Security Vulnerabilities in Covert CIA Websites

Back in 2018, we learned that the covert system of websites that the CIA used for communications was compromised by—at least—China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re now learning that the CIA is still “using an irresponsibly secured system for asset communication.”

Citizen Lab did the research:

Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.

The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.

[…]

The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:

  • Several are currently abroad
  • Another left mainland China in the timeframe of the Chinese crackdown
  • Another was subsequently employed by the US State Department
  • Another now works at a foreign intelligence contractor

Citizen Lab is not publishing details, of course.
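The two properties the Citizen Lab excerpt names as making the sites discoverable as a group (near-identical page artifacts across sites, and hosting on blocks of sequential IP addresses) are both things an operator can check for in their own inventory before deployment. The script below is an added example written for this post; it is not Citizen Lab's tooling or anything from the CIA system. It runs over a constructed inventory (the `.test` hostnames, documentation-range IPs and artifact strings are all made up) and reports the clusters that a shared-artifact fingerprint or an unbroken run of consecutive addresses would create.

```python
"""Self-audit for linkable infrastructure (added example, constructed data).

Given an inventory of sites one operator runs, flag the two properties the
Citizen Lab report says made the CIA's sites discoverable as a group:
byte-identical page artifacts served from several sites, and hosting on
sequential IP addresses.
"""
from collections import defaultdict
from ipaddress import ip_address
import hashlib

# Constructed inventory: hostname -> (IPv4 address, list of artifact bodies).
# The artifact strings stand in for fetched script/CGI resources.
SAMPLE_SITES = {
    "example-news.test":   ("203.0.113.10", ["<script src=/js/loader.js>", "flash-player-v2"]),
    "example-sports.test": ("203.0.113.11", ["<script src=/js/loader.js>", "flash-player-v2"]),
    "example-games.test":  ("203.0.113.12", ["<script src=/js/loader.js>"]),
    "example-blog.test":   ("198.51.100.7", ["<script src=/js/analytics.js>"]),
    "example-shop.test":   ("192.0.2.200",  ["<script src=/js/loader.js>"]),
}


def artifact_fingerprint(body: str) -> str:
    """Collapse whitespace and hash the artifact, so resources that differ
    only in formatting still fingerprint identically across sites."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()[:16]


def shared_artifacts(sites, min_sites=2):
    """Return {fingerprint: sorted hostnames} for every artifact that is
    served by at least min_sites distinct hosts."""
    seen = defaultdict(set)
    for host, (_ip, bodies) in sites.items():
        for body in bodies:
            seen[artifact_fingerprint(body)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) >= min_sites}


def sequential_ip_runs(sites, min_run=2):
    """Group hosts whose IPv4 addresses form an unbroken consecutive run
    when sorted by address; runs shorter than min_run are dropped."""
    by_ip = sorted((ip_address(ip), host) for host, (ip, _bodies) in sites.items())
    if not by_ip:
        return []
    runs, current = [], [by_ip[0]]
    for prev, cur in zip(by_ip, by_ip[1:]):
        if int(cur[0]) == int(prev[0]) + 1:
            current.append(cur)
        else:
            runs.append(current)
            current = [cur]
    runs.append(current)
    return [[host for _ip, host in run] for run in runs if len(run) >= min_run]


def audit(sites):
    """Human-readable findings: one line per linkable cluster."""
    findings = []
    for fp, hosts in shared_artifacts(sites).items():
        findings.append(f"artifact {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
    for run in sequential_ip_runs(sites):
        findings.append(f"sequential IPs link {len(run)} hosts: {', '.join(run)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SITES):
        print(line)
```

On the sample inventory the audit reports two shared artifacts (the loader script ties four of the five sites together, the Flash stub ties two) and one run of three consecutive addresses. Either finding alone is enough to collapse "unrelated" sites into one cluster, which is why an inventory check like this belongs before the sites go live rather than after a third party has run the same comparison.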

When I was a kid, I thought a lot about being a spy. And this, right here, was the one thing I worried about. It didn’t matter how clever and resourceful I was. If my handlers were incompetent, I was dead.

Another news article.

EDITED TO ADD (10/2): Slashdot thread.

Posted on September 30, 2022 at 9:19 AM • 13 Comments

Comments

Jordan Sherb September 30, 2022 10:31 AM

Classic relic of early internet tech thinking.

I hope someday humans quit being savages. It’s frustrating that such a high percentage are good people, but somehow they don’t control large social systems enough to end violence and poverty.

Chris September 30, 2022 12:14 PM

The flip side of this is that, the Internet Archive can be used by malicious governments, agencies, organizations, and individuals, to investigate and target the covert past behaviours of people who might have been helping the CIA (etc.) in the past. Or have participated covertly in any number of disapproved-of behaviours or associations.

The Internet Archive is a valuable tool. But if data is a toxic asset, then does the Internet Archive help to poison society as well?

iAPX September 30, 2022 1:50 PM

@Chris, All
Security researchers found some information through the Internet Archive.

Did you really think that China Intelligence doesn’t have the ability to do the same work? Or didn’t think about it?
Are you really implying that the Internet Archive, which is for me a great and useful project, should be shut down because of possible malicious usage?

Technology is agnostic, non-ideological, apolitical; every technology could be and has been used for malicious purposes, but globally they have made the world better.

JonKnowsNothing September 30, 2022 1:54 PM

@Chris

re: The XXX Archive can be used by malicious governments, agencies, organizations, and individuals, to investigate and target the covert past behaviours of people who might have been helping the ZZZ(etc.) in the past.

Any archive or data repository can do this. It doesn’t have to be the Wayback Machine, it can be any archive from Health Care History to Library Checkouts.

And they are used exactly for that purpose. Governments, People or Journalists trawl through ancient histories looking for “nuggets”. What did you write in the 5th grade? Did you make a spelling error on an essay? Can it be used to threaten you or compromise your current position?

iirc(badly) Some years ago, a political party in the UK (1) deleted their entire on-line archive of every speech, meeting, platform and essay that they had digitized from decades-old information on the party, its positions and leaders. They didn’t tell anyone they were going to do it, they just did it.

What surprised folks was that it was gone from the Wayback Machine too.

It’s not surprising; it’s an agreement that the Archive has to avoid copyright and other lawsuits. If the owner of a site doesn’t want to be included, there’s a spider opt-out for that.

  • ROBOTS.TXT

What people often don’t realize, if they only scan the first part of the standard, is:

  • There is an option to delete all the same-match content from the entire archive.

===

Robots exclusion standard

Specific spider-crawlers can use different keywords depending on crawler and target.

1) iirc it was the Tory Party. I dunno if they ever put back the deleted content.

SpaceLifeForm September 30, 2022 4:10 PM

@ JonKnowsNothing

The robots.txt file is just an Ask. The web crawling spiders can just ignore it as they move on to the digestible catches.

Clive Robinson September 30, 2022 7:24 PM

@ Bruce, ALL,

Re : CIA not up to scratch.

It’s been long well known that the CIA has the wrong cultural ethos in almost all respects so,

“It didn’t matter how clever and resourceful I was. If my handlers were incompetent, I was dead.”

It ranges from idiocy like deploying a six foot six white male disguised by a redhead wig into an area where the average male height is below six foot, and the complexion East Mediterranean with black hair, so,

“Stood out like a Swan Vesta on a charcoal briquette”.

Worse, the natives had a very ingrained superstition tying “red hair” to the devil…

But back in the 1950’s through 1980’s the CIA lacked “technical” of any form in house. Thus they were buying equipment off of the consumer market. Stuff that in some cases was not any better than the toys off of the back page of comic books and similar.

You can read up on this lack of in house technical ability in several books. Peter Wright’s “Spy Catcher” goes into some detail in the first half of the book and James Bamford and Duncan Campbell have written on it.

But the real issue was the “culture”: the behaviour of case officers that were obvious security risks was allowed to go on until the point they were beyond a liability. The other issue was it was “results driven” in just about all the wrong ways. That is, finding new informants was highly rated, but checking them out was not, nor was looking after them.

It was “American Culture” writ large, with all the “short term thinking” failures and cover-ups we see in US corporates that go bad (Enron etc).

But @Bruce, this problem is endemic whilst,

“Citizen Lab is not publishing details, of course.”

Might or might not be true; many others have. Try searching for OSINT based on CIA and ADS-B. Much about the CIA and its “methods and sources” has been revealed via ADS-B, and the shell corps and other obfuscation the CIA used to try to keep things hidden failed miserably.

The cost of joining the ADS-B game is,

1, A cheap laptop ($300)
2, A cheap SDR receiver ($100)
3, A suitable antenna ($75)
4, A suitable feeder ($50)

There is Open Source Software specifically for ADS-B that updates online databases.

The behaviour of many “secret organisation” aircraft gives away what they are; their flight paths can be traced back to their home airfield, and the tail numbers give away registration through a public database, to the bottom of the shell company structure. Then using other public databases it all gets traced back. And like a “rag cloth patchwork cover” the pieces, in fitting together, reveal much much more, including people’s names (technically a crime in the US). And this is what some completely untrained people do as a hobby…

Ted September 30, 2022 10:25 PM

Bruce, I believe you blogged about this in 2018?

https://www.schneier.com/blog/archives/2018/08/cia_network_exp.html

One thing I remember from that reporting was that a breached interim system had supposedly exposed a more secure comms platform. However, I don’t see that Reuters has offered more details on this aspect?

Rather we see excellent technical analysis by Marczak and Edwards on one facet of this exposure: details about the CIA’s overextended rudimentary website messaging system. There are some great visuals of this in the Reuters article.

I am wondering if the higher-end systems built for “top-tier informants” were this exposed? I am also amazed that the Iranian informants in this story were allowed to live to tell the tale. Visiting US consulates and embassies as an Iranian citizen has the potential to be risky in its own right.

JonKnowsNothing September 30, 2022 11:07 PM

@SpaceLifeForm

re: The robots.txt file is just an Ask. The web crawling spiders can just ignore it as they move on to the digestible catches.

True.

The point was that the Internet Archive Crawler doesn’t bypass what’s in the ROBOTS.TXT file. It actually processes the contents. If the correct command is in the file, the Archive will delete that site from the crawler list and from the archive … all of it.

You have to read the details carefully on the Archive Site about ROBOTS.TXT. The last time I bothered to read it, a good while ago, the gory bits were towards the end of the document.

It’s stated by the archive they are not a perfect history of the internet, nor can they be given the proliferation of sites. So things do get deleted. The implementation of deletion was done to end copyright infringement legal problems. Some software can be safely housed but other corporations prohibit any electronic copy of programs, source, media without a license. The Archive skips those sorts of sites and/or deletes any versions they may have previously collected.

The Archive is Up Front if something got deleted but Google? Do they honor the deletion command in ROBOTS.TXT? They claim they honor… some.

If Google really DID do a mass delete by site request, we wouldn’t have so much fun grinding through the site-snapshots looking for PASSWORD html instruction.

  • Who can say… only the Oracle knows such things. The Matrix Series….

JonKnowsNothing September 30, 2022 11:33 PM

@Clive @All

re: “secret organisation” aircraft gives away what they are, their flight paths can be traced back to their home airfield and the tail numbers give away registration through a public database, to the bottom of the shell company structure.

During the overt years of the USA CIA Rendition Program (which has never ended; the CIA just moved the destination camps), observers wondered how the USA-CIA was getting their hostages and victims from one end of the globe to another, so they started tracking aircraft.

Like all puzzles once you know the answer the problem seems trivial to solve.

Ireland was a favorite stop over.

PlaneA would land. PlaneZ would leave.

PlaneA never left. PlaneZ never arrived.

PlaneA fueled at previous airport with XXXXgallons of fuel == Flight RangeA
PlaneZ fueled in Ireland with YYYYgallons of fuel == Flight RangeB

XXXXGallons of fuel – YYYYGallons of fuel == Flight RangeP.

Flight RangeP just happens to be the distance from Previous Airport to Ireland.

Flight RangeA also indicates the distance to the next destination Airport.

In the vastness of the ocean distances, only Diego Garcia is located on land and has an airstrip big enough to land either PlaneA or PlaneB within Flight RangeA or Flight Range P, especially if the destination is Ireland.

Topping Up in Ireland on Duty Free…

iirc(badly) recently a young person was able to put together such a project to track Mega Oligarchs as they jetted about. M.Musk wanted the person to stop publishing his private jet routes… last I read, M.Musk did not make an offer the young person was willing to accept.

ResearcherZero October 2, 2022 12:43 AM

America’s Throwaway Spies

“the victim of CIA negligence”

A faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture him.
https://www.reuters.com/investigates/special-report/usa-spies-iran/

The communication system is faulty in more ways than one. When I was attacked I was provided with a CIA bodyguard, and an escort when needed. Other victims were not, everyone just pretended nothing was happening, even though they knew who was responsible. No one even bothered to inform the victims they were in danger. Unsurprisingly many of them are now dead.

If their lives were not important, then considering bugging devices were found in their homes, then perhaps at least the security of communications should be taken more seriously. As this device can also be used for eavesdropping, pretending it does not exist is a little short sighted.

CIA agents were targeted by a sophisticated microwave weapon while in Australia
https://www.9news.com.au/world/havana-syndrome-explainer-microwave-weapon-behind-havana-syndrome-attack-on-cia-agents-real/8f74e64c-1b02-4dfb-9fa9-98c7682d0652

“designed to target the living quarters in microwaves”
https://www.npr.org/2021/10/21/1047342593/long-before-havana-syndrome-u-s-reported-microwaves-beamed-at-an-embassy

Some individuals who are targeted, feeling unloved, may react negatively.

All employees deserve respect and a duty of care. That duty of care has now been missing since the discovery of the device, and those operating it, were identified more than 30 years ago.

Not all traitors are motivated by money like this guy.
https://www.justice.gov/opa/pr/former-nsa-employee-arrested-espionage-related-charges

ReacherZero October 2, 2022 1:02 AM

@Bruce

The police and the politicians were also incompetent, and any government department which may hold any records pertaining to you or manage the security of communications lines for any premises.

Dramatized reenactment of actual events in the 1990’s:

“The phone line is tapped.”

“The phone line is not tapped.”

“I’ve been watching the guy listening to the line. It has now been over a week since I first contacted you.”

“There is no record of an interception order on that line.”

“Your lines are tapped and your offices are also bugged, …d__kheads.”

“By the way I used another line to make this ca…”

BEEP BEEP BEEP BEEP BEEP

…eerp …I am dead.

“Thank you Mr Ambulance man.” …I am alive.

ResearcherZero October 2, 2022 1:18 AM

@Bruce

In truth it is a thoroughly unglamorous profession. When I was brought home from deployment my mother beat me.

“Stop dying!” [WHACKING SOUNDS]

“Your son is a hero madam.”

“He is not a hero! He is a d__khead!” [BEATING SOUNDS]
