Sunday, January 05, 2014

NSA jams San Antonio garage openers; forensic cookie capers

A couple of stories related to digital forensics caught my eye this morning that may interest Grits readers.

NSA jams San Antonio garage openers
First, a Texas-specific item. It's a shame we have to read this from a German magazine instead of the Texas media, but there's a must-read story from Der Spiegel (Dec. 30) about the NSA facility in San Antonio that opens:
In January 2010, numerous homeowners in San Antonio, Texas, stood baffled in front of their closed garage doors. They wanted to drive to work or head off to do their grocery shopping, but their garage door openers had gone dead, leaving them stranded. No matter how many times they pressed the buttons, the doors didn't budge. The problem primarily affected residents in the western part of the city, around Military Drive and the interstate highway known as Loop 410.

In the United States, a country of cars and commuters, the mysterious garage door problem quickly became an issue for local politicians. Ultimately, the municipal government solved the riddle. Fault for the error lay with the United States' foreign intelligence service, the National Security Agency, which has offices in San Antonio. Officials at the agency were forced to admit that one of the NSA's radio antennas was broadcasting at the same frequency as the garage door openers. Embarrassed officials at the intelligence agency promised to resolve the issue as quickly as possible, and soon the doors began opening again.

It was thanks to the garage door opener episode that Texans learned just how far the NSA's work had encroached upon their daily lives. For quite some time now, the intelligence agency has maintained a branch with around 2,000 employees at Lackland Air Force Base, also in San Antonio. In 2005, the agency took over a former Sony computer chip plant in the western part of the city. A brisk pace of construction commenced inside this enormous compound. The acquisition of the former chip factory at Sony Place was part of a massive expansion the agency began after the events of Sept. 11, 2001. ...
One of the two main buildings at the former plant has since housed a sophisticated NSA unit, one that has benefited the most from this expansion and has grown the fastest in recent years -- the Office of Tailored Access Operations, or TAO. This is the NSA's top operative unit -- something like a squad of plumbers that can be called in when normal access to a target is blocked.

According to internal NSA documents viewed by SPIEGEL, these on-call digital plumbers are involved in many sensitive operations conducted by American intelligence agencies. TAO's area of operations ranges from counterterrorism to cyber attacks to traditional espionage. The documents reveal just how diversified the tools at TAO's disposal have become -- and also how it exploits the technical weaknesses of the IT industry, from Microsoft to Cisco and Huawei, to carry out its discreet and efficient attacks.

The unit is "akin to the wunderkind of the US intelligence community," says Matthew Aid, a historian who specializes in the history of the NSA. "Getting the ungettable" is the NSA's own description of its duties. "It is not about the quantity produced but the quality of intelligence that is important," one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed "some of the most significant intelligence our country has ever seen." The unit, it goes on, has "access to our very hardest targets."
Indeed, the unit maintains a catalog of spy tools, described in another Spiegel article, which "reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell."

Have a cookie, delete a cookie, give a cookie to a cop
Speaking of "getting the ungettable," while poking around various digital forensics blogs this morning I ran across this recent article on how to access incredibly detailed information from Google Analytics cookies, even if the computer user has deleted them. These techniques aren't available only to the NSA but also to workaday computer forensic folk at police departments and domestic security agencies. Wrote computer forensics examiner Mari DeGrazia:
The real power of the Google Analytic artifacts comes into play when deleted artifacts are recovered. By using Scalpel [ed. note: a file carving tool] and then parsing the carved files you can have some new data to play with and analyze.

Based on some initial and limited testing with Internet Explorer 11 and Windows 7, it appears the browser deletes then creates a new cookie when visiting a website rather than overwriting the old cookie. This means there could be a lot of cookies waiting to be recovered.
This technique not only allows forensic examiners to see what websites you visited and when but what keywords were used to get you there. In the faux example in the post, the last keywords listed on the spreadsheet created by the technique were "How to Clear History."

All kind of creepy, huh?
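
To show what "parsing the carved files" yields, here is an added example (not from the original post and not DeGrazia's tool) that pulls visit times and search keywords out of recovered text. It assumes the classic Google Analytics `__utma` and `__utmz` cookie layouts; the sample data and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed sample: text as it might appear in a carved cookie fragment.
# Every value here is invented for illustration.
CARVED = (
    "__utma\n173272373.1392018474.1388534400.1388707200.1388880000.3\nexample.com/\n"
    "__utmz\n173272373.1388880000.3.2.utmcsr=google|utmccn=(organic)|"
    "utmcmd=organic|utmctr=how%20to%20clear%20history\nexample.com/\n"
)

# __utma: domain hash . visitor id . first visit . previous visit . current visit . visit count
UTMA = re.compile(r"__utma\s+(\d+)\.(\d+)\.(\d{10})\.(\d{10})\.(\d{10})\.(\d+)")
# __utmz: domain hash . last update . visit count . source count . utmcsr=...|utmctr=...
UTMZ = re.compile(r"__utmz\s+(\d+)\.(\d{10})\.(\d+)\.(\d+)\.(utm\S+)")

def ts(epoch):
    """Convert a Unix epoch string to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()

def parse_utma(text):
    """Return visit history records from every __utma value found in text."""
    return [{"domain_hash": m[1], "visitor_id": m[2],
             "first_visit": ts(m[3]), "previous_visit": ts(m[4]),
             "current_visit": ts(m[5]), "visit_count": int(m[6])}
            for m in UTMA.finditer(text)]

def parse_utmz(text):
    """Return traffic-source records (including search keywords) from __utmz values."""
    records = []
    for m in UTMZ.finditer(text):
        # The tail is a pipe-separated list of key=value campaign fields.
        fields = dict(kv.split("=", 1) for kv in m[5].split("|") if "=" in kv)
        records.append({"domain_hash": m[1], "last_update": ts(m[2]),
                        "source": fields.get("utmcsr"),
                        "medium": fields.get("utmcmd"),
                        "keyword": unquote_plus(fields.get("utmctr", ""))})
    return records

if __name__ == "__main__":
    for rec in parse_utma(CARVED) + parse_utmz(CARVED):
        print(rec)
```

Because the patterns match anywhere in a block of text, the same functions work on fragments recovered from unallocated space as well as on intact cookie files.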

7 comments:

Anonymous said...

Very very interesting, thank you!

Anonymous said...

The fact that Windows (not the browser) does not overwrite files (including cookies) when they are deleted is nothing new; MS operating systems and other OSes have been doing this for years (decades actually) and it is common knowledge among the computer literate.

Indeed, many utilities for recovering deleted files rely on this fact.

If you want to make sure that a file is deleted then you need to use a secure deletion utility. OSX has this built in.

An Attorney said...

So the jamming was accidental due to broadcast signals on a frequency. Could have happened with any of a variety of other signal generating sources. I seem to remember that some consumer electronics did not work well during a former peak sun spot activity period, due to electronic signals generated by the sun.

Robert Langham said...

But just terrorists, right? I mean, they aren't like the IRS and some of the other big agencies who do partisan work for the Democrats? Right? Right? They only go after terrorists?

Gritsforbreakfast said...

It all depends, Robert ... what are you keeping in your garage? ;)

Gritsforbreakfast said...

@10:44, read the second link on the topic in the post for what's different about Google Analytics cookies:

"For the most part, cookies were used to show that a user account had accessed a Web site. Since no set structure for cookies existed, determining the content’s meaning was problematic. With the advent of Google Analytics (GA) cookies, that has changed. GA cookies use a set, documented structure that enables a forensic investigator to obtain useful information about a computer’s user."

Anonymous said...

I seem to recall the SA Express-News running a story about the garage door openers a few years back.