Month: October 2015

[Dutch] Mid-20th century: eavesdropping on teletype/cipher machines via EM echoes of keystrokes (source: Kluiters, supplement, 1995)

Below are two fragments about eavesdropping via electromagnetic (EM) radiation:

  1. a fragment from ‘Kluiters deel 2’ (1995, Sdu Uitgeverij, ISBN 9012081793), the supplement that Kluiters wrote to his first work;
  2. a fragment from Spycatcher (1989, Random House Value Publishing, ISBN 0517014378), the autobiography of former MI5 employee Peter Wright.

The first fragment describes the interception, at (limited) distance, of teletype communication via electromagnetic (EM) “echoes” of (unencrypted) keystrokes. These echoes originate from the teleprinter on which the plaintext was entered and are unintentionally present in the signal that a cipher machine placed on the cable connection. They could occur when the cipher machine was not EM-shielded from the teleprinter on which the plaintext was entered.

After the Dutch academic Wim van Eck published openly in 1985 about a method for remotely reconstructing images of CRT displays from their EM radiation, eavesdropping methods of this kind (which were already known, to a greater or lesser extent, in government circles) have also been referred to as Van Eck phreaking. In the Netherlands, Van Eck phreaking was demonstrated as recently as 2006 against voting computers during the Wij Vertrouwen Stemcomputers Niet (“We Do Not Trust Voting Computers”) campaign.

The whole of procedural and technical measures to mitigate vulnerability to this kind of eavesdropping (in the aforementioned case, RED/BLACK separation) is also referred to as TEMPEST, a codeword of the US government. Dissemination of TEMPEST knowledge for defensive purposes is at odds with the interest of preventing the enemy from obtaining that knowledge and protecting itself (more).
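An added illustration (not from the original post or from either book) of why an unscreened cipher machine undermines its own encryption: the cable carries the cipher signal plus a weak plaintext echo, and the model measures how much plaintext remains readable as screening reduces the coupling. The signal levels, coupling values and noise level are assumptions of this toy model.

```python
import random

def line_signal(plain, key, coupling, noise_sd, rng):
    """Voltage on the output cable, one sample per bit.

    The cipher bit (plain XOR key) is sent at +/-1; an unscreened input
    machine adds a copy of the plaintext bit at +/-coupling (the "echo").
    """
    out = []
    for p, k in zip(plain, key):
        cipher_level = 1.0 if (p ^ k) else -1.0
        echo_level = coupling if p else -coupling
        out.append(cipher_level + echo_level + rng.gauss(0.0, noise_sd))
    return out

def read_echo(samples):
    """Strip the nominal cipher level from each sample; the sign of
    what remains is the echo's guess at the plaintext bit."""
    guesses = []
    for v in samples:
        nominal = 1.0 if v >= 0 else -1.0
        guesses.append(1 if (v - nominal) > 0 else 0)
    return guesses

def echo_recovery_rate(coupling, noise_sd=0.01, n_bits=4000, seed=1):
    """Fraction of plaintext bits readable from the cable without the key.
    0.5 means the residual carries no information (a coin flip)."""
    rng = random.Random(seed)
    plain = [rng.getrandbits(1) for _ in range(n_bits)]  # constructed traffic
    key = [rng.getrandbits(1) for _ in range(n_bits)]    # random key stream
    guesses = read_echo(line_signal(plain, key, coupling, noise_sd, rng))
    return sum(g == p for g, p in zip(guesses, plain)) / n_bits

if __name__ == "__main__":
    # Lower coupling models better RED/BLACK separation and screening.
    for coupling in (0.05, 0.01, 0.0):
        print(f"coupling {coupling:>5}: {echo_recovery_rate(coupling):.3f}")
```

The cipher itself is never attacked in this model; the only defence that changes the result is pushing the echo below the noise floor.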

Anyway, here are the two fragments.

First, the fragment from Kluiters (p. 122):

During a period not further specified, already within the years 1946-1964, the message traffic between the French ambassador and the French Ministry of Foreign Affairs was recorded and read. French diplomatic message traffic was intercepted elsewhere as well. In his autobiography, Wright describes the possibility, where teletype/cipher equipment is insufficiently shielded, of recording at (limited) distance via telephone lines the echoes (weak pulses) of plaintext produced during the electromechanical encipherment of a text. Thanks to that principle, the British security service MI5 was able, for almost three years (between 1960 and 1963), to read the message traffic between Paris and the French ambassador in London without cryptanalysis. Independently of MI5, Carl Nelson of the American security service FBI had discovered the same principle in the first half of the 1950s and then successfully applied it in tapping Soviet Russian message traffic to and from Vienna.

Something similar happened in the Netherlands as well. The Physisch Laboratorium TNO discovered, independently of others, that the Siemens telex type T-100, widely used for communications links, suffered from the same lack of shielding. After TNO, on the basis of that discovery, intercepted a highly classified enciphered message at a ministry and was able to reconstruct the original text from the weak plaintext pulses still present, the Cryptostraling (“crypto radiation”) group was formed at TNO in 1962 at the insistence of the alarmed Dutch government. Until 1975 this group worked on designing measures to make equipment used for encipherment radiation-free. In this work there was extensive cooperation with the German body that handled, jointly for the three German armed services, radiation security among other things.

According to Sheykmov, a KGB COMSEC expert who defected to the United States in 1980, the Soviet Union began in the first half of the 1970s to take measures against electromagnetic radiation (direct, and via telephone and mains power lines) from its communications equipment.

Second, the fragment from the autobiography of former MI5 employee Peter Wright, which Kluiters references (~1200 words):

I had the germ of an idea. Any cipher machine, no matter how sophisticated, has to encipher the clear text of the message into a stream of random letters. In the 1950s, most advanced ciphers were produced by typing the clear text into a teleprinter, which connected into a separate cipher machine, and the enciphered text clattered out on the other side. The security of the whole system depended on thorough screening. If the cipher machine was not electromagnetically screened from the input machine carrying the clear text, echoes of the uncoded message might be carried along the output cables along with the enciphered message. With the right kind of amplifiers it was theoretically possible to separate the “ghosting” text out and read it off.

Of course, we had no way of knowing which countries screened their cipher rooms thoroughly, and which did not, and any operation along the lines I suggested would take up to two years to reach fruition. There was little point expending vast effort trying to break the Russian cipher, when we knew it was almost certain to be well protected. It was a question of picking targets which were important, and against which we stood some chance of success.

The French cipher stood out from all the rest as the most suitable target for further ENGULF experiments. Both MI6 and GCHQ were under pressure from the Foreign Office to provide intelligence about French intentions with regard to the pending British application to the European Economic Community. Moreover, GCHQ had studied the French system in London. They used two ciphers — a low-grade one which sent traffic along a telex line to the Quai d’Orsay, and a high-grade cipher for Ambassadorial communications which was generated independently of the cipher machine for additional security. Hugh Alexander’s view was that the high-grade cipher was unbreakable, but that the low-grade one might be vulnerable to the type of attack I had outlined. Cooper gave his approval, and Operation STOCKADE began.

The first task in this joint MI5/GCHQ operation was to make a detailed technical reconnaissance of the layout of the French Embassy and, in particular, locate the area of the cipher room. I arranged to have the rating drawings sent over from the local council, and contacted the Post Office Research Unit. John Taylor had retired by this time, and had been replaced by H.T. Mitchell. Mitchell was paralyzed down one side as a result of a stroke, but although his speech was poor, his mind remained crystal clear. Mitchell gave me full diagrams of all telex and telephone cables going into and out of the Embassy, and by comparing these with the rating drawings we were able to establish the likely location of the cipher room.

We asked the Post Office to fault the telephones, and went in to make a visual inspection of the cipher room area. Unlike the Egyptians, the French security staff watched our every move, but we got the information we required. There was no telephone in the cipher room. It was tucked away down a corridor. The cipher and telex machines were in adjoining rooms, separated only by a plasterboard partition.

Using the Post Office charts, we traced the output cables back to the street, and into the footway box at the end of Albert Gate entrance to Hyde Park. I arranged with Mitchell to place a reasonably broad band radio frequency tap on the cable inside the footway box, and the captured signal was relayed into a special operations room we had taken in the Hyde Park Hotel. The hotel telephone system was faulted to give us cover while the cables were laid up through the hotel to the fourth-floor room we had commandeered. Special blocking condensers were placed on the circuit to ensure it was one-directional, and nothing could leak back into the Embassy to give away the operation. GCHQ routinely intercept radio and telex traffic coming in and out of every London embassy, from their premises in Palmer Street. We arranged for a line containing the French Embassy traffic to be fed from Palmer Street to our operations room in the Hyde Park Hotel. Using that line as a guide, we could check whether the signal we were getting on our radio frequency tap was the correct one.

The first morning we found the low-grade cipher and matched it with the Palmer Street traffic. The tap was connected to our own teleprinter, and the intercepted French cipher began to clatter out in front of us. It was clear straightaway that more than one signal was traveling down the cable we were tapping. It was just a matter of sitting down with a pencil and marking off the EN CLAIR text from the coded message, and the cipher could be read straight off.

I began to pick out a translation, and found traces of another signal on the teleprinter. I checked on the sonargram to make sure I was not mistaken, and called over the GCHQ technicians. The steady peaks and troughs of the signal blipped across the screen silently. The line from the low-grade cipher was strong, and its ghost was easily identifiable. But at each pinnacle there was a murmur as another signal crossed.

“Good God,” the GCHQ man murmured, “that’s the high-grade cipher as well. We must be picking it up through the partition wall.”

I hastily contacted Palmer Street and got them to relay the high grade cipher down the line so that we could compare the signals. The GCHQ technicians reset the amplifiers so that the traffic was sufficiently strong to print out, and using the Palmer Street feed as a guide, I marked off the EN CLAIR text. Within ten minutes I had a rough translation of a cable from the French Ambassador in London to President De Gaulle’s private office.

For nearly three years, between 1960 and 1963, MI5 and GCHQ read the French high grade cipher coming in and out of the French Embassy in London. Every move made by the French during our abortive attempt to enter the Common Market was monitored. The intelligence was avidly devoured by the Foreign Office, and verbatim copies of De Gaulle’s cables were regularly passed to the Foreign Secretary in his red box.

In fact, STOCKADE was a graphic illustration of the limitations of intelligence. De Gaulle was determined to thwart our application, and no amount of high-grade intelligence could change that fact. We did pass on to the Americans details of French deliberation over their independent nuclear “FORCE DE FRAPPE.” It helped encourage American suspicions about De Gaulle, but the advantage we gained as a result was slight.

Nevertheless, STOCKADE was considered a major triumph inside the Foreign Office. I was sent for by the Permanent Secretary, who congratulated me on the ingenuity of the operation. “Priceless material,” he said, beaming, “simply priceless,” leaving me in no doubt that “reading the Frog’s traffic” was a worthy successor to Agincourt, the burning of Calais, and other ancient blows against the perfidious French.

EOF

Senior Dutch criminal investigator sold confidential information to criminals ‘on a large scale’

UPDATE 2016-01-25: the Minister of Security & Justice submitted an update to the House of Representatives with regard to the ongoing investigation. He states that M. accessed information of, in total, some 100 criminal investigations, and exported parts of that information. Potential indicators for harm to the investigation were found in some 10 investigations; these are still being investigated. The Minister states that as of January 1st 2016, the procedure for obtaining authorization for accessing information is based on the four eyes principle.

UPDATE 2015-12-03: it is reported that M. had 23 active ‘subscriptions’ to information about criminal investigations at the time he was arrested. Through those subscriptions he received updates about the investigations. The subscriptions have to be renewed every three months. The Public Prosecution Service (OM) states that it is possible that M. had more subscriptions before his arrest. The OM also states that the fact that M. had subscriptions does not necessarily mean that the related investigations have been corrupted, or information was leaked to criminals. M. could not access information about infiltrators, informants, or the MH17 investigation. He will first appear before a court on January 12th 2016.

UPDATE 2015-10-31: reportedly, M. was granted access to ‘BlueView’, a restricted police data search engine, in August 2011, pending a security clearance from the AIVD. In October 2011, after the AIVD refused a security clearance, M. was transferred to the traffic department, but superiors failed to revoke M.’s access to BlueView. In 2007, BlueView reportedly contained 55 million documents, referring to data about suspects, transcripts of interrogations and police reports. M.’s authorization included access to information from the Criminal Intelligence Unit (CIE), which works with informants. M. was able to access BlueView up until his arrest in September 2015 (close to four years).

UPDATE 2015-10-30: the minister submitted (in Dutch) a factual account to the parliament.

UPDATE 2015-10-27: the minister of Security and Justice expressed (in Dutch) his intent to submit a factual account of the leak to the parliament later this week.

Criminal investigator Mark M. allegedly sold police information to criminals. Source: NOS.

A 28-year-old criminal investigator of the Dutch National Crime Squad (in Dutch: “Nationale Recherche”) was arrested on September 29th over allegations of corruption, neglect of duty, and money laundering. Some media suggest that this may be the biggest scandal since the IRT affair in the 1990s, which concerned police use of controversial investigatory methods, such as letting drug shipments pass.

Mark M. applied for a job at the Dutch police in 2009, dropping out of professional college in journalism after several years of being self-employed as a freelance (crime) reporter. M. did not pass the security screening done by the General Intelligence & Security Service (AIVD) as part of the job application, but was hired by the Dutch police nonetheless as a trainee in a less sensitive position that is not subject to security screening by the AIVD. The reported reason for M.’s failure to pass the screening is that M. is married to a Ukrainian woman and the AIVD has no intelligence exchange relation with the Ukraine concerning security screenings.

M. is reported to have had access to the files ‘of all large national criminal investigations’, and allegedly sold information, on a large scale, to drug organizations and criminal motorcycle gangs. He is reported to have close ties with foremen of the motorcycle gangs Satudarah and No Surrender.

Dutch newspaper NRC Handelsblad, which first reported about the mole, states that the screening involved investigation of M.’s social environment and personal finances. Allegedly, M. stood out because of his luxurious lifestyle: driving a Porsche Cayenne, frequenting Curacao and the Dominican Republic for holidays, and wearing expensive watches. During a search of his residence the police found 235.000 Euro, as well as confidential police information that M. allegedly intended to sell.

The police are investigating the extent of the damage caused by M. and which investigations have been compromised. It is reported that it is impossible for an investigator to browse criminal files without leaving a trace, and it is suspected that M. also used authorization codes belonging to higher-ranking detectives. The question of why M. was hired despite not having passed the security screening is part of the investigation. M. is stated to have acted alone; no others are said to be involved.