Outlines of priorities and focus for the Dutch General & Military Intelligence and Security Service in 2020 (AIVD & MIVD)

On 19 December 2019, the Dutch government sent the outlines of the 2020 year plan (in Dutch) of the General Intelligence & Security Service (AIVD) — here — and the Military Intelligence & Security Service (MIVD) — here — to the parliament. In Dutch it is referred to as “Jaarplanbrief”, which literally translates to “Year Plan Letter”.

The remainder of this post consists of a translation of the section “Priorities and focus” in both letters, ±1000 words in total.


AIVD Priorities and focus 2020

Jihadist terrorism

The jihadist-terrorist threat picture is generally unchanged and is an important priority for the AIVD. The situation is still characterised by a threat of attacks in the West emanating from both globally active jihadist organisations and local networks and individuals. Islamic State in Iraq and al-Sham (ISIS) and al-Qaeda (AQ) have been the main exogenous jihadist threats for some time. Both organisations are still focused on carrying out attacks in the West. In addition, ISIS and AQ encourage their jihadist supporters in the West to carry out attacks independently.

The threat picture is also determined by returnees. In general, returnees have a higher threat profile than jihadists who have never travelled to a combat zone). Among the men in particular there is evidence of combat and explosion training, combat experience, tenacity and transnational jihadist contacts. When they return they can use these experiences and contacts to strengthen and/or mobilise local networks into violent action. The AIVD continues to deploy a substantial part of the available resources and capabilities to investigate terrorist threats by maintaining its intelligence positions at the desired level. In this context, the (inter)national cooperation with partner organisations, including the Counter Terrorism Group (CTG), is also being shaped.

Radicalisation

Radicalisation of various population groups In the Netherlands, the AIVD is concerned about and prompted to intensify its investigations into this issue. In its investigations into radicalisation from an Islamic perspective, the AIVD focuses on non-violent radical Islam in the Netherlands in general. Extra focus is placed on the drivers of non-violent radical Islam. The AIVD also investigates Salafist institutions in the Netherlands. The focus here is on the funding itself and its influence and interference.

Extremism

The research efforts in the field of extremism will be continued. The focus of research remains on the, sometimes violent, hard core of left-wing and right-wing extremists.

Anti-Islam feelings, fear of loss of national identity and ethnonationalism are the most important motives within the current right-wing extremist movement. An increasingly violent discourse is visible among right-wing extremists on social media in particular. In addition, right-wing terrorist attacks abroad can lead to copying behaviour. This broadens the AIVD’s field of attention from a right-wing extremist to (potentially) a right-wing terrorist threat. Clarification of the potential threat is essential if we are to offer our chain partners and authorities the prospect of action at national and local level.

Left-wing extremism in the Netherlands is characterised by individual or group activities in areas such as anti-fascism, asylum and immigration policy and anarchism. Dutch left-wing extremists/activists are often active on several themes.

Proliferation

Weapons of mass destruction pose a major threat to international peace and security. The Netherlands has signed treaties aimed at countering the proliferation of such weapons. The AIVD and the MIVD jointly investigate countries suspected of developing or already possessing weapons of mass destruction and their means of delivery in violation of these treaties.

Investigations on countries

The AIVD conducts investigations in other countries in order to provide the Dutch government with background information and prospects for action. This information can be used in consultations on subjects affecting Dutch national and international political interests. Geo-political and other developments around the world determine which countries are investigated by the AIVD.

Espionage and undesirable foreign interference

States often use digital means to gain access to vital parts of Dutch society, such as the energy or telecom sector, in order to be able to commit sabotage in this way. Russia, China and Iran, among others, show excessive interest in information from the Netherlands and companies operating in the Netherlands. All these activities can damage Dutch national security, sovereignty and economic interests. In 2020 the AIVD will expand its investigative capabilities against the use of digital resources by other countries.

In addition to the deployment of digital means of spying, in 2020 foreign powers will also continue to carry out traditional intelligence activities in the Netherlands or against Dutch interests. The main objective of espionage activities is the gathering of (secret) information in the fields of politics, defence, science and economics. In addition, they develop activities to surreptitiously influence political and economic decision-making or public opinion.

Information security

High-quality digital attacks, by Russia, China and Iran among others, aimed at espionage, influence, sabotage or terrorism pose a major and increasing threat to the integrity and confidentiality of the Dutch government. The AIVD provides (external) stakeholders with information security advice. This is done by the National Communications Security Agency (NBV), which also develops and evaluates security products for securing state secret and sensitive information.

Unprecedented threat

The AIVD’s investigations are aimed not only at providing an insight into all aspects of existing, already known threats, but also at the timely identification and identification of as yet unknown threats, both within and outside the GAI&V.

MIVD Priorities and focus 2020

Investigations on countries and mission areas

In 2020, the MIVD will conduct research into Afghanistan, Syria and Iraq, among other things. It also supports the deployment of Dutch military personnel in the context of enhanced forward presence (eFP). Together with the AIVD, the MIVD also investigates developments in the Kingdom’s overseas territories.

Counterproliferation

The MIVD and the AIVD jointly investigate countries suspected of developing or already possessing weapons of mass destruction and their means of delivery in violation of treaties. This investigation will be continued in 2020.

Military technological developments and proliferation

The MIVD also conducts research into military technological developments and the proliferation of high-grade military technology and weapon systems to crisis areas, so that the Dutch armed forces can be properly equipped against existing and future threats. This research will also be continued in 2020.

Espionage and influence

Espionage, influence and sabotage are a constant threat to the Netherlands and its allies. States with great geopolitical ambitions are looking for information to modernise their armed forces, strengthen their economies or influence political decision-making. This can be classic espionage, digital espionage or a combination of both. Hacking offers opportunities for sabotage and influencing political and administrative decision-making or public opinion. By means of takeovers or investments, states also try to obtain information or create strategic dependencies. The MIVD investigates these themes from a military perspective. In 2020, the MIVD will increase its commitment to these themes.

Radicalisation and extremism

Research into possible forms of radicalisation among defence personnel will be continued in 2020. The aim of this research is to identify undesirable behaviour in good time. The MIVD advises on the measures to be taken to identify and deal with these threats. Promoting awareness and understanding requires permanent attention.

20 December: Russian state security officers’ annual professional holiday (since 1995)

In April 1995, KGB-successor FSB was born under president Boris Yeltsin. In a presidential decree that Yeltsin issued that same year, 20 December aka Chekist Day was appointed as annual professional holiday for Russian state security officers.

The choice for that date can be traced back to 20 December 1917: the day Cheka agency was born, “the first of a succession of Soviet secret-police organizations”. The UK government has a short piece on it: What’s the Context? 20 December 1917: formation of the Cheka, the first Soviet security and intelligence agency. Also, on 20 December 1920, the Cheka’s Foreign Department was born — a predecessor of the KGB’s First Chief Directorate.

From a layman’s perspective I’m curious what meaning that day holds to present-day officers, considering that the date also bears an association with historical political persecutions by Cheka. I have no answer that question; but did find a relevant interview with FSB director Nikolai Patrushev that was published in daily tabloid Komsomolskaya Pravda on 20 December 2000 (a few months after Vladimir Putin was elected).

The remainder of this post consists of an automated translation (using DeepL) of that interview; some 2800 words. The translation is legible, but beware non-obvious inaccuracies. That being said, I found it worth taking note of.


FEDERAL SECURITY SERVICE

IF WE “BREAK DOWN” AND LEAVE THE CAUCASUS, THE COUNTRY WILL COLLAPSE.
Nikolai Patrushev

“Komsomolskaya Pravda”, December 20, 2000.

WHAT’S THE HOLIDAY IN THE LUBYANKA TODAY?

  • Mykola Platonovych, you always emphasize that the FSB is a new domestic intelligence service. And at the same time, the Day of Chekist is celebrated on December 20 – on this day in 1917 the Chekist Committee was created. Is there no contradiction here, which gives the ill-wishers an excuse to claim that “the spirit of nostalgia for the former omnipotence of the Soviet intelligence services is hovering on Lubyanka”?
  • We’re not sneaking around, calling the FSB a new security service. It was created in April 1995 on the basis of the Federal Counterintelligence Service. That year, laws were adopted that opened a new stage in the development of domestic security agencies – “On Bodies of the Federal Security Service” and “On the Operational and Search Activities”. For the first time in the history of the country, including the Tsarist period, the legislator regulated the activities (including tacit) of intelligence services, outlined the tasks and functions of the FSB, defined its rights and powers, prescribed mechanisms of state and public control over its activities. This is a qualitative difference from those times when the activities of state security agencies were dominated by the principle of partyhood, i.e. the supremacy of interests of the ruling party (or, more precisely, its top). Loyalty to the law, not to anybody, work only in the legal field – a guarantee of not repeating the tragic pages of the past. This is a sensible position of today’s generation of Lubyanka employees.

We have not given up our past, honestly said: “The history of Lubyanka of the passing century is our history, no matter how bitter and tragic it may be”. Everything in it that works for the benefit of Russian statehood, serves the interests of development and prosperity of Russia, its national security, should be preserved and multiplied.

It was December 20 that was unofficially celebrated for many decades as “the day of the Chekist” in the teams of state security officers. The decree on this, signed exactly five years ago, demonstrated demand for and social significance of the work of security service employees. And the departmental sign of the FSB combines the two-headed eagle of Tsarist Russia and “shield and sword” – a traditional symbol of the Soviet era security services.

  • What toast, by tradition, will be the first in the circle of counterintelligence on the day of professional holiday?
  • You must be impressed by movies like “National Security Agent” and think that the whole FSB will be “buzzing” in the morning. No, of course not. The units will hold personnel meetings, hand out certificates and departmental insignia, congratulate the veterans, visit the families of the victims. And when we gather at the festive tables in the evening, we will definitely wish good luck to our colleagues who are currently on a mission: in Chechnya, at checkpoints, in operations – to get out of the fight alive. And a third toast to those who haven’t returned – that stack will be very bitter… After all, the FSB is a fighting organization. We honor the memory of our fallen comrades, constantly taking care of their families, helping widows to solve domestic problems, raising children. This is one side of our corporate brotherhood, our best traditions.

WHAT DOES THE FSB DO IN CHECHNYA?

  • What tasks were a priority for your department in the past year?
  • First of all, it’s the fight against terrorism. We should not have allowed a repetition of the terrible tragedies of “black September” last year, when 305 people died. I would like to note at once that in 2000 law enforcement agencies prevented another 13 explosions of powerful explosive devices, including six in Moscow, five in Pyatigorsk, one each in Buynaksk and Vladikavkaz.

Investigations into the September bombings of residential buildings clearly showed that the traces of the crime were in Chechnya, which during the years of the Dudayev and Maskhadov regimes became a springboard for the forces of international terrorism. It would have been impossible to protect the population of Chechnya from terror without defeating the militant groups, depriving them of their training bases and resources, and freeing the republic from the criminal and terrorist clique that had seized it.

Modern terrorism is a complex social and political phenomenon, and Chechnya is only one of the nodal points on its map. The ability of our people to defend themselves is being tested there. If we break down, leave the Caucasus, the process of irreversible collapse of the country will begin. The state will expressed in 1999 – for the first time in recent years – is the guarantee that this will not happen.

  • “Komsomolka” has repeatedly written about the threat of pseudo-Islamic Muslim extremism. Does the FSB share this concern?
  • To the fullest extent, and you are right to raise this issue. The threat is really great, but you can only fight it in the legal field. For example, Wahhabism is prohibited by law in the Republic of Dagestan.
  • According to your estimates, in what condition are the leaders of Chechen fighters currently in? Have the military, border guards, the Interior Ministry and the Federal Security Service managed to seriously impede the inflow of mercenaries into gangs, limit the flow of money and arms of the terrorist?
  • One of the tasks is to uncover and cut off the channels of resource supply for the militants. But we are also responsible for investigation and prevention of terrorist attacks, search for the leaders of the separatists, participants in the attacks on Budennovsk, Kizlyar and Pervomaiskoye and armed invasion of the Republic of Dagestan. Recently our officers detained former chief of the so-called “special service of the Chechen Republic of Ichkeria” Atgeriev. Work on the leaders of the militants continues…

I will highlight the problem of mercenarism in particular. Recently FSB officers detained in Chechnya a native of Iraq, Abd al-Aziz Mohammed Abd al-Wahhab. This adherent of “Wahhabism ideas” not only took part in illegal armed formation, conducted ideological processing of its members, but also kidnapped, tortured and raped 4 women, turning them into slaves.

In the passing year illegal activities of foreign security services in the North Caucasus that were carried out under the cover of international organization Khalo-Trust were revealed. Its activists assisted Chechen militants in training local subversives.

The separatists continue their attempts to stir up tension in the neighbouring Russian regions of Chechnya – Ingushetia, Dagestan, Karachay-Cherkessia, Kabardino-Balkaria. There is information about attempts by extremist leaders to establish militant bases here and to involve certain ethnic groups and supporters of various Islamic currents in armed conflict with federal forces. Therefore, there will be a long and difficult struggle to preserve the territorial integrity of the country, interfaith harmony and peace and tranquillity of our multi-ethnic people. I am talking about this directly, without hiding anything in front of the million audience of Komsomolka.

SHOULD ONE FEAR THE CHEKISTS IN POWER?

  • Coming to the higher echelons of power of people who started their way in special services, generates different conversations – up to categorical statements about “threat to democracy”…
  • This thesis, willingly picked up in some media, is, in my opinion, an attempt to “demonize” the former employees of SVR and FSB who came into power. The aim is understandable – to create an image of some “dark force” defending not the national, but its own narrowly corporate interests, and thus to weaken the resource of people’s trust in the new leadership of the country. The appearance of people in the Old Square, in the Kremlin and in the regions who have completed the school of leadership in the national security structures is a vital necessity to pour “fresh blood” into the Russian management corps, an aspiration to use the potential of responsible and organized people who have preserved, despite everything, the “spirit of public service. I know many of them well. They are modern thinkers, educated people. They are not unwilling idealists, but tough pragmatists who understand the logic of international and domestic political developments, emerging contradictions and threats. At the same time, they understand well the impossibility of returning to the old, the need to develop the country based on a reasonable combination of liberal and traditional values.

HOW DOES COUNTERINTELLIGENCE “CATCH MICE”?

  • What other priority lines of work did the FSB have in the past year?
  • These are the fight against the intelligence and subversive activities of foreign intelligence services, work to identify and prevent threats to economic security, fight corruption, illegal export of goods, smuggling of drugs and weapons, cultural values.
  • Can we elaborate on the fight against espionage?
  • Special services of foreign states have made significant efforts to expand operational positions in Russia. One of the main goals was to identify the true plans of the new government of Russia on both domestic and foreign policy issues. The activities of foreign intelligence services in the Russian direction are now more coordinated than ever. Intelligence of the leading NATO countries today is “welcome guests” in most European countries that were formerly part of the Warsaw Pact, as well as in the Baltic States. However, the main danger is that Western intelligence, through its residences, conducts its own intelligence from the territories of these states, including operations of communication with Russian citizens’ agents. Thus, this year counterintelligence arrested a British and Estonian intelligence agent. In the recent past, he was a senior officer of one of the Russian security services and used his connections among the security services, political and business circles to gather information.

The FSB bodies were aimed at protecting our scientific and technical potential, unique breakthrough technologies and developments, without which the country’s revival is impossible. Here too, the case of Edmond Pope, a former career U.S. Naval Intelligence Officer, is landmark. In the muddy waters, foreign intelligence businessmen were very comfortable. For a penny, it was possible to acquire know-how that had been created by thousands of people. In the Pope case, Russia showed that time was running out. The country’s leadership let the international community know that it was defending its national interests strictly and fundamentally. And the president’s decision to pardon Pope, the very time of its adoption, is a demonstration of good will.

In October 1999, Sutyagin, an employee of the US and Canadian Institute of the Russian Academy of Sciences, was detained. The investigation revealed the facts of spying activities of his connection – an American citizen Joshua Handler, a specialist in nuclear safety, who is now in the United States. It has been preliminary established that Handler received from Sutyagin secret information about the Russian Armed Forces and passed it on to U.S. intelligence agencies. Unfortunately, some journalists, unaware of this, show Sutyagin in their publications as “an honest and courageous citizen who advocates democratic freedoms.

SO WHAT IS THE POWER, IF NOT MONEY?

  • What does the FSB keep smart people who, as far as we know, work for a modest salary?
  • I do not want to say high words, but our best employees, the honor and pride of the FSB, do not work for money. When I have to hand out government awards to our guys, I look at their faces. High intellectuals-analysts, broad-shouldered weathered Special Forces fighters, silent bomb technicians, strict investigators, discreet opera scouts… Outwardly, they are different, but there is one important quality that unites them – these are serving people, if you like, modern “neophytes”. On the obelisk to an FSB officer, Hero of Russia, who died in the Caucasus, there are lines, it seems to me, accurately conveying the moral “core” of our people: “Service to the Fatherland, friendship to comrades, heart to loved ones, honor to no one. Service gives a sense of involvement in a great state affair, the excitement of struggle, when you defeat an opponent better equipped and “paid”, an enemy brazen and confident, who thinks that there are no real professionals left on Lubyanka. This will not replace even the highest salary of a private guard. He works for his master, and we – for the state. Remember the words of the protagonist in the movie “Brother-2”: “Not in money strength, American, but in truth”? That’s the truth the FSB is fighting for…

Although I do not condemn those who have to leave the service due to the difficult financial situation of their families. It’s only bitter that I can’t do anything… People in epaulets hope that the state, the new leadership of the country, which knows their problems firsthand, will approach with attention the long overdue issue of improving the living standards of soldiers.

  • Tell us about those of your subordinates who did heroic deeds in the passing year.
  • This year six employees of the FSB were awarded the title of Hero of the Russian Federation. Captain Igor Yatskov was posthumously awarded the title of Hero of the Russian Federation. As part of the advanced units of the 136th Motorized Rifle Brigade near the village of Kiri of the Cheberloyevsky district of the Chechen Republic on January 11, 2000, he took part in a battle with superior forces of the militants. Having received several serious wounds, the officer, bleeding out, remained in the ranks. Captain Alexei Gorbunov, Major Andrei Chirikhin, FSB special forces officers Valery Alexandrov, Mikhail Seregin, Nikolai Shchekochikhin, Major Alexander Alimov and others were awarded the Order of Courage (posthumously).
  • You are a man, for obvious reasons, “closed”. And yet, how do you rest? What do you manage to read?
  • I’m the one who really likes the phrase: “My hobby is work” (laughs). Our work needs to be given in its entirety, it requires you everything. How am I resting? I like to play volleyball. I was serious when I was a student. It’s a collective sport. And it’s like our job: defense and assault… It’s a good way to switch hunting. I’ve been into it for a long time, just like fishing.

I start my day by watching fresh newspapers, and of course, “Komsomolka” is one of the first…

  • What would you like to wish your employees today through “Komsomolka”?
  • I wish them and their families, our veterans, everyone who helps us in the difficult task of protecting the homeland, I wish them health and fortitude.

PERSONAL BUSINESS:
Patrushev Nikolay Platonovich was born in 1951 in Leningrad in the family of a sailor. After graduating from the Leningrad Shipbuilding Institute, he worked there for some time. After joining the state security bodies, he received professional training in Minsk KGB school. Then he worked for a long time on various positions in the KGB in Leningrad region. In 1992 he was appointed Minister of Security of Karelia. In 1994, he was transferred to Moscow. Since August 1999, he has been Director of the FSB of Russia. Colonel-General.

Patrushev’s wife – doctor, specialist in ultrasound. The family has two sons.

At leisure, Nikolai Platonovich manages to read books, but, as he himself admitted, prefers “short forms” – it’s painfully short time. For example, he reads Chekhov and Zoshchenko’s stories in the mood.

EVERYTHING:
Experts have not yet “come to terms” with a specific date on which to count down the history of national security. But its milestones have been established precisely: the Order of Tsar Alexei Mikhailovich’s Secret Affairs, the Preobrazhensky Order, the Secret Search Cases of Peter the Great’s Office, the Secret Expedition to the Senate, the Special Chancellery of the Ministry of Police of Alexander I, the III Division of Emperors Nicholas I and Alexander II’s own Office, the State Police Department, the Special Division of the Police Department of the Ministry of Internal Affairs and a number of other structures. As for counterintelligence itself, its “birthday” in the course of scientific discussions was determined on January 21 (old style) 1903. On this day, Nicholas II decided to create in the structure of the General Staff of the Russian Army, the first in the history of the country, a permanent special unit to fight against espionage – the “Exploration Department”. Its first chief was gendarmerie company minister Vladimir Nikolaevich Lavrov. The Day of the Security Bodies Employee is also a professional holiday of the employees of SVR, FAPSI, FSO, GUSP, FPS – structures that were born in the early 90s on the basis of a number of departments of the USSR KGB. It is a holiday of all those who protect the interests of the Fatherland.

EOF

Physical Counter Surveillance – Dry Cleaning and Evading Capture

In a meeting with a former counter-intelligence practitioner I first learned of ‘dry cleaning’ as tradecraft jargon in the realm of countersurveillance. Willam E. Dyson’s book Terrorism – An Investigator’s Handbook, 4th Edition (2015; first edition published in 2011) defines it as follows:

dry cleaning A process by which a subject takes actions that enable him to “lose” anyone who is attempting to follow him. A person may “dry clean” himself by entering a crowded movie theater and leaving soon after through a rear door. Undercover officers and informants should also undertake “dry cleaning” maneuvers before meeting each other.

The Terms & Definitions of Interest for DoD Counterintelligence Professionals (.pdf, 2011) from the U.S. Office of Counterintelligence (DXC), part of the Defense Intelligence Agency (DIA), contains a definition taken from an old manual of the Air Force Office of Special Investigations (AFOSI):

Dry Cleaning. [Tradecraft jargon] Any technique used to elude surveillance. A usual precaution used by intelligence personnel when actively engaged in an operation. (AFOSI Manual 71-142, 9 Jun 2000)

Following the meeting I did a bit of self-study and came across a reposted text apparently once shared at the now-defunct forum at XtremeRoot.net. I’m reposting it here because 1) it is IMO a useful read that covers (a subset of) aspects that also came up in said meeting, and 2) LOCKSS. I could not readily identify whom to contact to ask for permission to re-post it here. If you’re the author, feel free to contact me (see sidebar).

Further reading on this topic (friendly reminder: always apply critical thinking):

Traditional humint tradecraft presumably remains a key aspect of modern intelligence, notwithstanding the tech-heavy era we now live in. And be reminded that technology can fail — for instance by accident, by sabotage or (indirectly) by adversarial interception/surveillance.

NOTE: everything below this line is NOT authored by me, except for one [NOTE: (…)] block that I added.


I recently underwent some counter surveillance training, and it was one of the most exciting things I’ve ever done. As such, I thought I’d write up a short tutorial based on what I was taught and what I went through. This is all related to personal counter surveillance – i.e. preventing people following you.

There are 3 major parts to counter surveillance:
1) Planning
2) Identification – Spotting people who may be following you and verifying their intent.
3) Evasion – Making it difficult to follow you by performing certain maneuvers and following certain rules.

These principles, when put together, form something called a cleaning run. Its objective is to get you to a destination whilst identifying and losing any tail you might have.

Planning
The basic rules of a cleaning run are as follows:

  • Give yourself roughly double to triple the amount of time usually needed to get to the destination. A cleaning run can last up to 3 hours!
  • Plan your journey before heading out.
  • Move across a large geographic area.
  • Act naturally.
  • Try to spend at least 50% of your journey in areas that are not covered by CCTV.
  • Vary your transport method. Travel by bus, tram, train and taxi as well as on foot.
  • Be aware of your surroundings and the people nearby.
  • Be prepared! You need a pen, paper, envelope, stamps and enough cash for transport and visits to cafes / coffee shops. If you smoke, take some cigarettes and a lighter too.

The first step is to plan your journey. Start in an arbitrary direction, heading nowhere near your destination. You need to visit a variety of locations including quiet suburbs and busy city centres. Try to make the path you take relatively realistic (e.g. don’t walk round a block twice) and make it look like you have a reason to go to certain places along the way. You need at least two locations that will be almost entirely deserted – large open areas like parks are excellent for spotting someone following you. Make sure that your route crosses a few bridges and goes down some small side streets. You need to be able to stop off frequently at shops and other attractions. Look up timetables for buses, trams and trains, and use these services in your journey. You’ll also want to find places with post boxes and phone boxes, as they can provide some useful distractions.

Identification
Before you can shake a tail, you need to identify it. The best way to do this is to spot people you have seen before. A professional team can consist of 10 or more people, of which 2 or 3 at a time will follow you. They do a hand over periodically and try to avoid re-using the same members so that you don’t notice the tail. The “tried and tested” positioning system is to have one person follow directly behind you and another follow on the other side of the road further behind. If a third person is used, they are usually kept further back. If they think you’ve identified an agent, they’ll pull them out and replace them if possible.

The following things about a person can help you identify them as a tail:

  • If there are multiple agents, expect 90% of them to be 30 years old or less.
  • A professional team member usually has a precise watch. You can spot these quite easily if you’re close by.
  • They will change their course when you stop or change your course.
  • They will avoid looking directly at you, or stare.
  • Untrained people in a team might talk into their sleeve or talk to themselves.
  • If there are only one or two agents and they are associated with the police (CID, SOCA, etc), they will usually be wearing a suit (this is true for the UK, at least).
  • When waiting, they will usually loiter aimlessly or appear fascinated by a mundane sign or poster.

When walking down quiet roads it is easy to notice someone following you. However, it is difficult to turn round and get a good look at them without them noticing. One great method to this is to enter a shop and purchase something. As you enter, glance behind you to see if anyone is there. If there is, hold the door for them. When you leave, go back the way you came for a while, then turn off and go another direction. You can usually identify at least one surveillance member this way.

In places with some traffic, cross over at an intersection. If you’re on the left of the street turn right and vice versa. This gives you chance to stop and look around as if you were checking for traffic. If you cross at a pedestrian crossing, pretend to press the button but don’t. This gives you time to stop and look around longer, making anyone following you quite obvious.

Small bridges and alleys can make great choke points. Be aware that isolated areas might be problematic because they might confront you, so try to pick areas with at least a few people around. If you smoke, stop to light up as you walk down a choke point. Stand sideways so that you can see both directions. This means that anyone following you will have to walk straight past, so you can easily identify them. You could also stop to write an SMS message – it’s feasible that you can’t walk and text at the same time. If you do this, start writing it and stop after the 4th or 5th letter. Most people will at least try to write and walk before failing!

In larger shops, stand and browse the magazines. You can use the short periods between picking up each magazine to glance in a direction to look for anyone you remember from before, or anyone looking at you. Untrained people will often behave unusually and can easily give themselves away in certain situations. They may stare intently at you, or completely avoid making eye contact. In the case of the ones who are quite obviously attempting to watch you without directly looking, orchestrate your path so that you walk past them, then stop and ask the time. This usually shocks and disorientates them, and they’ll usually get flustered and stutter their reply.

Use your pen and paper to jot down short descriptions of people that might be following you and anyone that you see twice. You can buy a newspaper and use the crossword to jot things down too. If you see someone twice in two far apart areas, you’re probably being followed. The same applies if you see the same person three times as you’re performing your run.

A clever trick is to scan for Bluetooth devices nearby when sat around. If you see the same name twice, you have a tail. [NOTE: one probably should not carry any electronic device to a secret meeting to begin with, except burners — which still requires tradecraft. Radio emissions — and not only Bluetooth or Wi-Fi — should be assumed to be unique fingerprints.]

Evasion
Once you’ve spotted the people you want to escape, you need to start doing things to divert their attention from you to thin out the crowd. The text-book stuff like dodging down an alley or switching back on yourself is way too obvious and a professional will be able to handle it easily.

Organise your journey so that you arrive at a train station, get your tickets, then have to wait 10 minutes in the coffee shop before boarding a train. If possible, use the automated ticket machine and jump in just before someone else gets in the queue behind you. This helps stop agents from shoulder-surfing to find out where you’re going, or listening in on your conversation with the ticket office person. Wait until the last minute before moving to the platform, or sit on the wrong platform until your train is announced and then move to the correct one. Sit as close to a door as possible so you can see the entire carriage.

When travelling by bus, pay for a ticket to the furthest destination it goes to, then get off before that stop. This helps divert resources and prevent any surveillance teams from setting up in a target location. If you can sit at the back do so, as you can see where everybody is. On double-decker buses you might want to sit up top to make it more obvious if you’re being followed.

Towards the final quarter of your run, make it look like you’re doing something sinister. Go to a phonebox and call the number of a small computer shop. Ask something like “how much is your cheapest SATA hard drive?” and write down the price and a random postal code that’s near the computer shop. Write a single letter on the bottom of the paper to make it more confusing, then place it on top of the phone unit and leave the box. This will look like you’re trying to perform a dead-drop, so an agent would investigate. This reduces the number of people following you. You can then go into another phone box, fumble around underneath it to make it look like you’re grabbing something that’s taped to the bottom, get out an envelope and pretend to put this non-existent thing inside it, attach a stamp, write an address on there (somewhere around five miles away) and go post it in a postbox. An agent will need to get someone to open the phone box, so this will delay them further.

Strike up a conversation with someone in the street to make it look like that’s who you went to go see. This is best done in a quiet area, so you can watch the people nearby.

You can perform a covert U-turn by walking past a shop and showing some interest in it (stare at it as you walk) and then stopping 20 feet down the road as you very obviously check your watch. Stare at your watch for a second, then turn back and go to that shop. This makes it look like you couldn’t decide if you had time to go to the shop. Some poorly trained agents might just stop still and stare at you gormlessly if you do this.

In extreme circumstances, you can go for certain overt techniques that give away the fact that you know you’re being followed:

  • Do a U-turn whilst walking and check out everyone who looks at you.
  • Do the whole “tying my shoelace” thing. It can mean agents have to be dropped because they have to pass you, but it’s very obvious and you can’t actually identify them easily.
  • Ask someone you think is tailing you for a lighter. Strike up conversation about the weather or contemplate them on their hair, shirt or watch if they have to spend more than 5 seconds fumbling around for it.
  • Dodge down an alleyway quickly or move in a circuitous through a store with multiple exits. These allow you to shake a tail, but make it obvious that you are immediately wary of someone following you.
  • Sit in a coffee shop and wait until you see someone that you know is following you. As you get up to leave, they will look over. Stare directly at them and wave before leaving.
  • Use a payphone to call for three taxis. Book one from your current location (or nearby) to position A, and book the other two from near position A to position B. Take only one of the second taxis, then have them drop you off slightly outside location B. If they’re resourceful enough to be able to pull phone records, they’ll spend resources trying to find out who you called and where you asked to go to. Once they discover you have called 3 taxis, they’ll know something is odd.

[…]

[Dutch] Kwetsbare Pulse Connect Secure SSL-VPNs in Nederlandse IP-adresruimte: bevindingen en gedachten

Klik hier om voorbij de updates te skippen en direct naar de oorspronkelijke publicatie te gaan.

  • UPDATE 2021-04-20: een onbekende kritieke bug (0-day) in Pulse Connect Secure >=9.0R3 wordt actief uitgebuit door, allegedly, “Chinese-backed state hackers”: CVE-2021-22893 = preauth RCE, CVSSv3.1 Base Score = 10 (hoogst mogelijke score). Leverancier Pulse Secure, sinds vorig jaar eigendom van Ivanti, hoopt in mei een spoedpatch uit brengen. Tot die tijd kan een workaround worden toegepast. Zie US-CERT Alert (AA21-110A), NCSC-2021-0345 en deze post van FireEye: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day.
  • UPDATE 2020-08-17: Overheid wist wie kwetsbaar was, maar liet bedrijven toch gehackt worden (FD) en ‘Overheid waarschuwt bedrijven niet altijd bij hack’ (NOS).

    Heel zuur. De kern van het verhaal: reeds in augustus 2019 waren bij NCSC lijsten van kwetsbare Pulse-systemen bekend, maar (mede) doordat het NCSC ingevolge hun (beperkte) mandaat niet alle informatie heeft doorgezet zijn sommige Nederlandse systemen in mei/juni 2020 alsnog gecompromitteerd. Informatie over systemen die niet onder rijk/vitaal vallen is door het NCSC niet doorgezet aan de betrokken organisaties.

    Organisaties, vitaal of niet-vitaal, zijn en blijven verantwoordelijk voor hun eigen informatiebeveiliging. Maar dat betekent niet dat áls je informatie hebt over actuele kwetsbaarheden, het acceptabel is dat die informatie niet terechtkomt bij die organisaties. Mij was destijds niet bekend dat het NCSC uit zulke lijsten alleen vitaal & rijk doorzette en niets deed (c.q. mocht doen) met de informatie over andere systemen, waaronder systemen van zorginstellingen en enkele van de nu alsnog gecompromitteerde bedrijven. Dat is me pas duidelijk geworden in de nasleep.

    Herhaling voorkomen eist herziening v/d status quo, waaronder mogelijk het aanpassen v/h mandaat van NCSC zodat zij die informatie wél mogen doorzetten.

    Mijn persoonlijke mening is dat organisaties — ongeacht welke — bij kwetsbaarheden v/d ernst van Pulse/Forti/Palo/Citrix/etc. niet alleen moeten worden gemaild (zoals DIVD normaal gesproken doet, o.a. via het Security Meldpunt) maar dat er ook ‘actief’ 1-op-1 contact moet zijn, bijvoorbeeld telefonisch. Een e-mail belandt nog wel ‘s in een spambox of wordt om andere reden gemist of niet doorgezet. Dat is ook de reden dat de meeste pentestbedrijven bij het aantreffen van hoge en kritieke risico’s hun klant direct bellen en niet alleen per e-mail informeren (en in onversleutelde e-mail ook nooit concrete kwetsbaarheden benoemen).

  • UPDATE 2020-08-04: Hacker leaks passwords for 900+ enterprise VPN servers (ZDNet). Kwaadwillenden lijken in juni/juli aanvallen te hebben uitgevoerd op ~900 Pulse-systemen wereldwijd. Van een grote reeks organisaties zijn o.a. inloggegevens gelekt via webfora. Dit is in omvang/scope het grootste openbaar bekende incident met ongepatchte Pulse-systemen tot nu toe.
  • UPDATE 2020-06-03: Field Note on CVE-2019-11510: Pulse Connect Secure SSL-VPN in the Netherlands, gepubliceerd in ACM DTRAP Vol. 1 Issue 2, mei 2020. Bedoeld als discussiestuk hopende de passiviteit c.q. angst c.q. risicomijdendheid te doorbreken: we moeten m.i. (doorgaan met) proactief scannen bij nieuwe kritieke kwetsbaarheden. Daar zitten juridische, ethische, organisatorische en technische aspecten aan. De Field Note bevat daarover een aantal vragen om de gedachten te prikkelen. Citeren kan als:
    Matthijs Koot. 2020. Field Note on CVE-2019-11510: Pulse Connect Secure SSL-VPN in the Netherlands. Digital Threats: Research and Practice 1, 2, Article 13 (May 2020), 7 pages. DOI:https://doi.org/10.1145/338276
  • UPDATE 2020-02-11: Kamerbrief over resultaten analyse VPN software (mirror .pdf). Het daarin genoemde DTC (van MinEZ) is (nog?) niet operationeel t.a.v. informatiedeling over specifieke kwetsbare systemen/IP-adressen. Het DTC zet algemene adviezen/waarschuwingen van het NCSC door en die worden alleen ter ore genomen door ontvangers die zelf doorhebben gebruiker te zijn van een bepaald IT-product c.q. een bepaalde IT-configuratie. De ervaring leert dat zelfbewustzijn (‘situational awareness’) daarover dikwijls verre van perfect is. En dus gaan we gewoon door met ongevraagd (pro)actief scannen en melden — de belangen zijn te groot om het over te laten aan bureaucratie. Dat zulke scanning zélf strikt genomen computervredebreuk kan inhouden, zoals het geval bij (betrouwbaar) testen op Pulse CVE-2019-11510 en Citrix CVE-2019-19781, is zeer ongemakkelijk: voor mij persoonlijk kan “einde VOG” betekenen “einde carrière”. Noodzaak, proportionaliteit en subsidiariteit van scanactiviteiten zijn dus cruciaal. Maar met kritieke kwetsbaarheden die zo breed in de samenleving blijken te bestaan moeten we wel. Niets doen is geen optie.

    Tot het DTC op het punt van informatiedeling over specifieke kwetsbare systemen/IP-adressen operationeel is blijft het Nederlandse Security Meldpunt (dat tijdens het ad hoc “live gaan” op 13/14 januari informeel is ondergebracht bij DIVD) een nuttige aanvulling op het NCSC voor het (doen) dissemineren van informatie over specifieke kwetsbare systemen aan personen die daar iets mee kunnen/moeten, zoals IT-beveiligers en -beheerders bij de betrokken organisaties en/of hun IT-dienstverleners.

    De kamerbrief benoemt overigens (begrijpelijk) niet alles dat in de praktijk heeft gespeeld c.q. nog speelt. Een voorbeeld daarvan is dat in retrospect bleek dat het NCSC ten tijde van het Pulse-verhaal in augustus 2019 geen kennis had van alle IP-adressen van alle ABDO-bedrijven c.q. -toeleveranciers en dat dáárom systemen van een tiental ABDO-bedrijven c.q. -toeleveranciers door het NCSC in de door derden bij het NCSC aangeleverde lijsten niet als zodanig zijn herkend en geïnformeerd. Informatie over het kwetsbaar zijn van die specifieke systemen is dus bij het NCSC blijven liggen en bij Defensie pas op de radar gekomen nadat ik m’n lijst (ook) beschikbaar maakte aan het Bureau Industrieveiligheid van de MIVD. Zij beschikken in tegenstelling tot het NCSC t.a.v. ABDO-bedrijven over doorzettingsmacht. Dat de betreffende systemen na het contact met Bureau Industrieveiligheid heel snel alsnog gepatcht of (tijdelijk) offline zijn gehaald zal allicht ook aan die doorzettingsmacht te danken zijn.

    De brief vermeldt verder: “De AIVD en de MIVD hebben gesignaleerd dat statelijke actoren misbruik maken van de kwetsbaarheid in de Pulse Secure VPN-software.” Weet daarbij dat het niet gaat om het napraten van NSA & GCHQ.

    Binnenkort verschijnt bij ACM DTRAP een veldnotitie van ondergetekende over de Pulse-casus, incluis enkele gedachten over proactief scannen door CSIRTs in een gefedereerd/decentraal model. Om meerdere redenen, waaronder autonomie/privacy en informatiemacht (geen extra big brother…), ben ik persoonlijk geen voorstander van een gecentraliseerd model waarbij, zeg, het NCSC zelf méér zou scannen dan alleen rijksoverheidorganisaties en infrastructuur die raakt aan vitale processen. Pragmatisch, efficiënt, betrouwbaar en vertrouwelijk zijn m.i. kernwaarden bij proactief scannen.
  • UPDATE 2019-10-07: Mitigating Recent VPN Vulnerabilities (.pdf, advies uitgebracht door de Amerikaanse NSA). Citaat: “Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices”.
  • UPDATE 2019-10-02: Vulnerabilities exploited in VPN products used worldwide (NCSC-UK, onderdeel van het Britse GCHQ).
  • UPDATE 2019-10-01: de publicaties van Volkskrant en Reporter Radio zijn vandaag besproken in de Tweede Kamer tijdens het vragenuurtje, op initiatief van Ronald van Raak (SP).
  • UPDATE 2019-09-29: als iemand vragen heeft — stel ze vooral en vermijd aannames cq onjuiste interpretaties. Ik ben goed bereikbaar via e-mail en Twitter (zie sidebar) en help graag mee.
  • UPDATE 2019-09-28: Netwerk honderden bedrijven, waaronder KLM, Shell en Schiphol, maandenlang lek (Volkskrant) en ‘Bedrijven en overheid maandenlang kwetsbaar door groot beveiligingslek’ (NOS).

    Qua oplossingsrichting is verdere drang/dwang uit Den Haag misschien niet nodig – er is reeds een wettelijke plicht voor verwerkingsverantwoordelijken tot adequate beveiliging van persoonsgegevens die is vastgelegd in Art 32. AVG; en de bestuursdwang richting vitale sector en digitale dienstverleners die is vastgelegd in Art. 27 Wbni.

    De oplossing zit in het bieden van meer ruimte voor proactief onderzoek (zoals scannen) en handelen: niet alleen aan NCSC, maar ook universiteiten en bedrijfsleven. Ik ben echter geen jurist — en het is nu een politiek vraagstuk. Ik roep politici op zich te laten informeren door de juiste mensen — waaronder inhoudelijk deskundigen, zoals technisch specialisten (o.a. uit CERT-gremia). Er wordt gesproken over doorzettingsmacht voor het NCSC. Laten we daar kalm en met koel hoofd over nadenken — dat vindt ook Jaap-Henk Hoepman — want doorzettingsmacht kan contraproductief zijn. Bijvoorbeeld in de goede/soepele verstandhouding tussen NCSC en haar doelgroepen, waarin drang/dwang vanuit NCSC ongewenste gevolgen kan hebben.

    Opmerking van algemene strekking: in beginsel hoeft niemand zich te schamen voor een kwetsbaarheid en zelfs niet voor compromitering. Techniek is complex en iedereen, ook de deskundige, kan iets over het hoofd zien of een menselijke (inschattings)fout maken. Schamen moet men zich wél als ernstige kwetsbaarheden langdurig onopgemerkt aanwezig zijn en blijven indien dat (mede) wordt veroorzaakt door passiviteit (bijvoorbeeld desinteresse) of risicoaversie (niet durven scannen/testen; terwijl kwaadwillenden dat wél doen). Het beschermen van overheid, bedrijfsleven en individuen op internet is een ‘whole of society’-vraagstuk. Iedereen die kan bijdragen aan verbetering, moet zich vrij voelen dat te doen, zonder te hoeven vrezen voor een strafblad (ervan uitgaande dat men zorgvuldig handelt: noodzaak, proportionaliteit, subsidiariteit), en die bijdragen moeten worden omarmd door ons allemaal. Wie dat doet, hoeft nimmer een promotie te worden ontzegd, verdient het niet om via media reputatieschade te lijden, en kan na onverhoopte compromitering een goed en eerlijk verhaal vertellen. Laat alle organisaties in onze samenleving het idee van Coordinated Vulnerability Disclosure (CVD; voorheen Responsible Disclosure/RD genaamd) omarmen. En laten we wat vergevingsgezinder zijn — ook richting organisaties met kwetsbaarheden — omwille van het hogere gemeenschappelijke doel: een voldoende veilige en vrije informatiesamenleving.

Oorspronkelijke publicatie

[Onderstaand bericht is gepubliceerd in samenwerking met Ralph Moonen, CTO bij Secura. Zie eventueel BNR Nieuwsradio, 2 september 2019: “Interne netwerk van tientallen Nederlandse bedrijven en organisaties staat wagenwijd open”.]

Pulse Secure, een spinoff van Juniper die het Juniper-product Junos Pulse zelfstandig heeft voortgezet onder een nieuw handelsmerk, is één van de grootste leveranciers van producten voor netwerktoegangsbeveiliging: marktonderzoekbedrijf Frost & Sullivan erkende het in oktober 2018 als één van de belangrijkste vier spelers in het marktsegment voor het MKB en grootbedrijven, met wereldwijd 20.000 klanten.

In april 2019 publiceerde Pulse Secure een kritiek beveiligingsadvies voor Pulse Connect Secure en Pulse Policy Secure, respectievelijk een SSL-VPN en NAC/BYOD-oplossing. Klanten van Pulse Secure gebruiken de producten voor beveiligde toegang van (bijvoorbeeld) medewerkers tot een extranet of een intern netwerk.

Het bijschrift in het advies luidt als volgt (markering is origineel):

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. We strongly recommend to upgrade to the corresponding version with the fix as soon as possible.

De beveiligingspatches, die dus reeds in april 2019 zijn gepubliceerd door de vendor, verhelpen een reeks ernstige kwetsbaarheden. Daarvan had CVE-2019-11510 de hoogst mogelijke (CVSSv3-)kwetsbaarheidscore: 10.

Via die kwetsbaarheid kan een anonieme, niet-ingelogde aanvaller op afstand vanaf internet willekeurige bestanden uitlezen, waaronder de .mdb-database met gebruikersnamen, wachtwoorden (in leesbare en/of ontsleutelbare vorm) en sessie-identifiers van VPN-sessies. Actieve sessies kunnen worden gekaapt (bron); trouwens ook via CVE-2019-11540, een cross-site script inclusion kwetsbaarheid, in combinatie met (bijvoorbeeld) BeEF. Tweefactorauthenticatie is daarmee ook buitenspel gezet. In combinatie met andere kwetsbaarheden kan ook infectie met malware/spionage-software plaatsvinden.

Het is aan systeem- c.q. netwerkbeheerders bij organisaties die deze producten gebruiken om op de hoogte zijn van deze beveiligingspatch(es) en deze vrijwel onmiddelijk installeren (eventueel via een noodprocedure binnen het normale change management-proces). Al dan niet op aanwijzing van hun CISO, naar aanleiding van een beveiligingsadvies van het NCSC, en/of een tip van een derde. De realiteit toont aan dat dat in dit geval bij veel organisaties niet goed is verlopen.

In augustus hebben de Taiwanese ontdekkers van de kwetsbaarheden — Orange Tsai en Meh Chang van DEVCORE, die uitstekend werk hebben geleverd — tijdens Black Hat USA 2019 (slides in .pdf-formaat) en DEF CON 27 (videos) details van hun ontdekkingen gepubliceerd, en vrij snel daarna werd o.a. CVE-2019-11510 being exploited in the wild gezien. Op zaterdagochtend 24 augustus was dat te zien in de logs van dit blog (scroll in het grijze schermpje naar rechts om de rest v/d regel te zien):

/var/log/www.cyberwar.nl-access.bloglog:- 81.40.150.167 - - [24/Aug/2019:10:45:57 +0200] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Naar aanleiding daarvan is onderzoek verricht op Nederlandse IP-adressen. Daarover is zaterdagavonds een heads-up gestuurd aan het NCSC (cert@ncsc.nl), die daarop terugbelde met een ontvangstbevestiging. Zondagochtend 25 augustus is het resultaat van het onderzoek(je) — een lijst met 538 kwetsbare Pulse Connect Secure-systemen — aan het NCSC doorgegeven (cert@ncsc.nl). In de communicatie met het NCSC hebben we dat weekend twee gevallen uitgelicht die (volgens ons) in potentie als “ernstig” of “zeer ernstig” zijn te kwalificeren voor nationale veiligheid. Beide systemen zijn vrijwel direct gepatcht.

De afgelopen week is dagelijks opnieuw getest (en dat blijft de komende tijd doorgaan). De uitkomst is als volgt:

Nota bene: het is mogelijk dat er méér kwetsbare systemen bestaan dan tijdens dit onderzoek zijn gevonden. Van de systemen die wél zijn meegeteld is aannemelijk dat die daadwerkelijk kwetsbaar zijn (en dus geen foutpositieve, zoals een honeypot). Niet elk systeem is van een Nederlandse organisatie: er zitten ook buitenlandse organisaties bij die gebruikmaken van de goede internetinfrastructuur die we in Nederland hebben.

Ten tijde van schrijven zijn dus nog ruim 300 Pulse Connect Secure SSL-VPN’s op Nederlandse IP-adresruimte kwetsbaar (*) voor ten minste CVE-2019-11510.

Het initiële lijstje van kwetsbare systemen in Nederlandse IP-adresruimte loog er niet om — het omvatte onder meer:

  • Rijksoverheid
  • lokale overheden
  • luchtvaartsector (zowel flight operators als industrie/onderzoek)
  • beursgenoteerde bedrijven (o.a. met high-tech intellectueel eigendom)
  • defensie-industrie (10 organisaties)
  • onderwijssector (waaronder een universiteit en een hogeschool)
  • financiële sector (meerdere banken, verzekeraars, belasting- en administratiekantoren)
  • ICT-bedrijven (meerdere bekende/grote namen, met o.a. Defensie als klant; en enkele ICT-beveiligingsbedrijven)
  • havenbedrijven
  • petrochemische industrie
  • zorgpartijen (o.a. zorgaanbieders en nationale zorg-ICT)
  • enkele kleinere ISPs en telecomproviders
  • […meer…]

Attributie aan de organisaties is gebaseerd op een combinatie van WHOIS-gegevens van het IP-adres, de systeem-/domeinnamen in het TLS-certificaat, en PTR- en A-records in DNS. Slechts in enkele gevallen ging het — oordelend naar die gegevens — om een test- of ontwikkelsysteem. De rest betreft productieomgevingen of voormalige productieomgevingen. In voormalige productieomgevingen kunnen nog altijd actuele gebruikersnamen/wachtwoorden staan; dus ook dán is er in potentie een ‘echt’ probleem, ook als die omgeving onmiddels is ontkoppeld van de rest van het netwerk.

Organisaties die Pulse Connect Secure gebruiken doen er goed aan hun logs te controleren op aanwezigheid van de volgende waarden (zonder de “[…]”):

[...]/data/runtime/mtmp/lmdb/dataa/data.mdb?[...]
[...]/data/runtime/mtmp/lmdb/randomVal/data.mdb?[...]
[...]/data/runtime/mtmp/system?[...]

Als één of meer hiervan succesvol is gedownload door een onbekende derde dan is het zaak de VPN-gebruikers onmiddellijk hun wachtwoord te laten wijzigen op alle systemen waar zij dat wachtwoord gebruiken. Hopelijk betreft dat niet óók hun privéaccounts bij Facebook, Google, Apple, enzovoorts; hergebruik van wachtwoorden blijft een hardnekkig fenomeen.

Het NCSC heeft meerdere meldingen ontvangen inzake Pulse Secure en verschillende partijen geïnformeerd. Ons (Secura) is niet bekend welke partijen wel en welke niet. Vanwege de ernst van de situatie hebben ook wij direct actie in gang gezet (better safe than sorry): een reeks organisaties is vorige week door ons gebeld en een meerdere kwetsbare systemen zijn inmiddels gepatcht. Ongetwijfeld zullen meer partijen zo’n inspanning hebben ondernomen. We hebben het echter druk genoeg met onze normale werkzaamheden en zouden dit dus liever niet hoeven doen; maar voelen het een beetje als een morele plicht (if not us, then who?).

Dit soort situaties is onacceptabel: het kan niet zo zijn dat honderden systemen — in dit geval ook bij grootbedrijven en in vitale sectoren — na het bekend worden van ernstige kwetsbaarheden nog maandenlang actief zijn als sitting ducks voor kwaadwillenden.

Daarover het volgende.

Zowel het NCSC als private ICT-beveiligingsbedrijven als journalisten als (andere) individuele onderzoekers hebben beperkte mogelijkheden en resources. Het testen van andermans systemen op een kwetsbaarheid kan strafbaar zijn onder de wet computercriminaliteit, ook al zijn de bedoelingen goed en doorstaat de werkwijze de toets aan subsidiariteit/proportionaliteit (zo was ons onderzoek beperkt tot het uitlezen van versie-informatie en een bestand dat op alle Pulse Connect Secure-systemen identitiek is — dus geen gebruikersgegevens verwerven, laat staan code injecteren of commando’s uitvoeren).

Coordinated Vulnerability Disclosure (CVD; voorheen Responsible Disclosure) is voor dit soort cases hooguit een lapmiddel, want te arbeidsintensief gegeven de urgentie en omvang van het aantal kwetsbare organisaties. De verantwoordelijkheid kan niet liggen bij individuele onderzoekers of beveiligingsbedrijven die ongevraagd ad-hoc testen. Maar getuige wat is aangetroffen kan de verantwoordelijkheid vooralsnog óók niet alleen liggen bij de private organisaties zelf. En de vendor heeft gedaan wat deze moest doen: een beveiligingspatch uitbrengen en daarover communiceren aan klanten.

Het NCSC is dan weer met handen en voeten gebonden door wetgeving en ethische overwegingen: misschien wenst de Rijksoverheid zich in beginsel niet wil te mengen in private aangelegenheden. En ICT-beveiliging van private organisaties is en blijft in beginsel een private aangelegenheid.

De situatie rondom CVE-2019-11510 toont echter aan dat die verantwoordelijkheid bij private organisaties nog onvoldoende effectief wordt gedragen, ook bij organisaties die competente IT-beveiligers in dienst hebben (zo weten we beroepshalve). Hoe de huidige situatie zich laat verklaren is niet duidelijk — het zou een onderwerp kunnen zijn voor een (wetenschappelijk?) evaluatieonderzoek.

Het idee is niet nieuw, maar misschien zou het NCSC of een ander (Rijks)overheidsorgaan de ruimte/bevoegdheid moeten krijgen om Nederlandse IP-adresruimte bij (uitsluitend) zeer ernstige kwetsbaarheden in internet-facing producten onder voorwaarden proactief te testen (of laten testen) op kwetsbare systemen. Een centraal contactlijstje met CISOs van MKB en grootbedrijven zou daarbij kunnen helpen, als dat niet reeds bestaat.

Het opent wel een can of worms:

  • Risico’s
    • Wat als een privaat systeem uitvalt door een test die de overheid uitvoert? (of laat uitvoeren)
    • Hoe weet je dat een IP-adres(blok) op het tijdstip van een test nog in gebruik is door organisatie X, en alleen door die organisatie?
    • Hoe om te gaan met blacklisting/whitelisting van IP-adressen waarmee de overheid test?
  • Privacy
    • Wat als grondig/zorgvuldig testen met zich meebrengt dat gebruikersgegevens worden uitgelezen, al is het maar een beetje?
    • In hoeverre is het mogelijk om op een betrouwbare/robuuste manier de IP-adresruimte die door individuele burgers wordt gebruikt (dus niet bedrijfsmatig door een organisatie) buiten de scan te laten?
  • Taakopvatting van de overheid
    • Vinden we dit wel/niet een taak voor de overheid?
    • Is er een minder inbreukmakend middel waarmee hetzelfde doel kan worden bereikt?
    • Zou het voor private organisaties opt-in of opt-out moeten zijn?
    • Hoe om te gaan met gevallen waarbij een private organisatie ook na melding door de overheid een kwetsbaar systeem niet patcht?
    • Welke kwetsbaarheden wel testen, welke niet?
    • Hoe weten we dat de overheid de gevonden kwetsbaarheden niet zelf uitbuit voor (andere) overheidsbelangen zoals opsporings- en inlichtingenwerk? (misschien geen groot punt van zorg; maar het kan niet buiten beschouwing blijven.)

Misschien eist actief testen op kwetsbaarheid door de Rijksoverheid een verandering in wetgeving. Dat is dan een kluif voor juristen en/of politiek.

Tot slot als quick-reference het lijstje met affected en non-affected versies van Pulse Connect Secure en Pulse Policy Secure (bron: SA44101):

SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities
resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

Affected Versions:
Pulse Connect Secure 9.0R1 - 9.0R3.3
Pulse Connect Secure 8.3R1 - 8.3R7
Pulse Connect Secure 8.2R1 - 8.2R12
Pulse Connect Secure 8.1R1 - 8.1R15
Pulse Policy Secure 9.0R1 - 9.0R3.3
Pulse Policy Secure 5.4R1 - 5.4R7
Pulse Policy Secure 5.3R1 - 5.3R12
Pulse Policy Secure 5.2R1 - 5.2R12
Pulse Policy Secure 5.1R1 - 5.1R15

Not Affected:
Pulse Connect Secure 9.1R1 and above
Pulse Connect Secure 9.0R4 & 9.0R3.4
Pulse Connect Secure 8.3R7.1
Pulse Connect Secure 8.2R12.1
Pulse Connect Secure 8.1R15.1 
Pulse Policy Secure 9.1R1 and above
Pulse Policy Secure 9.0R4 & 9.0R3.4
Pulse Policy Secure 5.4R7.1
Pulse Policy Secure 5.3R12.1
Pulse Policy Secure 5.2R12.1
Pulse Policy Secure 5.1R15.1

P.S. 1: wie klant is bij een cyberverzekeraar en vier maanden lang een kritieke beveiligingspatch op een internet-facing systeem niet installeert hoeft bij een compromittering waarschijnlijk niet te rekenen op een uitkering. Lees meer: ‘Vlijt en naarstigheid’ in een digitale wereld: eigen schuld en beredding in de context van de cyberverzekering (.pdf) van mr. N.M. Brouwer in AV&S 2019/23, augustus 2019.

P.S. 2: Pulse Secure-productversies die later kwetsbaar bleken hebben begin 2018 in de VS een Common Criteria-certificering gekregen. Daarmee zijn die versies goedgekeurd voor gebruik in bepaalde gevoelige(re) omgevingen in de VS. Een positieve resultaat van een Common Criteria-certificeringstraject, zoals in Nederland uitgevoerd door het AIVD-NBV en onder het BSPA-programma via geaccrediteerde bedrijven, betekent niet dat een product foutloos is. Het komt vaker voor dat in goedgekeurde producten kwetsbaarheden worden gevonden — ook ernstige. Dat houdt verband met het (EAL-)niveau waarop zekerheid wordt gevraagd, en daaraan gekoppeld de scoping, beschikbare tijd, kennis, vaardigheden, apparatuur, documentatie, en (on)beschikbaarheid van broncode. Iets dat in de nabije toekomst weer ‘s zelfstandig aandacht verdient.

* Het publiceren van deze blogpost — terwijl er nog kwetsbare systemen zijn — gebeurt met gemengde gevoelens. Bad Packets heeft al gepubliceerd dat wereldwijd liefst 14.500 (!) kwetsbare instances actief zijn. Mede daarom lijkt verder wachten ons, en de personen bij wie we een zienswijze hebben gevraagd, méér onverantwoordelijk dan nu naar buiten te treden met de actuele aantallen; zonder daarbij IP-adressen of namen van organisaties te benoemen.

Detecting corruption & money laundering: 72 potential indicators, from the perspective of Financial Intelligence Units (FIUs)

Front page of public summary document released by the Egmont Group.

The Egmont Group (Twitter: @EGFIU) is a platform for exchange of expertise and financial intelligence that consists of 164 (!) Financial Intelligence Units (FIUs) worldwide. In mid-July 2019, it released a public summary (.pdf, 22 pages; mirror) of the “FIU Tools and Practices for Investigating Laundering of the Proceeds of Corruption”. The release stems from an initiative started by the FIUs of Israel (IMPA), the Netherlands (FIU-Nederland), Russia (Rosfinmonitoring) & Ukraine (SFMS).

The summary provides, notably, a list of 72 indicators (pp.16-22; a ‘checklist’, if you will) to identify possible cases of corruption and money laundering. Be reminded that the latter is also relevant to combat terrorist financing. The indicators are grouped as follows:

  • Indicators of Corruption in Public Procurement
  • Indicators of Unexplained Wealth or Income
  • General Indicators

They serve as potential triggers for FIU investigations and can be used by banks and accountancy firms — but investigative journalists (‘follow the money’) and others may also want to take note. For the latter and other purposes I (re)post the indicators below as quick reference.

NOTE #1: there is no substitute for reading original documents in full, so do read the original public summary in full. Context always matters.

NOTE #2: for some historic reading and background on FIUs, see the IMF publication Financial Intelligence Units: An Overview (.pdf, 2004, 149 pages; mirror).


Egmont Group Set of Indicators for Corruption Related Cases From the FIUs’ Perspective

Indicators of Corruption in Public Procurement

  1. Services provided to state-owned companies or public institutions by shell companies, offshore companies or formations, companies in registration offices or P.O. companies.
  2. Services provided to state-owned companies or public institutions by companies registered in high-risk jurisdictions.
  3. Long-term contracts are repeatedly awarded to the same subcontractor, or a certain legal entity or legal arrangement consistently winning a majority of the largest contracting authority tenders/public procurement bids.
  4. The issuance of unreasonable specifications for the performance of the contract (including restrictive conditions for the location of the contractor, restrictive conditions for the materials needed for the performance of the contract, particularly tight deadlines, etc.) by the procuring authority.
  5. Subcontractors have common director(s), beneficial owner(s) and/or are related with the management of the contractor.
  6. Subcontractors/intermediaries brought in on business deals once a contract has already been agreed and for no obvious reason.
  7. Contractors, subcontractors or their counterparties (within the timeframe for completion of the state contract) are linked by address, telephone number, IP-address, etc.
  8. Procurement projects which are funded through loan agreements by governing bodies such as development institutions but where the eventual tender price put out is significantly higher than the loan amount requested.
  9. Deposits in public officials’ accounts with checks issued by construction companies, individuals or non-governmental entities that previously benefited from public works contracts.
  10. Legal entities with little or limited experience receiving highly complex and technical government contracts/projects (not compatible with the size or experience of the entity) or receiving government contracts/projects that are not related to their field of business.
  11. A certain legal entity or arrangement, which is a contractor to a state-owned company, usually receives payments of higher amounts for goods or services which normally should cost less (when compared to the normal market prices for equivalent products or services).
  12. Funds received by a contractor of public procurements are not spent within a reasonable timeframe to fulfil the contract needs.
  13. Checks issued in favor of public officials and come from accounts of persons that benefited from public procurements/funds, without an evident justification.
  14. Checks issued by a public entity being cashed out and subsequently deposited to accounts of public officials or entities related to public officials.
  15. Public officials, especially those having a role in government contract management or public procurement of high-value assets, receive funds transfer instructions:
    • from business and/or personal accounts, where these funds appear to be excessive in value;
    • according to in-built distribution methods or contractors or intermediaries;
    • from distributors used at the request of the contracting party;
    • according to existence of rebate arrangements, particularly if agreed outside the contract;
    • under requirements to obtain licenses and other government permits as a pre-requisite of doing business.
  16. Use of third parties, such as contractors, consultants, vendors, suppliers and advisor/intermediaries, in order to facilitate procurement contracts fulfilment:
    • Requests for compensation not explicitly contemplated in the third party contract
    • Requests that payments be made to different third parties
    • Third party requests for charitable or political contributions
    • A third party is in a different line of business than that for which it is engaged
    • The third party has little or no experience in the relevant industry or activity
    • The third party does not have an office in the country where services will be performed
    • The third party was recently formed or incorporated
    • The third party has poor financial stability or credit record
    • The third party has a high level of reliance on subcontractors or intermediaries (so-called “fourth parties”)
    • The third party became part of a transaction at the express request or insistence of a public official
    • The third party is recommended or referred by a public official
    • Third party commissions are unreasonably large or based on inaccurate or incomplete invoices
  17. Contracting party issues commercial cards to individuals that are not employees of contracting party and are used to purchase luxury goods, make payments for high-cost services or other transactions that are not normal business expenses.
  18. Payments based on a public procurement contract are conducted at a price higher than originally contracted.
  19. Payments conducted according to public procurement contracts where there was only a single bid for a government procurement tender, which signals a lack of competition and closed access.
  20. Receipt of commission or fees before signing of agreement for services or carrying out a function or process in relation to public procurement contract.
  21. Commissions, interest or payments under commercial terms of public procurement contract are increased, reduced or restructured in a manner that is not commercially viable.
  22. Repeated or subsequent purchases of low-quality goods, works and services at market prices of goods of higher quality or purchases of goods, works and services at higher than market prices.
  23. Payments for goods according to public procurement contracts without delivery of such goods to customs territory of the country.
  24. Payments are conducted to accounts of providers of goods, works and services, which are opened in countries different from where such goods, works and services are originated or provided.

Indicators of Unexplained Wealth or Income

  1. The subjects in a transaction are domestic or foreign public officials and receive and/or send unusually large amounts of funds in different currencies.
  2. Funds received in accounts of persons, legal entities, or legal arrangements with no visible connection to public officials, but known to be controlled by such, or persons related to them (a frontman, a strawman, or legal entity established to conceal the beneficial ownership), where the funds have been sent by a shell company. The additional information provided with regard to the funds refers to “loans”, “investment purposes”, or “purchase of real estate property”, or otherwise reveal an irreconcilable conflict of interest involving commercial business between a private enterprise and a public official.
  3. Representative of a public official (i.e. lawyer, secretary, accountant) opens account and purchases expensive property or luxury goods with the express intent of bypassing Customer Due Diligence (CDD) process screening for public officials.
  4. “Straw men” (especially in the remittance sector) can be used to obfuscate the beneficial ownership of the assets by involving public officials’ employees i.e. cleaner/ gardener/driver. Usually, the funds received on the accounts of such straw men significantly exceed their legitimate employment income.
  5. Public officials receive or purchase shares (or the option to purchase shares):
    • In a company in exchange for services; or
    • In a company where the purchase is financed by the vendor; or
    • In a company where the purchase price is below the net asset value of the company; or
    • In a company and receives a dividend from the company which is disproportional to the purchase price; or
    • Which give the right to sell shares at a price which is higher than either the current market value or the price at which the shares were purchased; or
    • And profit from a share transaction where the purchase and selling dates of shares are within a short time period.
  6. Public officials receive loan guarantees from a public corporation or government body, or a loan under favorable conditions.
  7. Public officials receive large amounts of money for their attendance in workshops, conferences or as consultants to projects, in order to disguise the origin of the funds from being seen as a payment of corruption.
  8. Public officials receive debt forgiveness or repayment requirements are waived by the creditor.
  9. Public officials perform transactions with sovereign wealth funds or government-linked companies.
  10. Misrepresentation and/or inconsistency between the declared source of wealth of public officials through their sworn asset declarations, and those established during the due diligence process.
  11. Public officials have purchased virtual assets in a total amount higher than their legally declared income.
  12. The purchase of goods or services, or transfer of payments, or the receipt of any other benefits (i.e. rental payments, school fees, chauffeur fees, fees for private healthcare, funding of private jets, consultancy fees, high commissions, etc.) for or on behalf of a public official, from the contracting authority, or a contractor in the period of the execution of the state contract.
  13. Transactions that take place in accounts of public officials involving cash deposits or withdrawals in unusual frequency and amounts.
  14. Incoming transactions from foreign jurisdictions (specifically from high-risk jurisdictions) on accounts of public officials, which are intended for real estate purchases or purchases of high-value or luxury goods, typically contain no additional information about the transaction itself, and the necessary remittance information is vague (e.g. refers to ‘consultancy fees’). Such situations result in a lack of transparency with regard to the transaction and difficulty determining the source of funds.
  15. Purchases or leases of movable or immovable assets by public officials which do not coincide with the subject’s income.
  16. The use of hawala type mechanisms (especially through the remittance sector) by public officials to move money abroad.
  17. Fixed Term Deposit Certificates made by companies with the main purpose that the capital and interest generated from the investment should be transferred immediately to accounts of a political party.
  18. Cash deposits with no rationale:
    • Credit card/ home loan applications (even if declined) are useful to find out what the public official earns versus what is deposited into their account; or
    • Cash deposits made into the same public official’s account from different locations.
  19. The immediate transfer of funds from a private entity’s account to a personal account of a public official and the subsequent movement of the funds to third party accounts. These funds are eventually moved abroad, which indicates the use of the aforementioned accounts as a temporary node. Some of the persons in the described chain may deduct a percentage of the amount before transferring it further, which indicates that these persons have received a commission for their services.
  20. Incoming cash or electronic transfers from different external sources on accounts of public officials are later spent at online gambling sites – credit from the same site or different online gambling sites can then be seen.
  21. Transferring of funds from accounts of public officials to high-risk vehicles abroad, such as corporate trusts.
  22. Public officials establish legal entities or legal arrangements, which have purchased land and buildings of significant value (as is evident from their accounting documents), despite the absence of any other commercial activity, or without a justifiable source of funds.
  23. Public officials have made cash transactions involving large amounts (e.g. currency exchange, use of cash to purchase high value goods, etc.).
  24. Transaction payments of unusual amounts or frequency from public officials to lawyers, accountants, or other professional intermediaries.
  25. Payments in favor of public officials are made to facilitate or expedite a government service.
  26. Use of state funds to purchase shares in private companies or private companies belonging to public officials, at prices above market value.
  27. Issuance of sovereign debt to public officials or entities known to be controlled by them, at interest rates above the prevailing market rate.
  28. Use of Joint Venture (JV) structures for government contracts in which public officials or a company belonging to them are silent partners. For example, in a JV between a state-owned company and a private company, a third silent shareholder owned or controlled by a public official is inserted in order to allow the public official to take a share of the profit.
  29. Payments by entities to NPOs that public officials are known to be associated with.
  30. A transaction or financial activity, which involves foreign nationals with no significant link (apart from the financial) to the country where the transactions took place. These foreign nationals are known to be active consultants or employees of lobbying organizations and are sometimes reluctant to explain the source of wealth/funds or give unsatisfactory explanations.
  31. Financial flows, which reveal complex financial mechanisms and intervention by foreign legal entities or arrangements, are received in an account in another jurisdiction, where the account is related to a public official.
  32. International transfer from the Treasury of a foreign country to shell companies, to entities with no public profile, or no physical or online presence, or to individuals who are not known employees of the government.
  33. The stated source of wealth of funds received to an account of a public official may be inconsistent with the client’s stated career history, expertise, or age. In this regard a mismatch may exist between the applicant’s stated career history and their total net worth.
  34. Transactional activity usually characterized by first party payments to and from accounts in the same name or between offshore company and trust structures (linked or known to be linked to public officials).
  35. Customer, especially when it is a public official, transferring funds to/from other public officials, including law enforcement officers.

General Indicators

  1. Open source information, which can relate specific financial activity to ongoing investigations into individuals, and concerns about corruption.
  2. An entity that receives public contracts and its legal representative/s appear in media reports, which link/s him/her/them to corruption or other financial crimes.
  3. Payments made by contractors for consultancy services, particularly in industries with a higher risk to corruption, such as arms, mineral extraction, telecoms, public infrastructures, where the amount paid appears to be outside the normal price range for consultancy services.
  4. A fiduciary service company which set up the structure for the applicant may be the subject of negative press reporting.
  5. Close family members or associates of public officials are appointed as senior management officials in private companies without meeting the necessary requirements for taking up the position or the hire’s salary or compensation package is not commensurate with market conditions.
  6. Applicant wants to open an account with an unnecessarily complex structure of economic and beneficial ownership possibly involving eclectic wealth planning arrangements or bearer share companies (known to be linked to a public official).
  7. Applicant (who is a public official) expresses urgency on an application (e.g. completion on a mortgage or other time critical transaction).
  8. Explanations for transactions may include the use of words and phrases often used as euphemisms for bribes (for example commission, marketing fees, surcharge, etc.).
  9. Public officials increase their standard of living after the expiration of the officials’ mandate without any legally justifiable reasons. Another possibility would be an inability or refusal by these persons to provide a credible account regarding how the wealth was generated or to provide corroborative support for the source of wealth. In other cases, the corroborative documentation provided raises concerns about authenticity or is otherwise inconsistent with the source of wealth statement.
  10. Opaqueness of government business schemes used to encourage diversity, which should be overtly transparent.
  11. Companies which pay other firms to perform logistical roles in countries where there is a high degree of perceived corruption and which they could perform themselves, in order to transfer the risk to the other firm.
  12. Companies changing the terms of agreements and definitions of intermediaries to avoid registration and regulatory oversight in other countries.
  13. Company wins a public tender with short submission period (i.e. number of days between publication of a call for tenders and the deadline for submission of the bid).

EOF