More on the Bomb Threats


It may be that we’re looking at some “parallel construction” [wikipedia] here; this sounds a bit dodgy.

To some of my earlier comments about ‘tradecraft’ – if you’re interested in how good the retro-scope is: you definitely want to read this. [dailybeast]

The suspect arrested Thursday for a wave of bomb threats against Jewish Community Centers in the United States employed an array of technologies, including  Bitcoin and Google Voice, to make himself virtually untraceable for months, The Daily Beast has learned. But in the end, it only took one careless slip-up to lead police to his door.

So: bitcoin to pay for services such as proxies, to make it harder to backtrack the proxy user account. The suspect clearly expected that law enforcement would peel back the first layer or so of his protections, and would start chaining together his access with warrants.

My guess would be that the FBI showed up at SpoofCard with a warrant, got the information about the proxy service that was connecting to them (Google Voice), then didn’t even need Google: they immediately looked for connections into/out of the SpoofCard service during that time, and probably got a back-reference to a cluster of networks in Israel. Having Google’s logs would be a plus, of course. One thing a lot of people that are trying to hide don’t expect is that tools like Palantir are specifically designed to time-synchronize events: a connection from here happens to there which then connects to another place. Then, the connections drop – again, in sequence. Defeating that is difficult but not impossible: if you’re going to do something very naughty, like this guy was doing, think about how to make it asynchronous. I’ll leave that as an exercise for the advanced student.

The FBI traced the phone calls back to a service called SpoofCard that allows users to mask their caller ID, so their phone calls can appear to come from any number they choose.

The FBI sent a subpoena to the company that runs the service, New Jersey-based TelTech, in the hope of obtaining the caller’s real number. But that phone number turned out to be a disposable Google Voice line established under an alias.

The server logs from both TelTech and Google weren’t much more helpful. They showed that  the suspect routed his Internet connection through anonymous proxy servers overseas. Even the caller’s voice was anonymous—he used Spoofcard’s voice-changing option to make himself sound like a voice synthesizer imitating a woman. And rather than use a traceable credit card or PayPal, the perpetrator paid for his Spoofcard in Bitcoin—another dead end.

So far, so good. Then:

But in his rush to reach as many Jewish institutions as possible, the original bomb hoaxer grew careless. On at least one occasion, he neglected to route his Internet connection through a proxy server, leaving behind a real IP address in the server logs. The address was in Israel, where police traced it to a WiFi access point that Kaydar was allegedly accessing through a giant antenna pointed out a window in his home.

I find that a bit odd. After setting all that up, then he made a basic newbie mistake? That sounds sort of like the Silk Road bust: here’s this guy with pretty good tradecraft who suddenly embeds the critical IP address in a file and leaves it on an open area in a server. So this guy was using layered proxies and bitcoin payments to mask his identity and then used an open WiFi from his home? That reeks of parallel construction. Anyone who knows enough to go to the lengths that he did, knows that once you’re localized down to a WiFi access point, your location is known (unless you’re travelling to the access point, in which case it’s a matter of time before they pull surveillance cameras in that known time-frame, and then they have your picture!).

Anyhow, it’s an interesting story because it says a lot about the capabilities of the various intelligence agencies. Reading between the lines, it sounds like what happened was a time-chart of connections was produced, then it took a couple days to scrub that against various databases and the originating geography of the threats jumped out. From there it was probably a matter of confirming the connections locally with a few of the providers involved. If you don’t think that Israel is keeping traces of connections into/out of their internet space, or that the NSA isn’t also, you ought to rethink that view based on this incident.

I’m glad they caught him. He sounds like he’s going to experience some tough times and if he really has got mental health issues, his misfortune is about to be compounded.

Comments

  1. Pierce R. Butler says

    … think about how to make it asynchronous.

    First step – route it through the FtBlogs comment system, which seems always several (not a consistent interval, though) minutes ahead of official time.

    F’rinstance, I will post this comment at 8:40 Eastern Standard Time.

  2. AndrewD says

    Pierce @1 This comment system always shows the wrong time! Oh I am in the UK of course…

  3. Brian English says

    if you’re going to do something very naughty, like this guy was doing, think about how to make it asynchronous. I’ll leave that as an exercise for the advanced student.

    Problem hasn’t been sufficiently defined. Asynchronous means untimed. But in what way? What does Palantir expect and so, what needs to be done to bypass it?
    I can write a bit of javascript to download some html when a button is clicked and the page still is useable. That’s one definition of asynchronous.
    I can start a few threads waiting on resources, and have callbacks to handle them. That’s asynchronous.
    It’s beyond my ken to have the server I’m yet to connect to initiate the connection to a third site I want to connet to and not involve me. Which seems to be what you ask of the advanced student.
    I’ll be in the dunce corner.

  4. Brian English says

    OK, I’ve relaxed the problem constraints.
    1. I befriend Cockatoos, very intelligent birds, to carry a message. (this is somewhat true, I feed wild cockatoos, 4 species, ever day, but I wouldn’t call the fucker who bites me on the foot as if I’m a pinata, and the rest who deforest our lovely gum tree, friendly).
    2. Cockatoo(s) take a message to another location with address of diamonds or other valuable merchandise for payment and instructions to do X at time Y. (This is really unlikely, little pricks just eat food, denude trees, bite feet, and generally shit all over the place, but they are cute – I’d ask the Kangaroos, who consume the water we leave for them, but seriously, extant marsupials haven’t got past cute, except Wombats, who just do angry digger, which isn’t much help).
    3. Assuming the NSA doesn’t have surveilance birds of prey, the message is sent. Thinking Wedge-tailed Eagle, or Osprey, those Cockatoos aren’t small. (I’m just not sure how to set up the orignal system: ‘Hey, I’ll send a Cockatoo with instructions, please hack site Y’, without giving the game away.)
    4. I await for return Cockatoo, with acceptable package loss for said Eagles and Hillbillys.
    5. Profit!!!!

  5. Brian English says

    * Tasmanian Devil’s are extant marsupials and do angry scavenger. Still not use for our purposes.

  6. says

    Brian English@#3:
    Problem hasn’t been sufficiently defined. Asynchronous means untimed. But in what way? What does Palantir expect and so, what needs to be done to bypass it?

    One of the things it can do is search its knowledge-space for approximately sequential events. So, for example, sending a threatening email via google using a proxy could be searched as proxy->google->message drop and it would not present the analyst with event chains that were just google->message — a tremendous reduction in search space. The sequence/time definitions can be jiggered. So, depending on what you’re thinking of doing, you’d want to really mess with the time lag (because it’s pretty much impossible to go back in time) of events. That means planning on a longer time-horizon than they are likely to expect. So, for example, you might (if you’re in the habit of sending prank emails) have a process set up that would send one of a dozen stock messages from a server that you compromised a long time ago, and upon which is installed a process that checks for a specific structure of an ad on craigslist, which tells it which message to send to whom; it then waits a couple days, deletes all of itself except the injector, then sends the message and blows itself away. You want to think in terms of techniques that have high transaction volumes (lots and lots of people and places read craigslist ads) – that sort of thing. Other possibilities would be to have something listening that took its orders from cryptographically signed stegatexts embedded in a social media picture stream that is ‘shared’ onto a certain account, or embed your command/control in an IRC bot or a bot logged into an online game, or, or, … The main thing you want to do is make it harder to establish that linear and simple time-sequence, which mostly means building multi-day delays in some of the steps.

  7. says

    Pierce R. Butler:
    First step – route it through the FtBlogs comment system, which seems always several (not a consistent interval, though) minutes ahead of official time.

    I have long suspected that some of the commentariat at some blogs, are command/control bots for botnets.

  8. says

    Brian English@#4:
    Thinking Wedge-tailed Eagle, or Osprey, those Cockatoos aren’t small.

    Use an F-35!

    Oh, no, wait, got my threads mixed up.

  9. Dunc says

    I find that a bit odd. After setting all that up, then he made a basic newbie mistake?

    People are not machines – they get careless and make stupid mistakes.

    Back when I was into climbing, I heard that amongst experienced mountaineers and big wall climbers who die on the mountains, more of them die descending than ascending, and that the single most common mistake was forgetting to tie off the end of a descent rope and then abseiling straight off the end of it. I dunno how true that is, but it makes sense – you relax because you’re doing something simple that you’ve done so many times that it’s basically automatic, and which should be perfectly safe provided you don’t make any stupid mistakes, and then one time in a thousand you make a really stupid mistake and die.

    I’d also not be too certain that this guy “expected that law enforcement would peel back the first layer or so of his protections”. A lot of these types are basically LARPers – they enjoy the thrill of playing secret agent, but they don’t really expect the opposition to actually show up and take it seriously.