PI-PMS Report - final - Privacy International

IPT 14/85/CH / Statement of Peter Sommer, p 1
IN THE INVESTIGATORY POWERS TRIBUNAL
Case No. IPT 14/85/CH
BETWEEN:
PRIVACY INTERNATIONAL
Claimant
and
(1) SECRETARY OF STATE FOR FOREIGN AND COMMONWEALTH AFFAIRS
(2) GOVERNMENT COMMUNICATION HEADQUARTERS
Respondents
IN THE INVESTIGATORY POWERS TRIBUNAL
Case No. IPT 14/120-126/CH
BETWEEN:
GREENNET LIMITED
RISEUP NETWORKS, INC
MANGO EMAIL SERVICE
KOREAN PROGRESSIVE NETWORK (“JINBONET”)
GREENHOST
MEDIA JUMPSTART, INC
CHAOS COMPUTER CLUB
Claimants
and
(1) SECRETARY OF STATE FOR FOREIGN AND COMMONWEALTH AFFAIRS
(2) GOVERNMENT COMMUNICATION HEADQUARTERS
Respondents
________________________________________________________________________
EXPERT REPORT OF PROFESSOR PETER MICHAEL SOMMER
________________________________________________________________________
1. I am instructed by Bhatt Murphy, solicitors who act for the Claimants,
to provide the Tribunal with expert evidence in relation to the
technical features of the various forms of Computer Network
Exploitation and Equipment Interference. I am asked to provide a
description and to indicate the degree of interference with privacy
involved in such activities, and issues that may arise in the
authorisation and deployment of these techniques and their oversight.
2. For the purpose of this Report my over-riding duty is to the Tribunal
and not to those who instruct me. I understand that the Tribunal does
not have procedural rules similar to those in the Civil and Criminal
Courts but nevertheless I have followed the obligations on Expert
Witnesses laid down in Civil Procedure Rule 35 and Criminal
Procedure Rule 33 (Rule 19 in the version with effect from 5 October
2015).
3. This Report is aimed principally at addressing elements in Item 6 in
the Proposed Legal Issues document of 27 July 2015 and in particular
providing factual evidence to support the assumptions that the use of
CNE might have involved the following:
• The obtaining of information from a particular device, server
or network. (item a)
• The creation, modification or deletion of information on a
device, server or network. (item b)
• The carrying out of intrusive surveillance. (item c)
• The use of CNE in respect of numerous devices, servers or
networks, without having first identified any particular device
or person as being of intelligence interest. (item e)
• The use of CNE to weaken software or hardware at its source,
prior to its deployment to users. (item f)
• The obtaining of information for the purpose of maintaining or
further developing the intelligence services’ CNE capabilities.
(item g)
I understand that item 6(d) is being addressed in a report by my
colleague Professor Ross Anderson.
4. In addition the Report also sets out my opinion on the following
elements in Item 5:
• What records ought to be kept of CNE activity? Is it necessary
that records of CNE activity are kept that record the extent of
the specific activity and the specific justification for that
activity on grounds of necessity and proportionality,
identifying and justifying the intrusive conduct taking place?
(item b)
• What, if any, is the relevance of the fact that, until February
2015, it was neither confirmed nor denied that the
Respondents carried out CNE activities at all? (item d)
• What, if any, is the relevance of the Covert Surveillance and
Property Interference Code, issued in 2002 and updated in
2010 and 2014? (item e)
• What, if any, is the effect of the publication of a Draft
Equipment Interference Code of Practice in February 2015?
(item f)
• What, if any, is the relevance of the Intelligence Services
Commissioner’s oversight of the use of the powers contained
within ISA 1994? (item g)
• What, if any, is the relevance of the oversight by the Tribunal
and the Intelligence and Security Committee of Parliament?
(item h)
Qualifications
5. I am an academic and cyber security consultant. I have acted as an
expert, over the last 20 years, in many criminal and civil proceedings
in the UK and elsewhere usually where digital evidence has been an
issue including official secrets, terrorism, state corruption, global
hacking, murder, corporate fraud, privacy, defamation, breach of
contract, copyright breach, professional regulatory proceedings,
harassment, allegations against the UK military in Iraq and child
sexual abuse. Particular themes have been situations where the Court
requires assistance to understand technology and assessments of
quantum and extent of damage. I have acted as an expert for the
prosecution and defence, for claimants and defendants and have
advised governments and individuals.
6. My first degree is in law, from Oxford University. Until 2011 I was a
Visiting Professor in the Department of Management at the London
School of Economics. I am currently a Visiting Professor at De
Montfort University Cyber Security Centre and lecture, examine and
validate curricula at other universities. I have been a specialist
advisor in the House of Commons and consulted for the OECD, the
UN, the European Commission, the UK Cabinet Office Scientific
Advisory Panel on Emergency Response, the UK National Audit
Office, the Audit Commission and the Home Office. The OECD
work, written with Professor Ian Brown of Oxford University,
addressed the cyber aspects of Future Global Threats. I have given
evidence to the Home Affairs and Science & Technology Select
Committees, the Joint Committee on the Communications Data Bill
and to the Intelligence and Security Committee.
7. I am the author, pseudonymously, of The Hacker's Handbook,
DataTheft and The Industrial Espionage Handbook and under my own
name Digital Evidence, Digital Investigations and E-Disclosure
(IAAC) now in its 4th edition.
8. During its existence I was the joint lead assessor for the digital
speciality at the Home Office-sponsored Council for the Registration
of Forensic Practitioners and currently advise the UK Forensic
Science Regulator and the Home Office on communications data.
9. I am a Fellow of the British Computer Society and also a Fellow of
the Royal Society of Arts.
What techniques are involved in “Computer Network Exploitation” and
“Equipment Interference”?
10. Computer Network Exploitation - CNE - means the use of what are
commonly called “hacking” techniques in order to gain access to
computer-held information. It can also refer to aggressive destructive
actions, for example to disable or disrupt a computer resource.
Equipment Interference - EI - refers to a number of related specific
techniques; the interference can be to software including operating
systems but also to hardware. A related three-letter acronym, CNA,
stands for Computer Network Attack, activities designed to destroy or
degrade the computer resources of others. The terms are, to an extent,
used interchangeably.
11. Equipment Interference, as it appears in the Home Office’s Draft Code
of Practice (“Draft EI CoP”) published in February 2015[1] uses
language which, intentionally or not, does not make obvious what in
practice is involved. Similarly the Home Office Covert Surveillance
and Property Interference Code of Practice of December 2014[2] appears
at first reading to be about authorisations in particular circumstances to
enter private premises without saying that frequent reasons for so
doing include the planting of devices that will capture activities within
those premises via audio and video and transmit the results – by wire,
radio, mobile phone or other means – so that they can be heard, and if
appropriate, recorded and analysed by investigators. None of the
provided examples refer to this.
12. Paragraph 1.6 of the Draft EI CoP refers to the following:
This code applies to (i) any interference (whether remotely or otherwise)
by the Intelligence Services, or persons acting on their behalf or in their
support, with equipment producing electromagnetic, acoustic and other
emissions, and (ii) information derived from any such interference, which
is to be authorised under section 5 of the 1994 Act, in order to do any or all
of the following:
a) obtain information from the equipment in pursuit of intelligence
requirements;
b) obtain information concerning the ownership, nature and use of the
equipment in pursuit of intelligence requirements;
c) locate and examine, remove, modify or substitute equipment hardware
or software which is capable of yielding information of the type
described in a) and b);
d) enable and facilitate surveillance activity by means of the equipment.
[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/401863/Draft_Equipment_Interference_Code_of_Practice.pdf
[2] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/384975/Covert_Surveillance_Property_Interrefernce_web__2_.pdf
“Information” may include communications content, and communications
data as defined in section 21 of the 2000 Act
13. The position of the Agencies, referred to in the Proposed Legal Issues
document, is that they neither confirm nor deny (“NCND”) their
capabilities. One reason for this is that they fear that publication
would alert their targets who would then take more effective evasive
action[3]. The problem with this position is that politicians who grant
general powers through legislation and Codes of Practice, those who
authorise specific activity and those charged with pre- and post-deployment oversight may not have sufficient understanding of the
levels of intrusion involved in an application and hence not be able to
make informed judgements about necessity, proportionality and issues
of collateral intrusion. In addition, as will be seen later, a number of
actual acts of exploitation involve several stages of technical activity
each of which perhaps ought to be the subject of separate
authorisations.
14. It might appear that the only sources of public information about the
use of various EI technologies by government agencies are described
in the Snowden papers as published by various news outlets and
unredacted passages in the Privacy and Security Report of the
Intelligence and Security Committee of Parliament (“ISC Report”)[4]
published in March 2015.
15. But there is a substantial literature going back over 40 years on
“hacking” and cybercrime techniques. The authors include academics,
analysts employed by ‘malware’ (malicious software) detection and
security companies[5], specialists in digital forensics, expert witnesses
providing evidence in court and specialist technical journalists[6]. There
[3] Respondent’s Open Response paras 4-9
[4] https://b1cba9b3-a-5e6631fd-s-sites.googlegroups.com/a/independent.gov.uk/isc/files/20150312_ISC_P%2BS%2BRpt%28web%29.pdf?attachauth=ANoY7crYc43Cbff6kwUhw2tElXsnPjfTY60jAkf2L6dyGPaMXrTNy4Sq88aR13DmKI6G7R440yegEMPM0Tgb6vxgrrG3gXOtPXChZkVMnXb42oeUg_0HyTWoBIHTC_4TU8nmXF302GttG5HOZ01qbnAglR1bzPI2ISows98Q0mRS3OMv4EEENcNmcrQv7ofxOVr9ubqBWfAxvNKydeaucjRnaBLeQVz7pfPWmsWDkRAOeRKB8PYqsvJ3-Pl0o5CgG5D4MF1uJm9g&attredirects=0
[5] For example https://securelist.com/ , http://www.symantec.com/security_response/
[6] For example http://krebsonsecurity.com/, https://www.schneier.com/
are also specialist conference series such as ‘BlackHat’[7] and ‘Defcon’
where such techniques are presented and discussed[8]. “Penetration
Testers”, sometimes known as ‘White Hat’ Hackers, are technicians
employed by businesses to test the security of their systems by
employing hacking techniques to an agreed and designed agenda to
examine whether the business has proper security procedures and
systems. Some collections of tools used by penetration testers are
freely available, for example Kali Linux and Metasploit[9]. These are
collections of software tools that bring together a range of CNE
techniques to allow such techniques to be deployed quickly and easily.
These tools are freely available and do not require extensive technical
skill to make use of, although a skilled user will obviously be able to
do more.
16. Hacking in the non-Agency world may be carried out for a variety of
reasons: as a demonstration of technical skill (recreational hacking),
as a form of propaganda to draw attention to a political or ideological
aim, as an element in perpetrating a crime such as theft, criminal
damage and extortion, as a means of industrial espionage, as a means
of destroying the reputation of an individual or an organisation, as a
means of circumventing copyright protections. People with these
different aims may use the same or very similar techniques.
17. GCHQ will be fully aware of this literature both for its own CNE
activities and as part of its remit to provide advice on cyber defence
via its CESG unit. To put it in a more tabloid fashion – if certain
exploit tools can be deployed by 16- and 17-year-olds to significant
effect as I have seen in my practice as an expert witness then it would
be very surprising if GCHQ were not able to call upon and use similar
or better techniques.
[7] https://www.blackhat.com
[8] https://www.defcon.org
[9] https://www.kali.org/. There are also a number of related books, eg Kali Linux: Assuring Security by
Penetration Testing and Mastering Kali Linux for Advanced Penetration Testing
18. It is thus relatively easy to assist the Tribunal about many of the
CNE/EI techniques from open sources. There is no definitive
generally agreed taxonomy of hacking methods and, as will be seen,
many actual exploits may require more than one hacking technique to
achieve success. The paragraphs that follow provide a non-exhaustive
overview of some of the most widely-used; there is some unavoidable
overlap in some of the descriptions and some exploits can be placed in
more than one category. Later I will also refer to some of the
“Snowden” slides.
Remote Access: Software
19. The simplest form of unauthorised remote access to a computer is to
acquire by some means its sign-on credentials. The means can
include “shoulder surfing”, watching a legitimate user, and social
engineering tricks[10] such as phishing[11], but also information acquired
through the examination of paperwork linked to a user. It is also
possible to use “brute force” guessing of credentials, the successive
trying of possible passwords until one is successful.
20. Credentials may also be obtained as a by-product of deploying, on
other devices that hold them, some of the techniques explained below.
Armed with the credentials the intruder can then use the
computer in exactly the same way as a legitimate user; indeed it may
not be possible, from the digital evidence alone, to distinguish
between the intruder and the legitimate user.
21. Personal Computers. Beyond this it is trivially easy to control a
personal computer and many other devices remotely across a network
including the Internet. Facilities to do so are included in most
versions of Microsoft Windows in the form of “Remote Desktop
Connection”[12]. The main aims are, for example, to allow a user to
access an office computer from home or a travelling user to access a
[10] To induce some-one to carry out an action against their interests – see paragraph 68 below.
[11] The sending of booby-trapped email and the use of booby-trapped websites.
[12] http://windows.microsoft.com/en-gb/windows/connect-using-remote-desktop-connection#connect-using-remote-desktop-connection=windows-7
home computer, and to allow users to receive remote assistance from
a technician. More sophisticated facilities are available via such
commercial products as TeamViewer[13], Logmein[14] and
GoToMyPC[15]. The essence is that the computer to be remotely
accessed needs to have present a small program which can receive
and accept remote commands.
22. There are two types of facility – the ability to view and interact with
the computer in the same way as a local user, and the ability to see
and explore a list of files on the remote computer in much the same
way as in “My Computer” or “File Manager”. Files can be
downloaded from the remote computer and indeed uploaded to it.
23. The programs mentioned above are overt in their operation and in
practice the technical problems for investigators are not the basic
facilities but finding ways to make the operation covert. The aspects
that need to be addressed are:
23.1. To insert software on to the target computer without being
detected; it will need to evade any malware-detection programs
likely to be present. The usual mechanisms are via compromised
attachments in emails, via code embedded in websites and via
compromised USB sticks.
23.2. To hide any sign that the software exists and the device is
being remotely controlled – the hiding has to include any on-screen activity but also the presence of untoward files.
23.3. To hide the fact that data is being transmitted from the
computer; this will need to evade security facilities such as
firewalls.
24. Commercial and hacker programs to achieve these aims are widely
available. Hacker programs are also known as Trojans and RATs –
[13] https://www.teamviewer.com/
[14] https://secure.logmein.com/
[15] https://www.gotomypc.com
Remote Access (or Administration) Tools – and have been in
existence for at least 30 years[16]. Commercial programs are aimed at
businesses concerned about their employees, private investigators
and private individuals concerned about partners and family
members and at costs from about £60. These programs offer, in
addition to the simple remote viewing and file access, the scrutiny of
live activity, keystroke monitoring, email tracking, web activity
monitoring, and the remote use of microphones and web cameras.[17]
This audio and video capability may have the benefit that there is
then no need to use conventional bugs of the sort installed under a
Property Interference warrant[18]. The significance of these will be
discussed later.
25. Commercial and hacker programs tend to rely on a mixture of social
engineering[19] – tricking individuals into performing actions that
assist the intruder, such as ignoring a security alert, or giving up their
password and other confidential information – and technical tricks.
Often the latter exploit discovered defects in operating systems and
application programs. The most sophisticated of these technical tricks
are multi-stage – this approach makes detection more difficult. Once
a particular defect or bug is known malware detection programs are
adapted to find them so that the commercial and hacker programs
must constantly be updated in order to remain effective.
26. Thus the secrecy GCHQ may be justified in seeking via NCND is not
the basic facts of the possibilities of remote control and remote
access but the precise technical methods by which they are achieved.
27. Forensic Access. A further development of the PC-based activity
monitoring programs referred to above is the use of digital forensic
[16] Examples include HakaTak, Blackshades, Back Orifice and many others
[17] Examples include SpyAgent (http://www.spytech-web.com/spyagent.shtml), Webwatcher
(http://www.webwatcher.com), PC Pandora (http://www.pcpandora.com/), Spector Pro
(http://www.spectorsoft.com/products/), and eBlaster
(http://www.spectorsoft.com/products/eblaster_windows/).
[18] The audio and video would only be captured in the vicinity of the computer – but the computer may be a
laptop or tablet.
[19] See also paragraph 68 below
analysis programs in remote mode. Regular digital forensic analysis
programs are able to access the entirety of a hard disk as opposed to
those elements that are normally presented to the regular user.
Among other things they can perform recovery of deleted data and in
some instances restore a disk to a previous state. The major
products in this arena can also carry out remote analyses, once an
appropriate server has been installed[20]. In addition they can carry out
live interrogations, which may be useful if the target computer is
encrypted or is itself accessing other remote services which are
password and/or encryption protected. There is also a facility to
download a full forensic disk image of a target computer for later,
off-line analysis.
28. Smart phones. The above accounts deal with personal computers.
Similar techniques exist for smart phones, though achieving results
may require the use of different techniques[21]. Commercial “activity
monitoring” software is available[22]. Smartphone monitoring
software can also collect geolocation data, social media activity and
SMS text messages.
29. Tablets. In terms of investigatory issues tablets are very similar to
smartphones, lacking only the “phone” aspect; the main operating
systems, Android and Apple iOS, are shared between smartphones
and tablets.
30. Mainframes. The oldest targets of hacking were large mainframe
computers. Most mainframes have remote access facilities and the
simplest form of intrusion is to use compromised access control
facilities – username and password combinations. Many
[20] https://www.guidancesoftware.com/products/Pages/encase-enterprise/overview.aspx;
http://accessdata.com/solutions/digital-forensics/ad-enterprise; https://www.f-response.com/software/cec
[21] https://www.blackhat.com/docs/us-15/materials/us-15-Trummer-QARK.pdf and
http://tools.kali.org/hardware-hacking/android-sdk and http://www.cnet.com/uk/news/researcher-finds-mother-of-all-android-vulnerabilities/ and http://9to5mac.com/2015/06/17/major-zero-day-security-flaws-in-ios-os-x-allow-theft-of-both-keychain-and-app-passwords/; http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
[22] For example http://www.mobile-spy.com/, https://mobile-tracker-free.com/,
http://www.phonesheriff.com/, http://www.mspy.com/
organisations have centralised server facilities – for email, shared
files and corporate Internet access. The most popular of the products
in use is the Microsoft Exchange Server family – this would be
vulnerable to many of the hacks used for Microsoft desktop
(Windows) products. The potential “harvest” and also the dangers of
collateral intrusion depend on the information held and processed on
the mainframe.
31. Cloud Services. Many individuals and organisations use ‘cloud-based’ services both for data storage and large-scale data-processing.
Web-mail, where emails are received and sent via a web-browser as
opposed to via a program on a PC or phone in which the archived
emails are stored locally, is also a cloud service. Under web-mail
emails sent and received are held on the cloud’s servers. Access to these
services is usually via username/password credentials. Presumably
the Agencies will in some circumstances have access via specific or
general warrant, but UK law, discussed below, also gives a route via
the amendment of s 10 Computer Misuse Act 1990 in s 44 Serious
Crime Act 2015 which allows for police and agency use of
“computer interference” techniques. The potential “harvest” and also
the dangers of collateral intrusion depend on the information held
and processed on the cloud service.
32. “Back-doored” and compromised software. A further route to
gaining access to a device beyond those referred to above (see
paragraph 23) is to offer enticing programs or apps which themselves
contain a hidden Trojan/RAT. They can also contain command-and-control software[23] for BotNets (see below) though a number of those
so far uncovered seem directed at fraud and extortion rather than
exfiltration of information.
[23] http://www.computerworld.com/article/2487533/security0/android-trojan-app-targets-facebook-users.html; http://www.pcworld.com/article/2360460/trojan-app-encrypts-files-on-android-devices-and-asks-for-ransom.html; http://www.v3.co.uk/v3-uk/news/2328691/android-apps-with-trojan-sms-malware-infect-300-000-devices-net-crooks-usd6m
33. Mass Remote Control: Botnets. The taking over of a computer and
controlling it remotely can be expanded to the point at which very
large numbers of poorly protected computers are compromised and
herded together in what is called a BotNet (robot network) – a
network of compromised computers that can be instructed, en masse,
to carry out the controller’s instructions. The main criminal use of
these botnets is to create a Distributed Denial of Service (DDoS)
attack in which a target computer is overwhelmed with large
numbers of requests sent by the computers in the BotNet.[24] In the
cybercrime world these then are often accompanied by demands
relating either to some ideological objective or to extortion[25].
Website Injection
34. Website injection can consist of planting covert code on a website so
that visitors are induced either to give away information about
themselves (via a form of social engineering) which can then be later
exploited or to receive a Trojan providing backdoor access to their
computer[26]. The website may be genuine and have been hacked or
may have been created by the hackers, perhaps to masquerade as a
“real” website.
35. Another example is SQL Injection. In this, specially crafted input
submitted to a website is used to make the website’s database run
commands of the attacker’s choosing, typically in order to download
the contents of an associated database. Many websites consist of a “front-end” – the pages the users see – and a “back-end”, a database of
customer information, orders in progress etc. When a visitor asks the
website for information, code on the page translates that into a query
[24] There are a number of variants.
[25] http://motherboard.vice.com/read/history-of-the-ddos-attack;
http://www.digitalattackmap.com/understanding-ddos/; http://www.techrepublic.com/article/chinese-government-linked-to-largest-ddos-attack-in-github-history/; http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787;
http://www.theregister.co.uk/2014/12/17/london_teen_pleads_guilty_to_spamhaus_ddos/;
https://en.wikipedia.org/wiki/Operation_Payback; http://www.cnet.com/news/wikileaks-endures-a-lengthy-ddos-attack/
[26] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
to the database. When the database responds, web page code
translates the result into a page which is then seen by the user. Very
often the database works to a computer language known as SQL –
Structured Query Language. In a poorly protected website, where the
visitor’s input is pasted into the text of the query rather than passed
to the database separately as a parameter, a knowledgeable hacker can
craft input that alters the SQL the database executes and use that
to download all or substantial parts of the database.[27]
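As an added illustration of the defect just described (example code written for this edition, not material from the report or from any of the sources it cites), the following Python builds a toy order-lookup back-end over SQLite. One function pastes the visitor’s input into the query text, the other passes it as a bound parameter; the same two payloads are run against both. The table contents, the two payload strings and the function names are constructed for the example.

```python
"""Added example (not from the report): SQL injection against a toy
order-lookup back-end, and the parameterised query that defeats it.
All table contents are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database: a public 'orders' table that the page is meant
    to query, and a 'customers' table the website never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders(id INTEGER, customer TEXT, item TEXT);
        CREATE TABLE customers(id INTEGER, name TEXT, email TEXT,
                               password_hash TEXT);
        INSERT INTO orders VALUES (1, 'alice', 'book'), (2, 'bob', 'lamp');
        INSERT INTO customers VALUES
            (1, 'alice', 'alice@example.org', 'hash-of-alice-pw'),
            (2, 'bob',   'bob@example.org',   'hash-of-bob-pw');
        """
    )
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The 'poorly protected' version: the visitor's input is spliced
    straight into the SQL text, so a quote character in the input closes
    the string literal and whatever follows becomes part of the query."""
    sql = "SELECT item FROM orders WHERE customer = '%s'" % customer
    return [row[0] for row in conn.execute(sql)]


def orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened version: the input is sent as a bound parameter, so the
    database treats it purely as a value to compare, never as SQL."""
    sql = "SELECT item FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


# Two classic payloads (constructed). The first widens the WHERE clause so
# every order is returned; the second uses UNION to pull rows out of a
# different table and '--' to comment out the closing quote the page appends.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_DUMP_CUSTOMERS = (
    "' UNION SELECT email || ':' || password_hash FROM customers --"
)


def demo() -> dict:
    """Run a normal lookup and both payloads through both versions."""
    conn = make_db()
    return {
        "normal": orders_vulnerable(conn, "alice"),
        "vuln_all_rows": orders_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "vuln_dump": orders_vulnerable(conn, PAYLOAD_DUMP_CUSTOMERS),
        "safe_all_rows": orders_safe(conn, PAYLOAD_ALL_ROWS),
        "safe_dump": orders_safe(conn, PAYLOAD_DUMP_CUSTOMERS),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} {rows}")
```

Against the vulnerable function the first payload returns every order and the second returns the e-mail addresses and password hashes of every customer, which is the “download all or substantial parts of the database” outcome described above; the parameterised version returns nothing for either, because it is looking for a customer literally named after the payload string.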
Service Provider Compromise
36. “Service Provider” in this context means a business operating on the
web that allows participants to send messages and files, post
information about themselves, conduct e-commerce and Internet
look-up facilities, picture editing etc.[28] The techniques of getting
unauthorised access to such services are the same as those mentioned
above but because of the volume of personal data likely to be
available the consequences are much greater[29].
[27] http://www.darkreading.com/risk/sql-injections-top-attack-statistics/d/d-id/1132988?;
http://www.eweek.com/security-watch/sony-woes-continue-with-sql-injection-attacks.html
[28] Google, Facebook, Amazon, Apple, Twitter and many smaller and less well-known entities all fall into
this category so do retail operations with a significant online presence
[29] Among significant hacks of this kind: Ashley Madison (http://www.bbc.co.uk/news/technology-34002915), Carphone Warehouse (http://www.independent.co.uk/news/uk/crime/carphone-warehouse-hack-24-million-customers-details-breached-after-cyberattack-10446745.html) , Target
(http://www.businessinsider.com/heres-what-happened-to-your-target-data-that-was-hacked-2014-10?IR=T)
Hardware Exploits
37. The techniques referred to so far involve software-based exploits.
They tend to be easier to deploy as often targets can be induced to
install them themselves having been tricked via social engineering.
Once the cyber security community is aware of their existence
detection software can be written. Hardware-based exploits often
require physical access to targets; but their advantages are that
software detection tools may not be able to locate their presence and
they may also have “persistence”, a feature discussed below.
38. The need for physical access may mean that in some circumstances
an Equipment Interference authority will also require one for
Property Interference.
39. Keyloggers. The purpose of a keylogger is to capture and record
keystrokes from the legitimate user of a computer. The most
common aim is to acquire username/password credentials.
Keyloggers are available in software (see paragraph 24 above) but a
hardware device consists of a small unit placed between a keyboard
and a computer. Commercial versions are available for a few
pounds[30].
40. KVMs. KVM stands for Keyboard Video and Mouse and is an item
of hardware with a legitimate use of allowing an operator to have one
keyboard, video display and mouse which can be quickly switched
between several computers. Its main use is by technical staff who
may have to manage large numbers of computers. A KVM allows
them to use a single keyboard, mouse and display screen, rather than
have to have separate devices for each computer. But these devices
can be modified to provide hardware-based keylogging and remote
access. The technique was used against Barclays and Santander and
[30] For example, on Amazon: http://www.amazon.co.uk/KeyGrabber-USB-KeyLogger-8MB-Black/dp/B004TUBOKW
referred to in a trial which concluded in 2014.[31] The modified KVM
was linked to a 3G data dongle to allow stolen information to be
exfiltrated and bank computers remotely controlled.
41. PCs. All personal computers have on their motherboard a piece of
firmware (software on a chip) the function of which is that when the
computer is powered up, the computer is made aware of the hardware
– keyboard, display unit, in/out ports, storage devices – attached to
it. It then seeks out a storage device, typically a hard disk, CD/DVD
drive, USB stick, looking for an operating system. All being well,
the operating system is located and the computer is “booted up”.
This piece of firmware is known as the BIOS (Basic Input/Output
System); on more recent computers the same role is performed by
UEFI firmware, but the term BIOS remains in common use. The BIOS
is designed to be re-writeable so that, if necessary, the detail of its
operations can be subsequently upgraded.
42. It is possible to subvert the process so that the BIOS contains
additional features which can include enabling remote access. The
advantages of this approach are two-fold. First, regular malware
detection only looks at the contents of a hard disk and not any
activity before the hard disk is started up. Second, the facility is
persistent. The wiping of a hard disk or even its entire replacement
will not defeat the BIOS-based program. The use of this technique
was much criticised when the manufacturer Lenovo was discovered
to have placed persistent advertising software (‘adware’) on some of
its laptops[32].
43. Hard Disks. Hard disks consist of the magnetic platters upon which
the data is stored, a series of heads which move across the platters to
the specific location where the data is stored and some controller
hardware which accepts commands from the PC and then directs the
heads to read or write the data. The controller hardware can be
[31] http://www.theregister.co.uk/2014/04/25/kvm_crooks_jailed/;
http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-1.3-million-police-say.html
[32] http://arstechnica.co.uk/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
IPT 14/85/CH / Statement of Peter Sommer, p 17
modified so as to create hidden partitions; in fact manufacturers can
use this facility to determine the capacity of a disk as sold to the
public.33
44. USB sticks as vectors of malware USB sticks are normally used as
a low-cost, small-sized means of storing data and transferring data
from one device to another. They can also be used as “boot” devices
on PCs – the USB stick contains an entire operating system and the
PC is started from the stick rather than the hard drive. One use for
this is to “run” an alternative operating system such as Linux while
leaving the original hard disk – perhaps with Windows – intact34.
45. USB sticks can be used to insert malware on a PC without the
knowledge of the owner by use of the “autorun” facility. When a
USB stick is inserted into a PC, the PC will, unless the facility has
been deliberately disabled, list out its contents. If among the contents
is a file called ‘autorun.inf,’ a program referred to in the file will then
immediately run. The facility has a number of legitimate uses but the
program may be malware.
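The autorun.inf mechanism just described is simple enough to check for directly. The following is an added example (not from the report or any product it mentions): a small triage helper that parses the INI-style autorun.inf format and reports which program the file would launch and whether it dresses the launch up with a custom icon, label or action text. The two sample files are constructed for illustration; the file names in them are not real samples.

```python
"""Inspect an autorun.inf and report what it would launch (added triage example)."""
import re

# Directives that name something to execute or open when the media is inserted.
EXEC_KEYS = ("open", "shellexecute")
# Directives that only change how the drive and its prompt are presented.
DISPLAY_KEYS = ("icon", "label", "action", "useautoplay")

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}} with keys lowercased.

    Later duplicate keys overwrite earlier ones (last-wins, as INI readers do);
    lines starting with ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = m.group("value")
    return sections


def inspect_autorun(text):
    """Return a triage summary for one autorun.inf.

    'would_launch' lists every program the [autorun] section would run;
    'disguise' collects the presentation keys that can make the prompt look
    like a harmless "Open folder" entry.
    """
    sections = parse_autorun(text)
    autorun = sections.get("autorun", {})
    launches = [(k, autorun[k]) for k in EXEC_KEYS if k in autorun]
    return {
        "would_launch": launches,
        "launch_count": len(launches),
        "disguise": {k: autorun[k] for k in DISPLAY_KEYS if k in autorun},
        "other_sections": sorted(s for s in sections if s != "autorun"),
    }


# Constructed sample of the kind of file the paragraph describes (illustrative
# names only, not taken from any real sample).
SAMPLE_MALICIOUS = """\
[autorun]
; make the entry look like an ordinary folder
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=Holiday Photos
open=recycler\\update.exe
shellexecute=recycler\\update.exe
useautoplay=1
"""

# Constructed benign sample: sets an icon and label only, launches nothing.
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Driver Disc
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_autorun(sample))
```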
46. A more sophisticated version involves reprogramming a USB
peripheral so that although it appears to be a storage device it
emulates a keyboard and calls a malicious program which could, for
example, install a back-door. Nothing untoward will appear on
screen. This is referred to as “BadUSB”35.
47. Many accounts of the Stuxnet malware used to compromise Iranian
centrifuges used in nuclear fuel production claim that USB devices
were used as the infection vector.36
33 https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-296267BEB146864A2671.pdf; http://www.atola.com/products/insight/disk-utilities.html
34 For example: http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows; http://www.pendrivelinux.com/
35 https://srlabs.de/badusb/
36 http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/; http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
48. Smartphones On a smartphone the whole of the operating system is
in firmware and can be completely changed. Indeed this is the
process when manufacturers upgrade the operating system – many
recently-purchased but slightly older Android-based smartphones will
have been bought with version 4 of the operating system and then
given an over-the-air upgrade to version 537. On the iPhone and
iPad there is a current transition from version 8 to version 9.
Although most regular upgrades are over-the-air (via a download
from an official site) it is also possible to install an upgrade
manually38 and also introduce a new operating system with more
facilities than the official one39. In addition mobile phone companies
who have sold phones “locked” to their particular network are able to
send upgrades and alterations without the customer being aware.
This facility gives the opportunity to create a back-door access to
smartphones.
49. It is also possible to inject malware, including remote access, via a
SIM card. It appears that the injection has to be made by, or carried
out with the co-operation of, the mobile phone company40.
50. Wifi Access Points Most customers of Internet broadband facilities
receive their services through a device called a hub which combines a
modem to connect via a telecommunications service (telephone,
cable) and a means of internal distribution via a local area network.
Often the internal distribution is via wifi. Many retail outlets, coffee
shops, hotels and travel locations – airports, train stations – offer
Internet access via wifi hotspots41. The devices which perform this
function are all designed to be upgradeable42; just as with PCs and
37 In fact there are usually a number of minor upgrades to each major version.
38 http://xda-university.com/as-a-user/android-flashing-guide
39 For example Cyanogen: http://www.cyanogenmod.org/
40 http://www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flawcould-affect-millions-of-phones/ ; http://www.theverge.com/2015/2/24/8101585/the-nsas-sim-heist-couldhave-given-it-the-power-to-plant-spyware-on
41 In 2013 one major UK supplier, The Cloud, owned by BSkyB, claimed that 10 m UK adults logged on to one of its sites every week. http://www.ispreview.co.uk/index.php/2013/04/10-million-britons-a-weeklogging-on-to-public-wifi.html
42 http://www.thegeekstuff.com/2009/06/how-to-upgrade-linksys-wireless-router-firmware/
smartphones, the upgrade facility can be subverted43. A common
criminal application is the so-called “evil twin”, a subverted device
which appears legitimate, entices users to log on but is able to
intercept traffic passing through it44. This route would also be useful
to Agencies and law enforcement in circumstances where an
interception warrant on a communications service provider under
RIPA Part 1 Chapter 1 was for one reason or another difficult to
obtain, for example where premises were thought to be used to share
and download information but there was incomplete information
about all possible users such that they could be identified.
51. Switches Physically the Internet consists of a series of cables and
switches; the function of the switches is to direct Internet packets –
information travelling over the Internet – towards their destination.
The switches also collect information about network conditions so
that packets can if necessary be rerouted via less congested paths45.
The cables and switches vary considerably in their capacity – smaller
for local traffic, very large for traffic between continents. Most
switches are remotely accessible and upgradeable for routine
management purposes but this provides a means of subverting the
facilities so that interception of traffic can take place. In addition, by
prior arrangement with the manufacturers it would be technically
easy for special Agency facilities to be added. Alternatively products
could be intercepted between supplier and customer and the switch
firmware modified. One of the leading manufacturers has recently
warned of rogue firmware46.
43 http://www.dd-wrt.com/site/index
44 http://netsecurity.about.com/od/secureyourwifinetwork/a/The-Dangers-Of-Evil-Twin-Wi-FiHotspots.htm; http://www.techrepublic.com/article/minimizing-the-threats-of-public-wi-fi-and-avoidingevil-twins/; https://www.youtube.com/watch?v=LwEjYL6Eoro
45 Specification of products by a leading manufacturer can be seen at: http://www.cisco.com/c/en/us/support/index.html?overlay=switches
46 http://tools.cisco.com/security/center/viewAlert.x?alertId=40411
Man in the Middle (MITM) Exploits
52. Encryption Defeat The basic aim of a common form of man-in-the-middle (MITM) exploit is to overcome situations where data in
transmission is encrypted. The technique consists of interposing a
device between the two communicating parties; each believes
themselves to be communicating with the other but their traffic is
being intercepted before being passed on. In the most common
forms of encrypted traffic transmission, the devices being used by the
two parties exchange authentication information between themselves,
usually via a digital certificate. Once the authentication has taken
place a session key is created to carry out the encryption of the
subsequent traffic. Different session keys are created for each
“conversation” and it is this feature that makes regular interception
difficult.
53. The MITM device has knowledge of the respective digital certificates
and is hence able to provide apparently satisfactory authentication to
both parties. Digital certificates can be obtained by several means –
previous “hack” of users’ computers where the certificates will be
stored, or by compromising the authorities that issue the
certificates47, 48. Other forms of encryption defeat are discussed
at paragraph 58 below.
54. Rogue Wifi Access Points, referred to above at paragraph 50, can
also be categorised as a form of MITM attack.
55. IMSI Catchers An IMSI catcher is a device designed to identify
and capture mobile phone traffic. It is also known as a Stingray,
which is the name of one of the available products. It consists of a
fake mobile telephone base station and mobile phones in its vicinity
are induced by virtue of the strength of the signal it puts out to log on
47 http://arstechnica.com/security/2015/08/attackers-are-hijacking-critical-networking-gear-from-ciscocompany-warns/
48 See, for example, the compromise of the Dutch certificate authority DigiNotar: https://threatpost.com/finalreport-diginotar-hack-shows-total-compromise-ca-servers-103112/77170
to the fake station as opposed to an official one provided by a regular
mobile phone company. The fake base station intercepts traffic
before passing it on to a legitimate base station which is part of the
general telecommunications network49. There have been accusations
in the United States that IMSI catchers have been used by law
enforcement as a means of by-passing the warranting procedures for
interception50. A possible use in the UK by the Agencies and law
enforcement is to identify hitherto unknown mobile phones operating
within a small physical area of interest51.
Encryption Defeat
56. A frequent requirement of hackers and cybercriminals is the ability to
defeat encryption. Encryption can be software based, as when files
are protected, but is also deployed in hardware, often to provide
copyright protection but also to control access to hardware such as
computers, smart phones and data storage devices such as hard disks
and USB sticks.
57. Robust encryption of any kind is difficult to defeat but many forms of
encryption are not robust – either the encryption algorithm has
weaknesses or the overall cryptosystem has been poorly managed so
that encrypting passphrases or cleartext versions of files can be
located.
58. Encrypted data in transmission can sometimes be defeated via a Man
In The Middle attack. See paragraph 52 above.
49 http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/; https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-CatcherACSAC2014.pdf; https://www.youtube.com/watch?v=3oHx0zj3GWQ; https://www.youtube.com/watch?v=rXVHPNhsOzo&index=5&list=PLD479F2812AE804DD
50 http://arstechnica.com/tech-policy/2015/04/county-prosecutor-says-it-has-no-idea-when-stingrays-wereused-so-man-sues/
51 This would be an alternative to a “tower dump” from a mobile phone provider, as the official tower may not be in an optimal position and may identify many irrelevant and innocent mobile phone subscribers.
59. For file decryption there are a number of commercial products, for
example Passware52 and Elcomsoft53. These “know” about weaknesses
in popular encryption systems and/or use “brute force” and “rainbow
tables” (a method where much of the computational work needed to
break a password is done in advance and stored in a large database,
making the cracking process much faster)54. Software is also available
to remove the copy protection from entertainment DVDs and BluRay
disks55.
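The parenthetical on rainbow tables above is the whole idea in one sentence; the toy below, an added example not taken from the report or from the products it names, shows the mechanism at work and the standard mitigation. It builds a small rainbow table for 3-letter lowercase passwords hashed with unsalted SHA-256 (all sizes constructed small so it runs in under a second), recovers passwords from their bare hashes, and then shows that the same table recovers nothing once each stored hash carries a per-user random salt.

```python
"""Toy rainbow table, and why per-user salting defeats it (added example)."""
import hashlib
import itertools
import secrets
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 50                    # hash -> reduce steps per stored chain


def H(password, salt=b""):
    """The hash under attack: SHA-256 over salt || password, as raw bytes."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_(digest, step):
    """Map a digest back into the password space. Mixing in the column number
    ('step') is what distinguishes rainbow chains from plain hash chains."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_starts(n, seed=0):
    """Deterministic start points: n candidate passwords beginning at offset seed."""
    words = itertools.islice(itertools.product(ALPHABET, repeat=PW_LEN), seed, seed + n)
    return ["".join(w) for w in words]


def build_table(n_chains, seed=0):
    """Precompute chains, storing only endpoint -> starting passwords.

    Only the two ends of each chain are kept; the middle is recomputed on lookup,
    which is the time/memory trade-off the paragraph describes. (A production
    table drops chains that merge; keeping every start keeps this toy deterministic.)
    """
    table = {}
    for start in chain_starts(n_chains, seed):
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(H(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target):
    """Recover a password whose unsalted hash is 'target', or None if not covered."""
    # Assume the target sits at column i of some chain; finish that chain and
    # see whether its endpoint is one we stored.
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, i)
        for step in range(i + 1, CHAIN_LEN):
            pw = reduce_(H(pw), step)
        for start in table.get(pw, ()):
            # Re-walk the chain from its start; a false alarm simply never matches.
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), step)
    return None


def coverage(table, sample):
    """Fraction of 'sample' recovered when their hashes are stored unsalted."""
    return sum(lookup(table, H(pw)) == pw for pw in sample) / len(sample)


def salted_coverage(table, sample):
    """Same passwords, but each stored hash carries a fresh 16-byte random salt,
    so the precomputed chains were built over a different function entirely."""
    hits = sum(lookup(table, H(pw, secrets.token_bytes(16))) == pw for pw in sample)
    return hits / len(sample)


if __name__ == "__main__":
    table = build_table(2000)
    probe = ["cat", "dog", "abc", "xyz", "mno", "qed"]
    print("unsalted recovery:", coverage(table, probe))
    print("salted recovery:  ", salted_coverage(table, probe))
```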
60. There have been cases where copy-protected software has had the
protection removed so that it can be freely distributed and used via
hacker websites56.
61. Hardware exploits have, in the cybercrime world, been concentrated
around compromising games machines so that they can play more than
officially supplied (and encrypted) games and compromising
equipment for the reception of satellite and cable tv services so that
encrypted programmes can be viewed without payment to the official
suppliers57.
62. A further area of activity has been to compromise the ink cartridges
used in some printers and where the official supplier has designed the
printer so that it will only work with cartridges from the original
manufacturer.
63. There has been a debate suggesting that GCHQ and NSA have sought
artificially to weaken encryption facilities in order to gain easier access
to data. I believe that this is the subject of a separate Expert Report
before the Tribunal from Professor Ross Anderson.
52 http://www.lostpassword.com/
53 http://www.elcomsoft.co.uk/eprb.html
54 Eg https://www.freerainbowtables.com/; http://kestas.kuliukas.com/RainbowTables/
55 http://www.winxdvd.com/resource/best-free-dvd-decrypter-software-review.htm
56 Eg DrinkorDie, http://www.theregister.co.uk/2005/05/06/drinkordie_sentencing/
57 http://forums.xbox-scene.com/index.php?/topic/653015-mrmodchips-wins-appeal-in-1m-gbp-ukmodchip-case/page-3
Reverse Engineering
64. Reverse engineering involves the processes of examining a product,
hardware or software to see how it operates, often for the purpose of
creating an alternative means of producing the same result. In the
“open” world there are two main reasons for utilising the techniques;
the first is to circumvent intellectual property rights. The second, often
used by malware analysts, is to seek to understand the inner workings
of an item of malware, partly as a contribution to general knowledge
but also to develop detection and mitigation products.
65. In the hacker world, as already mentioned, reverse engineering is used
to thwart copyright protections on hardware such as games consoles
and satellite and cable set-top boxes.
66. Reverse engineering can also be used in seeking to thwart security
products, including those for access control. One area where there has
been significant “cybercrime” activity is the reverse engineering and
compromise of credit and debit card Point-of-Sale terminals as used in
retail outlets58.
67. I will refer later to reverse engineering as part of the skillsets and
research endeavours of GCHQ and its partner NSA.
Social Engineering
68. At several points in these descriptions of hacks reference has been
made to social engineering. In order to give the activity sufficient
prominence I am repeating its importance in many hacking /
cybercrime events. There are also implications for how its deployment
is dealt with in Codes of Practice and in the authorisation and
oversight regimes, a matter I return to later in paragraphs 101 and 112.
58 http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-salebotnet/; http://krebsonsecurity.com/2011/05/point-of-sale-skimmers-robbed-at-the-register/
69. As already mentioned, social engineering can encompass a deceptive
email and website but it may be no more than a “pretext call”, a phone
call to an unsuspecting individual. Some security professionals use
the phrase “Advanced Persistent Threat” or another phrase “spear
phishing” to identify attempts which have been specifically aimed at
individuals who are thought likely to have significant administrative
roles and who, if their identities are compromised, will yield important
technical facilities for later exploitation. The targeting usually involves
researching the life of the individual through open sources and social
media so that when a booby-trapped email is sent to them it is crafted
so they are less likely to be suspicious (for example, a person known to
be a theatre lover may be more likely to open a compromised email
purporting to contain a discount offer from the National Theatre).
70. The centrality of social engineering in hacking can be seen from books
written by a famous serial hacker, Kevin Mitnick, The Art of
Deception, The Art of Intrusion, Ghost in the Wires59. Other books
include Unmasking the Social Engineer by Christopher Hadnagy60 and
Kingpin by Kevin Poulsen61. There has also been extensive discussion
of social engineering techniques at specialist conferences.62
Multi-Stage Exploits
71. Many of the actual exploits and crimes referred to above have, to be
successful, required the deployment of a series of techniques in
succession. Examples include:
• Bank credentials obtained by looking over a shoulder or back-door entry to a computer, then used to masquerade as a legitimate in order to siphon off funds. In practice one person may steal bank credentials, offer them for sale via a hidden “Darknet” market place; the buyer may then hire a series of mules to rob the individual accounts and/or launder them via casinos and retail purchases63
• Email credentials acquired by back-door entry to a computer; later used to generate a plausible email to deceive third parties to perpetrate a fraud or as a stage in obtaining confidential information, or as a means of gaining high level access to computer resources
• Small malware program calls another which calls another – an effective technique for making detection difficult
• Malware introduced together with data destruction program either to cause direct damage or for extortion
• Large numbers of computers back-doored and taken over, subject to the command-and-control of a botnet, used for a DDoS attack, followed by an extortion demand.
59 http://www.amazon.co.uk/s/ref=nb_sb_ss_c_0_13?url=search-alias%3Dstripbooks&fieldkeywords=kevin+mitnick&sprefix=kevin+mitnick%2Caps%2C145
60 Wiley, 2010 and 2014
61 Random House 2012.
62 http://www.cl.cam.ac.uk/events/decepticon2015/conf_program.html
CNE and EI as a means of attack
72. Strictly speaking the use of CNE /EI for attack purposes is not an
“investigatory power” but it may be useful to indicate the main forms
that it can take:
• Remote data wiping in which stored data is by command over-written beyond recovery
• Distributed Denial of Service attacks in which large numbers of innocent third party computers are taken over and placed under command and control. From these, large-scale simultaneous requests can be sent to a target computer so that it is overwhelmed and cannot function
• Targeted attacks where specific devices are identified, their characteristics examined and attacks crafted so as to disrupt or destroy their capabilities. The best known example of this is Stuxnet which was aimed at machinery controlling centrifuges allegedly used by the Iranian authorities to refine uranium
• “False flag” activities where a computer resource is created either for propaganda or attack purposes but is controlled by some-one other than the apparent owner. In the alternative, a genuine computer resource is taken over, hijacked, and rogue information and activity is promulgated from it.
63 NHTCU/SOCA Operation Euphroe, 2005-2007; DarkMarket, Misha Glenny, Vintage 2011; Kingpin, Kevin Poulsen, Crown, 2011
Techniques revealed in Snowden documents
73. I now turn to indications in the Snowden papers of the use by GCHQ
of a number of specific techniques. The Tribunal will be familiar with
how Snowden distributed the material he had acquired and exfiltrated.
He did not publish directly but gave copies to a number of journalist
outlets including The Guardian, New York Times, Washington Post,
Der Spiegel and The Intercept leaving to them to decide what to
publish and when. I am not aware of any suggestion that the files and
documents he supplied were forged or inauthentic but I am aware that
GCHQ have said informally that some interpretations placed by the
media on the materials are incorrect or incomplete and that some of the
slides were for informal internal discussion and do not necessarily
reflect firm GCHQ policy. In using this material I have sought to be
relatively conservative – the references are to slides which have been
published and what appear to be reasonably authoritative journalistic
articles that have accompanied them, and where the technology used
reflects my understanding of what is already known to be possible in
the non-Agency world.
74. For the avoidance of doubt, I have not had access to any slides that
have not been published and it is quite likely that there are slides
which have been published which I have not seen because I am
currently unaware of their existence. It has not always been possible to
identify which activities are specific to GCHQ as opposed to NSA;
however the 5-Eyes Agreement suggests very close levels of technique
and information sharing.
75. The material reviewed here was selected on the basis that they were
likely to assist the Tribunal in its deliberations on legality and
adequacy of codes of practice and oversight and in particular in
framing questions to GCHQ in closed proceedings. Up to a point it
makes little difference whether a technique is being deployed as
opposed to being the subject of research as what is relevant is what
law, codes and oversight permit.
76. The slides often refer to thematic programmes of research and activity
and may cover more than one technique. In addition, as already
observed many hacking/CNE/EI actions require the deployment of
more than one technique, what has been referred to above as “multi-stage exploits”.
77. NSA Tailored Access Program In December 2013 Der Spiegel
published a series of articles about a catalogue of technologies and
devices64. I produce copies as PMS/1-4. There is a useful Wikipedia
listing of some of the techniques65 and I produce a copy of this as
PMS/5. I produce extended extracts from the ANT Catalog as PMS/6.
Among those referred to and by way of example are (the footnotes
point to the “open” versions referred to earlier in this Report):
77.1. Candygram, which appears to be an IMSI Catcher66
77.2. Cottonmouth, which used USB connections67
77.3. DeityBounce, which is a hardware-based persistent Trojan directed at Dell servers68
64 http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-globalnetworks-a-940969.html
65 https://en.wikipedia.org/wiki/NSA_ANT_catalog
66 See paragraph 55 above
67 See paragraph 44 above
77.4. Dropoutjeep, which is software giving remote access and control of Apple iPhones69
77.5. Feedthrough, a backdoor to some mainframe computers70
77.6. Ginsu, hardware based persistent remote controller for personal computers71
77.7. Gopherset, software deployed via a mobile phone SIM72
77.8. Howlermonkey, remote control of computers via radio73
77.9. Iratemonk, compromise of hard disks from certain manufacturers74
77.10. Ironchef, compromise of the BIOS on a personal computer75
77.11. Picasso, software that covertly sends data from a targeted
mobile phone about location, call data and can also activate the
phone’s microphone to capture local conversations76
78. GCHQ’s Technical Enabling Covert Access Product Centre
(TECA) In June 2015 The Intercept published what it claimed were
details of GCHQ programs to subvert widely-used commercial
software77. It also included part of a memo describing the services of
GCHQ’s TECA which I produce as exhibit PMS/7. Also published
were a memo on Software Reverse Engineering78 which I exhibit as
PMS/8 and another memo on Reverse Engineering79 more generally
which I exhibit as PMS/9.
68 See paragraph 41 above
69 See paragraph 28 above
70 See paragraph 30 above
71 On the same principles as paragraph 40 above
72 See paragraph 49 above
73 Another version of what is described in paragraph 40 above
74 See paragraph 43 above
75 See paragraph 41 above
76 See paragraph 28 above
77 https://firstlook.org/theintercept/2015/06/22/gchq-reverse-engineering-warrants/
78 https://firstlook.org/theintercept/document/2015/06/22/software-reverse-engineering-gchq
79 https://firstlook.org/theintercept/document/2015/06/22/reverse-engineering-gchq-wiki/
79. JTRIG / SIGDEV In February 2014 the Intercept published an
article on GCHQ’s social engineering research80. It includes a GCHQ
presentation entitled “The Art of Deception”81. I exhibit this as
PMS/10.
80. I Hunt Sys Admins In March 2014 the Intercept published a
document advising on the value of targeting system administrators as
a way of getting access to important computer resources82. I exhibit
this as PMS/11.
81. Man in the Middle attacks A further document from the Intercept
published in March 2014 describes techniques very similar to those
covered above in paragraphs 19, 34 and 52. They are called
Willowvixen and Seconddate. I exhibit this as PMS/12.
83. Quantum Theory This series of slides83, also from the Intercept in
March 2014 shows that NSA/GCHQ tactics often involve multiple
stages and can be compared with the “open” techniques covered in
paragraph 71 and below. It will be seen that there are explicit
80 https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/. See also: http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-uk-spiesattacked-anonymous-hackers-n21361; http://www.nbcnews.com/feature/edward-snowdeninterview/exclusive-snowden-docs-show-british-spies-used-sex-dirty-tricks-n23091
81 https://firstlook.org/theintercept/document/2014/02/24/art-deception-training-new-generation-onlinecovert-operations/
82 https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/
83 https://firstlook.org/theintercept/document/2014/03/12/nsa-gchqs-quantumtheory-hacking-tactics/
references to GCHQ and to the NSA/GCHQ station at Menwith Hill,
North Yorkshire. I exhibit this as PMS/13.
84. Purchase of specialist software to facilitate eavesdropping on PCs
and mobile phones In June 2014 Wired magazine published a long
article about a company called Hacking Team and its Remote Control
System84 and claimed that this was an instance of GCHQ’s purchase
of surveillance software. The essential methods are similar to those
described above in paragraphs 23, 25 and 28. I exhibit this as
PMS/14.
85. Optic Nerve, Webcam Image Gathering, Facial Recognition In
February 2014 The Guardian ran a feature on Optic Nerve, said to be
a GCHQ program to collect and then process millions of images from
Yahoo’s use of webcams85. I exhibit this as PMS/15 – it includes
screen captures said to come from the Snowden archive. In May
2014 the New York Times wrote about the capture of webcam
images more generally and their processing using facial recognition
software86. I produce this as PMS/16. This is a very large-scale
implementation of what is available in the open retail market and
mentioned at paragraph 24 above.
86. Auroragold: Cellphone Surveillance In December 2014 the
Intercept published an article and slides about NSA’s alleged spying
on large numbers of cellphone companies world-wide in order to
understand their systems and to capture the traffic of their
customers87. As well as describing something which seems
analogous to the PRISM program which targeted Internet traffic the
program is also an illustration of multi-stage attack in order to
achieve a desired end. I produce the article as PMS/17, the slides for
the project overview as PMS/18, slides with more details as PMS/19,
84 http://www.wired.com/2014/06/remote-control-system-phone-surveillance/
85 http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
86 http://www.nytimes.com/2014/06/01/us/nsa-collecting-millions-of-faces-from-web-images.html?_r=0
87 https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/
slides providing a “working aid” as PMS/20 and a slide which
appears to show GCHQ involvement as PMS/21.
87. Gemalto: Breaking Encryption on mobile phone SIM cards.
Another route to getting access to encrypted mobile phone
conversations on a mass scale was described by the Intercept in
February 201588. This is another multi-stage attack – the first target
was Gemalto, manufacturers of SIM cards; information obtained was
then used to compromise individual SIMs and the phones in which
they were located. I produce the article as PMS/22 and two GCHQ
slides as PMS/23 and PMS/24.
88. Belgacom In September 2013, Der Spiegel, relying on Snowden
documents, claimed that Belgacom, the Belgian telecommunications
company had been the subject of a complex attack by GCHQ under
the name “Operation Socialist”89. One of the techniques used was
“Quantum Insert”, presumably a variant on “Quantum Theory”
referred to above at paragraph 83. The technique itself is multi-stage
but the apparent reason for targeting Belgacom was that through it
there was access to its partners including those in Switzerland and
South Africa and through these in turn to actual persons of
intelligence interest. In December 2014 the Intercept ran a more
extended article claimed to be the “full story”90. The Intercept
account claims the use of another GCHQ-developed multi-stage
approach called Nocturnal Surge. I produce the Spiegel article as
PMS/25 and the Intercept article as PMS/26.
89. Karma Police In September 2015, the Intercept published a long
article about a GCHQ programme said to have the ambition of
capturing the Internet browsing habits of every visible user on the
Internet91. Accompanying the article is a collection of slides and
88 https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
89 http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a923406.html
90 https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/
91 https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/
documents from the Snowden trove. Much of the article is concerned
with bulk interception and the way in which the material can be
analysed. There is also significant comment on interpretations of
legality. But of interest to the Tribunal’s current work is the extent to
which information gathered via these forms of interception is then
used to provide credentials and other information for CNE/EI. Some
of this is done under a programme called Mutant Broth92. The
Intercept claims that these techniques were used to identify and target
individuals in the Gemalto and Belgacom events referred to above.
I exhibit the main Intercept article as PMS/27 and a collection of
slides (TDI Introduction) referring to Mutant Broth as PMS/28.
Implications and Intrusions
90. I now turn to some of the implications of CNE/EI. In contrast to
most situations in which an interception warrant is sought, there may
often be no ready linkage between a request for a technical facility
and the amount and extent of intrusion likely to be involved. An
interception warrant under s 8(1) RIPA 2000 may only cover a single
person or premises and will contain a schedule referring to all the
relevant selectors (a phone with a number, a computer with an IP
address, an ISP subscriber contract etc.) and a period in time during
which the interception is to take place. From this it is reasonably
easy to infer what it is hoped to gain and hence make judgements
about necessity, proportionality and the problems of collateral
intrusion on third parties.
91. The same may be said of Property Interference authorisations
involving video and audio bugs – they are likely to be specified in
terms of identified premises, and particular places within premises.
92. From the review of technologies I can identify the following
situations:
[92] https://theintercept.com/document/2015/09/25/sensitive-targeting-authorisation
92.1. Directed Interceptions: where the CNE/EI collects traffic – data, audio, video – by compromising equipment rather than via a Communications Service Provider (CSP). These overlap with the functionalities of bugs and taps, which are traditionally dealt with via Property Interference warrants, in that cameras and microphones can be activated. Such interceptions are targeted at identifiable individuals.
92.2. Directed Computer Intrusions: with the aim of viewing the contents of a computer, smartphone, etc. Targeted at identifiable individuals.
92.3. Computer intrusions to acquire information for later exploitation. Examples include the “I hunt sys admins” document [93] and the attacks on the SIM manufacturer Gemalto to break encryption generally [94] and on Belgacom to gain widespread access facilities [95].
92.4. Mass computer intrusions to collect large quantities of data which might later yield intelligence but without any specific target in mind. Examples include Optic Nerve [96], a program to collect large numbers of webcam images for later use with facial recognition software, and Auroragold [97], surveillance of cellphone companies to ease later interceptions of phones.
92.5. Computer intrusions with the aim of using facilities to reach other computers and to masquerade as someone else.
93. Looking at these in more detail from the perspectives of levels of
intrusion and judgements involved in initial authorisation, on-going
management and post-event review/oversight:
[93] See paragraph 80 above
[94] See paragraph 87 above
[95] See paragraph 88 above.
[96] See paragraph 86 above
[97] See paragraph 86 above
94. Non-CSP interceptions: In an interception carried out by a Communications Service Provider in the UK it is likely that equipment designed specifically for that purpose will be used. RIPA s 12 requires the “maintenance of an interception capability”. This will limit what is acquired by reference to a phone number, ISP subscriber or similar. But where interception is carried out by other means, rather more may be collected, as there is no obvious technical means of limitation. This is an issue in item 6(e) of the Proposed Legal Issues. Some of the activities considered below come very close to the issues of bulk intercepts. With that one finds oneself re-visiting the view that “interception” does not take place at the point of capture but only when material is read, as reviewed in IPT/13/77/H. I understand that the IPT’s decision is likely to be reviewed before the CJEU.
94.1. A Wifi Access Point or Hot Spot [98] will capture all traffic that signs on to it. It will not be possible to filter on the basis of IP address – because a person of interest may be using a dynamically assigned IP address [99]. The investigator requesting the use of a compromised Wifi access point will thus have to carry out post-capture removal of all “irrelevant” material; it is not clear how this process can be controlled and monitored.
94.2. Similar considerations apply to a compromised Network Switch [100]. It too will capture all traffic that signs on to it. It will not be possible to filter on the basis of IP address – because a person of interest may be using a dynamically assigned IP address [101]. Again, post-capture filtering of traffic will be required.
[98] See paragraph 50 above
[99] Most ordinary users of the Internet do not have a permanent IP address; because of the shortage of such addresses, ISPs usually lease an IP address to a customer for a short period and may share a single IP address between a large number of users.
[100] See paragraph 51 above
[101] Most ordinary users of the Internet do not have a permanent IP address; because of the shortage of such addresses, ISPs usually lease an IP address to a customer for a short period and may share a single IP address between a large number of users.
94.3. As we have seen, the main purpose of an IMSI Catcher [102] is to identify unknown phones in a particular locality. The process collects all the phone numbers – and possibly also the content of conversations – in the vicinity, and again post-capture filtering is required.
94.4. In relation to Optic Nerve and Auroragold, the available slides do not tell us how the harvest is managed once acquired – the slides are about technical capabilities.
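To make concrete the point in 94.1 and 94.2 that an IP address is not a stable selector on a dynamically addressed network, here is a small added illustration; it is not part of this report and is not any Agency or police tool. It builds a constructed address-lease table and a constructed capture summary from a hypothetical compromised access point, then compares what a bare IP-address selector sweeps up with what can actually be attributed to one subscriber once the lease records are consulted. The account identifiers, addresses and times are all invented.

```python
"""Why an IP-address selector over-collects on a dynamically addressed network.

Added illustration for paragraphs 94.1 and 94.2; not part of the report.
Every lease record and packet summary below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str   # hypothetical account identifier held by the ISP / AP operator
    start: datetime
    end: datetime     # exclusive


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src_ip: str
    summary: str


T0 = datetime(2015, 9, 1, 8, 0)
H = timedelta(hours=1)

# Constructed lease log: 192.0.2.10 (documentation address space) is handed to
# three different subscribers in turn during an eight-hour capture window.
LEASES = [
    Lease("192.0.2.10", "acct-A", T0, T0 + 2 * H),
    Lease("192.0.2.10", "acct-B", T0 + 2 * H, T0 + 5 * H),
    Lease("192.0.2.10", "acct-C", T0 + 5 * H, T0 + 8 * H),
    Lease("192.0.2.11", "acct-D", T0, T0 + 8 * H),
]

# Constructed capture summary from a hypothetical compromised access point.
CAPTURE = [
    Packet(T0 + timedelta(minutes=30), "192.0.2.10", "DNS query"),
    Packet(T0 + timedelta(minutes=90), "192.0.2.10", "HTTPS session"),
    Packet(T0 + 3 * H, "192.0.2.10", "IMAP fetch"),
    Packet(T0 + 4 * H, "192.0.2.11", "HTTPS session"),
    Packet(T0 + 6 * H, "192.0.2.10", "VoIP call"),
    Packet(T0 + 7 * H, "192.0.2.10", "HTTPS session"),
]


def subscriber_at(ip, ts, leases):
    """Subscriber holding `ip` at instant `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.subscriber
    return None


def naive_ip_filter(capture, ip):
    """The selector applied as a bare address match: everything that ever used `ip`."""
    return [p for p in capture if p.src_ip == ip]


def lease_aware_filter(capture, ip, leases, target):
    """Only packets from `ip` sent while `target` actually held the lease."""
    return [p for p in capture
            if p.src_ip == ip and subscriber_at(ip, p.ts, leases) == target]


def minimisation_report(capture, ip, leases, target):
    """Quantify the collateral intrusion a bare IP selector would cause."""
    matched = naive_ip_filter(capture, ip)
    kept = lease_aware_filter(capture, ip, leases, target)
    others = {subscriber_at(p.src_ip, p.ts, leases) for p in matched}
    others.discard(target)
    others.discard(None)
    return {
        "matched_by_ip": len(matched),
        "attributable_to_target": len(kept),
        "collateral_packets": len(matched) - len(kept),
        "collateral_subscribers": sorted(others),
    }


if __name__ == "__main__":
    print(minimisation_report(CAPTURE, "192.0.2.10", LEASES, "acct-B"))
```

With the constructed data, a selector of 192.0.2.10 matches five packets, of which only one belongs to acct-B; the other four belong to two subscribers who are not of interest. The lease-aware step is exactly the post-capture filtering the paragraph describes: the narrowing can only happen after everyone's traffic has been captured, and it depends on lease records that the operator of the compromised access point does not itself hold.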
95. Multi-stage Investigations: A common characteristic of digital investigations is that several stages of technical inquiry may be needed. For example, a keylogger may be used to acquire a username/password combination which is then subsequently used to access a computer or a cloud resource. One would want to ensure that any authorisation procedure saw this as two distinct actions. Some of the issues commented on by the Tribunal in the Chatwani/NCA case [103], where a search warrant was used as a cover for the planting of a bug, may be apposite.
96. Computer and Cloud Storage Intrusions: Whereas it is relatively easy to forecast the scope of the likely “harvest” associated with an interception, the same cannot be said of entry into a computer. I have been examining personal computers for forensic purposes for over 20 years. Most of these have been the result of seizure by the police under PACE and similar powers or where the owners have given permission. The following issues of limiting the level of intrusion arise:
96.1. Most forms of computer access are “all or nothing”, either to a computer/smartphone itself or to the user space of an individual account holder.
[102] See paragraph 55 above.
[103] Case No: IPT/15/84/88/CH
96.2. In the case of forensic access as referred to in paragraph 27 above, the access is so complete as to include portions of the computer that would not normally be seen by the regular user. ACPO Good Practice, which may or may not be applicable to Agency operations, recommends forensic disk imaging [104]. Redaction of a forensic disk image is difficult to achieve without losing evidential integrity. In the Criminal Justice world this can create difficulties where, for example, there is material likely to be subject to legal professional privilege [105]. The usual practice is to appoint an independent lawyer, perhaps accompanied by a technician, to arbitrate on what can and cannot be used. But this may be more difficult in an Agency environment, where finding a lawyer and technician with the appropriate security clearances and the necessary independence may be challenging [106].
96.3. A “personal” computer these days is just that: a repository of vast amounts of personal information generated by the user. This is even more true of a smartphone, which is likely to be with its owner all the time that the owner is awake. This fact of course makes the personal computer such a valuable potential source of evidence, but it also creates substantial difficulties when applying the necessity, proportionality and collateral intrusion tests.
96.4. Among the classes of information likely to be found are:
• Archives of emails sent and received during the “lifetime” of the device (that is, since it was first used) and possibly copies of emails from earlier devices. The position is thus very different from the interception situation, where the “harvest” is limited to the duration of the warrant. Emails are not stored individually by the major email programs but in databases [107] which have initially to be acquired in their entirety. The emails are highly likely to involve much more than the subjects of immediate interest to an investigator and will of course contain correspondence with individuals against whom there is not and never will be suspicion.
• A routine task of a digital forensic investigator is the examination of the Internet cache (history). Again the cache has to be available to be reviewed in its entirety. Searches may reveal many irrelevant matters that a user wishes to keep private. In one case in which I was instructed an individual was charged and later found not guilty of conspiring to rob a gold bullion truck, and where there were clear indications of his use of sex escort sites in his Internet cache.
• Similar considerations apply to records generated by the use of social media sites, messaging systems and Internet telephony. Records may exist for the entire lifetime of the device.
• Computers also typically contain large repositories of files of various kinds. These can include documents generated by the owner and others, still photographs and videos, spreadsheets and others. Video material is highly likely to be found on smartphones and tablets because these devices have in-built cameras. Again, although some of this material may be of significant intelligence value, other files may be irrelevant but intensely personal. In my experience over 60% of computers owned by men are likely to contain sexual material (and I exclude those where the subject of a charge is a sexual offence); pictures may include the computer owner engaging in sex with a partner.
• Personal computers and smartphones often contain credentials for banking and e-commerce and other services. Some of the credentials could be used by investigators to masquerade as the person who owns the computer. As above, one would want to see that procedures clearly balance the possible intelligence value of this information against normal expectations of privacy.
• Computers owned by families may have several user accounts for different family members; all user accounts, not just that of a suspect, would be open to scrutiny by investigators.
• In the case of computers used to run a business it is very likely that there will be a database of customers; this in turn may include credit and other financial information. In any event the database will probably fall within the remit of Data Protection legislation and contain information personal to the individuals within it.
[104] http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf, paragraph 2.2.4
[105] Attorney General’s Guidelines on Disclosure, December 2013, A28-34
[106] The draft EI CoP attempts to address these issues in Chapter 3.
[107] Microsoft Outlook emails are stored in PST files, Thunderbird emails are in “Profiles”
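Paragraph 96.2 notes that redacting a forensic disk image is difficult without losing evidential integrity, because the acquisition hash covers the whole image. One mitigation, shown here as an added example that is not from this report or from the ACPO guidance, is to record a per-block hash manifest at acquisition: blocks withheld after the privileged-material review can then be zeroed while every other block remains verifiable against the manifest, and any later edit to a retained block is still caught. The image is a constructed byte string and the block size is chosen for illustration.

```python
"""Block-level hash manifest for a forensic image, so that blocks withheld
(for example for legal professional privilege) can be redacted while every
remaining block stays verifiable against the manifest taken at acquisition.

Added illustration for paragraph 96.2; not from the report or ACPO guidance.
The 'image' below is a constructed byte string, not a real disk image.
"""
import hashlib

BLOCK = 64  # block size in bytes; real tools use sectors or larger chunks


def block_hashes(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 per block, computed once at acquisition and kept with the image."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def whole_hash(image: bytes) -> str:
    """The conventional single hash over the whole image."""
    return hashlib.sha256(image).hexdigest()


def redact(image: bytes, blocks_to_withhold: set, block: int = BLOCK) -> bytes:
    """Zero the withheld blocks, preserving image size and block layout."""
    out = bytearray(image)
    for b in blocks_to_withhold:
        span = out[b * block:(b + 1) * block]
        out[b * block:(b + 1) * block] = b"\x00" * len(span)
    return bytes(out)


def verify(image: bytes, manifest: list, withheld: set, block: int = BLOCK) -> dict:
    """Check every non-withheld block against the acquisition manifest and
    report counts so a reviewer can see exactly what remains verifiable."""
    current = block_hashes(image, block)
    if len(current) != len(manifest):
        return {"ok": False, "reason": "block count changed"}
    mismatched = [i for i, (now, then) in enumerate(zip(current, manifest))
                  if i not in withheld and now != then]
    return {
        "ok": not mismatched,
        "verified": len(manifest) - len(withheld) - len(mismatched),
        "withheld": len(withheld),
        "mismatched": mismatched,
    }


# Constructed sample image: ten 64-byte blocks with recognisable content.
SAMPLE_IMAGE = b"".join(f"block{i:02d}-".encode().ljust(BLOCK, b"x") for i in range(10))


def demo():
    """Redact two blocks, then show the whole-image hash is lost but the
    per-block manifest still verifies the rest and still detects tampering."""
    manifest = block_hashes(SAMPLE_IMAGE)
    original_whole = whole_hash(SAMPLE_IMAGE)
    privileged = {3, 4}                  # blocks the reviewing lawyer withholds
    redacted = redact(SAMPLE_IMAGE, privileged)
    whole_still_matches = whole_hash(redacted) == original_whole  # False
    report = verify(redacted, manifest, privileged)               # 8 of 10 verify
    tampered = bytearray(redacted)
    tampered[0] ^= 0xFF                  # one byte changed in a retained block
    tamper_report = verify(bytes(tampered), manifest, privileged)  # block 0 flagged
    return whole_still_matches, report, tamper_report


if __name__ == "__main__":
    print(demo())
```

The manifest must itself be protected (signed, or lodged with the oversight body) or the scheme proves nothing; and the withheld set must be recorded alongside it, since a verifier has to know which blocks were deliberately zeroed rather than altered. Forensic container formats keep per-chunk checksums for a similar reason, although their purpose there is detecting corruption rather than supporting redaction.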
97. Active Use of Computers: This is the situation where a third party’s computer is taken over and used to carry out further actions:
97.1. At a technically trivial but important level, these techniques can be used to disguise GCHQ’s involvement in intelligence gathering and computer intrusions.
97.2. “False flag” operations – as an extension of the above, where part of the aim is that activity, if discovered, should be specifically attributed to someone else.
97.3. Commercially available remote control software has the capability to make use of cameras and microphones [108]. There is thus the possibility that an authorisation to intrude into a computer also acts as an authorisation to carry out live audio and video eavesdropping – and also to make recordings.
98. Social Engineering: The aim of the deployment of social engineering tricks is intrusion in which the target unknowingly assists the hacker/investigator. Typically the result of the trick is information in the form of credentials which are then later exploited. It is not clear how far this route is covered by the draft EI CoP. Is it the case that the deception is not EI, but the consequences are? At what stage does a warrant authoriser become engaged?
[108] See paragraph 24 above.
99. Computer Attacks: This aspect may be outside the immediate remit of this case before the Tribunal, but in considering issues of authorisation and oversight it is also worth considering the situations where attacks are mounted on specific computers and how these are authorised. These are sometimes characterised as “takedowns” and “disruptions”. They can be aimed at state enemies, terrorist groups and international cybercriminals. Are these situations covered under “Equipment Interference” or more generally under, for example, ss 5–7 Intelligence Services Act 1994?
Legal and Procedural issues
100. The requirements of the law are a matter for the Tribunal, not me. But there are a number of practical matters which I believe ought to be, but are not currently to my knowledge, reflected in Codes of Practice and guidance offered to those asked to authorise and oversee. None of the comments below should be read as legal submissions but are based on my practical experience of the criminal justice system.
101. The Draft EI Code plainly recognises the need to assess for proportionality (to be exercised by the Secretary of State):
The following elements of proportionality should therefore be considered:
• balancing the size and scope of the proposed interference against what is sought to be achieved;
• explaining how and why the methods to be adopted will cause the least possible intrusion on the subject and others;
• considering whether the activity is an appropriate use of the legislation and a reasonable way, having considered all reasonable alternatives, of obtaining the necessary result;
• evidencing, as far as reasonably practicable, what other methods have been considered and why they were not implemented. [109]
102. But the Draft EI Code makes no reference to any specific CNE situation, although parts 2 and 4 cover general criteria and expectations. The problem remains that those who authorise and oversee may not have sufficient knowledge of the range of technologies and their application to be able to make informed and plausible judgements.
103. What is the function of a Code of Practice? It might be helpful at this point to reflect on why Codes of Practice exist and their various purposes: these seem to be:
103.1. To provide a level of detail which could not be incorporated in
primary legislation but which nevertheless has acquired
Parliamentary approval where it has been reviewed
103.2. To provide guidance and interpretation to those who seek
authorisation, those who give it, and those who act on
authorisations
103.3. To alert investigators and others of limitations to their powers
which they need to respect
103.4. To give a basis for post-deployment criticism, including if
necessary by Commissioners, Tribunals, Courts, Parliamentary
committees
It is surely not simply to provide wide-ranging cover for a large variety
of disparate actions which can then be said to be compliant with the
code.
104. It is instructive to compare the draft EI CoP with others issued, for example under the Police and Criminal Evidence Act 1984 [110]. Code A covers searches of persons, Code B covers searches of premises and seizure of property, Code C deals with the detention, treatment and questioning of suspects. In all instances there is a great deal more detail. If we look at the CoP for Covert Surveillance [111] we see in Chapter 2 general rules on authorisations and extensive discussion of the differences between directed and intrusive surveillance.
[109] Paragraph 2.4 to 2.8
105. Intercepts and Intrusions: In paragraph 96 above I have already shown that, given the vast amount of data that will inevitably be found on an accessed computer and the indiscriminate nature of non-CSP forms of interception, the practicalities of making judgements on necessity, proportionality and limitation of collateral intrusion are considerable. Those making these decisions will need technical advice, separate from that used by investigators. I pick up this issue below at paragraph 115.
106. It is extremely difficult to predict what will be found on any given targeted computer. Investigators will undoubtedly have a list of items they hope to find but will have little idea how much material will be irrelevant to their aims but nevertheless be “private” to others.
107. As a result of the various capabilities of remote control software there is a danger that an authority to enter a computer is also an authority to monitor live activity in the computer – and its immediate environment. The current draft EI CoP does not make explicit provision for this.
108. Any intrusion into a computer is likely to result in a change to the contents of the device unless the most stringent precautions are taken. The precautions usually followed by law enforcement in imaging disks – the use of write-protect devices – may not be operationally feasible in a covert intelligence exercise. The risk, if there is an eventual criminal prosecution, is of potential defence accusations of evidence tampering. This risk can be partly mitigated if there is a very full log of all investigatory activity – but the Agencies may not wish to reveal such a log on the basis that it may weaken future investigations by revealing methods.
[110] Current codes accessible from https://www.gov.uk/guidance/police-and-criminal-evidence-act-1984-pace-codes-of-practice
[111] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/384975/Covert_Surveillance_Property_Interrefernce_web__2_.pdf
109. It is highly likely that the prosecution will want to tender in evidence computers seized from suspects where those computers have been subject to CNE, given the quantity of material likely to assist [112]. The position is thus different from that with interception evidence, currently rendered inadmissible under s 17 RIPA 2000. Whereas a prosecution may be able to proceed without referring to an interception – because other evidence is available – it seems highly unlikely that substantial cases can be prosecuted without reliance on the contents of computers.
110. The intrusion would ordinarily have to be disclosed under Criminal Procedure and Investigations Acts 1996 and 2003. “The test is an objective one. To comply, the prosecutor must disclose to the accused any prosecution material which has not previously been disclosed to the accused and which might reasonably be considered capable of undermining the case for the prosecution against the accused or of assisting the case for the accused, save to the extent that the court, on application by the prosecutor, orders it is not in the public interest to disclose it.” [113] Following the amendment of s 10 Computer Misuse Act 1990 (“CMA”) by s 44 Serious Crime Act 2015 it seems highly likely that defence lawyers will routinely enquire whether powers under s 10 CMA have been deployed, and with what results. One benefit could be to alert a judge if it was thought an ex parte application might be made. If a prosecution decision were made to NCND or claim Public Interest Immunity in respect of Agency activity, then defence lawyers are likely to argue for judicial discretion to exclude the entire related computer evidence, under s 78 PACE 1984.
[112] There is reference to this in the draft EI CoP at paragraph 6.3
[113] http://www.cps.gov.uk/legal/d_to_g/disclosure_manual/disclosure_manual_chapter_11/
111. There is a potential clash between an EI CoP requirement to dispose of material when it is no longer needed and the possibility that material needs to be retained for possible future criminal proceedings, including defence arguments that material acquired but subsequently destroyed might have altered the course of a criminal trial (s 78 PACE again) [114].
Oversight and Audit Trails
112. Oversight, whether by commissioners, the ISC, judges (perhaps under future legislation as suggested by David Anderson QC) or indeed ministers is impossible without historic records. In the authorisation / granting phase those making the judgements may want to know what has happened prior to the request being made. Evidence to support necessity, proportionality and limitation of collateral intrusion may be necessary. I have personal detailed knowledge of what is involved in law enforcement processes for seeking access to communications data.
113. In the case of post-event reviews – to cover the process of granting the authorisation and all the events in its execution and exploitation – detailed logs are surely essential. These logs will need to include: a detailed contemporaneous log of manual notes of decisions and actions generated by authorised staff, computer activity logging, and screen capture software on all devices used by investigators to carry out CNE operations [115]. I believe that these procedures are followed by police Covert Internet Investigators (CIIs).
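Paragraphs 108 and 113 both turn on a full contemporaneous log of investigatory activity, one that can be relied on afterwards precisely because it cannot be quietly adjusted. The following added example is mine, not the Agencies' or police CII practice; it shows one way such a log can be made tamper-evident: each entry commits to a hash of the entry before it, so an edited, backdated, reordered or removed entry is detected when the chain is verified. Actors, authorisation references and actions are constructed placeholders, and the two-stage sequence mirrors the keylogger-then-credentials situation in paragraph 95.

```python
"""A tamper-evident, append-only activity log for post-event oversight.

Added illustration for paragraphs 108 and 113; not the Agencies' or police
CII logging. Each entry commits to the hash of the previous entry, so an
edited, backdated, reordered or removed entry breaks the chain from that
point on. All actors, authorisation references and actions are placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed starting link for the first entry


def entry_hash(prev_hash, body):
    """SHA-256 over the previous link plus a canonical JSON form of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor, authorisation, action, ts=None):
        """Record one decision or action, linked to the entry before it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "authorisation": authorisation,
            "action": action,
            "prev": prev,
        }
        entry = dict(body, hash=entry_hash(prev, body))
        self.entries.append(entry)
        return entry


def verify_chain(entries):
    """Recompute every link from GENESIS.
    Returns (ok, seq of the first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or entry_hash(prev, body) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def demo():
    """Three constructed entries for a hypothetical two-stage operation, then
    a backdated copy and a copy with an entry silently removed."""
    log = AuditLog()
    log.append("analyst-1", "AUTH-PLACEHOLDER-1",
               "keylogger output reviewed; one credential pair recorded",
               "2015-09-01T09:00:00+00:00")
    log.append("analyst-1", "AUTH-PLACEHOLDER-2",
               "separate authorisation obtained before credentials are used",
               "2015-09-01T11:30:00+00:00")
    log.append("analyst-2", "AUTH-PLACEHOLDER-2",
               "cloud account accessed; 3 documents retrieved",
               "2015-09-01T14:05:00+00:00")
    intact = verify_chain(log.entries)

    backdated = json.loads(json.dumps(log.entries))     # deep copy of the log
    backdated[1]["ts"] = "2015-09-01T08:00:00+00:00"     # claim authorisation came earlier

    removed = log.entries[:1] + log.entries[2:]          # drop the middle entry

    return intact, verify_chain(backdated), verify_chain(removed)


if __name__ == "__main__":
    print(demo())
```

Verification is only as strong as its anchor: a chain cut off at the tail still verifies cleanly, so the latest hash needs to be lodged periodically with whoever will do the oversight, and the reviewer needs the independent technical resource discussed at paragraph 115 to interpret what the entries describe.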
[114] The Draft EI CoP addresses these at paras 6.10 and 6.5
[115] In the “open” world a product such as Camtasia can do this. https://www.techsmith.com/camtasia.html
114. There are indications that GCHQ does have some internal auditing facilities [116] but without more detailed examination of the reports against the activities it is difficult to assess whether these arrangements provide sufficient detail for any oversight team. I exhibit two documents as PMS/29 and PMS/30.
115. Any oversight team will need to have its own independent technical resource with knowledge of the law, investigative practice and the capabilities of the various CNE technologies. The need will be at its greatest where the techniques are multi-stage, where the amounts of collateral intrusion are not obvious, and where an investigation includes the use of data mining software to integrate several independent streams of evidence. It must be recognised, however, that recruiting such a technical resource may not be easy, as the obvious source of expertise, and with the appropriate security clearance, is former staffers of GCHQ and some of its contractors.
I am happy to provide the Tribunal with further information, if so requested,
and to appear before it.
Peter Sommer
30 September 2015
[116] https://theintercept.com/document/2015/09/25/hra-auditing/; https://theintercept.com/document/2015/09/25/sensitive-targeting-authorisation