Friday, March 26, 2021

Current and Future Assessment of U.S U.K and German Cyber Intelligence and Cyber Surveillance Programs and Tradecraft - An Analysis

Spooked by evil aliens? Did the Klingons did it again? Worry about your latest and very greatest porn collection leaking online? Thinking about your IP (Intellectual Property) as if it were U.S National Security? Want to find a meaningful way to contribute to a bigger cause - The U.S Intelligence community. Keep reading.

In this rather long analysis I'll walk you though all the currently relevant U.S Intelligence Community Cyber Intelligence and Cyber Surveillance programs in non-alphabetical order with the idea to provoke a meaningful discussion on current tactics techniques and procedures courtesy of the U.S Intelligence community how you can protect yourself and most importantly how the U.S Intelligence community can "perform better" including practical software applications and services solution based recommendations for general users and organizations.

The data in this research has been obtained from Cryptome.org the Snowden archive and the Electrospaces.net research blog including the following archive.

For this purpose of this article I'll discuss the ABSOLINE EPILSON Top Secret and Classified program and use it as example into how modern cyber surveillance and eavesdropping courtesy of the U.S Intelligence Community and nation-state including rogue actors works for the purpose of establishing the foundations for a successful discussion on the basis of which I'll offer practical and relevant examples on the basics of how you can properly protect yourself from modern cyber surveillance and eavesdropping campaigns courtesy of nation-state actors including rogue actors.

Program name: ABSOLINE EPILSON - PDF - "This paper describes standard analysis techniques that have been used to both discover iPhone target end point machines and implant target iPhones directly using the QUANTUM system. It shows that the iPhone Unique Device Identifier (UDID) can be used for target tracking and can be used to correlate with end point machines and target phone. It highlights the exploits currently available and the CNE process to enable further targeting."

Current status: The current status of the program is active in terms of possible collerations between iPhone user ID's including an end user's end point Internet user activities in terms of traffic and Web site cookie acquisition for the purpose of interception profiling and active monitoring.

How it works: Every mobile has a unique ID? The problem? It tends to "phone back" to a manufacturers infrastructure and can be uniquely attributed to an end user including -- possibly -- to their end point potentially acting as the "weakest link" potentially exposing and end user's end point Internet activities to the U.S Intelligence community.

The digitally naughty part: Data colleration on a third-party device for the purpose of exposing the actual infrastructure behind the device including related end-points and related devices associated with the user in question - is nothing new. The digitally naughty part? It can be done - and the mobile device in question -- an iPhone -- in this particular case can be easily labeled as the "weakest link" in a possible corporate and end user private environment.

How you can make it work better: Shipping and delivery including supply chain infiltration tactics for the purpose of collerating unique mobile device IDs to a specific isn't new including possible "purchase-order-to-user-ID" colleration and data infiltration through basic social engineering and offensive CNO-based tactics. Potentially launching a targeted and geo-located phishing campaign on a per country city-basis could definitely lead to a positive results in terms of good old fashioned social engineering campaigns in terms of exfiltrating the necessary data including mobile device IDs including possible browser-based Web-based decoys for the purpose of further exposing an end user or an organization's private network and the necessary collerated end point devices.
  • Target application-isolation software and service solution providers and owners - launching a variety of malicious and fraudulent potentially disruptive type of attack campaigns should be considered as as option for the purpose of ensuring that the project owner's time remains spend on fighting the malicious attacks including the eventual slowing down of the project development including the project's eventual shutdown. Possible portfolio of attacks might include online identity discrimination including spear phishing campaigns DDoS attack campaigns including possibly mail-flood attacks including possibly TDoS (Telephony Denial of Service attacks) against a variety of tailored and predefined project owner's contact points.
  • Develop an internal bug-bounty program for sand-boxing and application isolation software and service providers - crowd-sourcing the bug bounty through public and official channels including the possible outsourcing of the bug hunting process through third-parties while offering the necessary financial incentives might be the best approach to undermine the credibility of the project including the actual owner's credibility and reputation to maintain and operate the project.
  • Aim to wage disruptive warfare against private project owners - it should be clearly noted that modern Intelligence Agencies have the capacity to wage disruptive warfare against private project and software owners using a variety of means which include a variety of technical and human-oriented online disruption tactics which should be easily considered as a threat to the project and software owner's existence where the appropriate measures to protect their online assets should be taken into consideration
  • Passively measuring and estimating product market-share for Targets of Opportunity - modern Intelligence Agencies have the potential to easily measure the product or project that also includes the software's market share in an attempt to better position a disruptive campaign targeting the project owner including the software owner in a variety of ways and positioning the project owner including the actual software owner as a Target of Opportunity to participate in related mass surveillance and eavesdropping campaigns
How you can take measures to protect yourself: Consider obtaining one of the following "stripped" mobile devices in terms of hardened mobile OS offering in-depth and multi-layered security and privacy protection features for the purpose of bypassing wide-spread surveillance techniques and techniques. Ensuring that you possess a "stripped" mobile device is crucial for ensuring the necessary degree of personal privacy to stay ahead of current and emerging Cyber Threats including wide-spread privacy violations courtesy of the U.S Intelligence Community and various other nation-state and rogue actors including cybercriminals.

On the majority of occasions modern cyber surveillance and eavesdropping campaigns on passive or active SIGINT which has to do with legal and passive lawful surveillance techniques which also includes offensive techniques such as for instance direct attempts to interact with someone's online infrastructure in place for the purpose of compromising and obtaining direct access to their digital assets including personal information.

Among the first things that a concerned user should take into place would be to ensure that a proper network security is taking place going beyond your ISP's supplied network router which "definitely" comes with a built-in antivirus and anti-malware solution in place in particular the use of pfSense which offers advanced and market relevant security and IDS/IPS (Intrusion Detection System and Intrusion Prevention System) including build-in sophisticated malicious Web site blocking features which also includes a modern and relevant geolocation-based security solution in place. The same goes for Cisco Firepower ASA which is a highly recommended and market relevant network-based protection including IDS/IPS solution in place. Both devices are easily adoptable and a cost-effective solution for basic network level protection mechanisms that can greatly assist against widespread nation-state surveillance and eavesdropping including active computer network exploitation (CNE) attempts.

Among the key benefits of using such type of device would be to ensure that no incoming traffic is allowed to enter the network using a basic network level access policy which has the potential to greatly mitigate a huge number of attack campaigns including active network reconnaissance campaigns. The second logical approach would be to utilize publicly accessible that also included proprietary sources of real-time threat intelligence information for the purpose of ensuring that current and emerging threats are properly taken care of such as for instance publicly accessible Web site blocking and URL reputation lists that also included proactive and reactive solutions as for instance Snort which offers a pretty good coverage of current and emerging cyber threats that also includes a variety of high-profile and relevant network-based including DoS (Denial of Service) and network reconnaissance type of threats. 

It should be clearly noted that both the public and free instance of Snort offers an in-depth network-based and sophisticated current and emerging threats type of protection and that the rule set gets properly updated on a daily basis with relevant signatures for a variety of threats which should be considered as a must use including Cisco's proprietary Snort rule set which also gets updated on a periodic basis which also includes that use of Cisco's Threat Grid in terms of offering real-time protection against current and emerging threats including the geolocation-based firewall which basically allows a user to only allow access to a specific country's online assets and to also deny access to the majority of countries internationally potentially mitigating a possible breach and intrusion scenario where an attacker would attempt to phone back and actually attempt to access the compromised network which is a where a geolocation based firewall comes into play properly protecting a network and its infrastructure from possible leaks and malicious software attempting to phone back including possible IP (Intellectual Property) leaks which could easily allow a nation-state or a sophisticated online to easily map and attempt to build a bigger picture in terms of a company or an end user's online activity for the purpose of establishing the foundation for successful and related type of malicious attack campaigns launched against a specific network or an end user.

Among the basic principles that should drive an individual or an organization that seeks to protect itself from modern nation-state or rogue actors type of threats should include the use of community driven and basically commercially free services and products which also include the use of Snort including the use of Cisco's global threat intelligence grid for the purpose of preventing and responding to modern cyber attack outbreaks including currently active and live threats.

Yet another highly recommended and extremely relevant in  terms of proactive and reactive protection feature courtesy of Cisco's Firepower ASA appliance is the Botnet Traffic Filter feature which offers an additional set of botnet traffic mitigation features which basically protects a compromised network from possible data leaks and possible attempts for the malicious software to actually phone back to a rogue and malicious infrastructure.

For users interested in protecting their mobile device from possible mass surveillance and eavesdropping campaigns there are several scenarios which should be considered such as for instance the use of VPN on a mobile device including actual real-time and email communication which should be properly encrypted using for instance PGP including modern real-time communication protections mechanisms such as for instance the use of XMPP/Jabber's OMEMO real-time encryption feature including the use of stripped and proprietary mobile devices which greatly mitigate the threat posed by modern mobile malware in the context of using a proprietary operating system which often offers an additional layer of security and privacy for the user.

Recommended "stripped" mobile devices to use potentially preventing widespread surveillance efforts including personal privacy violations:
The next logical step would be to ensure that the metadata on the device in terms of Web browsing including possible public and proprietary service use is properly obfuscated. Among the primary concerns whenever you choose to obfuscate a particular set of data would be possible supply-chain infiltration on behalf of the U.S Intelligence community in particular purchase orders that would further allow me to collerate and potentially identify a particular end user based on the actual supply-chain infiltration. One of the primary concerns in today's modern Internet world largely dominated by wide-spread surveillance courtesy of the U.S Intelligence Community including rogue and potentially malicious actors including nation-state and cybercriminals is the direct exposing of an individual's private network including possible collerated-based events that could potentially identify and track down a particular individual. 

In terms of mobile device obfuscation the end user is largely advised to take advantage of personal firewall for the purpose of monitoring outgoing and incoming connections on the device in particularly blocking all-incoming connections and closely monitoring outgoing connections. Furthermore, what an end user can potentially do in terms of hardening their mobile device is to ensure that it does not leak back any internal IP addresses including possibly the device MAC address potentially exposing the device user's internal and private network potentially falling victim to "ABSOLINE EPILSON" type of end point and mobile device targeting type of attacks and campaigns courtesy of the U.S Intelligence Community including other rogue factors including nation-state actors and cybercriminals in general. How you should proceed in order to archive this process? Keep reading.

Next to the general use of "stripped" mobile devices end users should also consider the following highly recommended tactics techniques and procedures for the purpose of protecting their IP (Intellectual Property) including their mobile device and end point device's confidentiality availability and integrity:
  • WebCRT - Among the most common privacy-exposing scenarios in terms of "ABSOLINE EPILSON" remains the active utilization of unsecure browsing habits namely a misconfigured browser in terms or browser extension including the newly introduced "local IP exposing" WebCRT feature found in a variety of browsers. What should end users better do to protect their local IP including adding additional privacy and security features to their browser? Keep reading. The first thing a user should ensure from a network-based perspective is that their browser fingerprint remains as private as possible including the inability of the U.S Intelligence Community.
  • Personal Host Based Firewall - the first thing to look for in a personal firewall is a bi-directional firewall functionality allowing you to block all incoming traffic and successfully allowing you to allow all ongoing traffic based on a variety of rules including possible white-listing. The next logical step would be to implement basic ARP-spoofing prevention solution for the purpose of ensuring that your ISP including VPN provider cannot perform basic ARP-spoofing attack campaigns which could compromise the confidentiality of the targeted host and expose to it a multitude of network-based attack deception attack campaigns.

  • HIPS-based firewall - a decent and highly recommended solution to protect end points from malicious software including web-based client-side exploits who might attempt to drop malicious software on the affected hosts include the use of host-based intrusion prevention system which has the potential to stop a wide variety of threats that have the potential to expose an end point to a multi-tude of malicious software such as for instance the use of Comodo Firewall which is a highly relevant and recommended solution for a huge number of end points in terms of offering advanced and sophisticated malware protection mechanisms.
  • Basic Network Deception - it should be clearly noted that every network is a subject to possibly compromise including automated and targeted attacks which could be easily prevented and actually allow a network operator or a network user to gather the necessary cyber attack information which could easily offer an in-depth peek inside the activities of the cyber attacker in particular the type of information that they're interested in obtaining. Case in point would be the use of a proprietary network-based deception appliance such as for instance Thinkst Canary including the use of the Nova Network Deception Appliance which empowers a network operator with a sophisticated network deception techniques which allows them to trick a cyber attacker into falling victim into a rogue network-based assets with the actual network operator in a perfect position to gather intelligence on the real intentions of the cyber attacker while properly protecting their infrastructure from malicious attackers
  • Custom-Based DNS-based DNSSEC-based servers with no logs policy - worry about the U.S Intelligence Community and your ISP eavesdropping on your traffic and Web browsing history potentially launching man-in-the-middle attacks? Consider utilizing basic free privacy-conscious DNS service provider with DNSSEC-enabled no-logs policy such as for instance - DNS Watch - which you can freely use without worry that your Web browsing history and DNS request history will be logged and potentially abused. A possible logical recommendation in the context of improving an end-point's in-depth security strategy might be the utilization of the so called protective DNS which offers an in-depth protection techniques and is often available online for free. Case in point is the use of Cisco's Umbrella solution which offers an in-depth protection mechanism and is available to end users and organizations online for free.

Windows-based users should definitely consider using and learning how to use the Advanced Tor Router application which basically offers a diverse set of unique privacy-enhancing and privacy-preserving featuring while utilizing the Tor Network further ensuring and offering a free solution for end users interested in preserving their Web browsing activities including possible network-wide Tor Network adoption on per OS and on per application-based basis. What does this application has to offer in terms of unique privacy-preserving features? Basically it offers a variety of unique and never presented or discussed before type of Tor-Network and end-point privacy-enhancing or preserving features further ensuring that the end user will remain properly protected from sophisticated network-based and client-based type of attack campaigns potentially aiming to identify and expose their identity. What's worth emphasizing on in terms of the application is the unique set of privacy-preserving and oriented client-side feature in terms of possibly privacy-oriented and secure browsing experience.

Sample Screenshot of the Privacy-Preserving Browser-Based Advanced Tor Router features:

  • Anti-forensics - it used to be a moment in time when users were primarily concerned with their browsing habits and use of online resources which is where specific browsers that don't log anything on the hard drive come into play. A possible solution and recommendation here include the use of the Sphere anti-forensics browser which doesn't log anything on the hard drive and should be considered as a decent anti-forensics solution for anyone who's interested.
  • VeraCrypt containers - a proper full-disk encryption solution should be taken into consideration in case the user wants to protect their information and intellectual property from physical type of attacks that also includes the use of Virtual Desktops with built-in security and privacy mechanisms in place such as for instance the use of Comodo Secure Desktop
  • Application isolation - it should be clearly noted that a modern and in-depth defense strategy should include the use of application sandboxing solutions which has the potential to prevent a huge number of client-side based exploitation attempts including to actually protect an end user from a variety of Web based client-side exploits serving threats such as for instance the use of Sandboxie which is a free solution that actually works and has the potential to prevent a huge number of Web based threats that expose users to a variety of threats
  • Hardware-Based Isolation - a proper network based strategy should consist of a basic hardware-isolation methodology where for instance malicious attackers would have hard time trying to penetrate and compromise due an additional level of hardware-isolation applied methodologies and techniques
  • Whitelisting - although this approach has been widely discussed throughout the years it should be clearly noted that modern anti-malware solutions should be also providing a possible application whitelisting feature where users should only whitelist a basic application which would allow them to still perform their activities and basically block and prevent and execution of related applications
Sample tips for the purpose of ensuring a proper and secure installation of end-point security solutions include:
  • always password-protect your end-point software including possibly ensuring that the end-point security software can self-protect from having it shut down
  • always ensure that a manual update is properly taking place compared to automatic updates which leaves a window of opportunity for a possible network traffic colleration including possibly rogue and bogus update entering your network
  • ensure that you're not utilizing the cloud-database feature for the purpose of looking up your Web browsing history including possible host-based application execution which could lead to a possible data and end-point inventory colleration which basically leaves you with a properly secured "stripped" security solution that you can use to properly secure your end-point without the risk of having your Web browsing history exposes including your end-point application inventory which could lead to possible fingerprinting and inventory-mapping which could lead to possible targeted attacks

What would be an appropriate choice for a VPN-provider basically offering the necessary peace of mind in terms of network-based connectivity with privacy-enabled solutions in mind in terms of possible no-logs policy including related value-added features further enhancing the necessary privacy-based no-logs policy in today's modern Internet World with widespread surveillance and privacy-violations courtesy of the U.S Intelligence Community and various other rogue actors including nation-state and cybercriminals in general? Keep reading.

The next logical step would be to stay away from mainstream mobile devices citing potential Security and Privacy in mind including the use of a properly selected VPN service provider for the purpose of applying basic traffic obfuscation techniques including end-point network isolation in this particual context the end user and the organization should definitely look forward to implement a possible VPN provider actually "mixing" public legitimate jurisdiction-aware infrastructure with privacy-aware public or proprietary network technology - in this particular case VPN2Tor type of technology.

Mainstream VPN provider as an entry point to a proprietary hardened and privacy-features tailored network - such as for instance the Tor network - NordVPN is a highly recommended solution against "ABSOLINE EPILSON" type of end-point colleration-based targeting type of attacks. What do I have in mind? Basically the off-the-shelf commercial vendor is also currently capable of offering VPN2Tor type of access which basically offers a variety of privacy-enhancing features which basically can offer stealth and commercially-relevant solution which basically combines VPN functionality with access to the Tor Network which basically offers a high-degree of security and anonymity which can be used to protect against "ABSOLINE EPILSON" type of attacks in terms of traffic and geographical location deniability including possibly offering limited data-colleration capabilities on behalf of U.S Intelligence Agencies.


A proprietary off-the-shelf VPN service provider basically taking you a step higher in preserving your online privacy by introducing and actually providing a unique set of no-logs jurisdiction-aware type of encryption-protocols and basic traffic-mixing tactics and strategies - Cryptohippie.

Want to find out more? Are you interested in a possible evaluation of your organization's Security Project or Security Product in terms of a Security Assessment or a possible OPSEC (Operational Security) based Privacy Features Evaluation? Interested in inviting me to speak at your event including possible sensitive and classified project involvement?

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!