EFF, ACLU, and ACLU of Maryland filed an amicus brief today in the Maryland Court of Special Appeals in the first case in the country (that we know of) where a judge has thrown out evidence obtained as a result of using a cell-site simulator without a warrant.
In the case, Baltimore Police used a Hailstorm—a cell-site simulator from the same company that makes Stingrays—to locate Kerron Andrews, the defendant. The police not only failed to get a warrant to use the device, they also failed to disclose it to the judge in their application for a pen register order. And it appears they even failed to tell the State’s attorney prosecuting Mr. Andrews’ case.
Luckily Mr. Andrews’ intrepid defense attorney suspected the police might have used a stingray and sent a discovery request asking specifically if they had. The prosecution stalled for months on answering that request, but, on the eve of trial, one of the investigators responsible for Baltimore PD’s stingrays finally testified in court not only that he’d used the device to find Mr. Andrews, but that he’d specifically not disclosed it in any report filed about Andrews’ arrest. The judge concluded the police had intentionally withheld information from Mr. Andrews—a clear violation of his constitutional rights.
This August, another Baltimore judge granted the defense’s request to suppress all evidence the police were able to get as a direct result of using the stingray. The judge held the use of the device without a warrant violated Andrews’ Fourth Amendment right to be free from unlawful searches and seizures. Unsurprisingly, the government appealed.
Cell-site simulators, also commonly known as IMSI catchers or stingrays, masquerade as legitimate cell phone towers, tricking phones nearby into connecting to the device instead of the tower operated by the phone company. This allows police to log the identifying numbers of mobile phones in the area and to pinpoint their locations. Police often use cell-site simulators when they are trying to find a suspect and know his phone’s identifying information.
As we learned from USA Today, the Baltimore PD has been using cell-site simulators extensively (and secretly) for at least the last eight years. A detective testified that Baltimore officers had used cell-site simulators more than 4,300 times since 2007. Like other law enforcement agencies around the country, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). And, like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public.
Stingrays are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship—in Mr. Andrews’ case the investigators used the Stingray to pinpoint his location to within a specific apartment. Stingrays can also be configured to capture the content of communications.
This is why it’s imperative that police not only obtain a warrant based on probable cause before using a cell-site simulator but also commit to minimization procedures, including immediately deleting information about all phones not covered by the warrant and limiting the time period during which the device is used. These are not novel or onerous requirements—the Wiretap Actrequires similar procedures. And in fact, both the Department of Justice and the Department of Homeland Security recently committed to following similar procedures whenever their agents use stingrays.
We hope the Maryland Court of Special Appeals will agree that the warrantless use of a stingray is unconstitutional and uphold the lower court ruling suppressing the evidence.
Marissa Mayer made Yahoo’s VPN famous by using it to check on the work habits of her employees. Lost amid today’s VPN conversation, however, is the fact that virtual private networks are much more than just pipelines for connecting remote employees to central work servers.
And that’s a damn shame, because VPNs can be helpful tools for protecting online privacy, and you need not be an office drone to enjoy their benefits.
A VPN, as its name suggests, is just a virtual version of a secure, physical network—a web of computers linked together to share files and other resources. But VPNs connect to the outside world over the Internet, and they can serve to secure general Internet traffic in addition to corporate assets. In fact, the lion’s share of modern VPNs are encrypted, so computers, devices, and other networks that connect to them do so via encrypted tunnels.
Why you want a VPN
You have at least four great reasons to start using a VPN. First, you can use it to connect securely to a remote network via the Internet. Most companies maintain VPNs so that employees can access files, applications, printers, and other resources on the office network without compromising security, but you can also set up your own VPN to safely access your secure home network while you’re on the road.
Second, VPNs are particularly useful for connecting multiple networks together securely. For this reason, most businesses big and small rely on a VPN to share servers and other networked resources among multiple offices or stores across the globe. Even if you don’t have a chain of offices to worry about, you can use the same trick to connect multiple home networks or other networks for personal use.
This diagram illustrates the difference between using an unencrypted connection and using a VPN-secured Internet connection at your average coffee shop.
Third, if you’re concerned about your online privacy, connecting to an encrypted VPN while you’re on a public or untrusted network—such as a Wi-Fi hotspot in a hotel or coffee shop—is a smart, simple security practice. Because the VPN encrypts your Internet traffic, it helps to stymie other people who may be trying to snoop on your browsing via Wi-Fi to capture your passwords.
Fourth and finally, one of the best reasons to use a VPN is to circumvent regional restrictions—known as geoblocking—on certain websites. Journalists and political dissidents use VPNs to get around state-sponsored censorship all the time, but you can also use a VPN for recreational purposes, such as connecting to a British VPN to watch the BBC iPlayer outside the UK. Because your Internet traffic routes through the VPN, it looks as if you’re just another British visitor.
Pick your protocol
When choosing a networking protocol for your VPN, you need worry only about the four most popular ones. Here’s a quick rundown, including the strengths and weaknesses of each.
Point-to-Point Tunneling Protocol (PPTP) is the least secure VPN method, but it’s a great starting point for your first VPN because almost every operating system supports it, including Windows, Mac OS, and even mobile OSs.
Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec) are more secure than PPTP and are almost as widely supported, but they are also more complicated to set up and are susceptible to the same connection issues as PPTP is.
Secure Sockets Layer (SSL) VPN systems provide the same level of security that you trust when you log on to banking sites and other sensitive domains. Most SSL VPNs are referred to as “clientless,” since you don’t need to be running a dedicated VPN client to connect to one of them. They’re my favorite kind of VPN because the connection happens via a Web browser and thus is easier and more reliable to use than PPTP, L2TP, or IPsec.
An SSL VPN server is designed to be accessed via Web browser and creates encrypted channels so that you can safely access the server from anywhere.
OpenVPN is exactly what it sounds like: an open-source VPN system that’s based on SSL code. It’s free and secure, and it doesn’t suffer from connection issues, but using OpenVPN does require you to install a client since Windows, Mac OS X, and mobile devices don’t natively support it.
In short: When in doubt, try to use SSL or OpenVPN. Keep in mind that some of the services highlighted in the next section don’t use these protocols. Instead, they use their own proprietary VPN technology.
Now, let’s talk about how to create and connect to your own VPN. If you want simple remote access to a single computer, consider using the VPN software built into Windows. If you’d like to network multiple computers together quickly through a VPN, consider installing stand-alone VPN server software.
If you need a more reliable and robust arrangement (one that also supports site-to-site connections), consider using a dedicated VPN router. And if you just want to use a VPN to secure your Internet traffic while you’re on public Wi-Fi hotspots and other untrusted networks—or to access regionally restricted sites—consider subscribing to a third-party hosted VPN provider.
Set up a simple VPN with Windows
Windows comes loaded with a VPN client that supports the PPTP and L2TP/IPsec protocols. The setup process is simple: If you’re using Windows 8, just bring up the Search charm, type VPN, and then launch the VPN wizard by clicking Set up a virtual private network (VPN) connection.
You can use this client to connect securely to other Windows computers or to other VPN servers that support the PPTP and L2TP/IPsec protocols—you just need to provide the IP address or domain name of the VPN server to which you want to connect. If you’re connecting to a corporate or commercial VPN, you can contact the administrator to learn the proper IP address. If you’re running your own VPN server via Windows, you can figure out the server’s IP address by typing CMD in the Search charm, launching the Command Prompt, and typing ipconfig. This simple trick comes in handy when you’re setting up your Windows PC as a VPN server, and then connecting to it so that you can securely, remotely access your files from anywhere.
Windows has a built-in VPN client, but you’ll need to provide the connection information (namely, the IP address) for the VPN server you want to use.
Quick note: When setting up incoming PPTP VPN connections in Windows, youmust configure your network router to forward VPN traffic to the Windows computer you want to access remotely. You can do this by logging in to the router’s control panel—consult the manufacturer’s instructions on how to do this—and configuring the port-forwarding or virtual-server settings to forward port 1723 to the IP address of the computer you wish to access. In addition, PPTP or VPN pass-through options need to be enabled in the firewall settings, but usually they’re switched on by default.
If you’re using Windows 7 and you need to connect to a VPN or to accept incoming VPN connections in that OS, check out our guide to setting up a VPN in Windows 7.
Use third-party software to create a VPN server
If you’d like to create a VPN between multiple computers to share files and network resources without having to configure your router or to dedicate a PC to act as the VPN server, consider using third-party VPN software. Comodo Unite, Gbridge, andTeamViewer are all decent, reliable, and (most important) free.
LogMeIn Hamachi is a simple, elegant, and secure VPN client that’s free for up to five users.
You can also use LogMeIn Hamachi for free with five or fewer users, but it’s good enough that if you have more than five PCs you want to link up securely—say, as part of your small-but-growing business—you should consider paying for the full service.
Go whole hog with your own VPN router
If you want to get your hands dirty while providing robust remote access to an entire network, or if you wish to create site-to-site connections, try setting up a router on your network with a VPN server and client. If you’re working on a budget, the cheapest way to set up your own dedicated VPN router is to upload aftermarket firmware that enables VPN functionality, such as DD-WRT or Tomato, to an inexpensive consumer-level router.
The ZyXel USG20W VPN router is a smart investment if you want to set up your own dedicated VPN at home or in the office.
When you’re choosing a VPN router and third-party router firmware, make sure they support the VPN networking protocol you need for your devices. In addition, check the VPN router to verify how many simultaneous VPN users it supports.
Let a third-party VPN provider worry about it
If you merely want VPN access to cloak your Internet traffic while you’re using public Wi-Fi or another untrusted network, or to access regionally restricted sites, the simplest solution is to use a hosted VPN provider. Hotspot Shield is my favorite, as it offers both free and paid VPN services for Windows, Mac, iOS, and Android. HotSpotVPN,StrongVPN, and WiTopia are other paid services we’ve reviewed in the past.
EFFThe Onion Router is an excellent, free utility that anonymizes your Internet activity through a series of servers scattered around the world.
If you want to keep your browsing activity anonymous but can’t spare the cash for a paid VPN, check out the Onion Router, a network of servers that can anonymize your Internet traffic for free. Visit the TOR website and download the latest browser bundle, and then start browsing with the TOR extensions enabled. The software will encrypt your connection to the TOR server before routing your Internet traffic through a randomized series of servers across the globe, slowing your browsing speed but cloaking your online activity from prying eyes.
No matter how you choose to go about it, start using a VPN today. It takes a bit of work up front, but spending the time to get on a VPN is one of the smartest, simplest steps you can take toward making your online activities more secure.
Eric Geier Contributor
Eric Geier is a freelance tech writer as well as the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.
Law-Enforcement Officials Expand Use of Tools Such as Spyware as People Under Investigation ‘Go Dark,’ Evading Wiretaps
By JENNIFER VALENTINO-DEVRIES and DANNY YADRON
Updated Aug. 3, 2013 3:17 p.m. ET
Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.
Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.
People familiar with the Federal Bureau of Investigation’s programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can’t be wiretapped like a phone, is called “going dark” among law enforcement.
The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.’s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.
The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.
The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.
Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer’s camera, according to court documents. The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people.
Since at least 2005, the FBI has been using “web bugs” that can gather a computer’s Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example.
The FBI “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” said a former official in the agency’s cyber division. The tools are used when other surveillance methods won’t work: “When you do, it’s because you don’t have any other choice,” the official said.
Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly.
Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren’t misused. “People should understand that local cops are going to be hacking into surveillance targets,” said Christopher Soghoian, principal technologist at the American Civil Liberties Union. “We should have a debate about that.”
Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance.
A search warrant would be required to get content such as files from a suspect’s computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department’s primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps.
But if the software gathers only communications-routing “metadata”—like Internet protocol addresses or the “to” and “from” lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect’s property, he added.
An official at the Justice Department said it determines what legal authority to seek for such surveillance “on a case-by-case basis.” But the official added that the department’s approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata.
In 2001, the FBI faced criticism from civil-liberties advocates for declining to disclose how it installed a program to record the keystrokes on the computer of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt a document. He was eventually convicted.
A group at the FBI called the Remote Operations Unit takes a leading role in the bureau’s hacking efforts, according to former officials.
Officers often install surveillance tools on computers remotely, using a document or link that loads software when the person clicks or views it. In some cases, the government has secretly gained physical access to suspects’ machines and installed malicious software using a thumb drive, a former U.S. official said.
The bureau has controls to ensure only “relevant data” are scooped up, the person said. A screening team goes through all of the data pulled from the hack to determine what is relevant, then hands off that material to the case team and stops working on the case.
The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said.
Italian company HackingTeam SRL opened a sales office in Annapolis, Md., more than a year ago to target North and South America. HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system. The company declined to disclose its clients or say whether any are in the U.S.
U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed “0 day exploits”—meaning that the software maker doesn’t yet know about the security hole—for software including Microsoft Corp.’s Internet Explorer, those people said. Gamma, which has marketed its products in the U.S., didn’t respond to requests for comment, nor did Microsoft.
Write to Jennifer Valentino-DeVries at Jennifer.Valentino-DeVries@wsj.com and Danny Yadron at danny.yadron@wsj.com
She thought they were a normal couple until she found a passport in a glovebox – and then her world shattered. Now she is finally getting compensation and a police apology for that surreal, state-sponsored deception. But she still lies awake and wonders: did he ever really love me?
The most traumatising time of Lisa Jones’s life began when she agonised for months over the true identity of her boyfriend. They had been together for six years and she loved him “totally, completely, more than anyone”.
“He was the closest person in the world to me,” she says. “The person who knew me better than anybody else. I thought I knew him better than anyone else knew him.” But she had begun to suspect that he was lying about who he really was.
This is the first interview “Lisa”, who wants to retain her anonymity, has given to the media. Only now, five years later, does she feel ready to describe how she has been devastated by the deception. She speaks eloquently, though the pain is still evident. Her boyfriend, Mark, always had a slightly mysterious side to him. In their last few months together his behaviour was, at times, erratic; but at other times, their relationship was blissful.
In what she describes as a “constant see-saw from one state to another”, she oscillated between “desperately, desperately” wanting to believe the story he had told her about himself, and wondering whether he had completely deceived her about a fundamental part of his life.
Reduced to a “very fragile” state, she struggled with her dilemma: “Am I fighting to save this relationship or am I trying to figure out who he is? I am either putting my energies into this relationship or I am investigating him – I can’t do both.”
The truth was not disclosed to her by him. Instead she and her friends found out through their own detective work and a chance discovery.
They established that he was Mark Kennedy, an undercover policeman who had been sent to spy on her circle of activist friends. For seven years, he had adopted a fake persona to infiltrate environmental groups. Their unmasking of him five years ago kickstarted a chain of events that has exposed one of the state’s most deeply concealed secrets.
Back then, the public knew little about a covert operation that had been running since 1968. Only a limited number of senior police officers knew about it. Kennedy was one of more than 100 undercover officers who, over the previous four decades, had transformed themselves into fake campaigners for years at a time, assimilating themselves into political groups and hoovering up information about protests that they had helped to organise.
More than 10 women have discovered that they had relationships with undercover policemen, some lasting years, without being told their true identity.
On Friday it was announced that police had agreed to give a full apology and pay compensation to Lisa and six other women for the trauma they suffered after being deceived into forming intimate relationships with police spies.
Lisa, for her part, welcomed the apology. But it comes more than a decade after Kennedy’s mission began. “No amount of money or ‘sorry’ will make up for the lack of answers about the extent to which I was spied upon in every aspect of my most personal and intimate moments,” she says.
Kennedy first infiltrated a group of environmental campaigners in Nottingham in 2003. The fake persona he chose was that of a long-haired, tattooed professional climber by the name of Mark Stone. Among campaigners, he earned the nickname “Flash” as he always seemed to have a lot of money.
In the autumn of 2003, Lisa met Kennedy when he visited Leeds, where she was living. Then in her early 30s, she had for some years been active in environmental, anti-capitalist, and anti-nuclear campaigns. Her first impressions were that he was “very charming, very friendly and familiar in a way that was quite disarming”.
Mark Kennedy at Glastonbury Festival in 2008, in a picture taken by Lisa Jones
Kennedy had a number of sexual relationships while undercover. The longest was with Lisa. “During his deployment, he spent more time with me than anybody else, and probably more time than everyone else together,” she says. He “slotted very easily” into her group of friends, who went climbing in their spare time. He got to know her family. When her father died, Kennedy was in the mourners’ car with her. “He was the one who held me as I cried through the night, and helped me pick myself up again after that,” Lisa says.
He would go away every few weeks – the longest time was three months – working, but kept in regular contact through phone calls, emails and texts. They went abroad together, sometimes just the two of them, cycling or climbing, and sometimes for protests. Over time, he gained a reputation as a committed environmental activist. But secretly, he was passing back to his police handlers information about the protesters and their political activities.
His covert mission was terminated in October 2009 when he was summoned by his handlers to a meeting at an anonymous truckstop. That month, he disappeared abruptly from his house in Nottingham. In the weeks before his disappearance, he had been agitated and distant with his friends. Lisa recalls: “He had quite an emotional crash, it seems. Some days he would not get out of bed – that was very, very out of character. He was usually quite bright and chirpy, an early riser type, an energetic person, but he was upset quite a lot of the time. I would comfort him. It really felt to me that I was seeing him through a difficult time, and a breakdown. He leant on me very heavily.”
He appeared to be very paranoid. The police had raided his house after he was arrested at a protest, and he said he was worried they were delving into his background and income. He said he needed a break and was going to go to the US to stay with his brother for a while. Lisa says that the day before he flew, he “was behaving very, very strangely”, claiming that he was being followed.
“When he went, I was really, really worried about his sanity. I thought he had properly lost it. I kept saying to him that this looks to me as if you are not coming back. He had sold his car, apparently left his job and half-cleared out his house. The other half I had to do.”
In January 2010, he mysteriously reappeared. What Lisa and the other campaigners did not know at that time was that Kennedy was quitting the police to avoid being assigned to a humdrum desk job. But he had not discarded his fictional persona of “Mark Stone”, and continued to be involved in political campaigns. He has admitted that he was employed by a clandestine private security firm that was paid by commercial firms to monitor protesters.
To Lisa, however, he was “different, volatile, up and down a lot of the time. Obviously he was being much less supervised, much less directed, and I just don’t think he knew what he was doing at that time. He was rudderless. I was still so bruised from him losing his marbles and disappearing that I was in some ways waiting for an explanation, somehow trying to figure out what was going on with him, and whether he was alright.
“I always knew that Mark had a slight air of mystery. I knew there was something that one day he might open up about – something that had happened.”
The key discovery that eventually led to Kennedy’s exposure was made by Lisa when the two of them were on holiday in a van in July 2010.
Kennedy on Holiday in Italy in 2010
“We were having this really blissful holiday in Italy. We were up in the mountains, just the two of us. He had gone off for a cycle ride, and I was looking in the glove box for some sunglasses. I guess that there was maybe a bit of me that was a little unsure about what was going on with him. I was rooting around and I saw his passport.”
The old passport was in the unfamiliar name of Mark Kennedy. But there was something even more chilling in there: “The thing that made my stomach come into my mouth was seeing that he had a child. The character of Mark Stone wasn’t one that would have had a child. That’s such a big thing to have happened, and to have known somebody that long and have them not mention that they had a child, that’s enormous.”
She found a mobile phone that he did not seem to use much, and found emails from two children, calling him dad. “I did not know what to think. I remember feeling that the world was suddenly a really long way away. I just remember that the mountains were pulsating and swimming around me.”
It was the first time she considered that he might be an undercover cop, but quickly dismissed it as something she thought only existed in films. When Kennedy came back from his cycle ride, “I really did not know what to say to him. I was terrified about what the answer would be, and what it would mean. I just did not say anything for about two days. He knew there was something wrong. He was trying to be very nice to me and figure out what was upsetting me. I did not sleep. He slept and I paced. I remember watching the sunrise and being sick.”
She confronted him in a bar on what was his real birthday. She demanded to know about his son. “He visibly crumpled. He said, ‘I can tell you, but not here’, and we went off.”
Back in their van, he recounted a story it seems he had tucked away for years, to be used if his fictional persona was ever challenged. He said he had been a drug runner, that his close associate had been shot in front of him, and that he had promised to look after the dead man’s children, who had come to think Kennedy was their real father.
“I was desperate for an explanation that sounded plausible. Fantastical as it now sounds in the retelling, one of the reasons it seemed plausible was the amount of emotion that poured out of him when he told me,” Lisa says. It seemed as if he had finally opened up, after all the hints of a dodgy past.
“I held him as he cried for about eight hours, through the night. We sat up and talked. He cried and I cried. It felt like we had really shared something, so I really did not analyse the facts at that point particularly strongly.”
But for the rest of the summer, she had nagging feelings that his story did not add up. She challenged him but he always had an answer. She swung between believing their relationship was “better than ever, and thinking something still is not right”.
In September, they had another happy holiday in Italy. “I was floating on air when we came back.” A week later, she was visiting a friend who was, by chance, doing ancestry research online. She did not know what came over her, but she asked the friend to look up Mark Stone’s birth certificate. Nothing came back.
With her friends’ help, she started to dig into his life. She still could not believe he was a policeman, thinking: “He has been with me for so long – there’s absolutely no way they would put a cop in for that long.”
She yearned to find some new piece of information that would provide an explanation and clear her suspicions about him. For a few weeks, she went about her life, talking regularly on the phone to Kennedy but feeling she was “in this little bubble where nothing was real”. Eventually they found a birth certificate for Kennedy’s son, which recorded Kennedy’s occupation as being a police officer.
Now she wanted him to explain. He was pretending to be in the US, but she had found out that he was actually in Ireland with his children and estranged wife. At her insistence, he returned late one night to a house in Nottingham, where she and a group of friends began to question him.
For what felt like hours, he refused to admit anything. Then one of the group asked him directly when he had joined the police. He confessed, and later cried. The others left Lisa alone with him. She was shocked. “I wanted him to stay. I knew that the moment he left, the whole world was going to change. I was just trying to delay the moment.”
Mark Kennedy in 2011, after he had left the police force. Photograph: Phillip Ebeling for the Guardian
Kennedy went on to sell his story to the media and to work for a US security firm after he was unmasked in October 2010. Lisa set about trying to put her life back together. Her experience with Kennedy “made her feel very small”, but the other women in the legal action have been a valuable source of support.
Lisa, who comes across as warm-hearted and thoughtful, rejects suggestions that she could have unmasked Kennedy earlier or that his deception was no different from those of many other cheating husbands.
The difference, she says, is that his deception was supported by the resources of the state. Undercover officers who infiltrated political groups were issued with fake documents, such as passports, driving licences and bank records that would help to fortify their fabricated alter egos. “I had no chance of seeing through that kind of training and infrastructure.”
But he was rumbled, she points out, after he quit the police and no longer had their support. He had had to hand back the paperwork – including the passport bearing his fake identity of Mark Stone.
Lisa has found it difficult to come to terms with the feeling that she had no free will during her relationship with Kennedy. A “faceless backroom of cops” controlled his movements, deciding when he could go away with her, or which demonstrations they could go on. “I just have this feeling that someone else made all the decisions, and it was not me, and it was not even him.”
A series of revelations has persuaded the home secretary Theresa May to order a public inquiry into the conduct of the police spies. This inquiry could reveal far more of the police’s secrets when it starts to hear evidence in public next year. It is expected to examine how, for example, the undercover officers spied on the family of murdered teenager Stephen Lawrence and stole the identities of dead children.
Lisa does not want to pin too much hope on the inquiry uncovering the truth of Kennedy’s espionage and his relationship with her. “There are so many more questions than answers in this whole thing that I don’t think I am ever going to be in a position where I feel like I know what went on and what it all meant, and that there’s nothing more to wonder about.”
She asks herself how much he genuinely loved her. “It is an endless, endless question that I will always be wondering about. That will always keep me awake at night.”
She has been left with a “crushing disappointment and sadness”, feeling that her ability to trust others and form relationships has been shattered. “I have lost a lot of optimism about all kinds of things,” she says. “Just the idea that the world is a good place, that love exists, that love is possible for me.”
The federal government has been fighting hard for years to hide details about its use of so-called stingray surveillance technology from the public.
The surveillance devices simulate cell phone towers in order to trick nearby mobile phones into connecting to them and revealing the phones’ locations.
Now documents recently obtained by the ACLU confirm long-held suspicions that the controversial devices are also capable of recording numbers for a mobile phone’s incoming and outgoing calls, as well as intercepting the content of voice and text communications. The documents also discuss the possibility of flashing a phone’s firmware “so that you can intercept conversations using a suspect’s cell phone as a bug.”
The information appears in a 2008 guideline prepared by the Justice Department to advise law enforcement agents on when and how the equipment can be legally used.
The Department of Justice ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones ‘is an issue of some controversy.’
The American Civil Liberties Union of Northern California obtained the documents (.pdf) after a protracted legal battleinvolving a two-year-old public records request. The documents include not only policy guidelines, but also templates for submitting requests to courts to obtain permission to use the technology.
The DoJ ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones “is an issue of some controversy,” but it doesn’t elaborate on the nature of the controversy. Civil liberties groups have been fighting since 2008 to obtain information about how the government uses the technology, and under what authority.
Stingrays go by a number of different names, including cell-site simulator, triggerfish, IMSI-catcher, Wolfpack, Gossamer, and swamp box, according to the documents. They can be used to determine the location of phones, computers using open wireless networks, and PC wireless data cards, also known as air cards.
The devices, generally the size of a suitcase, work by emitting a stronger signal than nearby towers in order to force a phone or mobile device to connect to them instead of a legitimate tower. Once a mobile device connects, the phone reveals its unique device ID, after which the stingray releases the device so that it can connect to a legitimate cell tower, allowing data and voice calls to go through. Assistance from a cell phone carrier isn’t required to use the technology, unless law enforcement doesn’t know the general location of a suspect and needs to pinpoint a geographical area in which to deploy the stingray. Once a phone’s general location is determined, investigators can use a handheld device that provides more pinpoint precision in the location of a phone or mobile device—this includes being able to pinpoint an exact office or apartment where the device is being used.
In addition to the device ID, the devices can collect additional information.
Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray—not just a targeted phone—and can disrupt regular cell service.
“If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialed, the cellular telephone’s ESN, the date, time, and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected),” the documents note.
In order to use the devices, agents are instructed to obtain a pen register/trap and trace court order. Pen registers are traditionally used to obtain phone numbers called and the “to” field of emails, while trap and trace is used to collect information about received calls and the “from” information of emails.
When using a stingray to identify the specific phone or mobile device a suspect is using, “collection should be limited to device identifiers,” the DoJ document notes. “It should not encompass dialed digits, as that would entail surveillance on the calling activity of all persons in the vicinity of the subject.”
The documents add, however, that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III order.”
Title III is the federal wiretapping law that allows law enforcement, with a court order, to intercept communications in real time.
Civil liberties groups have long suspected that some stingrays used by law enforcement have the ability to intercept the content of voice calls and text messages. But law enforcement agencies have insisted that the devices they use are not configured to do so. Another controversial capability involves the ability to block mobile communications, such as in war zones to prevent attackers from using a mobile phone to trigger an explosive, or during political demonstrations to prevent activists from organizing by mobile phone. Stingray devices used by police in London have both of these capabilities, but it’s not known how often or in what capacity they have been used.
The documents also note that law enforcement can use the devices without a court order under “exceptional” circumstances. Most surveillance laws include such provisions to give investigators the ability to conduct rapid surveillance under emergency circumstances, such as when lives are at stake. Investigators are then to apply for a court order within 24 hours after the emergency surveillance begins. But according to the documents, the DoJ considers “activity characteristic of organized crime” and “an ongoing attack of a protected computer (one used by a financial institution or U.S. government) where violation is a felony” to be considered an exception, too. In other words, an emergency situation could be a hack involving a financial institution.
“While such crimes are potentially serious, they simply do not justify bypassing the ordinary legal processes that were designed to balance the government’s need to investigate crimes with the public’s right to a government that abides by the law,” Linda Lye, senior staff attorney for the ACLU of Northern California, notes in a blog post about the documents.
Another issue of controversy relates to the language that investigators use to describe the stingray technology. Templates for requesting a court order from judges advise the specific terminology investigators should use and never identify the stingray by name. They simply describe the tool as either a pen register/trap and trace device or a device used “to detect radio signals emitted from wireless cellular telephones in the vicinity of the Subject that identify the telephones.”
The ACLU has long accused the government of misleading judges in using the pen register/trap and trace term—since stingrays are primarily used not to identify phone numbers called and received, but to track the location and movement of a mobile device.
Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray—not just a targeted phone—and can disrupt regular cell service.
It’s not known how quickly stingrays release devices that connect to them, allowing them to then connect to a legitimate cell tower. During the period that devices are connected to a stingray, disruption can occur for anyone in the vicinity of the technology.
Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G if they are being used to intercept the concept of communications.
In order for the kind of stingray used by law enforcement to work for this purpose, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.
“Depending on how long the jamming is taking place, there’s going to be disruption,” Chris Soghoian, chief technology for the ACLU has told WIRED previously. “When your phone goes down to 2G, your data just goes to hell. So at the very least you will have disruption of internet connectivity. And if and when the phones are using the stingray as their only tower, there will likely be an inability to receive or make calls.”
Concerns about the use of stingrays is growing. Last March, Senator Bill Nelson (D—Florida) sent a letter to the FCC calling on the agency to disclose information about its certification process for approving stingrays and any other tools with similar functionality. Nelson asked in particular for information about any oversight put in place to make sure that use of the devices complies with the manufacturer’s representations to the FCC about how the technology works and is used.
Nelson also raised concerns about their use in a remarkable speech on the Senate floor. The Senator said the technology “poses a grave threat to consumers’ cellphone and Internet privacy,” particularly when law enforcement agencies use them without a warrant.
The increased attention prompted the Justice Department this month to release a new federal policy on the use of stingrays, requiring a warrant any time federal investigators use them. The rules, however, don’t apply to local police departments, which are among the most prolific users of the technology and have been using them for years without obtaining a warrant.
An environmental activist contacted Wired Magazine after she discovered a GPS tracking device had been placed under her vehicle, courtesy of the FBI. According to Wired.com, this method is becoming a common way for the feds to track anyone deemed to be suspicious or a “potential threat.” This continues the government’s trend of clamping down on what they perceive to be the most dangerous threat to our nation — the democratic participation of political activists.
Smartphones are vulnerable to hacks when connected to a network—whether cellular or wi-fi. In the third and final episode of Phreaked Out, they examine three real-time phone hacks – man-in-the middle attacks, the Snoopy exploit and intercepting cellular call data using an IMSI catcher.
The National Security Agency isn’t the only group with the technology that can look into wireless data, but there are ways users can protect themselves from Snoopy.
by Michael Kerner
Every day, billions of people around the globe connect wirelessly, leaving a veritable trail of identifiable breadcrumbs that can be followed, tracked and analyzed by security researchers. At the upcoming Black Hat Brazil event in November, researchers from security firm SensePost will debut an updated version of their distributed mobile tracking and analysis project, dubbed Snoopy.Glenn Wilkinson, lead security analyst at SensePost, explained to eWEEK that Snoopy is a distributed tracking, data interception and profiling framework. SensePost researchers first built Snoopy in 2012 as a very rough proof of concept and have now rewritten the framework to be more modular and scalable.The Snoopy system involves endpoint sensor devices that serve as data collection nodes, and then there is a back-end infrastructure that collects and helps make sense of all the collected data. The Snoopy node software, or Drone, can run on small Linux devices, including a BeagleBone Black, and the back end can run on Linux servers.”Snoopy can be run on multiple devices over a large area, say the entire city of London, UK,” Wilkinson said. “The Snoopy framework can then also synchronize all the data in a centralized database.”
The first iteration of Snoopy specifically looked at WiFi signals but is now being expanded to include other types of wireless signals, including Bluetooth and near-field communications (NFC). At a basic level, Snoopy is looking for any kind signal emitted by an electronic device that can then be used to uniquely identify the device and perhaps the individual who owns the device.
Snoopy collects the data by abusing functionality that is part of most WiFi stacks on mobile devices. The way that WiFi works in nearly all cases is the system will always be probing for signals from access points it has previously connected to. As a feature, that means if a user has previously connected to his or her own office access point, then whenever the device is in range of the office access point, the device is connected.
“When your smartphone is looking for all of the access points it has previously connected to, it is revealing your wireless adapter’s MAC (Media Access Control) address,” Wilkinson said. “That’s a unique number for the device, so we can identify the device as being at a particular location at a point in time.”
So in a large-scale Snoopy deployment with nodes over a distributed area, Snoopy could track the movement of a device over time.
Snoopy also includes the Karma attack, a wireless attack that impersonates the name of previously connected access points. In a Karma attack, when the wireless device is looking for its previously connected access points, Karma responds, identifying itself as one of those access points, and tricks the user into connecting. Once the victim has been connected to the rogue access point via Karma, Snoopy can then intercept data and also manipulate the data the user sees.
From an analysis perspective, the new Snoopy Framework makes use of the open-source Maltego data visualization project to provide a graphical front end and tools to understand all the data that the Snoopy node can collect.
Enterprise
Daniel Cuthbert, chief operating officer at SensePost, told eWEEK that from a business standpoint, his company is still figuring out the best license and approach for the Snoopy project. Cuthbert said he would like to emulate the approach taken by the open-source Metasploit penetration testing framework. Metasploit has a core open-source project and then layers enterprise editions with additional reporting functionality and support on top.
There are a number of things individuals can do to limit the risk of being snooped on by Snoopy. Wilkinson suggests that users flush the recently connected networks list on their mobile devices. He noted that the Karma-style attacks only work effectively for recently connected open networks.
Wilkinson also suggests that users keep WiFi turned off until such time as they need to connect.
“People are carrying devices in their pockets that are emitting signals that allow them to be uniquely identified,” Wilkinson said. “So I suspect the bigger message going forward is for people to be aware of what they are carrying that might give away some unique identifier and leak information.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter@TechJournalist.
In my October 23 blog, I mentioned that iOS 4.3.4 was susceptible to a man-in-the-middle attack that was later corrected in iOS 4.3.5. These attacks are frequently mentioned in the security literature, but many of you may still be wondering what they are exactly and how they work. With this article, I’ll explain what man-in-the-middle attacks are and how you can avoid falling prey to them.
How the Attack Works
To see how man-in-the-middle attacks work, consider the illustration below. Network traffic normally travels directly between two computers that communicate with each other over the Internet, in this case the computers belonging to User 1 and User 2.
The man-in-the-middle attack uses a technique called ARP spoofing to trick User 1’s computer into thinking that it is communicating with User 2’s computer and User 2’s computer into thinking that it is communicating with User 1’s computer. This causes network traffic between the two computers to flow through the attacker’s system, which enables the attacker to inspect all the data that is sent between the victims, including user names, passwords, credit card numbers, and any other information of interest.Man-in-the-middle attacks can be particularly effective at cafes and libraries that offer their patrons Wi-Fi access to the Internet. In open networking environments such as these, you are directly exposed to computers over unencrypted networks, where your network traffic can be readily snatched.
How to Avoid Being Attacked
In practice, ARP spoofing is difficult to prevent with the conventional security tools that come with your PC or Mac. However, you can make it difficult for people to view your network traffic by using encrypted network connections provided by HTTPS or VPN (virtual private network) technology.
HTTPS uses the secure sockets layer (SSL) capability in your browser to mask your web-based network traffic from prying eyes. VPN client software works in a similar fashion – some VPNs also use SSL – but you must connect to a VPN access point like your company network, if it supports VPN. To decrypt HTTPS and VPN, a man-in-the-middle attacker would have to obtain the keys used to encrypt the network traffic which is difficult, but not impossible to do.
When communicating over HTTPS, your web browser uses certificates to verify the identity of the servers you are connecting to. These certificates are verified by reputable third party authority companies like VeriSign.
If your browser does not recognize the authority of the certificate sent from a particular server, it will display a message indicating that the server’s certificate is not trusted, which means it may be coming from a man-in-the-middle-attacker. In this situation you should not proceed with the HTTPS session, unless you already know that the server can be trusted – like when you or the company you work for set up the server for employees only.
Bram Bonné is a PhD student in computer science at the Expertise Centre for Digital Media at Hasselt University, where he specializes in computer security and privacy. During his PhD, he developed an interest in privacy-sensitive information leaking from smartphones and laptops. Bonné summarizes the basic Wi-Fi technology hackers exploit for “man-in-the-middle” attacks. He explains how your personal information is available to anyone tracking Wi-Fi traffic and some steps you can take to make these type of attacks more difficult.
Camden Civil Rights Project 