then Bundeskanzler Gerhard Schröder refused to join the US in the war against Iraq, so the US government could have been interested in knowing the position of his main political opponent.

- Status: A, which stands for Active. Der Spiegel says this status was valid a few weeks before President Obama’s Berlin visit in June 2013.

- Topi: stands for Target Office of Primary Interest. According to an NSA document, TOPIs are part of the Analysis & Production division, but Der Spiegel says these are units which are doing the actual interception. In this case, the TOPI is designated F666E, where F6 stands for the joint NSA/CIA Special Collection Service (SCS), which performs eavesdropping actions from inside US embassies in foreign capitals. 66E might then be (a part of) the SCS unit based in the US embassy in Berlin.

- Zip: this Zip code, 166E, is a distribution code for the OCTAVE tasking database (see below).

- Country Name: left blank, apparently the country code below was sufficient.

- CountryCode: which is GE for Germany


An interesting question is how Edward Snowden obtained this database record. Is it part of an NSA document for internal education or presentation purposes, or did he made a copy from the database itself? And if so, are there (many) more of these tasking records in his collection?

A targeting record like this marks the starting point of NSA's collection process. Because of that we know nothing about the follow up, except for the involvement of SCS unit F666E. Therefore, we have no indication about what form of surveillance has taken place: were only metadata gathered or also conversations recorded and text messages stored? And was this continuously, or (given the presumably small number of German linguists) only when there was a more specific need for information ?



The SYNAPSE data model

As we have seen, the second entry of the targeting record refers to SYNAPSE, which is some kind of data model used by NSA to analyze connections of foreign intelligence targets. A slide from a powerpoint presentation about this model was published by the New York Times on September 29, 2013. Note that the title has a huge spelling error as it reads SYANPSE instead of SYNAPSE:

SYNAPSE slide as published in the print edition of the NY Times
(scan by Cryptome - click for a bigger version)

The slide shows a rather complex diagram of all elements involved in examining the communications of a target. We will go through this diagram from top to bottom:

First we see a target, like a person or an organization, mentioned as "agent". These agents are designated by a name and identified by a NIC, which could stand for something like National Identification Card. 'Paki' could be a database for these ID numbers. The agents (targets) themselves are registered in TKB, which stands for Target Knowledge Base.

Agents use various devices, identified by designators like an e-mail or an IP address, a phone number or an IMEI, IMSI, IMN, RHIN or FHIN number (not clear what the last three stand for). The designations of these devices and the connections between them are collected in MAINWAY, which is NSA's main database for bulk telephone metadata.

The designators of the devices used by an agent/target get a 'Subscriber ID' for the OCTAVE database and are listed in the OCTAVE Tasked List. They also get a 'ShareableName' for the Unified Targeting Tool (UTT) to be listed in the UTT Active List. The designators are also labeled with UTT categories and OCTAVE Zip Codes.

Bottom right we see the Responsible Office of Primary Interest (ROPI) which somehow seems to manage the designators, maybe because these are the offices where Tasking takes place, which means selecting the targets to be monitored. Device designators (like phone numbers) of which the communications have to be collected are called Selectors.

Finally, the designators are referenced in the SIGINT Product Reports (blue dot) and the Intelligence Community (IC) Product Reports (red dot) which are released by the various Target Offices of Primary Interest (TOPI). LEXHOUND could be a database for these reports.

As the diagram shows pictures of a personal computer, but OCTAVE and MAINWAY are for telephony data, it seems the whole process is meant for both internet and telephony data.



The SCS interception equipment

Except for the targeting record, there is no information about how exactly NSA intercepted Merkel's phone, but there are some strong indications. In Berlin, Vodafone mostly uses microwave transmissions on its mobile network and intelligence agencies can intercepted these without much effort.

To show how this could have taken place, Der Spiegel published a slide from a presentation of the Special Collection Service (SCS) showing pictures of an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. This unit can apparently intercept cell phone signals while simultaneously locating people of interest.

In Berlin, the SCS unit operates from inside the US embassy, which is in a building next to the famous Brandenburger Tor. It was opened on July 4, 2008 - in the presence of chancellor Merkel. Before, the US embassy was in a 19th century building in the Neustädtischen Kirchstraße. The spying equipment of the SCS unit is likely to be on the roof of the building, in a structure with conceiled windows:

(photo: Christian Thiel/Der Spiegel)

According to investigative journalist Duncan Campbell, who revealed the existence of the ECHELON system, these windows are covered by special dielectric (insulating) panels, that allow radio waves to pass through and be intercepted, while blocking visible light and concealing the interception equipment behind it.

This equipment usually consists of antenna, dishes or arrays which can collect every type of wireless communications on all available wavelengths. On the opposite side of the embassy's rooftop stucture there's a similar conceiled window right at the corner. With these corner windows on both sides, SCS can catch signals from all directions:

(photo through Dailyphotostream.blogspot.com)

On German television, the US embassador to Germany said that on the embassy's roof there's rather ordinary communications equipment, to stay in touch with Washington and other US embassies around the world. The embassy wouldn't let reporters and politicians in to take a look inside the rooftop structure, probably also because only people with the proper security clearance are allowed to enter these areas.

Because the targeting record clearly mentions unit F666E, it's most likely that chancellor Merkel's cell phone was intercepted by SCS from inside the US embassy. But as her phone uses the Vodafone network, it's also possible that NSA has some kind of backdoor access to this cellular network. Vodafone is a British company and at least NSA's British counterpart GCHQ has an arrangement with this company for tapping undersea fiber optic cables.

It is supposed that data gathered by the various SCS embassy units are send to the SCS headquarters at the joint CIA/NSA facility in College Park, Maryland, through an SCS communications hub, which is at the US Air Force base in Croughton, Northamptonshire, England.

Infrared images taken by the German television station ARD showed that behind the windows there was heat producing (electronic) equipment. But shortly after the eavesdropping came out publicly, the heat signature dropped dramatically. This seems to indicate that the spying facility has been shut down for the time being.



Ending the interception

Apparently, NSA started bugging chancellor Merkel upon intelligence requests from the State Department, according to two anonymous US government officials. The phone number of Angela Merkel was finally removed from the NSA's target list this Summer. According to the Wall Street Journal there was an internal government review which turned up that the agency was monitoring some 35 world leaders.

After learning this, the White House ordered to cut of some of these programs, including the one tracking the German chancellor and some other world leaders. Obama also ordered NSA to stop eavesdropping operations against the headquarters of the United Nations, the International Monetary Fund and the World Bank.



Links and Sources
- NYTimes.com: Tap on Merkel Provides Peek at Vast Spy Net
- DuncanCampbell.org: How embassy eavesdropping works
- TheWeek.com: Did the NSA mislead the President and Congress about foreign leader spying?
- FAZ.net: Es war Merkels Parteihandy
- Spiegel.de: How NSA Spied on Merkel Cell Phone from Berlin Embassy

Read More

Kremlin Alledegly Slipped Spy Gadgets into G20 Summit Gift Bags

Russian hosts of the Group of 20 summit near St. Petersburg in September sent world leaders home with gifts designed to keep on giving: memory sticks and recharging cables programmed to spy on their communications, two Italian newspapers reported Tuesday.

A Kremlin spokesman denied the allegations reported by Il Corriere della Sera and La Stampa, both of which attributed their stories to findings of technical investigations ordered by the president of the European Council and carried out by German intelligence.

The USB thumb drives marked with the Russia G20 logo and the three-pronged European phone chargers were "a poisoned gift" from Russian President Vladimir Putin, Turin-based La Stampa said in its report.

“They were Trojan horses designed to obtain information from computers and cellphones,” the paper said.

The bugging devices were included in gift bags given to all delegates who attended the Sept. 5-6 summit at the palace in Stelna, outside of St. Petersburg, the newspapers said. (more)

Too obvious to be true? 
You decide.

Read More

Do You Have an IT Spy Guy?

Two tales to get you thinking...

Old tech equipment rarely dies, it just finds a new home -- and sometimes, that home is with your IT employees... The problem with taking equipment bound for the scrap heap or the recycling bin is that it often still contains sensitive data, which if lost could result in massive liability for the company that owns the equipment. Think... It is more than just theft, much more.

"There are no secrets for IT," says Pierluigi Stella, CTO for managed security service provider Network Box USA. "I can run a sniffer on my firewall and see every single packet that comes in and out of a specific computer. I can see what people write in their messages, where they go to on the Internet, what they post on Facebook. In fact, only ethics keep IT people from misusing and abusing this power. Think of it as having a mini-NSA in your office." Also think... "The scariest thing is that the same people who present the greatest risk are often the very people who approve access." (more)

Read More

Business Espionage in America - We Lose More Than We Take in Taxes

The United States has known for sometime that it has been victimized by economic espionage mounted by other countries, especially China and Russia. According to a counterintelligence expert hired by companies to help them counter this threat, the toll for these crimes is far, far higher than what has been officially reported.

Economic espionage represents “the greatest transfer of wealth in history,” said General Keith Alexander, NSA director and commander of U.S. Cyber Command, at the American Enterprise Institute in 2012...

Due to the nature of the business, it is often difficult to place solid numbers on the cost of economic espionage. To protect their investors, companies rarely want to announce breaches by spies or hackers to the public, and government agents often find gathering enough evidence to charge an insider with espionage difficult.

The lack of transparency on economic espionage makes it a difficult problem to tackle.

The FBI estimates that economic espionage costs the U.S. $13 billion a year, yet their numbers are based only on current FBI cases where spies have been caught and charged. It does not include the majority of theft that was not reported, or the scale of breaches that are unknown to the companies...

During his speech, General Alexander said investigations by the FBI and other agencies find that for every company that detects a cyberattack there are 100 others that are unknowingly being hacked...

Nonetheless, U.S. companies are still largely on their own when it comes to defending against economic espionage, and the threat is very real. When the “Economic Espionage Penalty Enhancement Act of 2011″ was passed, former U.S. Senator Herb Kohl said in a press release “As much as 80 percent of the assets of today’s companies are intangible trade secrets.” (more)

You don't have to be on your own. Help is available. Call me.

Read More

Ankle Bracelets Have Criminals Bugged

Ankle bracelets featuring GPS tracking technology can do more than allow authorities to follow the whereabouts of criminals ordered to wear them. They also can be used to eavesdrop on conversations without the wearer knowing what’s going on.

In Puerto Rico, defense lawyer Fermín L. Arraiza-Navas learned about the bracelet’s expanded surveillance capabilities after meeting with clients fitted with the technology. He told the Puerto Rico Center for Investigative Reporting (CPIPR) that clients noticed the bracelets would vibrate when having conversations with lawyers and others.

One client said authorities spoke to him through a hidden phone feature included in the bracelets, which are manufactured by a Utah-based company, SecureAlert. (more)

Read More

How secure is the Merkel-Phone?

(Latest update: October 28, 2013)

In an article by the German magazine Der Spiegel it was said that the NSA probably also eavesdropped on the mobile phone of chancellor Angela Merkel, which is dubbed Merkel-Phone in popular media. Der Spiegel provided little detail, but according to an article in Die Welt, the old cell phone number of Merkel was mentioned in a document provided by Edward Snowden.

Der Spiegel presented their evidence to the German government, which led to an investigation by German intelligence and security agencies. Apparently the material proved to be trustworthy and chancellor Merkel expressed her anger in the media and even in a phone call to president Obama.

For now, we have no further details about the alleged monitoring of Merkel's phone, like whether her number was just on an NSA 'wish-list', or that only metadata were gathered. Here we will take a closer look at how the official mobile phone of chancellor Merkel has been secured.

UPDATE #1:
A new article by Der Spiegel says that a phone number of chancellor Merkel was on an NSA target list since 2002. Targeting Merkel's phone number was requested by NSA unit S2C32 or the "European States Branch", and had to be done by a unit of the joint NSA/CIA Special Collection Services (SCS), which is covertly based inside the US embassy in Berlin. The document doesn't say what kind of communications were monitored or whether actual content had been recorded.

> Much more about this: How NSA targeted chancellor Merkel's mobile phone

German chancellor Angela Merkel using
her former Nokia 6260 Slide phone
(photo: dapd, March 1, 2011)

If NSA targeted Merkel's old cell phone number, it's likely the one that belonged to her former smart phone, a Nokia 6260 Slide. This phone was used heavily by Merkel from October 2009 until July 2013. Voice communications through this device were secured by a system called SecuVOICE, made by the small Düsseldorf based company Secusmart GmbH, which was founded in 2007.

Initially, the solution provided by Secusmart could only encrypt voice, not text messages (SMS) or e-mail. For encrypting text messages Secusmart introduced a separate solution called SecuSMS in 2010, which means that between October 2009 and the implementation of SecuSMS, it was rather easy for NSA to at least intercept the text messages from Merkel's official phone (maybe in the same way they collected text messages of the Mexican president).

Other easy options could have been the monitoring and/or intercepting of the non-secure mobile phones which chancellor Merkel uses, like the one provided by her political party (so no government money is used for party politics) and her private cell phone. For convenience, many politicians often use their private cell phones for government business too.

UPDATE #2:
On October 27, the German tabloid paper BILD revealed that according to anonymous intelligence officials, it was president Obama who ordered the monitoring of chancellor Merkel's communication and that NSA was apparently able to intercept her newest secure mobile phone (see below). Only the secure landline telephone in her office wasn't intercepted.

UPDATE #3:
In an unusual rapid and specific response, NSA said that director Alexander "did not discuss with President Obama in 2010 an alleged foreign intelligence operation involving German Chancellor Merkel, nor has he ever discussed alleged operations involving Chancellor Merkel. News reports claiming otherwise are not true".

UPDATE #4:
Already on October 24, the German paper FAZ learned that the Snowden-document seen by Der Spiegel mentioned the number of the cell phone provided to chancellor Merkel by her political party, which has no security features. There's no evidence that NSA targeted or even broke the encrypted communications from her secure mobile phone.



SecuSUITE @ BlackBerry 10

Since last July, chancellor Merkel uses the new BlackBerry Z10, which is equipped with the SecuSUITE system, consisting of SecuVOICE for encrypting voice, SecuSMS for encrypting text messages and some other applications for securing e-mail and sensitive data stored in the phone (SecuVOICE should not be confused with SecurVoice, the software which was used to secure Obama's Blackberry in 2009).

German chancellor Angela Merkel at the CeBIT 2013, showing
the BlackBerry Z10 with Secusmart encryption chip
(photo: Bundesregierung/Bergmann, March 4, 2013)

A new feature, which is standard available for this phone, is BlackBerry Balance. This enables users to keep both personal data and office work data securely separated in different partitions. In the personal section one can freely use social media and downloaded apps. These are separated from the business section, which can be automatically configured with business applications and e-mail through the Blackberry Enterprise Service 10 server. Users can easily switch from the personal to the business profile by entering a password. Stored user data are protected via 256-bit AES encryption.

For secure communications, the SecuSUITE application is added by inserting a Micro-SD card, called the Secusmart Security Card, in the memory card slot of the phone. This card contains a tamper-proof crypto-controller made by NXP, with a PKI-coprocessor for performing the user authentication and a high speed coprocessor for encrypting voice and other data using the 128-bit AES algorithm. These encryption keys are transmitted using the Elliptic Curve Diffie Hellman (ECDH) protocol.

The BlackBerry Z10 with SecuSUITE application has been approved by the German government for use at the classification level Restricted (in German: Verschlussache - Nur für den Dienstgebrauch, abbreviated: VS-NfD). It's somewhat surprising that this is the lowest level, which might be explained by the fact that communications are encrypted using only 128-bit keys. Nowadays, it's generally advised to use keys with 256-bit length. Another reason is that a commercial available smart phone device is used, which is less secure than a custom made one.

For conversations at a higher classification level, German government and military officials are bound to dedicated landline phones, and conversations classified as Top Secret (German: Streng Geheim) may only take place from inside rooms that are secured against eavesdropping. Such high level voice and data communications are encrypted through the Elcrodat 6-2 system.

Nonetheless, the German federal government ordered 5000 secured BlackBerry devices, costing around 2500,- euro a piece. The new BlackBerry 10 with SecuSUITE was first presented by Secusmart at the IT business event and conference CeBIT 2013 in March:

The SecuVOICE solution is also available in the Netherlands, where it is (or was?) sold by Fox-IT and approved by the government for encrypting phone calls at the classification level Restricted (in Dutch: Departementaal Vertrouwelijk). NATO also approved SecuVOICE for usage at the level of Restricted.



SiMKo3 @ Samsung Galaxy

The secured BlackBerry 10 is not the only secure mobile smartphone approved for German government use.

There's also the SiMKo3 (the abbreviation of the German Sichere Mobile Kommunikation, Generation 3) solution from Deutsche Telekom, which comes with the Samsung Galaxy S III smart phone devices. Presently, this application is only approved for data communications at the Restricted level, but priced at 1700,- euro a piece, these phones are less costly than the BlackBerrys.

The SiMKo3 technique is similar to that of GD Protected, a system developed by General Dynamics to secure Samsung Galaxy S IV and LG Optimus smart phones so they can be used by high level government officials in the United States.

Links and Sources
- BILD.de: Obama wollte alles über Merkel wissen
- Spiegel.de: NSA-Überwachung: Merkels Handy steht seit 2002 auf US-Abhörliste
- T-Online.de: Mit welchem Handy hat die Kanzlerin telefoniert?
- Welt.de: Merkels Handy-Nummer in Snowdens Dokumenten
- WiWo.de: Sicherheitshandys: Blackberry sticht Telekom aus
- Heise.de: Technische Details zum Merkel-Phone 2.0
- ComputerWoche.de: Das können die neuen „Merkel-Phones“

Read More

A Brilliant Halloween Costume, More LED Fun, and a tip of the tin foil hat to the ultimate paranoid!

It's Friday. 
Oddball time!


Weekend Electronics Project
Extreme LED Throwies

Click to enlarge.

LED throwies are cheery glow-dots you can make in seconds from simple components and stick to any ferro-magnetic surface. But that’s just the beginning — click link to learn how to hack and modify them. Easy to make!

...and an anti-NSA home... (just kidding)

Read More

Encryption Infographic

Every wonder how good your encryption is?

Read More

Citing "Terrifying" Surveillance Tactics, Yet Another U.S. Privacy Service Shuts Down

Yet another American Internet privacy service has bitten the dust, prompted by fears about broad government surveillance demands.

San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service. 

In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data. (more)

Read More

Court Rules: NO GPS for LEOs w/o CO

A federal appeals court has ruled that law enforcement officials must obtain a warrant before attaching a GPS unit to a suspect’s car and tracking them... 

“Today’s decision is a victory for all Americans because it ensures that the police cannot use powerful tracking technology without court supervision and a good reason to believe it will turn up evidence of wrongdoing,” American Civil Liberties Union attorney Catherine Crump said in a statement. “These protections are important because where people go reveals a great deal about them, from who their friends are, where they visit the doctor and where they choose to worship.”

The three-judge panel determined that installing GPS technology was a violation of the Fourth Amendment to the US constitution, which prohibits unreasonable searches and seizures. The judges’ final decision said the actions of the police were “highly disconcerting.” (more)

Read More

Rental Company Settles Spyware Case

The Federal Trade Commission says Atlanta-based furniture renter Aaron's Inc. has agreed to a settlement over allegations that it helped place spyware on computers that secretly monitored consumers by taking webcam pictures of them in their homes.

The FTC said in a Tuesday news release that Aaron's will be prohibited from using spyware that captures screenshots or activates the camera on a consumer's computer, except to provide requested technical support.

Aaron's officials previously blamed individual franchisees for the spyware. But the FTC said Aaron's knowingly played a direct role in the use of the spyware. (more)

Read More

No Jail for Skype Sex Scandal Cadets

Australia - The two men at the centre of the Australian Defence Force Academy Skype scandal have avoided jail time.

Daniel McDonald, 21, secretly filmed himself having sex with a female cadet and streamed it live to Dylan Deblaquiere, 21, in a nearby dorm room at ADFA in Canberra in 2011.

Earlier this year a jury found the pair guilty of sending offensive material over the internet without consent. McDonald was also found guilty of an act of indecency.

In sentencing today in the ACT Supreme Court, Acting Justice John Nield rejected jail time... Instead he handed McDonald two 12-month good behaviour bonds, to be served concurrently, and Deblaquiere a single 12-month good behaviour bond. He warned they will go to jail if they breach their orders... "General deterrence has been achieved," he said...

The Department of Defence has confirmed it will take action in relation to McDonald. (more)

Read More

Bugging Boss for a Raise Lands Three Employees in Jail

China - Three public officials were each sentenced to 20 months in jail for illegally wiretapping a county Communist Party chief of central China's Hunan Province, according to a local court ruling on Tuesday.
 
Li Yi, an official with the supervision office of the Mayang Miao Autonomous County Committee of the Communist Party of China (CPC), Yang Fan, a Mayang court officer and Liu Yang, a police officer, were guilty of illegal wiretapping and secretly filming a county Party chief, according to the ruling of the district people's court of Hecheng, Huaihua City, which administers Mayang County.

They were guilty of placing hidden cameras in the office of Hu Jiawu, secretary of the CPC Mayang Miao Autonomous County Committee, spying on Hu and storing video footage on a removable disk between March 13 and Oct. 2 in 2012. They used the footage to try and blackmail Hu for promotion, according to the ruling. (more)

Read More

Landlord, Tenant, SpyCam - What Could Possibly...

I stopped posting these stories a while back, simply because there were so many of them. This is just a reminder. The SpyCam is the Number One illegal eavesdropping tool in use today.

Canada - An employee at a major Canadian broadcaster is facing charges of voyeurism, mischief and defamatory libel. 56-year-old David Sealey was arrested Saturday after a man saw a woman he knew secretly filmed in an online video. He notified the victim, who reported the incident to police.

A search warrant was issued and over 150 voyeuristic videos of women were found on a computer inside Sealey’s home, along with recording devices.

The female victim rented a room from Sealey in the Richmond Ave. and Spadina Ave. area and police believe there could be more victims. (more)

Read More

Captain Crunch sez... "Here's looking at you, matey."

It’s not quite “Minority Report”-levels of creepiness, but it’s getting there.

He saw this coming.

Mondelez International, whose properties include Chips Ahoy, Nabisco, Ritz and other high-profile snack brands, says it’s planning to debut a grocery shelf in 2015 that comes equipped with sensors to determine the age and sex of passing customers.

The shelf, which is hooked up to Microsoft’s Kinect controller, will be able to use basic facial features like bone structure to build a profile of a potential snacker, Mondelez chief information officer Mark Dajani told the Wall Street Journal. While pictures of your actual face won’t be stored (yet), aggregate demographic data from thousands of transactions will be. (more)

I spy a tipping point. We are sailing into Fedup Bay. Watch the backlash, me hardies.

Read More

Ex-School IT Director Faces Trial on Wiretapping Charge

PA - The former technology director for Easton Area School District accused of secretly recording a private meeting will face trial in Northampton County Court.

Thomas Drago, 54, acknowledged at a hearing Tuesday that prosecutors have enough evidence to merit a wiretap violation charge. Drago's attorney, Philip Lauer said his client will apply for a first-time offender's program. Drago remains free on $50,000 unsecured bail.

In August, Drago surrendered to authorities for allegedly recording a conversation with school officials without their permission. Drago, 54, of Bushkill Township resigned shortly before an internal probe this year uncovered nude photos on his work computer. (more)

Read More

BOUNDLESSINFORMANT only shows metadata

(Updated: November 27, 2013)

Yesterday, the French paper Le Monde broke with a story saying that NSA is intercepting French telephone communications on a massive scale. This is mainly based upon a graph from the BOUNDLESSINFORMANT program, which shows that during one month, 70,3 million telephone data of French citizens were recorded by the NSA.

Here, it will be clarified that the BOUNDLESSINFORMANT tool only shows numbers of metadata. Also some screenshots will be analysed, showing information about collection from:

- France - The Netherlands - Germany - Spain - Norway - Afghanistan - WINDSTOP -

Metadata

As the Le Monde article, written by Jacques Follorou and Glenn Greenwald, failed to clarify the exact nature of the 70,3 million, it was unclear whether this number was about metadata or also about the content of phone calls. Combined with some sensationalism, this led to headlines like U.S. intercepts French phone calls on a 'massive scale'.

But this is incorrect. According to a presentation and a FAQ document, the BOUNDLESSINFORMANT tool is for showing the collection capabilities of NSA's Global Access Operations (GAO) division, which is responsible for intercepts from satellites and other international SIGINT platforms.

The program presents this information through counting and analysing all DNI (internet) and DNR (telephony) metadata records passing through the NSA SIGINT systems.

This means, all figures shown in the BOUNDLESSINFORMANT screenshots are about metadata and not about content. It is unclear how many phone calls are represented by the numbers of metadata records, but it's likely much less.

So for France, we only know for sure that NSA collected 70,3 million metadata records and not how many phone calls were actually intercepted in the sense of recording the call contents.

It should also be noted that BOUNDLESSINFORMANT is apparently only showing metadata collected by the GAO division. Therefore, data gathered by NSA's other main Signals Intelligence divisions, SSO (for collection from private companies) and TAO (for collection by hacking networks and computers), may not be included in the charts and the heat maps.


UPDATE #1:
On October 29, the Wall Street Journal reported that according to US officials, the metadata records for France and Spain were not collected by the NSA, but by French and Spanish intelligence services. The metadata were gathered outside their borders, like in war zones, and then shared with NSA. This confirms the explanation of the numbers of German metadata, given by Der Spiegel on August 5.

UPDATE #2:
On October 30, Glenn Greenwald published a statement claiming that his original reports, saying that NSA massively collected data in foreign countries, are still correct. Also, the Dutch interior minister Ronald Plasterk denied the suggestion that the 1,8 million Dutch metadata were collected by Dutch agencies and then shared with NSA.



France

Below is a screenshot from BOUNDLESSINFORMANT that shows information about collection from France between December 10, 2012 and January 8, 2013. In total, almost 70,3 million metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. In this case only telephony metadata were collected, so we only see green bars.

In the lower part of the screenshot we see three sections with break-ups for "Signal Profile", "Most Volume" and "Top 5 Techs".

Signal Profile

The Signal Profile section shows a pie chart which can show the following types of communication:

- PCS: Personal Communications Service (mobile phone networks)
- INMAR: INMARSAT (satellite communications network)
- MOIP: Mobile communications over IP
- VSAT: Very Small Aperture Terminal
- HPCP: High Power Cordless Phone
- PSTN: Public Switched Telephone Network
- DNI: Digital Network Intelligence (internet data)

In this case, the majority of the signals are from PCS or mobile phone networks (dark blue) and a minor fraction from the Public Switched Telephone Network (dark yellow).

Most Volume

This section shows that all French metadata during the one month period were collected by a facility designated US-985D. This SIGAD is seen here for the first time and also Le Monde has no further information, except for the suggestion that it's from a range of numbers corresponding to the NSA's third party partners.

As the French metadata are all collected from mobile and traditional telephone networks, they may have been intercepted with the help of a (foreign or even French) telecommunications provider. In that case, it's possible that the metadata are from French phone numbers which are used by foreign targets (see Germany below).

Top 5 Techs

The techniques used for these interceptions appear under the codenames DRTBOX and WHITEBOX, which are disclosed here for the first time. Le Monde wasn't able to provide any more details about these programs or systems, but if we compare the numbers collected by these programs with the pie chart under Signal Profile, it seems likely that DRTBOX (which collected 89% of the data) accounts for the big PCS part of the pie chart, and WHITEBOX (11%) for the small PSTN part.



The Netherlands

Almost immediatly after Le Monde came with their story, the Dutch IT website Tweakers.net noticed that the German magazine Der Spiegel had published a similar screenshot about collection from the Netherlands early August:

In this case we only have the top part, with a bar chart showing that during a one month period, about 1,8 million telephony metadata records were collected from the Netherlands.

Again, this number is only about metadata, and therefore it doesn't tell us how many phone calls, let alone how many phone numbers were possibly involved.

The report by Tweakers.net was correct in explaining that the chart only shows metadata, but unfortunately, the headline initially said "NSA intercepted 1.8 million phonecalls in the Netherlands". This gave many people, including politicians, the idea that NSA was actually eavesdropping on a vast number of Dutch phone calls, which is not what the chart says, and which is also probably not what NSA is doing.



Germany

On August 5, the German magazine Der Spiegel published a screenshot from BOUNDLESSINFORMANT which shows information about collection from Germany between December 10, 2012 and January 8, 2013. In total, more than 552 million metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue.

Signal Profile

In case of Germany, the pie chart shows that the communication systems are roughly divided into:

- 40% PCS (mobile communications)
- 25% PSTN (traditional telephony)
- 35% DNI (internet traffic)

Most Volume

This section shows that all German metadata were collected by two facilities, designated by the following SIGADs:

- US-987LA (471 million records)
- US-987LB (81 million records)

In an additional article by Der Spiegel, it's the German foreign intelligence agency BND itself saying that it believed "that the SIGADs US-987LA and US-987LB are associated with Bad Aibling and telecommunications surveillance in Afghanistan". Bad Aibling is a small town in Southern Germany which had a huge listening post during the Cold War, which was also part of the ECHELON system. In 2004, the listening post was moved to a smaller facility nearby.

According to Der Spiegel, the BND collects metadata from communications which it had placed under surveillance and passes them, in massive amounts, on to the NSA. BND says that it's operating within German law and doesn't spy on German citizens. Therefore, Der Spiegel suggests that the data are only technically acquired in Germany, but are actually about foreign targets.

However, this explanation would only make sense if those foreigners were contacting (or using) German phone numbers and e-mail addresses, because otherwise there would be no reason for NSA to count their metadata as being German.

Top 5 Techs

The techniques used for these interceptions appear under the following codenames:

- XKEYSCORE (182 million records or 33% of the total of 552 million)
- LOPERS (131 million records or 24%)
- JUGGERNAUT (93 million records or 17%)
- CERF CALL MOSES1 (39 million records or 7%)
- MATRIX (8 million records or 1,4%)

(the record numbers don't add up to the total of 552 million, apparently there are more, smaller systems involved than the 5 shown here)

If we compare these percentages with the pie chart showing the signal profiles, we see that XKEYSCORE corresponds to the DNI or internet metadata. XKEYSCORE is a tool used for indexing and analysing internet data and therefore it's possible that also the other programs mentioned in the Top 5 Tech section are not for collecting data, but for processing and analysing them.

According to Der Spiegel, LOPERS is a system to intercept the public switched telephone network. Indeed, the approximately 24% of the data collected by LOPERS fits the PSTN part of the pie chart.

This leaves the other three programs, and also those not mentioned in this Top 5, being used for data from mobile communication networks. Der Spiegel confirms this for JUGGERNAUT, but we can assume this for CERF CALL MOSES1 and MATRIX too.



Spain

In the print edition of the Spanish paper El Mundo from October 28, 2013, there was the following screenshot from BOUNDLESSINFORMANT showing information about collection from Spain between December 10, 2012 and January 8, 2013. In total, 60 million metadata records were collected:

(screenshot via koenrh)

The various parts of this figure are the same as described above, so here we only look at the specifics for Spain.

Signal Profile / Most Volume

All records were collected from mobile communications networks (PCS) and this was done through an unknown facility designated by the following SIGAD:

- US-987S (60 million records)

This SIGAD is very similar to the ones used for collecting the German data (US-987LA and US-987LB) and it's assumed they stand for 3rd party facilities, that is, collection sites run by 3rd party partner agencies of NSA. It is also rather similar to US-985D, which collected the French metadata.

Top 5 Techs

All records were processed or analysed by only one system or program:

- DRTBOX (60 million records)

In the screenshot about France, we saw DRTBOX also being used for handling (meta)data derived from mobile communication networks, so we can assume this system is not specifically used for French communications, but for traffic from mobile communication systems in general.

DRTBOX

As almost all NSA codenames are (composed of) real words, it looks like DRTBOX is a spelling error, but a reader of this weblog pointed to another, very interesting option: DRT is also the abbreviation of Digital Receiver Technology, Inc. of Germantown, Maryland, which was taken over by US military contractor Boeing in 2009.

> See for more about DRT: DRTBOX and the DRT surveillance systems

This makes it quite likely that the intercept devices of DRT are also used by NSA for collecting data from mobile communication networks. This equipment might then be installed at the facilities with designators like US-987S and others, and maybe also at the SCS unit which intercepted the mobile phone of German chancellor Merkel.

With the DRT devices being installed at various interception locations, DRTBOX (or DRT Box) itself seems to be a system for processing or an interface for analysing the collected data, just like XKEYSCORE does for collected internet data. The use of DRT devices and DRT Box for SIGINT collection is also confirmed in a LinkedIn-profile.



Norway

On November 19, the website of the Norwegian tabloid Dagbladet published the following screenshot from BOUNDLESSINFORMANT which shows information about collection from Norway between December 10, 2012 and January 8, 2013. In total, over 33 million metadata records were collected:

Once again, only telephony metadata were gathered, so we see only green bars in the bar chart.

Signal Profile / Most Volume

All records were collected from mobile communications networks (PCS), which was done through an unknown facility designated by the following SIGAD:

- US-987F (33 million records)

After US-987L for Germany and US-987S for Spain, US-987F is now the third known SIGAD starting with US-987, which indicates that this is an umbrella-designator for collection facilities in or targeted at different countries, each designated by a different letter.

Following the interpretation of former Guardian journalist Glenn Greenwald, the Norwegian paper Dagbladet wrote that NSA monitored 33 million Norwegian phone calls. This was almost immediatly corrected by the Norwegian military intelligence agency Etteretningstjenesten (or E-tjenesten), which said that they collected the data "to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad" and that "this was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans".

This explanation is very similar to the one given by the German foreign intelligence agency about the metadata which appeared as being 'German' (see above), but also here it's the question on what grounds these data are counted as being Norwegian. If we follow the BOUNDLESSINFORMANT FAQ document, at least one end of the communication should be a Norwegian phone number.

Top 5 Techs

All records were processed or analysed by only one system or program:

- DRTBOX (33 million records)

Also in this case, the DRTBOX system is used for the communications collected from mobile networks, just like we saw in the BOUNDLESSINFORMANT screenshots about France and Spain.



Afghanistan

On November 22, the Norwegian tabloid Dagbladet published a screenshot from BOUNDLESSINFORMANT about Afghanistan:

> See for more: Screenshots from BOUNDELSSINFORMANT can be misleading



WINDSTOP

On November 4, the Washington Post published a screenshot from BOUNDLESSINFORMANT which shows information about collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more than 14 billion metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue.

According to the Washington Post, WINDSTOP is an umbrella program for at least four collection systems which are jointly operated by NSA and one or more signals intelligence agencies of the 2nd Party countries Britain, Canada, Australia and New Zealand.

Signal Profile

The pie chart shows that more than 95% of the metadata are collected from internet traffic (DNI), less than 5% is from mobile networks (PCS).

Most Volume

This section shows that under WINDSTOP, the metadata were collected by at least the following two facilities, designated by their SIGADs:

- DS-300 (14.100 million records)
- DS-200B (181 million records)

In a sidenote, the Washington Post says that DS-300 is the SIGAD for an interception facility which is also known under the codename INCENSER. With 14 billion internet metadata records in one month, INCENSER seems to be one of NSA's major internet collection programs, as for March 2013, the total of internet metadata collected worldwide was 97 billion records. For now, it's unclear where this enormous amount of data comes from.

DS-200B is a facility codenamed MUSCULAR, which is used for tapping the cables linking the big data centers of Google and Yahoo outside the US. This intercept facility is located somewhere in the United Kingdom and operated by GCHQ and NSA jointly. MUSCULAR collected some 181 million records, a small number compared to the 14 billion of INCENSER, but still way too much given its low intelligence value - according to NSA's Analysis and Production division.

It's interesting to see data from MUSCULAR mentioned in this screenshot, because a FAQ document about BOUNDLESSINFORMANT from 2010 said that no metadata from MUSCULAR were counted by this tool. But as this chart shows records from December 2012 and January 2013, it seems that meanwhile also metadata from MUSCULAR were added.

Top 5 Techs

The programs used for processing and analysing these interceptions are:

- XKEYSCORE (14.100 million records)
- TURMOIL (141 million records)
- WEALTHYCLUSTER (1 million records)

Just like we saw in the chart about the German metadata, the internet (DNI) data are processed by the XKEYSCORE tool. Almost all these internet data are collected by the facility designated DS-300 and codenamed INCENSER.

TURMOIL is a database or a system which is part of the TURBULENCE program, and seems to be used for selecting and storing common internet encryption technologies, so they can be exploited by NSA. If we compare the numbers, we see that TURMOIL is used for processing most of the data collected by DS-200B or MUSCULAR. An NSA presentation confirms that data collected by MUSCULAR are ingested and processed by TURMOIL.

WEALTHYCLUSTER is also related to the TURBULENCE program and is described as "a smaller-scale effort to hunt down tips on terrorists and others in cyberspace" and is said to have helped finding members of al-Qaida.

(Updated with the information about the German metadata, the new explanation by the Wall Street Journal, the WINDSTOP metadata and the data from Spain and Norway)



Links and Sources
- Dagbladet.no: NSA-files repeatedly show collection of data «against countries» - not «from»
- VoiceOfRussia.com: Denmark admits to tapping phones in conflict zones abroad
- Wall Street Journal: U.S. Says France, Spain Aided NSA Spying
- Cryptome.org: Translating Telephone metadata records to phone calls
- The Week: Why the NSA spies on France and Germany
- Le Monde: France in the NSA's crosshair : phone networks under surveillance
- Tweakers.net: NSA onderschepte in maand metadata 1,8 miljoen telefoontjes in Nederland
- De Correspondent: Wat doet de NSA precies met het Nederlandse telefoonverkeer?
- Der Spiegel: Daten aus Deutschland

Read More

Doc v. Doc Bugging Ends in House Call to Graybar Motel

India - Spying on his wife landed a qualified doctor husband behind bars on Saturday. 

Dr Gyaneshwar Maini, who owns a private hospital, was arrested for keeping a tab on the locations and conversations of his wife, while installing a high-quality Global Positioning System (GPS) along with a micro-mike packed in a black box in the steering wheel of her sedan car for the past eight months. 

The victim is also a qualified doctor and employed with a leading private hospital in Mohali.  

Police have also decided to take legal action against employees of a private firm, who installed the device in the car of the woman.

The GPS system, along with a mike, was in a black box worth Rs 18,000 ($293.76), which was detected with the help of an expert from a private company, which supplies these gadgets. 

The black box was linked with a 10-digit cell number used by Dr Maini's friend. Police said the installer of the device in the car has identified Dr Maini. In her complaint to the police, the woman suspected that there was some instrument in her car, which was keeping a tab on her movements and conversations, about which her husband would come to know even without her telling him. (more)

Read More

No more, "Gee, I thought you said..." — Record Your Cell Phone Calls

Here's a useful item for PIs, Security and LEOs — a way to document important cell phone calls, without app sapping charges. No more, "Gee, I thought you said..." 

Recording Cell Phone conversations using apps is not possible on iPhone, Droid or BlackBerry without paying per minute charges. The Call Mynah Cell Phone Recorder gives you complete control of Recording Cell Phone Calls. You decide to Record Mobile Phone Calls or not, set up your Call Mynah to Record Cell Phone (all calls) or only as you choose.

• 340 hours of Cell Phone Recording storage
• Connects to any mobile phone via Bluetooth to create a simple Cell Phone Call Recorder
• Automatically Record Cell Phone Calls (manual recording options too)
• Saves all Cell Phone Records, call details (date, time, number, duration, call type)
• Add comments to calls and flag as 'Important'
• Upload calls to your PC for easy management (software supplied)
• 150 Hours standby, 8 hours talking before battery charge
• Call recording warn tone or prompt can be sent to callers (optional)
• Handset, Speakerphone or Headset (supplied) operation
• Security features to prevent unauthorized listening to your calls (more)

Read More

RARE - Politico Admits to Phone Tapping & Butt Bugging

Zambia - Zambian President Admits to Spying on Fellow Officials
 
During his 2011 election campaign, the current president of Zambia, Michael Sata rose to popularity by playing on anti-Chinese sentiment and the anger of laborers over poor standards at the many large Chinese-run mines in Zambia... According to Global Voices, he tapped the phone of his foreign minister and also planted a bug underneath a chair in the office of the leader of Barotseland region, whose citizens want to secede from Zambia. (more)

Read More

Industrial Espionage Threats to Small and Medium-sized Enterprises (SMEs)

The former president of a transportation company in Texas was sentenced in federal court last month to five years in prison for hacking into his former employer’s computer network and stealing proprietary business information he intended to use for his start-up. The case underscores the fact that much like major corporations, small and medium-sized enterprises (SMEs) are targets for industrial espionage.

SMEs are in many ways are more vulnerable than big businesses, which are capable of employing a small army of security specialists to safeguard intellectual property, said Michel Juneau-Katsuya, president and CEO of the Northgate Group, an international security firm based in Canada.

SMEs very often perceive security as an extravagance. “In times of austerity that sin of security expense is one of the first things that get eliminated,” he told IMT.

To a certain extent, the strategic importance of protection has become even more critical for SMEs. When it comes to stolen prototypes or proprietary technology, larger companies seem more capable of absorbing the loss. “If you’re a big guy and you lose a gadget, you can probably recover from that,” he said. “But if you’re a small or medium-sized company, you lose your intellectual property, you might actually break your back and lose your company." (more)


Sometimes it is smart to be extravagant. ~Kevin

Read More

Yet Another Bird Spying Story

Headlines of fowl accused of spying for Israel are making rounds again in Middle Eastern press, with the most recent bird of espionage 'arrested' in Lebanon. Hezbollah and Iranian-affiliated websites reported today that an Israeli 'spy eagle' had been caught this past weekend in Lebanon. 

According to one Lebanese news site, the eagle had been caught in the town of Achkout by local hunters who alerted authorities after discovering that the bird had an ID ring attached to its leg with the words "Israel" and "Tel Aviv University" printed on it. (really bad spycraft :) 

"On the lookout for bird spies here."

The Hezbollah- affiliated Al-Manar TV, whose news site's section on Israel is simply called "Enemy Entity," claimed that the eagle was one of many birds sent by Israel to spy and gather information via GPS transmitters across the Middle East. The report pointed to the "arrest of birds carrying similar devices" in Saudi Arabia, Turkey and most recently in Egypt. (more) (sing-a-long)

Read More