Category Archives: Security

BBC Journalists Tortured by Libyan Military

A harrowing first-person account has been published by BBC journalists who were arrested and tortured in Libya. The role of identities in these conflicts is illuminating. Note for example that one of the three journalists, a Palestinian, receives the harshest treatment. The torturer seems to call out bad relations between Libya and Hamas, as well as a hatred for Al-Jazeera:

“He said something bad about Palestinians, a lot of bad things, and he asked his team what they thought about Palestinians and they said the same things. He thought they had helped the Palestinians a lot, but Hamas has given a very bad reaction to Gaddafi. Lots of bad language.

“When I tried to respond he took me out to the car park behind the guard room. Then he started hitting me without saying anything. First with his fist, then boots, then knees. Then he found a plastic pipe on the ground and beat me with that. Then one of the soldiers gave him a long stick. I’m standing trying to protect myself, I’m trying to tell him we’re working, I’m a Palestinian, I have a good impression of the country. He knew who we were [ie journalists] and what we were doing.

“I think there was something personal against me. They knew me and the sort of coverage I had been doing, especially from Tajoura the Friday before. I think they monitored the BBC and had an idea, not just the reports but also DTLs [interviews from the studio with a correspondent in the field]. They don’t like us or Al-Arabiya or Al-Jazeera.”

While in detention they had access to other prisoners and their stories.

…they had been arrested because their phone calls had been intercepted – including ones to the foreign media…

Then after days of beatings and interrogation by the military, they are sent to intelligence headquarters for review.

We were crammed in worse than sardines. The others were so badly beaten, and it was so full, that every time you moved someone screamed. They had mashed faces, broken ribs. We were handcuffed, really tightly, behind our backs.

The intelligence group changes the situation dramatically. The BBC journalists point out that things are cleaner, and more organized. Their description of their oppressors switches, from the above examples of basic and angry brutality, to something far more sinister.

A man with a small sub-machine gun was putting it to the nape of everyone’s neck in turn. He pointed the barrel at each of us. When he got to me at the end of the line, he pulled the trigger twice. The shots went past my ear.

“They all laughed as though it was very funny. There was a whole group of them in plain clothes.”

At this point a man “who spoke very good English, almost Oxford English” interrogates them and then they are released. Another man tells them “sorry it was a mistake by the military”.

It is hard not to notice the flow of identities in this story from an outsider's view: a British man is left unharmed and even finds common ground when facing Libyan intelligence, while an Arab is despised and brutalized. Differences between people obviously have been the source and focus of great tragedy in history, but differences are very relative. Another awful reality is seen here: the fear of espionage and civil war leads oppressors to treat those we might see as similar to them far more brutally than those who are far more different. The integrity (papers, please) and confidentiality (networking) of communication in Libya today are thus issues of life and death.

Updated to add: below is a video released today of an American Congressman remembering an American 9/11 first responder who died while trying to help rescue people from the North Tower.

Muhammad Hamdani loved his country and sacrificed himself to help other Americans similar to himself, but other Americans have tried to denigrate him and hold his differences in contempt.

After Mr. Hamdani, 23, disappeared on Sept. 11, ugly rumors circulated: he was a Muslim and worked in a lab; he might have been connected to a terrorist group. Months later the truth came out. Mr. Hamdani’s remains had been found near the north tower, and he had gone there to help people he did not know.

Exposing Anonymous With Frequent Pattern

Eight years ago, in 2003, we proposed and presented the use of linguistic analysis for email author identification. Our use case started with the investigation of Advanced Fee Fraud (AFF), also known as 419 scams from Nigeria. We showed, albeit from a small data set, that language can identify a message author using several key indicators. We further showed that bias made victims far more susceptible to social engineering attacks.

About five years later, in 2008, an educational institution in Quebec picked up this theme of email author identification by applying pattern analysis to data sets. They released an online paper called “A novel approach of mining write-prints for authorship attribution in e-mail forensics”:

In this paper, we introduce an innovative data mining method to capture the write-print of every suspect and model it as combinations of features that occurred frequently in the suspect’s e-mails. This notion is called frequent pattern, which has proven to be effective in many data mining applications, but it is the first time to be applied to the problem of authorship attribution.

Er, well, they are obviously wrong. The first time was not 2008. It probably was not even 2006 (when we wrote our paper) or 2003. I would be far more impressed if they gave a little credit to the long history of language and data analysis, let alone our published and presented work. Our presentations on pattern frequency for authorship attribution predate not only their paper but, for at least two or three of the authors, their entire careers.

At the start of 2010 we presented our findings at the RSA Conference in San Francisco and showed how anonymous authors could be distinguished using linguistic analysis. We pulled apart email messages, presented them based on their use of language (including stylometric features), and presented a taxonomy that predicts fraud based on key indicators.

The audience in our presentations always gets a quiz at the end; many seem surprised that they suddenly are able to see uniqueness in messages where they saw none before.

I just noticed that the Quebec crew have republished their paper under a more contemporary title with almost the same specific use case in mind: “Mining writeprints from anonymous e-mails for forensic investigation”:

In this paper, we focus on the problem of mining the writing styles from a collection of e-mails written by multiple anonymous authors. The general idea is to first cluster the anonymous e-mail by the stylometric features and then extract the writeprint, i.e., the unique writing style, from each cluster. We emphasize that the presented problem together with our proposed solution is different from the traditional problem of authorship identification, which assumes training data is available for building a classifier.
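As an added illustration of the frequent-pattern writeprint idea in the quoted abstracts (this is not the Quebec group's code or this blog's own method; the feature set, thresholds and sample e-mails are constructed for the demo): each message is reduced to a few discretized stylometric features, the feature combinations that recur across an author's messages are mined, and the combinations no other author shares form that author's writeprint, which is then used to score an anonymous message.

```python
from collections import Counter
from itertools import combinations

# Constructed sample e-mails for two known authors (not real data).
EMAILS = {
    "alice": [
        "Hi!! Please send the report ASAP... thanks!!",
        "Hello!! Did you get my note... call me!!",
        "Hey!! Meeting moved to 3pm... see you!!",
    ],
    "bob": [
        "Dear Sir, kindly find the attached invoice. Regards.",
        "Dear Madam, kindly confirm receipt of the payment. Regards.",
        "Dear Sir, kindly note the revised schedule. Regards.",
    ],
}

def features(text):
    """Discretized stylometric features of one message (a deliberately small set)."""
    words = text.split()
    avg_len = sum(len(w.strip(".,!?")) for w in words) / max(len(words), 1)
    return {
        "double_bang" if "!!" in text else "no_double_bang",
        "ellipsis" if "..." in text else "no_ellipsis",
        "formal_open" if text.startswith("Dear") else "informal_open",
        "long_words" if avg_len > 4.5 else "short_words",
    }

def frequent_patterns(msgs, min_support=2, max_size=2):
    """Feature combinations (the 'frequent patterns') seen in >= min_support messages."""
    counts = Counter()
    for m in msgs:
        fs = sorted(features(m))
        for k in range(1, max_size + 1):
            counts.update(combinations(fs, k))
    return {p for p, c in counts.items() if c >= min_support}

def writeprints(emails):
    """Writeprint of an author: its frequent patterns that no other author also has."""
    fp = {a: frequent_patterns(m) for a, m in emails.items()}
    return {a: {p for p in pats if all(p not in fp[o] for o in fp if o != a)}
            for a, pats in fp.items()}

def attribute(text, prints):
    """Return the best-matching author and the per-author match counts."""
    fs = features(text)
    scores = {a: sum(set(p) <= fs for p in pats) for a, pats in prints.items()}
    return max(scores, key=scores.get), scores
```

Calling `attribute("Hi!! Send it over... cheers!!", writeprints(EMAILS))` returns `("alice", {...})`; with real mail the feature set would be far larger (function-word ratios, character n-grams, layout), and the min_support threshold controls how much an author's habits must recur before they count.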

Here is a major differentiation point. We did not assume a massive amount of training data was available or necessary to build a classifier. Our system can be taught to virtually anyone so that they then can start identifying authorship immediately. We have applied it and presented around the world, from Turkey to Brazil, with success.

Here is another major differentiation point. We were not trying to beg “first time” innovation recognition because we combined the extant body of knowledge in linguistics and security (social engineering). It was done in a novel way to help reduce fraud — stop people from falling victim to 419 scams — but we gave attribution.

We could have saved them a lot of time and hassle since we have been reporting it for eight years now. Perhaps there is a chance for collaboration in the future.

I could go on with differentiation points, but here’s one more. We don’t charge you to read our paper or presentation.

Hard Math CAPTCHAs – Easy As Pie

I mean Pi. Funny example of security control failure:

It seems these scientists want to ward off ruffians who can’t do advanced math. After all, the service they’re offering is access to truly random numbers — a difficult computer science feat on its own, and one that only responsible adults should have access to.

The scientists thought it would be a good idea to give their viewers a math challenge — solve a basic calculus problem to prove they are human. An equation version of the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is posted on their sign up page. Would this be called a CAPECHA?

Solve Me

But these math elitists may have a problem on their hands. As calculus teachers around the world are now discovering, the Internet will now do your math homework for you. Just go to WolframAlpha and pop in the problem, and boom, you’ll have access to all the random numbers your heart could desire.

Perhaps they did it for the publicity, or just for the humor. Or maybe they did it to drive up the market price for hired CAPTCHA-solution labor. I wonder if the next Craigslist ad for “easy money, work from home” will include basic calculus as a required skill.

It’s China! It’s Israel! It’s…

Pick your favorite bogeyman. The latest outsider attack is probably their fault…

My presentation at BSidesSF this year tried to make the argument that attribution is harder than ever online. Attackers make extensive use of proxies and remote control, so it can be very difficult to trace all the points back to an actual person…and even if you do, they may only be one of a thousand mules following instructions. It was gratifying to hear General Alexander at the RSA keynote on February 17th after my presentation admit to his audience “We don’t have situational awareness”.

I could go into the complicated philosophy of why attribution is a double-edged sword (e.g. users on the Internet do not want to sacrifice their privacy) or go into the long history of technical issues with attribution (e.g. smurfing), but instead I just want to point out the two most recent spectacular attribution failures.

First, WordPress suffered a denial of service attack that came from systems in China. I asked my audience at BSidesSF “how many people in the audience use products made in China” and the entire room raised their hands. Granted, there were only three people in the room (jk), but my point is that “it came from China” should be immediately discounted as a strong attribution link. If a weapon found after an attack has “from China” stamped on it, investigators should not jump to the conclusion that the attacker therefore must also be from China. Even worse is to superimpose Chinese state motives onto a suspected Chinese attacker, all because the weapon is “from China”.

WordPress said last week the attacks might have been politically motivated and aimed at an unnamed Chinese-language blog, but it no longer has that view.

“Don’t think it’s politically motivated anymore,” WordPress Founder Matt Mullenweg said in an e-mail to IDG News Service. “However the attacks did originate in China.”

Mullenweg did not elaborate on the change in view or offer details on the source of the attacks.

I had tried to warn against this in my Operation Sloppy Night Dragon post.

Second, I have a lot of respect for Ralph Langner, who has been credited with exposing the details of the Stuxnet attack. When I listened to his recent interview he made points such as: Stuxnet was very basic because it did not need to be complex, and Stuxnet was directed at Natanz, never at Bushehr. Why did he say at first that it was probably directed at Bushehr? In the interview he said it was because he assumed that would be a target of Mossad…in other words, his bias on international politics overshadowed his analysis of the facts. He recently reiterated that it was the Mossad.

“My opinion is that the Mossad is involved,” Ralph Langner said while discussing his in-depth Stuxnet analysis at a prestigious TED conference in the Southern California city of Long Beach.

We should not lose sight of the fact that he already has admitted he made one serious mistake because he believed Mossad was to blame before his investigation started. The Mossad certainly has a lot of people spooked, but every suspicious bird and rock is not necessarily their handiwork.

Every piece of dog poop you see, on the other hand, should in fact be attributed to the CIA.

I appreciate Langner’s honest, clear and open style; yet it seems when he switches to geopolitical analysis he overlooks important data points like the significance of Pakistan and German intelligence operations.

Note the recent mass exodus of US special forces and operatives from Pakistan after the arrest of Davis. The US denies he was anything more than a diplomat, but let’s face the fact that a fight with Afghans and Iranians makes Pakistan a really good proxy. The British certainly made this point when they told the CIA under Tenet that Iran was stealing nuclear secrets from Pakistan. Without the Davis incident (he killed two motorcyclists that probably were trying to assassinate him) we would have far less data on how Pakistani operations might be attributed back to American objectives. Instead an exodus of US operatives now is suggested by some to be related to the drop in US drone attacks in Afghanistan (e.g. disruption of intelligence channels); it probably also is impacting other Pakistan-originated operations that could affect Iran (e.g. Stuxnet).

While there is a case to be made that Pakistan has been a proxy to US and Israeli objectives, that is far from achieving attribution. Maybe Britain was acting on its own, with the support of Germany, on behalf of the US. Time will tell and probably reveal a more complicated picture than we might believe today; and that is just for the physical world. Take for example the overthrow of Iran’s Mossadegh in 1953. It served British objectives, but today we know it was an American-led operation masked to look like an insider revolt against nationalism, despite the fact that the prior year Iran’s nationalist movement fit American interests. Attribution of crowd events was hard. Attribution of Internet crowd events is even harder.