Here's what bugging your own office NSA-style can reveal

Filed Under: Apple, Featured, Google, Privacy

Eavesdropping. Image courtesy of Shutterstock. In the past year many have grown increasingly incensed at news regarding pervasive surveillance.

Then again, many have yawned.

For those who remain unconvinced that National Security Agency (NSA)-style blanket surveillance might uncover anything that could come back to haunt them, Project Eavesdrop will hopefully be an eye-opener.

That's the code name for a project designed by the US's National Public Radio (NPR) news agency to find out just what, exactly, the NSA could see about a person if it cared to look.

The answer: a lot.

To get to that answer, Steve Henn, a reporter for NPR, had his office bugged.

NPR worked with Sean Gallagher, a reporter at Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, to have the internet traffic coming into and out of his home office in California, tapped.

They set up the tap so as to mimic the broad, passive surveillance of internet traffic that's done by NSA systems, and they let it run for a week.

The main systems devoted to that task of broad surveillance at the NSA are the Turbulence network monitoring system, which skims traffic off the internet’s fiber-optic backbone, and XKeyscore, an analytics database that processes the captured traffic, allowing NSA analysts to search emails, online chats and browsing histories of millions of individuals as they hunt for specific strings of text or patterns in data (email addresses, phone numbers, file attachments).

To achieve a miniaturized version of that, Gallagher went to Henn's home office and plugged in PwnPlug R2 - a little box that looks like a small Wi-Fi access point or router but is actually a penetration-testing piece of hardware designed by Pwnie Express and loaned to the team for the project.

That little, wireless box's job was to basically capture all the data flowing to and from Henn's computer and mobile phone, then to automatically sift and analyse the traffic.

Henn didn't think he was working on anything particularly interesting or worth analysing.

There were no off-the-record sources to protect. Nor did the team have access to NPR's systems; rather, they could only eavesdrop on Henn's equipment as it chirped, peeped and chatted with the internet.

Not interesting? Boy, did his equipment chirp, peep and chat.

He wasn't even touching his iPhone, which was just sitting on his desk.

But as soon as he and Gallagher plugged in the PwnPlug R2 router and the iPhone connected to the network, "a torrent" of data began to wash over the line, Henn writes.

Porcello, monitoring the traffic from his office in Vermont, was startled by the phone's silent but perky activities.

Gallagher quotes Porcello as he ran down what he was capturing from the phone:

Whoa. Yep, there’s Yahoo, NPR... there’s an HTTP request to Google... the phone is checking for an update. Wow, there’s a lot of stuff going on here. It's just thousands and thousands of pages of stuff... Are you sure you’re not opening any apps?

Henn didn't have to touch his iPhone in order for it to be alive and spilling information.

It turned out that the phone was running a slew of apps in the background: Mail, Notes, Safari, Maps, Calendar, Messages, Twitter, and Facebook - all of which were connecting to the internet.

Within just a few minutes of tapping Henn's phone, the NSA wannabes were able to paint a surprisingly intimate portrait of the reporter, thanks in large part to the websites he had left open in the Safari web browser.

They saw, for example, what movies he was checking out for his kids, a weather report, and his work-related research, as reflected in his Google searches.

Henn quotes Porcello's colleague, Oliver Weis:

People are walking around every day with these mobile computers in their pockets, and they have no idea what they are sending to the world.

First, the team simply sat back and watched Henn’s normal internet traffic. Then, they turned their tools to specific traffic created by leading web applications and services.

Once the actual eavesdropping really got under way, encryption kept some of Henn's data from getting intercepted: corporate emails, Voice over IP phone (VoIP) calls, and other official communications.

That, by the way, is what should happen: encryption should be shielding our communications from interception. It should happen far more than it now does.

That's why the recent Reset the Net day focused on using, demanding and improving encryption.

Unfortunately, encryption didn't keep everything Henn did from seeping out where Project Eavesdrop could find it.

The team found that many popular internet services' implementations of encryption don't completely thwart eavesdropping.

One example: even though Google now encrypts searches by default, its PREF cookies, which track user identity separately from Google logins, leak data about users, given that they contain numeric codes that uniquely identify people's browsers.

Gallagher points to The Washington Post's coverage of how the NSA uses these unencrypted cookies, piggybacking on Google's tracking of consumers to better target advertising, to pinpoint targets for its own tracking purposes as well as for offensive hacking.

During the course of eavesdropping week, the Project Eavesdrop team intercepted uncut interview tape, tracked Henn from site to site, scoured sites for email addresses and telephone numbers of interview subjects, and guessed what he was writing about in spite of Google's default search encryption.

That, in fact, is a hint at what the NSA can find out about us through surveillance.

Naked Security often gets comments on stories about surveillance from those who can't see what all the fuss is about.

A few excerpts of one such, from commenter Sizzle, regarding what admittedly seems to be a pretty innocuous data point:

Oh, the NSA can now see the picture of my tortoise that my girlfriend just sent me? I hope they enjoy it as much as I did.

The fact that you're still typing posts on here is either a) you're not a threat and haven't been thrown into a dirty cell b) they really don't care about you. I'd opt for the latter.

A photo of a tortoise: pretty trivial, right?

But as Mark Stockley replied to Sizzle, just because they might not care about you (or your tortoise) *today* doesn't really mean much.

The broader point about pervasive data capture - as well as MAC address tracking by the likes of Nordstrom, Wi-Fi enabled trash cans in London, or Twitter tracking the websites you visit, for example - isn't that everyone is being actively watched by interested agents but that data is being recorded and stored, possibly forever.

(Of course, that data can also be used by outfits that profit off its sale, such as Facebook, Google, data brokers, data-stealing botnets found in data brokers' servers, etc.)

Maybe the entities collecting all this data are playing safely and honourably with it now, but we can't predict what will happen in the future, which could entail:

  • Getting taken over by overlords that have different privacy policies and business models (case in point: Moves, the fitness app that changed its privacy policy within 11 days of getting acquired by Facebook);
  • Selling the data to someone else;
  • Losing the data to someone else; or
  • Aggregating apparently innocuous or anonymous data into some form that is neither.

There are too many organisations that are profiting from our data for us to shrug off surveillance, be it targeted on our buying habits, our locations, those with whom we communicate, or our tortoises.

If you didn't tune in to Reset the Net on its official 5 June launch, you can still check out its Privacy Pack - a list of everyday software that uses encryption - along with its ways to turn on encryption you already have.

Like the Reset the Net motto says,

Don't ask for your privacy. Take it back.

Image of eavesdropping courtesy of Shutterstock.

, , , , , , ,

You might like

16 Responses to Here's what bugging your own office NSA-style can reveal

  1. Suzanne · 134 days ago

    I found the Reset the Net info on encryption complicated enough that iI didn't implement it. If it's not straightforward and simple, people won't use it. But this article definitely makes me think twice. On the bright side, I have a stupid phone, 20th century tech at its finest, so at least I'm not leaking data from that particular source.

    • My girlfriend has a brand new 99$ android touch screen phone with all the fixings.

      and a 20$ voice only plan. Data is not available.
      I borrowed it for five minutes, went into the settings, and turned off all data completely , just to make sure there would be no surprises on her bill.

      Guess that means NSA isn't getting much out of her, at least not through the phone.

      • Sammie · 133 days ago

        What about wifi? Am pretty sure she would enable it be on FB or whatsapp sometime. There are plenty of open/ rogue wifi hotspots to keep you awake at night.

  2. "Don't ask for your privacy. Take it back."
    I agree with the sentiment , but in an age where NSA cracks encryption like children eating candy , I am unconvinced encryption is the solution.

    Keep trying though , keep trying. We'll find something.

    • If the NSA could crack encryption like candy they wouldn't need to get funky with certificates, hobble RSA, invent PRISM or look for ways to hack Tor. Snowden says strong encryption works and, although I am not a mathematician, I am lead to believe that the maths would concur with that analysis.

  3. Badrajith · 134 days ago

    Do you think we're also vulnerable (for any reason) though living in Sri Lanka, outside US law (for NSA)? Just curious to know because I don't have a clear idea about what they really doing?
    Also, do you think that Comodo's free email certificate is unsecure because no one talks about it?

    • All attempts to reform the NSA are directed only at USA citizens living inside the USA. If you are outside the USA , youre delicate little behind is hanging in the breeze, the NSA feels it can do anything, anything at all , to you, with no restrictions at all.

      "Just curious to know because I don't have a clear idea about what they really doing?"

      They're putting bugs in routers being sold outside the USA. They sabataged a "standard encryption" that was used world wide to make it weak and easy to crack . They're passing "secret laws" that not only tell tech companies like microsoft to cooperate with them to the fullest , but microsoft can't tell anyone about these laws. They're "secret".

      Basically , any US item could potentially hold a bug designed for spying on you , especially anything with software, because it's so easy to write one piece of software and distribute a billion copies of it everywhere.

  4. Sammie · 133 days ago

    All these comments makes me wonder what so much people have to hide from the NSA. Unless there is an underground movement to take over the world, which I am unaware of, I still don't get what all the fuss is about. People use social media and post it, which is accessible to pretty much anyone, not just NSA. People use http URLs, give out private information to anyone who asks it, drops their business card into any box which says "Chance to win an iPad", talks to strangers about their vacation plans, pays using credit cards in dodgy shops, reads out their credit card numer over the phone for payments and above all, lets their smartphone (without a PIN) get stolen. Maybe NSA by claiming to be reading all your emails is actually helping you be more aware of your mistakes and helping you change your habits to be more secure even without you actually realising it. Give it a thought and decide for yourself.

    • An understanding of history, you lack it.

      Your answer can be found here --> study the founding of the United States of America and the thoughts of the founding fathers in the creation of this nation and the creation of our constitution.

      It's not us having something to hide that is the issue, it is us controlling our government that is the issue. They are a beast that must not be allowed to run free. THEY must be controlled and we see them running loose doing as they please unchecked using powers they were not granted. That has to be corrected. Government is OUR animal to tell what to do, we are not its subjects.

      • Sammie · 133 days ago

        Lol all the best telling the government what to do. I am sure they beg to differ.

    • nate · 128 days ago

      I don't think most US Americans have so much to hide from the NSA, so long as the NSA remains true to its mission, which involves protecting US Americans.

      Unfortunately, there is plenty of history of US gov't organizations using secretly and illegally collected information for harassment of, for instance, political dissidents. A recent-ish example that few deny is J Edgar Hoover's FBI.

      On the other hand, you don't really need anything close to the amount of information the NSA is collecting to identify political dissidents, and it's hard to imagine any reasonable reformation that would leave the NSA unable to identify domestic dissidents that didn't also declaw the NSA so utterly as to leave it a waste of budget.

      Some of the NSA's techniques (major backdoors, hardware modification, etc) become much more frightening the instant the NSA decides to become more active. Consider the ease with which the NSA could frame someone, if they had the desire to, especially before Snowden's revelations.

      More realistic concerns exist with any large database builder (NSA, Google, Facebook): stalker employees, poor security that exposes our details to crooks (Domino's, recently), and the risk that integration will eventually have our grocery store clerk recommending our favorite variety of porn to us in the presence of our grandparents.

  5. Anonymous · 133 days ago

    I'd like to point out, that at Defcon 21 there was a talk by Brendan O'Connor about his software CreepyDOL which kinda hits on the same weak spots. Furthermore it's designed to visualize user movements.

    • Jim · 133 days ago

      I agree that something needs to be done about governmental eavesdropping. However, the NSA doesn't bother me as much as they used to. Why?

      They managed to allow a contractor pull thousands of documents from "secure" servers inside their infrastructure, at his security clearance level, and also above and below it.

      This is basic intrusion detection. One failed attempt or one or two successful attempts to grab documents outside of his security level should have put up a red flag. The second time a red flag goes up, careful monitoring of the person should have begun. Shortly after that, "legal" should have been involved.

      Thousands of successful thefts? Against what is claimed to be one of the top three security organizations in the world? Something doesn't jive. They're either incompetent, or they wanted the information leaked.

      • Gavin · 129 days ago

        Surely that makes them more scary, not less? We now know that:

        1) The NSA is collecting all the electronic data it possibly can
        2) The NSA failed on one dramatic occasion to protect its assets

        I don't like the sound of that one bit.

        • Jim · 123 days ago

          Not really.

          If they let Snowden get away with it on purpose, then at least some of Snowden's information is misinformation, probably for one or more specific purposes. The remainder would have been considered acceptable to lose in order to gain whatever purpose they desired by allowing release.
          ^ This could be considered scary, but if one accepts that the NSA needs to exist, then it's just part of the package.

          If, on the other hand, they're incompetent, then none of the information Snowden released is trustworthy anyhow.
          ^ This is scary for other reasons.

          There is an outside chance that neither is true. That would require that their internal security is worse than their external security. This is certainly plausible, but I consider it unlikely.

  6. Its amazing what can be done now. Even though some think it's an intrusion, others think it isn't. I suppose they look at it as 'if you have nothing to hide then why be bothered' or at least thats what most think in the UK (so I'm led to believe).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.