Spy Files Russia – PETER-SERVICE – Wikileaks – September 19th 2017

Today, September 19th 2017, WikiLeaks starts publishing the series “Spy Files Russia” with documents from the Russian company Петер-Сервис (PETER-SERVICE). This release includes 209 documents (34 base documents in different versions) dated between 2007 and 2015.

PETER-SERVICE was founded 1992 in St. Petersburg as a provider for billing solutions and soon became the major supplier of software for the mobile telecommunications industry in Russia. Today it has more than 1000 employees in different locations in Russia, and offices in major cities in Russia and Ukraine. The technologies developed and deployed by PETER-SERVICE today go far beyond the classical billing process and extend into the realms of surveillance and control. Although compliance to the strict surveillance laws is mandatory in Russia, rather than being forced to comply PETER-SERVICE appears to be quite actively pursuing partnership and commercial opportunities with the state intelligence apparatus.

As a matter of fact PETER-SERVICE is uniquely placed as a surveillance partner due to the remarkable visibility their products provide into the data of Russian subscribers of mobile operators, which expose to PETER-SERVICE valuable metadata, including phone and message records, device identifiers (IMEI, MAC addresses), network identifiers (IP addresses), cell tower information and much more. This enriched and aggregated metadata is of course of interest to Russian authorities, whose access became a core component of the system architecture.

Selected components of PETER-SERVICE software

The base architecture of the software from PETER-SERVICE (SVC_BASE) includes components for data retention (DRS [en], [ru]), long-term storage in SORM (SSP, Service СП-ПУ), IP traffic analysis (Traffic Data Mart, TDM) and interfaces (adapters) for state agencies to access the archives.

Traffic Data Mart (TDM)

The Traffic Data Mart is a system that records and monitors IP traffic for all mobile devices registered with the operator. It maintains a list of categorized domain names which cover all areas of interest for the state. These categories include blacklisted sites, criminal sites, blogs, webmail, weapons, botnet, narcotics, betting, aggression, racism, terrorism and many more. Based on the collected information the system allows the creation of reports for subscriber devices (identified by IMEI/TAC, brand, model) for a specified time range: Top categories by volume, top sites by volume, top sites by time spent, protocol usage (browsing, mail, telephony, bittorrent) and traffic/time distribution.

Data Retention System (DRS)

The data retention system is a mandatory component for operators by law; it stores all communication (meta-)data locally for three years. State intelligence authorities use the Protocol 538 adapter built into the DRS to access stored information. According to PETER-SERVICE, their DRS solution can handle 500,000,000 connections per day in one cluster. The claimed average search time for subscriber related-records from a single day is ten seconds.

Service СП-ПУ

In SORM call monitoring functions are concentrated in control points (пунктах управления, ПУ) which are connected to network operators. The Service СП-ПУ is a data exchange interface based on HTTPS between components in SVC_BASE/DRS and SORM. The interface receives search requests from state intelligence authorities and delivers results back to the initiator. Search requests for lawful interceptions (based on a court order) are processed by the operator on the same system.

Deep Packet Inspection products

As a related document, this first release contains a publically available slide show presentation given by Валерий Сысик (Valery Syssik, Director of Development) from PETER-SERVICE at the Broadband Russia Forum in 2013. Titled “National stacks of DPI / BigData / DataMining technologies and solutions for collection and analysis of information, as well as means of predicting social and business trends – the key to digital and financial sovereignty of the state and business in the XXI century”, the presentation – which appears to already be publicly available on PETER-SERVICE’s website – is not targeted at the usual telecom provider, but at a closed group of people from the ФСБ (FSB, Russian Federal Security Service), МВД (Interior ministry of Russia) and the три ветви власти (“three pillars of Power” – legislature, executive and judiciary).

The presentation was written just a few months after Edward Snowden disclosed the NSA mass surveillance program and its cooperation with private U.S. IT-corporations such as Google and Facebook. Drawing specifically on the NSA Prism program, the presentation offers law enforcement, intelligence and other interested parties, to join an alliance in order to establish equivalent data-mining operations in Russia. PETER-SERVICE claims to already have access to a majority of all phone call records as well as Internet traffic in Russia, and in the description of the current experiences, it claims to have deployed technology for Deep Packet Inspection “with not just the headings of IP packets, but the contents of whole series”. PETER-SERVICE is presented as a natural ally for intelligence agencies in “the most lucrative business [of] manipulating minds”.

However, the core of the presentation is about a new product (2013) called DPI*GRID – a hardware solution for “Deep Packet Inspection” that comes literally as “black boxes” that are able to handle 10Gb/s traffic per unit. The national providers are aggregating Internet traffic in their infrastructure and are redirecting/duplicating the full stream to DPI*GRID units. The units inspect and analyse traffic (the presentation does not describe that process in much detail); the resulting metadata and extracted information are collected in a database for further investigation. A similar, yet smaller solution called MDH/DRS is available for regional providers who send aggregated IP traffic via a 10Gb/s connection to MDH for processing.

PETER-SERVICE advertises its experience in SORM technologies – especially DPI – and its ability to collect, manage and analyse “Big Data” for commercial and intelligence purposes. “From DPI solutions for SORM to contextual advertising, we have the experience and the solution. We are offering to coordinate a scalable national solution for control of the digital network. We strive for effective cooperation within a symbolic network alliance: operator – vendor – search engine – business – state organs.”

The above graphics shows the Internet backbone infrastructure in Russia and the nodes at various providers that run components of the proposed DPI*GRID system in different locations. The node TopGun most likely refers to a multi terabit DPI system developed by PETER-SERVICE.

About SORM

SORM is the technical infrastructure for surveillance in Russia. It dates back to 1995 and has evolved from SORM-1 (capturing telephone and mobile phone communications) and SORM-2 (interception of Internet traffic, 1999) to the current SORM-3. SORM now collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations. In 2014, the system was expanded to include social media platforms, and the Ministry of Communications ordered companies to install new equipment with Deep Packet Inspection (DPI) capability. In 2016, SORM-3 added additional classified regulations that apply to all Internet Service providers in Russia. The European Court for Human Rights deemed Russia’s SORM legislation in breach of the European Convention on Human Rights in 2015 (Zakharov v. Russia). [source: https://en.wikipedia.org]


Share on FacebookTweet about this on TwitterShare on Google+Share on RedditPin on PinterestShare on LinkedInDigg thisemail hidden; JavaScript is required
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Vault7 – Protego – Wikileaks – September 2017

Today, September 7th 2017, WikiLeaks publishes four secret documents from the Protego project of the CIA, along with 37 related documents (proprietary hardware/software manuals from Microchip Technology Inc.). The project was maintained between 2014 and 2015.

Protego is not the “usual” malware development project like all previous publications by WikiLeaks in the Vault7 series. Indeed there is no explicit indication why it is part of the project repositories of the CIA/EDG at all.

The Protego project is a PIC-based missile control system that was developed by Raytheon. The documents indicate that the system is installed on-board a Pratt & Whitney aircraft (PWA) equipped with missile launch systems (air-to-air and/or air-to-ground).

Protego consists of separate micro-controller units that exchange data and signals over encrypted and authenticated channels:

» On-board TWA are the ‘Master Processor’ (MP) and the ‘Deployment Box’. Both systems are layed-out with master/slave redundancy.

» The missle system has micro-controllers for the missle itself (‘Missle Smart Switch’, MSS), the tube (‘Tube Smart Switch’, TSS) and the collar (which holds the missile before and at launch time).

The MP unit receives three signals from a beacon: ‘In Border’ (PWA is within the defined area of an operation), ‘Valid GPS’ (GPS signal available) and ‘No End of Operational Period’ (current time is within the defined timeframe for an operation). Missiles can only be launched if all signals received by MP are set to ‘true’. Similary safeguards are in place to auto-destruct encryption and authentication keys for various scenarios (like ‘leaving a target area of operation’ or ‘missing missle’).

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditPin on PinterestShare on LinkedInDigg thisemail hidden; JavaScript is required
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Vault 7 – ExpressLane – 8/24/17

Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services — which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services.

ExpressLane is installed and run with the cover of upgrading the biometric software by OTS agents that visit the liaison sites. Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration disguises behind a Windows installation splash screen.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditPin on PinterestShare on LinkedInDigg thisemail hidden; JavaScript is required
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Vault 7 – CouchPotato and Dumbo – Wikileaks – August 2017

CouchPotato

10 August, 2017

Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.

Dumbo

3 August, 2017

Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.

Dumbo is run by the field agent directly from an USB stick; it requires administrator privileges to perform its task. It supports 32bit Windows XP, Windows Vista, and newer versions of Windows operating system. 64bit Windows XP, or Windows versions prior to XP are not supported.

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditPin on PinterestShare on LinkedInDigg thisemail hidden; JavaScript is required
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Qubes OS 3.1 Overview/Demo/Introduction

An Introduction to Qubes OS

What is Qubes OS?

Qubes OS is a security-oriented operating system (OS). The OS is the software that runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

Why is OS security important?

Most people use an operating system like Windows or OS X on their desktop and laptop computers. These OSes are popular because they tend to be easy to use and usually come pre-installed on the computers people buy. However, they present problems when it comes to security. For example, you might open an innocent-looking email attachment or website, not realizing that you’re actually allowing malware (malicious software) to run on your computer. Depending on what kind of malware it is, it might do anything from showing you unwanted advertisements to logging your keystrokes to taking over your entire computer. This could jeopardize all the information stored on or accessed by this computer, such as health records, confidential communications, or thoughts written in a private journal. Malware can also interfere with the activities you perform with your computer. For example, if you use your computer to conduct financial transactions, the malware might allow its creator to make fraudulent transactions in your name.

Aren’t antivirus programs and firewalls enough?

Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any signature-based antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best of these programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s too late for those who have already been compromised. More advanced antivirus software may perform better in this regard, but it’s still limited to a detection-based approach. New zero-day vulnerabilities are constantly being discovered in the common software we all use, such as our web browsers, and no antivirus program or firewall can prevent all of these vulnerabilities from being exploited.

How does Qubes OS provide security?

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.

This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.

Moreover, all of these isolated qubes are integrated into a single, usable system. Programs are isolated in their own separate qubes, but all windows are displayed in a single, unified desktop environment with unforgeable colored window borders so that you can easily identify windows from different security levels. Common attack vectors like network cards and USB controllers are isolated in their own hardware qubes while their functionality is preserved through secure networking, firewalls, and USB device management. Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root filesystem without sacrificing security (and saving disk space, to boot). Qubes even allows you to sanitize PDFs and images in a few clicks. Users concerned about privacy will appreciate the integration of Whonix with Qubes, which makes it easy to use Tor securely, while those concerned about physical hardware attacks will benefit from Anti Evil Maid.

How does Qubes OS compare to using a “live CD” OS?

Booting your computer from a live CD (or DVD) when you need to perform sensitive activities can certainly be more secure than simply using your main OS, but this method still preserves many of the risks of conventional OSes. For example, popular live OSes (such as Tails and other Linux distributions) are still monolithic in the sense that all software is still running in the same OS. This means, once again, that if your session is compromised, then all the data and activities performed within that same session are also potentially compromised.

How does Qubes OS compare to running VMs in a conventional OS?

Not all virtual machine software is equal when it comes to security. You may have used or heard of VMs in relation to software like VirtualBox or VMware Workstation. These are known as “Type 2” or “hosted” hypervisors. (The hypervisor is the software, firmware, or hardware that creates and runs virtual machines.) These programs are popular because they’re designed primarily to be easy to use and run under popular OSes like Windows (which is called the host OS, since it “hosts” the VMs). However, the fact that Type 2 hypervisors run under the host OS means that they’re really only as secure as the host OS itself. If the host OS is ever compromised, then any VMs it hosts are also effectively compromised.

By contrast, Qubes uses a “Type 1” or “bare metal” hypervisor called Xen. Instead of running inside an OS, Type 1 hypervisors run directly on the “bare metal” of the hardware. This means that an attacker must be capable of subverting the hypervisor itself in order to compromise the entire system, which is vastly more difficult.

Qubes makes it so that multiple VMs running under a Type 1 hypervisor can be securely used as an integrated OS. For example, it puts all of your application windows on the same desktop with special colored borders indicating the trust levels of their respective VMs. It also allows for things like secure copy/paste operations between VMs, securely copying and transferring files between VMs, and secure networking between VMs and the Internet.

How does Qubes OS compare to using a separate physical machine?

Using a separate physical computer for sensitive activities can certainly be more secure than using one computer with a conventional OS for everything, but there are still risks to consider. Briefly, here are some of the main pros and cons of this approach relative to Qubes:

Pros
  • Physical separation doesn’t rely on a hypervisor. (It’s very unlikely that an attacker will break out of Qubes’ hypervisor, but if one were to manage to do so, one could potentially gain control over the entire system.)
  • Physical separation can be a natural complement to physical security. (For example, you might find it natural to lock your secure laptop in a safe when you take your unsecure laptop out with you.)
Cons
  • Physical separation can be cumbersome and expensive, since we may have to obtain and set up a separate physical machine for each security level we need.
  • There’s generally no secure way to transfer data between physically separate computers running conventional OSes. (Qubes has a secure inter-VM file transfer system to handle this.)
  • Physically separate computers running conventional OSes are still independently vulnerable to most conventional attacks due to their monolithic nature.
  • Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.

(For more on this topic, please see the paper Software compartmentalization vs. physical separation.)

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditPin on PinterestShare on LinkedInDigg thisemail hidden; JavaScript is required
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •