The report below -- announcing changes in Australian law to permit
the lead Australian LEA to hack into targeted computers with a Ministerial
warrant -- may mark an important event. I suspect it is a precursor of
things to come in the US and elsehwere as LEAs and intelligence agencies
come to terms with the widespread availability and use of strong cryptography.
While crypto effectively protects data in transit and (to a lesser
extent) operationally stored data, the relative vulnerability of the common
Wintel PC and other computers -- the end points of a crypto link -- make
them an obvious target for eavesdroppers foiled by cryptography.
This is not a new insight. The Australians (and the famous Aussie
Walsh Report on AU Crypto Policy) are only more public than other nations in
their shift to focus on the end-point computers as the primary vulnerability
of encrypted communicaton links.
One approach is to develop specialized black bag techniques, where a
burglar "under color of law" -- or with minimal or no concern for local Law,
in "intelligence" ops -- slips into a target's home or office to steal
disk-stored crypto keys, or to replace a target's crypto apps (SSL, SSH,
S/MIME, PGP, RSA SecurPC, etc.) with a corrupted or backdoored versions.
(I recall that a CIA operative arrested in the US on espionage
charges last year was described as a specialist in this. I think everyone
can take it for granted that such skills (both burglary and subversive
programming) are in great demand throughout the international intelligence
community, and will soon figure prominently in warranted LEA surveillance.
In Australia now; elsewhere soon. Perhaps everywhere eventually.
A burglar or a penetration agent who can switch copy crypto keys,
switch smartcards or a smartcard reader, load keyboard sniffers, or install
"dual purpose" crypto packages on a target's computer will probably always
be the most effective way of attacking an end-point computer --- but there
is also a huge universe of active network attacks (viruses, worms, ActiveX
modules, and more) that can also be used against networked computers.
This is a range of vulnerabilities, particularly for PCs, that
should be much more widely discussed and categorized. The elite Bugtraq and
NTBugtraq readers, black hat and white, may be on top of this stuff, but the
typical sysadmin just waits for his OS vendor to send him a patch, and the
typical user ignores it all in blissful ignorance.
And it isn't as if the vendors can just change their priorities and
make the world a better place. As W.H. Murray keeps pointing out, we install
more flawed new computers daily than the number which are, daily, being
fixed, patched, or upgraded. More to the point, some reports suggest that no
more than one percent of Unix sysadmin have actually installed all the
security patches that have been made available to them. <sigh>)
The NSA is still largely dependent upon passive intercept, according
to Agency lore, but it is also well-known in the intelligence community that
former CIA Director John Deutch in 1996 ordered a major redirection in NSA
budget priorities to foster more research into active attacks on target
computer and communication systems.
Of course, hackers, vandals, and cyber-savvy crooks are probably
also far more likely to exploit host vulnerabilities over the Internet than
they are to burglarize corporate offices.
Suerte,
_Vin
-----------------------------
The Sidney Morning Herald (Au)
"ASIO cleared to hack into computers"
Friday, March 26, 1999
http://www.smh.com.au/news/9903/26/pageone/pageone3.html
By BERNARD LAGAN and BEN POWER
Australia's domestic spy agency, ASIO, will be given sweeping powers to
hack into computers and place tracking devices on people and cars.
In the most far-reaching upgrade in a decade to ASIO's powers, the agency
will also be permitted to collect foreign intelligence in Australia and
pass the information to the Australian Secret Intelligence Service (ASIS),
the foreign spy agency.
The Federal Government is acting on the recommendations of a secret report
by ASIO's former deputy director, Mr Gerard Walsh, which was mistakenly
sent to public libraries and published on the Internet late last year.
His report - copies of which were later recalled by the Attorney-General's
Department - urged that ASIO be given the power to "hack" a nominated
computer system to "secure access to that system or evidence of an
electronic attack on a computer system".
The Attorney-General, Mr Williams, told Parliament yesterday the agency
would be able to access data stored on computers "through other means
which cannot presently be used".
The changes will allow ASIO officers, with ministerial approval, to gain
access to data stored in computers by "remote access" - commonly referred
to as hacking.
The change appears to give ASIO very broad powers to hack into any
computer system.
An explanatory memorandum issued by the Government about the changes says:
"The effect is to provide the minister with the power to authorise ASIO to
access and copy computer data where unauthorised access is otherwise
prohibited by Commonwealth or State or Territory law."
For the first time ASIO will have the powers to install tracking devices
on vehicles or even people - the devices are small beacons which transmit
signals to other locations.
Mr Williams told Parliament the devices were necessary for the more
efficient use of ASIO's resources.
The Walsh report had strongly urged that ASIO be allowed to use tracking
devices, saying "the absence of this investigative tool is a privation for
the Australian Federal Police, the National Crime Authority and ASIO".
Other changes will allow ASIO to expand its foreign intelligence gathering
within Australia by dispensing with the present need for it to obtain a
special warrant for each case.
According to the Government the change will allow ASIO to supplement
foreign intelligence gathered by other agencies, such as ASIS.
ASIO will be able to use information from the Australian Transaction
Reports and Analysis Centre (AUSTRAC) to follow money trails.
The changes also mean ASIO will be permitted to carry out security
assessments during the Olympics.
------
-----
Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --
