Assessment of U.S Intelligence Community Cyber Surveillance Programs and Tradecraft — Part One

Dancho Danchev
Oct 25

Spooked by evil aliens? Did the Klingons do it again? Worried about your latest and very greatest porn collection leaking online? Thinking about your IP (Intellectual Property) as if it were U.S. National Security? Want to find a meaningful way to contribute to a bigger cause, namely the U.S. Intelligence Community and your own online privacy? Keep reading.

In this rather long analysis, the first part of an upcoming series on current and active U.S. Intelligence Community cyber surveillance programs, I’ll walk you through all the currently relevant U.S. Intelligence Community cyber intelligence and cyber surveillance programs in non-alphabetical order. The aim is to provoke a meaningful discussion on the current tactics, techniques and procedures used by the U.S. Intelligence Community, on how you can protect yourself and, most importantly, on how the U.S. Intelligence Community could “perform better”, including practical software- and service-based recommendations for general users and organizations.

The data in this research has been obtained from Cryptome.org, the Snowden archive and the Electrospaces.net research blog, including the following archive.

The first program discussed in this analysis, and in the first part of the series, is “ABSOLINE EPILSON”, which targets iPhone users with client-side exploits and actively correlates unique iPhone mobile device IDs in order to infiltrate internal and private networks and exfiltrate private and personal data. I’ll also explain how the program really works, offer suggestions, for educational purposes only, on how the U.S. Intelligence Community could make it work better, and give practical advice on how users can protect themselves from the CNO (Computer Network Operations) launched by the GCHQ.

This first part of the series details the workings of some of the most prolific U.S. Intelligence Community and GCHQ cyber surveillance programs, including actual steps and practical recommendations on how end users and organizations can take proper measures to protect themselves from these widespread surveillance and eavesdropping programs and techniques.

Program Name: ABSOLINE EPILSON (PDF) — “This paper describes standard analysis techniques that have been used to both discover iPhone target end point machines and implant target iPhones directly using the QUANTUM system. It shows that the iPhone Unique Device Identifier (UDID) can be used for target tracking and can be used to correlate with end point machines and target phone. It highlights the exploits currently available and the CNE process to enable further targeting.”

Current status: The program is active. It correlates iPhone user IDs with an end user’s end-point Internet activity, in terms of traffic and Web site cookie acquisition, for the purpose of interception, profiling and active monitoring, potentially resulting in information and data leaks, including privacy violations, for a huge majority of iPhone users internationally who are unaware of the basic flaws exploited in this Top Secret GCHQ program, which uses an end user’s iPhone as the “weakest link” to target their home-based or internal private end-point network.

Sample CVE Statistics for Apple’s iTunes Software Throughout the Years

How exactly does the program work? With the iPhone continuing to occupy a large share of the mobile device market, it shouldn’t be surprising that malicious attackers try to exploit both major iOS operating system flaws and iPhone-based client-side vulnerabilities, typically by enticing a targeted user into interacting with a rogue, fraudulent or malicious Web site that serves working, off-the-shelf client-side exploits in order to compromise the confidentiality, integrity and availability of the targeted device.

How it works: Every mobile device has a unique ID. The problem? The device tends to “phone back” to the manufacturer’s infrastructure, and that ID can be uniquely attributed to an end user and possibly to their end point, which then acts as the “weakest link” exposing the end user’s Internet activities to the U.S. Intelligence Community. Before a device “phones back” to the manufacturer’s infrastructure, the data, depending on the degree of OPSEC (Operational Security) applied, if any, can easily be eavesdropped on and put under active legal surveillance, compromising the confidentiality, availability and integrity of the targeted mobile device and exposing the end user’s home and internal network to a multitude of data-correlation attacks, active CNO (Computer Network Operations) campaigns and actual data leaks, including high-profile privacy violations.

How does the program actually work? Besides relying on iPhone client-side vulnerabilities and exploits and on the usual metadata collection over insecure, OPSEC-unaware communication networks, the program also attempts to exploit outdated and already patched iPhone and iTunes flaws in an attempt to trick users into falling victim to social engineering type fraudulent and malicious activity courtesy of the U.S. Intelligence Community.

The digitally naughty part: Data correlation on a third-party device for the purpose of exposing the actual infrastructure behind the device, including the related end points and devices associated with the user in question, is nothing new. The digitally naughty part? It can be done, and the mobile device in question, an iPhone in this particular case, can easily be labeled the “weakest link” in a corporate or private end-user environment, where it could result in the direct compromise of the internal infrastructure as part of an ongoing legal eavesdropping and surveillance authorization campaign launched against a specific individual or organization.

How you can make it work better: Shipping, delivery and supply-chain infiltration tactics for correlating unique mobile device IDs to a specific user aren’t new, including possible “purchase-order-to-user-ID” correlation and data infiltration through basic social engineering and offensive CNO-based tactics. A targeted, geo-located phishing campaign on a per-country or per-city basis could lead to positive results in terms of good old-fashioned social engineering, exfiltrating the necessary data, including mobile device IDs, and using browser-based Web decoys to further expose an end user’s or an organization’s private network and the correlated end-point devices.

  • Target application-isolation software and service solution providers and owners — What the GCHQ and the U.S. Intelligence Community can consider and implement on a short- and long-term basis is to launch a variety of malicious, fraudulent and potentially disruptive attack campaigns, which should be considered an option for ensuring that the project owner’s time is spent fighting the attacks, slowing down the project’s development and eventually shutting it down. The possible portfolio of attacks includes online identity discrimination, spear phishing campaigns, DDoS attack campaigns, mail-flood attacks and possibly TDoS (Telephony Denial of Service) attacks against a variety of tailored and predefined project owner contact points. Is this legal? It largely depends on who the U.S. Intelligence Community and the GCHQ are targeting and on the exact approach taken towards the vendor or the project owner’s individuals in question.
  • Develop an internal bug-bounty program for sandboxing and application-isolation software and service providers — It should be clearly noted that, besides utilizing public sources, crowd-sourcing the bug bounty through public and official channels or outsourcing the bug hunting to third parties while offering the necessary financial incentives might be the best approach to undermining the credibility of the project and the owner’s credibility and reputation to maintain and operate it. What exactly do I have in mind? Exploiting a popular flaw in a high market-share antivirus solution or in a popular sandboxing application such as Sandboxie could greatly undermine the project’s credibility should the U.S. Intelligence Community decide to launch a targeted and widespread malware-dropping and data exfiltration campaign.
  • Aim to wage disruptive warfare against private project owners — It’s becoming increasingly evident that the U.S. Intelligence Community and the GCHQ are attempting to launch a variety of discrimination and impersonation campaigns, active and targeted DDoS (Distributed Denial of Service) attack campaigns and the actual personalization of network assets for the purpose of disrupting the cyber operations of a huge number of project owners, including hacktivist groups who might be interested in spreading data, information and knowledge on current and emerging cyber threats, as well as the actual launching of CNE (Computer Network Exploitation) attempts in the form of Web site defacements and related CNE-type campaigns online.
  • Randomly picking a software owner — In the past it has been clearly evident that, as part of Top Secret U.S. Intelligence Community and GCHQ programs, a random set of individuals could easily be targeted, including through the use of Karma Police for the purpose of establishing a historical footprint of an individual’s or an organization’s Web activities, potentially triggering an alert matching the current needs and requirements of the Top Secret U.S. Intelligence Community and GCHQ program in question. A decent example of “what really happened” is a good old-fashioned Web site which I’ve been using and remember from the Scene for over a decade now, Matousec, which offers proactive and reactive personal firewall tests and comparisons and appears to have been recently targeted by an unknown set of individuals.
Sample Web Site Screenshot of the Matousec Web Site Including a Possible Mysterious Message Left Prior to the Web Site’s Shutdown
  • Passively measuring and estimating product market share for targets of opportunity — It’s becoming increasingly evident that in the past the U.S. Intelligence Community and the GCHQ could easily measure the market share of a specific antivirus or personal firewall security solution using both public sources and SIGINT, for the purpose of better launching targeted CNE (Computer Network Exploitation) attack campaigns against individuals or organizations.
Sample Antivirus Products Market Share — 2018 — Courtesy of OPSWAT

How you can take measures to protect yourself: Consider obtaining one of the following “stripped” mobile devices, running a hardened mobile OS that offers in-depth, multi-layered security and privacy protection features, for the purpose of bypassing widespread surveillance techniques. Possessing a “stripped” mobile device is crucial for ensuring the degree of personal privacy needed to stay ahead of current and emerging cyber threats, including widespread privacy violations courtesy of the U.S. Intelligence Community and various other nation-state and rogue actors, including cybercriminals.

Sample Screenshot of a Highly Recommended Personal Firewall Net Firewall in Action
Sample Recommended “Stripped” Commercial Mobile Device

Recommended “stripped” mobile devices, potentially preventing widespread surveillance efforts and personal privacy violations:

https://necunos.com/
https://uhuru-mobile.com/
http://omprussia.ru/
https://secure-os.com/
https://www.encrypted-os.com/
https://copperhead.co/android/
https://www.confidentia.mc/phone/
https://www.darkmatter.ae/katim/katim-phone/
https://www.armadillophone.com/
https://securegroup.com/

Sample Recommended Nova Network Security Honeypot System in Action

The next logical step would be to ensure that the device’s metadata, in terms of Web browsing and the use of public and proprietary services, is properly obfuscated. Among the primary concerns whenever you choose to obfuscate a particular set of data is possible supply-chain infiltration on behalf of the U.S. Intelligence Community, in particular of purchase orders, which would allow an adversary to correlate and potentially identify a particular end user. One of the primary concerns in today’s Internet, largely dominated by widespread surveillance courtesy of the U.S. Intelligence Community and of rogue and potentially malicious actors, including nation states and cybercriminals, is the direct exposure of an individual’s private network, including correlated events that could identify and track down a particular individual.

In terms of mobile device obfuscation, the end user is advised to use a personal firewall to monitor outgoing and incoming connections on the device, blocking all incoming connections and closely monitoring outgoing ones. Furthermore, in terms of hardening the mobile device, an end user should ensure that it does not leak any internal IP addresses or the device’s MAC address, which would expose the user’s internal and private network to “ABSOLINE EPILSON” type end-point and mobile-device targeting campaigns courtesy of the U.S. Intelligence Community and other rogue actors, including nation-state actors and cybercriminals in general. How should you proceed in order to achieve this? Keep reading.
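One way to check for the leaks just described, as an added example that is not part of the original article: the script below audits egress-log lines for a 40-hex UDID of the kind the ABSOLINE EPILSON paper says can be correlated, for MAC addresses and for private IPv4 addresses. The log layout (scheme, host, path and query, request headers), the host names and every value in SAMPLE_LOG are constructed assumptions.

```python
"""Audit egress-log lines for device identifiers leaving the phone in the clear.

Added example, not from the original article.  SAMPLE_LOG is constructed to
resemble a per-request log from a local intercepting proxy; the field layout
(scheme, host, path+query, request headers) and every host name are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Exactly 40 hex digits: the shape of the classic iPhone UDID.  The look-arounds
# stop a 64-hex SHA-256 value from matching on a 40-digit slice of itself.
UDID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_LOG = """\
https api.example.test /v1/register?udid=0123456789abcdef0123456789abcdef01234567 User-Agent: Example/1.0
http ads.example.test /track?mac=A4:5E:60:11:22:33&lan=192.168.1.23 Cookie: sid=abc
https cdn.example.test /img/logo.png Accept: image/png
http telemetry.example.test /ping?sig=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef X-Client-IP: 10.0.0.5
"""


@dataclass
class Finding:
    host: str                                   # destination the identifier went to
    kinds: list = field(default_factory=list)   # which identifier types were seen
    plaintext: bool = False                     # True when the request was plain http


def private_ips(text):
    """Return RFC1918 / link-local IPv4 literals found in text."""
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:          # e.g. 999.1.1.1 passes the loose regex
            continue
        if ip.is_private or ip.is_link_local:
            found.append(literal)
    return found


def audit_line(line):
    """Return a Finding for one log line, or None if nothing identifying is in it."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    scheme, host, path, headers = parts
    blob = path + " " + headers
    kinds = []
    if UDID_RE.search(blob):
        kinds.append("udid")
    if MAC_RE.search(blob):
        kinds.append("mac")
    if private_ips(blob):
        kinds.append("private-ip")
    if not kinds:
        return None
    return Finding(host=host, kinds=kinds, plaintext=(scheme == "http"))


def audit(lines):
    """Audit many lines; plaintext findings are the first candidates for firewall rules."""
    return [f for f in (audit_line(l) for l in lines if l.strip()) if f is not None]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{'PLAINTEXT ' if f.plaintext else ''}{f.host}: {', '.join(f.kinds)}")
```

Hosts that receive identifiers over plain http are the ones an outgoing-connection rule in the personal firewall should block first; the https findings still show which services learn a device identifier.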

Next to the general use of “stripped” mobile devices, end users should also consider the following highly recommended tactics, techniques and procedures for protecting their IP (Intellectual Property) and the confidentiality, availability and integrity of their mobile and end-point devices:

  • WebRTC — Among the most common privacy-exposing scenarios in terms of “ABSOLINE EPILSON” remain insecure browsing habits, namely a misconfigured browser or browser extension, including the newly introduced “local IP exposing” WebRTC feature found in a variety of browsers. What should end users do to protect their local IP and add privacy and security features to their browser? Keep reading. The first thing a user should ensure from a network-based perspective is that their browser fingerprint remains as private as possible, including the inability of the U.S. Intelligence Community.
Sample WebRTC Local IP Exposing Online Test Results
  • Browser-based fingerprinting and possible information leaks — An end user or organization interested in obfuscating their online presence should take basic precautions by installing the necessary browser-based privacy-enhancing add-ons and plugins so that their Web activity is obfuscated, and should apply basic OPSEC (Operational Security) methodologies, in this particular case the use of an advanced and sophisticated VPN (Virtual Private Network) service provider. A case in point would be the active use of a “stripped” Web browser such as nDALANG or Sphere, which operates in the user’s RAM, further enhancing the individual’s and the organization’s Web privacy, protecting the user from a variety of high-profile browser-flaw exploiting attacks and relying on privacy-preserving features that make it harder for Web sites, the U.S. Intelligence Community and the GCHQ to track you down and profile your Web activities on a mass scale through the various currently active Top Secret programs.
Sample Screenshot of the nDALANG Privacy-Enhancing Browser’s Key Features
  • Personal host-based firewall — The first thing to look for in a personal firewall is bi-directional functionality, allowing you to block all incoming traffic and to allow outgoing traffic based on a variety of rules, including whitelisting. The next logical step would be to implement a basic ARP-spoofing prevention solution to ensure that your ISP or VPN provider cannot perform ARP-spoofing attacks, which could compromise the confidentiality of the targeted host and expose it to a multitude of network-based deception attacks.
Sample Screenshot of XARP Anti-ARP Spoofing Free Tool
  • HIPS-based firewall — The next logical step would be to ensure that the end user or organization remains protected from a variety of both known and unknown threats through the use of a host-based intrusion prevention solution, which applies basic host-based hardening and security practices; Comodo’s Personal Firewall, for instance, offers off-the-shelf HIPS-based host protection.
Sample Screenshot of Comodo HIPS in Action
  • Basic network deception — An end user or an organization could easily apply basic network-traffic and host deception mechanisms in an attempt to detect, properly respond to and disinform a potential attacker through the use of basic honeypot techniques applied on the targeted host.
Sample Screenshot of Canary Honeypot System
  • Blocking privacy-invading online advertisements — The next logical step would be to use an online advertisement blocking solution beyond the user’s or organization’s Web browser, such as Pi-hole, which can easily block a decent portion of third-party advertisement networks.
Sample Screenshot of Pi-Hole Online Advertisement Blocking Solution in Action
  • Custom DNSSEC-enabled DNS servers with a no-logs policy — Worried about the U.S. Intelligence Community and your ISP eavesdropping on your traffic and Web browsing history and potentially launching man-in-the-middle attacks? Consider using a free, privacy-conscious DNS service provider with DNSSEC enabled and a no-logs policy, such as DNS Watch, which you can use without worrying that your Web browsing and DNS request history will be logged and potentially abused. A further recommendation for improving an end point’s in-depth security strategy is DNSCrypt, which offers access to popular no-logs, DNSSEC-enabled public and private DNS servers, ensuring that a user’s or an organization’s Web browsing activity remains hidden and protected from surveillance and eavesdropping attempts.
Sample DNSCrypt Public No-Logs DNSSEC-enabled Providers
  • Network-based IDS (Intrusion Detection System) — Reliance on host-based end-point security solutions can easily be improved through the use of a publicly obtainable network-based IDS such as Snort, in combination with a highly popular and recommended firewall and IDS platform such as pfSense.
Sample Screenshot of Snort IDS in Action
  • NordVPN — The next logical step would be to stay away from mainstream mobile devices, with security and privacy in mind, and to use a properly selected VPN service provider for applying basic traffic obfuscation techniques and end-point network isolation. In this particular context the end user and the organization should look to implement a VPN provider that actually “mixes” public, legitimate, jurisdiction-aware infrastructure with privacy-aware public or proprietary network technology, in this particular case VPN2Tor type technology.
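For the WebRTC item in the list above, an added example that is not part of the original post: it classifies ICE candidate lines of the kind a browser shows on its WebRTC diagnostics page and reports whether any of them hands a Web page a LAN address. The candidate lines are constructed, and the 203.0.113.x addresses are documentation addresses standing in for real public ones.

```python
"""Classify WebRTC ICE candidates to see what a Web page could learn about a host.

Added example, not from the original article.  CANDIDATES are constructed lines in
the format browsers show on their WebRTC diagnostics pages; 203.0.113.x are
documentation addresses standing in for a real public address.
"""
import ipaddress
import re

CAND_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

# Ranges whose appearance in a candidate reveals the local network layout.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "100.64.0.0/10", "fc00::/7", "fe80::/10")]

CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "candidate:2 1 udp 2122194687 6a4f7b1e-2c3d-4e5f-8a9b-0c1d2e3f4a5b.local 51235 typ host",
    "a=candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:4 1 udp 2122187007 fe80::1c2d:3e4f:5a6b:7c8d 51236 typ host",
    "candidate:5 1 udp 41885439 203.0.113.200 3478 typ relay raddr 203.0.113.7 rport 51234",
]


def is_lan(ip):
    # `in` is False across IP versions, so v4 addresses never match the v6 nets.
    return any(ip in net for net in LAN_NETS)


def classify(candidate):
    """Return (category, address, candidate type) or None for a non-candidate line."""
    m = CAND_RE.search(candidate)
    if m is None:
        return None
    addr, typ = m["address"], m["type"]
    if addr.endswith(".local"):
        return ("mdns", addr, typ)          # browser hid the LAN IP behind an mDNS name
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ("unknown", addr, typ)
    if ip.is_loopback:
        return ("loopback", addr, typ)
    if is_lan(ip):
        return ("private-ip", addr, typ)    # the leak the WebRTC item warns about
    return ("public-ip", addr, typ)         # srflx/relay: the address the outside sees


def summarize(lines):
    """Aggregate classifications; exposes_lan_ip is the headline result."""
    report = {"exposes_lan_ip": False, "public_ips": set(), "candidates": []}
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        report["candidates"].append(c)
        if c[0] == "private-ip":
            report["exposes_lan_ip"] = True
        elif c[0] == "public-ip":
            report["public_ips"].add(c[1])
    return report


if __name__ == "__main__":
    r = summarize(CANDIDATES)
    for cat, addr, typ in r["candidates"]:
        print(f"{cat:11} {typ:6} {addr}")
    print("LAN IP exposed:", r["exposes_lan_ip"], "| public IPs seen:", sorted(r["public_ips"]))
```

A `private-ip` host candidate means the browser is handing pages a LAN address, while a `.local` entry means it is masking that address with an mDNS name; a `public-ip` entry that is not your VPN exit shows the VPN is being bypassed for WebRTC.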

Windows users should definitely consider using and learning how to use the Advanced Tor Router application, which offers a diverse set of unique privacy-enhancing and privacy-preserving features while utilizing the Tor network, providing a free solution for end users interested in protecting their Web browsing activities, including possible network-wide Tor adoption on a per-OS and per-application basis. What does this application have to offer in terms of unique privacy-preserving features?

Basically, it offers a variety of unique and never previously presented or discussed Tor-network and end-point privacy-enhancing or privacy-preserving features, ensuring that the end user remains protected from sophisticated network-based and client-based attack campaigns aiming to identify and expose their identity. What’s worth emphasizing about the application is its unique set of privacy-preserving client-side features, providing a privacy-oriented and secure browsing experience.

  • Cryptohippie — Among the most popular and sophisticated vendors, which I’ve been using for several years, is the Closed-Network Group offering courtesy of the Cryptohippie network, which offers some of the most sophisticated privacy-conscious protection on the market in terms of privacy-enhancing technologies in the context of a commercial VPN (Virtual Private Network) provider. What the provider basically does is offer a pretty decent and sophisticated commercial VPN service whose features perfectly match today’s modern environment in terms of OPSEC (Operational Security).
Sample Managed and Corporate Closed-Network Communication Router Courtesy of Cryptohippie Inc.
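For the ARP-spoofing concern raised in the personal host-based firewall item above, an added example that is not from the original article: it compares two `ip neigh show` snapshots (constructed here) and alerts when the gateway’s MAC address changes or when one MAC is claimed by several IPs, the two symptoms an anti-ARP-spoofing tool looks for.

```python
"""Spot ARP-table changes that suggest ARP spoofing on the local network.

Added example, not from the original article.  The two snapshots are constructed
to look like `ip neigh show` output on Linux; for live use replace them with
subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout.
"""
import re

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
"""
# Later snapshot: the gateway now resolves to the MAC of 192.168.1.50.
AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.77 dev wlan0  FAILED
"""


def parse_neigh(text):
    """Map IP -> lowercase MAC; entries without a lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def diff_macs(before, after, watch):
    """Return (ip, old_mac, new_mac) for watched IPs whose MAC changed between snapshots."""
    alerts = []
    for ip in watch:
        old, new = before.get(ip), after.get(ip)
        if old and new and old != new:
            alerts.append((ip, old, new))
    return alerts


def duplicates(table):
    """MACs claimed by more than one IP.  A router's IPv4 and IPv6 entries legitimately
    share a MAC, so treat a hit as a prompt to look, not as proof of spoofing."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    old, new = parse_neigh(BEFORE), parse_neigh(AFTER)
    for ip, was, now in diff_macs(old, new, ["192.168.1.1"]):
        print(f"ALERT: {ip} moved from {was} to {now}")
    for mac, ips in duplicates(new).items():
        print(f"NOTE: {mac} is claimed by {', '.join(ips)}")
```

Run it from a periodic job with the gateway in the watch list; a static ARP entry for the gateway is the usual mitigation once a change is confirmed.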

In conclusion, stay tuned for an upcoming set of research analyses on some of the most prolific U.S. Intelligence Community and GCHQ cyber intelligence and cyber surveillance programs, to be covered on my Medium account on a daily basis starting today and continuing until a proper and structured response is offered to the majority of my readers regarding the most prolific U.S. Intelligence Community and GCHQ cyber surveillance programs currently in large-scale use and how to protect against them, in terms of preserving your personal and your organization’s Intellectual Property (IP) and technical “know-how” and preventing large-scale and targeted cyber espionage campaigns and techniques.

Dancho Danchev

Written by

The World’s Leading Expert in the field of Cybercrime Research and Threat Intelligence Gathering — https://ddanchev.blogspot.com
