Apr 7, 2016

Surveillance in the Information Age

 
Modern technology may have changed the surveillance process, but it has not eliminated the need for physical pre-operational surveillance. (ADAM BERRY/Getty Images)
"Surveillance in the Information Age is republished with permission of Stratfor."
Editor's Note:
Last week, Belgian authorities reported that a laptop used by one of the bombers in the March 22 Brussels attacks contained images of Belgian Prime Minister Charles Michel's home and office. The computer, found near the apartment where the bombs used in the Brussels attack were constructed, reportedly contained an audio memo made by Brussels Airport bomber Brahim El Bakraoui. The laptop had also been used to research a number of targets, including Michel, on the Internet. 
In light of the discovery, we are republishing this 2007 analysis, which examines how terrorists use the Internet to select and surveil their targets. Despite the significant technological advances since this column first ran, the limitations on the use of the Internet for terrorist tradecraft remain the same.
Those who conduct surveillance — either for nefarious or protective security reasons — frequently have used available technology to aid them in their efforts. In earlier times, employing such technology might have meant simply using a telescope, but in more recent years, surveillants have used photographic and video gear, night vision aids and electronic equipment such as covert listening devices, beacons and programmable scanners. These efforts have been greatly enhanced by the advent of personal computers, which can be used to database and analyze information, and the Internet, which has revolutionized information gathering.
Doubtlessly, modern technology has radically altered the surveillance process. What it has not done, however, is render physical pre-operational surveillance obsolete. Despite innovative Internet tools, a person sitting in an Internet café in Quetta, Pakistan, cannot get everything he or she needs to plan and execute a terrorist attack in New York. There are still many things that can only be seen in person, making eyes-on surveillance vital to pre-operational planning. And, as long as actual physical surveillance is required, countersurveillance will remain a key tool for proactively preventing terrorist attacks.

The Internet as a Tool


The Internet has proven to be an important asset for those preparing a surveillance operation. If the target is a person, open-source Internet searches can provide vital biographical information, such as the target's full name, address, occupation, hobbies, membership in organizations, upcoming speaking engagements and participation in charity events. It also can provide the same information on the target's spouse and children, while image searches can be used to find photos of the target and related people.
In most instances, public records checks performed on the Internet also can provide a vast amount of personal information about a potential target, including property, vehicle and watercraft ownership, voter registration data, driver's license information, criminal history, professional license information and property tax data. The property tax data can be especially revealing because it not only tells the surveillant which property the target owns, but in some jurisdictions can even include photographs of the front of the home and even copies of the floor plan. In addition, many commercial services will, for a fee, provide an extremely detailed public records dossier on a desired subject — often with little regard for how the information will be used.
There also are a number of Internet sites that offer maps and aerial photographs of specific locations. In videos released by the al Qaeda Organization for the Countries of the Arab Maghreb, the group has shown how it has used Google Earth to obtain aerial photographs to help it plan its attacks in Algeria.
An additional aspect of the Internet is that posters — wittingly or unwittingly — often meet hostile surveillants halfway, so to speak. For example, several environmental, animal rights, anti-globalization and anti-abortion groups have even gone so far as to publish lists of potential targets on their Web sites, frequently including personal data and sometimes also photographs. Real estate agencies also use the Internet to post detailed photographs, and even video tours, of homes on the market, which can provide additional information to surveillants. Buildings that lease office space also frequently post a great deal of online information. And, of course, many people are quite obliging to would-be surveillants and post a great deal of information about themselves — including numerous photographs — on blogs, personal home pages or networking Web sites like MySpace and Facebook.
Importantly, not only can surveillants use the Internet to collect an abundance of information on a person or location, they can do so quickly — and anonymously. Before the Internet era, hostile surveillants were forced to expose themselves at a far earlier stage in the attack cycle, if only to request information from a public agency or collect photographs to initially identify a person or location. Now, much of this information can be obtained without the need for surreptitious behavior or for providing false information — and from the comfort and safety of one's own home.
Of course, the Internet also can be used for protective reasons. Security managers, for instance, can conduct "cyberstalker" operations to determine how much information is available on the Internet regarding a person or building they are responsible for protecting. Though it is hard to get some information removed from the Internet once it is out there, it is important to realize that such information is available, and to identify where information vulnerabilities exist.

The Limits of Technology



One of the major problems associated with relying solely on information found on the Internet is the possibility of error. Because there is a great deal of erroneous information on the Internet, one cannot take every post at face value. Additionally, public data sources tend to have a considerable lag time (sometimes of several months) between an event and its posting on the Internet. For example, it is possible to pay a company to run a detailed public records profile on someone and then find that the person actually sold the property listed as the "confirmed" address on that profile two months earlier.
When information gathered from a source such as the Internet is not confirmed, it can lead to the failure of an entire operation. A militant group is unlikely to win much sympathy among its intended audience if it shoots the wrong person or leaves a timed incendiary device at the wrong residence (as the Animal Liberation Front did in June 2006). Furthermore, terrorist attacks require a large amount of time and effort, and in some cases utilize a large proportion of the resources available to a militant group. Such attacks also carry with them the possibility of death or long imprisonment for the person conducting them. They are, therefore, too costly to be conducted without adequate planning — and sophisticated planning requires information that can only be collected by conducting physical surveillance.
Biography data and photos, maps to help find the target's house, aerial photos of the target's property and even street-level views of a target's apartment building or home are very useful to operational planners. In fact, an operational commander can use these tools to help plan the surveillance and to quickly orient the surveillance and attack teams to the target and the area around it. However, even at their best, these sources of information provide a potential attacker with a static (and usually quite limited) view of a person or building. They simply cannot provide the richness of perception that comes from actually watching the building or person over time.
Additionally, the targeted person or building does not exist in a vacuum, and potential attackers must also have an understanding of the environment around the target if they are going to determine the best time, location and method for the attack, how best to take advantage of the element of surprise and how to escape afterward, if escape is called for in the plan. It is hard to place a target into context based solely on the information available on the Internet.
Internet information also cannot provide what is perhaps the most important element of operational planning: an understanding of human behavior. If the target is a person, the surveillance team is looking not just for static facts, but for patterns of behavior that will predictably place the target in an ideal attack site at a specific time. Internet research can reveal that the target owns two cars and works for a particular company, but it will not reveal which vehicle he drives to work or whether he has a driver, the time he leaves the house, the Starbucks he visits every morning on his way to work, or the odd little shortcut he takes every morning to avoid traffic.
If the target is a building, the surveillance team will be looking to define the security in place at the site and for gaps in the security both in terms of physical security equipment and in guard coverage that can be exploited. They will make diagrams of the building, including any bollards, cameras and access control measures. They also will monitor the guards to see how they operate, and note their level of training and alertness. Militant groups have been known to test the adequacy and response time of building security by attempting to park a vehicle illegally in front of a building or by entering the building without the proper identification. In the past, al Qaeda has even entered potential target buildings and collected detailed engineering data such as the measurements and locations of building support pillars, elevator equipment and air handling systems. This is simply not the type of information that can be obtained by looking at overhead photos or even at 3D street-level views of the targeted building on the Internet.
Though the Internet can provide surveillance teams with information that allows them to become quickly oriented to their target, and to condense some of the initial surveillance they would otherwise need to conduct, it has not been able to replace physical surveillance altogether. In fact, the same video in which al Qaeda's Maghreb node uses Google Earth to demonstrate how to plan attacks also shows operatives conducting physical surveillance of the attack sites. It also shows videos of attacks, meaning a surveillance team was on hand to record the event.
Although the Internet has become a valuable tool in the surveillance process, it has not come close to eliminating the need for eyes-on monitoring of a target. As such, countersurveillance remains a powerful and proactive tool in the counterterrorism toolbox.

Feb 16, 2016

Cryptographic tools are important for civil society and industry

2016-02-12
The availability of strong and trustworthy cryptographic tools is an important building block of a society and economy that depends more than ever on electronic services. The legitimate need to protect communication among individuals and public and private organizations has often been depicted as a threat to business models or even public security. At the same time, the lack of trust in digital services has been identified as an inhibiting factor for the digital market. This carries particular weight in view of the new agreements on the NIS Directive and the General Data Protection Regulation, which foster the trust of the public and private sectors in digital networks and services at national and EU level. However, in the light of terrorism and crime prevention, opinions have been voiced that cryptographic tools need to be regulated.
ENISA’s paper on the subject looks into several aspects of crypto regulation and their difficulties from a technical perspective. Key points ENISA focuses on are:
  • The use of cryptography might make lawful interception harder and thereby less efficient or even ineffective. While key recovery and escrow might enable lawful interception, they introduce new technological risks to IT infrastructure and might even damage the gathered evidence.
  • It is easy to bypass systems that allow key escrow or recovery; evidence of bypassing will only be found during an investigation.
  • Vulnerabilities that were left over from legacy policy have been abused to attack systems. Further, policy that limits the use of cryptography in commercial products can damage the IT industry.

Cryptography provides the tools necessary to protect assets in a highly computerised world. In the light of terror attacks and organized crime, law enforcement and intelligence services have requested means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by criminals and terrorists, and lower the trust in electronic services, which eventually will damage industry and civil society in the EU.
The issues mentioned are mere examples of currently widely used protection measures. Emerging privacy enhancing technologies might introduce even more challenges. To overcome these issues, ENISA is eager to support the Member States and competent EU bodies to perform further analyses and to define a balanced approach to move forward.

ENISA's paper is available here
For more on the subject please contact Dr Ikonomou, email: isdp@enisa.europa.eu
For press enquiries please contact press@enisa.europa.eu

Jan 18, 2016

Cyber Security and Resilience of Intelligent Public Transport. Good practices and recommendations



This study proposes a pragmatic approach that will highlight the critical assets of Intelligent Public Transport systems. It gives an overview of the existing security measures (good practices) that could be deployed to protect these critical assets and ensure security of the IPT system, based on a survey and interviews of experts from the sector, municipalities, operators, manufacturers and policy makers.
Read more: https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/good-practices-recommendations


