by Unknown
158
Advanced Criminal Investigations and Intelligence Operations
In a presentation, he set up his own cellular base station and was able to message all the iPhones in the room, asking them to join his new network.
Had the iPhones’ users accepted his invitation, Weinmann would have been
able to inject a firmware update into the chips used to run the basic radio signals (baseband) in and out of the phones. That firmware would have switched on the phones’ autoanswer feature, which would have let Weinmann silently dial into the phone and remotely listen to anything nearby.
It’s not just iPhones that are vulnerable. Most phones, smart or not, running on the AT&T Wireless or T-Mobile networks in the United States are vulnerable, as are most European mobile phones. The Global System for
Mobile Communications (GSM) standard that governed second-generation
(2G) communications on those networks is more than 20 years old and wasn’t designed to guard against base station attacks. Third-generation (3G) signals are unaffected, but almost all 3G mobile phones automatically drop down
into 2G mode when 3G is not available. Anyone carrying it out this type of hack must set up a cellular base station and know the technical workings of the various baseband chips used in mobile phones. Open-source software has reduced the cost of setting up a fully working base station to less than $2000, putting the hack within the budget of anyone who really wanted to eavesdrop.
Cell Phone Data Retrieval
There are GPS data (if the phone is GPS capable), photographs and videos, text messages, phone logs, notes, and websites that were visited. Everything the cell phone does is tracked and logged somewhere. Cel ebrite has developed a Mobile Forensics and Data Transfer System, called the Universal Forensics Extraction Device (UFED), which extracts all the information from a cell
phone to aid in investigations. There is a mobile unit that can be used in the field, but there is also a device that is in a Pelican case that is a little less mobile but has the ability to charge the phone just in case the battery of the phone you are holding for evidence is dead. The Cellebrite device hooks up to cellular telephones to extract information, including call history logs, text messages, contact information, and photographs. It works on 3000 phone
models and can even defeat password protections. Once the information
is extracted from the cellular phone, the Cellebrite creates an easy-to-read report, which investigators can add to their reports.
Visual malware, for example, PlaceRaider, allows someone to view a smartphone camera remotely. Sur Tec’s APParition is a smartphone application that allows an undercover officer to stream high-quality audio and at the same time to provide global positioning (GPS) locating. The application called Casper and the monitoring component called the Fog are not limited by distance.
Emanations Intelligence
159
The proliferation of new technology has made getting a quick wiretap
more difficult. Facebook, Twitter, MySpace, BlackBerrys, Android, iPhones, iPads, and other mobile devices have diminished law enforcement’s ability to tap. The Justice Department calls this phenomenon going dark. Criminals can now communicate using wireless devices and anonymous avatars. For example, in 2009, a pimp used a social networking site to entice children into prostitution. Although there was enough evidence to obtain a wiretap, one was not obtained because there were no means to conducting electronic surveillance of the particular website. While wiretaps are still useful, the advancement in technology is exceeding developments in electronic surveillance.
IMSI Catchers and Cell-Site Simulators: The StingRay
Computers are not the only electronic devices that emanate signals that can be exploited into intelligence data. International Mobile Subscriber Identity (IMSI) catchers are tools being used in Europe and the United States. They are advanced pieces of hardware that can be used to send out a signal, trick-ing mobile phones into thinking they are part of a legitimate mobile phone network. Cel -site simulators are a sophisticated surveillance system to scoop up data from cell phones and other wireless devices to track suspects.
The IMSI is used to identify the user of a cellular network and is a unique identification associated with all cellular networks. It is stored as a 64-bit field and is sent by the phone to the network. It is also used for acquiring other details of the mobile in the home location register (HLR) or is locally copied in the visitor location register (VLR). To prevent identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly generated Temporary Mobile Subscriber Identity (TMSI) is sent
instead.
The TMSI is the identity that is most commonly sent between the mobile
and the network. TMSI is randomly assigned by the VLR to every mobile in
the area the moment it is switched on. The number is local to a location area, so it has to be updated each time the mobile moves to a new geographical
area. The network can also change the TMSI of the mobile at any time and
normally does so to avoid the subscriber from being identified and tracked by eavesdroppers on the radio interface. This makes it difficult to trace which mobile is which, except briefly, when the mobile is just switched on or when the data in the mobile become invalid for one reason or another. At that
point, the global IMSI must be sent to the network.
IMSI catchers, such as the one purchased by the London Metropolitan
Police, allow authorities to shut off targeted phones remotely and gather data about thousands of users in a specific area. They can force phones to release their unique IMSI and IMEI identity codes, which can then be used to track a
160
Advanced Criminal Investigations and Intelligence Operations
person’s movements in real time. They can be slipped into a suitcase and used almost anywhere to spy on mobile phone communications. IMSI catchers
are high-tech portable devices used by law enforcement agencies across the world to secretly intercept conversations and text messages.
Meganet is a vendor of these devices and they are based out of Washington, DC. They have several government contracts including the DoD and NSA.
There are also several websites that give detailed instructions on how to make your own IMSI catcher. But you can buy units from China-based websites for around $1700–$2000.
The device, known as a StingRay, simulates a cell phone tower and enables agents to collect the serial numbers of individual cell phones and then locate them. The Justice Department has generally maintained that a
warrant based on probable cause is not needed to use a cel -site simulator because the government is not employing them to intercept conversations,
but some judges around the country have disagreed and have insisted investigators first obtain a warrant.
Geotagging
A photo taken by a smartphone contains an image embedded with metadata that reveals the exact geographical location where the photo was taken. So by simply taking and posting a photo on the Internet, one may reveal the exact location where the photo was taken, such as one’s home, place of employment, school, or other location. Data usually consist of latitude and longitude coordinates but can also include altitude, bearing, distance, accuracy data, and place names (see Figure 9.1).
Because iPhones embed geodata into photos that users upload to
Flickr, Picasa, or similar web pages, iPhone shots can be automatically
placed on a map. A map search can then be conducted. Clicking through
the user’s photo stream and adjusting the settings to view only those of
interest on the map may reveal a cluster of images in one location. This
may give clues as to the exact location of a home, place of employment, or other important target location. With advancements in technology, such
as enhanced GPS capabilities and smartphones with built-in GPS, emana-
> tion of geodata becomes both a source of intelligence and a challenge to
privacy and security.
Geotagging is the process of adding geographical identification to pho-
tographs, video, websites, and SMS messages. It is the virtual addition of a 10-digit grid coordinate to everything you post on the Internet. Geotags are automatically embedded in pictures taken with smartphones. When loaded
to the Internet, they have been geotagged. Photos posted to photo sharing sites like Foursquare, Facebook, Twitter, Flickr, and Picasa can also be tagged
Emanations Intelligence
161
Figure 9.1 Disabling geotagging functions.
with the location, but it is not an automatic function. Foursquare currently has iPhone, Android, webOS, Windows Phone 7, and BlackBerry applications.
Facebook Places is similar to Foursquare in that it gives an individual’s location when users post information using a mobile application. This feature is available when using the Facebook application for iPhone, touch.facebook.com, and Android. This function is automatically active on Facebook
accounts until disabled (http:/ www.facebook.com/places/). Most location-
based social networks have checking in applications at various locations to “earn points, badges, and discounts” and other geo-related awards. The popularity of these network applications has changed the way our emerging digital culture must view intelligence, security, and privacy.
Gowalla is another location-based social network with functions similar
to Foursquare and Facebook Places. Users can build a passport that includes a collection of stamps from the places users have been. Gowalla users can also post photos and submit tips at various locations (http:/ gowalla.com/).
SCVNGR is a location-based social network with a checking in application that allows companies, educational institutions, and organizations to build chal enges inside the platform. Users are encouraged to complete the challenges in order to earn points, badges, or real-life discounts and coupons (http:/ www.scvngr.com/).
Formats like the JPEG format allow for geographical information to be
embedded within the image and then read by picture viewers. This shows the
162
Advanced Criminal Investigations and Intelligence Operations
exact location where a picture was taken. Most modern digital cameras do
not automatically add geolocation metadata to pictures, but that is not always the case. Camera users should check their camera’s operating manual and
determine how to turn off GPS functions.
Even if a camera does not have a GPS function, a photo can be tagged with a location and added to photo sharing sites. A simple search for “Afghanistan”
on Flickr reveals thousands of location-tagged photographs that have been uploaded. Tagging photos with an exact location on the Internet makes it
possible to track locations and correlate it with other information to give valuable intelligence on classified areas of operation or the location of particular individuals of interest. These dangers can be avoided by removing geotags with a metadata removal tool for photos before publishing them on the Internet.
By tracking movements and aggregating information, where someone
lives, works, or otherwise frequents, can be revealed. Services, like MotionX
and other location-based social network applications, allow tracking user movements and establishing patterns. When watched long enough, a pattern
emerges of when and where to find a targeted individual. A geotag readout for a photo might look like the following:
GPS Latitude
: 57 deg 38’ 56.83” N
GPS Longitude
: 10 deg 24’ 26.79” E
GPS Position
: 57 deg 38’ 56.83” N, 10 deg 24’ 26.79” E
or the same coordinates could also be presented as decimal degrees:
GPS Latitude
: 57.64911
GPS Longitude
: 10.40744
GPS Position
: 57.64911 10.40744
Metadata removal tools or a metadata scrubber is a privacy software designed to protect the privacy by removing privacy-compromising metadata from
files before they are shared (e.g., by sending them as e-mail attachments or by posting them on the web). Metadata can be found in audio files, documents, images, presentations, and spreadsheets. Metadata can include information such as the file’s author, file creation and modification dates, document revision history, and comments. Since metadata is not visible or clearly obvious in applications, there is a risk that the author will be unaware of its existence or will simply forget about it. If the file is shared, private or confidential information may inadvertently be exposed to intelligence collection. Metadata
removal tools minimize the risk of such data emanations.
There are four groups or types of metadata removal tools: (1) inte-
gral metadata removal tools, which are included in some applications, like the Document Inspector in Microsoft Office 2007; (2) batch metadata
Emanations Intelligence
163
removal tools, which can process multiple files; (3) e-mail client add-ins, which are designed to remove metadata from e-mail attachments just before they are sent; and (4) server-based systems, which are designed to automatically remove metadata at the network gateway.
Barcode Scanners and Magnetic Stripe Reader/Programmer
A barcode reader (or barcode scanner) is an electronic device for reading printed barcodes. It consists of a light source, a lens, and a light sensor translating optical impulses into electrical ones. Most barcode readers
contain decoder circuitry to analyze the barcode’s image data provided by the sensor and send the barcode’s content to the scanner’s output port (see Figure 9.2).
A magnetic stripe reader or magstripe reader reads information encoded in the magnetic stripe on the back of a plastic badges and cards. Since the 1970s, magnetic stripe readers have been used for access control and transaction processing, such as ATM and credit cards. Magnetic stripe readers can read data using a computer program through a serial port, USB connection, or a keyboard wedge. Insertion readers require that the badge be inserted into the reader and then pulled out. Swipe readers require that the badge pass completely through the reader. The magnetic stripe on the back of a card
is composed of a bar magnet of iron-based magnetic particles encased in
plastic-like tape (see Figures 9.3 and 9.4).
Polygon mirror
Laser diode
Motor
Light-receiving element
(photodiode)
Figure 9.2 Barcode readers.
164
Advanced Criminal Investigations and Intelligence Operations
Figure 9.3 Logic controls MR 3010U, magnetic card reader, USB, external (left), and Unitec MS240, magnetic card reader, USB (right).
Figure 9.4 Blank USB MSR605 MSR206 magnetic stripe card reader writer encoder + 20PCS card offer a reading and writing solution of high- and/or low-coercivity cards.
When the bar magnets are polarized in the same direction, the mag-
netic stripe is blank. Information is written on the stripe by magnetizing the bars in either a north or south pole direction with an electromagnetic writer, called an encoder. The writing process, called flux reversal, causes a change in the magnetic field that can be detected by the magnetic stripe reader, much like the binary system used by computers. The magnetic stripe reader reads the information by detecting the changes in the magnetic field caused by the flux reversals on the card’s magnetic stripe.
Emanations Intelligence
165
Smart cards are a newer generation of card containing an integrated circuit chip. The card may have metal contacts connecting the card physically to the reader, while contactless cards use a magnetic field or RFID for proximity reading. Hybrid
smart cards include a magnetic stripe in addition to the chip, so the cards are also compatible with payment terminals that do not include a smart card reader. Cards with all three features, magnetic stripe, smart card chip, and RFID chip, are also becoming common as more activities require the use of such cards.
Stripe Snoop is a suite of commercially available research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripe cards. The data are captured through different hardware interfaces (or stdin), the contents are decoded into the correct character set, and a CDDB-like database attempts to figure out what the contents mean.
Magstripe Forgery and Skimming
Magstripes have become a favorite tool of identity thieves. By altering the magstripes of authentic bank gift cards, the suspect bypasses the difficult and risky step of fabricating fake credit cards. Instead of having to make fake cards, data harvesters can load up bank gift cards with stolen data obtained from people online and use them like cash. Identity thieves have to defeat a security code on the magstripe, as well as automated systems that watch for and alert the credit-issuing bank to suspicious transactions. Every Visa transaction that goes through their network, for example, is rated for fraud potential in real time. Data hacked from retail sources, in the hands of data harvesters, identity thieves, and forgers, are embedded into the magstripes of counterfeited credit cards.
Gift cards issued by Visa, MasterCard, and American Express have
emerged as attractive fraud targets because they are widely available and can be used in more places than merchant gift cards. Acquiring a bank gift card is easy at grocery stores or by ordering online. Thousands of banks, credit unions, supermarkets, drugstores, and convenience stores offer them; they can be picked up at a checkout line or ordered from online banking websites or sites such as iCardGiftCard.com and work at millions of restaurants and shops, using exactly the same magstripe-driven payment system used for credit and debit card transactions.
Bank gift cards are flat, with no embossed numerals and no individual’s
name anywhere on the card. No proof of identity is required to use them.
Altering the magstripe to convert a bank gift card into a credit card is a way to convert low-value cards into high-value ones. It takes thousands of dollars of equipment to create counterfeit credit cards from scratch, but a generic Visa gift card, with an altered magstripe, no name on it, and no way to trace