Data mining: Russian style

I do not usually bring my professional activities to the pages of Samizdata, but I have a very interesting little story to tell.

There are things going on out in Cyberspace of which most are little aware. Some will have heard reports saying Cyberwar backed by nation states will soon be able to bring down economies. Other reports equally vehemently say the idea is an over-hyped load of bollocks.

I can tell you from personal experience ‘on the front lines’ there are indeed goings on which I find difficult to explain without recourse to State backed Cyberwar activities as fact. I cannot give specific details: that would be violating customer trust. What I can tell is the broad brush tale of a rather interesting discovery I stumbled upon late one night.

I was trying to assist a ‘Road Warrior’ CEO in getting at his email. This was not my reason for being at the ISP working – I was there on a consulting job – but I was the only one available at that hour. Their customer was in Moscow on a business trip and was becoming more and more strident over his inability to read his office mail.

I began tracing the ISP’s systems and trying to pull needles out of haystacks of system and mail logs. At first I thought he was appearing through a different address than he claimed to be using in his hotel. Proving this was made more difficult by the Moscow hotel not having its systems properly set up.

Someone was reading his mail and it was not him. Furthermore, that someone was in Beijing. Most disturbingly, it was from a Beijing network through which, several years ago, I had a near penetration of a firewall of mine. A friend who was a reformed ‘black-hat’ could not even explain what had happened. They were that good. So seeing someone on the same network repeatedly picking up this CEO’s email was a nasty surprise. My investigation suddenly shifted from ‘help the idjit customer’ mode to defense and forensics.

I will not bore you with details. After conferring with some other network and security people I had a story that fit the facts. I cannot absolutely swear the following is what was going on, but I can make a fair case for it.

It seems old hardline KGB have a presence in China and they use Beijing as a cutout for some of their activities. Since the password had to get there somehow, I infer that either in the Moscow hotel or at a nearby Russian backbone node there is a data mining operation going on.

Imagine you are a businessman arriving in Russia for a trade show or other event. You check into the hotel and immediately use the internet connection to pick up your home office email. As you are not a network security expert, you do not realize your normal POP3 mail pickup sends a clear-text user name and password when your laptop connects to your office (or Gmail) server.

Your poor, unprotected little password gets scarfed up before it reaches the border. Along with other captives it gets passed on to the cutout operation in Beijing. Someone then connects and reads your mail. Presumably all the mail then gets dumped into a huge database where it can be cross-indexed and mined for proprietary data, internal data security info, blackmail possibilities and other attack vectors into your or other corporate networks.

I could be wrong. There are other scenarios… but not many. One must explain how a password journeyed to Beijing within no more than a day or two of the CEO’s Moscow arrival. This does not happen accidentally.

I find this all quite disturbing.

38 comments to Data mining: Russian style

  • On the more practical side of the matter, to avoid these data mining operations, how is one to secure their passwords if they have to travel frequently? Any suggestions?

  • JH

    Well for starters…

    The usual list of password do’s and dont’s apply: don’t use the same password for all accounts, make them hard to guess, change frequently, etc.

    If you have a lot of passwords to remember, a program like Password Safe is quite handy.

    On top of that…when in Moscow, Beijing, or wherever, don’t connect to systems that use cleartext passwords. These include things like POP3 email accounts, SMTP (outgoing mail), FTP servers, HTTP authentication (if not done over SSL), or for that matter any website that uses a username/password system that isn’t on SSL. For email, your safest bet is to use an IMAP based mail system, but that isn’t always possible. Avoid FTP and use SFTP/SCP when you can…SSH for remote console use. Most ISPs offer web based email nowadays, and most of these systems are run over SSL, so that’s probably the best way to check home and office mail. Incidentally, does anyone know if MSN/AIM/other IM protocols do encryption?
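
The failure mode the post describes at the top (a POP3 client handing over its username and password in the clear) and JH’s advice above to refuse cleartext logins, as an added example that is not from the post or from any commenter: a small Python analyzer that walks a captured POP3 session transcript and reports whether credentials crossed the wire before TLS was negotiated. Everything in it is constructed: the transcripts, the `C:`/`S:` capture prefixes, the address `ceo@example.com` and the placeholder password. It goes slightly beyond the page by also catching SASL `AUTH PLAIN`, whose base64 encoding is not encryption.

```python
"""Flag POP3 sessions that send credentials before TLS is negotiated.

Added example, not from the Samizdata post or its comments. The "C: " / "S: "
prefixes are a capture convention assumed here, not part of POP3 itself.
"""
import base64
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed sample: plain POP3 login, the default in many mail clients.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER ceo@example.com
S: +OK
C: PASS correct-horse-placeholder
S: +OK Logged in.
C: STAT
S: +OK 12 48293
C: QUIT
"""

# Constructed sample: client upgrades with STLS (RFC 2595) before logging in,
# so the wire shows nothing past the server's +OK.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: <encrypted from here on>
"""

# Constructed sample: SASL PLAIN with an initial response and no TLS.
# base64 is an encoding, not a cipher; the username and password are recoverable.
AUTH_PLAIN_SESSION = """\
S: +OK POP3 server ready
C: AUTH PLAIN {}
S: +OK Logged in.
""".format(base64.b64encode(b"\0ceo@example.com\0correct-horse-placeholder").decode())


@dataclass
class Finding:
    tls_before_login: bool                  # STLS accepted before any credential
    exposed_username: Optional[str]         # username visible on the wire, if any
    exposed_commands: List[str] = field(default_factory=list)


def _parse(transcript: str) -> Iterator[Tuple[str, str]]:
    """Yield (side, text) pairs for lines that carry the C:/S: capture prefix."""
    for line in transcript.splitlines():
        if line[:3] in ("C: ", "S: "):
            yield line[0], line[3:]


def analyze_pop3(transcript: str) -> Finding:
    """Walk one session and record credential commands seen before a
    successful STLS. Parsing stops at the server's +OK to STLS, because
    everything after it is encrypted and invisible to a passive observer."""
    finding = Finding(tls_before_login=False, exposed_username=None)
    awaiting_stls_reply = False
    for side, text in _parse(transcript):
        if side == "S":
            if awaiting_stls_reply:
                awaiting_stls_reply = False
                if text.startswith("+OK"):
                    # TLS only helps if no credential went out beforehand.
                    finding.tls_before_login = not finding.exposed_commands
                    break
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            awaiting_stls_reply = True
        elif verb == "USER":
            finding.exposed_commands.append("USER")
            finding.exposed_username = arg
        elif verb == "PASS":
            finding.exposed_commands.append("PASS")
        elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
            finding.exposed_commands.append("AUTH PLAIN")
            blob = arg.split(" ", 1)[1]
            try:
                parts = base64.b64decode(blob).split(b"\0")
                finding.exposed_username = parts[1].decode(errors="replace")
            except (ValueError, IndexError):
                pass  # malformed initial response; still counts as exposed
    return finding


def main() -> None:
    for name, session in [("cleartext", CLEARTEXT_SESSION),
                          ("stls", STLS_SESSION),
                          ("auth-plain", AUTH_PLAIN_SESSION)]:
        f = analyze_pop3(session)
        status = "OK  " if f.tls_before_login else "WARN"
        print(f"{status} {name}: exposed={f.exposed_commands} user={f.exposed_username}")


if __name__ == "__main__":
    main()
```

The same check applies to IMAP (`LOGIN` before `STARTTLS`) and SMTP (`AUTH` before `STARTTLS`); only the verbs differ. The mitigation side is the mirror image: a client should refuse to send `USER`/`PASS` unless STLS succeeded, or connect on the implicit-TLS port in the first place.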

  • Sunguh

    With all the choices available, there is no reason for employees to be sending anything in the clear…email or data.

    VPNs are a dime a dozen, everybody supports IPSEC now, OWA is built into Exchange and can be used with RADIUS and certificates on the cheap. There are tons of solutions out there.

    Even purpose built hardware encryption boxes can be had for road warriors.

    We use a Neoteris appliance with client certs for inbound web based access to encrypted email, citrix, and even terminal services. We’ve got Decrue boxes for our SAN. We’ve got VPNs for selected customers. One of my customers has neat little smart-cards that show an access code that changes every 60 seconds…no code, no access.

    Hell, biometrics.

    While no commercial data encryption is unbreakable, some authentication protocols are unbreakable unless you have physical access to the computers.

  • Julian Morrison

    Consider standardizing on gmail. They use https by default, it’s a zero setup system, and it has all the usual webmail advantages like remote access and platform independence.

  • Patrick

    Er, well, yes, then there’s gmail – if you don’t want just anybody stealing your data, make sure it is your mail provider?

  • Gmail uses an encrypted (https) connection for login, but switches to unencrypted when you go to your inbox.

    It is, of course, harder to catch such a page in transit than a single username/PW pair. But your mail messages are sent to/fro in the clear, unencrypted.

    Still, Gmail is a big improvement over using unencrypted POP-mail access. The “black hat” guy would have to dedicate a specific machine of his into a man-in-the-middle attack on your system’s network connection to successfully read ALL your mail.

  • Jesus Christ, Trainer, can I have that all again in English?

    /computing buffoon

  • Always assume everything you type is being monitored.
    It may not be. It probably isn’t. But you can’t ever (outside a few closed networks) be sure.

    At one stage I worked on an unusual Communications Network (ADCNET). This was the assumption we used, and our system was, shall we say, rather secure even by Milspec standards. Even then, we took no chances.

    Trainer has it right. Purpose-built hardware, so only the NSA and a select other few can view it, and even then, probably not in Real Time.

  • “It seems old hardline KGB have a presence in China and they use Beijing as a cutout for some of their activities.”

    Not sure how this anecdote supports such a conclusion.

    Thousands of other, mostly USA based “hackers” , spammers, phishers, malware writers etc. also use intermediary bastion hosts in China. These are either poorly secured systems or they just pay for “bullet proof” hosting there.

    As said trainer above, the answer is to use a Virtual Private Network (VPN).

    This allows you to connect to your office computer network, and all the functionality available as a workstation on that network, using an encrypted link over the Internet.

    It will be as secure as the VPN encryption, which can be “good enough”, and the security at the 2 link ends (to protect the encryption key). Thus if a virus or trojan compromises your portable or the office network, then the VPN encryption can be compromised too.

    You can protect further against the above compromise by using VPN hardware that is physically separate from the computer systems at each link end. This costs more and requires carrying of a bit of extra weight with your portable. However, it does provide better security.

    Best regards

  • Euan Gray

    For business mail, consider having the company use a more secure solution such as Lotus Notes with a private server over which you have complete control.

    For KGB involvement, try being less paranoid and don’t assume that just because someone went to Moscow then the KGB/FSB is stealing their identity and passing it on to the Chinese. As noted above, there is nothing in the story as posted that provides the remotest justification for such a conclusion.

    The likely motivator is money, not KGB conspiracy.

    EG

  • zmollusc

    This seems such an obvious problem that someone, somewhere, should have written a thing to automatically encrypt incoming emails and stick them onto an ftp (or whatever protocols you prefer) server.
    The CEO can then download the encrypted files and decode them off-line.

    The hardware requirement for the ftp server should be easily met by rummaging in the bins behind oxfam.

    Usual precautions setting up the server apply.

  • zmollusc

    ………….. also, some padding and manipulation of the incoming emails before may well be in order, if you are really paranoid about interceptions, although a good encryptionifier should do this for you.

  • Jacob

    So some spying happens?

    What else is new, Dale?

  • http://www.hushmail.com/ uses PGP encryption through a signed Java applet. That might take them a few hours to brute-force on a huge machine…

    GMail uses SSL for both login and SMTP and POP3. The login phase at least is secure.

    Re: large scale national espionage… I think that those who really have sensitive information also have the means to protect it. If your client wasn’t educated, it’s likely he wasn’t “in the know” anyway.

  • Andrew Duffin

    Is it not at least possible that this CEO was simply just as careless with his password as every other senior manager I have ever met?

    Or that the password was his favourite football team or his wife’s name or something like that? (Again, like every other senior manager I have ever met)

  • Julian Morrison

    “Gmail uses an encrypted (https) connection for login, but switches to unencrypted when you go to your inbox.”

    Nope, still HTTPS when I’m at my inbox.

  • Dale Amon

    The security solutions suggested are mostly ones used by larger organizations or very savvy tech firms. You could not even explain them, let alone sell them to most corporations that do not have dedicated IT departments, and even many that do would be overruled on price by the CFO and CEO.

    Do not believe for one moment that everything worth getting is inside the secure perimeter of companies with a dedicated CSO (Chief Security Officer).

    For those smaller operations which use ISP email, just try to sell them something more complex than bog standard pop3. They cannot deal with it. When they break it or misconfigure it, it is your fault, not their own ignorance. Throw on top of this a fairly cavalier attitude about the contents of their mail and whether they are hacked or not and you wind up with a goldmine for attackers.

    And to the couple who wonder about parts of the scenario… there are some bits of information which are privileged. I can’t tell you everything because embarrassing clients loses me work and takes food off my table. Telling specific details of information passed to me makes sources not do so in the future.

    I’ll stand by the scenario, given the sequence of events in the logs and the information passed to me by others in computer security.

    Yes, the other scenario is Chinese hackers. No the password was not an easy one. It was assigned. No there was no log signature of a dictionary attack on the POP3 server. First try and they were in.

  • Euan Gray

    And to the couple who wonder about parts of the scenario… there are some bits of information which are privileged. I can’t tell you everything because embarrassing clients loses me work and takes food off my table

    Is it not, then, a tad pointless posting speculative stuff suggesting paranoid conspiracy theories about the KGB and China? On the face of it, the article’s thesis is ludicrous and suggests too many nights in with John le Carre. If you have additional information which supports the somewhat odd contention, but can’t post it because of client confidentiality, then fair enough and one has to respect that.

    But the upshot is that by making half a post in this manner you are essentially saying that the FSB are nicking info from westerners and passing it on to the Chinese, that you have data to prove it, but that you can’t release it because it’s secret so we’ll just have to believe you.

    Yeah, right.

    EG

  • APL

    Euan Gray: “..but that you can’t release it because it’s secret so we’ll just have to believe you.”

    Nah! This was just a commercial break. Normal Samizdata programs will resume shortly.

  • Dale Amon

    Come on, Euan, it isn’t the least bit strange to think the KGB is lifting passwords on their own territory and using their own people in China to lift the data in a deniable way. This does not take very much paranoia at all.

    I can also tell you that when I send an email from Belfast to the US, it passes through at *least* three interception points. First the Northern Ireland Police; then MI5 in London; then the FBI in the US. Whether they choose to intercept my particular email is something I will never know. I only know, and very specifically from people in the network business, that they can.

    Why do you find it surprising that the KGB would run a datamining effort?

  • Dale Amon

    Oh, and I might add that even people who know better do very stupid things. I read an email from a fellow who ran a WiFi scan at a NANOG (North American Network Operators Group) conference and picked up guys telneting into their core routers to take care of emergencies at home…

    To those who do not know, many routers have only clear text telnet so the passwords are easily sniffable. A core router is what sits inside a major network provider and routes traffic between various external links. For many years Cisco did not provide ssh for their routers because the encryption load took too much away from the main job of the router, which is, pushing packets.

    So if even backbone network engineers do such dumb things, what do you expect from the non-engineer salesmen and managers?

  • Euan Gray

    it isn’t the least bit strange to think the KGB is lifting passwords on their own territory and using their own people in China as to lift the data in a deniable way

    It is, methinks, because:

    (a) Russia and China loathe each other and have done for all but a brief period of amity in the 1950s. It’s worth noting that Stalin’s money was on Chiang in the civil war and he wasn’t too keen on the communists winning.

    (b) China’s need for resources clashes somewhat with Russia’s desire to protect her own. There’s money for Moscow here, but also threat. Moscow has historically been wary of Chinese interest in the Russian Far East. How many times did the USSR and PRC engage in military exchanges along the Sino-Soviet border? It came close to all out war more than once, for precisely this reason.

    (c) Taken together, (a) and (b) strongly suggest there is little if any plausible reason for state cooperation in stealing the passwords of western salesmen, but….

    (d) Both Russia and China have fairly serious organised crime syndicates, and it is not implausible to suspect each has sources in the other country.

    (e) Both Russia and China have turned out large numbers of people extraordinarily proficient in computer hacking. It is by no means a state fiefdom, and the expertise seems fairly widespread.

    One should be wary of elaborate conspiracy theories. The probability of two nations who are at the best of times uneasily watchful of each other actively cooperating at a state security level to nick the passwords of western vacuum cleaner salesmen is slim. Why would they do it?

    The probability of organised crime syndicates exploiting vulnerably idiotic western vacuum cleaner salesmen in foreign countries for possible commercial gain or exploitation is somewhat higher, especially given the creaky nature of the Russian economy (leading to greater willingness of Russian hackers to sell skills) and the expansion of the Chinese (leading to greater willingness and ability to buy said expertise).

    It’s far, far more likely to be bent businesses, organised crime or a few individuals. It’s almost certainly not our friends in the FSB. Always believe cock-up before conspiracy, always believe crime before organised state espionage. In each case, the former is far more common than the latter.

    EG

  • Brock

    I have a sudden yen for a William Gibson novel …

  • Toulson Caffrey

    I have a sudden yen for a William Gibson novel …

    I know the feeling, but a certain Neal Stephenson novel might fit the bill even more…

  • Dale Amon

    I never said or implied the Chinese government was involved in anything except looking the other way. KGB (well FSB, but only the name has been changed, the people are the same). There is no elaborate conspiracy needed or suggested. All it takes is one operative and a PC in Beijing and perhaps a little trade of intel.

    I am afraid I will have to drop the subject at this point. Please note that no one else who actually seems to have extensive computer security experience has expressed the least doubts that this is likely.

    Brock: As to the Gibson reference… you have no idea how real some of it is becoming. Bot-nets, organized crime, virus writers for hire, military cyberwar teams… It is all real and it is all now.

  • It’s also easy to spoof email from CEOs or what not without a password even (though these folks would have surely been able to send email as well as read it).

    That’s why I recommend S/MIME signed emails.

    A brief overview is here:
    http://www.marknoble.com/tutorial/smime/smime.aspx

    Best of all, it works on all platforms – even with Gmail as long as you use a client to check the mail.

    By using S/MIME you can verify the sender’s identity – and when communicating with the folks back home (who presumably would have S/MIME configured as well) you would communicate via encrypted email.

    If you encrypt even unimportant things, it makes a brute force attack more of a needle in a haystack effort since they have to crack many bland emails and hopefully get tired of this before they get to anything important.

    Most folks I know only encrypt important things though – which merely advertises that the email should be snagged for processing. Not much of a risk with the local hacker, but for a larger effort backed by foreign nations it might be a trivial task.

  • Euan Gray

    I never said or implied the Chinese government was involved in anything except looking the other way

    Hmm, I think when you said:

    there are indeed goings on which I find difficult to explain without recourse to State backed Cyberwar activities

    in the original post I unaccountably got the impression that you thought there was state involvement and that, given that two countries are involved, those two states were cooperating.

    Having read and enjoyed many of your posts on Samizdata, I have long since come to the conclusion that you veer to the conspiratorial and/or complex explanation when the choice presents itself. You could be right, but I generally favour the mundane explanations since they usually turn out to be the correct ones. In this case:

    (i) he’s been surfing porn sites and downloaded a sniffer program, but for obvious reasons doesn’t want to admit how he spent his evenings in Moscow;

    (ii) alternatively, the CEO hasn’t a clue about how important passwords are and may have given it to God knows how many people. This is not uncommon, given the technical ability of the average CEO;

    (iii) the FSB could be behind it, but it seems far-fetched for a petty target (unless your man is CEO of Lockheed or some such);

    (iv) even if it is our friends from Lubyanka, it is more plausible that some Chinese group is bribing a corrupt FSBchnik to put his talents up for hire than that the state is interested;

    (v) whoever it is, if your man works for a company that uses POP mail for its internal correspondence it’s unlikely that company is significant enough to be of interest to the state.

    I personally favour (i) or (ii).

    I am afraid I will have to drop the subject at this point

    Busted, I think?

    no one else who actually seems to have extensive computer security experience has expressed the least doubts that this is likely

    “Possible” and “likely” are not the same. It’s eminently possible, but I suspect unlikely when there are so many more ordinary and plausible explanations available.

    EG

  • Dale Amon

    Euan. I think you are missing something. Data mining does not mean any great expense or effort. I am suggesting a couple of programs installed by the Russian State that simply grab everything. I do not think the guy in question was a target. I hardly expect there was any direct human involvement in what I saw at all. A sniffer program at the hotel system (I’ve actually designed and fielded such systems. I did the software installed in the Roosevelt Hotel and Roger Williams hotels in the 1999-2000 period, so I know it would be easy to do locally). It would also be easy enough to put a sniffer further upstream. The UK and US governments both have things like this. I ran one of the first ISPs in the UK so I heard a lot of details (and arguments when the UK spooks tried to get the backbone providers to not only give them the connection but to *pay* for it too).

    All you need is a server in Beijing. The ISP the things came from is one that would be likely for this sort of thing. Another program in place there… the program in Moscow sniffs passwords and queues them for service on the machine in Beijing; the machine in Beijing feeds the result back to a large database machine (in the US, the NSA does exactly this) where analysts can cross-correlate and call things up.

    This is not a vast conspiracy. It’s not difficult to do if you have the access and the desire. Other than the database machines it would hardly cost anything at all.

    I expect I could write all the code required in a couple weeks at most, other than the database machine… which they certainly must have already or else the FSB/KGB should hang up their spook spurs.

    I repeat. There is no vast cost. There is no vast conspiracy required. The Russians could do this easily.

    And I assure you the Russians are in the industrial espionage business.

    Do you have any network and programming experience? If you do not this may all seem difficult and esoteric. I assure you it is not.

  • Dale Amon

    Re-reading the above I see a possibility for miscommunication. I designed and wrote the software and put together the hardware for a hotel connectivity system, not a sniffer on said systems! If anyone has walked into a hotel room, clicked through a Terms and Conditions and had the use billed to their room… I did one of the earliest systems of that sort.

    I did not write sniffers for NYC hotels! But I could have. It would have been close to trivial to add it.

  • Euan Gray

    I am suggesting a couple programs installed by the Russian State that simply grab everything

    Why assume state involvement when numerous porn sites can give a wholly private sector method of grabbing usernames and passwords? And indeed do so on a regular basis.

    program in Moscow sniffs passwords, queues it for service on the machine in Beijing; machine in Beijing feeds the result back to a large database machine (In the US, the NSA does exactly this) where analysts can cross correlate and call things up.

    Possible. But so is this:

    CEO logs on to porn site out of boredom and unwittingly downloads a sniffer. He checks his email, and the sniffer grabs his login and password, sending it to wherever it is programmed to send it – presumably to some Chinese hackers in this case. Chinese hackers log in to his mail to see if there’s anything interesting.

    Are you not possibly suffering from confirmation bias? You’d like to believe that the nasty evil state is snooping on the innocent, therefore when a circumstance arises that could be explained by this you tend to believe that the state is not only a possible cause but the probable cause.

    I know perfectly well that the Russians are into industrial espionage. So is every other country that has an industrial economy, including Britain and the US. This doesn’t mean that every case of a business mail login getting nicked is industrial espionage.

    Which is more likely:

    (a) the Russian state in the guise of the FSB routinely nicks commercial login data and outsources a systematic mining operation to a huge and organised data processing subsidiary in an unfriendly nation as part of a comprehensive industrial espionage program, or;

    (b) some dumb CEO got his login hijacked when surfing for porn.

    EG

  • Dale Amon

    If it were a porn thing, it would have happened before. The sequence of events and the actual data I have simply does not support your theory. Sorry. Believe whatever you wish to believe.

  • Euan Gray

    If it were a porn thing, it would have happened before

    You haven’t provided any information which suggests it has not. Are you seriously suggesting that your man would be the first person ever to have his mail account compromised after visiting dodgy websites?

    The sequence of events and the actual data I have simply does not support your theory. Sorry. Believe whatever you wish to believe.

    I can only believe about this what you post. Your thesis consists of little more than “the state could have done it, therefore it must have been the state that did it,” which is, to say the least, uncompelling. There are numerous alternative explanations, all of which require less conspiracy, less unlikely combinations and more realistic human behaviour.

    It’s hard not to draw the conclusion that this is half a story fitted around an anti-state conspiratorial mindset with any data which could demonstrate the veracity or otherwise of the conclusion hidden behind a veil of client confidentiality. Not to be uncharitable, but you might as well have said “I think foreign governments are spying on us, and I could prove it but I won’t, so there,” because that’s really all it amounts to.

    EG

  • rosignol

    Are you not possibly suffering from confirmation bias?

    He might be. However, shady porn sites are in business to make money. They may scam your credit card, but they wouldn’t give a damn about your inbox on the corporate mail server.

    Seriously, the thing I’m most skeptical of is that such an operation would keep using the same network for more than a few months without moving. The other details are quite credible.

  • He had internet access in a Moscow hotel?!! What did he expect, sticking his laptop into the wall of a Russian hotel?

    He should stay at the Rossiya, he’d have no problems with cyber-security there!

  • ech

    A number of years ago (in the 80s), I got a security briefing on foreign travel as part of a job I had. The upshot was: assume every communications path (voice, data, fax) was being read by the local equivalent of the NSA & CIA. Assume every room you stayed in was bugged.

    This was not limited to the Communist Bloc countries. In fact, one EU country *cough*France*cough* was said to actively use their intel agencies to gather info on US companies.

  • Kristopher

    Go to http://www.cotse.net, and get an email and tunneling proxy account.

    Have their helpdesk help you get your machine set up ( LINUX is better for this, although a windoz box can fake it with PuTTY )

    The only thing thugs with packet sniffers will see is a 2048 bit encrypted tunnel to the cotse servers in MA. No cleartext traffic will emanate from your PC unless you screw up your setup.

    I don’t work for cotse, but I am a customer of theirs.

  • Obviously, a businessman’s email could provide great insight into approaching negotiations. Knowing where someone’s hard-stop bottom line price is lets you maximize your profit.

    We should not forget that the US had to ABANDON an embassy the Russians so graciously built for us because it was found to be wired from top to bottom with bugs.