SE Labs

Posts tagged 'spying'

Anatomy of a Phishing Attack

Who attacked a couple of Internet pressure groups earlier this year? Jon Thompson examines the evidence.

For those of us engaged in constructing carefully crafted tests against client email filtering services, the published details of an unusually high-quality spear-phishing attack against a low-value target make for interesting reading.

In this case, there were two targets: Free Press, and Fight for the Future. The attack, dubbed “Phish for the Future” in a brief analysis by the Electronic Frontier Foundation, is curious for several reasons.

Free Press is a pressure group campaigning for an open internet, fighting media consolidation by large corporations, and defending press freedom. Fight for the Future works to protect people’s basic online freedoms. Objectively, they’re working for a better online future, which makes the whole affair stand out like a pork buffet at a bar mitzvah.

The first thing that struck me was that the emails were apparently all sent during office hours. The time zones place the senders anywhere between Finland and India, but apparently resolve to office hours when normalised to a single zone.

Another interesting aspect is that even though the emails were sent on 23 active days, the attackers didn’t work weekends. This immediately marks them out as unusual. Anyone who’s run an email honeypot knows that commodity spam flows 24 hours a day.

The attackers first tried generic phishing expeditions, but quickly cranked up their targeting and psychological manipulation. This raises an interesting question: if you’re an experienced, professional, disciplined crew, why jeopardise the operation by beginning with less convincing samples that may alert the target to be on the lookout? Why didn’t they simply start with the good stuff, get the job done, and move on?

One possible explanation is that the attackers were trainees on a course, authorised to undertake a carefully controlled “live fire” exercise. Psychologically manipulative techniques such as pretending to be a target’s husband sending family photos, or a fan checking a URL to someone’s music, imply a level of confident duplicity normally associated with spying scandals.

The level of sophistication and persistence on display forms a shibboleth. It looks and smells somehow “wrong”. The published report reveals an attention to detail and target reconnaissance usually reserved for high-value commercial targets. Either the attackers learn at a tremendous rate through sheer interest alone, or they’re methodically being taught increasingly sophisticated techniques to a timetable. If it was part of a course, then maybe the times the emails were sent show a break for morning coffee, lunch and afternoon tea, or fall into patterns of tuition followed by practical exercises.

The timing of the complete attack also stands out. It began on 7th July, ended on 8th August, and straddled the Net Neutrality Day of Action (12th July). With a lot happening at both targets during that time, and one assumes a lot of email flying about, perhaps the attackers believed they stood a better chance when the staff were busiest.

So, to recap, it looks like highly motivated yet disciplined attackers were operating with uncommonly sophisticated confidence against two small online freedom groups. Neither target has the business acumen of a large corporation, which rules out criminal gain, and yet an awful lot of effort was ranged against them.

The product of phishing is access, either to abuse directly or to be sold to others. Who would want secret access to organisations campaigning for online freedom? Both targets exist to change minds and therefore policy, which makes them political. They’re interesting not only to governments, but also to media companies seeking to control the internet.

I’m speculating wildly, of course. The whole thing could very easily have been perpetrated by an under-worked individual at a large company, using their office computer and keeping regular hours to avoid suspicion. The rest is down to ingenuity and personal motivation.

We’ll never know the truth, but the supporting infrastructure detailed in the EFF report certainly points to some considerable effort over a long period of time. If it was an individual, he’s out there, he’ll strike again, and he learns fast. In many ways, I’d prefer it to have been a security service training new recruits.

The Government Encryption Enigma

Is Amber Rudd right about encryption? Jon Thompson isn’t so sure.

UK Home Secretary Amber Rudd recently claimed in an article that “real people” prefer ease of use to unbreakable security when online. She was met immediately by outrage from industry pundits, but does she have a point?

Though the article is paywalled, it has been reported elsewhere that Rudd asks in it, “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?”

Rudd name-checked Khalid Masood, who used WhatsApp minutes before he drove a van into pedestrians on Westminster Bridge killing three, and then fatally stabbed a police officer outside Parliament before being shot dead. However, Masood was not part of any MI5 investigation. In fact, a week after the attack, police had to appeal for information about him. His final WhatsApp message seems to have been the first sign that he was about to strike. The recipient was entirely innocent, and knew nothing of his murderous intentions.

There are plenty of other atrocities that were planned in part via social media apps, the attacks on Paris in December 2015 and the Stockholm lorry attack being just two. In the UK, the new Investigatory Powers Act 2016 (IPA), which caused so much fuss last year, can compel vendors to decrypt. So, why not just use that? The answer is somewhat complicated.

The IPA makes provision for Communications Service Providers to be served with a notice that they must remove encryption from messages to assist in the execution of an interception warrant. Apart from Providers needing access to private decryption keys, reports suggest that any move to enforce this measure would meet stiff opposition, and may not even be enforceable.

Many of the most popular secure messaging apps use the Signal Protocol, developed by Open Whisper Systems. This is a non-profit organisation and lies outside the UK’s jurisdiction, so its compliance would be difficult to obtain, even if the companies using the protocol agreed to re-engineer their platforms to include backdoors, or to lower encryption standards. There are also plenty of other issues to be resolved if Rudd is to get her way.

If the government mandates weaker encryption for messaging apps in the UK, then companies will face difficult business choices and technological challenges. It boils down to a choice: they could weaken their encryption globally, or they could just weaken encryption in the UK. But what happens if you send a secure message from outside the UK to someone inside the country? Can the UK authorities read it? Can the recipient, using a lower encryption standard, decrypt it? How would international business communications work if the UK office doesn’t use the same encryption standard as a foreign parent company?

This isn’t the first time the UK government has attempted to find an answer to the problem of encryption. Back in January 2015, the then-Prime Minister David Cameron gave a speech in which he said there should be no means of communication “which we cannot read”. He was roundly criticised as “technologically illiterate” by opposition parties, and later clarified his views, saying he didn’t want to ban encryption, just have the ability to read anyone’s encrypted communications.

Authoritative voices have since waded into the argument. Lord Evans, the former head of MI5, has recently spoken out about the problems posed by strong encryption: “It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”

Besides, if the government can decrypt all messages in the UK, won’t genuine terrorists simply set up their own “dark” services? Ten seconds on Google Search shows plenty of open source, secure chat packages they could use. If such groups are as technologically advanced as we’re led to believe, then it should be simple for them, and terrifying for the rest of us. Wouldn’t it be better to keep such groups using mainstream apps and quietly develop better tools for tracking them via their metadata?

Rudd’s argument that “real people” want ease of use over strong encryption implies that secure apps are in some way difficult to set up and require effort to maintain. The opposite is plainly true, as anyone who’s ever ‘butt dialled’ with their mobile phone can tell you.

Rudd’s argument also plays into the idea that if you have nothing to hide you have nothing to fear. While writing this piece, I accessed several dozen online information sources, from mainstream news reports of terrorist outrages to super paranoid guides for setting up secure chat services. I accessed many of these sources multiple times. I didn’t access any extremist material, but my browsing history shows a clear and persistent interest in recent atrocities perpetrated on UK soil, secure chat methods, MI5 and GCHQ surveillance methods, encryption algorithms, and so on. Joining the dots to arrive at the wrong conclusion would be a grave mistake, and yet without the wider context of this blog piece to explain myself, how would authorities know I’m not planning to be the next Khalid Masood or Darren Osborne? The answer lies in developing better tools that gather more context than just what apps you use.

Quantum Inside?


Is this the dawn of the quantum computer age? Jon Thompson investigates.

Scientists are creating quantum computers capable of cracking the most fiendish encryption in the blink of an eye. Potentially hostile foreign powers are building a secure quantum internet that automatically defeats all eavesdropping attempts.

Single computers far exceeding the power of a hundred supercomputers are within humanity’s grasp. 

Are these stories true, as headlines regularly claim? The answer is increasingly yes, and it’s to China we must look for much current progress.

The Quantum Internet
Let’s begin with the uncrackable “quantum internet”. Sending messages using the properties of the subatomic world has been possible for years; it’s considered the “gold standard” of secure communications. Chinese scientists recently set a new distance record for sending information using quantum techniques when they transmitted data 1,200 km to a special satellite. What’s more, China is implementing a quantum networking infrastructure.

QuantumCTek recently announced it is to deploy a network for government and military employees in the Chinese city of Jinan, secured using quantum key distribution. Users will send messages encrypted by traditional means, with a second “quantum” channel distributing the associated decryption keys. Reading the keys destroys the delicate state of the photons that carry them, so it can only be done once by the recipient, otherwise the message cannot be decrypted and the presence of an eavesdropper is instantly apparent.
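The "reading the keys destroys the photons" property is easiest to see in a simulation. The following is an added example, not code from the post or from QuantumCTek: a pure-Python model of BB84-style key distribution in which Alice encodes bits in one of two photon bases, Bob measures in a random basis, and the two keep only the positions where their bases matched. An intercept-and-resend eavesdropper has to guess a basis too, so she disturbs about a quarter of the sifted bits, and the error rate Alice and Bob measure on their shared key reveals her. The 11% abort threshold and the photon counts are parameters chosen for this example.

```python
"""Toy BB84 quantum key distribution with an optional intercept-resend
eavesdropper. Added example; the physics is reduced to its bookkeeping."""
import random


def bb84_exchange(n_photons, eavesdropper, rng):
    """Simulate one BB84 run and return the sifted keys (Alice's, Bob's).

    Basis 0 is rectilinear, basis 1 is diagonal. Measuring a photon in the
    basis it was prepared in returns the encoded bit; measuring in the other
    basis returns a random bit and leaves the photon in the measuring basis.
    """
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit = rng.randint(0, 1)
        alice_basis = rng.randint(0, 1)
        photon_bit, photon_basis = bit, alice_basis

        if eavesdropper:
            # Intercept-resend: Eve guesses a basis, measures, and forwards a
            # fresh photon prepared in her basis carrying the bit she observed.
            eve_basis = rng.randint(0, 1)
            eve_bit = photon_bit if eve_basis == photon_basis else rng.randint(0, 1)
            photon_bit, photon_basis = eve_bit, eve_basis

        bob_basis = rng.randint(0, 1)
        bob_bit = photon_bit if bob_basis == photon_basis else rng.randint(0, 1)

        # Sifting: Alice and Bob compare bases over a public channel and keep
        # only the positions where they happened to choose the same one.
        if alice_basis == bob_basis:
            alice_key.append(bit)
            bob_key.append(bob_bit)
    return alice_key, bob_key


def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where the two keys disagree (the QBER)."""
    if not alice_key:
        return 0.0
    mismatches = sum(a != b for a, b in zip(alice_key, bob_key))
    return mismatches / len(alice_key)


def run(n_photons=4000, eavesdropper=False, seed=1, abort_threshold=0.11):
    """Run an exchange and decide whether the sifted key can be trusted.

    abort_threshold is an assumed parameter: in practice Alice and Bob
    sacrifice a random sample of the sifted key to estimate the QBER and
    abandon the session if it is too high.
    """
    rng = random.Random(seed)
    alice_key, bob_key = bb84_exchange(n_photons, eavesdropper, rng)
    qber = error_rate(alice_key, bob_key)
    return {
        "sifted_bits": len(alice_key),
        "qber": qber,
        "abort": qber > abort_threshold,
    }


if __name__ == "__main__":
    for eve in (False, True):
        result = run(eavesdropper=eve)
        print(f"eavesdropper={eve}: {result['sifted_bits']} sifted bits, "
              f"QBER={result['qber']:.3f}, abort={result['abort']}")
```

Roughly half the photons survive sifting; without an eavesdropper the sifted keys agree exactly, and with one the disagreement sits near 25%, far above any realistic channel noise, which is why the intruder's presence is "instantly apparent" in the post's words.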

The geopolitical implications of networks no foreign power can secretly tap are potentially immense. What’s scarier is quantum computers cracking current encryption in seconds. What’s the truth here?

Encryption Under threat
Popular asymmetric encryption schemes, such as RSA, elliptic curve and SSL, are under threat from quantum computing. In fact, after mandating elliptic curve encryption for many years, the NSA recently declared it potentially obsolete due to the coming quantum computing revolution.

Asymmetric encryption algorithms use prime factors of massive numbers as the basis for their security. It takes a supercomputer far too long to find the right factors to be useful, but it’s thought to be easy for a quantum algorithm called Shor’s Algorithm.
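To make the Shor's Algorithm remark concrete, here is an added example (not from the post) that works through the algorithm's structure on toy moduli. Shor reduces factoring to finding the period r of a^x mod n; that period-finding step is the only part a quantum computer accelerates, and it is simulated here by brute force, which is fine for 15 or 3233 and hopeless for a 2048-bit RSA modulus. Everything else, the gcd post-processing that turns a period into a factor, is ordinary classical arithmetic.

```python
"""Shor's factoring algorithm with the quantum period-finding step replaced
by brute force. Added example for illustration, not a real attack on RSA."""
from math import gcd


def find_period(a, n):
    """Order-finding: the smallest r > 0 with a**r % n == 1.

    A quantum computer does this with the quantum Fourier transform; here it
    is a loop whose running time grows with n, which is exactly the cost that
    makes classical factoring of large moduli impractical.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_with_base(n, a):
    """One Shor trial with base a. Returns a nontrivial factor of n or None."""
    g = gcd(a, n)
    if g != 1:
        return g                      # a already shares a factor with n
    r = find_period(a, n)
    if r % 2 == 1:
        return None                   # odd period: this base tells us nothing
    y = pow(a, r // 2, n)             # a square root of 1 modulo n
    if y == n - 1:
        return None                   # the trivial root -1: try another base
    for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < candidate < n:
            return candidate
    return None


def shor_factor(n):
    """Try successive bases until one yields a nontrivial factor of n."""
    for a in range(2, n):
        f = factor_with_base(n, a)
        if f is not None:
            return f
    return None                       # no factor found: n is prime (or < 2)


if __name__ == "__main__":
    for n in (15, 21, 3233):          # 3233 = 53 * 61, a textbook toy RSA modulus
        p = shor_factor(n)
        print(f"{n} = {p} * {n // p}")
```

The lesson for a practitioner is where the hard part lives: every line above except `find_period` is cheap, so once a universal quantum computer can find periods modulo a 2048-bit number, the rest of an RSA private key falls out of high-school arithmetic.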

For today’s strong symmetric encryption, such as AES and Blowfish, which use the same key to encrypt and decrypt, the news is currently a little better. It’s thought that initially, quantum computers will have a harder time cracking these, only really halving the time required by conventional hardware. So, if you’re using AES with a 256-bit key, in future it’ll be as secure as a 128-bit key.
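The symmetric-key picture comes from Grover's algorithm, and the square-root speedup it gives can be watched directly in a small simulation. This is an added example, not code from the post: a state-vector model of Grover's search over 2^n entries, with the oracle implemented as a phase flip on the marked entry and the diffusion step as inversion about the mean. The number of iterations needed grows as the square root of the search space, so brute-forcing an n-bit key costs about 2^(n/2) steps instead of 2^n, which is the reasoning behind the 256-bit versus 128-bit comparison above. The qubit counts and marked entries are chosen for the example.

```python
"""Classical simulation of Grover's search on a 2**n amplitude vector.
Added example; it runs in exponential memory, so keep n small."""
import math


def grover_search(n_qubits, marked, iterations=None):
    """Run Grover's algorithm and return (iterations, P(measure marked)).

    The optimal iteration count is roughly (pi/4) * sqrt(N) for N = 2**n;
    running more iterations than that overshoots and the probability drops.
    """
    size = 1 << n_qubits
    amps = [1.0 / math.sqrt(size)] * size           # uniform superposition
    if iterations is None:
        iterations = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(iterations):
        amps[marked] = -amps[marked]                 # oracle: phase-flip the answer
        mean = sum(amps) / size
        amps = [2 * mean - a for a in amps]          # diffusion: invert about the mean
    return iterations, amps[marked] ** 2


def compare_with_brute_force(n_qubits, marked):
    """Put Grover's cost next to the classical expected number of guesses."""
    iterations, probability = grover_search(n_qubits, marked)
    size = 1 << n_qubits
    return {
        "search_space": size,
        "classical_expected_guesses": size // 2,   # on average half the keys
        "grover_iterations": iterations,
        "success_probability": probability,
    }


if __name__ == "__main__":
    for n in (4, 8, 10):
        summary = compare_with_brute_force(n, marked=(1 << n) - 3)
        print(f"n={n:2d}: space={summary['search_space']:5d}, "
              f"classical~{summary['classical_expected_guesses']:4d} guesses, "
              f"Grover={summary['grover_iterations']:3d} iterations, "
              f"P(success)={summary['success_probability']:.4f}")
```

Note what the numbers do as n grows: the classical guess count doubles with every extra bit while Grover's iteration count only grows by a factor of about 1.41, so each extra bit of key buys half a bit of quantum resistance. That is also why the post-quantum advice for symmetric ciphers is simply to double key lengths rather than to replace the algorithm.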

A Quantum Leap


How far are we from quantum computers making the leap from flaky lab experiments to full production? The answer depends on the problem you want to solve, because not all quantum computers are the same. In fact, according to IBM, they fall into three classes.

The least powerful are quantum annealers. These are available now in the form of machines from Canada’s D-Wave. They have roughly the same power as a traditional computer but are especially good at solving optimisation problems in exquisite detail. Airbus is already using this ability to increase the efficiency of wing aerodynamics.

More powerful are analogue quantum computers. These are much more difficult to build, and IBM thinks they’re about five years away. They will be the first class of quantum computers to exceed the power of conventional machines. Again, they won’t run programs as we think of them, but instead will simulate incredibly complex interactions, such as those found in life sciences, chemistry and materials science.

The most powerful machines to come are universal quantum computers, which is what most people think of when discussing quantum computers. These could be a decade or more away, but they’re coming, and will be exponentially more powerful than today’s fastest supercomputers. They will run programs as we understand them, including Shor’s Algorithm, and will be capable of cracking encryption with ease. While they’re being developed, so are the programs they’ll run. The current list stands at about 50 specialised but immensely powerful algorithms. Luckily, there are extremely complex engineering problems to overcome before this class of hardware becomes a reality.

Meanwhile, quantum computer announcements are coming thick and fast.

IBM has announced the existence of a very simple device it claims is the first step on the path to a universal quantum computer. Called IBM Q, there’s a web portal for anyone to access and program it, though learning how and what you can do with such a device could take years.

Google is pursuing the quantum annealing approach. The company says it plans to demonstrate a reliable quantum chip before the end of 2017, and in doing so will assert something called “quantum supremacy”, meaning that it can reliably complete specialised tasks faster than a conventional computer. Microsoft is also in on the action. Its approach is called StationQ, and the company has been quietly researching quantum technologies for over a decade.

Our Universal Future


While there’s still a long way to go, the presence of industry giants means there’s no doubt that quantum computers are entering the mainstream, but it’ll probably be the fruits of their computational power that we see first in everyday life rather than the hardware itself. So, solutions to currently difficult problems and improvements in the efficiency of everything from data transmission to batteries for electric cars could start appearing.

Life will really change when universal quantum computers finally become a reality. Be in no doubt that conventional encryption will one day be a thing of the past. Luckily, researchers are already working on so-called post-quantum encryption algorithms that these machines will find difficult to crack.

As well as understandable fears over privacy, and even the rise of quantum artificial intelligence, the future also holds miracles in medicine and other areas that are currently far from humanity’s grasp. The tasks to which we put these strange machines remains entirely our own choice. Let’s hope we choose wisely.

Inside the CIA…


Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast.” Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process”, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes “Knockover (sic) PSPs” and “Troll people”.

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: “Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”

Revealingly, User #71473 also likes to hack the home pages of other Users: “It’s 11:30… time to deface people’s unprotected user pages…”

User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User #71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯\_(ツ)_/¯

Amusingly, User #20873595 is keen for people to understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.


We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA

020 3875 5000