Intelligence Support Systems (ISS) conferences are supposed to be where “law enforcement, public safety, telecoms and the Intelligence community turn for technical training and product selection.” If you are not in one of those categories, you are not allowed to attend the “secret snoop” conference. Therefore you’d expect people training law enforcement to excel and be experts, and for the conference to showcase cutting-edge stuff for high-tech electronic investigations and network intelligence gathering. Yet it seemed to show that some cops are stunningly clueless about security and even how the Internet works.
ISS World Europe claims to be “the world's largest gathering of European Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering.” But when Lucas Lundgren, from IOActive Labs Research, wrote about attending the 2013 ISS Conference in Prague, several points stood out about how uninformed and unwise some law enforcement, cyberterrorism investigators, and government agency “hackers” still are today.
That was precisely the case in 2011 when Anonymous published Sentinel Cyberterrorism Defense Security Tools; it was a bummer to see that the hacking and counter-hacking tools were about as old as dirt, as some had been around since before the start of the millennium. Old-school canned programs do not necessarily mean the hacking tools are any less effective a decade later, but it was a bit appalling that there were no newer tools "to educate technical personnel in cyberterrorism response and prevention." It raised questions such as whether the cops in charge of fighting “terrorism” are clueless about cybersecurity and how to hack.
A recent Réseaux IP Européens Network Coordination Centre (RIPE NCC) report about law enforcement agency (LEA) requests is another glaring example of how some cops don’t understand jack about how to use the Internet, or how it works. RIPE NCC is the Regional Internet Registry that oversees Internet resources and services such as IPv4 and IPv6 address allocation. In 2012, it received 21 “informational requests” from LEAs, eight of which came from the USA. For 18 of those, RIPE NCC had to explain “how to use the publicly available information in the RIPE Database to find and be able to contact the responsible party of a particular resource.” Another required explaining the “difference between public and private IP addresses.” Two had nothing to do with RIPE NCC at all, one asking about “a European arrest order and one about the seizure of a particular domain name.”
Now, we’ll go back to ISS for people working in Intelligence. IOActive’s Lundgren called it “an attacker’s paradise.” In fact, he warned that “if you happen to represent law enforcement in your country,” don’t use Viber or What’s Up messenger apps that use clear text protocols to send messages. Also, “do not use non-encrypted protocols to check your email.”
If I had been an evil attacker at the ISS conference, I could have easily sat in the lounge downstairs all day and overheard all kinds of conversations about products, firewalls, and solutions used by a variety of countries. Also, by simply using the “free” hotel Wi-Fi, I could have gained access to a number of participant email messages, text messages, and web pages sending username and password credentials in clear text.
His colleague used SSLstrip to test the hotel’s network security; it prompts users to accept an invalid digital certificate [pdf], such as one issued by a fake Certificate Authority, and ISS conference attendees, who should know better, accepted it anyway. Lundgren wrote:
Using a tool similar to SSLstrip, an attacker would not even have to enter the main conference area to perform attacks. He could sit back in the smoker’s lounge, order a beverage of choice, set up sniffing, lean back on the couch, and let participants do the rest of the work!
There were different colored “paper” ID badges for attendees, yellow for government officials and purple for company representatives. Both kinds stated the wearer's name and employer. Some of the ISS training tracks were exclusively for government officials, but by simply using yellow paper to print a new, fake attendee badge, Lundgren waltzed right into a G-men-“only” meeting.
Another time, he overheard “a number of yellow-badged participants indicating they had never heard of Tor,” Lundgren wrote. “As the presentation went on, I had a general feeling that the presenter viewed Tor as a safe way to stay anonymous. However, I see it as a network by which attackers can obtain a substantial amount of data (usernames, passwords, credentials, and so on) after setting up their own Tor networks.” Using Tor for BitTorrent also “isn’t a good idea” and users are not anonymous.
Other ISS tracks were apparently pretty dull. Hopefully you know that unless you turn off GPS on your phone or actively strip the Exif metadata, a photo can include the geo-location, the time and date it was taken, details about camera settings, and the unique ID number of the smartphone or device used to snap the picture. Put another way, Exif data (any metadata, really) is forensically friendly. An LEA official at ISS in Prague was explaining how to check a photo’s Exif data. Yet when Lundgren asked about a page with “right-click” protection, the LEA said a third-party program was required to download the page. Seriously? Lundgren wondered if the LEA instructor did not know about “view source” in the browser or “File > Save As”?
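Checking a photo for a GPS block and stripping it, as an added defender-side example that is not from the article or from any tool it mentions; it uses only Python's standard library and a constructed stub JPEG (not a real photo) built inline, so it runs offline. The tag numbers are the standard Exif/TIFF ones; a real photo's RATIONAL coordinates live outside the 4-byte value field and are left as raw offset fields here.

```python
import struct
EXIF_GPS_IFD = 0x8825                        # IFD0 tag that points at the GPS sub-IFD (Exif spec)
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # bytes per element: BYTE, ASCII, SHORT, LONG, RATIONAL
ENTRY = ">HHI4s"                             # a 12-byte IFD entry: tag, type, count, value-or-offset

def build_sample_jpeg():  # constructed stub (not a real photo): Exif APP1 segment holding a GPS IFD
    ifd0 = struct.pack(">H", 1) + struct.pack(ENTRY, EXIF_GPS_IFD, 4, 1, struct.pack(">I", 26)) + bytes(4)
    gps = (struct.pack(">H", 2) + struct.pack(ENTRY, 0x0001, 2, 2, b"N\x00")
           + struct.pack(ENTRY, 0x0003, 2, 2, b"E\x00") + bytes(4))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps     # IFD0 at offset 8, GPS IFD at 26
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"  # SOI, APP1, SOS, EOI

def _segments(jpeg):
    """Yield (offset, marker, total length) for each marker segment up to and including SOS."""
    pos = 2                                   # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, marker, 2 + length
        if marker == 0xDA:                    # entropy-coded image data follows SOS; stop walking
            return
        pos += 2 + length

def _read_ifd(tiff, end, off):
    for i in range(struct.unpack(end + "H", tiff[off:off + 2])[0]):  # entry count, then 12-byte entries
        yield struct.unpack(end + ENTRY[1:], tiff[off + 2 + 12 * i:off + 14 + 12 * i])

def gps_tags(jpeg):
    """Return {tag name: value bytes} from the GPS IFD, or {} if the photo carries no GPS block."""
    for pos, marker, total in _segments(jpeg):
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[pos + 10:pos + total]
        end = ">" if tiff[:2] == b"MM" else "<"   # byte order declared by the TIFF header
        for tag, _typ, _cnt, val in _read_ifd(tiff, end, struct.unpack(end + "I", tiff[4:8])[0]):
            if tag == EXIF_GPS_IFD:               # values > 4 bytes (RATIONAL coords) stay as offset fields
                return {GPS_TAG_NAMES.get(t, hex(t)): v[:TYPE_SIZE.get(ty, 1) * c]
                        for t, ty, c, v in _read_ifd(tiff, end, struct.unpack(end + "I", val)[0])}
    return {}

def strip_exif(jpeg):
    """Drop every Exif APP1 segment (GPS IFD included); every other byte is kept unchanged."""
    keep, pos = [jpeg[:2]], 2
    for start, marker, total in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            keep.append(jpeg[start:start + total])
        pos = start + total
    return b"".join(keep) + jpeg[pos:]        # SOS header kept; entropy data and EOI follow
```

Run `gps_tags` on a real photo before it is shared; if it returns anything, `strip_exif` removes the whole Exif block rather than editing individual tags, which is the safer default.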
Not everyone there was clueless, and some of the tools discussed and sold there were for stunningly invasive surveillance. The ISS tracks [pdf] show the players you might expect, like VUPEN, the seller of zero-day exploits, Gamma International showing off FinFisher for mobile phone monitoring, and other mass-intercept vendors exposed in WikiLeaks’ Spy Files.
Italy’s Hacking Team had several tracks about Da Vinci [pdf], including “a spy story about busting a terrorist organization by using the most advanced offensive technology” and a live demonstration of “unrivaled attack capabilities and total resistance to detection, quarantine and removal by any endpoint security technology.” Da Vinci can track a hundred thousand targets at once; it’s so stealthy that it’s invisible, untraceable, and defeats encryption.
Yet some spooks and other LEA “intelligence” professionals didn’t turn off Bluetooth, choosing instead to use it and public Wi-Fi in public places, and sent passwords and messages in the clear. Who knows, perhaps they would also have used public phone chargers, or kept RFID credit cards and IDs in their wallets? (An attacker can scan those from over 200 feet away, according to a "warning" Def Con sends the press.) All of that is unwise if you attend any security conference, especially Def Con and Black Hat USA. There's nothing wrong with learning new things, but this illustrates the poor cybersecurity hygiene of the people in charge of investigations and mass surveillance. There are plenty more “don’ts” for hacking conferences, but if you disregard them then you might as well go right ahead and use the ATMs in the hotel where the conference is being hosted!