Covert CIA Websites Could Have Been Found By an 'Amateur,' Research Finds (theguardian.com) 22
An anonymous reader quotes a report from the Guardian: The CIA used hundreds of websites for covert communications that were severely flawed and could have been identified by even an "amateur sleuth," according to security researchers. The flaws reportedly led to the death of more than two dozen US sources in China in 2011 and 2012 and also reportedly led Iran to execute or imprison other CIA assets. The new research was conducted by security experts at the Citizen Lab at the University of Toronto, which started investigating the matter after it received a tip from reporter Joel Schectmann at Reuters.
The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency's handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed "with high confidence" as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites. "Knowing only one website, it is likely that while the websites were online, a motivated amateur sleuth could have mapped out the CIA network and attributed it to the US government," Citizen Lab said in a statement.
The websites were active between 2004 and 2013 and were probably not used by the CIA recently, but Citizen Lab said a subset of the websites were sill linked to active intelligence employees or assets, including a foreign contractor and a current state department employee. Citizen Lab added: "The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behavior." CIA spokesperson Tammy Kupperman Thorp said: "CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false."
The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency's handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed "with high confidence" as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites. "Knowing only one website, it is likely that while the websites were online, a motivated amateur sleuth could have mapped out the CIA network and attributed it to the US government," Citizen Lab said in a statement.
The websites were active between 2004 and 2013 and were probably not used by the CIA recently, but Citizen Lab said a subset of the websites were sill linked to active intelligence employees or assets, including a foreign contractor and a current state department employee. Citizen Lab added: "The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behavior." CIA spokesperson Tammy Kupperman Thorp said: "CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false."
take your meds (Score:1)
Why so butthurt over Democrats? Did they touch you where you bathing suit covers?
I know, it was lizard people in the basement of a pizza restaurant that touched you where you bathing suit covers. I'm sure the people on Fox told you so and fed you a ton of other bullshit to keep you watching and frothing at the mouth. All it shows is that you are a dimwit.
Re: take your meds (Score:2)
Re: take your meds (Score:2)
I just learned that ChrisChan was anti Trump. That means that the original AC isn't as smart as ChrisChan.
As if... (Score:1)
You'd think they'd do better. But sadly no....They're just as incompetent as the rest of us.
Re: As if... (Score:4, Funny)
You mean the Trump stolen documents?
Re: (Score:2)
And just as wilfully incompetent too. Can't be seen as not knowing, after all.
Don't get involved in espionage (Score:4, Insightful)
This should be a good reminder not to get involved in espionage. They'll never see you as any more than an "asset". You're only worth as much as the information you supply, and they'll cut you loose if they think you represent a risk to them.
Re: (Score:2)
What it has to do with, if true, is poor tradecraft. But then, a lot of things are 'obvious' after they are pointed out.
Re: Don't get involved in espionage (Score:2)
Cut loose - as in getting the throat cut.
If I were to communicate covertly I'd be doing it on 4chan by posting images wirh steganography encoded information.
Re:Don't get involved in espionage (Score:4, Interesting)
That's not a good argument. Sure, ultimately the CIA cares about acquiring information and they'll make the calls that best achieve that end. However, you could say the same thing about the military: they'll make the calls that best achieve their strategic objectives not what's best for the individual soldier.
And yet, the US military puts great stock in their commitment to No Man Left Behind. Not because the military brass are letting their emotions get the better of their strategic sense. Rather, because, in the long run the fact that our military personal know they can count on the military not to abandon them allows them to be a much more effective fighting force. The lack of such confidence in the Russian forces is part of why setbacks turn into routs.
Similarly, the CIA knows damn well that their ability to cultivate new assets depends on the perception that they'll be taken care of and won't be exposed. Sure, there are more cases where the CIA can get away with screwing over an asset without it becoming public but that's not what's going on here. This is just incompetence.
Re: (Score:3)
It's a great argument. The same argument also applies to joining the military in general. Not only can they throw you away, but it's not only legal but actually required to do so in some circumstances.
the CIA knows damn well that their ability to cultivate new assets depends on the perception that they'll be taken care of and won't be exposed
The CIA is an atrocity factory that pays shit, the only people who want to work there are hardcore ultranationalists.
Re: Don't get involved in espionage (Score:2)
So you don't get to be 007, that's the point you're trying to make? Ok...
That's not what they said... (Score:4, Insightful)
The CIA said:
" The notion that CIA would not work as hard as possible to safeguard them is false."
Citizen Lab said they were incompetent, not that they were lazy.
Link in article to reuters report broken (Score:4, Informative)
The linked article only includes a very superficial summary. It's based on the reuter's report which the article claims to link but that link is broken. Here is the link to the report.
https://www.reuters.com/invest... [reuters.com]
I was originally a bit skeptical since there is always the possibility of delibrate security failures to leak misinformation but based on the details in the report it seems like the CIA was just stupid. For instance:
But the CIA made identifying those sites easy, the independent analysts said. Marczak located more than 350 websites containing the same secret messaging system, all of which have been offline for at least nine years and archived. Edwards confirmed his findings and methodology. Online records they analyzed reveal the hosting space for these front websites was often purchased in bulk by the dozen, often from the same internet providers, on the same server space. The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street.
We fucking have a giant agency which is supposed to have expertise in this kind of thing, the NSA (not to mention the military cybercommand). Are our agencies so siloed or subject to petty rivalry the CIA couldn't just ask for expert assistance?
Re: (Score:2)
You obviously never worked for government agencies. The bad part isn't even that agency A doesn't want to play nice with agency B, the really bad part is that department X of agency A sabotages department Y of agency A for something stupid like budget reasons.
Re: (Score:2)
Budget sure, but even more concerning for pats on the head like quarterly awards that look good when it comes time for getting a promotion. Then you also have every mid and top level bureaucratic manager constantly re-organizing and micro-managing everything under them to put their own stamp on it. I've worked places where the naming/numbering for groups had been done so often and so frequently that you needed to know the previous half dozen designations for your office to function. And figuring out who was
Fortunately, only amateurs are looking (Score:2)
Because governments, all over the globe, pay SO badly that they can't attract anyone good anyway. And if both sides are blind in the Marco Polo game, you don't have to step up your game.